1 //===- SemaChecking.cpp - Extra Semantic Checking -------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file implements extra semantic analysis beyond what is enforced
10 // by the C type system.
11 //
12 //===----------------------------------------------------------------------===//
13
14 #include "clang/AST/APValue.h"
15 #include "clang/AST/ASTContext.h"
16 #include "clang/AST/Attr.h"
17 #include "clang/AST/AttrIterator.h"
18 #include "clang/AST/CharUnits.h"
19 #include "clang/AST/Decl.h"
20 #include "clang/AST/DeclBase.h"
21 #include "clang/AST/DeclCXX.h"
22 #include "clang/AST/DeclObjC.h"
23 #include "clang/AST/DeclarationName.h"
24 #include "clang/AST/EvaluatedExprVisitor.h"
25 #include "clang/AST/Expr.h"
26 #include "clang/AST/ExprCXX.h"
27 #include "clang/AST/ExprObjC.h"
28 #include "clang/AST/ExprOpenMP.h"
29 #include "clang/AST/FormatString.h"
30 #include "clang/AST/IgnoreExpr.h"
31 #include "clang/AST/NSAPI.h"
32 #include "clang/AST/NonTrivialTypeVisitor.h"
33 #include "clang/AST/OperationKinds.h"
34 #include "clang/AST/RecordLayout.h"
35 #include "clang/AST/Stmt.h"
36 #include "clang/AST/TemplateBase.h"
37 #include "clang/AST/Type.h"
38 #include "clang/AST/TypeLoc.h"
39 #include "clang/AST/UnresolvedSet.h"
40 #include "clang/Basic/AddressSpaces.h"
41 #include "clang/Basic/CharInfo.h"
42 #include "clang/Basic/Diagnostic.h"
43 #include "clang/Basic/IdentifierTable.h"
44 #include "clang/Basic/LLVM.h"
45 #include "clang/Basic/LangOptions.h"
46 #include "clang/Basic/OpenCLOptions.h"
47 #include "clang/Basic/OperatorKinds.h"
48 #include "clang/Basic/PartialDiagnostic.h"
49 #include "clang/Basic/SourceLocation.h"
50 #include "clang/Basic/SourceManager.h"
51 #include "clang/Basic/Specifiers.h"
52 #include "clang/Basic/SyncScope.h"
53 #include "clang/Basic/TargetBuiltins.h"
54 #include "clang/Basic/TargetCXXABI.h"
55 #include "clang/Basic/TargetInfo.h"
56 #include "clang/Basic/TypeTraits.h"
57 #include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering.
58 #include "clang/Sema/Initialization.h"
59 #include "clang/Sema/Lookup.h"
60 #include "clang/Sema/Ownership.h"
61 #include "clang/Sema/Scope.h"
62 #include "clang/Sema/ScopeInfo.h"
63 #include "clang/Sema/Sema.h"
64 #include "clang/Sema/SemaAMDGPU.h"
65 #include "clang/Sema/SemaARM.h"
66 #include "clang/Sema/SemaBPF.h"
67 #include "clang/Sema/SemaHLSL.h"
68 #include "clang/Sema/SemaHexagon.h"
69 #include "clang/Sema/SemaInternal.h"
70 #include "clang/Sema/SemaLoongArch.h"
71 #include "clang/Sema/SemaMIPS.h"
72 #include "clang/Sema/SemaNVPTX.h"
73 #include "clang/Sema/SemaObjC.h"
74 #include "clang/Sema/SemaOpenCL.h"
75 #include "clang/Sema/SemaPPC.h"
76 #include "clang/Sema/SemaRISCV.h"
77 #include "clang/Sema/SemaSystemZ.h"
78 #include "clang/Sema/SemaWasm.h"
79 #include "clang/Sema/SemaX86.h"
80 #include "llvm/ADT/APFloat.h"
81 #include "llvm/ADT/APInt.h"
82 #include "llvm/ADT/APSInt.h"
83 #include "llvm/ADT/ArrayRef.h"
84 #include "llvm/ADT/DenseMap.h"
85 #include "llvm/ADT/FoldingSet.h"
86 #include "llvm/ADT/STLExtras.h"
87 #include "llvm/ADT/SmallBitVector.h"
88 #include "llvm/ADT/SmallPtrSet.h"
89 #include "llvm/ADT/SmallString.h"
90 #include "llvm/ADT/SmallVector.h"
91 #include "llvm/ADT/StringExtras.h"
92 #include "llvm/ADT/StringRef.h"
93 #include "llvm/ADT/StringSet.h"
94 #include "llvm/ADT/StringSwitch.h"
95 #include "llvm/Support/AtomicOrdering.h"
96 #include "llvm/Support/Casting.h"
97 #include "llvm/Support/Compiler.h"
98 #include "llvm/Support/ConvertUTF.h"
99 #include "llvm/Support/ErrorHandling.h"
100 #include "llvm/Support/Format.h"
101 #include "llvm/Support/Locale.h"
102 #include "llvm/Support/MathExtras.h"
103 #include "llvm/Support/SaveAndRestore.h"
104 #include "llvm/Support/raw_ostream.h"
105 #include "llvm/TargetParser/RISCVTargetParser.h"
106 #include "llvm/TargetParser/Triple.h"
107 #include <algorithm>
108 #include <bitset>
109 #include <cassert>
110 #include <cctype>
111 #include <cstddef>
112 #include <cstdint>
113 #include <functional>
114 #include <limits>
115 #include <optional>
116 #include <string>
117 #include <tuple>
118 #include <utility>
119
120 using namespace clang;
121 using namespace sema;
122
/// Translate byte offset \p ByteNo inside the string literal \p SL into a
/// source location. This forwards to StringLiteral::getLocationOfByte using
/// this Sema's source manager, language options and target info.
SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
                                                    unsigned ByteNo) const {
  const SourceManager &SM = getSourceManager();
  const TargetInfo &Target = Context.getTargetInfo();
  return SL->getLocationOfByte(ByteNo, SM, LangOpts, Target);
}
128
/// Pack two FormatArgumentPassingKind values into a single unsigned short:
/// \p A shifted left by 8 bits, OR-ed with \p B.
static constexpr unsigned short combineFAPK(Sema::FormatArgumentPassingKind A,
                                            Sema::FormatArgumentPassingKind B) {
  const int Shifted = A << 8;
  return Shifted | B;
}
133
/// Diagnose \p Call when it passes fewer than \p MinArgCount arguments.
///
/// \returns false when enough arguments were supplied; otherwise the emitted
/// err_typecheck_call_too_few_args diagnostic converted to bool, which the
/// callers in this file treat as "an error was reported".
bool Sema::checkArgCountAtLeast(CallExpr *Call, unsigned MinArgCount) {
  const unsigned NumSupplied = Call->getNumArgs();
  const bool TooFew = NumSupplied < MinArgCount;
  if (!TooFew)
    return false;

  // The diagnostic is anchored at the end of the call and highlights the
  // whole call expression.
  return Diag(Call->getEndLoc(), diag::err_typecheck_call_too_few_args)
         << 0 /*function call*/ << MinArgCount << NumSupplied
         << /*is non object*/ 0 << Call->getSourceRange();
}
143
/// Diagnose \p Call when it passes more than \p MaxArgCount arguments.
///
/// \returns false when the count is within the limit; otherwise the emitted
/// err_typecheck_call_too_many_args_at_most diagnostic converted to bool.
bool Sema::checkArgCountAtMost(CallExpr *Call, unsigned MaxArgCount) {
  const unsigned NumSupplied = Call->getNumArgs();
  const bool TooMany = NumSupplied > MaxArgCount;
  if (!TooMany)
    return false;

  return Diag(Call->getEndLoc(), diag::err_typecheck_call_too_many_args_at_most)
         << 0 /*function call*/ << MaxArgCount << NumSupplied
         << /*is non object*/ 0 << Call->getSourceRange();
}
152
/// Diagnose \p Call unless its argument count lies in
/// [\p MinArgCount, \p MaxArgCount]. The lower bound is checked first, so at
/// most one of the two diagnostics is produced.
///
/// \returns true if either bound check reported a problem.
bool Sema::checkArgCountRange(CallExpr *Call, unsigned MinArgCount,
                              unsigned MaxArgCount) {
  if (checkArgCountAtLeast(Call, MinArgCount))
    return true;
  return checkArgCountAtMost(Call, MaxArgCount);
}
158
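/// Diagnose \p Call unless it passes exactly \p DesiredArgCount arguments.
///
/// Too few arguments are reported through checkArgCountAtLeast. Too many
/// arguments are reported with err_typecheck_call_too_many_args, anchored at
/// the first excess argument and highlighting every excess argument.
///
/// \returns false when the count matches; otherwise true (or the emitted
/// diagnostic converted to bool for the too-many case).
bool Sema::checkArgCount(CallExpr *Call, unsigned DesiredArgCount) {
  unsigned ArgCount = Call->getNumArgs();
  if (ArgCount == DesiredArgCount)
    return false;

  if (checkArgCountAtLeast(Call, DesiredArgCount))
    return true;
  assert(ArgCount > DesiredArgCount && "should have diagnosed this");

  // Highlight all the excess arguments.
  SourceRange Range(Call->getArg(DesiredArgCount)->getBeginLoc(),
                    Call->getArg(ArgCount - 1)->getEndLoc());

  // Stream the computed range rather than a fixed argument index: indexing
  // argument 1 unconditionally reads past the argument list when
  // DesiredArgCount is 0 and exactly one argument was supplied, and in the
  // other cases it would highlight an argument unrelated to the excess ones.
  return Diag(Range.getBegin(), diag::err_typecheck_call_too_many_args)
         << 0 /*function call*/ << DesiredArgCount << ArgCount
         << /*is non object*/ 0 << Range;
}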
176
/// Validate every argument of a verbose-trap builtin call.
///
/// Each argument that is not value-dependent must evaluate to a constant
/// string and that string must not contain '$'. All offending arguments are
/// diagnosed with err_builtin_verbose_trap_arg (selector 0: not a constant
/// string, selector 1: contains '$').
///
/// \returns true when every checked argument is acceptable. Note this is the
/// opposite polarity from the checkArgCount* helpers, which return true on
/// error.
static bool checkBuiltinVerboseTrap(CallExpr *Call, Sema &S) {
  bool AllArgsValid = true;

  for (unsigned Idx = 0; Idx < Call->getNumArgs(); ++Idx) {
    Expr *Arg = Call->getArg(Idx);

    // A value-dependent argument cannot be evaluated yet; skip it here.
    if (Arg->isValueDependent())
      continue;

    const std::optional<std::string> Text = Arg->tryEvaluateString(S.Context);

    // Arguments must be pointers to constant strings and cannot use '$'.
    int Selector = -1;
    if (!Text)
      Selector = 0;
    else if (Text->find('$') != std::string::npos)
      Selector = 1;

    if (Selector < 0)
      continue;

    S.Diag(Arg->getBeginLoc(), diag::err_builtin_verbose_trap_arg)
        << Selector << Arg->getSourceRange();
    AllArgsValid = false;
  }

  return AllArgsValid;
}
203
/// Convert \p Value to \p Ty as if it were passed to a parameter of that type.
///
/// Type-dependent expressions are left untouched. On success \p Value is
/// replaced by the converted expression.
///
/// \returns true if the copy-initialization failed, false otherwise.
static bool convertArgumentToType(Sema &S, Expr *&Value, QualType Ty) {
  if (!Value->isTypeDependent()) {
    ExprResult Converted = S.PerformCopyInitialization(
        InitializedEntity::InitializeParameter(S.Context, Ty, false),
        SourceLocation(), Value);
    if (Converted.isInvalid())
      return true;
    Value = Converted.get();
  }
  return false;
}
217
/// Semantic check for __builtin_annotation: exactly two arguments, the first
/// of integer type and the second an ordinary (non-wide) string literal. On
/// success the call's type is set to the type of the first argument.
///
/// \returns true if a diagnostic was emitted.
static bool BuiltinAnnotation(Sema &S, CallExpr *TheCall) {
  if (S.checkArgCount(TheCall, 2))
    return true;

  // Argument 0: the annotated value, which must be an integer.
  Expr *ValueArg = TheCall->getArg(0);
  const QualType ValueTy = ValueArg->getType();
  if (!ValueTy->isIntegerType()) {
    S.Diag(ValueArg->getBeginLoc(), diag::err_builtin_annotation_first_arg)
        << ValueArg->getSourceRange();
    return true;
  }

  // Argument 1: the annotation text, which must be a string literal once
  // parentheses and casts are stripped.
  Expr *TextArg = TheCall->getArg(1)->IgnoreParenCasts();
  const auto *Str = dyn_cast<StringLiteral>(TextArg);
  const bool IsOrdinaryLiteral = Str && Str->isOrdinary();
  if (!IsOrdinaryLiteral) {
    S.Diag(TextArg->getBeginLoc(), diag::err_builtin_annotation_second_arg)
        << TextArg->getSourceRange();
    return true;
  }

  TheCall->setType(ValueTy);
  return false;
}
245
/// Semantic check for the MSVC annotation builtin: at least one argument, and
/// every argument must be a wide string literal (after stripping parentheses
/// and casts). Checking stops at the first offending argument.
///
/// \returns true if a diagnostic was emitted.
static bool BuiltinMSVCAnnotation(Sema &S, CallExpr *TheCall) {
  // We need at least one argument.
  const unsigned NumArgs = TheCall->getNumArgs();
  if (NumArgs < 1) {
    S.Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
        << 0 << 1 << NumArgs << /*is non object*/ 0
        << TheCall->getCallee()->getSourceRange();
    return true;
  }

  // All arguments should be wide string literals.
  for (Expr *Arg : TheCall->arguments()) {
    const auto *Str = dyn_cast<StringLiteral>(Arg->IgnoreParenCasts());
    if (Str && Str->isWide())
      continue;

    S.Diag(Arg->getBeginLoc(), diag::err_msvc_annotation_wide_str)
        << Arg->getSourceRange();
    return true;
  }

  return false;
}
267
/// Semantic check for __builtin_addressof: exactly one argument that is a
/// valid operand for address-of. On success the (possibly rewritten) operand
/// is stored back into the call and the call's type becomes the pointer type
/// computed by CheckAddressOfOperand.
///
/// \returns true on error.
static bool BuiltinAddressof(Sema &S, CallExpr *TheCall) {
  if (S.checkArgCount(TheCall, 1))
    return true;

  ExprResult Operand(TheCall->getArg(0));
  const QualType PointerTy =
      S.CheckAddressOfOperand(Operand, TheCall->getBeginLoc());

  // A null type signals that the operand was rejected.
  if (!PointerTy.isNull()) {
    TheCall->setArg(0, Operand.get());
    TheCall->setType(PointerTy);
    return false;
  }
  return true;
}
283
/// Semantic check for __builtin_function_start: exactly one argument, which
/// after the default function/array/lvalue conversions must refer to a
/// function declaration whose address may be taken.
///
/// \returns true on error.
static bool BuiltinFunctionStart(Sema &S, CallExpr *TheCall) {
  if (S.checkArgCount(TheCall, 1))
    return true;

  ExprResult Converted =
      S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
  if (Converted.isInvalid())
    return true;
  TheCall->setArg(0, Converted.get());

  // Only a reference to a FunctionDecl is accepted as the operand.
  const auto *FD = dyn_cast_or_null<FunctionDecl>(
      Converted.get()->getAsBuiltinConstantDeclRef(S.getASTContext()));
  if (!FD) {
    S.Diag(TheCall->getBeginLoc(), diag::err_function_start_invalid_type)
        << TheCall->getSourceRange();
    return true;
  }

  const bool AddressAvailable = S.checkAddressOfFunctionIsAvailable(
      FD, /*Complain=*/true, TheCall->getBeginLoc());
  return !AddressAvailable;
}
306
/// Require exactly one argument and give the call the same type as that
/// argument.
///
/// \returns true if the argument count was wrong.
static bool BuiltinPreserveAI(Sema &S, CallExpr *TheCall) {
  if (S.checkArgCount(TheCall, 1))
    return true;

  const QualType ArgTy = TheCall->getArg(0)->getType();
  TheCall->setType(ArgTy);
  return false;
}
316
/// Semantic check for __builtin_is_aligned(value, alignment) and
/// __builtin_aligned_{up,down}(value, alignment).
///
/// The value must be an integer or a pointer (arrays decay to pointers;
/// function pointers, enums and bool are rejected). The alignment must be an
/// integer that is not an enum or bool. When the alignment can be evaluated
/// as an integer constant it must additionally be >= 1, no larger than
/// 2^(width of the value type - 1), and a power of two; an alignment of 1 only
/// produces a warning. An alignment that is value-dependent or cannot be
/// evaluated here is not range-checked by this function.
///
/// \returns true on error.
static bool BuiltinAlignment(Sema &S, CallExpr *TheCall, unsigned ID) {
  if (S.checkArgCount(TheCall, 2))
    return true;

  const bool ReturnsBool = ID == Builtin::BI__builtin_is_aligned;

  // "Integer" here excludes enumeration types and bool.
  const auto IsPlainInteger = [](QualType Ty) {
    if (!Ty->isIntegerType())
      return false;
    return !Ty->isEnumeralType() && !Ty->isBooleanType();
  };

  clang::Expr *ValueExpr = TheCall->getArg(0);
  QualType ValueTy = ValueExpr->getType();
  // We should also be able to use it with arrays (but not functions!).
  if (ValueTy->canDecayToPointerType() && ValueTy->isArrayType())
    ValueTy = S.Context.getDecayedType(ValueTy);

  const bool IsPointerOrInteger =
      ValueTy->isPointerType() || IsPlainInteger(ValueTy);
  if (!IsPointerOrInteger || ValueTy->isFunctionPointerType()) {
    // FIXME: this is not quite the right error message since we don't allow
    // floating point types, or member pointers.
    S.Diag(ValueExpr->getExprLoc(), diag::err_typecheck_expect_scalar_operand)
        << ValueTy;
    return true;
  }

  clang::Expr *AlignExpr = TheCall->getArg(1);
  const QualType AlignTy = AlignExpr->getType();
  if (!IsPlainInteger(AlignTy)) {
    S.Diag(AlignExpr->getExprLoc(), diag::err_typecheck_expect_int) << AlignTy;
    return true;
  }

  // Index of the most significant bit of the value type; the largest
  // accepted alignment has only this bit set.
  const unsigned TopBit = S.Context.getIntWidth(ValueTy) - 1;
  Expr::EvalResult Evaluated;
  // We can't check validity of alignment if it is value dependent.
  if (!AlignExpr->isValueDependent() &&
      AlignExpr->EvaluateAsInt(Evaluated, S.Context,
                               Expr::SE_AllowSideEffects)) {
    const llvm::APSInt Alignment = Evaluated.Val.getInt();
    const llvm::APSInt Limit(llvm::APInt::getOneBitSet(TopBit + 1, TopBit));

    if (Alignment < 1) {
      S.Diag(AlignExpr->getExprLoc(), diag::err_alignment_too_small) << 1;
      return true;
    }
    if (llvm::APSInt::compareValues(Alignment, Limit) > 0) {
      S.Diag(AlignExpr->getExprLoc(), diag::err_alignment_too_big)
          << toString(Limit, 10);
      return true;
    }
    if (!Alignment.isPowerOf2()) {
      S.Diag(AlignExpr->getExprLoc(), diag::err_alignment_not_power_of_two);
      return true;
    }
    // Aligning to 1 is legal but pointless, so it is only a warning.
    if (Alignment == 1) {
      S.Diag(AlignExpr->getExprLoc(), diag::warn_alignment_builtin_useless)
          << ReturnsBool;
    }
  }

  // Convert both operands as if they were passed to parameters of their own
  // (possibly decayed) types, and store the results back into the call.
  ExprResult ConvertedValue = S.PerformCopyInitialization(
      InitializedEntity::InitializeParameter(S.Context, ValueTy, false),
      SourceLocation(), ValueExpr);
  if (ConvertedValue.isInvalid())
    return true;
  TheCall->setArg(0, ConvertedValue.get());

  ExprResult ConvertedAlign = S.PerformCopyInitialization(
      InitializedEntity::InitializeParameter(S.Context, AlignTy, false),
      SourceLocation(), AlignExpr);
  if (ConvertedAlign.isInvalid())
    return true;
  TheCall->setArg(1, ConvertedAlign.get());

  // For align_up/align_down, the return type is the same as the (potentially
  // decayed) argument type including qualifiers. For is_aligned(), the result
  // is always bool.
  if (ReturnsBool)
    TheCall->setType(S.Context.BoolTy);
  else
    TheCall->setType(ValueTy);
  return false;
}
397
/// Semantic check for the __builtin_{add,sub,mul}_overflow family.
///
/// Requires three arguments: two integer operands and a pointer to a
/// non-const integer that receives the result. When the call is the immediate
/// expansion of the matching ckd_add / ckd_sub / ckd_mul macro, the stricter
/// "checked integer type" rule is applied to all three. For the multiply
/// builtin, signed bit-precise integers wider than 128 bits are rejected.
///
/// \returns true on error.
static bool BuiltinOverflow(Sema &S, CallExpr *TheCall, unsigned BuiltinID) {
  if (S.checkArgCount(TheCall, 3))
    return true;

  // Builtin IDs paired with the macro name that selects the stricter rules.
  const std::pair<unsigned, const char *> CkdMacros[] = {
      {Builtin::BI__builtin_add_overflow, "ckd_add"},
      {Builtin::BI__builtin_sub_overflow, "ckd_sub"},
      {Builtin::BI__builtin_mul_overflow, "ckd_mul"},
  };

  bool CkdOperation = false;
  for (const auto &[ID, MacroName] : CkdMacros) {
    if (BuiltinID != ID)
      continue;
    if (!TheCall->getExprLoc().isMacroID())
      continue;
    if (Lexer::getImmediateMacroName(TheCall->getExprLoc(),
                                     S.getSourceManager(),
                                     S.getLangOpts()) == MacroName) {
      CkdOperation = true;
      break;
    }
  }

  const auto ValidCkdIntType = [](QualType QT) {
    // A valid checked integer type is an integer type other than a plain char,
    // bool, a bit-precise type, or an enumeration type.
    const auto *BT = QT.getCanonicalType()->getAs<BuiltinType>();
    if (!BT)
      return false;
    const BuiltinType::Kind K = BT->getKind();
    const bool InSignedRange =
        K >= BuiltinType::Short && K <= BuiltinType::Int128;
    const bool InUnsignedRange =
        K >= BuiltinType::UShort && K <= BuiltinType::UInt128;
    return InSignedRange || InUnsignedRange || K == BuiltinType::UChar ||
           K == BuiltinType::SChar;
  };

  // First two arguments should be integers.
  for (unsigned Idx = 0; Idx < 2; ++Idx) {
    ExprResult Operand =
        S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(Idx));
    if (Operand.isInvalid())
      return true;
    TheCall->setArg(Idx, Operand.get());

    const QualType OperandTy = Operand.get()->getType();
    const bool Acceptable =
        CkdOperation ? ValidCkdIntType(OperandTy) : OperandTy->isIntegerType();
    if (Acceptable)
      continue;

    S.Diag(Operand.get()->getBeginLoc(), diag::err_overflow_builtin_must_be_int)
        << CkdOperation << OperandTy << Operand.get()->getSourceRange();
    return true;
  }

  // Third argument should be a pointer to a non-const integer.
  // IRGen correctly handles volatile, restrict, and address spaces, and
  // the other qualifiers aren't possible.
  {
    ExprResult Out = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(2));
    if (Out.isInvalid())
      return true;
    TheCall->setArg(2, Out.get());

    const QualType OutTy = Out.get()->getType();
    bool Acceptable = false;
    if (const auto *PtrTy = OutTy->getAs<PointerType>()) {
      const QualType Pointee = PtrTy->getPointeeType();
      Acceptable = Pointee->isIntegerType() &&
                   (!CkdOperation || ValidCkdIntType(Pointee)) &&
                   !Pointee.isConstQualified();
    }
    if (!Acceptable) {
      S.Diag(Out.get()->getBeginLoc(),
             diag::err_overflow_builtin_must_be_ptr_int)
          << CkdOperation << OutTy << Out.get()->getSourceRange();
      return true;
    }
  }

  // Disallow signed bit-precise integer args larger than 128 bits to mul
  // function until we improve backend support.
  if (BuiltinID == Builtin::BI__builtin_mul_overflow) {
    for (unsigned Idx = 0; Idx < 3; ++Idx) {
      Expr *const Arg = TheCall->getArg(Idx);
      // Third argument will be a pointer.
      QualType Ty = Arg->getType();
      if (Idx == 2)
        Ty = Ty->getPointeeType();

      const bool IsWideSignedBitInt = Ty->isBitIntType() &&
                                      Ty->isSignedIntegerType() &&
                                      S.getASTContext().getIntWidth(Ty) > 128;
      if (IsWideSignedBitInt)
        return S.Diag(Arg->getBeginLoc(),
                      diag::err_overflow_builtin_bit_int_max_size)
               << 128;
    }
  }

  return false;
}
481
namespace {
/// Builds the sequence of print-function calls that a struct-dumping builtin
/// call expands to.
///
/// Each generated expression is appended to Actions; buildWrapper() bundles
/// them with the original call into a PseudoObjectExpr. Every "dump" and
/// "call" member returns true on failure.
///
/// Reviewer note: the format strings built here are consumed by the
/// user-supplied print function in the compiled program. String-typed fields
/// are printed with "%s" limited to 32 bytes; as the FIXMEs below state, that
/// is not safe in general (the pointer is not known to be valid or to refer
/// to the active member of a union).
struct BuiltinDumpStructGenerator {
  Sema &S;
  CallExpr *TheCall;
  // Location used for every synthesized expression: the start of the call.
  SourceLocation Loc = TheCall->getBeginLoc();
  // Expressions to evaluate, in order, when the builtin call is executed.
  SmallVector<Expr *, 32> Actions;
  // Detects whether any error diagnostic was emitted while generating.
  DiagnosticErrorTrap ErrorTracker;
  // Printing policy for type names, with anonymous tag locations suppressed.
  PrintingPolicy Policy;

  BuiltinDumpStructGenerator(Sema &S, CallExpr *TheCall)
      : S(S), TheCall(TheCall), ErrorTracker(S.getDiagnostics()),
        Policy(S.Context.getPrintingPolicy()) {
    Policy.AnonymousTagLocations = false;
  }

  /// Wrap \p Inner in an OpaqueValueExpr, record it in Actions, and return
  /// the wrapper.
  Expr *makeOpaqueValueExpr(Expr *Inner) {
    Expr *Opaque = new (S.Context)
        OpaqueValueExpr(Loc, Inner->getType(), Inner->getValueKind(),
                        Inner->getObjectKind(), Inner);
    Actions.push_back(Opaque);
    return Opaque;
  }

  /// Return an expression for the string literal \p Str located at Loc.
  Expr *getStringLiteral(llvm::StringRef Str) {
    Expr *Cached = S.Context.getPredefinedStringLiteralFromCache(Str);
    // Wrap the literal in parentheses to attach a source location.
    return new (S.Context) ParenExpr(Loc, Loc, Cached);
  }

  /// Build a call to the user-supplied print function (argument 1 of the
  /// builtin call) and record it in Actions.
  ///
  /// The call's arguments are: any extra arguments of the builtin call (from
  /// index 2 on), then \p Format as a string literal, then \p Exprs.
  ///
  /// \returns true if the call could not be built or any error has been
  /// diagnosed so far.
  bool callPrintFunction(llvm::StringRef Format,
                         llvm::ArrayRef<Expr *> Exprs = {}) {
    assert(TheCall->getNumArgs() >= 2);

    SmallVector<Expr *, 8> CallArgs;
    CallArgs.reserve((TheCall->getNumArgs() - 2) + /*Format*/ 1 + Exprs.size());
    CallArgs.append(TheCall->arg_begin() + 2, TheCall->arg_end());
    CallArgs.push_back(getStringLiteral(Format));
    CallArgs.append(Exprs.begin(), Exprs.end());

    // Register a note to explain why we're performing the call. The context
    // points into CallArgs, so it is popped before CallArgs goes away.
    Sema::CodeSynthesisContext Ctx;
    Ctx.Kind = Sema::CodeSynthesisContext::BuildingBuiltinDumpStructCall;
    Ctx.PointOfInstantiation = Loc;
    Ctx.CallArgs = CallArgs.data();
    Ctx.NumCallArgs = CallArgs.size();
    S.pushCodeSynthesisContext(Ctx);

    ExprResult RealCall = S.BuildCallExpr(
        /*Scope=*/nullptr, TheCall->getArg(1), TheCall->getBeginLoc(),
        CallArgs, TheCall->getRParenLoc());

    S.popCodeSynthesisContext();

    const bool BuildFailed = RealCall.isInvalid();
    if (!BuildFailed)
      Actions.push_back(RealCall.get());
    // Bail out if we've hit any errors, even if we managed to build the
    // call. We don't want to produce more than one error.
    return BuildFailed || ErrorTracker.hasErrorOccurred();
  }

  /// Return a string literal of Depth * Policy.Indentation spaces, or nullptr
  /// for depth 0.
  Expr *getIndentString(unsigned Depth) {
    if (Depth == 0)
      return nullptr;

    llvm::SmallString<32> Spaces;
    Spaces.resize(Depth * Policy.Indentation, ' ');
    return getStringLiteral(Spaces);
  }

  /// Return a string literal holding the printed name of \p T.
  Expr *getTypeString(QualType T) {
    return getStringLiteral(T.getAsString(Policy));
  }

  /// Append a printf-style conversion for a value of type \p T to \p Str.
  ///
  /// \returns true if a specifier was appended, false if this code does not
  /// know how to print \p T.
  bool appendFormatSpecifier(QualType T, llvm::SmallVectorImpl<char> &Str) {
    llvm::raw_svector_ostream Out(Str);

    // Format 'bool', 'char', 'signed char', 'unsigned char' as numbers, rather
    // than trying to print a single character.
    if (const auto *Prim = T->getAs<BuiltinType>()) {
      switch (Prim->getKind()) {
      case BuiltinType::Bool:
        Out << "%d";
        return true;
      case BuiltinType::Char_U:
      case BuiltinType::UChar:
        Out << "%hhu";
        return true;
      case BuiltinType::Char_S:
      case BuiltinType::SChar:
        Out << "%hhd";
        return true;
      default:
        break;
      }
    }

    analyze_printf::PrintfSpecifier Spec;
    const bool Guessed = Spec.fixType(T, S.getLangOpts(), S.Context,
                                      /*IsObjCLiteral=*/false);
    if (!Guessed) {
      // Format all remaining pointers with '%p'; anything else is unknown.
      if (!T->isPointerType())
        return false;
      Out << "%p";
      return true;
    }

    // We were able to guess how to format this.
    const bool IsString =
        Spec.getConversionSpecifier().getKind() ==
        analyze_printf::PrintfConversionSpecifier::sArg;
    if (!IsString) {
      Spec.toString(Out);
      return true;
    }

    // Wrap double-quotes around a '%s' specifier and limit its maximum
    // length. Ideally we'd also somehow escape special characters in the
    // contents but printf doesn't support that.
    // FIXME: '%s' formatting is not safe in general. The precision below only
    // caps how much is printed; nothing here establishes that the field
    // points at readable memory.
    Out << '"';
    Spec.setPrecision(analyze_printf::OptionalAmount(32u));
    Spec.toString(Out);
    Out << '"';
    // FIXME: It would be nice to include a '...' if the string doesn't fit
    // in the length limit.
    return true;
  }

  /// Print the (indented) type name of \p RD, then its value via
  /// dumpRecordValue.
  bool dumpUnnamedRecord(const RecordDecl *RD, Expr *E, unsigned Depth) {
    Expr *IndentLit = getIndentString(Depth);
    Expr *TypeLit = getTypeString(S.Context.getRecordType(RD));

    bool PrintFailed;
    if (IndentLit)
      PrintFailed = callPrintFunction("%s%s", {IndentLit, TypeLit});
    else
      PrintFailed = callPrintFunction("%s", {TypeLit});
    if (PrintFailed)
      return true;

    return dumpRecordValue(RD, E, IndentLit, Depth);
  }

  // Dump a record value. E should be a pointer or lvalue referring to an RD.
  bool dumpRecordValue(const RecordDecl *RD, Expr *E, Expr *RecordIndent,
                       unsigned Depth) {
    // FIXME: Decide what to do if RD is a union. At least we should probably
    // turn off printing `const char*` members with `%s`, because that is very
    // likely to crash if that's not the active member. Whatever we decide, we
    // should document it.

    // Build an OpaqueValueExpr so we can refer to E more than once without
    // triggering re-evaluation.
    Expr *Record = makeOpaqueValueExpr(E);
    const bool ViaPointer = Record->getType()->isPointerType();

    if (callPrintFunction(" {\n"))
      return true;

    // Dump each base class, regardless of whether they're aggregates.
    if (const auto *CXXRD = dyn_cast<CXXRecordDecl>(RD)) {
      for (const auto &Base : CXXRD->bases()) {
        // Cast to a pointer or an lvalue reference to the base, matching how
        // the record itself is being referred to.
        QualType CastTy;
        if (ViaPointer)
          CastTy = S.Context.getPointerType(Base.getType());
        else
          CastTy = S.Context.getLValueReferenceType(Base.getType());

        ExprResult BaseExpr = S.BuildCStyleCastExpr(
            Loc, S.Context.getTrivialTypeSourceInfo(CastTy, Loc), Loc, Record);
        if (BaseExpr.isInvalid())
          return true;
        if (dumpUnnamedRecord(Base.getType()->getAsRecordDecl(),
                              BaseExpr.get(), Depth + 1))
          return true;
      }
    }

    Expr *FieldIndent = getIndentString(Depth + 1);

    // Dump each field.
    for (auto *D : RD->decls()) {
      auto *IFD = dyn_cast<IndirectFieldDecl>(D);
      auto *FD = IFD ? IFD->getAnonField() : dyn_cast<FieldDecl>(D);
      if (!FD || FD->isUnnamedBitField() || FD->isAnonymousStructOrUnion())
        continue;

      // Every field line starts with: indent, type name, field name.
      llvm::SmallString<20> Fmt(llvm::StringRef("%s%s %s "));
      llvm::SmallVector<Expr *, 5> Args = {FieldIndent,
                                           getTypeString(FD->getType()),
                                           getStringLiteral(FD->getName())};

      // Bit-fields additionally print their declared width.
      if (FD->isBitField()) {
        Fmt += ": %zu ";
        QualType SizeT = S.Context.getSizeType();
        llvm::APInt BitWidth(S.Context.getIntWidth(SizeT),
                             FD->getBitWidthValue(S.Context));
        Args.push_back(IntegerLiteral::Create(S.Context, BitWidth, SizeT, Loc));
      }

      Fmt += "=";

      // Member accesses are built with public access, so the dump is not
      // subject to access checking of the record's members.
      ExprResult Field =
          IFD ? S.BuildAnonymousStructUnionMemberReference(
                    CXXScopeSpec(), Loc, IFD,
                    DeclAccessPair::make(IFD, AS_public), Record, Loc)
              : S.BuildFieldReferenceExpr(
                    Record, ViaPointer, Loc, CXXScopeSpec(), FD,
                    DeclAccessPair::make(FD, AS_public),
                    DeclarationNameInfo(FD->getDeclName(), Loc));
      if (Field.isInvalid())
        return true;

      auto *InnerRD = FD->getType()->getAsRecordDecl();
      auto *InnerCXXRD = dyn_cast_or_null<CXXRecordDecl>(InnerRD);
      const bool RecurseInto =
          InnerRD && (!InnerCXXRD || InnerCXXRD->isAggregate());
      if (RecurseInto) {
        // Recursively print the values of members of aggregate record type.
        if (callPrintFunction(Fmt, Args))
          return true;
        if (dumpRecordValue(InnerRD, Field.get(), FieldIndent, Depth + 1))
          return true;
        continue;
      }

      Fmt += " ";
      if (appendFormatSpecifier(FD->getType(), Fmt)) {
        // We know how to print this field.
        Args.push_back(Field.get());
      } else {
        // We don't know how to print this field. Print out its address
        // with a format specifier that a smart tool will be able to
        // recognize and treat specially.
        Fmt += "*%p";
        ExprResult FieldAddr =
            S.BuildUnaryOp(nullptr, Loc, UO_AddrOf, Field.get());
        if (FieldAddr.isInvalid())
          return true;
        Args.push_back(FieldAddr.get());
      }
      Fmt += "\n";
      if (callPrintFunction(Fmt, Args))
        return true;
    }

    if (RecordIndent)
      return callPrintFunction("%s}\n", RecordIndent);
    return callPrintFunction("}\n");
  }

  /// Bundle the original call and all recorded Actions into a
  /// PseudoObjectExpr with no result, and give the original call the
  /// wrapper's type and value kind.
  Expr *buildWrapper() {
    auto *Bundle = PseudoObjectExpr::Create(S.Context, TheCall, Actions,
                                            PseudoObjectExpr::NoResult);
    TheCall->setType(Bundle->getType());
    TheCall->setValueKind(Bundle->getValueKind());
    return Bundle;
  }
};
} // namespace
725
/// Semantic check and expansion for the struct-dumping builtin.
///
/// Requires at least two arguments: a pointer to a complete record type and
/// something that may be callable. The callable is only validated coarsely
/// here; the real check happens when BuiltinDumpStructGenerator tries to
/// build calls to it.
///
/// \returns the PseudoObjectExpr wrapping the generated calls, or ExprError()
/// if anything was diagnosed.
static ExprResult BuiltinDumpStruct(Sema &S, CallExpr *TheCall) {
  if (S.checkArgCountAtLeast(TheCall, 2))
    return ExprError();

  ExprResult RecordPtr = S.DefaultLvalueConversion(TheCall->getArg(0));
  if (RecordPtr.isInvalid())
    return ExprError();
  TheCall->setArg(0, RecordPtr.get());

  // First argument should be a pointer to a struct.
  const QualType RecordPtrTy = RecordPtr.get()->getType();
  const bool IsRecordPointer = RecordPtrTy->isPointerType() &&
                               RecordPtrTy->getPointeeType()->isRecordType();
  if (!IsRecordPointer) {
    S.Diag(RecordPtr.get()->getBeginLoc(),
           diag::err_expected_struct_pointer_argument)
        << 1 << TheCall->getDirectCallee() << RecordPtrTy;
    return ExprError();
  }

  const QualType RecordTy = RecordPtrTy->getPointeeType();
  const RecordDecl *RD = RecordTy->getAsRecordDecl();
  // Try to instantiate the class template as appropriate; otherwise, access to
  // its data() may lead to a crash.
  if (S.RequireCompleteType(RecordPtr.get()->getBeginLoc(), RecordTy,
                            diag::err_incomplete_type))
    return ExprError();

  // Second argument is a callable, but we can't fully validate it until we try
  // calling it.
  const QualType CalleeTy = TheCall->getArg(1)->getType();
  const bool LooksCallable =
      CalleeTy->isFunctionType() || CalleeTy->isFunctionPointerType() ||
      CalleeTy->isBlockPointerType() ||
      (S.getLangOpts().CPlusPlus && CalleeTy->isRecordType());
  if (!LooksCallable) {
    const auto *BT = CalleeTy->getAs<BuiltinType>();
    switch (BT ? BT->getKind() : BuiltinType::Void) {
    case BuiltinType::Dependent:
    case BuiltinType::Overload:
    case BuiltinType::BoundMember:
    case BuiltinType::PseudoObject:
    case BuiltinType::UnknownAny:
    case BuiltinType::BuiltinFn:
      // This might be a callable.
      break;

    default:
      S.Diag(TheCall->getArg(1)->getBeginLoc(),
             diag::err_expected_callable_argument)
          << 2 << TheCall->getDirectCallee() << CalleeTy;
      return ExprError();
    }
  }

  BuiltinDumpStructGenerator Generator(S, TheCall);

  // Wrap parentheses around the given pointer. This is not necessary for
  // correct code generation, but it means that when we pretty-print the call
  // arguments in our diagnostics we will produce '(&s)->n' instead of the
  // incorrect '&s->n'.
  Expr *Unwrapped = RecordPtr.get();
  Expr *Parenthesized = new (S.Context)
      ParenExpr(Unwrapped->getBeginLoc(),
                S.getLocForEndOfToken(Unwrapped->getEndLoc()), Unwrapped);
  if (Generator.dumpUnnamedRecord(RD, Parenthesized, 0))
    return ExprError();

  return Generator.buildWrapper();
}
791
/// Semantic check for the call-with-static-chain builtin.
///
/// Requires two arguments. The first must be a plain call expression that is
/// not a block call, not a call to a builtin function, and not a
/// pseudo-destructor call. The second must have pointer type after the usual
/// unary conversions. On success the builtin callee is cast to a function
/// pointer type built from the inner call's return type and the chain type,
/// and the builtin call takes over the inner call's type, value kind and
/// object kind.
///
/// \returns true on error.
static bool BuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
  if (S.checkArgCount(BuiltinCall, 2))
    return true;

  const SourceLocation BuiltinLoc = BuiltinCall->getBeginLoc();
  Expr *Callee = BuiltinCall->getCallee()->IgnoreImpCasts();
  Expr *InnerCall = BuiltinCall->getArg(0);
  Expr *Chain = BuiltinCall->getArg(1);

  // Every rejection of the first argument is reported at the builtin's
  // location and highlights the offending argument.
  const auto RejectInnerCall = [&](unsigned DiagID) {
    S.Diag(BuiltinLoc, DiagID) << InnerCall->getSourceRange();
    return true;
  };

  if (InnerCall->getStmtClass() != Stmt::CallExprClass)
    return RejectInnerCall(diag::err_first_argument_to_cwsc_not_call);

  auto *CE = cast<CallExpr>(InnerCall);
  if (CE->getCallee()->getType()->isBlockPointerType())
    return RejectInnerCall(diag::err_first_argument_to_cwsc_block_call);

  const Decl *TargetDecl = CE->getCalleeDecl();
  const auto *TargetFn = dyn_cast_or_null<FunctionDecl>(TargetDecl);
  if (TargetFn && TargetFn->getBuiltinID())
    return RejectInnerCall(diag::err_first_argument_to_cwsc_builtin_call);

  if (isa<CXXPseudoDestructorExpr>(CE->getCallee()->IgnoreParens()))
    return RejectInnerCall(diag::err_first_argument_to_cwsc_pdtor_call);

  ExprResult ConvertedChain = S.UsualUnaryConversions(Chain);
  if (ConvertedChain.isInvalid())
    return true;
  const QualType ChainTy = ConvertedChain.get()->getType();
  if (!ChainTy->isPointerType()) {
    S.Diag(BuiltinLoc, diag::err_second_argument_to_cwsc_not_pointer)
        << Chain->getSourceRange();
    return true;
  }

  // Synthesize the function pointer type the builtin callee is cast to.
  const QualType ReturnTy = CE->getCallReturnType(S.Context);
  QualType ParamTys[2] = {ReturnTy, ChainTy};
  const QualType FnTy = S.Context.getFunctionType(
      ReturnTy, ParamTys, FunctionProtoType::ExtProtoInfo());
  const QualType FnPtrTy = S.Context.getPointerType(FnTy);

  Callee = S.ImpCastExprToType(Callee, FnPtrTy, CK_BuiltinFnToFnPtr).get();

  // The builtin call evaluates to whatever the wrapped call evaluates to.
  BuiltinCall->setType(CE->getType());
  BuiltinCall->setValueKind(CE->getValueKind());
  BuiltinCall->setObjectKind(CE->getObjectKind());
  BuiltinCall->setCallee(Callee);
  BuiltinCall->setArg(1, ConvertedChain.get());

  return false;
}
854
855 namespace {
856
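/// Format-string handler that checks scanf-family destinations at compile
/// time.
///
/// For every %s, %[...] and %c conversion that carries a constant field
/// width, the handler compares the number of bytes the conversion can store
/// (the field width, plus one NUL byte for %s and %[...]) with the size of the
/// destination object, and reports the pair through \c Diagnose when the
/// destination is smaller.
///
/// Conversions without a constant field width are skipped, so the absence of
/// a diagnostic says nothing about whether the read is bounded.
///
/// Both callbacks are held as llvm::function_ref, which does not own the
/// callable: the callables must outlive the handler.
class ScanfDiagnosticFormatHandler
    : public analyze_format_string::FormatStringHandler {
  // Accepts the argument index (relative to the first destination index) of the
  // argument whose size we want.
  using ComputeSizeFunction =
      llvm::function_ref<std::optional<llvm::APSInt>(unsigned)>;

  // Accepts the argument index (relative to the first destination index), the
  // destination size, and the source size.
  using DiagnoseFunction =
      llvm::function_ref<void(unsigned, unsigned, unsigned)>;

  ComputeSizeFunction ComputeSizeArgument;
  DiagnoseFunction Diagnose;

public:
  /// \param ComputeSizeArgument returns the destination object size for a
  ///        data-argument index, or std::nullopt when it is unknown.
  /// \param Diagnose called with (argument index, destination size, source
  ///        size) for each conversion that can overrun its destination.
  ScanfDiagnosticFormatHandler(ComputeSizeFunction ComputeSizeArgument,
                               DiagnoseFunction Diagnose)
      : ComputeSizeArgument(ComputeSizeArgument), Diagnose(Diagnose) {}

  /// Checks one scanf conversion against its destination.
  ///
  /// Always returns true, including after a diagnostic has been reported
  /// (presumably so that the parser keeps walking the format string - confirm
  /// against FormatStringHandler).
  bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
                            const char *StartSpecifier,
                            unsigned specifierLen) override {
    if (!FS.consumesDataArgument())
      return true;

    // %s and %[...] store a terminating NUL after the matched bytes; %c does
    // not. Every other conversion is out of scope for this check.
    unsigned NulByte = 0;
    switch ((FS.getConversionSpecifier().getKind())) {
    default:
      return true;
    case analyze_format_string::ConversionSpecifier::sArg:
    case analyze_format_string::ConversionSpecifier::ScanListArg:
      NulByte = 1;
      break;
    case analyze_format_string::ConversionSpecifier::cArg:
      break;
    }

    // Without a constant field width the number of bytes written is not known
    // here, so nothing can be proven.
    analyze_format_string::OptionalAmount FW = FS.getFieldWidth();
    if (FW.getHowSpecified() !=
        analyze_format_string::OptionalAmount::HowSpecified::Constant)
      return true;

    // NOTE(review): this sum is computed in 'unsigned'; a field width of
    // UINT_MAX together with a NUL byte would wrap to 0 - confirm whether the
    // parser can produce such a width.
    unsigned SourceSize = FW.getConstantAmount() + NulByte;

    std::optional<llvm::APSInt> DestSizeAPS =
        ComputeSizeArgument(FS.getArgIndex());
    if (!DestSizeAPS)
      return true;

    // Keep the object size at its full 64 bits for the comparison. Narrowing
    // it to 'unsigned' first would make a destination of 4 GiB or more look
    // small (exactly 4 GiB would become 0) and produce a bogus overflow
    // warning.
    const uint64_t DestSize = DestSizeAPS->getZExtValue();

    // DestSize < SourceSize <= UINT_MAX here, so the narrowing cast is exact.
    if (DestSize < SourceSize)
      Diagnose(FS.getArgIndex(), static_cast<unsigned>(DestSize), SourceSize);

    return true;
  }
};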
915
/// Format-string handler that computes a lower bound on the number of bytes a
/// printf-style call writes, terminating NUL included.
///
/// The running total starts at the length of the format text plus one. Each
/// conversion then adds the shortest output it can produce and subtracts the
/// length of its own specifier text, which the initial total had counted.
/// Because the result is a lower bound, a destination that is at least this
/// large is not thereby proven large enough.
class EstimateSizeFormatHandler
    : public analyze_format_string::FormatStringHandler {
  // Running lower bound, in bytes.
  size_t Size;
  /// Cleared once a %p conversion is seen. The Linux kernel gives %p its own
  /// extended meaning, so users of this handler select a different diagnostic
  /// through isKernelCompatible() in that case.
  bool IsKernelCompatible = true;

public:
  /// Seeds the bound with the format text up to (not including) its first
  /// embedded NUL, or the whole text when there is none.
  EstimateSizeFormatHandler(StringRef Format)
      : Size(std::min(Format.find(0), Format.size()) +
             1 /* null byte always written by sprintf */) {}

  /// Accounts for one conversion specifier. Always returns true.
  bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
                             const char *, unsigned SpecifierLen,
                             const TargetInfo &) override {
    using CS = analyze_format_string::ConversionSpecifier;

    const size_t Width = computeFieldWidth(FS);
    const size_t Prec = computePrecision(FS);
    // Period plus fractional digits; nothing at all when the precision is 0.
    const size_t Fraction = Prec ? 1 + Prec : 0;
    const auto Kind = FS.getConversionSpecifier().getKind();

    // Shortest output of the conversion itself.
    switch (Kind) {
    // A single character.
    case CS::cArg:
    case CS::CArg:
      Size += std::max<size_t>(Width, 1);
      break;

    // An integer: at least 'precision' digits.
    case CS::dArg:
    case CS::DArg:
    case CS::iArg:
    case CS::oArg:
    case CS::OArg:
    case CS::uArg:
    case CS::UArg:
    case CS::xArg:
    case CS::XArg:
      Size += std::max(Width, Prec);
      break;

    // %g picks between %f and %e style at run time, drops trailing zeros and
    // omits the decimal point when no digits follow it, so it can print a
    // single digit.
    // FIXME: In the alternative form trailing zeros are not removed from the
    // result of g and G conversions.
    case CS::gArg:
    case CS::GArg:
      Size += 1;
      break;

    // Floating point number in the form '[+]ddd.ddd'.
    case CS::fArg:
    case CS::FArg:
      Size += std::max(Width, 1 /* integer part */ + Fraction);
      break;

    // Floating point number in the form '[-]d.ddde[+-]dd'.
    case CS::eArg:
    case CS::EArg:
      Size += std::max(Width, 1 /* integer part */ + Fraction +
                                  1 /* e or E letter */ + 2 /* exponent */);
      break;

    // Floating point number in the form '[-]0xh.hhhhp±dd'.
    case CS::aArg:
    case CS::AArg:
      Size += std::max(Width, 2 /* 0x */ + 1 /* integer part */ + Fraction +
                                  1 /* p or P letter */ + 1 /* + or - */ +
                                  1 /* value */);
      break;

    // A string: possibly empty, so only the field width is guaranteed.
    case CS::sArg:
    case CS::SArg:
      Size += Width;
      break;

    // A pointer in the form '0xddd'.
    case CS::pArg:
      // The Linux kernel has its own extension for the `%p` specifier.
      // Kernel document:
      // https://docs.kernel.org/core-api/printk-formats.html#pointer-types
      IsKernelCompatible = false;
      Size += std::max(Width, 2 /* leading 0x */ + Prec);
      break;

    // A plain percent.
    case CS::PercentArg:
      Size += 1;
      break;

    default:
      break;
    }

    // A '+' or ' ' flag contributes one sign character.
    if (FS.hasPlusPrefix() || FS.hasSpacePrefix())
      ++Size;

    if (FS.hasAlternativeForm()) {
      switch (Kind) {
      // For a, A, e, E, f, F, g and G conversions the result always contains
      // a decimal point, so one is added when the precision alone would not
      // have produced it.
      case CS::aArg:
      case CS::AArg:
      case CS::eArg:
      case CS::EArg:
      case CS::fArg:
      case CS::FArg:
      case CS::gArg:
      case CS::GArg:
        if (Prec == 0)
          ++Size;
        break;

      // o, b, x and X only gain a prefix for a nonzero value (o widens the
      // precision just enough to force a leading zero; b adds 0b; x/X add
      // 0x/0X), and a zero value adds nothing, so the lower bound is
      // unchanged. Even when the prefix is added, it does not grow the output
      // if (prefix_width <= FieldWidth - formatted_length) holds,
      // e.g. ("%#3x", 0xf) is "0xf".
      // For the remaining conversions the behavior is undefined.
      default:
        break;
      }
    }

    // The initial total counted the specifier's own text; take it back out.
    assert(SpecifierLen <= Size && "no underflow");
    Size -= SpecifierLen;
    return true;
  }

  /// Lower bound, in bytes, accumulated so far.
  size_t getSizeLowerBound() const { return Size; }
  /// False once a %p conversion has been handled.
  bool isKernelCompatible() const { return IsKernelCompatible; }

private:
  /// Returns the constant field width of \p FS, or 0 when the width is absent
  /// or not a constant.
  static size_t computeFieldWidth(const analyze_printf::PrintfSpecifier &FS) {
    const analyze_format_string::OptionalAmount &Amount = FS.getFieldWidth();
    if (Amount.getHowSpecified() !=
        analyze_format_string::OptionalAmount::Constant)
      return 0;
    return Amount.getConstantAmount();
  }

  /// Returns the precision of \p FS: the constant written in the format, the
  /// per-conversion default when none is written (see man 3 printf), or 0
  /// when it is neither absent nor a constant.
  static size_t computePrecision(const analyze_printf::PrintfSpecifier &FS) {
    using CS = analyze_format_string::ConversionSpecifier;
    using OA = analyze_format_string::OptionalAmount;

    const OA &Amount = FS.getPrecision();
    switch (Amount.getHowSpecified()) {
    case OA::Constant:
      return Amount.getConstantAmount();
    case OA::NotSpecified:
      break; // Fall back to the conversion's default below.
    default:
      return 0;
    }

    switch (FS.getConversionSpecifier().getKind()) {
    case CS::dArg: // %d
    case CS::DArg: // %D
    case CS::iArg: // %i
    case CS::oArg: // %o
    case CS::OArg: // %O
    case CS::uArg: // %u
    case CS::UArg: // %U
    case CS::xArg: // %x
    case CS::XArg: // %X
    case CS::pArg: // %p
      return 1;
    case CS::fArg: // %f
    case CS::FArg: // %F
    case CS::eArg: // %e
    case CS::EArg: // %E
    case CS::gArg: // %g
    case CS::GArg: // %G
      return 6;
    default:
      return 0;
    }
  }
};
1118
1119 } // namespace
1120
/// Extracts the text of a format argument when it is a narrow string literal.
///
/// \param FormatExpr   expression passed as the format argument.
/// \param FormatStrRef receives the literal's bytes on success.
/// \param StrLen       receives the number of bytes to analyze: the offset of
///                     the first embedded NUL, capped at the literal's array
///                     size minus one.
/// \param Context      used to look up the literal's constant array type.
/// \returns true when \p FormatExpr is an ordinary or UTF-8 string literal.
///          Otherwise returns false and leaves both out-parameters untouched,
///          so callers must not read them in that case.
static bool ProcessFormatStringLiteral(const Expr *FormatExpr,
                                       StringRef &FormatStrRef, size_t &StrLen,
                                       ASTContext &Context) {
  const auto *Literal = dyn_cast<StringLiteral>(FormatExpr);
  if (!Literal)
    return false;
  // Only ordinary and UTF-8 literals are handled.
  if (!Literal->isOrdinary() && !Literal->isUTF8())
    return false;

  FormatStrRef = Literal->getString();

  const ConstantArrayType *ArrayTy =
      Context.getAsConstantArrayType(Literal->getType());
  assert(ArrayTy && "String literal not of constant array type!");

  // The max() guards the subtraction against an array size of zero.
  const size_t ArraySize = ArrayTy->getZExtSize();
  const size_t LastIndex = std::max(ArraySize, size_t(1)) - 1;

  // In case there's a null byte somewhere in the literal.
  const size_t FirstNul = FormatStrRef.find(0);
  StrLen = std::min(LastIndex, FirstNul);
  return true;
}
1137
/// Compile-time counterpart of the _FORTIFY_SOURCE checks for calls to known
/// string, memory and formatted-I/O builtins.
///
/// For the builtin being called (or the one named by a diagnose_as_builtin
/// attribute on \p FD) this computes a "source" size - the number of bytes the
/// call writes or is told it may write - and a "destination" size, and emits a
/// warning when the source is strictly larger.
///
/// The check only fires when both sizes can be evaluated at compile time. If
/// either is unknown the function returns silently, so a clean compile is not
/// evidence that the call is in bounds.
///
/// \param FD      declaration of the function being called.
/// \param TheCall the call expression to check.
void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
                                               CallExpr *TheCall) {
  // Nothing can be evaluated for dependent calls, and the check is skipped in
  // constant-evaluated contexts.
  if (TheCall->isValueDependent() || TheCall->isTypeDependent() ||
      isConstantEvaluatedContext())
    return;

  bool UseDABAttr = false;
  const FunctionDecl *UseDecl = FD;

  // With a diagnose_as_builtin attribute, check the call as if it were a call
  // to the function the attribute names.
  const auto *DABAttr = FD->getAttr<DiagnoseAsBuiltinAttr>();
  if (DABAttr) {
    UseDecl = DABAttr->getFunction();
    assert(UseDecl && "Missing FunctionDecl in DiagnoseAsBuiltin attribute!");
    UseDABAttr = true;
  }

  unsigned BuiltinID = UseDecl->getBuiltinID(/*ConsiderWrappers=*/true);

  // Not a builtin: nothing to check.
  if (!BuiltinID)
    return;

  const TargetInfo &TI = getASTContext().getTargetInfo();
  // Bit width of the target's size_t; computed sizes are brought to this
  // width before being compared.
  unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());

  // Maps an argument index of the builtin to an argument index of TheCall.
  // NOTE(review): without the attribute the index is returned unchecked, so
  // the getArg() calls below rely on the call already having the builtin's
  // arity - presumably guaranteed by earlier argument checking; confirm.
  auto TranslateIndex = [&](unsigned Index) -> std::optional<unsigned> {
    // If we refer to a diagnose_as_builtin attribute, we need to change the
    // argument index to refer to the arguments of the called function. Unless
    // the index is out of bounds, which presumably means it's a variadic
    // function.
    if (!UseDABAttr)
      return Index;
    unsigned DABIndices = DABAttr->argIndices_size();
    unsigned NewIndex = Index < DABIndices
                            ? DABAttr->argIndices_begin()[Index]
                            : Index - DABIndices + FD->getNumParams();
    if (NewIndex >= TheCall->getNumArgs())
      return std::nullopt;
    return NewIndex;
  };

  // Size taken from an explicit size argument of the call. Yields nullopt
  // when the argument is not an integer constant.
  auto ComputeExplicitObjectSizeArgument =
      [&](unsigned Index) -> std::optional<llvm::APSInt> {
    std::optional<unsigned> IndexOptional = TranslateIndex(Index);
    if (!IndexOptional)
      return std::nullopt;
    unsigned NewIndex = *IndexOptional;
    Expr::EvalResult Result;
    Expr *SizeArg = TheCall->getArg(NewIndex);
    if (!SizeArg->EvaluateAsInt(Result, getASTContext()))
      return std::nullopt;
    llvm::APSInt Integer = Result.Val.getInt();
    // Sizes are compared as unsigned quantities.
    Integer.setIsUnsigned(true);
    return Integer;
  };

  // Size of the object a pointer argument points to. Yields nullopt when the
  // object size cannot be evaluated.
  auto ComputeSizeArgument =
      [&](unsigned Index) -> std::optional<llvm::APSInt> {
    // If the parameter has a pass_object_size attribute, then we should use its
    // (potentially) more strict checking mode. Otherwise, conservatively assume
    // type 0.
    int BOSType = 0;
    // This check can fail for variadic functions.
    if (Index < FD->getNumParams()) {
      if (const auto *POS =
              FD->getParamDecl(Index)->getAttr<PassObjectSizeAttr>())
        BOSType = POS->getType();
    }

    std::optional<unsigned> IndexOptional = TranslateIndex(Index);
    if (!IndexOptional)
      return std::nullopt;
    unsigned NewIndex = *IndexOptional;

    if (NewIndex >= TheCall->getNumArgs())
      return std::nullopt;

    const Expr *ObjArg = TheCall->getArg(NewIndex);
    uint64_t Result;
    if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
      return std::nullopt;

    // Get the object size in the target's size_t width.
    return llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
  };

  // Bytes occupied by a string argument, terminator included. Yields nullopt
  // when the string length cannot be evaluated.
  auto ComputeStrLenArgument =
      [&](unsigned Index) -> std::optional<llvm::APSInt> {
    std::optional<unsigned> IndexOptional = TranslateIndex(Index);
    if (!IndexOptional)
      return std::nullopt;
    unsigned NewIndex = *IndexOptional;

    const Expr *ObjArg = TheCall->getArg(NewIndex);
    uint64_t Result;
    if (!ObjArg->tryEvaluateStrLen(Result, getASTContext()))
      return std::nullopt;
    // Add 1 for null byte.
    return llvm::APSInt::getUnsigned(Result + 1).extOrTrunc(SizeTypeWidth);
  };

  // Filled in by the switch below; the comparison after it needs both.
  std::optional<llvm::APSInt> SourceSize;
  std::optional<llvm::APSInt> DestinationSize;
  unsigned DiagID = 0;
  bool IsChkVariant = false;

  // Reads IsChkVariant when it is called, not when it is defined, so it must
  // only be used after the matching case has set the flag.
  auto GetFunctionName = [&]() {
    StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID);
    // Skim off the details of whichever builtin was called to produce a better
    // diagnostic, as it's unlikely that the user wrote the __builtin
    // explicitly.
    if (IsChkVariant) {
      FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
      FunctionName = FunctionName.drop_back(std::strlen("_chk"));
    } else {
      FunctionName.consume_front("__builtin_");
    }
    return FunctionName;
  };

  switch (BuiltinID) {
  default:
    return;
  // strcpy: source string (with its terminator) against the destination
  // object.
  case Builtin::BI__builtin_strcpy:
  case Builtin::BIstrcpy: {
    DiagID = diag::warn_fortify_strlen_overflow;
    SourceSize = ComputeStrLenArgument(1);
    DestinationSize = ComputeSizeArgument(0);
    break;
  }

  // __strcpy_chk: same, but the destination size is the explicit argument 2.
  case Builtin::BI__builtin___strcpy_chk: {
    DiagID = diag::warn_fortify_strlen_overflow;
    SourceSize = ComputeStrLenArgument(1);
    DestinationSize = ComputeExplicitObjectSizeArgument(2);
    IsChkVariant = true;
    break;
  }

  // scanf family: each %s, %[ and %c conversion with a constant field width
  // is checked against its own destination argument.
  case Builtin::BIscanf:
  case Builtin::BIfscanf:
  case Builtin::BIsscanf: {
    // fscanf and sscanf take a stream or buffer before the format string.
    // DataIndex is the index of the first destination argument.
    unsigned FormatIndex = 1;
    unsigned DataIndex = 2;
    if (BuiltinID == Builtin::BIscanf) {
      FormatIndex = 0;
      DataIndex = 1;
    }

    const auto *FormatExpr =
        TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();

    // Only literal format strings can be analyzed.
    StringRef FormatStrRef;
    size_t StrLen;
    if (!ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context))
      return;

    // ArgIndex is relative to the first destination argument; the diagnostic
    // is given Index + 1 (presumably a 1-based argument number - confirm
    // against the diagnostic text).
    auto Diagnose = [&](unsigned ArgIndex, unsigned DestSize,
                        unsigned SourceSize) {
      DiagID = diag::warn_fortify_scanf_overflow;
      unsigned Index = ArgIndex + DataIndex;
      StringRef FunctionName = GetFunctionName();
      DiagRuntimeBehavior(TheCall->getArg(Index)->getBeginLoc(), TheCall,
                          PDiag(DiagID) << FunctionName << (Index + 1)
                                        << DestSize << SourceSize);
    };

    auto ShiftedComputeSizeArgument = [&](unsigned Index) {
      return ComputeSizeArgument(Index + DataIndex);
    };
    ScanfDiagnosticFormatHandler H(ShiftedComputeSizeArgument, Diagnose);
    const char *FormatBytes = FormatStrRef.data();
    analyze_format_string::ParseScanfString(H, FormatBytes,
                                            FormatBytes + StrLen, getLangOpts(),
                                            Context.getTargetInfo());

    // Unlike the other cases, in this one we have already issued the diagnostic
    // here, so no need to continue (because unlike the other cases, here the
    // diagnostic refers to the argument number).
    return;
  }

  // sprintf / __sprintf_chk: a lower bound on the formatted output against
  // the destination. Reaches the common comparison only when the format is a
  // literal and ParsePrintfString returns false; otherwise returns without a
  // diagnostic.
  case Builtin::BIsprintf:
  case Builtin::BI__builtin___sprintf_chk: {
    size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3;
    auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();

    StringRef FormatStrRef;
    size_t StrLen;
    if (ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context)) {
      EstimateSizeFormatHandler H(FormatStrRef);
      const char *FormatBytes = FormatStrRef.data();
      if (!analyze_format_string::ParsePrintfString(
              H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
              Context.getTargetInfo(), /*isFreeBSDKPrintf=*/false)) {
        DiagID = H.isKernelCompatible()
                     ? diag::warn_format_overflow
                     : diag::warn_format_overflow_non_kprintf;
        SourceSize = llvm::APSInt::getUnsigned(H.getSizeLowerBound())
                         .extOrTrunc(SizeTypeWidth);
        if (BuiltinID == Builtin::BI__builtin___sprintf_chk) {
          DestinationSize = ComputeExplicitObjectSizeArgument(2);
          IsChkVariant = true;
        } else {
          DestinationSize = ComputeSizeArgument(0);
        }
        // Leaves the switch for the common comparison below.
        break;
      }
    }
    return;
  }
  // _chk memory/string builtins: both sizes are explicit - the byte count is
  // the second-to-last argument and the destination size the last one.
  case Builtin::BI__builtin___memcpy_chk:
  case Builtin::BI__builtin___memmove_chk:
  case Builtin::BI__builtin___memset_chk:
  case Builtin::BI__builtin___strlcat_chk:
  case Builtin::BI__builtin___strlcpy_chk:
  case Builtin::BI__builtin___strncat_chk:
  case Builtin::BI__builtin___strncpy_chk:
  case Builtin::BI__builtin___stpncpy_chk:
  case Builtin::BI__builtin___memccpy_chk:
  case Builtin::BI__builtin___mempcpy_chk: {
    DiagID = diag::warn_builtin_chk_overflow;
    SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 2);
    DestinationSize =
        ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
    IsChkVariant = true;
    break;
  }

  // __snprintf_chk / __vsnprintf_chk: the size limit (argument 1) against the
  // explicit destination size (argument 3).
  case Builtin::BI__builtin___snprintf_chk:
  case Builtin::BI__builtin___vsnprintf_chk: {
    DiagID = diag::warn_builtin_chk_overflow;
    SourceSize = ComputeExplicitObjectSizeArgument(1);
    DestinationSize = ComputeExplicitObjectSizeArgument(3);
    IsChkVariant = true;
    break;
  }

  case Builtin::BIstrncat:
  case Builtin::BI__builtin_strncat:
  case Builtin::BIstrncpy:
  case Builtin::BI__builtin_strncpy:
  case Builtin::BIstpncpy:
  case Builtin::BI__builtin_stpncpy: {
    // Whether these functions overflow depends on the runtime strlen of the
    // string, not just the buffer size, so emitting the "always overflow"
    // diagnostic isn't quite right. We should still diagnose passing a buffer
    // size larger than the destination buffer though; this is a runtime abort
    // in _FORTIFY_SOURCE mode, and is quite suspicious otherwise.
    DiagID = diag::warn_fortify_source_size_mismatch;
    SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
    DestinationSize = ComputeSizeArgument(0);
    break;
  }

  // mem* builtins: the byte count (last argument) against the destination
  // object.
  case Builtin::BImemcpy:
  case Builtin::BI__builtin_memcpy:
  case Builtin::BImemmove:
  case Builtin::BI__builtin_memmove:
  case Builtin::BImemset:
  case Builtin::BI__builtin_memset:
  case Builtin::BImempcpy:
  case Builtin::BI__builtin_mempcpy: {
    DiagID = diag::warn_fortify_source_overflow;
    SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
    DestinationSize = ComputeSizeArgument(0);
    break;
  }
  // snprintf / vsnprintf: two independent checks. A truncation warning is
  // issued right here when a literal format needs more bytes than the
  // (nonzero) size limit; the size limit itself is then compared with the
  // destination object by the common code below.
  case Builtin::BIsnprintf:
  case Builtin::BI__builtin_snprintf:
  case Builtin::BIvsnprintf:
  case Builtin::BI__builtin_vsnprintf: {
    DiagID = diag::warn_fortify_source_size_mismatch;
    SourceSize = ComputeExplicitObjectSizeArgument(1);
    const auto *FormatExpr = TheCall->getArg(2)->IgnoreParenImpCasts();
    StringRef FormatStrRef;
    size_t StrLen;
    if (SourceSize &&
        ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context)) {
      EstimateSizeFormatHandler H(FormatStrRef);
      const char *FormatBytes = FormatStrRef.data();
      if (!analyze_format_string::ParsePrintfString(
              H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
              Context.getTargetInfo(), /*isFreeBSDKPrintf=*/false)) {
        llvm::APSInt FormatSize =
            llvm::APSInt::getUnsigned(H.getSizeLowerBound())
                .extOrTrunc(SizeTypeWidth);
        // A size limit of 0 is excluded from the truncation warning.
        if (FormatSize > *SourceSize && *SourceSize != 0) {
          unsigned TruncationDiagID =
              H.isKernelCompatible() ? diag::warn_format_truncation
                                     : diag::warn_format_truncation_non_kprintf;
          SmallString<16> SpecifiedSizeStr;
          SmallString<16> FormatSizeStr;
          SourceSize->toString(SpecifiedSizeStr, /*Radix=*/10);
          FormatSize.toString(FormatSizeStr, /*Radix=*/10);
          DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
                              PDiag(TruncationDiagID)
                                  << GetFunctionName() << SpecifiedSizeStr
                                  << FormatSizeStr);
        }
      }
    }
    DestinationSize = ComputeSizeArgument(0);
  }
  }

  // Common comparison: stay silent unless both sizes are known and the source
  // is strictly larger than the destination.
  if (!SourceSize || !DestinationSize ||
      llvm::APSInt::compareValues(*SourceSize, *DestinationSize) <= 0)
    return;

  StringRef FunctionName = GetFunctionName();

  SmallString<16> DestinationStr;
  SmallString<16> SourceStr;
  DestinationSize->toString(DestinationStr, /*Radix=*/10);
  SourceSize->toString(SourceStr, /*Radix=*/10);
  DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
                      PDiag(DiagID)
                          << FunctionName << DestinationStr << SourceStr);
}
1457
/// Checks that a builtin call appears inside an SEH except scope that carries
/// the required flags.
///
/// \param SemaRef          semantic analyzer, used for the current scope and
///                         for emitting the diagnostic.
/// \param TheCall          the builtin call being checked.
/// \param NeededScopeFlags flags the nearest enclosing SEH except scope must
///                         have at least one of.
/// \param DiagID           diagnostic to emit when the check fails; it is
///                         given the callee's identifier.
/// \returns true if a diagnostic was emitted, false if the call is acceptable
///          or the check was skipped.
static bool BuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,
                                 Scope::ScopeFlags NeededScopeFlags,
                                 unsigned DiagID) {
  // Scopes aren't available during instantiation. Fortunately, builtin
  // functions cannot be template args so they cannot be formed through template
  // instantiation. Therefore checking once during the parse is sufficient.
  if (SemaRef.inTemplateInstantiation())
    return false;

  // Walk outwards to the nearest enclosing SEH except scope, if there is one.
  Scope *ExceptScope = SemaRef.getCurScope();
  for (; ExceptScope; ExceptScope = ExceptScope->getParent())
    if (ExceptScope->isSEHExceptScope())
      break;

  if (ExceptScope && (ExceptScope->getFlags() & NeededScopeFlags))
    return false;

  // No such scope, or it lacks the needed flags: name the builtin in the
  // diagnostic.
  auto *Callee = cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
  SemaRef.Diag(TheCall->getExprLoc(), DiagID)
      << Callee->getDecl()->getIdentifier();
  return true;
}
1479
namespace {
/// Role an operand plays in a pointer-authentication builtin. The role decides
/// which operand types checkPointerAuthValue accepts and which extra checks it
/// applies.
enum PointerAuthOpKind {
  /// Value operand of the strip builtin (pointer or null pointer).
  PAO_Strip,
  /// Value being signed (pointer or null pointer); a null pointer constant is
  /// warned about.
  PAO_Sign,
  /// Value being authenticated (pointer or null pointer); a null pointer
  /// constant is warned about.
  PAO_Auth,
  /// Data operand of the generic-data signing builtin (pointer or integer).
  PAO_SignGeneric,
  /// Discriminator operand (pointer or integer).
  PAO_Discriminator,
  /// First operand of the blend-discriminator builtin (pointer only).
  PAO_BlendPointer,
  /// Second operand of the blend-discriminator builtin (integer only).
  PAO_BlendInteger,
};
} // namespace
1491
/// Diagnoses use of a pointer-authentication feature when the
/// PointerAuthIntrinsics language option is off.
///
/// \param Loc   location the diagnostic is reported at.
/// \param Range source range attached to the diagnostic.
/// \returns true if the feature is disabled (an error was emitted), false if
///          it is enabled.
bool Sema::checkPointerAuthEnabled(SourceLocation Loc, SourceRange Range) {
  const bool Disabled = !getLangOpts().PointerAuthIntrinsics;
  if (Disabled)
    Diag(Loc, diag::err_ptrauth_disabled) << Range;
  return Disabled;
}
1499
/// Convenience overload: runs Sema::checkPointerAuthEnabled at the location
/// and source range of \p E.
///
/// \returns true if pointer authentication is disabled (an error was emitted).
static bool checkPointerAuthEnabled(Sema &S, Expr *E) {
  const SourceLocation Where = E->getExprLoc();
  const SourceRange Covered = E->getSourceRange();
  return S.checkPointerAuthEnabled(Where, Covered);
}
1503
/// Checks the key operand of a pointer-authentication builtin.
///
/// The operand is converted to 'int' in place and, unless it is
/// value-dependent, must be a constant that the target accepts as a key.
///
/// \param S   semantic analyzer.
/// \param Arg the key operand; replaced by the converted expression.
/// \returns true on error (a diagnostic has been emitted), false otherwise.
static bool checkPointerAuthKey(Sema &S, Expr *&Arg) {
  // Convert it to type 'int'.
  const bool ConversionFailed = convertArgumentToType(S, Arg, S.Context.IntTy);
  if (ConversionFailed)
    return true;

  if (!Arg->isValueDependent()) {
    // Only the validation matters here; the key value itself is not used.
    unsigned IgnoredKey = 0;
    return S.checkConstantPointerAuthKey(Arg, IgnoredKey);
  }

  // Value-dependent expressions are okay; wait for template instantiation.
  return false;
}
1516
/// Evaluates a pointer-authentication key operand and validates it against
/// the target.
///
/// \param Arg    the key expression; must be an integer constant expression.
/// \param Result receives the key value on success. It is left untouched on
///               failure, so callers must not read it when true is returned.
/// \returns true on error (a diagnostic has been emitted), false on success.
bool Sema::checkConstantPointerAuthKey(Expr *Arg, unsigned &Result) {
  // Attempt to constant-evaluate the expression.
  std::optional<llvm::APSInt> Key = Arg->getIntegerConstantExpr(Context);
  if (!Key.has_value()) {
    Diag(Arg->getExprLoc(), diag::err_expr_not_ice)
        << 0 << Arg->getSourceRange();
    return true;
  }

  // Ask the target to validate the key parameter.
  if (Context.getTargetInfo().validatePointerAuthKey(*Key)) {
    Result = Key->getZExtValue();
    return false;
  }

  // Rejected by the target: print the offending value into the diagnostic.
  llvm::SmallString<32> Printed;
  {
    llvm::raw_svector_ostream OS(Printed);
    OS << *Key;
  }
  Diag(Arg->getExprLoc(), diag::err_ptrauth_invalid_key)
      << Printed << Arg->getSourceRange();
  return true;
}
1542
/// Evaluates \p E and, if it is an lvalue rooted in a declaration, returns
/// that declaration together with the offset from it.
///
/// \returns {declaration, offset} on success; {nullptr, zero offset} when
///          \p E cannot be evaluated, does not evaluate to an lvalue, or its
///          base is not a ValueDecl.
static std::pair<const ValueDecl *, CharUnits>
findConstantBaseAndOffset(Sema &S, Expr *E) {
  // Must evaluate as a pointer.
  Expr::EvalResult Evaluated;
  const bool IsLValue =
      E->EvaluateAsRValue(Evaluated, S.Context) && Evaluated.Val.isLValue();
  if (!IsLValue)
    return {nullptr, CharUnits()};

  if (const auto *Base =
          Evaluated.Val.getLValueBase().dyn_cast<const ValueDecl *>())
    return {Base, Evaluated.Val.getLValueOffset()};

  return {nullptr, CharUnits()};
}
1557
/// Checks and converts one value or discriminator operand of a
/// pointer-authentication builtin.
///
/// The operand's type must fit the role given by \p OpKind: every role except
/// PAO_BlendInteger accepts a pointer or null pointer, and PAO_Discriminator,
/// PAO_BlendInteger and PAO_SignGeneric accept an integer. The operand is then
/// converted in place to the matching type (the unqualified pointer type,
/// 'void *' for a null pointer, or the uintptr type for an integer).
///
/// \param S               semantic analyzer.
/// \param Arg             the operand; replaced by the converted expression.
/// \param OpKind          role of the operand.
/// \param RequireConstant when true, additionally apply the constant-form
///                        checks used for ptrauth_sign_constant; \p OpKind
///                        must then be PAO_Sign or PAO_Discriminator.
/// \returns true on error (a diagnostic has been emitted), false otherwise.
///          The null-pointer warnings for PAO_Sign and PAO_Auth do not count
///          as errors.
static bool checkPointerAuthValue(Sema &S, Expr *&Arg, PointerAuthOpKind OpKind,
                                  bool RequireConstant = false) {
  if (Arg->hasPlaceholderType()) {
    ExprResult Resolved = S.CheckPlaceholderExpr(Arg);
    if (Resolved.isInvalid())
      return true;
    Arg = Resolved.get();
  }

  // Operand categories this role accepts.
  const bool PointerOK = OpKind != PAO_BlendInteger;
  const bool IntegerOK = OpKind == PAO_Discriminator ||
                         OpKind == PAO_BlendInteger ||
                         OpKind == PAO_SignGeneric;

  // Require the value to have the right range of type.
  const QualType ArgTy = Arg->getType();
  QualType ExpectedTy;
  if (PointerOK && ArgTy->isPointerType()) {
    ExpectedTy = ArgTy.getUnqualifiedType();
  } else if (PointerOK && ArgTy->isNullPtrType()) {
    ExpectedTy = S.Context.VoidPtrTy;
  } else if (IntegerOK && ArgTy->isIntegralOrUnscopedEnumerationType()) {
    ExpectedTy = S.Context.getUIntPtrType();
  } else {
    // Diagnose the failure. The first selector names the operand's role, the
    // second the accepted categories (0: pointer, 1: integer, 2: either).
    unsigned RoleSelect = 0;
    switch (OpKind) {
    case PAO_Discriminator:
      RoleSelect = 1;
      break;
    case PAO_BlendPointer:
      RoleSelect = 2;
      break;
    case PAO_BlendInteger:
      RoleSelect = 3;
      break;
    default:
      break;
    }

    unsigned CategorySelect = 0;
    if (IntegerOK)
      CategorySelect = PointerOK ? 2 : 1;

    S.Diag(Arg->getExprLoc(), diag::err_ptrauth_value_bad_type)
        << RoleSelect << CategorySelect << ArgTy << Arg->getSourceRange();
    return true;
  }

  // Convert to that type. This should just be an lvalue-to-rvalue
  // conversion.
  if (convertArgumentToType(S, Arg, ExpectedTy))
    return true;

  if (!RequireConstant) {
    // Warn about null pointers for non-generic sign and auth operations.
    const bool SignOrAuth = OpKind == PAO_Sign || OpKind == PAO_Auth;
    if (SignOrAuth &&
        Arg->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNull)) {
      const unsigned WarnID = OpKind == PAO_Sign
                                  ? diag::warn_ptrauth_sign_null_pointer
                                  : diag::warn_ptrauth_auth_null_pointer;
      S.Diag(Arg->getExprLoc(), WarnID) << Arg->getSourceRange();
    }

    return false;
  }

  // Perform special checking on the arguments to ptrauth_sign_constant.

  // The main argument.
  if (OpKind == PAO_Sign) {
    // Require the value we're signing to have a special form: it must be
    // rooted in a declaration reference, and if that declaration is a
    // function there can't be an offset. Anything else is fine.
    auto [BaseDecl, Offset] = findConstantBaseAndOffset(S, Arg);
    const bool Invalid =
        !BaseDecl || (isa<FunctionDecl>(BaseDecl) && !Offset.isZero());

    if (Invalid)
      S.Diag(Arg->getExprLoc(), diag::err_ptrauth_bad_constant_pointer);
    return Invalid;
  }

  // The discriminator argument.
  assert(OpKind == PAO_Discriminator);

  // Must be a pointer or integer or blend thereof.
  Expr *Pointer = nullptr;
  Expr *Integer = nullptr;
  if (auto *Blend = dyn_cast<CallExpr>(Arg->IgnoreParens());
      Blend && Blend->getBuiltinCallee() ==
                   Builtin::BI__builtin_ptrauth_blend_discriminator) {
    Pointer = Blend->getArg(0);
    Integer = Blend->getArg(1);
  }
  if (!Pointer && !Integer) {
    // Not a blend: the operand itself is one or the other.
    if (Arg->getType()->isPointerType())
      Pointer = Arg;
    else
      Integer = Arg;
  }

  bool Invalid = false;

  // Check the pointer: it must be rooted in a variable declaration.
  if (Pointer) {
    assert(Pointer->getType()->isPointerType());

    // TODO: if we're initializing a global, check that the address is
    // somehow related to what we're initializing. This probably will
    // never really be feasible and we'll have to catch it at link-time.
    auto [BaseDecl, Offset] = findConstantBaseAndOffset(S, Pointer);
    Invalid = !BaseDecl || !isa<VarDecl>(BaseDecl);
  }

  // Check the integer: it must be evaluatable.
  if (Integer) {
    assert(Integer->getType()->isIntegerType());
    if (!Integer->isEvaluatable(S.Context))
      Invalid = true;
  }

  if (Invalid)
    S.Diag(Arg->getExprLoc(), diag::err_ptrauth_bad_constant_discriminator);
  return Invalid;
}
1684
/// Semantic check for the pointer-authentication strip builtin, which takes a
/// value and a key.
///
/// On success the call's type is set to the (converted) type of its first
/// argument.
///
/// \returns \p Call on success, ExprError() after a diagnostic otherwise.
static ExprResult PointerAuthStrip(Sema &S, CallExpr *Call) {
  if (S.checkArgCount(Call, 2) || checkPointerAuthEnabled(S, Call))
    return ExprError();

  // The checks convert the arguments in place.
  Expr **Args = Call->getArgs();
  if (checkPointerAuthValue(S, Args[0], PAO_Strip))
    return ExprError();
  if (checkPointerAuthKey(S, Args[1]))
    return ExprError();

  Call->setType(Args[0]->getType());
  return Call;
}
1697
/// Semantic check for the blend-discriminator builtin, which takes a pointer
/// and an integer.
///
/// On success the call's type is set to the uintptr type.
///
/// \returns \p Call on success, ExprError() after a diagnostic otherwise.
static ExprResult PointerAuthBlendDiscriminator(Sema &S, CallExpr *Call) {
  if (S.checkArgCount(Call, 2) || checkPointerAuthEnabled(S, Call))
    return ExprError();

  // The checks convert the arguments in place.
  Expr **Args = Call->getArgs();
  if (checkPointerAuthValue(S, Args[0], PAO_BlendPointer))
    return ExprError();
  if (checkPointerAuthValue(S, Args[1], PAO_BlendInteger))
    return ExprError();

  Call->setType(S.Context.getUIntPtrType());
  return Call;
}
1710
/// Semantic check for a __builtin_ptrauth_sign_generic_data call.
///
/// Requires exactly two arguments and a passing checkPointerAuthEnabled, then
/// validates operand 0 as PAO_SignGeneric and operand 1 as PAO_Discriminator.
/// No key operand is checked for this builtin. On success the call is typed as
/// the context's uintptr type.
///
/// \returns the checked call, or ExprError() if any check failed.
static ExprResult PointerAuthSignGenericData(Sema &S, CallExpr *Call) {
  const bool Rejected =
      S.checkArgCount(Call, 2) || checkPointerAuthEnabled(S, Call) ||
      checkPointerAuthValue(S, Call->getArgs()[0], PAO_SignGeneric) ||
      checkPointerAuthValue(S, Call->getArgs()[1], PAO_Discriminator);
  if (Rejected)
    return ExprError();

  Call->setType(S.Context.getUIntPtrType());
  return Call;
}
1723
/// Shared semantic check for the three-operand sign/auth builtins
/// (__builtin_ptrauth_sign_constant, __builtin_ptrauth_sign_unauthenticated
/// and __builtin_ptrauth_auth all dispatch here).
///
/// \param OpKind          operation kind used when validating operand 0.
/// \param RequireConstant forwarded to the value check of operand 0 and to the
///                        discriminator check of operand 2; the key check on
///                        operand 1 does not receive it.
///
/// Checks run in operand order after the argument-count and
/// checkPointerAuthEnabled checks, and stop at the first failure. On success
/// the call takes the type of its first operand.
///
/// \returns the checked call, or ExprError() if any check failed.
static ExprResult PointerAuthSignOrAuth(Sema &S, CallExpr *Call,
                                        PointerAuthOpKind OpKind,
                                        bool RequireConstant) {
  const bool Rejected =
      S.checkArgCount(Call, 3) || checkPointerAuthEnabled(S, Call) ||
      checkPointerAuthValue(S, Call->getArgs()[0], OpKind, RequireConstant) ||
      checkPointerAuthKey(S, Call->getArgs()[1]) ||
      checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator,
                            RequireConstant);
  if (Rejected)
    return ExprError();

  Call->setType(Call->getArgs()[0]->getType());
  return Call;
}
1740
/// Semantic check for a __builtin_ptrauth_auth_and_resign call.
///
/// Requires exactly five arguments and a passing checkPointerAuthEnabled.
/// Operand 0 is validated as PAO_Auth; operands 1 and 3 go through the key
/// check and operands 2 and 4 through the PAO_Discriminator value check.
/// NOTE(review): the two key/discriminator pairs presumably describe the
/// existing and the new signing schema in that order; confirm against the
/// builtin's documentation.
///
/// On success the call takes the type of its first operand.
///
/// \returns the checked call, or ExprError() if any check failed.
static ExprResult PointerAuthAuthAndResign(Sema &S, CallExpr *Call) {
  if (S.checkArgCount(Call, 5) || checkPointerAuthEnabled(S, Call))
    return ExprError();

  // Operand checks run left to right and stop at the first failure.
  const bool BadOperand =
      checkPointerAuthValue(S, Call->getArgs()[0], PAO_Auth) ||
      checkPointerAuthKey(S, Call->getArgs()[1]) ||
      checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator) ||
      checkPointerAuthKey(S, Call->getArgs()[3]) ||
      checkPointerAuthValue(S, Call->getArgs()[4], PAO_Discriminator);
  if (BadOperand)
    return ExprError();

  Call->setType(Call->getArgs()[0]->getType());
  return Call;
}
1756
/// Semantic check for a __builtin_ptrauth_string_discriminator call.
///
/// After checkPointerAuthEnabled passes, the operand (with parentheses and
/// implicit casts stripped) must be a string literal whose characters are one
/// byte wide, i.e. an ordinary or UTF-8 literal. Anything else is diagnosed
/// with err_ptrauth_string_not_literal.
///
/// \returns the call unchanged, or ExprError() if a check failed.
static ExprResult PointerAuthStringDiscriminator(Sema &S, CallExpr *Call) {
  if (checkPointerAuthEnabled(S, Call))
    return ExprError();

  // Normal call type-checking has already been performed, so the argument
  // count is not re-checked here.
  const Expr *Operand = Call->getArg(0)->IgnoreParenImpCasts();
  const auto *Str = dyn_cast<StringLiteral>(Operand);

  const bool IsNarrowLiteral = Str && Str->getCharByteWidth() == 1;
  if (IsNarrowLiteral)
    return Call;

  // Select index: 0 when the operand is not a string literal at all, 1 when it
  // is a literal with a character width other than one byte.
  S.Diag(Operand->getExprLoc(), diag::err_ptrauth_string_not_literal)
      << (Str ? 1 : 0) << Operand->getSourceRange();
  return ExprError();
}
1774
/// Semantic check for a __builtin_launder call.
///
/// Computes the builtin's parameter type from the single argument, sets it as
/// the call's type, rejects non-pointer, function-pointer and void-pointer
/// parameter types, requires the pointee type to be complete, and finally
/// copy-initializes the argument to the parameter type.
///
/// \returns the checked call, or ExprError() if any step failed.
static ExprResult BuiltinLaunder(Sema &S, CallExpr *TheCall) {
  if (S.checkArgCount(TheCall, 1))
    return ExprError();

  // The parameter type is the argument type, except that array and function
  // types are replaced by the corresponding decayed pointer type.
  QualType ArgTy = TheCall->getArg(0)->getType();
  QualType ParamTy = ArgTy;
  if (const ArrayType *ArrTy = ArgTy->getAsArrayTypeUnsafe())
    ParamTy = S.Context.getPointerType(ArrTy->getElementType());
  else if (ArgTy->isFunctionType())
    ParamTy = S.Context.getPointerType(ArgTy);

  TheCall->setType(ParamTy);

  // Pick the %select index for err_builtin_launder_invalid_arg; it stays empty
  // when the parameter type is acceptable.
  std::optional<unsigned> DiagSelect;
  if (!ParamTy->isPointerType())
    DiagSelect = 0;
  else if (ParamTy->isFunctionPointerType())
    DiagSelect = 1;
  else if (ParamTy->isVoidPointerType())
    DiagSelect = 2;

  if (DiagSelect) {
    S.Diag(TheCall->getBeginLoc(), diag::err_builtin_launder_invalid_arg)
        << *DiagSelect << TheCall->getSourceRange();
    return ExprError();
  }

  // The pointee may be an incomplete class type, or a class template whose
  // instantiation has not been forced yet. Example:
  //
  //   template <class T> struct Foo { T value; };
  //   Foo<int> *p = nullptr;
  //   auto *d = __builtin_launder(p);
  QualType PointeeTy = ParamTy->getPointeeType();
  if (S.RequireCompleteType(TheCall->getBeginLoc(), PointeeTy,
                            diag::err_incomplete_type))
    return ExprError();

  assert(ParamTy->getPointeeType()->isObjectType() &&
         "Unhandled non-object pointer case");

  // Convert the argument as if it were passed to a parameter of ParamTy.
  InitializedEntity Entity =
      InitializedEntity::InitializeParameter(S.Context, ParamTy, false);
  ExprResult Converted =
      S.PerformCopyInitialization(Entity, SourceLocation(), TheCall->getArg(0));
  if (Converted.isInvalid())
    return ExprError();

  TheCall->setArg(0, Converted.get());
  return TheCall;
}
1834
// Reject a builtin on object formats that do not support it.
//
// Emits err_builtin_target_unsupported at the call and returns true when the
// target triple's object format appears in UnsupportedObjectFormatTypes;
// returns false otherwise. BuiltinID is accepted but not consulted here.
static bool CheckBuiltinTargetNotInUnsupported(
    Sema &S, unsigned BuiltinID, CallExpr *TheCall,
    ArrayRef<llvm::Triple::ObjectFormatType> UnsupportedObjectFormatTypes) {
  const llvm::Triple::ObjectFormatType TargetFormat =
      S.getASTContext().getTargetInfo().getTriple().getObjectFormat();

  const bool Supported =
      !llvm::is_contained(UnsupportedObjectFormatTypes, TargetFormat);
  if (Supported)
    return false;

  S.Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
      << TheCall->getSourceRange();
  return true;
}
1849
// Reject a builtin on architectures outside an allow-list.
//
// Returns false when the target triple's architecture appears in
// SupportedArchs; otherwise emits err_builtin_target_unsupported at the call
// and returns true. BuiltinID is accepted but not consulted here.
static bool
CheckBuiltinTargetInSupported(Sema &S, unsigned BuiltinID, CallExpr *TheCall,
                              ArrayRef<llvm::Triple::ArchType> SupportedArchs) {
  const llvm::Triple::ArchType TargetArch =
      S.getASTContext().getTargetInfo().getTriple().getArch();

  const bool Unsupported = !llvm::is_contained(SupportedArchs, TargetArch);
  if (Unsupported) {
    S.Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
        << TheCall->getSourceRange();
    return true;
  }
  return false;
}
1863
1864 static void CheckNonNullArgument(Sema &S, const Expr *ArgExpr,
1865 SourceLocation CallSiteLoc);
1866
/// Dispatch target-specific checking of a builtin call.
///
/// Selects the per-target checker from the architecture of \p TI's triple and
/// returns its result. Architectures without a case below get no additional
/// checking and the call is reported as acceptable (false).
bool Sema::CheckTSBuiltinFunctionCall(const TargetInfo &TI, unsigned BuiltinID,
                                      CallExpr *TheCall) {
  const llvm::Triple::ArchType Arch = TI.getTriple().getArch();
  switch (Arch) {
  case llvm::Triple::arm:
  case llvm::Triple::armeb:
  case llvm::Triple::thumb:
  case llvm::Triple::thumbeb:
    return ARM().CheckARMBuiltinFunctionCall(TI, BuiltinID, TheCall);

  case llvm::Triple::aarch64:
  case llvm::Triple::aarch64_32:
  case llvm::Triple::aarch64_be:
    return ARM().CheckAArch64BuiltinFunctionCall(TI, BuiltinID, TheCall);

  case llvm::Triple::bpfeb:
  case llvm::Triple::bpfel:
    return BPF().CheckBPFBuiltinFunctionCall(BuiltinID, TheCall);

  case llvm::Triple::hexagon:
    return Hexagon().CheckHexagonBuiltinFunctionCall(BuiltinID, TheCall);

  case llvm::Triple::mips:
  case llvm::Triple::mipsel:
  case llvm::Triple::mips64:
  case llvm::Triple::mips64el:
    return MIPS().CheckMipsBuiltinFunctionCall(TI, BuiltinID, TheCall);

  case llvm::Triple::systemz:
    return SystemZ().CheckSystemZBuiltinFunctionCall(BuiltinID, TheCall);

  case llvm::Triple::x86:
  case llvm::Triple::x86_64:
    return X86().CheckBuiltinFunctionCall(TI, BuiltinID, TheCall);

  case llvm::Triple::ppc:
  case llvm::Triple::ppcle:
  case llvm::Triple::ppc64:
  case llvm::Triple::ppc64le:
    return PPC().CheckPPCBuiltinFunctionCall(TI, BuiltinID, TheCall);

  case llvm::Triple::amdgcn:
    return AMDGPU().CheckAMDGCNBuiltinFunctionCall(BuiltinID, TheCall);

  case llvm::Triple::riscv32:
  case llvm::Triple::riscv64:
    return RISCV().CheckBuiltinFunctionCall(TI, BuiltinID, TheCall);

  case llvm::Triple::loongarch32:
  case llvm::Triple::loongarch64:
    return LoongArch().CheckLoongArchBuiltinFunctionCall(TI, BuiltinID,
                                                         TheCall);

  case llvm::Triple::wasm32:
  case llvm::Triple::wasm64:
    return Wasm().CheckWebAssemblyBuiltinFunctionCall(TI, BuiltinID, TheCall);

  case llvm::Triple::nvptx:
  case llvm::Triple::nvptx64:
    return NVPTX().CheckNVPTXBuiltinFunctionCall(TI, BuiltinID, TheCall);

  default:
    // Some builtins don't require additional checking, so just consider these
    // acceptable.
    return false;
  }
}
1920
// Validate \p ArgTy as an operand type for the elementwise math builtins.
//
// A type is accepted when it is a vector type or when
// ConstantMatrixType::isValidElementType accepts it. Otherwise
// err_builtin_invalid_arg_type is emitted at \p Loc for argument \p ArgIndex
// and true is returned. Returns false for an accepted type.
static bool checkMathBuiltinElementType(Sema &S, SourceLocation Loc,
                                        QualType ArgTy, int ArgIndex) {
  const bool IsVector = ArgTy->getAs<VectorType>() != nullptr;
  if (IsVector || ConstantMatrixType::isValidElementType(ArgTy))
    return false;

  return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
         << ArgIndex << /* vector, integer or float ty*/ 0 << ArgTy;
}
1934
// Validate \p ArgTy as an operand type for the floating-point math builtins.
//
// The element type is \p ArgTy itself, or the vector's element type when
// \p ArgTy is a vector. If that element type is not a real floating type,
// err_builtin_invalid_arg_type is emitted at \p Loc for argument \p ArgIndex
// (reporting the full \p ArgTy) and true is returned. Returns false otherwise.
static bool checkFPMathBuiltinElementType(Sema &S, SourceLocation Loc,
                                          QualType ArgTy, int ArgIndex) {
  const auto *VecTy = ArgTy->getAs<VectorType>();
  QualType EltTy = VecTy ? VecTy->getElementType() : ArgTy;

  if (EltTy->isRealFloatingType())
    return false;

  return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
         << ArgIndex << /* vector or float ty*/ 5 << ArgTy;
}
1948
/// Handle __builtin_cpu_supports(char *) and __builtin_cpu_is(char *).
///
/// Verifies that a target supports the builtin and that the argument is a
/// string literal naming a valid feature or CPU. The primary target \p TI is
/// used unless it lacks the builtin and \p AuxTI (which may be null) provides
/// it.
///
/// An unrecognised name is only a warning for __builtin_cpu_supports (the call
/// is still accepted) but an error for __builtin_cpu_is.
///
/// \returns true if an error was diagnosed, false otherwise.
static bool BuiltinCpu(Sema &S, const TargetInfo &TI, CallExpr *TheCall,
                       const TargetInfo *AuxTI, unsigned BuiltinID) {
  assert((BuiltinID == Builtin::BI__builtin_cpu_supports ||
          BuiltinID == Builtin::BI__builtin_cpu_is) &&
         "Expecting __builtin_cpu_...");

  const bool IsCPUSupports = BuiltinID == Builtin::BI__builtin_cpu_supports;

  // True when TInfo is non-null and provides the builtin being checked.
  auto SupportsBI = [IsCPUSupports](const TargetInfo *TInfo) -> bool {
    if (!TInfo)
      return false;
    return IsCPUSupports ? TInfo->supportsCpuSupports()
                         : TInfo->supportsCpuIs();
  };

  // Fall back to the auxiliary target only when the primary one lacks the
  // builtin and the auxiliary one has it.
  const TargetInfo *TheTI =
      (!SupportsBI(&TI) && SupportsBI(AuxTI)) ? AuxTI : &TI;

  if (!SupportsBI(TheTI)) {
    // The AIX-specific wording is chosen from the primary target's triple.
    const auto DiagID = TI.getTriple().isOSAIX()
                            ? diag::err_builtin_aix_os_unsupported
                            : diag::err_builtin_target_unsupported;
    return S.Diag(TheCall->getBeginLoc(), DiagID)
           << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
  }

  // The argument must be a string literal once parentheses and implicit casts
  // are stripped.
  Expr *Arg = TheCall->getArg(0)->IgnoreParenImpCasts();
  const auto *NameLiteral = dyn_cast<StringLiteral>(Arg);
  if (!NameLiteral)
    return S.Diag(TheCall->getBeginLoc(), diag::err_expr_not_string_literal)
           << Arg->getSourceRange();

  // Validate the contents of the string against the selected target.
  StringRef Feature = NameLiteral->getString();
  if (IsCPUSupports) {
    if (!TheTI->validateCpuSupports(Feature))
      S.Diag(TheCall->getBeginLoc(), diag::warn_invalid_cpu_supports)
          << Arg->getSourceRange();
    return false;
  }

  if (!TheTI->validateCpuIs(Feature))
    return S.Diag(TheCall->getBeginLoc(), diag::err_invalid_cpu_is)
           << Arg->getSourceRange();
  return false;
}
1993
/// Checks that __builtin_popcountg was called with exactly one argument whose
/// type, after lvalue conversion, is an unsigned integer type.
///
/// The converted expression replaces argument 0 of the call.
///
/// \returns true if the call is invalid (a diagnostic has been emitted or the
/// conversion failed), false otherwise.
static bool BuiltinPopcountg(Sema &S, CallExpr *TheCall) {
  if (S.checkArgCount(TheCall, 1))
    return true;

  ExprResult Converted = S.DefaultLvalueConversion(TheCall->getArg(0));
  if (Converted.isInvalid())
    return true;

  Expr *Operand = Converted.get();
  TheCall->setArg(0, Operand);

  QualType OperandTy = Operand->getType();
  if (OperandTy->isUnsignedIntegerType())
    return false;

  S.Diag(Operand->getBeginLoc(), diag::err_builtin_invalid_arg_type)
      << 1 << /*unsigned integer ty*/ 7 << OperandTy;
  return true;
}
2016
/// Checks that __builtin_{clzg,ctzg} was called with one or two arguments: a
/// first argument of unsigned integer type (after lvalue conversion) and an
/// optional second argument whose type is exactly 'int' after the usual unary
/// conversions.
///
/// Each converted expression replaces the corresponding argument of the call.
///
/// \returns true if the call is invalid (a diagnostic has been emitted or a
/// conversion failed), false otherwise.
static bool BuiltinCountZeroBitsGeneric(Sema &S, CallExpr *TheCall) {
  if (S.checkArgCountRange(TheCall, 1, 2))
    return true;

  // First operand: the value whose zero bits are counted.
  ExprResult ValueRes = S.DefaultLvalueConversion(TheCall->getArg(0));
  if (ValueRes.isInvalid())
    return true;

  Expr *Value = ValueRes.get();
  TheCall->setArg(0, Value);

  QualType ValueTy = Value->getType();
  if (!ValueTy->isUnsignedIntegerType()) {
    S.Diag(Value->getBeginLoc(), diag::err_builtin_invalid_arg_type)
        << 1 << /*unsigned integer ty*/ 7 << ValueTy;
    return true;
  }

  // The second operand is optional; nothing more to check without it.
  if (TheCall->getNumArgs() <= 1)
    return false;

  ExprResult SecondRes = S.UsualUnaryConversions(TheCall->getArg(1));
  if (SecondRes.isInvalid())
    return true;

  Expr *Second = SecondRes.get();
  TheCall->setArg(1, Second);

  QualType SecondTy = Second->getType();
  if (SecondTy->isSpecificBuiltinType(BuiltinType::Int))
    return false;

  S.Diag(Second->getBeginLoc(), diag::err_builtin_invalid_arg_type)
      << 2 << /*'int' ty*/ 8 << SecondTy;
  return true;
}
2058
2059 ExprResult
CheckBuiltinFunctionCall(FunctionDecl * FDecl,unsigned BuiltinID,CallExpr * TheCall)2060 Sema::CheckBuiltinFunctionCall(FunctionDecl *FDecl, unsigned BuiltinID,
2061 CallExpr *TheCall) {
2062 ExprResult TheCallResult(TheCall);
2063
2064 // Find out if any arguments are required to be integer constant expressions.
2065 unsigned ICEArguments = 0;
2066 ASTContext::GetBuiltinTypeError Error;
2067 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments);
2068 if (Error != ASTContext::GE_None)
2069 ICEArguments = 0; // Don't diagnose previously diagnosed errors.
2070
2071 // If any arguments are required to be ICE's, check and diagnose.
2072 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) {
2073 // Skip arguments not required to be ICE's.
2074 if ((ICEArguments & (1 << ArgNo)) == 0) continue;
2075
2076 llvm::APSInt Result;
2077 // If we don't have enough arguments, continue so we can issue better
2078 // diagnostic in checkArgCount(...)
2079 if (ArgNo < TheCall->getNumArgs() &&
2080 BuiltinConstantArg(TheCall, ArgNo, Result))
2081 return true;
2082 ICEArguments &= ~(1 << ArgNo);
2083 }
2084
2085 FPOptions FPO;
2086 switch (BuiltinID) {
2087 case Builtin::BI__builtin_cpu_supports:
2088 case Builtin::BI__builtin_cpu_is:
2089 if (BuiltinCpu(*this, Context.getTargetInfo(), TheCall,
2090 Context.getAuxTargetInfo(), BuiltinID))
2091 return ExprError();
2092 break;
2093 case Builtin::BI__builtin_cpu_init:
2094 if (!Context.getTargetInfo().supportsCpuInit()) {
2095 Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
2096 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
2097 return ExprError();
2098 }
2099 break;
2100 case Builtin::BI__builtin___CFStringMakeConstantString:
2101 // CFStringMakeConstantString is currently not implemented for GOFF (i.e.,
2102 // on z/OS) and for XCOFF (i.e., on AIX). Emit unsupported
2103 if (CheckBuiltinTargetNotInUnsupported(
2104 *this, BuiltinID, TheCall,
2105 {llvm::Triple::GOFF, llvm::Triple::XCOFF}))
2106 return ExprError();
2107 assert(TheCall->getNumArgs() == 1 &&
2108 "Wrong # arguments to builtin CFStringMakeConstantString");
2109 if (ObjC().CheckObjCString(TheCall->getArg(0)))
2110 return ExprError();
2111 break;
2112 case Builtin::BI__builtin_ms_va_start:
2113 case Builtin::BI__builtin_stdarg_start:
2114 case Builtin::BI__builtin_va_start:
2115 if (BuiltinVAStart(BuiltinID, TheCall))
2116 return ExprError();
2117 break;
2118 case Builtin::BI__va_start: {
2119 switch (Context.getTargetInfo().getTriple().getArch()) {
2120 case llvm::Triple::aarch64:
2121 case llvm::Triple::arm:
2122 case llvm::Triple::thumb:
2123 if (BuiltinVAStartARMMicrosoft(TheCall))
2124 return ExprError();
2125 break;
2126 default:
2127 if (BuiltinVAStart(BuiltinID, TheCall))
2128 return ExprError();
2129 break;
2130 }
2131 break;
2132 }
2133
2134 // The acquire, release, and no fence variants are ARM and AArch64 only.
2135 case Builtin::BI_interlockedbittestandset_acq:
2136 case Builtin::BI_interlockedbittestandset_rel:
2137 case Builtin::BI_interlockedbittestandset_nf:
2138 case Builtin::BI_interlockedbittestandreset_acq:
2139 case Builtin::BI_interlockedbittestandreset_rel:
2140 case Builtin::BI_interlockedbittestandreset_nf:
2141 if (CheckBuiltinTargetInSupported(
2142 *this, BuiltinID, TheCall,
2143 {llvm::Triple::arm, llvm::Triple::thumb, llvm::Triple::aarch64}))
2144 return ExprError();
2145 break;
2146
2147 // The 64-bit bittest variants are x64, ARM, and AArch64 only.
2148 case Builtin::BI_bittest64:
2149 case Builtin::BI_bittestandcomplement64:
2150 case Builtin::BI_bittestandreset64:
2151 case Builtin::BI_bittestandset64:
2152 case Builtin::BI_interlockedbittestandreset64:
2153 case Builtin::BI_interlockedbittestandset64:
2154 if (CheckBuiltinTargetInSupported(
2155 *this, BuiltinID, TheCall,
2156 {llvm::Triple::x86_64, llvm::Triple::arm, llvm::Triple::thumb,
2157 llvm::Triple::aarch64, llvm::Triple::amdgcn}))
2158 return ExprError();
2159 break;
2160
2161 case Builtin::BI__builtin_set_flt_rounds:
2162 if (CheckBuiltinTargetInSupported(
2163 *this, BuiltinID, TheCall,
2164 {llvm::Triple::x86, llvm::Triple::x86_64, llvm::Triple::arm,
2165 llvm::Triple::thumb, llvm::Triple::aarch64, llvm::Triple::amdgcn}))
2166 return ExprError();
2167 break;
2168
2169 case Builtin::BI__builtin_isgreater:
2170 case Builtin::BI__builtin_isgreaterequal:
2171 case Builtin::BI__builtin_isless:
2172 case Builtin::BI__builtin_islessequal:
2173 case Builtin::BI__builtin_islessgreater:
2174 case Builtin::BI__builtin_isunordered:
2175 if (BuiltinUnorderedCompare(TheCall, BuiltinID))
2176 return ExprError();
2177 break;
2178 case Builtin::BI__builtin_fpclassify:
2179 if (BuiltinFPClassification(TheCall, 6, BuiltinID))
2180 return ExprError();
2181 break;
2182 case Builtin::BI__builtin_isfpclass:
2183 if (BuiltinFPClassification(TheCall, 2, BuiltinID))
2184 return ExprError();
2185 break;
2186 case Builtin::BI__builtin_isfinite:
2187 case Builtin::BI__builtin_isinf:
2188 case Builtin::BI__builtin_isinf_sign:
2189 case Builtin::BI__builtin_isnan:
2190 case Builtin::BI__builtin_issignaling:
2191 case Builtin::BI__builtin_isnormal:
2192 case Builtin::BI__builtin_issubnormal:
2193 case Builtin::BI__builtin_iszero:
2194 case Builtin::BI__builtin_signbit:
2195 case Builtin::BI__builtin_signbitf:
2196 case Builtin::BI__builtin_signbitl:
2197 if (BuiltinFPClassification(TheCall, 1, BuiltinID))
2198 return ExprError();
2199 break;
2200 case Builtin::BI__builtin_shufflevector:
2201 return BuiltinShuffleVector(TheCall);
2202 // TheCall will be freed by the smart pointer here, but that's fine, since
2203 // BuiltinShuffleVector guts it, but then doesn't release it.
2204 case Builtin::BI__builtin_prefetch:
2205 if (BuiltinPrefetch(TheCall))
2206 return ExprError();
2207 break;
2208 case Builtin::BI__builtin_alloca_with_align:
2209 case Builtin::BI__builtin_alloca_with_align_uninitialized:
2210 if (BuiltinAllocaWithAlign(TheCall))
2211 return ExprError();
2212 [[fallthrough]];
2213 case Builtin::BI__builtin_alloca:
2214 case Builtin::BI__builtin_alloca_uninitialized:
2215 Diag(TheCall->getBeginLoc(), diag::warn_alloca)
2216 << TheCall->getDirectCallee();
2217 break;
2218 case Builtin::BI__arithmetic_fence:
2219 if (BuiltinArithmeticFence(TheCall))
2220 return ExprError();
2221 break;
2222 case Builtin::BI__assume:
2223 case Builtin::BI__builtin_assume:
2224 if (BuiltinAssume(TheCall))
2225 return ExprError();
2226 break;
2227 case Builtin::BI__builtin_assume_aligned:
2228 if (BuiltinAssumeAligned(TheCall))
2229 return ExprError();
2230 break;
2231 case Builtin::BI__builtin_dynamic_object_size:
2232 case Builtin::BI__builtin_object_size:
2233 if (BuiltinConstantArgRange(TheCall, 1, 0, 3))
2234 return ExprError();
2235 break;
2236 case Builtin::BI__builtin_longjmp:
2237 if (BuiltinLongjmp(TheCall))
2238 return ExprError();
2239 break;
2240 case Builtin::BI__builtin_setjmp:
2241 if (BuiltinSetjmp(TheCall))
2242 return ExprError();
2243 break;
2244 case Builtin::BI__builtin_classify_type:
2245 if (checkArgCount(TheCall, 1))
2246 return true;
2247 TheCall->setType(Context.IntTy);
2248 break;
2249 case Builtin::BI__builtin_complex:
2250 if (BuiltinComplex(TheCall))
2251 return ExprError();
2252 break;
2253 case Builtin::BI__builtin_constant_p: {
2254 if (checkArgCount(TheCall, 1))
2255 return true;
2256 ExprResult Arg = DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
2257 if (Arg.isInvalid()) return true;
2258 TheCall->setArg(0, Arg.get());
2259 TheCall->setType(Context.IntTy);
2260 break;
2261 }
2262 case Builtin::BI__builtin_launder:
2263 return BuiltinLaunder(*this, TheCall);
2264 case Builtin::BI__sync_fetch_and_add:
2265 case Builtin::BI__sync_fetch_and_add_1:
2266 case Builtin::BI__sync_fetch_and_add_2:
2267 case Builtin::BI__sync_fetch_and_add_4:
2268 case Builtin::BI__sync_fetch_and_add_8:
2269 case Builtin::BI__sync_fetch_and_add_16:
2270 case Builtin::BI__sync_fetch_and_sub:
2271 case Builtin::BI__sync_fetch_and_sub_1:
2272 case Builtin::BI__sync_fetch_and_sub_2:
2273 case Builtin::BI__sync_fetch_and_sub_4:
2274 case Builtin::BI__sync_fetch_and_sub_8:
2275 case Builtin::BI__sync_fetch_and_sub_16:
2276 case Builtin::BI__sync_fetch_and_or:
2277 case Builtin::BI__sync_fetch_and_or_1:
2278 case Builtin::BI__sync_fetch_and_or_2:
2279 case Builtin::BI__sync_fetch_and_or_4:
2280 case Builtin::BI__sync_fetch_and_or_8:
2281 case Builtin::BI__sync_fetch_and_or_16:
2282 case Builtin::BI__sync_fetch_and_and:
2283 case Builtin::BI__sync_fetch_and_and_1:
2284 case Builtin::BI__sync_fetch_and_and_2:
2285 case Builtin::BI__sync_fetch_and_and_4:
2286 case Builtin::BI__sync_fetch_and_and_8:
2287 case Builtin::BI__sync_fetch_and_and_16:
2288 case Builtin::BI__sync_fetch_and_xor:
2289 case Builtin::BI__sync_fetch_and_xor_1:
2290 case Builtin::BI__sync_fetch_and_xor_2:
2291 case Builtin::BI__sync_fetch_and_xor_4:
2292 case Builtin::BI__sync_fetch_and_xor_8:
2293 case Builtin::BI__sync_fetch_and_xor_16:
2294 case Builtin::BI__sync_fetch_and_nand:
2295 case Builtin::BI__sync_fetch_and_nand_1:
2296 case Builtin::BI__sync_fetch_and_nand_2:
2297 case Builtin::BI__sync_fetch_and_nand_4:
2298 case Builtin::BI__sync_fetch_and_nand_8:
2299 case Builtin::BI__sync_fetch_and_nand_16:
2300 case Builtin::BI__sync_add_and_fetch:
2301 case Builtin::BI__sync_add_and_fetch_1:
2302 case Builtin::BI__sync_add_and_fetch_2:
2303 case Builtin::BI__sync_add_and_fetch_4:
2304 case Builtin::BI__sync_add_and_fetch_8:
2305 case Builtin::BI__sync_add_and_fetch_16:
2306 case Builtin::BI__sync_sub_and_fetch:
2307 case Builtin::BI__sync_sub_and_fetch_1:
2308 case Builtin::BI__sync_sub_and_fetch_2:
2309 case Builtin::BI__sync_sub_and_fetch_4:
2310 case Builtin::BI__sync_sub_and_fetch_8:
2311 case Builtin::BI__sync_sub_and_fetch_16:
2312 case Builtin::BI__sync_and_and_fetch:
2313 case Builtin::BI__sync_and_and_fetch_1:
2314 case Builtin::BI__sync_and_and_fetch_2:
2315 case Builtin::BI__sync_and_and_fetch_4:
2316 case Builtin::BI__sync_and_and_fetch_8:
2317 case Builtin::BI__sync_and_and_fetch_16:
2318 case Builtin::BI__sync_or_and_fetch:
2319 case Builtin::BI__sync_or_and_fetch_1:
2320 case Builtin::BI__sync_or_and_fetch_2:
2321 case Builtin::BI__sync_or_and_fetch_4:
2322 case Builtin::BI__sync_or_and_fetch_8:
2323 case Builtin::BI__sync_or_and_fetch_16:
2324 case Builtin::BI__sync_xor_and_fetch:
2325 case Builtin::BI__sync_xor_and_fetch_1:
2326 case Builtin::BI__sync_xor_and_fetch_2:
2327 case Builtin::BI__sync_xor_and_fetch_4:
2328 case Builtin::BI__sync_xor_and_fetch_8:
2329 case Builtin::BI__sync_xor_and_fetch_16:
2330 case Builtin::BI__sync_nand_and_fetch:
2331 case Builtin::BI__sync_nand_and_fetch_1:
2332 case Builtin::BI__sync_nand_and_fetch_2:
2333 case Builtin::BI__sync_nand_and_fetch_4:
2334 case Builtin::BI__sync_nand_and_fetch_8:
2335 case Builtin::BI__sync_nand_and_fetch_16:
2336 case Builtin::BI__sync_val_compare_and_swap:
2337 case Builtin::BI__sync_val_compare_and_swap_1:
2338 case Builtin::BI__sync_val_compare_and_swap_2:
2339 case Builtin::BI__sync_val_compare_and_swap_4:
2340 case Builtin::BI__sync_val_compare_and_swap_8:
2341 case Builtin::BI__sync_val_compare_and_swap_16:
2342 case Builtin::BI__sync_bool_compare_and_swap:
2343 case Builtin::BI__sync_bool_compare_and_swap_1:
2344 case Builtin::BI__sync_bool_compare_and_swap_2:
2345 case Builtin::BI__sync_bool_compare_and_swap_4:
2346 case Builtin::BI__sync_bool_compare_and_swap_8:
2347 case Builtin::BI__sync_bool_compare_and_swap_16:
2348 case Builtin::BI__sync_lock_test_and_set:
2349 case Builtin::BI__sync_lock_test_and_set_1:
2350 case Builtin::BI__sync_lock_test_and_set_2:
2351 case Builtin::BI__sync_lock_test_and_set_4:
2352 case Builtin::BI__sync_lock_test_and_set_8:
2353 case Builtin::BI__sync_lock_test_and_set_16:
2354 case Builtin::BI__sync_lock_release:
2355 case Builtin::BI__sync_lock_release_1:
2356 case Builtin::BI__sync_lock_release_2:
2357 case Builtin::BI__sync_lock_release_4:
2358 case Builtin::BI__sync_lock_release_8:
2359 case Builtin::BI__sync_lock_release_16:
2360 case Builtin::BI__sync_swap:
2361 case Builtin::BI__sync_swap_1:
2362 case Builtin::BI__sync_swap_2:
2363 case Builtin::BI__sync_swap_4:
2364 case Builtin::BI__sync_swap_8:
2365 case Builtin::BI__sync_swap_16:
2366 return BuiltinAtomicOverloaded(TheCallResult);
2367 case Builtin::BI__sync_synchronize:
2368 Diag(TheCall->getBeginLoc(), diag::warn_atomic_implicit_seq_cst)
2369 << TheCall->getCallee()->getSourceRange();
2370 break;
2371 case Builtin::BI__builtin_nontemporal_load:
2372 case Builtin::BI__builtin_nontemporal_store:
2373 return BuiltinNontemporalOverloaded(TheCallResult);
2374 case Builtin::BI__builtin_memcpy_inline: {
2375 clang::Expr *SizeOp = TheCall->getArg(2);
2376 // We warn about copying to or from `nullptr` pointers when `size` is
2377 // greater than 0. When `size` is value dependent we cannot evaluate its
2378 // value so we bail out.
2379 if (SizeOp->isValueDependent())
2380 break;
2381 if (!SizeOp->EvaluateKnownConstInt(Context).isZero()) {
2382 CheckNonNullArgument(*this, TheCall->getArg(0), TheCall->getExprLoc());
2383 CheckNonNullArgument(*this, TheCall->getArg(1), TheCall->getExprLoc());
2384 }
2385 break;
2386 }
2387 case Builtin::BI__builtin_memset_inline: {
2388 clang::Expr *SizeOp = TheCall->getArg(2);
2389 // We warn about filling to `nullptr` pointers when `size` is greater than
2390 // 0. When `size` is value dependent we cannot evaluate its value so we bail
2391 // out.
2392 if (SizeOp->isValueDependent())
2393 break;
2394 if (!SizeOp->EvaluateKnownConstInt(Context).isZero())
2395 CheckNonNullArgument(*this, TheCall->getArg(0), TheCall->getExprLoc());
2396 break;
2397 }
2398 #define BUILTIN(ID, TYPE, ATTRS)
2399 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \
2400 case Builtin::BI##ID: \
2401 return AtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID);
2402 #include "clang/Basic/Builtins.inc"
2403 case Builtin::BI__annotation:
2404 if (BuiltinMSVCAnnotation(*this, TheCall))
2405 return ExprError();
2406 break;
2407 case Builtin::BI__builtin_annotation:
2408 if (BuiltinAnnotation(*this, TheCall))
2409 return ExprError();
2410 break;
2411 case Builtin::BI__builtin_addressof:
2412 if (BuiltinAddressof(*this, TheCall))
2413 return ExprError();
2414 break;
2415 case Builtin::BI__builtin_function_start:
2416 if (BuiltinFunctionStart(*this, TheCall))
2417 return ExprError();
2418 break;
2419 case Builtin::BI__builtin_is_aligned:
2420 case Builtin::BI__builtin_align_up:
2421 case Builtin::BI__builtin_align_down:
2422 if (BuiltinAlignment(*this, TheCall, BuiltinID))
2423 return ExprError();
2424 break;
2425 case Builtin::BI__builtin_add_overflow:
2426 case Builtin::BI__builtin_sub_overflow:
2427 case Builtin::BI__builtin_mul_overflow:
2428 if (BuiltinOverflow(*this, TheCall, BuiltinID))
2429 return ExprError();
2430 break;
2431 case Builtin::BI__builtin_operator_new:
2432 case Builtin::BI__builtin_operator_delete: {
2433 bool IsDelete = BuiltinID == Builtin::BI__builtin_operator_delete;
2434 ExprResult Res =
2435 BuiltinOperatorNewDeleteOverloaded(TheCallResult, IsDelete);
2436 if (Res.isInvalid())
2437 CorrectDelayedTyposInExpr(TheCallResult.get());
2438 return Res;
2439 }
2440 case Builtin::BI__builtin_dump_struct:
2441 return BuiltinDumpStruct(*this, TheCall);
2442 case Builtin::BI__builtin_expect_with_probability: {
2443 // We first want to ensure we are called with 3 arguments
2444 if (checkArgCount(TheCall, 3))
2445 return ExprError();
2446 // then check probability is constant float in range [0.0, 1.0]
2447 const Expr *ProbArg = TheCall->getArg(2);
2448 SmallVector<PartialDiagnosticAt, 8> Notes;
2449 Expr::EvalResult Eval;
2450 Eval.Diag = &Notes;
2451 if ((!ProbArg->EvaluateAsConstantExpr(Eval, Context)) ||
2452 !Eval.Val.isFloat()) {
2453 Diag(ProbArg->getBeginLoc(), diag::err_probability_not_constant_float)
2454 << ProbArg->getSourceRange();
2455 for (const PartialDiagnosticAt &PDiag : Notes)
2456 Diag(PDiag.first, PDiag.second);
2457 return ExprError();
2458 }
2459 llvm::APFloat Probability = Eval.Val.getFloat();
2460 bool LoseInfo = false;
2461 Probability.convert(llvm::APFloat::IEEEdouble(),
2462 llvm::RoundingMode::Dynamic, &LoseInfo);
2463 if (!(Probability >= llvm::APFloat(0.0) &&
2464 Probability <= llvm::APFloat(1.0))) {
2465 Diag(ProbArg->getBeginLoc(), diag::err_probability_out_of_range)
2466 << ProbArg->getSourceRange();
2467 return ExprError();
2468 }
2469 break;
2470 }
2471 case Builtin::BI__builtin_preserve_access_index:
2472 if (BuiltinPreserveAI(*this, TheCall))
2473 return ExprError();
2474 break;
2475 case Builtin::BI__builtin_call_with_static_chain:
2476 if (BuiltinCallWithStaticChain(*this, TheCall))
2477 return ExprError();
2478 break;
2479 case Builtin::BI__exception_code:
2480 case Builtin::BI_exception_code:
2481 if (BuiltinSEHScopeCheck(*this, TheCall, Scope::SEHExceptScope,
2482 diag::err_seh___except_block))
2483 return ExprError();
2484 break;
2485 case Builtin::BI__exception_info:
2486 case Builtin::BI_exception_info:
2487 if (BuiltinSEHScopeCheck(*this, TheCall, Scope::SEHFilterScope,
2488 diag::err_seh___except_filter))
2489 return ExprError();
2490 break;
2491 case Builtin::BI__GetExceptionInfo:
2492 if (checkArgCount(TheCall, 1))
2493 return ExprError();
2494
2495 if (CheckCXXThrowOperand(
2496 TheCall->getBeginLoc(),
2497 Context.getExceptionObjectType(FDecl->getParamDecl(0)->getType()),
2498 TheCall))
2499 return ExprError();
2500
2501 TheCall->setType(Context.VoidPtrTy);
2502 break;
2503 case Builtin::BIaddressof:
2504 case Builtin::BI__addressof:
2505 case Builtin::BIforward:
2506 case Builtin::BIforward_like:
2507 case Builtin::BImove:
2508 case Builtin::BImove_if_noexcept:
2509 case Builtin::BIas_const: {
2510 // These are all expected to be of the form
2511 // T &/&&/* f(U &/&&)
2512 // where T and U only differ in qualification.
2513 if (checkArgCount(TheCall, 1))
2514 return ExprError();
2515 QualType Param = FDecl->getParamDecl(0)->getType();
2516 QualType Result = FDecl->getReturnType();
2517 bool ReturnsPointer = BuiltinID == Builtin::BIaddressof ||
2518 BuiltinID == Builtin::BI__addressof;
2519 if (!(Param->isReferenceType() &&
2520 (ReturnsPointer ? Result->isAnyPointerType()
2521 : Result->isReferenceType()) &&
2522 Context.hasSameUnqualifiedType(Param->getPointeeType(),
2523 Result->getPointeeType()))) {
2524 Diag(TheCall->getBeginLoc(), diag::err_builtin_move_forward_unsupported)
2525 << FDecl;
2526 return ExprError();
2527 }
2528 break;
2529 }
2530 case Builtin::BI__builtin_ptrauth_strip:
2531 return PointerAuthStrip(*this, TheCall);
2532 case Builtin::BI__builtin_ptrauth_blend_discriminator:
2533 return PointerAuthBlendDiscriminator(*this, TheCall);
2534 case Builtin::BI__builtin_ptrauth_sign_constant:
2535 return PointerAuthSignOrAuth(*this, TheCall, PAO_Sign,
2536 /*RequireConstant=*/true);
2537 case Builtin::BI__builtin_ptrauth_sign_unauthenticated:
2538 return PointerAuthSignOrAuth(*this, TheCall, PAO_Sign,
2539 /*RequireConstant=*/false);
2540 case Builtin::BI__builtin_ptrauth_auth:
2541 return PointerAuthSignOrAuth(*this, TheCall, PAO_Auth,
2542 /*RequireConstant=*/false);
2543 case Builtin::BI__builtin_ptrauth_sign_generic_data:
2544 return PointerAuthSignGenericData(*this, TheCall);
2545 case Builtin::BI__builtin_ptrauth_auth_and_resign:
2546 return PointerAuthAuthAndResign(*this, TheCall);
2547 case Builtin::BI__builtin_ptrauth_string_discriminator:
2548 return PointerAuthStringDiscriminator(*this, TheCall);
2549 // OpenCL v2.0, s6.13.16 - Pipe functions
2550 case Builtin::BIread_pipe:
2551 case Builtin::BIwrite_pipe:
2552 // Since those two functions are declared with var args, we need a semantic
2553 // check for the argument.
2554 if (OpenCL().checkBuiltinRWPipe(TheCall))
2555 return ExprError();
2556 break;
2557 case Builtin::BIreserve_read_pipe:
2558 case Builtin::BIreserve_write_pipe:
2559 case Builtin::BIwork_group_reserve_read_pipe:
2560 case Builtin::BIwork_group_reserve_write_pipe:
2561 if (OpenCL().checkBuiltinReserveRWPipe(TheCall))
2562 return ExprError();
2563 break;
2564 case Builtin::BIsub_group_reserve_read_pipe:
2565 case Builtin::BIsub_group_reserve_write_pipe:
2566 if (OpenCL().checkSubgroupExt(TheCall) ||
2567 OpenCL().checkBuiltinReserveRWPipe(TheCall))
2568 return ExprError();
2569 break;
2570 case Builtin::BIcommit_read_pipe:
2571 case Builtin::BIcommit_write_pipe:
2572 case Builtin::BIwork_group_commit_read_pipe:
2573 case Builtin::BIwork_group_commit_write_pipe:
2574 if (OpenCL().checkBuiltinCommitRWPipe(TheCall))
2575 return ExprError();
2576 break;
2577 case Builtin::BIsub_group_commit_read_pipe:
2578 case Builtin::BIsub_group_commit_write_pipe:
2579 if (OpenCL().checkSubgroupExt(TheCall) ||
2580 OpenCL().checkBuiltinCommitRWPipe(TheCall))
2581 return ExprError();
2582 break;
2583 case Builtin::BIget_pipe_num_packets:
2584 case Builtin::BIget_pipe_max_packets:
2585 if (OpenCL().checkBuiltinPipePackets(TheCall))
2586 return ExprError();
2587 break;
2588 case Builtin::BIto_global:
2589 case Builtin::BIto_local:
2590 case Builtin::BIto_private:
2591 if (OpenCL().checkBuiltinToAddr(BuiltinID, TheCall))
2592 return ExprError();
2593 break;
2594 // OpenCL v2.0, s6.13.17 - Enqueue kernel functions.
2595 case Builtin::BIenqueue_kernel:
2596 if (OpenCL().checkBuiltinEnqueueKernel(TheCall))
2597 return ExprError();
2598 break;
2599 case Builtin::BIget_kernel_work_group_size:
2600 case Builtin::BIget_kernel_preferred_work_group_size_multiple:
2601 if (OpenCL().checkBuiltinKernelWorkGroupSize(TheCall))
2602 return ExprError();
2603 break;
2604 case Builtin::BIget_kernel_max_sub_group_size_for_ndrange:
2605 case Builtin::BIget_kernel_sub_group_count_for_ndrange:
2606 if (OpenCL().checkBuiltinNDRangeAndBlock(TheCall))
2607 return ExprError();
2608 break;
2609 case Builtin::BI__builtin_os_log_format:
2610 Cleanup.setExprNeedsCleanups(true);
2611 [[fallthrough]];
2612 case Builtin::BI__builtin_os_log_format_buffer_size:
2613 if (BuiltinOSLogFormat(TheCall))
2614 return ExprError();
2615 break;
2616 case Builtin::BI__builtin_frame_address:
2617 case Builtin::BI__builtin_return_address: {
2618 if (BuiltinConstantArgRange(TheCall, 0, 0, 0xFFFF))
2619 return ExprError();
2620
2621 // -Wframe-address warning if non-zero passed to builtin
2622 // return/frame address.
2623 Expr::EvalResult Result;
2624 if (!TheCall->getArg(0)->isValueDependent() &&
2625 TheCall->getArg(0)->EvaluateAsInt(Result, getASTContext()) &&
2626 Result.Val.getInt() != 0)
2627 Diag(TheCall->getBeginLoc(), diag::warn_frame_address)
2628 << ((BuiltinID == Builtin::BI__builtin_return_address)
2629 ? "__builtin_return_address"
2630 : "__builtin_frame_address")
2631 << TheCall->getSourceRange();
2632 break;
2633 }
2634
2635 case Builtin::BI__builtin_nondeterministic_value: {
2636 if (BuiltinNonDeterministicValue(TheCall))
2637 return ExprError();
2638 break;
2639 }
2640
2641 // __builtin_elementwise_abs restricts the element type to signed integers or
2642 // floating point types only.
2643 case Builtin::BI__builtin_elementwise_abs: {
2644 if (PrepareBuiltinElementwiseMathOneArgCall(TheCall))
2645 return ExprError();
2646
2647 QualType ArgTy = TheCall->getArg(0)->getType();
2648 QualType EltTy = ArgTy;
2649
2650 if (auto *VecTy = EltTy->getAs<VectorType>())
2651 EltTy = VecTy->getElementType();
2652 if (EltTy->isUnsignedIntegerType()) {
2653 Diag(TheCall->getArg(0)->getBeginLoc(),
2654 diag::err_builtin_invalid_arg_type)
2655 << 1 << /* signed integer or float ty*/ 3 << ArgTy;
2656 return ExprError();
2657 }
2658 break;
2659 }
2660
2661 // These builtins restrict the element type to floating point
2662 // types only.
2663 case Builtin::BI__builtin_elementwise_acos:
2664 case Builtin::BI__builtin_elementwise_asin:
2665 case Builtin::BI__builtin_elementwise_atan:
2666 case Builtin::BI__builtin_elementwise_ceil:
2667 case Builtin::BI__builtin_elementwise_cos:
2668 case Builtin::BI__builtin_elementwise_cosh:
2669 case Builtin::BI__builtin_elementwise_exp:
2670 case Builtin::BI__builtin_elementwise_exp2:
2671 case Builtin::BI__builtin_elementwise_floor:
2672 case Builtin::BI__builtin_elementwise_log:
2673 case Builtin::BI__builtin_elementwise_log2:
2674 case Builtin::BI__builtin_elementwise_log10:
2675 case Builtin::BI__builtin_elementwise_roundeven:
2676 case Builtin::BI__builtin_elementwise_round:
2677 case Builtin::BI__builtin_elementwise_rint:
2678 case Builtin::BI__builtin_elementwise_nearbyint:
2679 case Builtin::BI__builtin_elementwise_sin:
2680 case Builtin::BI__builtin_elementwise_sinh:
2681 case Builtin::BI__builtin_elementwise_sqrt:
2682 case Builtin::BI__builtin_elementwise_tan:
2683 case Builtin::BI__builtin_elementwise_tanh:
2684 case Builtin::BI__builtin_elementwise_trunc:
2685 case Builtin::BI__builtin_elementwise_canonicalize: {
2686 if (PrepareBuiltinElementwiseMathOneArgCall(TheCall))
2687 return ExprError();
2688
2689 QualType ArgTy = TheCall->getArg(0)->getType();
2690 if (checkFPMathBuiltinElementType(*this, TheCall->getArg(0)->getBeginLoc(),
2691 ArgTy, 1))
2692 return ExprError();
2693 break;
2694 }
2695 case Builtin::BI__builtin_elementwise_fma: {
2696 if (BuiltinElementwiseTernaryMath(TheCall))
2697 return ExprError();
2698 break;
2699 }
2700
2701 // These builtins restrict the element type to floating point
2702 // types only, and take in two arguments.
2703 case Builtin::BI__builtin_elementwise_pow: {
2704 if (BuiltinElementwiseMath(TheCall))
2705 return ExprError();
2706
2707 QualType ArgTy = TheCall->getArg(0)->getType();
2708 if (checkFPMathBuiltinElementType(*this, TheCall->getArg(0)->getBeginLoc(),
2709 ArgTy, 1) ||
2710 checkFPMathBuiltinElementType(*this, TheCall->getArg(1)->getBeginLoc(),
2711 ArgTy, 2))
2712 return ExprError();
2713 break;
2714 }
2715
2716 // These builtins restrict the element type to integer
2717 // types only.
2718 case Builtin::BI__builtin_elementwise_add_sat:
2719 case Builtin::BI__builtin_elementwise_sub_sat: {
2720 if (BuiltinElementwiseMath(TheCall))
2721 return ExprError();
2722
2723 const Expr *Arg = TheCall->getArg(0);
2724 QualType ArgTy = Arg->getType();
2725 QualType EltTy = ArgTy;
2726
2727 if (auto *VecTy = EltTy->getAs<VectorType>())
2728 EltTy = VecTy->getElementType();
2729
2730 if (!EltTy->isIntegerType()) {
2731 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2732 << 1 << /* integer ty */ 6 << ArgTy;
2733 return ExprError();
2734 }
2735 break;
2736 }
2737
2738 case Builtin::BI__builtin_elementwise_min:
2739 case Builtin::BI__builtin_elementwise_max:
2740 if (BuiltinElementwiseMath(TheCall))
2741 return ExprError();
2742 break;
2743
2744 case Builtin::BI__builtin_elementwise_bitreverse: {
2745 if (PrepareBuiltinElementwiseMathOneArgCall(TheCall))
2746 return ExprError();
2747
2748 const Expr *Arg = TheCall->getArg(0);
2749 QualType ArgTy = Arg->getType();
2750 QualType EltTy = ArgTy;
2751
2752 if (auto *VecTy = EltTy->getAs<VectorType>())
2753 EltTy = VecTy->getElementType();
2754
2755 if (!EltTy->isIntegerType()) {
2756 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2757 << 1 << /* integer ty */ 6 << ArgTy;
2758 return ExprError();
2759 }
2760 break;
2761 }
2762
2763 case Builtin::BI__builtin_elementwise_copysign: {
2764 if (checkArgCount(TheCall, 2))
2765 return ExprError();
2766
2767 ExprResult Magnitude = UsualUnaryConversions(TheCall->getArg(0));
2768 ExprResult Sign = UsualUnaryConversions(TheCall->getArg(1));
2769 if (Magnitude.isInvalid() || Sign.isInvalid())
2770 return ExprError();
2771
2772 QualType MagnitudeTy = Magnitude.get()->getType();
2773 QualType SignTy = Sign.get()->getType();
2774 if (checkFPMathBuiltinElementType(*this, TheCall->getArg(0)->getBeginLoc(),
2775 MagnitudeTy, 1) ||
2776 checkFPMathBuiltinElementType(*this, TheCall->getArg(1)->getBeginLoc(),
2777 SignTy, 2)) {
2778 return ExprError();
2779 }
2780
2781 if (MagnitudeTy.getCanonicalType() != SignTy.getCanonicalType()) {
2782 return Diag(Sign.get()->getBeginLoc(),
2783 diag::err_typecheck_call_different_arg_types)
2784 << MagnitudeTy << SignTy;
2785 }
2786
2787 TheCall->setArg(0, Magnitude.get());
2788 TheCall->setArg(1, Sign.get());
2789 TheCall->setType(Magnitude.get()->getType());
2790 break;
2791 }
2792 case Builtin::BI__builtin_reduce_max:
2793 case Builtin::BI__builtin_reduce_min: {
2794 if (PrepareBuiltinReduceMathOneArgCall(TheCall))
2795 return ExprError();
2796
2797 const Expr *Arg = TheCall->getArg(0);
2798 const auto *TyA = Arg->getType()->getAs<VectorType>();
2799
2800 QualType ElTy;
2801 if (TyA)
2802 ElTy = TyA->getElementType();
2803 else if (Arg->getType()->isSizelessVectorType())
2804 ElTy = Arg->getType()->getSizelessVectorEltType(Context);
2805
2806 if (ElTy.isNull()) {
2807 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2808 << 1 << /* vector ty*/ 4 << Arg->getType();
2809 return ExprError();
2810 }
2811
2812 TheCall->setType(ElTy);
2813 break;
2814 }
2815
2816 // These builtins support vectors of integers only.
2817 // TODO: ADD/MUL should support floating-point types.
2818 case Builtin::BI__builtin_reduce_add:
2819 case Builtin::BI__builtin_reduce_mul:
2820 case Builtin::BI__builtin_reduce_xor:
2821 case Builtin::BI__builtin_reduce_or:
2822 case Builtin::BI__builtin_reduce_and: {
2823 if (PrepareBuiltinReduceMathOneArgCall(TheCall))
2824 return ExprError();
2825
2826 const Expr *Arg = TheCall->getArg(0);
2827 const auto *TyA = Arg->getType()->getAs<VectorType>();
2828
2829 QualType ElTy;
2830 if (TyA)
2831 ElTy = TyA->getElementType();
2832 else if (Arg->getType()->isSizelessVectorType())
2833 ElTy = Arg->getType()->getSizelessVectorEltType(Context);
2834
2835 if (ElTy.isNull() || !ElTy->isIntegerType()) {
2836 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2837 << 1 << /* vector of integers */ 6 << Arg->getType();
2838 return ExprError();
2839 }
2840
2841 TheCall->setType(ElTy);
2842 break;
2843 }
2844
2845 case Builtin::BI__builtin_matrix_transpose:
2846 return BuiltinMatrixTranspose(TheCall, TheCallResult);
2847
2848 case Builtin::BI__builtin_matrix_column_major_load:
2849 return BuiltinMatrixColumnMajorLoad(TheCall, TheCallResult);
2850
2851 case Builtin::BI__builtin_matrix_column_major_store:
2852 return BuiltinMatrixColumnMajorStore(TheCall, TheCallResult);
2853
2854 case Builtin::BI__builtin_verbose_trap:
2855 if (!checkBuiltinVerboseTrap(TheCall, *this))
2856 return ExprError();
2857 break;
2858
2859 case Builtin::BI__builtin_get_device_side_mangled_name: {
2860 auto Check = [](CallExpr *TheCall) {
2861 if (TheCall->getNumArgs() != 1)
2862 return false;
2863 auto *DRE = dyn_cast<DeclRefExpr>(TheCall->getArg(0)->IgnoreImpCasts());
2864 if (!DRE)
2865 return false;
2866 auto *D = DRE->getDecl();
2867 if (!isa<FunctionDecl>(D) && !isa<VarDecl>(D))
2868 return false;
2869 return D->hasAttr<CUDAGlobalAttr>() || D->hasAttr<CUDADeviceAttr>() ||
2870 D->hasAttr<CUDAConstantAttr>() || D->hasAttr<HIPManagedAttr>();
2871 };
2872 if (!Check(TheCall)) {
2873 Diag(TheCall->getBeginLoc(),
2874 diag::err_hip_invalid_args_builtin_mangled_name);
2875 return ExprError();
2876 }
2877 break;
2878 }
2879 case Builtin::BI__builtin_popcountg:
2880 if (BuiltinPopcountg(*this, TheCall))
2881 return ExprError();
2882 break;
2883 case Builtin::BI__builtin_clzg:
2884 case Builtin::BI__builtin_ctzg:
2885 if (BuiltinCountZeroBitsGeneric(*this, TheCall))
2886 return ExprError();
2887 break;
2888
2889 case Builtin::BI__builtin_allow_runtime_check: {
2890 Expr *Arg = TheCall->getArg(0);
2891 // Check if the argument is a string literal.
2892 if (!isa<StringLiteral>(Arg->IgnoreParenImpCasts())) {
2893 Diag(TheCall->getBeginLoc(), diag::err_expr_not_string_literal)
2894 << Arg->getSourceRange();
2895 return ExprError();
2896 }
2897 break;
2898 }
2899 }
2900
2901 if (getLangOpts().HLSL && HLSL().CheckBuiltinFunctionCall(BuiltinID, TheCall))
2902 return ExprError();
2903
2904 // Since the target specific builtins for each arch overlap, only check those
2905 // of the arch we are compiling for.
2906 if (Context.BuiltinInfo.isTSBuiltin(BuiltinID)) {
2907 if (Context.BuiltinInfo.isAuxBuiltinID(BuiltinID)) {
2908 assert(Context.getAuxTargetInfo() &&
2909 "Aux Target Builtin, but not an aux target?");
2910
2911 if (CheckTSBuiltinFunctionCall(
2912 *Context.getAuxTargetInfo(),
2913 Context.BuiltinInfo.getAuxBuiltinID(BuiltinID), TheCall))
2914 return ExprError();
2915 } else {
2916 if (CheckTSBuiltinFunctionCall(Context.getTargetInfo(), BuiltinID,
2917 TheCall))
2918 return ExprError();
2919 }
2920 }
2921
2922 return TheCallResult;
2923 }
2924
/// Diagnose a builtin call argument that is not one contiguous run of set
/// bits.
///
/// A value whose bitwise complement is a contiguous run (for example
/// 0xFF0000FF) is accepted as well.
///
/// \param TheCall the call expression whose argument is inspected.
/// \param ArgNum  index of the argument within \p TheCall.
/// \returns true if a problem was reported (BuiltinConstantArg returned true,
/// or the value is not a run of ones); false if the argument is acceptable or
/// is type-/value-dependent and so cannot be checked here.
bool Sema::ValueIsRunOfOnes(CallExpr *TheCall, unsigned ArgNum) {
  Expr *Arg = TheCall->getArg(ArgNum);

  // A dependent argument has no value to inspect yet.
  const bool IsDependent = Arg->isTypeDependent() || Arg->isValueDependent();
  if (IsDependent)
    return false;

  // The bit pattern can only be examined once the argument is known to be a
  // constant; a true result from BuiltinConstantArg is propagated as failure.
  llvm::APSInt Value;
  if (BuiltinConstantArg(TheCall, ArgNum, Value))
    return true;

  // Accept either a run of ones or a value whose complement is one.
  const bool IsRun = Value.isShiftedMask() || (~Value).isShiftedMask();
  if (!IsRun)
    return Diag(TheCall->getBeginLoc(),
                diag::err_argument_not_contiguous_bit_field)
           << ArgNum << Arg->getSourceRange();

  return false;
}
2944
/// Translate a format attribute into zero-based indices in \p FSI.
///
/// \param Format      the format attribute to read.
/// \param IsCXXMember whether the attributed function is a C++ member; if so
///                    the indices are shifted down by one, because the
///                    attribute counts the implicit 'this' argument and the
///                    argument lists used here do not contain it.
/// \param IsVariadic  whether the function is variadic.
/// \param FSI         output: argument passing kind, format string index and
///                    index of the first data argument.
/// \returns false when \p IsCXXMember is set and the format index would refer
/// to the implicit 'this' argument; true otherwise.
bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember,
                               bool IsVariadic, FormatStringInfo *FSI) {
  // A first-argument value of 0 selects the va_list flavour.
  const bool TakesVAList = Format->getFirstArg() == 0;

  if (TakesVAList)
    FSI->ArgPassingKind = FAPK_VAList;
  else
    FSI->ArgPassingKind = IsVariadic ? FAPK_Variadic : FAPK_Fixed;

  // The attribute stores one-based positions; FSI holds zero-based ones.
  FSI->FormatIdx = Format->getFormatIdx() - 1;
  if (TakesVAList)
    FSI->FirstDataArg = 0;
  else
    FSI->FirstDataArg = Format->getFirstArg() - 1;

  if (!IsCXXMember)
    return true;

  // The way the format attribute works in GCC, the implicit this argument of
  // member functions is counted. It does not appear in our own lists, so the
  // indices are decremented. Index 0 would name 'this' itself.
  if (FSI->FormatIdx == 0)
    return false;
  --FSI->FormatIdx;
  if (FSI->FirstDataArg != 0)
    --FSI->FirstDataArg;
  return true;
}
2969
/// Checks whether the given expression evaluates to null.
///
/// \returns true if the expression is a (smart) pointer built from nullptr,
/// or if it is not value-dependent and its boolean evaluation succeeds and
/// yields false. Returns false when the expression's type is annotated
/// non-null or when the value cannot be determined.
static bool CheckNonNullExpr(Sema &S, const Expr *Expr) {
  // Treat (smart) pointers constructed from nullptr as null, whether we can
  // const-evaluate them or not.
  // This must happen first: the smart pointer expr might have _Nonnull type!
  const auto *Stripped =
      IgnoreExprNodes(Expr, IgnoreImplicitAsWrittenSingleStep,
                      IgnoreElidableImplicitConstructorSingleStep);
  if (isa<CXXNullPtrLiteralExpr>(Stripped))
    return true;

  // An expression of non-null type is taken not to evaluate to null.
  const auto Nullability = Expr->IgnoreImplicit()->getType()->getNullability();
  if (Nullability && *Nullability == NullabilityKind::NonNull)
    return false;

  // Special case: for a transparent union written as a compound literal with
  // an initializer list, the first initializer is the value that is tested.
  const RecordType *UT = Expr->getType()->getAsUnionType();
  if (UT && UT->getDecl()->hasAttr<TransparentUnionAttr>()) {
    const auto *CLE = dyn_cast<CompoundLiteralExpr>(Expr);
    const auto *ILE =
        CLE ? dyn_cast<InitListExpr>(CLE->getInitializer()) : nullptr;
    // NOTE(review): getInit(0) presumes the list holds at least one
    // initializer -- confirm this is guaranteed for such literals.
    if (ILE)
      Expr = ILE->getInit(0);
  }

  // Only a successfully evaluated, non-dependent value can be called null.
  if (Expr->isValueDependent())
    return false;

  bool IsTrue;
  if (!Expr->EvaluateAsBooleanCondition(IsTrue, S.Context))
    return false;
  return !IsTrue;
}
3002
/// Emit diag::warn_null_arg (through DiagRuntimeBehavior) when \p ArgExpr is
/// found to evaluate to null.
///
/// \param S           the semantic analyzer used to evaluate and report.
/// \param ArgExpr     the argument expression under test.
/// \param CallSiteLoc location the warning is attached to.
static void CheckNonNullArgument(Sema &S, const Expr *ArgExpr,
                                 SourceLocation CallSiteLoc) {
  // Nothing to report unless the argument is known to be null.
  if (!CheckNonNullExpr(S, ArgExpr))
    return;

  S.DiagRuntimeBehavior(CallSiteLoc, ArgExpr,
                        S.PDiag(diag::warn_null_arg)
                            << ArgExpr->getSourceRange());
}
3011
/// Determine whether the given type has a non-null nullability annotation.
///
/// \returns true only when the type carries a nullability annotation and it
/// is NullabilityKind::NonNull; false for any other annotation or none.
static bool isNonNullType(QualType type) {
  const auto Kind = type->getNullability();
  return Kind && *Kind == NullabilityKind::NonNull;
}
3019
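/// Warn about call arguments that evaluate to null where the callee requires
/// a non-null value.
///
/// The requirement is gathered from nonnull attributes on the declaration,
/// from nonnull attributes or non-null nullability on its parameters, and,
/// for non-function declarations, from nullability on the prototype's
/// parameter types.
///
/// \param S           the semantic analyzer used to evaluate and report.
/// \param FDecl       the callee declaration; may be null if \p Proto is set.
/// \param Proto       the callee prototype; may be null if \p FDecl is set.
/// \param Args        the call arguments.
/// \param CallSiteLoc location used for the "all pointer arguments" case.
static void CheckNonNullArguments(Sema &S,
                                  const NamedDecl *FDecl,
                                  const FunctionProtoType *Proto,
                                  ArrayRef<const Expr *> Args,
                                  SourceLocation CallSiteLoc) {
  assert((FDecl || Proto) && "Need a function declaration or prototype");

  // Already checked by constant evaluator.
  if (S.isConstantEvaluatedContext())
    return;

  llvm::SmallBitVector NonNullArgs;

  // Record that argument Idx must not be null. An index with no matching
  // argument is ignored, so a call with fewer arguments than parameters can
  // never set a bit past the end of the vector. The attribute-index loop
  // already had this guard; the parameter loops now share it.
  auto MarkNonNull = [&](unsigned Idx) {
    if (Idx >= Args.size())
      return;
    if (NonNullArgs.empty())
      NonNullArgs.resize(Args.size());
    NonNullArgs.set(Idx);
  };

  // Check the attributes attached to the method/function itself.
  if (FDecl) {
    for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) {
      if (!NonNull->args_size()) {
        // Easy case: all pointer arguments are nonnull.
        // Entries of Args can be null in malformed code (checkCall guards
        // against this too), so skip them instead of dereferencing.
        for (const Expr *Arg : Args)
          if (Arg && S.isValidPointerAttrType(Arg->getType()))
            CheckNonNullArgument(S, Arg, CallSiteLoc);
        return;
      }

      for (const ParamIdx &Idx : NonNull->args())
        MarkNonNull(Idx.getASTIndex());
    }
  }

  if (FDecl && (isa<FunctionDecl>(FDecl) || isa<ObjCMethodDecl>(FDecl))) {
    // Handle the nonnull attribute on the parameters of the
    // function/method.
    ArrayRef<ParmVarDecl *> parms;
    if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl))
      parms = FD->parameters();
    else
      parms = cast<ObjCMethodDecl>(FDecl)->parameters();

    unsigned ParamIndex = 0;
    for (const ParmVarDecl *PVD : parms) {
      if (PVD->hasAttr<NonNullAttr>() || isNonNullType(PVD->getType()))
        MarkNonNull(ParamIndex);
      ++ParamIndex;
    }
  } else {
    // If we have a non-function, non-method declaration but no
    // function prototype, try to dig out the function prototype.
    if (!Proto) {
      if (const ValueDecl *VD = dyn_cast<ValueDecl>(FDecl)) {
        QualType type = VD->getType().getNonReferenceType();
        if (auto pointerType = type->getAs<PointerType>())
          type = pointerType->getPointeeType();
        else if (auto blockType = type->getAs<BlockPointerType>())
          type = blockType->getPointeeType();
        // FIXME: data member pointers?

        // Dig out the function prototype, if there is one.
        Proto = type->getAs<FunctionProtoType>();
      }
    }

    // Fill in non-null argument information from the nullability
    // information on the parameter types (if we have them).
    if (Proto) {
      unsigned Index = 0;
      for (auto paramType : Proto->getParamTypes()) {
        if (isNonNullType(paramType))
          MarkNonNull(Index);
        ++Index;
      }
    }
  }

  // Check for non-null arguments. Each warning is placed at the argument's
  // own location rather than at CallSiteLoc.
  for (unsigned ArgIndex = 0, ArgIndexEnd = NonNullArgs.size();
       ArgIndex != ArgIndexEnd; ++ArgIndex) {
    const Expr *Arg = Args[ArgIndex];
    // A null entry (malformed code) has nothing to evaluate.
    if (NonNullArgs[ArgIndex] && Arg)
      CheckNonNullArgument(S, Arg, Arg->getExprLoc());
  }
}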
3115
/// Warn when an argument passed by pointer or reference is less aligned than
/// the parameter type expects.
///
/// \param Loc       location for the diagnostic.
/// \param FDecl     the callee, if known; streamed into the diagnostic along
///                  with a flag saying whether it is non-null.
/// \param ParamName text naming the parameter in the diagnostic.
/// \param ArgTy     type of the argument as passed.
/// \param ParamTy   declared parameter type.
void Sema::CheckArgAlignment(SourceLocation Loc, NamedDecl *FDecl,
                             StringRef ParamName, QualType ArgTy,
                             QualType ParamTy) {
  // Only pointer and reference parameters are of interest.
  const bool ParamIsPointer = ParamTy->isPointerType();
  if (!(ParamIsPointer || ParamTy->isReferenceType()))
    return;

  // For a pointer parameter the argument is a pointer too, so compare the
  // pointees. For a reference parameter the argument type is used as it is.
  if (ParamIsPointer)
    ArgTy = ArgTy->getPointeeType();

  // Strip the pointer or reference from the parameter.
  ParamTy = ParamTy->getPointeeType();

  // getTypeAlignInChars requires complete types, so give up on anything that
  // is missing, dependent, incomplete or not yet deduced.
  if (ArgTy.isNull())
    return;
  if (ParamTy->isDependentType() || ParamTy->isIncompleteType() ||
      ArgTy->isIncompleteType() || ParamTy->isUndeducedType() ||
      ArgTy->isUndeducedType())
    return;

  const CharUnits Required = Context.getTypeAlignInChars(ParamTy);
  const CharUnits Actual = Context.getTypeAlignInChars(ArgTy);

  // An argument at least as aligned as the parameter is fine.
  if (!(Actual < Required))
    return;

  Diag(Loc, diag::warn_param_mismatched_alignment)
      << static_cast<int>(Actual.getQuantity())
      << static_cast<int>(Required.getQuantity()) << ParamName
      << (FDecl != nullptr) << FDecl;
}
3150
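/// Run the call-site checks shared by function, method and constructor calls.
///
/// In order: format-string checking for each format attribute, checking of
/// variadic arguments the format checks did not cover, non-null argument
/// checking, type-tag checking, argument alignment checking, AArch64 SME
/// streaming/ZA/ZT0 state checks, alloc_align argument checks and
/// diagnose_if attribute evaluation.
///
/// \param FDecl            the callee declaration, or null.
/// \param Proto            the callee prototype, or null; recovered from
///                         \p FDecl when possible.
/// \param ThisArg          the implicit object argument, or null.
/// \param Args             the explicit call arguments; entries can be null
///                         in malformed code.
/// \param IsMemberFunction whether the callee is a member function.
/// \param Loc              location used for most diagnostics.
/// \param Range            source range passed to the format checks.
/// \param CallType         the kind of variadic call, if any.
void Sema::checkCall(NamedDecl *FDecl, const FunctionProtoType *Proto,
                     const Expr *ThisArg, ArrayRef<const Expr *> Args,
                     bool IsMemberFunction, SourceLocation Loc,
                     SourceRange Range, VariadicCallType CallType) {
  // FIXME: We should check as much as we can in the template definition.
  if (CurContext->isDependentContext())
    return;

  // Printf and scanf checking.
  llvm::SmallBitVector CheckedVarArgs;
  if (FDecl) {
    for (const auto *I : FDecl->specific_attrs<FormatAttr>()) {
      // Only create vector if there are format attributes.
      CheckedVarArgs.resize(Args.size());

      CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range,
                           CheckedVarArgs);
    }
  }

  // Refuse POD arguments that weren't caught by the format string
  // checks above.
  auto *FD = dyn_cast_or_null<FunctionDecl>(FDecl);
  if (CallType != VariadicDoesNotApply &&
      (!FD || FD->getBuiltinID() != Builtin::BI__noop)) {
    unsigned NumParams = Proto ? Proto->getNumParams()
                         : isa_and_nonnull<FunctionDecl>(FDecl)
                             ? cast<FunctionDecl>(FDecl)->getNumParams()
                         : isa_and_nonnull<ObjCMethodDecl>(FDecl)
                             ? cast<ObjCMethodDecl>(FDecl)->param_size()
                             : 0;

    // Only the arguments past the declared parameters are variadic.
    for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) {
      // Args[ArgIdx] can be null in malformed code.
      if (const Expr *Arg = Args[ArgIdx]) {
        if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx])
          checkVariadicArgument(Arg, CallType);
      }
    }
  }

  if (FDecl || Proto) {
    CheckNonNullArguments(*this, FDecl, Proto, Args, Loc);

    // Type safety checking.
    if (FDecl) {
      for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())
        CheckArgumentWithTypeTag(I, Args, Loc);
    }
  }

  // Check that passed arguments match the alignment of original arguments.
  // Try to get the missing prototype from the declaration.
  if (!Proto && FDecl) {
    const auto *FT = FDecl->getFunctionType();
    if (isa_and_nonnull<FunctionProtoType>(FT))
      Proto = cast<FunctionProtoType>(FDecl->getFunctionType());
  }
  if (Proto) {
    // For variadic functions, we may have more args than parameters.
    // For some K&R functions, we may have less args than parameters.
    const auto N = std::min<unsigned>(Proto->getNumParams(), Args.size());
    bool IsScalableRet = Proto->getReturnType()->isSizelessVectorType();
    bool IsScalableArg = false;
    for (unsigned ArgIdx = 0; ArgIdx < N; ++ArgIdx) {
      // Args[ArgIdx] can be null in malformed code.
      if (const Expr *Arg = Args[ArgIdx]) {
        if (Arg->containsErrors())
          continue;

        // Arg is known to be non-null inside this branch.
        if (Context.getTargetInfo().getTriple().isOSAIX() && FDecl &&
            FDecl->hasLinkage() &&
            FDecl->getFormalLinkage() != Linkage::Internal &&
            CallType == VariadicDoesNotApply)
          PPC().checkAIXMemberAlignment((Arg->getExprLoc()), Arg);

        QualType ParamTy = Proto->getParamType(ArgIdx);
        if (ParamTy->isSizelessVectorType())
          IsScalableArg = true;
        QualType ArgTy = Arg->getType();
        // The parameter is named by its one-based position.
        CheckArgAlignment(Arg->getExprLoc(), FDecl, std::to_string(ArgIdx + 1),
                          ArgTy, ParamTy);
      }
    }

    // If the callee has an AArch64 SME attribute to indicate that it is an
    // __arm_streaming function, then the caller requires SME to be available.
    FunctionProtoType::ExtProtoInfo ExtInfo = Proto->getExtProtoInfo();
    if (ExtInfo.AArch64SMEAttributes & FunctionType::SME_PStateSMEnabledMask) {
      if (auto *CallerFD = dyn_cast<FunctionDecl>(CurContext)) {
        llvm::StringMap<bool> CallerFeatureMap;
        Context.getFunctionFeatureMap(CallerFeatureMap, CallerFD);
        if (!CallerFeatureMap.contains("sme"))
          Diag(Loc, diag::err_sme_call_in_non_sme_target);
      } else if (!Context.getTargetInfo().hasFeature("sme")) {
        Diag(Loc, diag::err_sme_call_in_non_sme_target);
      }
    }

    // If the call requires a streaming-mode change and has scalable vector
    // arguments or return values, then warn the user that the streaming and
    // non-streaming vector lengths may be different.
    const auto *CallerFD = dyn_cast<FunctionDecl>(CurContext);
    if (CallerFD && (!FD || !FD->getBuiltinID()) &&
        (IsScalableArg || IsScalableRet)) {
      bool IsCalleeStreaming =
          ExtInfo.AArch64SMEAttributes & FunctionType::SME_PStateSMEnabledMask;
      bool IsCalleeStreamingCompatible =
          ExtInfo.AArch64SMEAttributes &
          FunctionType::SME_PStateSMCompatibleMask;
      SemaARM::ArmStreamingType CallerFnType = getArmStreamingFnType(CallerFD);
      if (!IsCalleeStreamingCompatible &&
          (CallerFnType == SemaARM::ArmStreamingCompatible ||
           ((CallerFnType == SemaARM::ArmStreaming) ^ IsCalleeStreaming))) {
        if (IsScalableArg)
          Diag(Loc, diag::warn_sme_streaming_pass_return_vl_to_non_streaming)
              << /*IsArg=*/true;
        if (IsScalableRet)
          Diag(Loc, diag::warn_sme_streaming_pass_return_vl_to_non_streaming)
              << /*IsArg=*/false;
      }
    }

    // A callee that uses ZA or ZT0 state needs a caller that has that state,
    // either through its own prototype or through an ArmNewAttr.
    FunctionType::ArmStateValue CalleeArmZAState =
        FunctionType::getArmZAState(ExtInfo.AArch64SMEAttributes);
    FunctionType::ArmStateValue CalleeArmZT0State =
        FunctionType::getArmZT0State(ExtInfo.AArch64SMEAttributes);
    if (CalleeArmZAState != FunctionType::ARM_None ||
        CalleeArmZT0State != FunctionType::ARM_None) {
      bool CallerHasZAState = false;
      bool CallerHasZT0State = false;
      if (CallerFD) {
        auto *Attr = CallerFD->getAttr<ArmNewAttr>();
        if (Attr && Attr->isNewZA())
          CallerHasZAState = true;
        if (Attr && Attr->isNewZT0())
          CallerHasZT0State = true;
        if (const auto *FPT = CallerFD->getType()->getAs<FunctionProtoType>()) {
          CallerHasZAState |=
              FunctionType::getArmZAState(
                  FPT->getExtProtoInfo().AArch64SMEAttributes) !=
              FunctionType::ARM_None;
          CallerHasZT0State |=
              FunctionType::getArmZT0State(
                  FPT->getExtProtoInfo().AArch64SMEAttributes) !=
              FunctionType::ARM_None;
        }
      }

      if (CalleeArmZAState != FunctionType::ARM_None && !CallerHasZAState)
        Diag(Loc, diag::err_sme_za_call_no_za_state);

      if (CalleeArmZT0State != FunctionType::ARM_None && !CallerHasZT0State)
        Diag(Loc, diag::err_sme_zt0_call_no_zt0_state);

      if (CallerHasZAState && CalleeArmZAState == FunctionType::ARM_None &&
          CalleeArmZT0State != FunctionType::ARM_None) {
        Diag(Loc, diag::err_sme_unimplemented_za_save_restore);
        Diag(Loc, diag::note_sme_use_preserves_za);
      }
    }
  }

  if (FDecl && FDecl->hasAttr<AllocAlignAttr>()) {
    auto *AA = FDecl->getAttr<AllocAlignAttr>();
    // The attribute's index comes from the declaration, not from this call.
    // As noted above, a call can carry fewer arguments than parameters and
    // entries can be null in malformed code, so look the argument up
    // defensively instead of indexing Args unchecked.
    const unsigned AlignIdx = AA->getParamIndex().getASTIndex();
    const Expr *Arg = AlignIdx < Args.size() ? Args[AlignIdx] : nullptr;
    if (Arg && !Arg->isValueDependent()) {
      Expr::EvalResult Align;
      if (Arg->EvaluateAsInt(Align, Context)) {
        const llvm::APSInt &I = Align.Val.getInt();
        if (!I.isPowerOf2())
          Diag(Arg->getExprLoc(), diag::warn_alignment_not_power_of_two)
              << Arg->getSourceRange();

        if (I > Sema::MaximumAlignment)
          Diag(Arg->getExprLoc(), diag::warn_assume_aligned_too_great)
              << Arg->getSourceRange() << Sema::MaximumAlignment;
      }
    }
  }

  if (FD)
    diagnoseArgDependentDiagnoseIfAttrs(FD, ThisArg, Args, Loc);
}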
3335
/// Run DiagnoseUseOfDecl on the concept that constrains \p AutoT, if any.
///
/// \param AutoT the auto type to inspect.
/// \param Loc   location passed to DiagnoseUseOfDecl.
void Sema::CheckConstrainedAuto(const AutoType *AutoT, SourceLocation Loc) {
  ConceptDecl *Decl = AutoT->getTypeConstraintConcept();
  // An unconstrained auto has no concept to diagnose.
  if (!Decl)
    return;

  DiagnoseUseOfDecl(Decl, Loc);
}
3341
/// Check a constructor call: the alignment of the object being constructed
/// against the constructor's object parameter type, then the common checks in
/// checkCall.
///
/// \param FDecl    the constructor; it is cast to CXXConstructorDecl.
/// \param ThisType type of the object being constructed.
/// \param Args     the constructor arguments.
/// \param Proto    the constructor's prototype; dereferenced without a null
///                 check.
/// \param Loc      location used for diagnostics.
void Sema::CheckConstructorCall(FunctionDecl *FDecl, QualType ThisType,
                                ArrayRef<const Expr *> Args,
                                const FunctionProtoType *Proto,
                                SourceLocation Loc) {
  const VariadicCallType CallType =
      Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply;

  // Both sides are compared as pointer types so that CheckArgAlignment looks
  // at the pointees.
  const auto *Ctor = cast<CXXConstructorDecl>(FDecl);
  const QualType PassedThisPtrTy = Context.getPointerType(ThisType);
  const QualType DeclaredThisPtrTy =
      Context.getPointerType(Ctor->getFunctionObjectParameterType());
  CheckArgAlignment(Loc, FDecl, "'this'", PassedThisPtrTy, DeclaredThisPtrTy);

  // No implicit object argument and no callee source range are passed on.
  checkCall(FDecl, Proto, /*ThisArg=*/nullptr, Args,
            /*IsMemberFunction=*/true, Loc, SourceRange(), CallType);
}
3357
/// Run the semantic checks that apply to a call whose callee is a known
/// function declaration.
///
/// The steps are, in order: pass the implicit object argument (if there is
/// one) to CheckArgAlignment, run the generic checkCall checks, and, for
/// callees that have a simple identifier, apply TCB enforcement followed by the
/// name-specific checks (absolute value, max with unsigned zero, inf/NaN, and
/// the memory/string function argument checks selected by
/// getMemoryFunctionKind()).
///
/// \param FDecl   Declaration of the function being called.
/// \param TheCall The call expression under inspection.
/// \param Proto   Prototype forwarded to getVariadicCallType and checkCall.
/// \returns false on every path in this function; problems are reported
///          through diagnostics, not through the return value.
bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall,
                             const FunctionProtoType *Proto) {
  const bool ViaMemberOperator =
      isa<CXXOperatorCallExpr>(TheCall) && isa<CXXMethodDecl>(FDecl);
  const bool IsMemberFunction =
      isa<CXXMemberCallExpr>(TheCall) || ViaMemberOperator;
  VariadicCallType CallType =
      getVariadicCallType(FDecl, Proto, TheCall->getCallee());
  Expr **ArgBegin = TheCall->getArgs();
  unsigned ArgCount = TheCall->getNumArgs();

  Expr *ImplicitThis = nullptr;
  if (ViaMemberOperator) {
    if (!FDecl->hasCXXExplicitFunctionObjectParameter()) {
      // A member operator call carries its object as the first argument;
      // hide that argument from checkCall.
      // FIXME: Our choice of AST representation here is less than ideal.
      ImplicitThis = ArgBegin[0];
      ++ArgBegin;
      --ArgCount;
    }
  } else if (IsMemberFunction && !FDecl->isStatic() &&
             !FDecl->hasCXXExplicitFunctionObjectParameter()) {
    ImplicitThis =
        cast<CXXMemberCallExpr>(TheCall)->getImplicitObjectArgument();
  }

  if (ImplicitThis) {
    // The object expression is a pointer when '->' was used and a non-pointer
    // when '.' was used; normalise to a pointer type before comparing.
    QualType ObjectPtrTy = ImplicitThis->getType();
    if (!ObjectPtrTy->isPointerType()) {
      assert(!ObjectPtrTy->isReferenceType());
      ObjectPtrTy = Context.getPointerType(ObjectPtrTy);
    }

    auto *Method = cast<CXXMethodDecl>(FDecl);
    QualType DeclaredPtrTy =
        Context.getPointerType(Method->getFunctionObjectParameterType());

    CheckArgAlignment(TheCall->getRParenLoc(), FDecl, "'this'", ObjectPtrTy,
                      DeclaredPtrTy);
  }

  checkCall(FDecl, Proto, ImplicitThis, llvm::ArrayRef(ArgBegin, ArgCount),
            IsMemberFunction, TheCall->getRParenLoc(),
            TheCall->getCallee()->getSourceRange(), CallType);

  // Everything below keys off the callee's name, so it does not apply to
  // functions without a simple name (e.g., C++ conversion functions).
  IdentifierInfo *FnInfo = FDecl->getIdentifier();
  if (!FnInfo)
    return false;

  // Enforce TCB except for builtin calls, which are always allowed.
  if (FDecl->getBuiltinID() == 0)
    CheckTCBEnforcement(TheCall->getExprLoc(), FDecl);

  CheckAbsoluteValueFunction(TheCall, FDecl);
  CheckMaxUnsignedZero(TheCall, FDecl);
  CheckInfNaNFunction(TheCall, FDecl);

  if (getLangOpts().ObjC)
    ObjC().DiagnoseCStringFormatDirectiveInCFAPI(FDecl, ArgBegin, ArgCount);

  // Handle memory setting and copying functions. A kind of 0 means the callee
  // is not one of them.
  const unsigned MemFnKind = FDecl->getMemoryFunctionKind();
  if (MemFnKind == 0)
    return false;

  switch (MemFnKind) {
  case Builtin::BIstrlcpy:
  case Builtin::BIstrlcat:
    CheckStrlcpycatArguments(TheCall, FnInfo);
    break;
  case Builtin::BIstrncat:
    CheckStrncatArguments(TheCall, FnInfo);
    break;
  case Builtin::BIfree:
    CheckFreeArguments(TheCall);
    break;
  default:
    CheckMemaccessArguments(TheCall, MemFnKind, FnInfo);
  }

  return false;
}
3441
/// Run the generic call checks for a call made through a variable or field
/// that holds a block pointer, a function pointer or a function type.
///
/// \param NDecl   Declaration the callee refers to; only VarDecl and FieldDecl
///                are handled, anything else is ignored.
/// \param TheCall The call expression under inspection.
/// \param Proto   Prototype of the callee type; may be null, in which case the
///                call is treated as non-variadic.
/// \returns false on every path in this function.
bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall,
                            const FunctionProtoType *Proto) {
  QualType CalleeTy;
  if (const auto *Var = dyn_cast<VarDecl>(NDecl)) {
    CalleeTy = Var->getType().getNonReferenceType();
  } else if (const auto *Field = dyn_cast<FieldDecl>(NDecl)) {
    CalleeTy = Field->getType().getNonReferenceType();
  } else {
    return false;
  }

  const bool IsBlock = CalleeTy->isBlockPointerType();
  const bool IsCallable = IsBlock || CalleeTy->isFunctionPointerType() ||
                          CalleeTy->isFunctionProtoType();
  if (!IsCallable)
    return false;

  // Only a variadic prototype needs a variadic call kind; block pointers and
  // every other callable type use different kinds.
  VariadicCallType CallType = VariadicDoesNotApply;
  if (Proto && Proto->isVariadic())
    CallType = IsBlock ? VariadicBlock : VariadicFunction;

  checkCall(NDecl, Proto, /*ThisArg=*/nullptr,
            llvm::ArrayRef(TheCall->getArgs(), TheCall->getNumArgs()),
            /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
            TheCall->getCallee()->getSourceRange(), CallType);

  return false;
}
3472
/// Run the generic call checks for a call that has no callee declaration.
///
/// \param TheCall The call expression under inspection.
/// \param Proto   Prototype forwarded to getVariadicCallType and checkCall.
/// \returns false on every path in this function.
bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) {
  Expr *Callee = TheCall->getCallee();
  VariadicCallType CallType =
      getVariadicCallType(/*FDecl=*/nullptr, Proto, Callee);

  auto CallArgs = llvm::ArrayRef(TheCall->getArgs(), TheCall->getNumArgs());
  checkCall(/*FDecl=*/nullptr, Proto, /*ThisArg=*/nullptr, CallArgs,
            /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
            Callee->getSourceRange(), CallType);

  return false;
}
3483
/// Decide whether a constant memory-order value is acceptable for an atomic
/// operation.
///
/// Values rejected by llvm::isValidAtomicOrderingCABI are never valid. Beyond
/// that, loads reject release and acq_rel, stores reject consume, acquire and
/// acq_rel, and every other operation accepts any valid ordering.
///
/// \param Ordering The ordering value as written in the source.
/// \param Op       The atomic operation; must not be an init operation, which
///                 has no ordering argument.
/// \returns true if the ordering may be used with \p Op.
static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) {
  using Order = llvm::AtomicOrderingCABI;

  // Range-check before converting to the enum type.
  if (!llvm::isValidAtomicOrderingCABI(Ordering))
    return false;

  const auto Requested = static_cast<Order>(Ordering);
  switch (Op) {
  case AtomicExpr::AO__c11_atomic_init:
  case AtomicExpr::AO__opencl_atomic_init:
    llvm_unreachable("There is no ordering argument for an init");

  case AtomicExpr::AO__c11_atomic_load:
  case AtomicExpr::AO__opencl_atomic_load:
  case AtomicExpr::AO__hip_atomic_load:
  case AtomicExpr::AO__atomic_load_n:
  case AtomicExpr::AO__atomic_load:
  case AtomicExpr::AO__scoped_atomic_load_n:
  case AtomicExpr::AO__scoped_atomic_load:
    return !(Requested == Order::release || Requested == Order::acq_rel);

  case AtomicExpr::AO__c11_atomic_store:
  case AtomicExpr::AO__opencl_atomic_store:
  case AtomicExpr::AO__hip_atomic_store:
  case AtomicExpr::AO__atomic_store:
  case AtomicExpr::AO__atomic_store_n:
  case AtomicExpr::AO__scoped_atomic_store:
  case AtomicExpr::AO__scoped_atomic_store_n:
    return !(Requested == Order::consume || Requested == Order::acquire ||
             Requested == Order::acq_rel);

  default:
    return true;
  }
}
3519
/// Build the AtomicExpr for a call to an overloaded atomic builtin.
///
/// Extracts the source ranges and arguments from the call and forwards them to
/// BuildAtomicExpr.
///
/// \param TheCallResult Holds the CallExpr for the builtin call; the callee,
///                      ignoring parentheses and casts, must be a DeclRefExpr.
/// \param Op            The atomic operation the builtin stands for.
/// \returns whatever BuildAtomicExpr returns.
ExprResult Sema::AtomicOpsOverloaded(ExprResult TheCallResult,
                                     AtomicExpr::AtomicOp Op) {
  auto *Call = cast<CallExpr>(TheCallResult.get());
  auto *CalleeRef = cast<DeclRefExpr>(Call->getCallee()->IgnoreParenCasts());

  const SourceRange CallRange(Call->getBeginLoc(), Call->getEndLoc());
  MultiExprArg CallArgs{Call->getArgs(), Call->getNumArgs()};

  return BuildAtomicExpr(CallRange, CalleeRef->getSourceRange(),
                         Call->getRParenLoc(), CallArgs, Op);
}
3529
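/// Type-check the arguments of an atomic builtin and build its AtomicExpr.
///
/// The operation is first classified into one of the argument forms listed in
/// the enum below. The form fixes the expected argument count and how many of
/// the arguments are values rather than orderings, a weak flag or a scope.
/// The pointer argument, the value type and each remaining argument are then
/// checked and converted, the arguments are permuted into the order stored in
/// the AtomicExpr, and constant memory orders and scopes are validated.
///
/// An invalid constant memory order or synchronization scope is diagnosed but
/// does not stop the expression from being built.
///
/// \param CallRange Source range of the whole call; its end is used for the
///                  too-few-arguments diagnostic.
/// \param ExprRange Source range of the callee expression; its begin location
///                  is used for most diagnostics and for the AtomicExpr.
/// \param RParenLoc Location of the closing parenthesis.
/// \param Args      The call arguments, ordered as described by \p ArgOrder.
/// \param Op        The atomic operation to build.
/// \param ArgOrder  AtomicArgumentOrder::AST means \p Args is in AtomicExpr
///                  sub-expression order and is permuted to API order first;
///                  any other value means \p Args is already in API order.
/// \returns the new AtomicExpr, or ExprError() after a hard error.
ExprResult Sema::BuildAtomicExpr(SourceRange CallRange, SourceRange ExprRange,
                                 SourceLocation RParenLoc, MultiExprArg Args,
                                 AtomicExpr::AtomicOp Op,
                                 AtomicArgumentOrder ArgOrder) {
  // All the non-OpenCL operations take one of the following forms.
  // The OpenCL operations take the __c11 forms with one extra argument for
  // synchronization scope.
  enum {
    // C    __c11_atomic_init(A *, C)
    Init,

    // C    __c11_atomic_load(A *, int)
    Load,

    // void __atomic_load(A *, CP, int)
    LoadCopy,

    // void __atomic_store(A *, CP, int)
    Copy,

    // C    __c11_atomic_add(A *, M, int)
    Arithmetic,

    // C    __atomic_exchange_n(A *, CP, int)
    Xchg,

    // void __atomic_exchange(A *, C *, CP, int)
    GNUXchg,

    // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int)
    C11CmpXchg,

    // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int)
    GNUCmpXchg
  } Form = Init;

  const unsigned NumForm = GNUCmpXchg + 1;
  const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 3, 4, 5, 6 };
  const unsigned NumVals[] = { 1, 0, 1, 1, 1, 1, 2, 2, 3 };
  // where:
  //   C is an appropriate type,
  //   A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins,
  //   CP is C for __c11 builtins and GNU _n builtins and is C * otherwise,
  //   M is C if C is an integer, and ptrdiff_t if C is a pointer, and
  //   the int parameters are for orderings.

  static_assert(sizeof(NumArgs)/sizeof(NumArgs[0]) == NumForm
      && sizeof(NumVals)/sizeof(NumVals[0]) == NumForm,
      "need to update code for modified forms");
  static_assert(AtomicExpr::AO__atomic_add_fetch == 0 &&
                    AtomicExpr::AO__atomic_xor_fetch + 1 ==
                        AtomicExpr::AO__c11_atomic_compare_exchange_strong,
                "need to update code for modified C11 atomics");
  // The family flags below rely on the enumerator ranges of AtomicOp.
  bool IsOpenCL = Op >= AtomicExpr::AO__opencl_atomic_compare_exchange_strong &&
                  Op <= AtomicExpr::AO__opencl_atomic_store;
  bool IsHIP = Op >= AtomicExpr::AO__hip_atomic_compare_exchange_strong &&
               Op <= AtomicExpr::AO__hip_atomic_store;
  bool IsScoped = Op >= AtomicExpr::AO__scoped_atomic_add_fetch &&
                  Op <= AtomicExpr::AO__scoped_atomic_xor_fetch;
  bool IsC11 = (Op >= AtomicExpr::AO__c11_atomic_compare_exchange_strong &&
                Op <= AtomicExpr::AO__c11_atomic_store) ||
               IsOpenCL;
  bool IsN = Op == AtomicExpr::AO__atomic_load_n ||
             Op == AtomicExpr::AO__atomic_store_n ||
             Op == AtomicExpr::AO__atomic_exchange_n ||
             Op == AtomicExpr::AO__atomic_compare_exchange_n ||
             Op == AtomicExpr::AO__scoped_atomic_load_n ||
             Op == AtomicExpr::AO__scoped_atomic_store_n ||
             Op == AtomicExpr::AO__scoped_atomic_exchange_n ||
             Op == AtomicExpr::AO__scoped_atomic_compare_exchange_n;
  // Bit mask for extra allowed value types other than integers for atomic
  // arithmetic operations. Add/sub allow pointer and floating point. Min/max
  // allow floating point.
  enum ArithOpExtraValueType {
    AOEVT_None = 0,
    AOEVT_Pointer = 1,
    AOEVT_FP = 2,
  };
  unsigned ArithAllows = AOEVT_None;

  switch (Op) {
  case AtomicExpr::AO__c11_atomic_init:
  case AtomicExpr::AO__opencl_atomic_init:
    Form = Init;
    break;

  case AtomicExpr::AO__c11_atomic_load:
  case AtomicExpr::AO__opencl_atomic_load:
  case AtomicExpr::AO__hip_atomic_load:
  case AtomicExpr::AO__atomic_load_n:
  case AtomicExpr::AO__scoped_atomic_load_n:
    Form = Load;
    break;

  case AtomicExpr::AO__atomic_load:
  case AtomicExpr::AO__scoped_atomic_load:
    Form = LoadCopy;
    break;

  case AtomicExpr::AO__c11_atomic_store:
  case AtomicExpr::AO__opencl_atomic_store:
  case AtomicExpr::AO__hip_atomic_store:
  case AtomicExpr::AO__atomic_store:
  case AtomicExpr::AO__atomic_store_n:
  case AtomicExpr::AO__scoped_atomic_store:
  case AtomicExpr::AO__scoped_atomic_store_n:
    Form = Copy;
    break;
  case AtomicExpr::AO__atomic_fetch_add:
  case AtomicExpr::AO__atomic_fetch_sub:
  case AtomicExpr::AO__atomic_add_fetch:
  case AtomicExpr::AO__atomic_sub_fetch:
  case AtomicExpr::AO__scoped_atomic_fetch_add:
  case AtomicExpr::AO__scoped_atomic_fetch_sub:
  case AtomicExpr::AO__scoped_atomic_add_fetch:
  case AtomicExpr::AO__scoped_atomic_sub_fetch:
  case AtomicExpr::AO__c11_atomic_fetch_add:
  case AtomicExpr::AO__c11_atomic_fetch_sub:
  case AtomicExpr::AO__opencl_atomic_fetch_add:
  case AtomicExpr::AO__opencl_atomic_fetch_sub:
  case AtomicExpr::AO__hip_atomic_fetch_add:
  case AtomicExpr::AO__hip_atomic_fetch_sub:
    ArithAllows = AOEVT_Pointer | AOEVT_FP;
    Form = Arithmetic;
    break;
  case AtomicExpr::AO__atomic_fetch_max:
  case AtomicExpr::AO__atomic_fetch_min:
  case AtomicExpr::AO__atomic_max_fetch:
  case AtomicExpr::AO__atomic_min_fetch:
  case AtomicExpr::AO__scoped_atomic_fetch_max:
  case AtomicExpr::AO__scoped_atomic_fetch_min:
  case AtomicExpr::AO__scoped_atomic_max_fetch:
  case AtomicExpr::AO__scoped_atomic_min_fetch:
  case AtomicExpr::AO__c11_atomic_fetch_max:
  case AtomicExpr::AO__c11_atomic_fetch_min:
  case AtomicExpr::AO__opencl_atomic_fetch_max:
  case AtomicExpr::AO__opencl_atomic_fetch_min:
  case AtomicExpr::AO__hip_atomic_fetch_max:
  case AtomicExpr::AO__hip_atomic_fetch_min:
    ArithAllows = AOEVT_FP;
    Form = Arithmetic;
    break;
  case AtomicExpr::AO__c11_atomic_fetch_and:
  case AtomicExpr::AO__c11_atomic_fetch_or:
  case AtomicExpr::AO__c11_atomic_fetch_xor:
  case AtomicExpr::AO__hip_atomic_fetch_and:
  case AtomicExpr::AO__hip_atomic_fetch_or:
  case AtomicExpr::AO__hip_atomic_fetch_xor:
  case AtomicExpr::AO__c11_atomic_fetch_nand:
  case AtomicExpr::AO__opencl_atomic_fetch_and:
  case AtomicExpr::AO__opencl_atomic_fetch_or:
  case AtomicExpr::AO__opencl_atomic_fetch_xor:
  case AtomicExpr::AO__atomic_fetch_and:
  case AtomicExpr::AO__atomic_fetch_or:
  case AtomicExpr::AO__atomic_fetch_xor:
  case AtomicExpr::AO__atomic_fetch_nand:
  case AtomicExpr::AO__atomic_and_fetch:
  case AtomicExpr::AO__atomic_or_fetch:
  case AtomicExpr::AO__atomic_xor_fetch:
  case AtomicExpr::AO__atomic_nand_fetch:
  case AtomicExpr::AO__scoped_atomic_fetch_and:
  case AtomicExpr::AO__scoped_atomic_fetch_or:
  case AtomicExpr::AO__scoped_atomic_fetch_xor:
  case AtomicExpr::AO__scoped_atomic_fetch_nand:
  case AtomicExpr::AO__scoped_atomic_and_fetch:
  case AtomicExpr::AO__scoped_atomic_or_fetch:
  case AtomicExpr::AO__scoped_atomic_xor_fetch:
  case AtomicExpr::AO__scoped_atomic_nand_fetch:
    Form = Arithmetic;
    break;

  case AtomicExpr::AO__c11_atomic_exchange:
  case AtomicExpr::AO__hip_atomic_exchange:
  case AtomicExpr::AO__opencl_atomic_exchange:
  case AtomicExpr::AO__atomic_exchange_n:
  case AtomicExpr::AO__scoped_atomic_exchange_n:
    Form = Xchg;
    break;

  case AtomicExpr::AO__atomic_exchange:
  case AtomicExpr::AO__scoped_atomic_exchange:
    Form = GNUXchg;
    break;

  case AtomicExpr::AO__c11_atomic_compare_exchange_strong:
  case AtomicExpr::AO__c11_atomic_compare_exchange_weak:
  case AtomicExpr::AO__hip_atomic_compare_exchange_strong:
  case AtomicExpr::AO__opencl_atomic_compare_exchange_strong:
  case AtomicExpr::AO__opencl_atomic_compare_exchange_weak:
  case AtomicExpr::AO__hip_atomic_compare_exchange_weak:
    Form = C11CmpXchg;
    break;

  case AtomicExpr::AO__atomic_compare_exchange:
  case AtomicExpr::AO__atomic_compare_exchange_n:
  case AtomicExpr::AO__scoped_atomic_compare_exchange:
  case AtomicExpr::AO__scoped_atomic_compare_exchange_n:
    Form = GNUCmpXchg;
    break;
  }

  // OpenCL, HIP and scoped operations take one extra (scope) argument, except
  // for the OpenCL init.
  unsigned AdjustedNumArgs = NumArgs[Form];
  if ((IsOpenCL || IsHIP || IsScoped) &&
      Op != AtomicExpr::AO__opencl_atomic_init)
    ++AdjustedNumArgs;
  // Check we have the right number of arguments. Every Args[i] access below
  // depends on this count being exact.
  if (Args.size() < AdjustedNumArgs) {
    Diag(CallRange.getEnd(), diag::err_typecheck_call_too_few_args)
        << 0 << AdjustedNumArgs << static_cast<unsigned>(Args.size())
        << /*is non object*/ 0 << ExprRange;
    return ExprError();
  } else if (Args.size() > AdjustedNumArgs) {
    Diag(Args[AdjustedNumArgs]->getBeginLoc(),
         diag::err_typecheck_call_too_many_args)
        << 0 << AdjustedNumArgs << static_cast<unsigned>(Args.size())
        << /*is non object*/ 0 << ExprRange;
    return ExprError();
  }

  // Inspect the first argument of the atomic operation.
  Expr *Ptr = Args[0];
  ExprResult ConvertedPtr = DefaultFunctionArrayLvalueConversion(Ptr);
  if (ConvertedPtr.isInvalid())
    return ExprError();

  Ptr = ConvertedPtr.get();
  const PointerType *pointerType = Ptr->getType()->getAs<PointerType>();
  if (!pointerType) {
    Diag(ExprRange.getBegin(), diag::err_atomic_builtin_must_be_pointer)
        << Ptr->getType() << 0 << Ptr->getSourceRange();
    return ExprError();
  }

  // For a __c11 builtin, this should be a pointer to an _Atomic type.
  QualType AtomTy = pointerType->getPointeeType(); // 'A'
  QualType ValType = AtomTy; // 'C'
  if (IsC11) {
    if (!AtomTy->isAtomicType()) {
      Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_atomic)
          << Ptr->getType() << Ptr->getSourceRange();
      return ExprError();
    }
    if ((Form != Load && Form != LoadCopy && AtomTy.isConstQualified()) ||
        AtomTy.getAddressSpace() == LangAS::opencl_constant) {
      Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_non_const_atomic)
          << (AtomTy.isConstQualified() ? 0 : 1) << Ptr->getType()
          << Ptr->getSourceRange();
      return ExprError();
    }
    ValType = AtomTy->castAs<AtomicType>()->getValueType();
  } else if (Form != Load && Form != LoadCopy) {
    if (ValType.isConstQualified()) {
      Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_non_const_pointer)
          << Ptr->getType() << Ptr->getSourceRange();
      return ExprError();
    }
  }

  // Pointer to object of size zero is not allowed.
  if (RequireCompleteType(Ptr->getBeginLoc(), AtomTy,
                          diag::err_incomplete_type))
    return ExprError();
  if (Context.getTypeInfoInChars(AtomTy).Width.isZero()) {
    Diag(ExprRange.getBegin(), diag::err_atomic_builtin_must_be_pointer)
        << Ptr->getType() << 1 << Ptr->getSourceRange();
    return ExprError();
  }

  // For an arithmetic operation, the implied arithmetic must be well-formed.
  if (Form == Arithmetic) {
    // GCC does not enforce these rules for GNU atomics, but we do to help catch
    // trivial type errors.
    auto IsAllowedValueType = [&](QualType ValType,
                                  unsigned AllowedType) -> bool {
      if (ValType->isIntegerType())
        return true;
      if (ValType->isPointerType())
        return AllowedType & AOEVT_Pointer;
      if (!(ValType->isFloatingType() && (AllowedType & AOEVT_FP)))
        return false;
      // LLVM Parser does not allow atomicrmw with x86_fp80 type.
      if (ValType->isSpecificBuiltinType(BuiltinType::LongDouble) &&
          &Context.getTargetInfo().getLongDoubleFormat() ==
              &llvm::APFloat::x87DoubleExtended())
        return false;
      return true;
    };
    if (!IsAllowedValueType(ValType, ArithAllows)) {
      auto DID = ArithAllows & AOEVT_FP
                     ? (ArithAllows & AOEVT_Pointer
                            ? diag::err_atomic_op_needs_atomic_int_ptr_or_fp
                            : diag::err_atomic_op_needs_atomic_int_or_fp)
                     : diag::err_atomic_op_needs_atomic_int;
      Diag(ExprRange.getBegin(), DID)
          << IsC11 << Ptr->getType() << Ptr->getSourceRange();
      return ExprError();
    }
    if (IsC11 && ValType->isPointerType() &&
        RequireCompleteType(Ptr->getBeginLoc(), ValType->getPointeeType(),
                            diag::err_incomplete_type)) {
      return ExprError();
    }
  } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) {
    // For __atomic_*_n operations, the value type must be a scalar integral or
    // pointer type which is 1, 2, 4, 8 or 16 bytes in length.
    Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_atomic_int_or_ptr)
        << IsC11 << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }

  if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) &&
      !AtomTy->isScalarType()) {
    // For GNU atomics, require a trivially-copyable type. This is not part of
    // the GNU atomics specification but we enforce it for consistency with
    // other atomics which generally all require a trivially-copyable type. This
    // is because atomics just copy bits.
    Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_trivial_copy)
        << Ptr->getType() << Ptr->getSourceRange();
    return ExprError();
  }

  switch (ValType.getObjCLifetime()) {
  case Qualifiers::OCL_None:
  case Qualifiers::OCL_ExplicitNone:
    // okay
    break;

  case Qualifiers::OCL_Weak:
  case Qualifiers::OCL_Strong:
  case Qualifiers::OCL_Autoreleasing:
    // FIXME: Can this happen? By this point, ValType should be known
    // to be trivially copyable.
    Diag(ExprRange.getBegin(), diag::err_arc_atomic_ownership)
        << ValType << Ptr->getSourceRange();
    return ExprError();
  }

  // All atomic operations have an overload which takes a pointer to a volatile
  // 'A'.  We shouldn't let the volatile-ness of the pointee-type inject itself
  // into the result or the other operands. Similarly atomic_load takes a
  // pointer to a const 'A'.
  ValType.removeLocalVolatile();
  ValType.removeLocalConst();
  QualType ResultType = ValType;
  if (Form == Copy || Form == LoadCopy || Form == GNUXchg ||
      Form == Init)
    ResultType = Context.VoidTy;
  else if (Form == C11CmpXchg || Form == GNUCmpXchg)
    ResultType = Context.BoolTy;

  // The type of a parameter passed 'by value'. In the GNU atomics, such
  // arguments are actually passed as pointers.
  QualType ByValType = ValType; // 'CP'
  bool IsPassedByAddress = false;
  if (!IsC11 && !IsHIP && !IsN) {
    ByValType = Ptr->getType();
    IsPassedByAddress = true;
  }

  // Bring the arguments into API order; the index comments name the role each
  // incoming argument plays.
  SmallVector<Expr *, 5> APIOrderedArgs;
  if (ArgOrder == Sema::AtomicArgumentOrder::AST) {
    APIOrderedArgs.push_back(Args[0]);
    switch (Form) {
    case Init:
    case Load:
      APIOrderedArgs.push_back(Args[1]); // Val1/Order
      break;
    case LoadCopy:
    case Copy:
    case Arithmetic:
    case Xchg:
      APIOrderedArgs.push_back(Args[2]); // Val1
      APIOrderedArgs.push_back(Args[1]); // Order
      break;
    case GNUXchg:
      APIOrderedArgs.push_back(Args[2]); // Val1
      APIOrderedArgs.push_back(Args[3]); // Val2
      APIOrderedArgs.push_back(Args[1]); // Order
      break;
    case C11CmpXchg:
      APIOrderedArgs.push_back(Args[2]); // Val1
      APIOrderedArgs.push_back(Args[4]); // Val2
      APIOrderedArgs.push_back(Args[1]); // Order
      APIOrderedArgs.push_back(Args[3]); // OrderFail
      break;
    case GNUCmpXchg:
      APIOrderedArgs.push_back(Args[2]); // Val1
      APIOrderedArgs.push_back(Args[4]); // Val2
      APIOrderedArgs.push_back(Args[5]); // Weak
      APIOrderedArgs.push_back(Args[1]); // Order
      APIOrderedArgs.push_back(Args[3]); // OrderFail
      break;
    }
  } else
    APIOrderedArgs.append(Args.begin(), Args.end());

  // The first argument's non-CV pointer type is used to deduce the type of
  // subsequent arguments, except for:
  //  - weak flag (always converted to bool)
  //  - memory order (always converted to int)
  //  - scope  (always converted to int)
  for (unsigned i = 0; i != APIOrderedArgs.size(); ++i) {
    QualType Ty;
    if (i < NumVals[Form] + 1) {
      switch (i) {
      case 0:
        // The first argument is always a pointer. It has a fixed type.
        // It is always dereferenced, a nullptr is undefined.
        CheckNonNullArgument(*this, APIOrderedArgs[i], ExprRange.getBegin());
        // Nothing else to do: we already know all we want about this pointer.
        continue;
      case 1:
        // The second argument is the non-atomic operand. For arithmetic, this
        // is always passed by value, and for a compare_exchange it is always
        // passed by address. For the rest, GNU uses by-address and C11 uses
        // by-value.
        assert(Form != Load);
        if (Form == Arithmetic && ValType->isPointerType())
          Ty = Context.getPointerDiffType();
        else if (Form == Init || Form == Arithmetic)
          Ty = ValType;
        else if (Form == Copy || Form == Xchg) {
          if (IsPassedByAddress) {
            // The value pointer is always dereferenced, a nullptr is undefined.
            CheckNonNullArgument(*this, APIOrderedArgs[i],
                                 ExprRange.getBegin());
          }
          Ty = ByValType;
        } else {
          Expr *ValArg = APIOrderedArgs[i];
          // The value pointer is always dereferenced, a nullptr is undefined.
          CheckNonNullArgument(*this, ValArg, ExprRange.getBegin());
          LangAS AS = LangAS::Default;
          // Keep address space of non-atomic pointer type.
          if (const PointerType *PtrTy =
                  ValArg->getType()->getAs<PointerType>()) {
            AS = PtrTy->getPointeeType().getAddressSpace();
          }
          Ty = Context.getPointerType(
              Context.getAddrSpaceQualType(ValType.getUnqualifiedType(), AS));
        }
        break;
      case 2:
        // The third argument to compare_exchange / GNU exchange is the desired
        // value, either by-value (for the C11 and *_n variant) or as a pointer.
        if (IsPassedByAddress)
          CheckNonNullArgument(*this, APIOrderedArgs[i], ExprRange.getBegin());
        Ty = ByValType;
        break;
      case 3:
        // The fourth argument to GNU compare_exchange is a 'weak' flag.
        Ty = Context.BoolTy;
        break;
      }
    } else {
      // The order(s) and scope are always converted to int.
      Ty = Context.IntTy;
    }

    InitializedEntity Entity =
        InitializedEntity::InitializeParameter(Context, Ty, false);
    ExprResult Arg = APIOrderedArgs[i];
    Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
    // Report failure the same way as every other error path in this function
    // instead of relying on the implicit bool-to-ExprResult conversion.
    if (Arg.isInvalid())
      return ExprError();
    APIOrderedArgs[i] = Arg.get();
  }

  // Permute the arguments into a 'consistent' order.
  SmallVector<Expr*, 5> SubExprs;
  SubExprs.push_back(Ptr);
  switch (Form) {
  case Init:
    // Note, AtomicExpr::getVal1() has a special case for this atomic.
    SubExprs.push_back(APIOrderedArgs[1]); // Val1
    break;
  case Load:
    SubExprs.push_back(APIOrderedArgs[1]); // Order
    break;
  case LoadCopy:
  case Copy:
  case Arithmetic:
  case Xchg:
    SubExprs.push_back(APIOrderedArgs[2]); // Order
    SubExprs.push_back(APIOrderedArgs[1]); // Val1
    break;
  case GNUXchg:
    // Note, AtomicExpr::getVal2() has a special case for this atomic.
    SubExprs.push_back(APIOrderedArgs[3]); // Order
    SubExprs.push_back(APIOrderedArgs[1]); // Val1
    SubExprs.push_back(APIOrderedArgs[2]); // Val2
    break;
  case C11CmpXchg:
    SubExprs.push_back(APIOrderedArgs[3]); // Order
    SubExprs.push_back(APIOrderedArgs[1]); // Val1
    SubExprs.push_back(APIOrderedArgs[4]); // OrderFail
    SubExprs.push_back(APIOrderedArgs[2]); // Val2
    break;
  case GNUCmpXchg:
    SubExprs.push_back(APIOrderedArgs[4]); // Order
    SubExprs.push_back(APIOrderedArgs[1]); // Val1
    SubExprs.push_back(APIOrderedArgs[5]); // OrderFail
    SubExprs.push_back(APIOrderedArgs[2]); // Val2
    SubExprs.push_back(APIOrderedArgs[3]); // Weak
    break;
  }

  // If the memory orders are constants, check they are valid. Both checks only
  // warn; the expression is still built.
  if (SubExprs.size() >= 2 && Form != Init) {
    std::optional<llvm::APSInt> Success =
        SubExprs[1]->getIntegerConstantExpr(Context);
    if (Success && !isValidOrderingForOp(Success->getSExtValue(), Op)) {
      Diag(SubExprs[1]->getBeginLoc(),
           diag::warn_atomic_op_has_invalid_memory_order)
          << /*success=*/(Form == C11CmpXchg || Form == GNUCmpXchg)
          << SubExprs[1]->getSourceRange();
    }
    // Five or more sub-expressions only occur for the compare-exchange forms,
    // where SubExprs[3] is the failure ordering.
    if (SubExprs.size() >= 5) {
      if (std::optional<llvm::APSInt> Failure =
              SubExprs[3]->getIntegerConstantExpr(Context)) {
        if (!llvm::is_contained(
                {llvm::AtomicOrderingCABI::relaxed,
                 llvm::AtomicOrderingCABI::consume,
                 llvm::AtomicOrderingCABI::acquire,
                 llvm::AtomicOrderingCABI::seq_cst},
                static_cast<llvm::AtomicOrderingCABI>(
                    Failure->getSExtValue()))) {
          Diag(SubExprs[3]->getBeginLoc(),
               diag::warn_atomic_op_has_invalid_memory_order)
              << /*failure=*/2 << SubExprs[3]->getSourceRange();
        }
      }
    }
  }

  // Operations with a scope model carry the scope as their last argument.
  if (auto ScopeModel = AtomicExpr::getScopeModel(Op)) {
    auto *Scope = Args[Args.size() - 1];
    if (std::optional<llvm::APSInt> Result =
            Scope->getIntegerConstantExpr(Context)) {
      if (!ScopeModel->isValid(Result->getZExtValue()))
        Diag(Scope->getBeginLoc(), diag::err_atomic_op_has_invalid_synch_scope)
            << Scope->getSourceRange();
    }
    SubExprs.push_back(Scope);
  }

  AtomicExpr *AE = new (Context)
      AtomicExpr(ExprRange.getBegin(), SubExprs, ResultType, Op, RParenLoc);

  if ((Op == AtomicExpr::AO__c11_atomic_load ||
       Op == AtomicExpr::AO__c11_atomic_store ||
       Op == AtomicExpr::AO__opencl_atomic_load ||
       Op == AtomicExpr::AO__hip_atomic_load ||
       Op == AtomicExpr::AO__opencl_atomic_store ||
       Op == AtomicExpr::AO__hip_atomic_store) &&
      Context.AtomicUsesUnsupportedLibcall(AE))
    Diag(AE->getBeginLoc(), diag::err_atomic_load_store_uses_lib)
        << ((Op == AtomicExpr::AO__c11_atomic_load ||
             Op == AtomicExpr::AO__opencl_atomic_load ||
             Op == AtomicExpr::AO__hip_atomic_load)
                ? 0
                : 1);

  if (ValType->isBitIntType()) {
    Diag(Ptr->getExprLoc(), diag::err_atomic_builtin_bit_int_prohibit);
    return ExprError();
  }

  return AE;
}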
4099
/// Apply ordinary parameter copy-initialization to one argument of a builtin
/// call and store the converted expression back into the call.
///
/// This serves builtins that need custom type-checking for some of their
/// arguments but not necessarily all of them. \p ArgIndex is not range-checked
/// in this function, so callers must pass an index that is valid for both the
/// callee's parameters and the call's arguments.
///
/// \param S        Semantic analyzer used for the conversion.
/// \param E        The builtin call; it must have a direct callee.
/// \param ArgIndex Index of the argument to check.
/// \returns true on error.
static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) {
  FunctionDecl *Callee = E->getDirectCallee();
  assert(Callee && "builtin call without direct callee!");

  InitializedEntity ParamEntity = InitializedEntity::InitializeParameter(
      S.Context, Callee->getParamDecl(ArgIndex));

  ExprResult Converted = S.PerformCopyInitialization(
      ParamEntity, SourceLocation(), E->getArg(ArgIndex));
  if (Converted.isInvalid())
    return true;

  // Replace the argument in place with its converted form.
  E->setArg(ArgIndex, Converted.get());
  return false;
}
4123
BuiltinAtomicOverloaded(ExprResult TheCallResult)4124 ExprResult Sema::BuiltinAtomicOverloaded(ExprResult TheCallResult) {
4125 CallExpr *TheCall = static_cast<CallExpr *>(TheCallResult.get());
4126 Expr *Callee = TheCall->getCallee();
4127 DeclRefExpr *DRE = cast<DeclRefExpr>(Callee->IgnoreParenCasts());
4128 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
4129
4130 // Ensure that we have at least one argument to do type inference from.
4131 if (TheCall->getNumArgs() < 1) {
4132 Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
4133 << 0 << 1 << TheCall->getNumArgs() << /*is non object*/ 0
4134 << Callee->getSourceRange();
4135 return ExprError();
4136 }
4137
4138 // Inspect the first argument of the atomic builtin. This should always be
4139 // a pointer type, whose element is an integral scalar or pointer type.
4140 // Because it is a pointer type, we don't have to worry about any implicit
4141 // casts here.
4142 // FIXME: We don't allow floating point scalars as input.
4143 Expr *FirstArg = TheCall->getArg(0);
4144 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg);
4145 if (FirstArgResult.isInvalid())
4146 return ExprError();
4147 FirstArg = FirstArgResult.get();
4148 TheCall->setArg(0, FirstArg);
4149
4150 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>();
4151 if (!pointerType) {
4152 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_must_be_pointer)
4153 << FirstArg->getType() << 0 << FirstArg->getSourceRange();
4154 return ExprError();
4155 }
4156
4157 QualType ValType = pointerType->getPointeeType();
4158 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
4159 !ValType->isBlockPointerType()) {
4160 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_must_be_pointer_intptr)
4161 << FirstArg->getType() << 0 << FirstArg->getSourceRange();
4162 return ExprError();
4163 }
4164
4165 if (ValType.isConstQualified()) {
4166 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_cannot_be_const)
4167 << FirstArg->getType() << FirstArg->getSourceRange();
4168 return ExprError();
4169 }
4170
4171 switch (ValType.getObjCLifetime()) {
4172 case Qualifiers::OCL_None:
4173 case Qualifiers::OCL_ExplicitNone:
4174 // okay
4175 break;
4176
4177 case Qualifiers::OCL_Weak:
4178 case Qualifiers::OCL_Strong:
4179 case Qualifiers::OCL_Autoreleasing:
4180 Diag(DRE->getBeginLoc(), diag::err_arc_atomic_ownership)
4181 << ValType << FirstArg->getSourceRange();
4182 return ExprError();
4183 }
4184
4185 // Strip any qualifiers off ValType.
4186 ValType = ValType.getUnqualifiedType();
4187
4188 // The majority of builtins return a value, but a few have special return
4189 // types, so allow them to override appropriately below.
4190 QualType ResultType = ValType;
4191
4192 // We need to figure out which concrete builtin this maps onto. For example,
4193 // __sync_fetch_and_add with a 2 byte object turns into
4194 // __sync_fetch_and_add_2.
4195 #define BUILTIN_ROW(x) \
4196 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \
4197 Builtin::BI##x##_8, Builtin::BI##x##_16 }
4198
4199 static const unsigned BuiltinIndices[][5] = {
4200 BUILTIN_ROW(__sync_fetch_and_add),
4201 BUILTIN_ROW(__sync_fetch_and_sub),
4202 BUILTIN_ROW(__sync_fetch_and_or),
4203 BUILTIN_ROW(__sync_fetch_and_and),
4204 BUILTIN_ROW(__sync_fetch_and_xor),
4205 BUILTIN_ROW(__sync_fetch_and_nand),
4206
4207 BUILTIN_ROW(__sync_add_and_fetch),
4208 BUILTIN_ROW(__sync_sub_and_fetch),
4209 BUILTIN_ROW(__sync_and_and_fetch),
4210 BUILTIN_ROW(__sync_or_and_fetch),
4211 BUILTIN_ROW(__sync_xor_and_fetch),
4212 BUILTIN_ROW(__sync_nand_and_fetch),
4213
4214 BUILTIN_ROW(__sync_val_compare_and_swap),
4215 BUILTIN_ROW(__sync_bool_compare_and_swap),
4216 BUILTIN_ROW(__sync_lock_test_and_set),
4217 BUILTIN_ROW(__sync_lock_release),
4218 BUILTIN_ROW(__sync_swap)
4219 };
4220 #undef BUILTIN_ROW
4221
4222 // Determine the index of the size.
4223 unsigned SizeIndex;
4224 switch (Context.getTypeSizeInChars(ValType).getQuantity()) {
4225 case 1: SizeIndex = 0; break;
4226 case 2: SizeIndex = 1; break;
4227 case 4: SizeIndex = 2; break;
4228 case 8: SizeIndex = 3; break;
4229 case 16: SizeIndex = 4; break;
4230 default:
4231 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_pointer_size)
4232 << FirstArg->getType() << FirstArg->getSourceRange();
4233 return ExprError();
4234 }
4235
4236 // Each of these builtins has one pointer argument, followed by some number of
4237 // values (0, 1 or 2) followed by a potentially empty varags list of stuff
4238 // that we ignore. Find out which row of BuiltinIndices to read from as well
4239 // as the number of fixed args.
4240 unsigned BuiltinID = FDecl->getBuiltinID();
4241 unsigned BuiltinIndex, NumFixed = 1;
4242 bool WarnAboutSemanticsChange = false;
4243 switch (BuiltinID) {
4244 default: llvm_unreachable("Unknown overloaded atomic builtin!");
4245 case Builtin::BI__sync_fetch_and_add:
4246 case Builtin::BI__sync_fetch_and_add_1:
4247 case Builtin::BI__sync_fetch_and_add_2:
4248 case Builtin::BI__sync_fetch_and_add_4:
4249 case Builtin::BI__sync_fetch_and_add_8:
4250 case Builtin::BI__sync_fetch_and_add_16:
4251 BuiltinIndex = 0;
4252 break;
4253
4254 case Builtin::BI__sync_fetch_and_sub:
4255 case Builtin::BI__sync_fetch_and_sub_1:
4256 case Builtin::BI__sync_fetch_and_sub_2:
4257 case Builtin::BI__sync_fetch_and_sub_4:
4258 case Builtin::BI__sync_fetch_and_sub_8:
4259 case Builtin::BI__sync_fetch_and_sub_16:
4260 BuiltinIndex = 1;
4261 break;
4262
4263 case Builtin::BI__sync_fetch_and_or:
4264 case Builtin::BI__sync_fetch_and_or_1:
4265 case Builtin::BI__sync_fetch_and_or_2:
4266 case Builtin::BI__sync_fetch_and_or_4:
4267 case Builtin::BI__sync_fetch_and_or_8:
4268 case Builtin::BI__sync_fetch_and_or_16:
4269 BuiltinIndex = 2;
4270 break;
4271
4272 case Builtin::BI__sync_fetch_and_and:
4273 case Builtin::BI__sync_fetch_and_and_1:
4274 case Builtin::BI__sync_fetch_and_and_2:
4275 case Builtin::BI__sync_fetch_and_and_4:
4276 case Builtin::BI__sync_fetch_and_and_8:
4277 case Builtin::BI__sync_fetch_and_and_16:
4278 BuiltinIndex = 3;
4279 break;
4280
4281 case Builtin::BI__sync_fetch_and_xor:
4282 case Builtin::BI__sync_fetch_and_xor_1:
4283 case Builtin::BI__sync_fetch_and_xor_2:
4284 case Builtin::BI__sync_fetch_and_xor_4:
4285 case Builtin::BI__sync_fetch_and_xor_8:
4286 case Builtin::BI__sync_fetch_and_xor_16:
4287 BuiltinIndex = 4;
4288 break;
4289
4290 case Builtin::BI__sync_fetch_and_nand:
4291 case Builtin::BI__sync_fetch_and_nand_1:
4292 case Builtin::BI__sync_fetch_and_nand_2:
4293 case Builtin::BI__sync_fetch_and_nand_4:
4294 case Builtin::BI__sync_fetch_and_nand_8:
4295 case Builtin::BI__sync_fetch_and_nand_16:
4296 BuiltinIndex = 5;
4297 WarnAboutSemanticsChange = true;
4298 break;
4299
4300 case Builtin::BI__sync_add_and_fetch:
4301 case Builtin::BI__sync_add_and_fetch_1:
4302 case Builtin::BI__sync_add_and_fetch_2:
4303 case Builtin::BI__sync_add_and_fetch_4:
4304 case Builtin::BI__sync_add_and_fetch_8:
4305 case Builtin::BI__sync_add_and_fetch_16:
4306 BuiltinIndex = 6;
4307 break;
4308
4309 case Builtin::BI__sync_sub_and_fetch:
4310 case Builtin::BI__sync_sub_and_fetch_1:
4311 case Builtin::BI__sync_sub_and_fetch_2:
4312 case Builtin::BI__sync_sub_and_fetch_4:
4313 case Builtin::BI__sync_sub_and_fetch_8:
4314 case Builtin::BI__sync_sub_and_fetch_16:
4315 BuiltinIndex = 7;
4316 break;
4317
4318 case Builtin::BI__sync_and_and_fetch:
4319 case Builtin::BI__sync_and_and_fetch_1:
4320 case Builtin::BI__sync_and_and_fetch_2:
4321 case Builtin::BI__sync_and_and_fetch_4:
4322 case Builtin::BI__sync_and_and_fetch_8:
4323 case Builtin::BI__sync_and_and_fetch_16:
4324 BuiltinIndex = 8;
4325 break;
4326
4327 case Builtin::BI__sync_or_and_fetch:
4328 case Builtin::BI__sync_or_and_fetch_1:
4329 case Builtin::BI__sync_or_and_fetch_2:
4330 case Builtin::BI__sync_or_and_fetch_4:
4331 case Builtin::BI__sync_or_and_fetch_8:
4332 case Builtin::BI__sync_or_and_fetch_16:
4333 BuiltinIndex = 9;
4334 break;
4335
4336 case Builtin::BI__sync_xor_and_fetch:
4337 case Builtin::BI__sync_xor_and_fetch_1:
4338 case Builtin::BI__sync_xor_and_fetch_2:
4339 case Builtin::BI__sync_xor_and_fetch_4:
4340 case Builtin::BI__sync_xor_and_fetch_8:
4341 case Builtin::BI__sync_xor_and_fetch_16:
4342 BuiltinIndex = 10;
4343 break;
4344
4345 case Builtin::BI__sync_nand_and_fetch:
4346 case Builtin::BI__sync_nand_and_fetch_1:
4347 case Builtin::BI__sync_nand_and_fetch_2:
4348 case Builtin::BI__sync_nand_and_fetch_4:
4349 case Builtin::BI__sync_nand_and_fetch_8:
4350 case Builtin::BI__sync_nand_and_fetch_16:
4351 BuiltinIndex = 11;
4352 WarnAboutSemanticsChange = true;
4353 break;
4354
4355 case Builtin::BI__sync_val_compare_and_swap:
4356 case Builtin::BI__sync_val_compare_and_swap_1:
4357 case Builtin::BI__sync_val_compare_and_swap_2:
4358 case Builtin::BI__sync_val_compare_and_swap_4:
4359 case Builtin::BI__sync_val_compare_and_swap_8:
4360 case Builtin::BI__sync_val_compare_and_swap_16:
4361 BuiltinIndex = 12;
4362 NumFixed = 2;
4363 break;
4364
4365 case Builtin::BI__sync_bool_compare_and_swap:
4366 case Builtin::BI__sync_bool_compare_and_swap_1:
4367 case Builtin::BI__sync_bool_compare_and_swap_2:
4368 case Builtin::BI__sync_bool_compare_and_swap_4:
4369 case Builtin::BI__sync_bool_compare_and_swap_8:
4370 case Builtin::BI__sync_bool_compare_and_swap_16:
4371 BuiltinIndex = 13;
4372 NumFixed = 2;
4373 ResultType = Context.BoolTy;
4374 break;
4375
4376 case Builtin::BI__sync_lock_test_and_set:
4377 case Builtin::BI__sync_lock_test_and_set_1:
4378 case Builtin::BI__sync_lock_test_and_set_2:
4379 case Builtin::BI__sync_lock_test_and_set_4:
4380 case Builtin::BI__sync_lock_test_and_set_8:
4381 case Builtin::BI__sync_lock_test_and_set_16:
4382 BuiltinIndex = 14;
4383 break;
4384
4385 case Builtin::BI__sync_lock_release:
4386 case Builtin::BI__sync_lock_release_1:
4387 case Builtin::BI__sync_lock_release_2:
4388 case Builtin::BI__sync_lock_release_4:
4389 case Builtin::BI__sync_lock_release_8:
4390 case Builtin::BI__sync_lock_release_16:
4391 BuiltinIndex = 15;
4392 NumFixed = 0;
4393 ResultType = Context.VoidTy;
4394 break;
4395
4396 case Builtin::BI__sync_swap:
4397 case Builtin::BI__sync_swap_1:
4398 case Builtin::BI__sync_swap_2:
4399 case Builtin::BI__sync_swap_4:
4400 case Builtin::BI__sync_swap_8:
4401 case Builtin::BI__sync_swap_16:
4402 BuiltinIndex = 16;
4403 break;
4404 }
4405
4406 // Now that we know how many fixed arguments we expect, first check that we
4407 // have at least that many.
4408 if (TheCall->getNumArgs() < 1+NumFixed) {
4409 Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
4410 << 0 << 1 + NumFixed << TheCall->getNumArgs() << /*is non object*/ 0
4411 << Callee->getSourceRange();
4412 return ExprError();
4413 }
4414
4415 Diag(TheCall->getEndLoc(), diag::warn_atomic_implicit_seq_cst)
4416 << Callee->getSourceRange();
4417
4418 if (WarnAboutSemanticsChange) {
4419 Diag(TheCall->getEndLoc(), diag::warn_sync_fetch_and_nand_semantics_change)
4420 << Callee->getSourceRange();
4421 }
4422
4423 // Get the decl for the concrete builtin from this, we can tell what the
4424 // concrete integer type we should convert to is.
4425 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex];
4426 StringRef NewBuiltinName = Context.BuiltinInfo.getName(NewBuiltinID);
4427 FunctionDecl *NewBuiltinDecl;
4428 if (NewBuiltinID == BuiltinID)
4429 NewBuiltinDecl = FDecl;
4430 else {
4431 // Perform builtin lookup to avoid redeclaring it.
4432 DeclarationName DN(&Context.Idents.get(NewBuiltinName));
4433 LookupResult Res(*this, DN, DRE->getBeginLoc(), LookupOrdinaryName);
4434 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true);
4435 assert(Res.getFoundDecl());
4436 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl());
4437 if (!NewBuiltinDecl)
4438 return ExprError();
4439 }
4440
4441 // The first argument --- the pointer --- has a fixed type; we
4442 // deduce the types of the rest of the arguments accordingly. Walk
4443 // the remaining arguments, converting them to the deduced value type.
4444 for (unsigned i = 0; i != NumFixed; ++i) {
4445 ExprResult Arg = TheCall->getArg(i+1);
4446
4447 // GCC does an implicit conversion to the pointer or integer ValType. This
4448 // can fail in some cases (1i -> int**), check for this error case now.
4449 // Initialize the argument.
4450 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context,
4451 ValType, /*consume*/ false);
4452 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
4453 if (Arg.isInvalid())
4454 return ExprError();
4455
4456 // Okay, we have something that *can* be converted to the right type. Check
4457 // to see if there is a potentially weird extension going on here. This can
4458 // happen when you do an atomic operation on something like an char* and
4459 // pass in 42. The 42 gets converted to char. This is even more strange
4460 // for things like 45.123 -> char, etc.
4461 // FIXME: Do this check.
4462 TheCall->setArg(i+1, Arg.get());
4463 }
4464
4465 // Create a new DeclRefExpr to refer to the new decl.
4466 DeclRefExpr *NewDRE = DeclRefExpr::Create(
4467 Context, DRE->getQualifierLoc(), SourceLocation(), NewBuiltinDecl,
4468 /*enclosing*/ false, DRE->getLocation(), Context.BuiltinFnTy,
4469 DRE->getValueKind(), nullptr, nullptr, DRE->isNonOdrUse());
4470
4471 // Set the callee in the CallExpr.
4472 // FIXME: This loses syntactic information.
4473 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType());
4474 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy,
4475 CK_BuiltinFnToFnPtr);
4476 TheCall->setCallee(PromotedCall.get());
4477
4478 // Change the result type of the call to match the original value type. This
4479 // is arbitrary, but the codegen for these builtins ins design to handle it
4480 // gracefully.
4481 TheCall->setType(ResultType);
4482
4483 // Prohibit problematic uses of bit-precise integer types with atomic
4484 // builtins. The arguments would have already been converted to the first
4485 // argument's type, so only need to check the first argument.
4486 const auto *BitIntValType = ValType->getAs<BitIntType>();
4487 if (BitIntValType && !llvm::isPowerOf2_64(BitIntValType->getNumBits())) {
4488 Diag(FirstArg->getExprLoc(), diag::err_atomic_builtin_ext_int_size);
4489 return ExprError();
4490 }
4491
4492 return TheCallResult;
4493 }
4494
/// Semantic checking for __builtin_nontemporal_load and
/// __builtin_nontemporal_store.
///
/// The pointer operand is the last argument: the only argument of a load and
/// the second argument of a store. Its pointee type, with qualifiers stripped,
/// is the type of the memory access. For a store, the value operand
/// (argument 0) is copy-initialized to that type and the call's type becomes
/// void; for a load, the call's type becomes the pointee type.
///
/// \param TheCallResult the builtin call being checked.
/// \returns TheCallResult with its arguments and type updated, or ExprError()
///          after a check fails.
ExprResult Sema::BuiltinNontemporalOverloaded(ExprResult TheCallResult) {
  auto *Call = static_cast<CallExpr *>(TheCallResult.get());
  auto *CalleeRef = cast<DeclRefExpr>(Call->getCallee()->IgnoreParenCasts());
  auto *CalleeDecl = cast<FunctionDecl>(CalleeRef->getDecl());

  const unsigned BuiltinID = CalleeDecl->getBuiltinID();
  assert((BuiltinID == Builtin::BI__builtin_nontemporal_store ||
          BuiltinID == Builtin::BI__builtin_nontemporal_load) &&
         "Unexpected nontemporal load/store builtin!");

  const bool IsStore = BuiltinID == Builtin::BI__builtin_nontemporal_store;
  const unsigned ExpectedArgs = IsStore ? 2 : 1;
  const unsigned PtrIdx = ExpectedArgs - 1;

  // Reject calls with the wrong number of arguments before touching any of
  // them.
  if (checkArgCount(Call, ExpectedArgs))
    return ExprError();

  // The pointer operand decides the type of the access. Since it has to be a
  // pointer, no implicit casts need to be considered here.
  ExprResult PtrConv =
      DefaultFunctionArrayLvalueConversion(Call->getArg(PtrIdx));
  if (PtrConv.isInvalid())
    return ExprError();
  Expr *PtrArg = PtrConv.get();
  Call->setArg(PtrIdx, PtrArg);

  const auto *PtrTy = PtrArg->getType()->getAs<PointerType>();
  if (!PtrTy) {
    Diag(CalleeRef->getBeginLoc(),
         diag::err_nontemporal_builtin_must_be_pointer)
        << PtrArg->getType() << PtrArg->getSourceRange();
    return ExprError();
  }

  // Qualifiers on the pointee play no part in the checks below.
  const QualType ValType = PtrTy->getPointeeType().getUnqualifiedType();

  const bool IsSupportedPointee =
      ValType->isIntegerType() || ValType->isAnyPointerType() ||
      ValType->isBlockPointerType() || ValType->isFloatingType() ||
      ValType->isVectorType();
  if (!IsSupportedPointee) {
    Diag(CalleeRef->getBeginLoc(),
         diag::err_nontemporal_builtin_must_be_pointer_intfltptr_or_vector)
        << PtrArg->getType() << PtrArg->getSourceRange();
    return ExprError();
  }

  if (IsStore) {
    // Convert the stored value to the pointee type, as if it were passed to a
    // parameter of that type.
    ExprResult Stored = Call->getArg(0);
    InitializedEntity Entity = InitializedEntity::InitializeParameter(
        Context, ValType, /*consume*/ false);
    Stored = PerformCopyInitialization(Entity, SourceLocation(), Stored);
    if (Stored.isInvalid())
      return ExprError();

    Call->setArg(0, Stored.get());
    Call->setType(Context.VoidTy);
  } else {
    Call->setType(ValType);
  }

  return TheCallResult;
}
4560
/// CheckOSLogFormatStringArg - Checks that the format string argument to the
/// os_log() and os_trace() functions is a string literal, and converts it to
/// const char *.
///
/// After parentheses and casts are ignored, the argument must be a string
/// literal, either directly or as the string of an Objective-C string
/// literal, and that literal must be ordinary or UTF-8. Anything else is
/// rejected with err_os_log_format_not_string_constant, so a string that is
/// not a literal is never accepted as the format.
///
/// \returns the literal copy-initialized as a 'const char *' parameter, or
///          ExprError() after diagnosing.
ExprResult Sema::CheckOSLogFormatStringArg(Expr *Arg) {
  Arg = Arg->IgnoreParenCasts();

  // Accept a plain string literal, or unwrap an Objective-C one.
  StringLiteral *Format = dyn_cast<StringLiteral>(Arg);
  if (!Format)
    if (auto *ObjCFormat = dyn_cast<ObjCStringLiteral>(Arg))
      Format = ObjCFormat->getString();

  const bool IsAcceptedLiteral =
      Format && (Format->isOrdinary() || Format->isUTF8());
  if (!IsAcceptedLiteral)
    return ExprError(
        Diag(Arg->getBeginLoc(), diag::err_os_log_format_not_string_constant)
        << Arg->getSourceRange());

  // Convert the literal as if it were passed to a 'const char *' parameter.
  QualType ConstCharPtrTy = Context.getPointerType(Context.CharTy.withConst());
  InitializedEntity Entity =
      InitializedEntity::InitializeParameter(Context, ConstCharPtrTy, false);
  ExprResult Converted(Format);
  Converted = PerformCopyInitialization(Entity, SourceLocation(), Converted);
  return Converted;
}
4585
/// Check that the user is calling the appropriate va_start builtin for the
/// target and calling convention.
///
/// \param S the semantic analyzer, used for target info and diagnostics.
/// \param BuiltinID the va_start builtin being called; only
///        __builtin_ms_va_start is treated specially.
/// \param Fn the callee expression; its begin location anchors the
///        diagnostic.
/// \returns true if a diagnostic was emitted, false if the builtin is
///          acceptable here.
static bool checkVAStartABI(Sema &S, unsigned BuiltinID, Expr *Fn) {
  const llvm::Triple &Triple = S.Context.getTargetInfo().getTriple();
  const llvm::Triple::ArchType Arch = Triple.getArch();
  const bool IsX64OrAArch64 = Arch == llvm::Triple::x86_64 ||
                              Arch == llvm::Triple::aarch64 ||
                              Arch == llvm::Triple::aarch64_32;
  const bool IsMSVAStart = BuiltinID == Builtin::BI__builtin_ms_va_start;

  // Everywhere else only the MS variant is a problem.
  if (!IsX64OrAArch64) {
    if (IsMSVAStart)
      return S.Diag(Fn->getBeginLoc(), diag::err_builtin_x64_aarch64_only);
    return false;
  }

  const bool OnWindows = Triple.isOSWindows();

  // Calling convention of the enclosing function; CC_C when there is no
  // current function declaration.
  CallingConv Conv = CC_C;
  if (const FunctionDecl *Enclosing = S.getCurFunctionDecl())
    Conv = Enclosing->getType()->castAs<FunctionType>()->getCallConv();

  if (IsMSVAStart) {
    // Don't allow this in System V ABI functions.
    const bool InSysVFunction =
        Conv == CC_X86_64SysV || (!OnWindows && Conv != CC_Win64);
    if (InSysVFunction)
      return S.Diag(Fn->getBeginLoc(),
                    diag::err_ms_va_start_used_in_sysv_function);
    return false;
  }

  // On x86-64/AArch64 Unix, don't allow this in Win64 ABI functions.
  // On x64 Windows, don't allow this in System V ABI functions.
  // (Yes, that means there's no corresponding way to support variadic
  // System V ABI functions on Windows.)
  const bool InWrongABIFunction =
      OnWindows ? Conv == CC_X86_64SysV : Conv == CC_Win64;
  if (InWrongABIFunction)
    return S.Diag(Fn->getBeginLoc(),
                  diag::err_va_start_used_in_wrong_abi_function)
           << !OnWindows;

  return false;
}
4622
/// Check that va_start is used inside a variadic function, block or
/// Objective-C method.
///
/// \param S the semantic analyzer; S.CurContext is the context inspected.
/// \param Fn the callee expression; its begin location anchors the
///        diagnostics.
/// \param LastParam if non-null, receives the last parameter of the enclosing
///        context, or nullptr when it declares none. It is written only when
///        the check succeeds.
/// \returns true if a diagnostic was emitted, false otherwise.
static bool checkVAStartIsInVariadicFunction(Sema &S, Expr *Fn,
                                             ParmVarDecl **LastParam = nullptr) {
  DeclContext *Enclosing = S.CurContext;
  bool Variadic = false;
  ArrayRef<ParmVarDecl *> Parameters;

  // Find out what kind of context we are in and fetch its parameter list.
  if (auto *BD = dyn_cast<BlockDecl>(Enclosing)) {
    Variadic = BD->isVariadic();
    Parameters = BD->parameters();
  } else if (auto *FD = dyn_cast<FunctionDecl>(Enclosing)) {
    Variadic = FD->isVariadic();
    Parameters = FD->parameters();
  } else if (auto *MD = dyn_cast<ObjCMethodDecl>(Enclosing)) {
    Variadic = MD->isVariadic();
    // FIXME: This isn't correct for methods (results in bogus warning).
    Parameters = MD->parameters();
  } else {
    // va_start is not supported in a CapturedDecl; any other context must be
    // some declcontext that parses expressions without being a function.
    const unsigned DiagID = isa<CapturedDecl>(Enclosing)
                                ? diag::err_va_start_captured_stmt
                                : diag::err_va_start_outside_function;
    S.Diag(Fn->getBeginLoc(), DiagID);
    return true;
  }

  if (!Variadic) {
    S.Diag(Fn->getBeginLoc(), diag::err_va_start_fixed_function);
    return true;
  }

  if (LastParam) {
    if (Parameters.empty())
      *LastParam = nullptr;
    else
      *LastParam = Parameters.back();
  }

  return false;
}
4660
/// Semantic checking for the two-argument va_start builtins.
///
/// Checks the ABI of the enclosing function, the argument count, the first
/// argument, and that the enclosing context is variadic. It then warns when
/// the second argument is not the last named parameter, or when that
/// parameter has a type for which the code reports va_start as undefined
/// (a reference, a C 'register' parameter, float, or a promotable integer).
///
/// \param BuiltinID the va_start builtin being called.
/// \param TheCall the call expression to check.
/// \returns true if an error was diagnosed; false otherwise, including when
///          only warnings were emitted.
bool Sema::BuiltinVAStart(unsigned BuiltinID, CallExpr *TheCall) {
  Expr *Callee = TheCall->getCallee();

  if (checkVAStartABI(*this, BuiltinID, Callee))
    return true;

  // In C23 mode, va_start only needs one argument. However, the builtin still
  // requires two arguments (which matches the behavior of the GCC builtin),
  // <stdarg.h> passes `0` as the second argument in C23 mode.
  if (checkArgCount(TheCall, 2))
    return true;

  // Type-check the first argument normally.
  if (checkBuiltinArgument(*this, TheCall, 0))
    return true;

  // Check that the current function is variadic, and get its last parameter.
  ParmVarDecl *LastNamed;
  if (checkVAStartIsInVariadicFunction(*this, Callee, &LastNamed))
    return true;

  Expr *SecondArg = TheCall->getArg(1);

  // In C23 mode an integer constant expression with value 0 as the second
  // argument skips the last-named-parameter check entirely.
  std::optional<llvm::APSInt> Constant =
      SecondArg->getIntegerConstantExpr(Context);
  if (Constant && LangOpts.C23 && *Constant == 0)
    return false;

  // Otherwise the second argument has to name the last parameter of the
  // current function or method.
  const Expr *Stripped = SecondArg->IgnoreParenCasts();
  const ParmVarDecl *Named = nullptr;
  if (const auto *Ref = dyn_cast<DeclRefExpr>(Stripped))
    Named = dyn_cast<ParmVarDecl>(Ref->getDecl());

  if (!Named || Named != LastNamed) {
    Diag(SecondArg->getBeginLoc(),
         diag::warn_second_arg_of_va_start_not_last_named_param);
    return false;
  }

  const QualType ParamTy = Named->getType();
  const bool IsReference = ParamTy->isReferenceType();
  const bool IsCRegister =
      Named->getStorageClass() == SC_Register && !getLangOpts().CPlusPlus;

  // Promotable integers are UB, but enumerations need a bit of extra checking
  // to see what their promotable type actually is.
  auto IsPromotedToOtherType = [&]() -> bool {
    if (!Context.isPromotableIntegerType(ParamTy))
      return false;
    if (!ParamTy->isEnumeralType())
      return true;
    const EnumDecl *ED = ParamTy->castAs<EnumType>()->getDecl();
    return !(ED &&
             Context.typesAreCompatible(ED->getPromotionType(), ParamTy));
  };

  if (IsCRegister || IsReference ||
      ParamTy->isSpecificBuiltinType(BuiltinType::Float) ||
      IsPromotedToOtherType()) {
    // Selects the wording of the warning: 1 for a reference type, 2 for a C
    // 'register' parameter, 0 for everything else.
    unsigned Reason = 0;
    if (IsReference)
      Reason = 1;
    else if (IsCRegister)
      Reason = 2;
    Diag(Stripped->getBeginLoc(), diag::warn_va_start_type_is_undefined)
        << Reason;
    Diag(Named->getLocation(), diag::note_parameter_type) << ParamTy;
  }

  return false;
}
4734
/// Semantic checking for the Microsoft ARM form of va_start, which is called
/// with at least three arguments.
///
/// Requires at least three arguments, type-checks the first one, and requires
/// a variadic enclosing context. Argument 1 must be a pointer (in C++, a
/// pointer to char) and argument 2 must have type size_t.
///
/// \param Call the call expression to check.
/// \returns true when the argument count, the first argument or the
///          enclosing context is rejected. Type mismatches on arguments 1 and
///          2 are diagnosed, but the function still returns false for them.
bool Sema::BuiltinVAStartARMMicrosoft(CallExpr *Call) {
  // void __va_start(va_list *ap, const char *named_addr, size_t slot_size,
  //                 const char *named_addr);

  Expr *Callee = Call->getCallee();

  if (Call->getNumArgs() < 3)
    return Diag(Call->getEndLoc(),
                diag::err_typecheck_call_too_few_args_at_least)
           << 0 /*function call*/ << 3 << Call->getNumArgs()
           << /*is non object*/ 0;

  // Type-check the first argument normally.
  if (checkBuiltinArgument(*this, Call, 0))
    return true;

  // Check that the current function is variadic.
  if (checkVAStartIsInVariadicFunction(*this, Callee))
    return true;

  // __va_start on Windows does not validate the parameter qualifiers

  const Expr *NamedAddr = Call->getArg(1)->IgnoreParens();
  const Expr *SlotSize = Call->getArg(2)->IgnoreParens();

  const QualType ConstCharPtrTy =
      Context.getPointerType(Context.CharTy.withConst());

  // Argument 1 has to be a pointer. In C++ its pointee must be char; in C,
  // allow aliasing through `char *`, this is required for AArch64 at least.
  const QualType NamedAddrTy = NamedAddr->getType().getCanonicalType();
  bool NamedAddrIsSuitable = NamedAddrTy->isPointerType();
  if (NamedAddrIsSuitable && getLangOpts().CPlusPlus)
    NamedAddrIsSuitable =
        NamedAddrTy->getPointeeType().withoutLocalFastQualifiers() ==
        Context.CharTy;

  if (!NamedAddrIsSuitable)
    Diag(NamedAddr->getBeginLoc(), diag::err_typecheck_convert_incompatible)
        << NamedAddr->getType() << ConstCharPtrTy << 1 /* different class */
        << 0                                           /* qualifier difference */
        << 3                                           /* parameter mismatch */
        << 2 << NamedAddr->getType() << ConstCharPtrTy;

  // Argument 2 has to be size_t once local fast qualifiers are ignored.
  const QualType SizeTy = Context.getSizeType();
  const Type *SlotSizeTy = SlotSize->getType().getCanonicalType().getTypePtr();
  if (SlotSizeTy->getCanonicalTypeInternal().withoutLocalFastQualifiers() !=
      SizeTy)
    Diag(SlotSize->getBeginLoc(), diag::err_typecheck_convert_incompatible)
        << SlotSize->getType() << SizeTy << 1 /* different class */
        << 0                                  /* qualifier difference */
        << 3                                  /* parameter mismatch */
        << 3 << SlotSize->getType() << SizeTy;

  return false;
}
4797
/// Semantic checking for the two-argument unordered comparison builtins.
///
/// Applies the usual arithmetic conversions to both operands, stores the
/// converted operands back into the call, and requires their common type to
/// be a real floating type.
///
/// \param TheCall the call expression to check.
/// \param BuiltinID the builtin being called; __builtin_isunordered
///        additionally warns when NaNs are not honored by the floating-point
///        options in effect.
/// \returns true if an error was diagnosed, false otherwise.
bool Sema::BuiltinUnorderedCompare(CallExpr *TheCall, unsigned BuiltinID) {
  if (checkArgCount(TheCall, 2))
    return true;

  if (BuiltinID == Builtin::BI__builtin_isunordered) {
    if (TheCall->getFPFeaturesInEffect(getLangOpts()).getNoHonorNaNs())
      Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
          << 1 << 0 << TheCall->getSourceRange();
  }

  ExprResult LHS = TheCall->getArg(0);
  ExprResult RHS = TheCall->getArg(1);

  // Do standard promotions between the two arguments, returning their common
  // type. Both results are updated in place by the conversion.
  QualType CommonTy = UsualArithmeticConversions(
      LHS, RHS, TheCall->getExprLoc(), ACK_Comparison);
  if (LHS.isInvalid() || RHS.isInvalid())
    return true;

  // Make sure any conversions are pushed back into the call; this is
  // type safe since unordered compare builtins are declared as "_Bool
  // foo(...)".
  Expr *Left = LHS.get();
  Expr *Right = RHS.get();
  TheCall->setArg(0, Left);
  TheCall->setArg(1, Right);

  if (Left->isTypeDependent() || Right->isTypeDependent())
    return false;

  // A common type that is a real floating type means the operands are valid
  // for this operation.
  if (!CommonTy.isNull() && CommonTy->isRealFloatingType())
    return false;

  return Diag(Left->getBeginLoc(),
              diag::err_typecheck_call_invalid_ordered_compare)
         << Left->getType() << Right->getType()
         << SourceRange(Left->getBeginLoc(), Right->getEndLoc());
}
4837
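/// Semantic checking for the floating-point classification builtins.
///
/// When NumArgs is 2 the call is treated as the __builtin_isfpclass form: the
/// floating-point operand is argument 0 and argument 1 is a constant test
/// mask. Otherwise the floating-point operand is the last argument and every
/// argument before it is converted to int.
///
/// \param TheCall the call expression to check.
/// \param NumArgs the exact number of arguments the builtin takes.
/// \param BuiltinID the builtin being called; selects which
///        "NaN/Inf not honored" warnings apply.
/// \returns true if an error was diagnosed or an argument conversion failed,
///          false otherwise.
bool Sema::BuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs,
                                   unsigned BuiltinID) {
  if (checkArgCount(TheCall, NumArgs))
    return true;

  FPOptions FPO = TheCall->getFPFeaturesInEffect(getLangOpts());
  if (FPO.getNoHonorInfs() && (BuiltinID == Builtin::BI__builtin_isfinite ||
                               BuiltinID == Builtin::BI__builtin_isinf ||
                               BuiltinID == Builtin::BI__builtin_isinf_sign))
    Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
        << 0 << 0 << TheCall->getSourceRange();

  if (FPO.getNoHonorNaNs() && (BuiltinID == Builtin::BI__builtin_isnan ||
                               BuiltinID == Builtin::BI__builtin_isunordered))
    Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
        << 1 << 0 << TheCall->getSourceRange();

  bool IsFPClass = NumArgs == 2;

  // Find out position of floating-point argument.
  unsigned FPArgNo = IsFPClass ? 0 : NumArgs - 1;

  // We can count on all parameters preceding the floating-point just being int.
  // Try all of those.
  for (unsigned i = 0; i < FPArgNo; ++i) {
    Expr *Arg = TheCall->getArg(i);

    if (Arg->isTypeDependent())
      return false;

    ExprResult Res = PerformImplicitConversion(Arg, Context.IntTy, AA_Passing);

    if (Res.isInvalid())
      return true;
    TheCall->setArg(i, Res.get());
  }

  Expr *OrigArg = TheCall->getArg(FPArgNo);

  if (OrigArg->isTypeDependent())
    return false;

  // Usual Unary Conversions will convert half to float, which we want for
  // machines that use fp16 conversion intrinsics. Else, we want to leave the
  // type how it is, but do normal L->Rvalue conversions.
  ExprResult Converted =
      Context.getTargetInfo().useFP16ConversionIntrinsics()
          ? UsualUnaryConversions(OrigArg)
          : DefaultFunctionArrayLvalueConversion(OrigArg);
  // A failed conversion must stop the check here: the result is dereferenced
  // below, and the other conversions in this file check isInvalid() before
  // using theirs.
  if (Converted.isInvalid())
    return true;
  OrigArg = Converted.get();
  TheCall->setArg(FPArgNo, OrigArg);

  QualType VectorResultTy;
  QualType ElementTy = OrigArg->getType();
  // TODO: When all classification function are implemented with is_fpclass,
  // vector argument can be supported in all of them.
  if (ElementTy->isVectorType() && IsFPClass) {
    VectorResultTy = GetSignedVectorType(ElementTy);
    ElementTy = ElementTy->castAs<VectorType>()->getElementType();
  }

  // This operation requires a non-_Complex floating-point number.
  if (!ElementTy->isRealFloatingType())
    return Diag(OrigArg->getBeginLoc(),
                diag::err_typecheck_call_invalid_unary_fp)
           << OrigArg->getType() << OrigArg->getSourceRange();

  if (IsFPClass) {
    // __builtin_isfpclass has integer parameter that specify test mask. It is
    // passed in (...), so it should be analyzed completely here.
    if (BuiltinConstantArgRange(TheCall, 1, 0, llvm::fcAllFlags))
      return true;

    // TODO: enable this code to all classification functions.
    // The result is int, or the signed vector type computed above when the
    // operand is a vector.
    QualType ResultTy = Context.IntTy;
    if (!VectorResultTy.isNull())
      ResultTy = VectorResultTy;
    TheCall->setType(ResultTy);
  }

  return false;
}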
4922
/// Semantic checking for __builtin_complex.
///
/// Both operands must be real floating-point values of the same type. Each
/// non-dependent operand gets an lvalue conversion, and the call's type is set
/// to the complex type built from the operand type. If either operand has a
/// dependent type, the call's type becomes the dependent type instead and the
/// remaining checks are skipped.
///
/// \param TheCall the call expression to check.
/// \returns true if an error was diagnosed or a conversion failed, false
///          otherwise.
bool Sema::BuiltinComplex(CallExpr *TheCall) {
  if (checkArgCount(TheCall, 2))
    return true;

  bool AnyDependent = false;
  for (unsigned Idx = 0; Idx < 2; ++Idx) {
    Expr *Operand = TheCall->getArg(Idx);
    const QualType OperandTy = Operand->getType();

    // Dependent operands are left for later; keep checking the other one.
    if (OperandTy->isDependentType()) {
      AnyDependent = true;
      continue;
    }

    // Despite supporting _Complex int, GCC requires a real floating point type
    // for the operands of __builtin_complex.
    if (!OperandTy->isRealFloatingType())
      return Diag(Operand->getBeginLoc(),
                  diag::err_typecheck_call_requires_real_fp)
             << Operand->getType() << Operand->getSourceRange();

    ExprResult RValue = DefaultLvalueConversion(Operand);
    if (RValue.isInvalid())
      return true;
    TheCall->setArg(Idx, RValue.get());
  }

  if (AnyDependent) {
    TheCall->setType(Context.DependentTy);
    return false;
  }

  Expr *RealPart = TheCall->getArg(0);
  Expr *ImagPart = TheCall->getArg(1);
  const QualType RealTy = RealPart->getType();

  if (!Context.hasSameType(RealTy, ImagPart->getType()))
    return Diag(RealPart->getBeginLoc(),
                diag::err_typecheck_call_different_arg_types)
           << RealPart->getType() << ImagPart->getType()
           << RealPart->getSourceRange() << ImagPart->getSourceRange();

  // We don't allow _Complex _Float16 nor _Complex __fp16 as type specifiers;
  // don't allow this builtin to form those types either.
  // FIXME: Should we allow these types?
  if (RealTy->isFloat16Type())
    return Diag(TheCall->getBeginLoc(), diag::err_invalid_complex_spec)
           << "_Float16";
  if (RealTy->isHalfType())
    return Diag(TheCall->getBeginLoc(), diag::err_invalid_complex_spec)
           << "half";

  TheCall->setType(Context.getComplexType(RealTy));
  return false;
}
4976
/// BuiltinShuffleVector - Semantic checking for __builtin_shufflevector.
///
/// The builtin is declared to take (...), so the argument count, the operand
/// types and every shuffle index are validated here. Two forms are accepted:
///   1) unary, vector mask:  (lhs, mask)
///   2) binary, scalar mask: (lhs, rhs, index, ..., index)
///
/// \returns a newly allocated ShuffleVectorExpr that takes over the call's
/// arguments, or ExprError() after a diagnostic has been emitted.
ExprResult Sema::BuiltinShuffleVector(CallExpr *TheCall) {
  const unsigned ArgCount = TheCall->getNumArgs();
  if (ArgCount < 2)
    return ExprError(Diag(TheCall->getEndLoc(),
                          diag::err_typecheck_call_too_few_args_at_least)
                     << 0 /*function call*/ << 2 << ArgCount
                     << /*is non object*/ 0 << TheCall->getSourceRange());

  Expr *FirstArg = TheCall->getArg(0);
  Expr *SecondArg = TheCall->getArg(1);

  // The result defaults to the type of the first operand; the binary form may
  // replace it below when the index count differs from the operand width.
  QualType ResultTy = FirstArg->getType();
  unsigned LHSElts = 0;

  if (!FirstArg->isTypeDependent() && !SecondArg->isTypeDependent()) {
    QualType LHSType = FirstArg->getType();
    QualType RHSType = SecondArg->getType();

    if (!(LHSType->isVectorType() && RHSType->isVectorType()))
      return ExprError(
          Diag(TheCall->getBeginLoc(), diag::err_vec_builtin_non_vector)
          << TheCall->getDirectCallee() << /*isMorethantwoArgs*/ false
          << SourceRange(FirstArg->getBeginLoc(), SecondArg->getEndLoc()));

    const auto *LHSVec = LHSType->castAs<VectorType>();
    LHSElts = LHSVec->getNumElements();
    const unsigned ResultElts = ArgCount - 2;

    if (ArgCount == 2) {
      // Unary shuffle with a vector mask: the mask must be an integer vector
      // with exactly as many elements as the left-hand operand.
      const bool MaskOk =
          RHSType->hasIntegerRepresentation() &&
          RHSType->castAs<VectorType>()->getNumElements() == LHSElts;
      if (!MaskOk)
        return ExprError(Diag(TheCall->getBeginLoc(),
                              diag::err_vec_builtin_incompatible_vector)
                         << TheCall->getDirectCallee()
                         << /*isMorethantwoArgs*/ false
                         << SourceRange(SecondArg->getBeginLoc(),
                                        SecondArg->getEndLoc()));
    } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) {
      // Binary shuffle: both operands must have the same vector type.
      return ExprError(Diag(TheCall->getBeginLoc(),
                            diag::err_vec_builtin_incompatible_vector)
                       << TheCall->getDirectCallee()
                       << /*isMorethantwoArgs*/ false
                       << SourceRange(FirstArg->getBeginLoc(),
                                      SecondArg->getEndLoc()));
    } else if (LHSElts != ResultElts) {
      // The number of indices decides the width of the result vector.
      ResultTy = Context.getVectorType(LHSVec->getElementType(), ResultElts,
                                       VectorKind::Generic);
    }
  }

  // Every scalar index must be an integer constant that is either -1 or
  // selects an element of the two concatenated operands.
  for (unsigned Idx = 2; Idx < ArgCount; ++Idx) {
    Expr *IndexArg = TheCall->getArg(Idx);
    if (IndexArg->isTypeDependent() || IndexArg->isValueDependent())
      continue;

    std::optional<llvm::APSInt> Index =
        IndexArg->getIntegerConstantExpr(Context);
    if (!Index)
      return ExprError(Diag(TheCall->getBeginLoc(),
                            diag::err_shufflevector_nonconstant_argument)
                       << IndexArg->getSourceRange());

    // Allow -1 which will be translated to undef in the IR.
    if (Index->isSigned() && Index->isAllOnes())
      continue;

    // The bound is computed in unsigned arithmetic, and LHSElts is still 0
    // when either vector operand was type-dependent above.
    // NOTE(review): confirm element counts cannot make LHSElts * 2 wrap, and
    // that a constant index next to dependent operands cannot reach here.
    if (Index->getActiveBits() > 64 || Index->getZExtValue() >= LHSElts * 2)
      return ExprError(Diag(TheCall->getBeginLoc(),
                            diag::err_shufflevector_argument_too_large)
                       << IndexArg->getSourceRange());
  }

  // Move the arguments out of the call and into the ShuffleVectorExpr.
  SmallVector<Expr *, 32> ShuffleArgs;
  for (unsigned Idx = 0; Idx != ArgCount; ++Idx) {
    ShuffleArgs.push_back(TheCall->getArg(Idx));
    TheCall->setArg(Idx, nullptr);
  }

  return new (Context)
      ShuffleVectorExpr(Context, ShuffleArgs, ResultTy,
                        TheCall->getCallee()->getBeginLoc(),
                        TheCall->getRParenLoc());
}
5066
/// Semantic checking for __builtin_convertvector.
///
/// Unless a type is dependent, the source expression and the destination type
/// must both be vector types, and when neither is dependent they must have the
/// same number of elements.
///
/// \param E          the source expression.
/// \param TInfo      type information for the destination type.
/// \param BuiltinLoc location used for diagnostics and stored in the node.
/// \param RParenLoc  location of the closing parenthesis.
/// \returns the new ConvertVectorExpr node, or ExprError() after a diagnostic.
ExprResult Sema::ConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo,
                                   SourceLocation BuiltinLoc,
                                   SourceLocation RParenLoc) {
  QualType SrcTy = E->getType();
  QualType DstTy = TInfo->getType();
  const bool SrcIsDependent = SrcTy->isDependentType();
  const bool DstIsDependent = DstTy->isDependentType();

  if (!SrcIsDependent && !SrcTy->isVectorType())
    return ExprError(Diag(BuiltinLoc, diag::err_convertvector_non_vector)
                     << E->getSourceRange());

  if (!DstIsDependent && !DstTy->isVectorType())
    return ExprError(Diag(BuiltinLoc, diag::err_builtin_non_vector_type)
                     << "second"
                     << "__builtin_convertvector");

  // Element counts can only be compared once both types are known.
  if (!SrcIsDependent && !DstIsDependent) {
    const unsigned SrcElts = SrcTy->castAs<VectorType>()->getNumElements();
    const unsigned DstElts = DstTy->castAs<VectorType>()->getNumElements();
    if (SrcElts != DstElts)
      return ExprError(
          Diag(BuiltinLoc, diag::err_convertvector_incompatible_vector)
          << E->getSourceRange());
  }

  // The 'class' keyword selects the AST node type rather than this member
  // function of the same name.
  return new (Context) class ConvertVectorExpr(
      E, TInfo, DstTy, VK_PRValue, OK_Ordinary, BuiltinLoc, RParenLoc);
}
5096
/// Semantic checking for a prefetch builtin call.
///
/// At most three arguments are accepted. Argument 0 is checked elsewhere;
/// argument 1 must be a constant integer in [0, 1] and argument 2 a constant
/// integer in [0, 3] (presumably the read/write flag and the locality hint).
///
/// \returns true if a check failed, false otherwise.
bool Sema::BuiltinPrefetch(CallExpr *TheCall) {
  const unsigned ArgCount = TheCall->getNumArgs();

  if (ArgCount > 3)
    return Diag(TheCall->getEndLoc(),
                diag::err_typecheck_call_too_many_args_at_most)
           << 0 /*function call*/ << 3 << ArgCount << /*is non object*/ 0
           << TheCall->getSourceRange();

  // Argument 0 is checked for us and the remaining arguments must be
  // constant integers.
  // NOTE(review): the loop assumes at least one argument is present; confirm
  // the argument-count minimum is enforced before this function is reached.
  for (unsigned Idx = 1; Idx != ArgCount; ++Idx) {
    const int UpperBound = (Idx == 1) ? 1 : 3;
    if (BuiltinConstantArgRange(TheCall, Idx, 0, UpperBound))
      return true;
  }

  return false;
}
5114
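/// Semantic checking for the arithmetic-fence builtin.
///
/// Rejects the call when the target reports no arithmetic-fence support,
/// requires exactly one argument with a floating-point representation, applies
/// the default lvalue conversion to an lvalue argument, and gives the call the
/// type of its (converted) argument. Instantiation-dependent arguments are
/// left unchecked.
///
/// \returns true if a check failed, false otherwise.
bool Sema::BuiltinArithmeticFence(CallExpr *TheCall) {
  if (!Context.getTargetInfo().checkArithmeticFenceSupported())
    return Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
           << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
  if (checkArgCount(TheCall, 1))
    return true;
  Expr *Arg = TheCall->getArg(0);
  if (Arg->isInstantiationDependent())
    return false;

  QualType ArgTy = Arg->getType();
  if (!ArgTy->hasFloatingRepresentation())
    return Diag(TheCall->getEndLoc(), diag::err_typecheck_expect_flt_or_vector)
           << ArgTy;
  if (Arg->isLValue()) {
    ExprResult FirstArg = DefaultLvalueConversion(Arg);
    // Stop on a failed conversion (presumably already diagnosed): storing the
    // null expression of an invalid result would make the getType() call
    // below dereference a null argument.
    if (FirstArg.isInvalid())
      return true;
    TheCall->setArg(0, FirstArg.get());
  }
  TheCall->setType(TheCall->getArg(0)->getType());
  return false;
}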
5136
/// Semantic checking for an assume-style builtin: warns when the assumed
/// expression has side effects. Instantiation-dependent arguments are not
/// inspected.
///
/// \returns false in every case; the side-effect finding is only a warning.
bool Sema::BuiltinAssume(CallExpr *TheCall) {
  Expr *Assumption = TheCall->getArg(0);

  if (!Assumption->isInstantiationDependent() &&
      Assumption->HasSideEffects(Context)) {
    // The callee's identifier is passed to the warning as an argument.
    const auto *Callee = cast<FunctionDecl>(TheCall->getCalleeDecl());
    Diag(Assumption->getBeginLoc(), diag::warn_assume_side_effects)
        << Assumption->getSourceRange() << Callee->getIdentifier();
  }

  return false;
}
5148
/// Semantic checking for the alignment argument (argument 1) of an
/// alloca-with-align builtin.
///
/// For a non-dependent argument this warns when the alignment is spelled with
/// alignof / preferred-alignof, and rejects values that are not a power of
/// two, are smaller than Context.getCharWidth(), or exceed the int32_t maximum.
///
/// \returns true if a check failed, false otherwise.
bool Sema::BuiltinAllocaWithAlign(CallExpr *TheCall) {
  // The alignment must be a constant integer.
  Expr *AlignArg = TheCall->getArg(1);

  // We can't check the value of a dependent argument.
  if (AlignArg->isTypeDependent() || AlignArg->isValueDependent())
    return false;

  const auto *Trait =
      dyn_cast<UnaryExprOrTypeTraitExpr>(AlignArg->IgnoreParenImpCasts());
  if (Trait && (Trait->getKind() == UETT_AlignOf ||
                Trait->getKind() == UETT_PreferredAlignOf))
    Diag(TheCall->getBeginLoc(), diag::warn_alloca_align_alignof)
        << AlignArg->getSourceRange();

  // NOTE(review): EvaluateKnownConstInt presumes the argument has already been
  // established as an integer constant expression; confirm the caller
  // guarantees that before this point.
  llvm::APSInt Alignment = AlignArg->EvaluateKnownConstInt(Context);

  if (!Alignment.isPowerOf2())
    return Diag(TheCall->getBeginLoc(), diag::err_alignment_not_power_of_two)
           << AlignArg->getSourceRange();

  if (Alignment < Context.getCharWidth())
    return Diag(TheCall->getBeginLoc(), diag::err_alignment_too_small)
           << static_cast<unsigned>(Context.getCharWidth())
           << AlignArg->getSourceRange();

  constexpr int32_t LargestAlignment = std::numeric_limits<int32_t>::max();
  if (Alignment > LargestAlignment)
    return Diag(TheCall->getBeginLoc(), diag::err_alignment_too_big)
           << LargestAlignment << AlignArg->getSourceRange();

  return false;
}
5179
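/// Semantic checking for an assume-aligned builtin taking two or three
/// arguments.
///
/// Argument 0 receives the default function/array/lvalue conversion.
/// Argument 1, when not value-dependent, must be a constant integer that is a
/// power of two; a value above Sema::MaximumAlignment only produces a warning.
/// An optional argument 2 is converted to the size type.
///
/// \returns true if a check failed, false otherwise.
bool Sema::BuiltinAssumeAligned(CallExpr *TheCall) {
  if (checkArgCountRange(TheCall, 2, 3))
    return true;

  unsigned NumArgs = TheCall->getNumArgs();
  Expr *FirstArg = TheCall->getArg(0);

  {
    ExprResult FirstArgResult =
        DefaultFunctionArrayLvalueConversion(FirstArg);
    if (checkBuiltinArgument(*this, TheCall, 0))
      return true;
    // Stop on a failed conversion (presumably already diagnosed) instead of
    // storing the null expression of an invalid result as argument 0.
    if (FirstArgResult.isInvalid())
      return true;
    // Any in-place update of argument 0 made by checkBuiltinArgument is
    // deliberately overwritten with the converted expression.
    TheCall->setArg(0, FirstArgResult.get());
  }

  // The alignment must be a constant integer.
  Expr *SecondArg = TheCall->getArg(1);

  // We can't check the value of a dependent argument.
  if (!SecondArg->isValueDependent()) {
    llvm::APSInt Result;
    if (BuiltinConstantArg(TheCall, 1, Result))
      return true;

    if (!Result.isPowerOf2())
      return Diag(TheCall->getBeginLoc(), diag::err_alignment_not_power_of_two)
             << SecondArg->getSourceRange();

    // Too-large alignments are only warned about; checking continues.
    if (Result > Sema::MaximumAlignment)
      Diag(TheCall->getBeginLoc(), diag::warn_assume_aligned_too_great)
          << SecondArg->getSourceRange() << Sema::MaximumAlignment;
  }

  if (NumArgs > 2) {
    Expr *ThirdArg = TheCall->getArg(2);
    if (convertArgumentToType(*this, ThirdArg, Context.getSizeType()))
      return true;
    TheCall->setArg(2, ThirdArg);
  }

  return false;
}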
5223
/// Semantic checking for the os_log format builtins.
///
/// The buffer-size builtin takes (format, data...); the formatting builtin
/// takes (buffer, format, data...). The checks performed, in order:
///   - argument count: at least the required arguments, and fewer than
///     0x100 arguments beyond them;
///   - formatting call only: the buffer is copy-initialized as a void *
///     parameter;
///   - the format argument is validated by CheckOSLogFormatStringArg;
///   - each data argument gets the default variadic promotion and must be
///     smaller than 0x100 bytes;
///   - formatting call only: format specifiers are checked against the data
///     arguments (skipped for the size call to avoid duplicate diagnostics).
///
/// On success the call's type is the size type for the size call and void *
/// for the formatting call.
///
/// \returns true if a check failed, false otherwise.
bool Sema::BuiltinOSLogFormat(CallExpr *TheCall) {
  const unsigned BuiltinID =
      cast<FunctionDecl>(TheCall->getCalleeDecl())->getBuiltinID();
  const bool IsSizeCall =
      BuiltinID == Builtin::BI__builtin_os_log_format_buffer_size;

  const unsigned NumArgs = TheCall->getNumArgs();
  const unsigned NumRequiredArgs = IsSizeCall ? 1 : 2;

  if (NumArgs < NumRequiredArgs)
    return Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args)
           << 0 /* function call */ << NumRequiredArgs << NumArgs
           << /*is non object*/ 0 << TheCall->getSourceRange();

  if (NumArgs >= NumRequiredArgs + 0x100)
    return Diag(TheCall->getEndLoc(),
                diag::err_typecheck_call_too_many_args_at_most)
           << 0 /* function call */ << (NumRequiredArgs + 0xff) << NumArgs
           << /*is non object*/ 0 << TheCall->getSourceRange();

  unsigned NextArg = 0;

  // For formatting call, check buffer arg.
  if (!IsSizeCall) {
    InitializedEntity BufferParam = InitializedEntity::InitializeParameter(
        Context, Context.VoidPtrTy, false);
    ExprResult Buffer(TheCall->getArg(NextArg));
    Buffer = PerformCopyInitialization(BufferParam, SourceLocation(), Buffer);
    if (Buffer.isInvalid())
      return true;
    TheCall->setArg(NextArg, Buffer.get());
    ++NextArg;
  }

  // Check string literal arg.
  const unsigned FormatIdx = NextArg;
  ExprResult Format = CheckOSLogFormatStringArg(TheCall->getArg(FormatIdx));
  if (Format.isInvalid())
    return true;
  TheCall->setArg(FormatIdx, Format.get());
  ++NextArg;

  // Make sure variadic args are scalar.
  const unsigned FirstDataArg = NextArg;
  for (unsigned Idx = FirstDataArg; Idx < NumArgs; ++Idx) {
    ExprResult Promoted = DefaultVariadicArgumentPromotion(
        TheCall->getArg(Idx), VariadicFunction, nullptr);
    if (Promoted.isInvalid())
      return true;

    // Arguments of 0x100 bytes or more are rejected; the diagnostic reports
    // 0xff as the limit.
    CharUnits ArgSize = Context.getTypeSizeInChars(Promoted.get()->getType());
    if (ArgSize.getQuantity() >= 0x100)
      return Diag(Promoted.get()->getEndLoc(),
                  diag::err_os_log_argument_too_big)
             << Idx << static_cast<int>(ArgSize.getQuantity()) << 0xff
             << TheCall->getSourceRange();

    TheCall->setArg(Idx, Promoted.get());
  }

  // Check formatting specifiers. NOTE: We're only doing this for the non-size
  // call to avoid duplicate diagnostics.
  if (!IsSizeCall) {
    llvm::SmallBitVector CheckedVarArgs(NumArgs, false);
    ArrayRef<const Expr *> Args(TheCall->getArgs(), TheCall->getNumArgs());
    if (!CheckFormatArguments(Args, FAPK_Variadic, FormatIdx, FirstDataArg,
                              FST_OSLog, VariadicFunction,
                              TheCall->getBeginLoc(), SourceRange(),
                              CheckedVarArgs))
      return true;
  }

  if (IsSizeCall)
    TheCall->setType(Context.getSizeType());
  else
    TheCall->setType(Context.VoidPtrTy);

  return false;
}
5303
/// Requires argument \p ArgNum of \p TheCall to be an integer constant
/// expression and stores its value in \p Result.
///
/// A type- or value-dependent argument is accepted without evaluation, and
/// \p Result is left untouched in that case.
///
/// \returns true after diagnosing a non-constant argument, false otherwise.
bool Sema::BuiltinConstantArg(CallExpr *TheCall, int ArgNum,
                              llvm::APSInt &Result) {
  Expr *Arg = TheCall->getArg(ArgNum);

  // Resolve the callee up front; its name is used in the diagnostic.
  auto *CalleeRef =
      cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
  auto *Callee = cast<FunctionDecl>(CalleeRef->getDecl());

  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  std::optional<llvm::APSInt> Value = Arg->getIntegerConstantExpr(Context);
  if (!Value)
    return Diag(TheCall->getBeginLoc(), diag::err_constant_integer_arg_type)
           << Callee->getDeclName() << Arg->getSourceRange();

  Result = *Value;
  return false;
}
5319
/// Requires argument \p ArgNum of \p TheCall to be an integer constant within
/// the inclusive range [\p Low, \p High].
///
/// Nothing is checked in a constant-evaluated context or for a type- or
/// value-dependent argument. An out-of-range value is an error when
/// \p RangeIsError is set; otherwise it is reported as a runtime-behavior
/// warning and the function still returns false.
///
/// \returns true if an error was diagnosed, false otherwise.
bool Sema::BuiltinConstantArgRange(CallExpr *TheCall, int ArgNum, int Low,
                                   int High, bool RangeIsError) {
  if (isConstantEvaluatedContext())
    return false;

  // We can't check the value of a dependent argument.
  Expr *Arg = TheCall->getArg(ArgNum);
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  // Check constant-ness first.
  llvm::APSInt Value;
  if (BuiltinConstantArg(TheCall, ArgNum, Value))
    return true;

  // The bounds are compared against the value read as a sign-extended 64-bit
  // integer.
  // NOTE(review): confirm a constant wider than 64 bits, or an unsigned
  // constant with its top bit set, cannot reach this comparison and be
  // misjudged.
  const bool InRange =
      Value.getSExtValue() >= Low && Value.getSExtValue() <= High;
  if (InRange)
    return false;

  if (RangeIsError)
    return Diag(TheCall->getBeginLoc(), diag::err_argument_invalid_range)
           << toString(Value, 10) << Low << High << Arg->getSourceRange();

  // Defer the warning until we know if the code will be emitted so that
  // dead code can ignore this.
  DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
                      PDiag(diag::warn_argument_invalid_range)
                          << toString(Value, 10) << Low << High
                          << Arg->getSourceRange());
  return false;
}
5350
/// Requires argument \p ArgNum of \p TheCall to be an integer constant that
/// is a multiple of \p Num. Type- or value-dependent arguments are not
/// checked.
///
/// \returns true if an error was diagnosed, false otherwise.
bool Sema::BuiltinConstantArgMultiple(CallExpr *TheCall, int ArgNum,
                                      unsigned Num) {
  // We can't check the value of a dependent argument.
  Expr *Arg = TheCall->getArg(ArgNum);
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  // Check constant-ness first.
  llvm::APSInt Value;
  if (BuiltinConstantArg(TheCall, ArgNum, Value))
    return true;

  // NOTE(review): Num is used as a divisor; this assumes callers never pass 0.
  const bool IsMultiple = Value.getSExtValue() % Num == 0;
  if (IsMultiple)
    return false;

  return Diag(TheCall->getBeginLoc(), diag::err_argument_not_multiple)
         << Num << Arg->getSourceRange();
}
5370
/// Requires argument \p ArgNum of \p TheCall to be an integer constant that
/// is a strictly positive power of two. Type- or value-dependent arguments
/// are not checked.
///
/// \returns true if an error was diagnosed, false otherwise.
bool Sema::BuiltinConstantArgPower2(CallExpr *TheCall, int ArgNum) {
  // We can't check the value of a dependent argument.
  Expr *Arg = TheCall->getArg(ArgNum);
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  // Check constant-ness first.
  llvm::APSInt Value;
  if (BuiltinConstantArg(TheCall, ArgNum, Value))
    return true;

  // For x > 0, x & (x - 1) clears the lowest set bit, so it is zero exactly
  // when x has a single bit set.
  const bool IsPowerOfTwo =
      Value.isStrictlyPositive() && (Value & (Value - 1)) == 0;
  if (!IsPowerOfTwo)
    return Diag(TheCall->getBeginLoc(), diag::err_argument_not_power_of_2)
           << Arg->getSourceRange();

  return false;
}
5391
/// Returns true if \p Value is non-negative and consists of a single byte
/// (0..0xFF) shifted left by a whole number of bytes, i.e. every byte below
/// its highest non-zero byte is zero.
static bool IsShiftedByte(llvm::APSInt Value) {
  if (Value.isNegative())
    return false;

  // Strip all-zero low bytes until what remains fits in the bottom byte.
  while (!(Value < 0x100)) {
    // Bits in the bottom byte while higher bits are also set: more than one
    // byte is occupied, so the check fails.
    if ((Value & 0xFF) != 0)
      return false;

    // The bottom 8 bits are all zero; dropping them does not change whether
    // the value is a shifted byte.
    Value >>= 8;
  }

  return true;
}
5413
/// Requires argument \p ArgNum of \p TheCall to be an integer constant whose
/// low \p ArgBits bits, read as unsigned, form a value accepted by
/// IsShiftedByte. Type- or value-dependent arguments are not checked.
///
/// \returns true if an error was diagnosed, false otherwise.
bool Sema::BuiltinConstantArgShiftedByte(CallExpr *TheCall, int ArgNum,
                                         unsigned ArgBits) {
  // We can't check the value of a dependent argument.
  Expr *Arg = TheCall->getArg(ArgNum);
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  // Check constant-ness first.
  llvm::APSInt Value;
  if (BuiltinConstantArg(TheCall, ArgNum, Value))
    return true;

  // Keep only the low ArgBits bits and read them as unsigned, so bits above
  // the given size do not take part in the check.
  Value = Value.getLoBits(ArgBits);
  Value.setIsUnsigned(true);

  if (!IsShiftedByte(Value))
    return Diag(TheCall->getBeginLoc(), diag::err_argument_not_shifted_byte)
           << Arg->getSourceRange();

  return false;
}
5437
/// Requires argument \p ArgNum of \p TheCall to be an integer constant whose
/// low \p ArgBits bits, read as unsigned, are either a value accepted by
/// IsShiftedByte or a value below 0x10000 whose bottom byte is 0xFF.
/// Type- or value-dependent arguments are not checked.
///
/// \returns true if an error was diagnosed, false otherwise.
bool Sema::BuiltinConstantArgShiftedByteOrXXFF(CallExpr *TheCall, int ArgNum,
                                               unsigned ArgBits) {
  // We can't check the value of a dependent argument.
  Expr *Arg = TheCall->getArg(ArgNum);
  if (Arg->isTypeDependent() || Arg->isValueDependent())
    return false;

  // Check constant-ness first.
  llvm::APSInt Value;
  if (BuiltinConstantArg(TheCall, ArgNum, Value))
    return true;

  // Keep only the low ArgBits bits and read them as unsigned.
  Value = Value.getLoBits(ArgBits);
  Value.setIsUnsigned(true);

  // Check to see if it's in either of the required forms.
  if (IsShiftedByte(Value))
    return false;
  if (Value > 0 && Value < 0x10000 && (Value & 0xFF) == 0xFF)
    return false;

  return Diag(TheCall->getBeginLoc(),
              diag::err_argument_not_shifted_byte_or_xxff)
         << Arg->getSourceRange();
}
5464
/// Semantic checking for the longjmp builtin: the target must provide
/// setjmp/longjmp lowering, and argument 1 must be the integer constant 1.
///
/// \returns true if an error was diagnosed, false otherwise.
bool Sema::BuiltinLongjmp(CallExpr *TheCall) {
  if (!Context.getTargetInfo().hasSjLjLowering())
    return Diag(TheCall->getBeginLoc(), diag::err_builtin_longjmp_unsupported)
           << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());

  Expr *ValueArg = TheCall->getArg(1);
  llvm::APSInt Value;

  // TODO: This is less than ideal. Overload this to take a value.
  // NOTE(review): BuiltinConstantArg leaves Value untouched for a dependent
  // argument, which the comparison below then treats as "not 1"; confirm a
  // dependent argument cannot reach here.
  if (BuiltinConstantArg(TheCall, 1, Value))
    return true;

  if (Value == 1)
    return false;

  return Diag(TheCall->getBeginLoc(), diag::err_builtin_longjmp_invalid_val)
         << SourceRange(ValueArg->getBeginLoc(), ValueArg->getEndLoc());
}
5483
/// Semantic checking for the setjmp builtin: the call is only accepted when
/// the target provides setjmp/longjmp lowering.
///
/// \returns true if the unsupported-target error was diagnosed, else false.
bool Sema::BuiltinSetjmp(CallExpr *TheCall) {
  if (Context.getTargetInfo().hasSjLjLowering())
    return false;

  return Diag(TheCall->getBeginLoc(), diag::err_builtin_setjmp_unsupported)
         << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
}
5490
namespace {

/// Tracks, across the format strings examined for one call, the highest
/// "first uncovered argument" index reported and the string expressions that
/// reported it. Once any string is found to cover every argument, later
/// updates are ignored.
class UncoveredArgHandler {
  // Sentinel states of FirstUncoveredArg; real argument indices are >= 0.
  enum { Unknown = -1, AllCovered = -2 };

  signed FirstUncoveredArg = Unknown;
  // The string expressions that reported FirstUncoveredArg.
  SmallVector<const Expr *, 4> DiagnosticExprs;

public:
  UncoveredArgHandler() = default;

  /// True once an uncovered argument index has been recorded.
  bool hasUncoveredArg() const { return FirstUncoveredArg >= 0; }

  /// The recorded index; only valid when hasUncoveredArg() is true.
  unsigned getUncoveredArg() const {
    assert(hasUncoveredArg() && "no uncovered argument");
    return FirstUncoveredArg;
  }

  /// Records that a string covering all arguments was found, and drops the
  /// diagnostics collected so far.
  void setAllCovered() {
    DiagnosticExprs.clear();
    FirstUncoveredArg = AllCovered;
  }

  /// Records that \p StrExpr leaves argument \p NewFirstUncoveredArg (and
  /// possibly later ones) uncovered.
  void Update(signed NewFirstUncoveredArg, const Expr *StrExpr) {
    assert(NewFirstUncoveredArg >= 0 && "Outside range");

    // Don't update if a previous string covers all arguments.
    if (FirstUncoveredArg == AllCovered)
      return;

    // Only the highest uncovered index is tracked; a lower one is dropped.
    if (NewFirstUncoveredArg < FirstUncoveredArg)
      return;

    // A strictly higher index replaces the strings collected so far.
    if (NewFirstUncoveredArg > FirstUncoveredArg) {
      DiagnosticExprs.clear();
      FirstUncoveredArg = NewFirstUncoveredArg;
    }

    DiagnosticExprs.push_back(StrExpr);
  }

  void Diagnose(Sema &S, bool IsFunctionCall, const Expr *ArgExpr);
};

/// Result of examining an expression used as a format string. The enumerator
/// order matters: checkFormatStringExpr compares two results with '<' and
/// returns the smaller one for a conditional operator.
enum StringLiteralCheckType {
  SLCT_NotALiteral,
  SLCT_UncheckedLiteral,
  SLCT_CheckedLiteral
};

} // namespace
5546
/// Adds \p Addend to \p Offset (BO_Add) or subtracts it (BO_Sub, addend on
/// the right-hand side) and stores the result back into \p Offset.
///
/// Both operands are brought to a common signed bit width first. If the
/// signed operation overflows, \p Offset is sign-extended to twice the width
/// and the operation is retried, so the stored result never wraps.
static void sumOffsets(llvm::APSInt &Offset, llvm::APSInt Addend,
                       BinaryOperatorKind BinOpKind,
                       bool AddendIsRight) {
  unsigned OffsetWidth = Offset.getBitWidth();
  unsigned AddendWidth = Addend.getBitWidth();

  // There might be negative interim results, so an unsigned addend gets one
  // extra bit and is then treated as signed.
  if (Addend.isUnsigned()) {
    AddendWidth += 1;
    Addend = Addend.zext(AddendWidth);
    Addend.setIsSigned(true);
  }

  // Adjust the bit width of the APSInts.
  if (AddendWidth > OffsetWidth) {
    Offset = Offset.sext(AddendWidth);
    OffsetWidth = AddendWidth;
  } else if (OffsetWidth > AddendWidth) {
    Addend = Addend.sext(OffsetWidth);
  }

  bool Overflowed = false;
  llvm::APSInt Sum = Offset;
  if (BinOpKind == BO_Add) {
    Sum = Offset.sadd_ov(Addend, Overflowed);
  } else {
    assert(AddendIsRight && BinOpKind == BO_Sub &&
           "operator must be add or sub with addend on the right");
    Sum = Offset.ssub_ov(Addend, Overflowed);
  }

  if (!Overflowed) {
    Offset = Sum;
    return;
  }

  // We add an offset to a pointer here so we should support an offset as big
  // as possible: widen and try again instead of keeping a wrapped value.
  assert(OffsetWidth <= std::numeric_limits<unsigned>::max() / 2 &&
         "index (intermediate) result too big");
  Offset = Offset.sext(2 * OffsetWidth);
  sumOffsets(Offset, Addend, BinOpKind, AddendIsRight);
}
5587
namespace {

/// Wraps a StringLiteral used as a format string together with an offset into
/// it, so that expressions which index into a literal can be checked. The
/// string, its lengths and its source locations all account for the offset,
/// which keeps notes pointing at the right place.
///
/// NOTE(review): the accessors subtract or skip the offset without checking
/// it against the literal's length; presumably the creator guarantees it is
/// non-negative and in range -- confirm at the construction sites.
class FormatStringLiteral {
  const StringLiteral *Literal;
  int64_t StartOffset;

public:
  FormatStringLiteral(const StringLiteral *fexpr, int64_t Offset = 0)
      : Literal(fexpr), StartOffset(Offset) {}

  /// The literal's contents with the first StartOffset characters dropped.
  StringRef getString() const {
    return Literal->getString().drop_front(StartOffset);
  }

  /// Byte length of the part of the literal after the offset.
  unsigned getByteLength() const {
    return Literal->getByteLength() - getCharByteWidth() * StartOffset;
  }

  /// Length of the part of the literal after the offset.
  unsigned getLength() const { return Literal->getLength() - StartOffset; }

  unsigned getCharByteWidth() const { return Literal->getCharByteWidth(); }

  StringLiteralKind getKind() const { return Literal->getKind(); }

  QualType getType() const { return Literal->getType(); }

  // String-kind predicates, forwarded to the wrapped literal. isAscii()
  // reports whether the literal is an ordinary string literal.
  bool isAscii() const { return Literal->isOrdinary(); }
  bool isWide() const { return Literal->isWide(); }
  bool isUTF8() const { return Literal->isUTF8(); }
  bool isUTF16() const { return Literal->isUTF16(); }
  bool isUTF32() const { return Literal->isUTF32(); }
  bool isPascal() const { return Literal->isPascal(); }

  /// Source location of byte \p ByteNo, counted from the offset position.
  SourceLocation getLocationOfByte(
      unsigned ByteNo, const SourceManager &SM, const LangOptions &Features,
      const TargetInfo &Target, unsigned *StartToken = nullptr,
      unsigned *StartTokenByteOffset = nullptr) const {
    const unsigned ByteInLiteral = ByteNo + StartOffset;
    return Literal->getLocationOfByte(ByteInLiteral, SM, Features, Target,
                                      StartToken, StartTokenByteOffset);
  }

  /// Start of the literal, moved forward by the offset.
  SourceLocation getBeginLoc() const LLVM_READONLY {
    return Literal->getBeginLoc().getLocWithOffset(StartOffset);
  }

  /// End of the wrapped literal; the offset does not affect it.
  SourceLocation getEndLoc() const LLVM_READONLY {
    return Literal->getEndLoc();
  }
};

} // namespace
5639
// Forward declaration; the definition is not in this part of the file.
// Per the comment on checkFormatStringExpr below, true string literals are
// checked by this function.
static void CheckFormatString(
    Sema &S, const FormatStringLiteral *FExpr, const Expr *OrigFormatExpr,
    ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
    unsigned format_idx, unsigned firstDataArg, Sema::FormatStringType Type,
    bool inFunctionCall, Sema::VariadicCallType CallType,
    llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
    bool IgnoreStringsWithoutSpecifiers);

// Forward declaration; the definition is not in this part of the file.
// checkFormatStringExpr uses the returned expression, when non-null, as the
// string literal behind an initializer list such as {"foobar"}.
static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
                                               const Expr *E);
5650
5651 // Determine if an expression is a string literal or constant string.
5652 // If this function returns false on the arguments to a function expecting a
5653 // format string, we will usually need to emit a warning.
5654 // True string literals are then checked by CheckFormatString.
5655 static StringLiteralCheckType
checkFormatStringExpr(Sema & S,const Expr * E,ArrayRef<const Expr * > Args,Sema::FormatArgumentPassingKind APK,unsigned format_idx,unsigned firstDataArg,Sema::FormatStringType Type,Sema::VariadicCallType CallType,bool InFunctionCall,llvm::SmallBitVector & CheckedVarArgs,UncoveredArgHandler & UncoveredArg,llvm::APSInt Offset,bool IgnoreStringsWithoutSpecifiers=false)5656 checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args,
5657 Sema::FormatArgumentPassingKind APK, unsigned format_idx,
5658 unsigned firstDataArg, Sema::FormatStringType Type,
5659 Sema::VariadicCallType CallType, bool InFunctionCall,
5660 llvm::SmallBitVector &CheckedVarArgs,
5661 UncoveredArgHandler &UncoveredArg, llvm::APSInt Offset,
5662 bool IgnoreStringsWithoutSpecifiers = false) {
5663 if (S.isConstantEvaluatedContext())
5664 return SLCT_NotALiteral;
5665 tryAgain:
5666 assert(Offset.isSigned() && "invalid offset");
5667
5668 if (E->isTypeDependent() || E->isValueDependent())
5669 return SLCT_NotALiteral;
5670
5671 E = E->IgnoreParenCasts();
5672
5673 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull))
5674 // Technically -Wformat-nonliteral does not warn about this case.
5675 // The behavior of printf and friends in this case is implementation
5676 // dependent. Ideally if the format string cannot be null then
5677 // it should have a 'nonnull' attribute in the function prototype.
5678 return SLCT_UncheckedLiteral;
5679
5680 switch (E->getStmtClass()) {
5681 case Stmt::InitListExprClass:
5682 // Handle expressions like {"foobar"}.
5683 if (const clang::Expr *SLE = maybeConstEvalStringLiteral(S.Context, E)) {
5684 return checkFormatStringExpr(S, SLE, Args, APK, format_idx, firstDataArg,
5685 Type, CallType, /*InFunctionCall*/ false,
5686 CheckedVarArgs, UncoveredArg, Offset,
5687 IgnoreStringsWithoutSpecifiers);
5688 }
5689 return SLCT_NotALiteral;
5690 case Stmt::BinaryConditionalOperatorClass:
5691 case Stmt::ConditionalOperatorClass: {
5692 // The expression is a literal if both sub-expressions were, and it was
5693 // completely checked only if both sub-expressions were checked.
5694 const AbstractConditionalOperator *C =
5695 cast<AbstractConditionalOperator>(E);
5696
5697 // Determine whether it is necessary to check both sub-expressions, for
5698 // example, because the condition expression is a constant that can be
5699 // evaluated at compile time.
5700 bool CheckLeft = true, CheckRight = true;
5701
5702 bool Cond;
5703 if (C->getCond()->EvaluateAsBooleanCondition(
5704 Cond, S.getASTContext(), S.isConstantEvaluatedContext())) {
5705 if (Cond)
5706 CheckRight = false;
5707 else
5708 CheckLeft = false;
5709 }
5710
5711 // We need to maintain the offsets for the right and the left hand side
5712 // separately to check if every possible indexed expression is a valid
5713 // string literal. They might have different offsets for different string
5714 // literals in the end.
5715 StringLiteralCheckType Left;
5716 if (!CheckLeft)
5717 Left = SLCT_UncheckedLiteral;
5718 else {
5719 Left = checkFormatStringExpr(S, C->getTrueExpr(), Args, APK, format_idx,
5720 firstDataArg, Type, CallType, InFunctionCall,
5721 CheckedVarArgs, UncoveredArg, Offset,
5722 IgnoreStringsWithoutSpecifiers);
5723 if (Left == SLCT_NotALiteral || !CheckRight) {
5724 return Left;
5725 }
5726 }
5727
5728 StringLiteralCheckType Right = checkFormatStringExpr(
5729 S, C->getFalseExpr(), Args, APK, format_idx, firstDataArg, Type,
5730 CallType, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
5731 IgnoreStringsWithoutSpecifiers);
5732
5733 return (CheckLeft && Left < Right) ? Left : Right;
5734 }
5735
5736 case Stmt::ImplicitCastExprClass:
5737 E = cast<ImplicitCastExpr>(E)->getSubExpr();
5738 goto tryAgain;
5739
5740 case Stmt::OpaqueValueExprClass:
5741 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) {
5742 E = src;
5743 goto tryAgain;
5744 }
5745 return SLCT_NotALiteral;
5746
5747 case Stmt::PredefinedExprClass:
5748 // While __func__, etc., are technically not string literals, they
5749 // cannot contain format specifiers and thus are not a security
5750 // liability.
5751 return SLCT_UncheckedLiteral;
5752
5753 case Stmt::DeclRefExprClass: {
5754 const DeclRefExpr *DR = cast<DeclRefExpr>(E);
5755
5756 // As an exception, do not flag errors for variables binding to
5757 // const string literals.
5758 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
5759 bool isConstant = false;
5760 QualType T = DR->getType();
5761
5762 if (const ArrayType *AT = S.Context.getAsArrayType(T)) {
5763 isConstant = AT->getElementType().isConstant(S.Context);
5764 } else if (const PointerType *PT = T->getAs<PointerType>()) {
5765 isConstant = T.isConstant(S.Context) &&
5766 PT->getPointeeType().isConstant(S.Context);
5767 } else if (T->isObjCObjectPointerType()) {
5768 // In ObjC, there is usually no "const ObjectPointer" type,
5769 // so don't check if the pointee type is constant.
5770 isConstant = T.isConstant(S.Context);
5771 }
5772
5773 if (isConstant) {
5774 if (const Expr *Init = VD->getAnyInitializer()) {
5775 // Look through initializers like const char c[] = { "foo" }
5776 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) {
5777 if (InitList->isStringLiteralInit())
5778 Init = InitList->getInit(0)->IgnoreParenImpCasts();
5779 }
5780 return checkFormatStringExpr(
5781 S, Init, Args, APK, format_idx, firstDataArg, Type, CallType,
5782 /*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg, Offset);
5783 }
5784 }
5785
5786 // When the format argument is an argument of this function, and this
5787 // function also has the format attribute, there are several interactions
5788 // for which there shouldn't be a warning. For instance, when calling
5789 // v*printf from a function that has the printf format attribute, we
5790 // should not emit a warning about using `fmt`, even though it's not
5791 // constant, because the arguments have already been checked for the
5792 // caller of `logmessage`:
5793 //
5794 // __attribute__((format(printf, 1, 2)))
5795 // void logmessage(char const *fmt, ...) {
5796 // va_list ap;
5797 // va_start(ap, fmt);
5798 // vprintf(fmt, ap); /* do not emit a warning about "fmt" */
5799 // ...
5800 // }
5801 //
5802 // Another interaction that we need to support is calling a variadic
5803 // format function from a format function that has fixed arguments. For
5804 // instance:
5805 //
5806 // __attribute__((format(printf, 1, 2)))
5807 // void logstring(char const *fmt, char const *str) {
5808 // printf(fmt, str); /* do not emit a warning about "fmt" */
5809 // }
5810 //
5811 // Same (and perhaps more relatably) for the variadic template case:
5812 //
5813 // template<typename... Args>
5814 // __attribute__((format(printf, 1, 2)))
5815 // void log(const char *fmt, Args&&... args) {
5816 // printf(fmt, forward<Args>(args)...);
5817 // /* do not emit a warning about "fmt" */
5818 // }
5819 //
5820 // Due to implementation difficulty, we only check the format, not the
5821 // format arguments, in all cases.
5822 //
5823 if (const auto *PV = dyn_cast<ParmVarDecl>(VD)) {
5824 if (const auto *D = dyn_cast<Decl>(PV->getDeclContext())) {
5825 for (const auto *PVFormat : D->specific_attrs<FormatAttr>()) {
5826 bool IsCXXMember = false;
5827 if (const auto *MD = dyn_cast<CXXMethodDecl>(D))
5828 IsCXXMember = MD->isInstance();
5829
5830 bool IsVariadic = false;
5831 if (const FunctionType *FnTy = D->getFunctionType())
5832 IsVariadic = cast<FunctionProtoType>(FnTy)->isVariadic();
5833 else if (const auto *BD = dyn_cast<BlockDecl>(D))
5834 IsVariadic = BD->isVariadic();
5835 else if (const auto *OMD = dyn_cast<ObjCMethodDecl>(D))
5836 IsVariadic = OMD->isVariadic();
5837
5838 Sema::FormatStringInfo CallerFSI;
5839 if (Sema::getFormatStringInfo(PVFormat, IsCXXMember, IsVariadic,
5840 &CallerFSI)) {
5841 // We also check if the formats are compatible.
5842 // We can't pass a 'scanf' string to a 'printf' function.
5843 if (PV->getFunctionScopeIndex() == CallerFSI.FormatIdx &&
5844 Type == S.GetFormatStringType(PVFormat)) {
5845 // Lastly, check that argument passing kinds transition in a
5846 // way that makes sense:
5847 // from a caller with FAPK_VAList, allow FAPK_VAList
5848 // from a caller with FAPK_Fixed, allow FAPK_Fixed
5849 // from a caller with FAPK_Fixed, allow FAPK_Variadic
5850 // from a caller with FAPK_Variadic, allow FAPK_VAList
5851 switch (combineFAPK(CallerFSI.ArgPassingKind, APK)) {
5852 case combineFAPK(Sema::FAPK_VAList, Sema::FAPK_VAList):
5853 case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Fixed):
5854 case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Variadic):
5855 case combineFAPK(Sema::FAPK_Variadic, Sema::FAPK_VAList):
5856 return SLCT_UncheckedLiteral;
5857 }
5858 }
5859 }
5860 }
5861 }
5862 }
5863 }
5864
5865 return SLCT_NotALiteral;
5866 }
5867
5868 case Stmt::CallExprClass:
5869 case Stmt::CXXMemberCallExprClass: {
5870 const CallExpr *CE = cast<CallExpr>(E);
5871 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) {
5872 bool IsFirst = true;
5873 StringLiteralCheckType CommonResult;
5874 for (const auto *FA : ND->specific_attrs<FormatArgAttr>()) {
5875 const Expr *Arg = CE->getArg(FA->getFormatIdx().getASTIndex());
5876 StringLiteralCheckType Result = checkFormatStringExpr(
5877 S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
5878 InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
5879 IgnoreStringsWithoutSpecifiers);
5880 if (IsFirst) {
5881 CommonResult = Result;
5882 IsFirst = false;
5883 }
5884 }
5885 if (!IsFirst)
5886 return CommonResult;
5887
5888 if (const auto *FD = dyn_cast<FunctionDecl>(ND)) {
5889 unsigned BuiltinID = FD->getBuiltinID();
5890 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString ||
5891 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) {
5892 const Expr *Arg = CE->getArg(0);
5893 return checkFormatStringExpr(
5894 S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
5895 InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
5896 IgnoreStringsWithoutSpecifiers);
5897 }
5898 }
5899 }
5900 if (const Expr *SLE = maybeConstEvalStringLiteral(S.Context, E))
5901 return checkFormatStringExpr(S, SLE, Args, APK, format_idx, firstDataArg,
5902 Type, CallType, /*InFunctionCall*/ false,
5903 CheckedVarArgs, UncoveredArg, Offset,
5904 IgnoreStringsWithoutSpecifiers);
5905 return SLCT_NotALiteral;
5906 }
5907 case Stmt::ObjCMessageExprClass: {
5908 const auto *ME = cast<ObjCMessageExpr>(E);
5909 if (const auto *MD = ME->getMethodDecl()) {
5910 if (const auto *FA = MD->getAttr<FormatArgAttr>()) {
5911 // As a special case heuristic, if we're using the method -[NSBundle
5912 // localizedStringForKey:value:table:], ignore any key strings that lack
5913 // format specifiers. The idea is that if the key doesn't have any
5914 // format specifiers then its probably just a key to map to the
5915 // localized strings. If it does have format specifiers though, then its
5916 // likely that the text of the key is the format string in the
5917 // programmer's language, and should be checked.
5918 const ObjCInterfaceDecl *IFace;
5919 if (MD->isInstanceMethod() && (IFace = MD->getClassInterface()) &&
5920 IFace->getIdentifier()->isStr("NSBundle") &&
5921 MD->getSelector().isKeywordSelector(
5922 {"localizedStringForKey", "value", "table"})) {
5923 IgnoreStringsWithoutSpecifiers = true;
5924 }
5925
5926 const Expr *Arg = ME->getArg(FA->getFormatIdx().getASTIndex());
5927 return checkFormatStringExpr(
5928 S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
5929 InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
5930 IgnoreStringsWithoutSpecifiers);
5931 }
5932 }
5933
5934 return SLCT_NotALiteral;
5935 }
5936 case Stmt::ObjCStringLiteralClass:
5937 case Stmt::StringLiteralClass: {
5938 const StringLiteral *StrE = nullptr;
5939
5940 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
5941 StrE = ObjCFExpr->getString();
5942 else
5943 StrE = cast<StringLiteral>(E);
5944
5945 if (StrE) {
5946 if (Offset.isNegative() || Offset > StrE->getLength()) {
5947 // TODO: It would be better to have an explicit warning for out of
5948 // bounds literals.
5949 return SLCT_NotALiteral;
5950 }
5951 FormatStringLiteral FStr(StrE, Offset.sextOrTrunc(64).getSExtValue());
5952 CheckFormatString(S, &FStr, E, Args, APK, format_idx, firstDataArg, Type,
5953 InFunctionCall, CallType, CheckedVarArgs, UncoveredArg,
5954 IgnoreStringsWithoutSpecifiers);
5955 return SLCT_CheckedLiteral;
5956 }
5957
5958 return SLCT_NotALiteral;
5959 }
5960 case Stmt::BinaryOperatorClass: {
5961 const BinaryOperator *BinOp = cast<BinaryOperator>(E);
5962
5963 // A string literal + an int offset is still a string literal.
5964 if (BinOp->isAdditiveOp()) {
5965 Expr::EvalResult LResult, RResult;
5966
5967 bool LIsInt = BinOp->getLHS()->EvaluateAsInt(
5968 LResult, S.Context, Expr::SE_NoSideEffects,
5969 S.isConstantEvaluatedContext());
5970 bool RIsInt = BinOp->getRHS()->EvaluateAsInt(
5971 RResult, S.Context, Expr::SE_NoSideEffects,
5972 S.isConstantEvaluatedContext());
5973
5974 if (LIsInt != RIsInt) {
5975 BinaryOperatorKind BinOpKind = BinOp->getOpcode();
5976
5977 if (LIsInt) {
5978 if (BinOpKind == BO_Add) {
5979 sumOffsets(Offset, LResult.Val.getInt(), BinOpKind, RIsInt);
5980 E = BinOp->getRHS();
5981 goto tryAgain;
5982 }
5983 } else {
5984 sumOffsets(Offset, RResult.Val.getInt(), BinOpKind, RIsInt);
5985 E = BinOp->getLHS();
5986 goto tryAgain;
5987 }
5988 }
5989 }
5990
5991 return SLCT_NotALiteral;
5992 }
5993 case Stmt::UnaryOperatorClass: {
5994 const UnaryOperator *UnaOp = cast<UnaryOperator>(E);
5995 auto ASE = dyn_cast<ArraySubscriptExpr>(UnaOp->getSubExpr());
5996 if (UnaOp->getOpcode() == UO_AddrOf && ASE) {
5997 Expr::EvalResult IndexResult;
5998 if (ASE->getRHS()->EvaluateAsInt(IndexResult, S.Context,
5999 Expr::SE_NoSideEffects,
6000 S.isConstantEvaluatedContext())) {
6001 sumOffsets(Offset, IndexResult.Val.getInt(), BO_Add,
6002 /*RHS is int*/ true);
6003 E = ASE->getBase();
6004 goto tryAgain;
6005 }
6006 }
6007
6008 return SLCT_NotALiteral;
6009 }
6010
6011 default:
6012 return SLCT_NotALiteral;
6013 }
6014 }
6015
/// Try to fold \p E to a string literal at compile time.
///
/// \returns the expression that is the lvalue base of the evaluated result
/// when that base is a StringLiteral; nullptr when \p E cannot be evaluated as
/// an rvalue, the result is not an lvalue, or the base is not a StringLiteral.
static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
                                               const Expr *E) {
  Expr::EvalResult Folded;
  if (!E->EvaluateAsRValue(Folded, Context) || !Folded.Val.isLValue())
    return nullptr;

  const auto *Base = Folded.Val.getLValueBase().dyn_cast<const Expr *>();
  return isa_and_nonnull<StringLiteral>(Base) ? Base : nullptr;
}
6029
/// Map the archetype name carried by a format attribute to a
/// FormatStringType.
///
/// Names that are not listed yield FST_Unknown. Both "os_trace" and "os_log"
/// map to FST_OSLog in this table.
Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) {
  const StringRef Archetype = Format->getType()->getName();

  llvm::StringSwitch<FormatStringType> Kind(Archetype);
  Kind.Case("scanf", FST_Scanf);
  Kind.Cases("printf", "printf0", FST_Printf);
  Kind.Cases("NSString", "CFString", FST_NSString);
  Kind.Case("strftime", FST_Strftime);
  Kind.Case("strfmon", FST_Strfmon);
  Kind.Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf);
  Kind.Case("freebsd_kprintf", FST_FreeBSDKPrintf);
  Kind.Cases("os_trace", "os_log", FST_OSLog);
  return Kind.Default(FST_Unknown);
}
6043
/// Attribute-driven entry point: resolve the format attribute into a
/// FormatStringInfo and hand over to the index-based overload.
///
/// \returns false when getFormatStringInfo rejects the attribute for this
/// call; otherwise whatever the index-based overload returns.
bool Sema::CheckFormatArguments(const FormatAttr *Format,
                                ArrayRef<const Expr *> Args, bool IsCXXMember,
                                VariadicCallType CallType, SourceLocation Loc,
                                SourceRange Range,
                                llvm::SmallBitVector &CheckedVarArgs) {
  const bool IsVariadic = CallType != VariadicDoesNotApply;

  FormatStringInfo FSI;
  if (!getFormatStringInfo(Format, IsCXXMember, IsVariadic, &FSI))
    return false;

  const FormatStringType Kind = GetFormatStringType(Format);
  return CheckFormatArguments(Args, FSI.ArgPassingKind, FSI.FormatIdx,
                              FSI.FirstDataArg, Kind, CallType, Loc, Range,
                              CheckedVarArgs);
}
6057
/// Check the format string of one call and, when it is a literal, the data
/// arguments it consumes.
///
/// \param Args all arguments of the call; \p format_idx selects the format
/// string and \p firstDataArg the first argument the format consumes.
/// \returns true only when a literal format string was found and checked
/// (SLCT_CheckedLiteral). Every other path returns false, including the paths
/// that emit a diagnostic.
///
/// A format string that is not a literal cannot be vetted here, so it is
/// reported instead. With no data arguments at all the call is reported under
/// -Wformat-security and, for the printf-like and NSString kinds, a fix-it
/// proposes inserting a literal "%s" / @"%@" format in front of the argument.
/// With data arguments present the report is -Wformat-nonliteral only.
///
/// Paths that stay silent for a non-literal format: strftime formats, NSString
/// formats whose argument begins in a system macro, and expressions that
/// checkFormatStringExpr classifies as SLCT_UncheckedLiteral.
bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
                                Sema::FormatArgumentPassingKind APK,
                                unsigned format_idx, unsigned firstDataArg,
                                FormatStringType Type,
                                VariadicCallType CallType, SourceLocation Loc,
                                SourceRange Range,
                                llvm::SmallBitVector &CheckedVarArgs) {
  // CHECK: printf/scanf-like function is called with no format string.
  if (format_idx >= Args.size()) {
    Diag(Loc, diag::warn_missing_format_string) << Range;
    return false;
  }

  const Expr *const FormatArg = Args[format_idx];
  const Expr *OrigFormatExpr = FormatArg->IgnoreParenCasts();

  // CHECK: format string is not a string literal.
  //
  // Only a literal can be inspected by the compiler, so requiring one both
  // enables the checks below and removes the usual source of format string
  // exploits. ObjC (@"%d") and C ("%d") literals share the same specifiers
  // and therefore the same checking logic.
  UncoveredArgHandler UncoveredArg;
  llvm::APSInt NoOffset(64, false);
  NoOffset = 0;
  const StringLiteralCheckType CT = checkFormatStringExpr(
      *this, OrigFormatExpr, Args, APK, format_idx, firstDataArg, Type,
      CallType, /*IsFunctionCall*/ true, CheckedVarArgs, UncoveredArg,
      NoOffset);

  // Report a data argument that no conversion consumed.
  if (UncoveredArg.hasUncoveredArg()) {
    const unsigned ArgIdx = UncoveredArg.getUncoveredArg() + firstDataArg;
    assert(ArgIdx < Args.size() && "ArgIdx outside bounds");
    UncoveredArg.Diagnose(*this, /*IsFunctionCall*/ true, Args[ArgIdx]);
  }

  // Anything other than SLCT_NotALiteral ends the check here.
  if (CT != SLCT_NotALiteral)
    return CT == SLCT_CheckedLiteral;

  // strftime always takes a single 'time' argument, so a non-literal format
  // is accepted for it.
  if (Type == FST_Strftime)
    return false;

  // NSLocalizedString / CFCopyLocalizedString are macros commonly used in
  // place of NS and CF string literals; stay silent when an NSString format
  // argument begins inside a system macro.
  const SourceLocation FormatLoc = FormatArg->getBeginLoc();
  if (Type == FST_NSString && SourceMgr.isInSystemMacro(FormatLoc))
    return false;

  const bool HasDataArgs = Args.size() != firstDataArg;
  if (HasDataArgs) {
    // -Wformat-nonliteral
    Diag(FormatLoc, diag::warn_format_nonliteral)
        << OrigFormatExpr->getSourceRange();
    return false;
  }

  // -Wformat-security: non-literal format and nothing for it to consume.
  Diag(FormatLoc, diag::warn_format_nonliteral_noargs)
      << OrigFormatExpr->getSourceRange();

  const char *LiteralPrefix = nullptr;
  if (Type == FST_Kprintf || Type == FST_FreeBSDKPrintf || Type == FST_Printf)
    LiteralPrefix = "\"%s\", ";
  else if (Type == FST_NSString)
    LiteralPrefix = "@\"%@\", ";

  if (LiteralPrefix)
    Diag(FormatLoc, diag::note_format_security_fixit)
        << FixItHint::CreateInsertion(FormatLoc, LiteralPrefix);
  return false;
}
6141
namespace {

/// Base class of the format-string handlers in this file (CheckPrintfHandler
/// derives from it). It keeps the call's arguments and the format literal,
/// records which data arguments a specifier has consumed, and routes every
/// diagnostic through EmitFormatDiagnostic.
class CheckFormatHandler : public analyze_format_string::FormatStringHandler {
protected:
  Sema &S;
  const FormatStringLiteral *FExpr;
  // Expression whose source range is reported as the format string range.
  const Expr *OrigFormatExpr;
  const Sema::FormatStringType FSType;
  // Index into Args of data argument 0 (see getDataArg).
  const unsigned FirstDataArg;
  const unsigned NumDataArgs;
  const char *Beg; // Start of format string.
  const Sema::FormatArgumentPassingKind ArgPassingKind;
  ArrayRef<const Expr *> Args;
  // Index into Args of the format argument; Args[FormatIdx] is the expression
  // diagnostics are attached to.
  unsigned FormatIdx;
  // One bit per data argument, set once a specifier has consumed it.
  llvm::SmallBitVector CoveredArgs;
  bool usesPositionalArgs = false;
  bool atFirstArg = true;
  // Forwarded to the static EmitFormatDiagnostic as InFunctionCall.
  bool inFunctionCall;
  Sema::VariadicCallType CallType;
  llvm::SmallBitVector &CheckedVarArgs;
  // Receives the first unconsumed data argument in DoneProcessing.
  UncoveredArgHandler &UncoveredArg;

public:
  /// Stores the arguments in the corresponding members and sizes CoveredArgs
  /// to \p numDataArgs bits, all cleared.
  CheckFormatHandler(Sema &s, const FormatStringLiteral *fexpr,
                     const Expr *origFormatExpr,
                     const Sema::FormatStringType type, unsigned firstDataArg,
                     unsigned numDataArgs, const char *beg,
                     Sema::FormatArgumentPassingKind APK,
                     ArrayRef<const Expr *> Args, unsigned formatIdx,
                     bool inFunctionCall, Sema::VariadicCallType callType,
                     llvm::SmallBitVector &CheckedVarArgs,
                     UncoveredArgHandler &UncoveredArg)
      : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), FSType(type),
        FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), Beg(beg),
        ArgPassingKind(APK), Args(Args), FormatIdx(formatIdx),
        inFunctionCall(inFunctionCall), CallType(callType),
        CheckedVarArgs(CheckedVarArgs), UncoveredArg(UncoveredArg) {
    CoveredArgs.resize(numDataArgs);
    CoveredArgs.reset();
  }

  /// Records the first data argument that no specifier consumed, unless the
  /// arguments are passed as a va_list.
  void DoneProcessing();

  void HandleIncompleteSpecifier(const char *startSpecifier,
                                 unsigned specifierLen) override;

  void HandleInvalidLengthModifier(
      const analyze_format_string::FormatSpecifier &FS,
      const analyze_format_string::ConversionSpecifier &CS,
      const char *startSpecifier, unsigned specifierLen,
      unsigned DiagID);

  void HandleNonStandardLengthModifier(
      const analyze_format_string::FormatSpecifier &FS,
      const char *startSpecifier, unsigned specifierLen);

  void HandleNonStandardConversionSpecifier(
      const analyze_format_string::ConversionSpecifier &CS,
      const char *startSpecifier, unsigned specifierLen);

  void HandlePosition(const char *startPos, unsigned posLen) override;

  void HandleInvalidPosition(const char *startSpecifier,
                             unsigned specifierLen,
                             analyze_format_string::PositionContext p) override;

  void HandleZeroPosition(const char *startPos, unsigned posLen) override;

  void HandleNullChar(const char *nullCharacter) override;

  /// Static form: usable without a handler instance (UncoveredArgHandler
  /// calls it directly).
  template <typename Range>
  static void
  EmitFormatDiagnostic(Sema &S, bool inFunctionCall, const Expr *ArgumentExpr,
                       const PartialDiagnostic &PDiag, SourceLocation StringLoc,
                       bool IsStringLocation, Range StringRange,
                       ArrayRef<FixItHint> Fixit = std::nullopt);

protected:
  /// \returns false when processing of the format string should stop.
  bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc,
                                        const char *startSpec,
                                        unsigned specifierLen,
                                        const char *csStart, unsigned csLen);

  void HandlePositionalNonpositionalArgs(SourceLocation Loc,
                                         const char *startSpec,
                                         unsigned specifierLen);

  SourceRange getFormatStringRange();
  CharSourceRange getSpecifierRange(const char *startSpecifier,
                                    unsigned specifierLen);
  SourceLocation getLocationOfByte(const char *x);

  const Expr *getDataArg(unsigned i) const;

  /// \returns false, after emitting a diagnostic, when \p argIndex is not
  /// below NumDataArgs.
  bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS,
                    const analyze_format_string::ConversionSpecifier &CS,
                    const char *startSpecifier, unsigned specifierLen,
                    unsigned argIndex);

  /// Member form: fills in S, inFunctionCall and Args[FormatIdx] and forwards
  /// to the static overload.
  template <typename Range>
  void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc,
                            bool IsStringLocation, Range StringRange,
                            ArrayRef<FixItHint> Fixit = std::nullopt);
};

} // namespace
6248
/// Source range of the original format expression.
SourceRange CheckFormatHandler::getFormatStringRange() {
  const Expr *FormatExpr = OrigFormatExpr;
  return FormatExpr->getSourceRange();
}
6252
/// Character range covering \p specifierLen bytes of the format string that
/// start at \p startSpecifier.
///
/// NOTE(review): the last byte is addressed as start + len - 1, so a zero
/// length would point before \p startSpecifier -- confirm callers never pass 0.
CharSourceRange
CheckFormatHandler::getSpecifierRange(const char *startSpecifier,
                                      unsigned specifierLen) {
  const char *LastByte = startSpecifier + specifierLen - 1;

  const SourceLocation Begin = getLocationOfByte(startSpecifier);
  // The range is half-open, so its end is one past the last byte.
  const SourceLocation PastEnd =
      getLocationOfByte(LastByte).getLocWithOffset(1);

  return CharSourceRange::getCharRange(Begin, PastEnd);
}
6263
/// Translate a pointer into the format string buffer into a SourceLocation.
/// The byte offset is taken relative to Beg.
SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) {
  const auto ByteOffset = x - Beg;
  const SourceManager &SM = S.getSourceManager();
  return FExpr->getLocationOfByte(ByteOffset, SM, S.getLangOpts(),
                                  S.Context.getTargetInfo());
}
6268
/// Warn about a conversion specifier that is cut short, highlighting the
/// bytes of the specifier seen so far.
void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier,
                                                   unsigned specifierLen) {
  const SourceLocation SpecLoc = getLocationOfByte(startSpecifier);
  const CharSourceRange SpecRange =
      getSpecifierRange(startSpecifier, specifierLen);

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier),
                       SpecLoc, /*IsStringLocation*/ true, SpecRange);
}
6276
/// Report a length modifier that does not fit its conversion specifier, using
/// the caller-supplied \p DiagID.
///
/// When a corrected modifier is known, a note with a replacement fix-it
/// follows the warning. Otherwise the warning carries a removal fix-it, but
/// only for diag::warn_format_nonsensical_length.
void CheckFormatHandler::HandleInvalidLengthModifier(
    const analyze_format_string::FormatSpecifier &FS,
    const analyze_format_string::ConversionSpecifier &CS,
    const char *startSpecifier, unsigned specifierLen, unsigned DiagID) {
  using analyze_format_string::LengthModifier;

  const LengthModifier &LM = FS.getLengthModifier();
  CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());

  std::optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
  if (!FixedLM) {
    // No known replacement: at most offer to drop the modifier.
    FixItHint Hint;
    if (DiagID == diag::warn_format_nonsensical_length)
      Hint = FixItHint::CreateRemoval(LMRange);

    EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
                         getLocationOfByte(LM.getStart()),
                         /*IsStringLocation*/ true,
                         getSpecifierRange(startSpecifier, specifierLen),
                         Hint);
    return;
  }

  EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
                       getLocationOfByte(LM.getStart()),
                       /*IsStringLocation*/ true,
                       getSpecifierRange(startSpecifier, specifierLen));

  S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
      << FixedLM->toString()
      << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
}
6310
/// Warn about a non-standard length modifier and, when a corrected modifier is
/// known, add a note with a replacement fix-it.
void CheckFormatHandler::HandleNonStandardLengthModifier(
    const analyze_format_string::FormatSpecifier &FS,
    const char *startSpecifier, unsigned specifierLen) {
  using analyze_format_string::LengthModifier;

  const LengthModifier &LM = FS.getLengthModifier();
  CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
  std::optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();

  // The warning is the same whether or not a replacement is known.
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
                           << LM.toString() << 0,
                       getLocationOfByte(LM.getStart()),
                       /*IsStringLocation*/ true,
                       getSpecifierRange(startSpecifier, specifierLen));

  if (!FixedLM)
    return;

  S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
      << FixedLM->toString()
      << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
}
6340
/// Warn about a non-standard conversion specifier and, when a standard
/// equivalent is known, add a note with a replacement fix-it.
void CheckFormatHandler::HandleNonStandardConversionSpecifier(
    const analyze_format_string::ConversionSpecifier &CS,
    const char *startSpecifier, unsigned specifierLen) {
  using analyze_format_string::ConversionSpecifier;

  std::optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier();

  // The warning is the same whether or not a replacement is known.
  EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
                           << CS.toString() << /*conversion specifier*/ 1,
                       getLocationOfByte(CS.getStart()),
                       /*IsStringLocation*/ true,
                       getSpecifierRange(startSpecifier, specifierLen));

  if (!FixedCS)
    return;

  CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength());
  S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier)
      << FixedCS->toString()
      << FixItHint::CreateReplacement(CSRange, FixedCS->toString());
}
6367
/// Emit the non-standard positional argument warning for the position text
/// that starts at \p startPos.
void CheckFormatHandler::HandlePosition(const char *startPos,
                                        unsigned posLen) {
  const SourceLocation PosLoc = getLocationOfByte(startPos);
  const CharSourceRange PosRange = getSpecifierRange(startPos, posLen);

  EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg),
                       PosLoc, /*IsStringLocation*/ true, PosRange);
}
6375
/// Warn about an invalid positional specifier; the position context \p p is
/// passed to the diagnostic as an unsigned value.
void CheckFormatHandler::HandleInvalidPosition(
    const char *startSpecifier, unsigned specifierLen,
    analyze_format_string::PositionContext p) {
  const unsigned Context = static_cast<unsigned>(p);
  const SourceLocation SpecLoc = getLocationOfByte(startSpecifier);
  const CharSourceRange SpecRange =
      getSpecifierRange(startSpecifier, specifierLen);

  EmitFormatDiagnostic(
      S.PDiag(diag::warn_format_invalid_positional_specifier) << Context,
      SpecLoc, /*IsStringLocation*/ true, SpecRange);
}
6384
/// Emit the zero positional specifier warning for the position text that
/// starts at \p startPos.
void CheckFormatHandler::HandleZeroPosition(const char *startPos,
                                            unsigned posLen) {
  const SourceLocation PosLoc = getLocationOfByte(startPos);
  const CharSourceRange PosRange = getSpecifierRange(startPos, posLen);

  EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier),
                       PosLoc, /*IsStringLocation*/ true, PosRange);
}
6392
/// Warn about a null character inside the format string, which is likely a
/// mistake. Nothing is reported when the original format expression is an
/// ObjCStringLiteral.
void CheckFormatHandler::HandleNullChar(const char *nullCharacter) {
  if (isa<ObjCStringLiteral>(OrigFormatExpr))
    return;

  const SourceLocation NulLoc = getLocationOfByte(nullCharacter);
  EmitFormatDiagnostic(
      S.PDiag(diag::warn_printf_format_string_contains_null_char), NulLoc,
      /*IsStringLocation*/ true, getFormatStringRange());
}
6402
// Data argument number i, counted from FirstDataArg. The result may be NULL
// if there was an error parsing or building one of the argument expressions.
// No range check is made here beyond what indexing Args itself performs.
const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
  const unsigned ArgPos = FirstDataArg + i;
  return Args[ArgPos];
}
6408
/// After the whole format string has been processed, find out whether more
/// data arguments were passed than the format string consumes.
///
/// Skipped when the arguments are passed as a va_list. CoveredArgs is
/// inverted in place, so afterwards a set bit means "not consumed".
void CheckFormatHandler::DoneProcessing() {
  if (ArgPassingKind == Sema::FAPK_VAList)
    return;

  // After the flip the first set bit is the first unconsumed argument.
  CoveredArgs.flip();
  const int FirstUncovered = CoveredArgs.find_first();
  if (FirstUncovered < 0) {
    UncoveredArg.setAllCovered();
    return;
  }

  assert(static_cast<unsigned>(FirstUncovered) < NumDataArgs);
  UncoveredArg.Update(FirstUncovered, OrigFormatExpr);
}
6424
/// Emit the "data argument not used" warning at the start of \p ArgExpr.
///
/// Nothing is emitted when \p ArgExpr is null or begins inside a system
/// macro. The source range of every recorded expression is attached to the
/// warning; the first recorded expression serves as the format argument.
void UncoveredArgHandler::Diagnose(Sema &S, bool IsFunctionCall,
                                   const Expr *ArgExpr) {
  assert(hasUncoveredArg() && !DiagnosticExprs.empty() &&
         "Invalid state");

  if (!ArgExpr)
    return;

  const SourceLocation Loc = ArgExpr->getBeginLoc();
  if (S.getSourceManager().isInSystemMacro(Loc))
    return;

  PartialDiagnostic PDiag = S.PDiag(diag::warn_printf_data_arg_not_used);
  for (auto FormatExpr : DiagnosticExprs)
    PDiag << FormatExpr->getSourceRange();

  const auto FirstExpr = DiagnosticExprs[0];
  CheckFormatHandler::EmitFormatDiagnostic(
      S, IsFunctionCall, FirstExpr, PDiag, Loc,
      /*IsStringLocation*/ false, FirstExpr->getSourceRange());
}
6447
/// Warn about a conversion specifier that is not valid.
///
/// \param csStart,csLen the bytes of the conversion specifier; a
/// non-printable first byte is shown escaped (\\x, \\u or \\U) in the message.
/// \returns false when \p argIndex is not below NumDataArgs, which tells the
/// caller to stop processing the format string; true otherwise.
bool CheckFormatHandler::HandleInvalidConversionSpecifier(
    unsigned argIndex, SourceLocation Loc, const char *startSpec,
    unsigned specifierLen, const char *csStart, unsigned csLen) {
  // An index past the last data argument is not reported separately: that
  // would only be a cascade of warnings, and '%%' may have been intended. It
  // does end processing, because matching further arguments would likely
  // produce gibberish.
  const bool KeepGoing = argIndex < NumDataArgs;
  if (KeepGoing) {
    // Count the argument as consumed even though the specifier makes no sense.
    CoveredArgs.set(argIndex);
  }

  StringRef Specifier(csStart, csLen);

  // A non-printable specifier could be the first byte of a UTF-8 sequence. If
  // it decodes, show the code point; if not, show the hex value of the byte.
  std::string Escaped;
  if (!llvm::sys::locale::isPrint(*csStart)) {
    llvm::UTF32 CodePoint;
    // The decoder is handed the address of csStart itself.
    const llvm::UTF8 **SeqBegin =
        reinterpret_cast<const llvm::UTF8 **>(&csStart);
    const llvm::UTF8 *SeqEnd =
        reinterpret_cast<const llvm::UTF8 *>(csStart + csLen);
    const llvm::ConversionResult Status = llvm::convertUTF8Sequence(
        SeqBegin, SeqEnd, &CodePoint, llvm::strictConversion);

    if (Status != llvm::conversionOK) {
      const unsigned char FirstByte = *csStart;
      CodePoint = static_cast<llvm::UTF32>(FirstByte);
    }

    llvm::raw_string_ostream OS(Escaped);
    if (CodePoint < 256)
      OS << "\\x" << llvm::format("%02x", CodePoint);
    else if (CodePoint <= 0xFFFF)
      OS << "\\u" << llvm::format("%04x", CodePoint);
    else
      OS << "\\U" << llvm::format("%08x", CodePoint);
    OS.flush();
    Specifier = Escaped;
  }

  EmitFormatDiagnostic(
      S.PDiag(diag::warn_format_invalid_conversion) << Specifier, Loc,
      /*IsStringLocation*/ true, getSpecifierRange(startSpec, specifierLen));

  return KeepGoing;
}
6506
/// Warn that the format string mixes positional and non-positional
/// arguments, highlighting the specifier that starts at \p startSpec.
void CheckFormatHandler::HandlePositionalNonpositionalArgs(
    SourceLocation Loc, const char *startSpec, unsigned specifierLen) {
  const CharSourceRange SpecRange = getSpecifierRange(startSpec, specifierLen);

  EmitFormatDiagnostic(
      S.PDiag(diag::warn_format_mix_positional_nonpositional_args), Loc,
      /*isStringLoc*/ true, SpecRange);
}
6515
/// Check that a specifier's argument index refers to an existing data
/// argument.
///
/// \returns true when \p argIndex is below NumDataArgs. Otherwise a warning is
/// emitted (the positional form reports the 1-based index and the argument
/// count), the uncovered-argument state is set to "all covered", and false is
/// returned.
bool CheckFormatHandler::CheckNumArgs(
    const analyze_format_string::FormatSpecifier &FS,
    const analyze_format_string::ConversionSpecifier &CS,
    const char *startSpecifier, unsigned specifierLen, unsigned argIndex) {
  if (argIndex < NumDataArgs)
    return true;

  PartialDiagnostic PDiag = FS.usesPositionalArg()
    ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args)
         << (argIndex+1) << NumDataArgs)
    : S.PDiag(diag::warn_printf_insufficient_data_args);

  const SourceLocation CSLoc = getLocationOfByte(CS.getStart());
  EmitFormatDiagnostic(PDiag, CSLoc, /*IsStringLocation*/ true,
                       getSpecifierRange(startSpecifier, specifierLen));

  // The format string asks for more arguments than were passed, so no passed
  // argument can be left unconsumed; record that.
  UncoveredArg.setAllCovered();
  return false;
}
6538
/// Member form of EmitFormatDiagnostic: supplies this handler's Sema, its
/// inFunctionCall flag and the format argument Args[FormatIdx], then forwards
/// to the static overload.
template <typename Range>
void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag,
                                              SourceLocation Loc,
                                              bool IsStringLocation,
                                              Range StringRange,
                                              ArrayRef<FixItHint> FixIt) {
  const Expr *FormatArg = Args[FormatIdx];
  EmitFormatDiagnostic(S, inFunctionCall, FormatArg, PDiag, Loc,
                       IsStringLocation, StringRange, FixIt);
}
6548
/// Emit a format diagnostic and, when the format string is not written
/// inside the function call, a second note that points at the string.
///
/// \param InFunctionCall if true, the format string is within the function
/// call and a single diagnostic is produced. Otherwise the diagnostic is
/// followed by a note_format_string_defined note.
///
/// \param ArgumentExpr the expression passed as the format string argument
/// in the call. It provides the location and range of the first diagnostic
/// when two are emitted.
///
/// \param PDiag the diagnostic, with any message strings already supplied by
/// the caller. Only locations, ranges and fix-its are added here.
///
/// \param Loc primary location. When two diagnostics are emitted, one of
/// them is placed at Loc and the other at a location derived here.
///
/// \param IsStringLocation if true, Loc points into the format string and is
/// used for the note. Otherwise Loc points to the argument list and is used
/// with PDiag.
///
/// \param StringRange some or all of the string to highlight; templated so
/// that either a CharSourceRange or a SourceRange is accepted.
///
/// \param FixIt optional fix-it hint for the format string.
template <typename Range>
void CheckFormatHandler::EmitFormatDiagnostic(
    Sema &S, bool InFunctionCall, const Expr *ArgumentExpr,
    const PartialDiagnostic &PDiag, SourceLocation Loc, bool IsStringLocation,
    Range StringRange, ArrayRef<FixItHint> FixIt) {
  if (InFunctionCall) {
    // Single diagnostic carrying both the highlight and the fix-it.
    const Sema::SemaDiagnosticBuilder &Only = S.Diag(Loc, PDiag);
    Only << StringRange;
    Only << FixIt;
    return;
  }

  // First the diagnostic on the call argument ...
  const SourceLocation PrimaryLoc =
      IsStringLocation ? ArgumentExpr->getExprLoc() : Loc;
  S.Diag(PrimaryLoc, PDiag) << ArgumentExpr->getSourceRange();

  // ... then the note on the string, which receives the highlight and fix-it.
  const SourceLocation NoteLoc =
      IsStringLocation ? Loc : StringRange.getBegin();
  const Sema::SemaDiagnosticBuilder &Note =
      S.Diag(NoteLoc, diag::note_format_string_defined);
  Note << StringRange;
  Note << FixIt;
}
6597
6598 //===--- CHECK: Printf format string checking -----------------------------===//
6599
namespace {

/// Handler for printf-style format strings, built on CheckFormatHandler.
/// The member functions declared here emit -Wformat style diagnostics for a
/// parsed specifier: its conversion, flags, field width/precision amounts and
/// the data argument it consumes.
class CheckPrintfHandler : public CheckFormatHandler {
public:
  /// Forwards every argument except \p isObjC to the CheckFormatHandler
  /// constructor. \p isObjC is accepted but not used by this constructor.
  CheckPrintfHandler(Sema &s, const FormatStringLiteral *fexpr,
                     const Expr *origFormatExpr,
                     const Sema::FormatStringType type, unsigned firstDataArg,
                     unsigned numDataArgs, bool isObjC, const char *beg,
                     Sema::FormatArgumentPassingKind APK,
                     ArrayRef<const Expr *> Args, unsigned formatIdx,
                     bool inFunctionCall, Sema::VariadicCallType CallType,
                     llvm::SmallBitVector &CheckedVarArgs,
                     UncoveredArgHandler &UncoveredArg)
      : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
                           numDataArgs, beg, APK, Args, formatIdx,
                           inFunctionCall, CallType, CheckedVarArgs,
                           UncoveredArg) {}

  /// True only for NSString-style format strings.
  bool isObjCContext() const { return FSType == Sema::FST_NSString; }

  /// Returns true if '%@' specifiers are allowed in the format string.
  bool allowsObjCArg() const {
    switch (FSType) {
    case Sema::FST_NSString:
    case Sema::FST_OSLog:
    case Sema::FST_OSTrace:
      return true;
    default:
      return false;
    }
  }

  // --- Overrides of the format-string handler callbacks. ---

  bool HandleInvalidPrintfConversionSpecifier(
      const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
      unsigned specifierLen) override;

  void handleInvalidMaskType(StringRef MaskType) override;

  bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
                             const char *startSpecifier, unsigned specifierLen,
                             const TargetInfo &Target) override;

  void HandleEmptyObjCModifierFlag(const char *startFlag,
                                   unsigned flagLen) override;

  void HandleInvalidObjCModifierFlag(const char *startFlag,
                                     unsigned flagLen) override;

  void HandleObjCFlagsWithNonObjCConversion(
      const char *flagsStart, const char *flagsEnd,
      const char *conversionPosition) override;

  // --- printf-specific helpers used while checking one specifier. ---

  /// Type-checks the data expression \p E against the specifier \p FS.
  bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
                       const char *StartSpecifier, unsigned SpecifierLen,
                       const Expr *E);

  /// Checks a field width (\p k == 0) or precision (\p k == 1) amount.
  bool HandleAmount(const analyze_format_string::OptionalAmount &Amt,
                    unsigned k, const char *startSpecifier,
                    unsigned specifierLen);

  /// Diagnoses an amount that makes no sense for the conversion.
  void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS,
                           const analyze_printf::OptionalAmount &Amt,
                           unsigned type, const char *startSpecifier,
                           unsigned specifierLen);

  /// Diagnoses a flag that is pointless for the conversion.
  void HandleFlag(const analyze_printf::PrintfSpecifier &FS,
                  const analyze_printf::OptionalFlag &flag,
                  const char *startSpecifier, unsigned specifierLen);

  /// Diagnoses \p ignoredFlag, which has no effect when \p flag is present.
  void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS,
                         const analyze_printf::OptionalFlag &ignoredFlag,
                         const analyze_printf::OptionalFlag &flag,
                         const char *startSpecifier, unsigned specifierLen);

  /// Emits a '.c_str()' fix-it note when \p E has a suitable c_str() method.
  bool checkForCStrMembers(const analyze_printf::ArgType &AT, const Expr *E);
};

} // namespace
6670
/// Reports an invalid printf conversion specifier by handing the conversion's
/// position and length to HandleInvalidConversionSpecifier, and returns that
/// call's result.
bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier(
    const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
    unsigned specifierLen) {
  const analyze_printf::PrintfConversionSpecifier &Conv =
      FS.getConversionSpecifier();
  const char *ConvStart = Conv.getStart();

  return HandleInvalidConversionSpecifier(
      FS.getArgIndex(), getLocationOfByte(ConvStart), startSpecifier,
      specifierLen, ConvStart, Conv.getLength());
}
6683
/// Emits err_invalid_mask_type_size at the source location of the first byte
/// of \p MaskType.
void CheckPrintfHandler::handleInvalidMaskType(StringRef MaskType) {
  const SourceLocation MaskLoc = getLocationOfByte(MaskType.data());
  S.Diag(MaskLoc, diag::err_invalid_mask_type_size);
}
6687
/// Checks the data argument behind a '*' field width or precision.
///
/// \param Amt the amount to check.
/// \param k selects the wording of the diagnostic; callers in this file pass
/// 0 for a field width and 1 for a precision.
/// \param startSpecifier start of the enclosing specifier in the string.
/// \param specifierLen length of the enclosing specifier.
/// \returns false when the argument is missing, null, or of the wrong type,
/// so that no further checks are run on this specifier; true otherwise.
bool CheckPrintfHandler::HandleAmount(
    const analyze_format_string::OptionalAmount &Amt, unsigned k,
    const char *startSpecifier, unsigned specifierLen) {
  // An amount that takes no data argument, or a va_list call where the
  // arguments are not available, leaves nothing to check.
  if (!Amt.hasDataArgument() || ArgPassingKind == Sema::FAPK_VAList)
    return true;

  const unsigned AmountIdx = Amt.getArgIndex();
  if (AmountIdx >= NumDataArgs) {
    EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) << k,
                         getLocationOfByte(Amt.getStart()),
                         /*IsStringLocation*/ true,
                         getSpecifierRange(startSpecifier, specifierLen));
    // Stop here; anything further would only be a spurious error.
    return false;
  }

  // The argument is claimed before it is type checked.
  CoveredArgs.set(AmountIdx);
  const Expr *AmountArg = getDataArg(AmountIdx);
  if (!AmountArg)
    return false;

  // The argument should be an 'int'. Although not in conformance with C99,
  // 'unsigned int' is also allowed as a reasonably safe case; GCC does not
  // warn about it either.
  const QualType ActualTy = AmountArg->getType();
  const analyze_printf::ArgType &Expected = Amt.getArgType(S.Context);
  assert(Expected.isValid());

  if (Expected.matchesType(S.Context, ActualTy))
    return true;

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type)
                           << k << Expected.getRepresentativeTypeName(S.Context)
                           << ActualTy << AmountArg->getSourceRange(),
                       getLocationOfByte(Amt.getStart()),
                       /*IsStringLocation*/ true,
                       getSpecifierRange(startSpecifier, specifierLen));
  // Stop here; anything further would only be a spurious error.
  return false;
}
6734
/// Warns that a field width or precision is nonsensical for the conversion.
///
/// \param type selects the wording; callers in this file pass 0 for a field
/// width and 1 for a precision.
///
/// A removal fix-it is attached only when the amount was written as a
/// constant; otherwise an empty hint is passed.
void CheckPrintfHandler::HandleInvalidAmount(
    const analyze_printf::PrintfSpecifier &FS,
    const analyze_printf::OptionalAmount &Amt, unsigned type,
    const char *startSpecifier, unsigned specifierLen) {
  const analyze_printf::PrintfConversionSpecifier &Conv =
      FS.getConversionSpecifier();

  FixItHint Removal;
  if (Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant)
    Removal = FixItHint::CreateRemoval(
        getSpecifierRange(Amt.getStart(), Amt.getConstantLength()));

  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount)
                           << type << Conv.toString(),
                       getLocationOfByte(Amt.getStart()),
                       /*IsStringLocation*/ true,
                       getSpecifierRange(startSpecifier, specifierLen),
                       Removal);
}
6757
/// Warns about a flag that is pointless for the conversion specifier and
/// attaches a fix-it that removes the one-character flag.
void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS,
                                    const analyze_printf::OptionalFlag &flag,
                                    const char *startSpecifier,
                                    unsigned specifierLen) {
  const analyze_printf::PrintfConversionSpecifier &Conv =
      FS.getConversionSpecifier();
  const char *FlagPos = flag.getPosition();

  EmitFormatDiagnostic(
      S.PDiag(diag::warn_printf_nonsensical_flag)
          << flag.toString() << Conv.toString(),
      getLocationOfByte(FlagPos),
      /*IsStringLocation*/ true,
      getSpecifierRange(startSpecifier, specifierLen),
      FixItHint::CreateRemoval(getSpecifierRange(FlagPos, 1)));
}
6773
/// Warns that \p ignoredFlag has no effect because \p flag is also present,
/// and attaches a fix-it that removes the one-character ignored flag.
void CheckPrintfHandler::HandleIgnoredFlag(
    const analyze_printf::PrintfSpecifier &FS,
    const analyze_printf::OptionalFlag &ignoredFlag,
    const analyze_printf::OptionalFlag &flag, const char *startSpecifier,
    unsigned specifierLen) {
  const char *IgnoredPos = ignoredFlag.getPosition();

  EmitFormatDiagnostic(
      S.PDiag(diag::warn_printf_ignored_flag)
          << ignoredFlag.toString() << flag.toString(),
      getLocationOfByte(IgnoredPos),
      /*IsStringLocation*/ true,
      getSpecifierRange(startSpecifier, specifierLen),
      FixItHint::CreateRemoval(getSpecifierRange(IgnoredPos, 1)));
}
6789
/// Warns about an empty Objective-C modifier flag, highlighting the
/// \p flagLen bytes that start at \p startFlag. No fix-it is attached.
void CheckPrintfHandler::HandleEmptyObjCModifierFlag(const char *startFlag,
                                                     unsigned flagLen) {
  const auto FlagRange = getSpecifierRange(startFlag, flagLen);
  EmitFormatDiagnostic(S.PDiag(diag::warn_printf_empty_objc_flag),
                       getLocationOfByte(startFlag),
                       /*IsStringLocation*/ true, FlagRange);
}
6798
/// Warns about an invalid Objective-C modifier flag. The flag text is put in
/// the message and a fix-it removes the same range that is highlighted.
void CheckPrintfHandler::HandleInvalidObjCModifierFlag(const char *startFlag,
                                                       unsigned flagLen) {
  const StringRef FlagText(startFlag, flagLen);
  const auto FlagRange = getSpecifierRange(startFlag, flagLen);

  EmitFormatDiagnostic(
      S.PDiag(diag::warn_printf_invalid_objc_flag) << FlagText,
      getLocationOfByte(startFlag),
      /*IsStringLocation*/ true, FlagRange,
      FixItHint::CreateRemoval(FlagRange));
}
6809
/// Warns about using '[...]' flags without a '@' conversion. The message
/// names the single conversion character at \p conversionPosition and a
/// fix-it removes the flags.
void CheckPrintfHandler::HandleObjCFlagsWithNonObjCConversion(
    const char *flagsStart, const char *flagsEnd,
    const char *conversionPosition) {
  // The range is inclusive of flagsEnd, hence the + 1.
  const auto FlagsRange =
      getSpecifierRange(flagsStart, flagsEnd - flagsStart + 1);
  const StringRef ConversionChar(conversionPosition, 1);

  EmitFormatDiagnostic(
      S.PDiag(diag::warn_printf_ObjCflags_without_ObjCConversion)
          << ConversionChar,
      getLocationOfByte(conversionPosition),
      /*IsStringLocation*/ true, FlagsRange,
      FixItHint::CreateRemoval(FlagsRange));
}
6820
// Collects the members of the given name and kind (e.g. a CXXMethodDecl named
// "c_str") that qualified member lookup finds in Ty. The result is empty when
// Ty is not a record type, is not a C++ class or struct, or has no
// definition.
template <typename MemberKind>
static llvm::SmallPtrSet<MemberKind *, 1>
CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) {
  llvm::SmallPtrSet<MemberKind *, 1> Found;

  const RecordType *Record = Ty->getAs<RecordType>();
  if (!Record)
    return Found;

  const auto *Class = dyn_cast<CXXRecordDecl>(Record->getDecl());
  if (!Class || !Class->getDefinition())
    return Found;

  // The lookup only probes for candidates, so it must not emit diagnostics
  // of its own.
  LookupResult Lookup(S, &S.Context.Idents.get(Name), SourceLocation(),
                      Sema::LookupMemberName);
  Lookup.suppressDiagnostics();

  if (!S.LookupQualifiedName(Lookup, Record->getDecl()))
    return Found;

  // Keep every hit whose underlying declaration is of the requested kind.
  for (NamedDecl *Hit : Lookup)
    if (auto *Member = dyn_cast<MemberKind>(Hit->getUnderlyingDecl()))
      Found.insert(Member);
  return Found;
}
6850
/// Check if we could call '.c_str()' on an object: true when the type of
/// \p E has a method named c_str that requires no arguments.
///
/// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't
/// allow the call, or if it would be ambiguous).
bool Sema::hasCStrMethod(const Expr *E) {
  const llvm::SmallPtrSet<CXXMethodDecl *, 1> Candidates =
      CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType());

  for (const CXXMethodDecl *Method : Candidates)
    if (Method->getMinRequiredArguments() == 0)
      return true;
  return false;
}
6866
// Check if a (w)string was passed when a (w)char* was needed, and offer a
// better diagnostic if so. AT is assumed to be valid.
// A candidate is a c_str method that requires no arguments and whose return
// type matches AT; for the first one found, a note with a fix-it appending
// ".c_str()" after E is emitted.
// Returns true when a c_str() conversion method is found.
bool CheckPrintfHandler::checkForCStrMembers(
    const analyze_printf::ArgType &AT, const Expr *E) {
  const llvm::SmallPtrSet<CXXMethodDecl *, 1> Candidates =
      CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType());

  for (const CXXMethodDecl *Method : Candidates) {
    if (Method->getMinRequiredArguments() != 0)
      continue;
    if (!AT.matchesType(S.Context, Method->getReturnType()))
      continue;

    // FIXME: Suggest parens if the expression needs them.
    const SourceLocation AfterExpr = S.getLocForEndOfToken(E->getEndLoc());
    S.Diag(E->getBeginLoc(), diag::note_printf_c_str)
        << "c_str()" << FixItHint::CreateInsertion(AfterExpr, ".c_str()");
    return true;
  }

  return false;
}
6892
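/// Checks one parsed printf conversion specification.
///
/// The checks run in this order: positional/non-positional consistency, the
/// '*' field width and precision arguments, the FreeBSD kernel %b/%D
/// extensions, conversions restricted by format string type (Objective-C
/// conversions, %P, %n with os_log, non-scalars with os_trace, public/private
/// annotations), %n on Android and Fuchsia targets, amounts, flags and length
/// modifiers, and finally the type of the data argument.
///
/// \param FS the parsed specifier.
/// \param startSpecifier start of the specifier text in the format string.
/// \param specifierLen length of the specifier text.
/// \param Target used only for its triple, for the %n target check.
/// \returns false on the paths where checking is abandoned (mixed positional
/// arguments, a failed amount check, a failed argument count check) or when a
/// delegated handler returns false; true otherwise.
bool CheckPrintfHandler::HandlePrintfSpecifier(
    const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
    unsigned specifierLen, const TargetInfo &Target) {
  using namespace analyze_format_string;
  using namespace analyze_printf;

  const PrintfConversionSpecifier &CS = FS.getConversionSpecifier();

  // The first specifier that consumes an argument fixes whether the string
  // uses positional arguments; a later specifier that disagrees is diagnosed.
  if (FS.consumesDataArgument()) {
    if (atFirstArg) {
      atFirstArg = false;
      usesPositionalArgs = FS.usesPositionalArg();
    } else if (usesPositionalArgs != FS.usesPositionalArg()) {
      HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
                                        startSpecifier, specifierLen);
      return false;
    }
  }

  // First check if the field width, precision, and conversion specifier
  // have matching data arguments.
  if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0, startSpecifier,
                    specifierLen)) {
    return false;
  }

  if (!HandleAmount(FS.getPrecision(), /* precision */ 1, startSpecifier,
                    specifierLen)) {
    return false;
  }

  if (!CS.consumesDataArgument()) {
    // FIXME: Technically specifying a precision or field width here
    // makes no sense.  Worth issuing a warning at some point.
    return true;
  }

  // Consume the argument.
  unsigned argIndex = FS.getArgIndex();
  if (argIndex < NumDataArgs) {
    // The check to see if the argIndex is valid will come later.
    // We set the bit here because we may exit early from this
    // function if we encounter some other error.
    CoveredArgs.set(argIndex);
  }

  // FreeBSD kernel extensions.
  // NOTE(review): this branch runs before the FAPK_VAList early return
  // further down; confirm CheckNumArgs behaves as intended for va_list
  // callers.
  if (CS.getKind() == ConversionSpecifier::FreeBSDbArg ||
      CS.getKind() == ConversionSpecifier::FreeBSDDArg) {
    // We need at least two arguments.
    if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex + 1))
      return false;

    // Claim the second argument.
    CoveredArgs.set(argIndex + 1);

    // Type check the first argument (int for %b, pointer for %D).
    // getDataArg() results are null-checked elsewhere in this function and
    // in HandleAmount, so a null argument skips the type check here too
    // instead of being dereferenced.
    const Expr *Ex = getDataArg(argIndex);
    const analyze_printf::ArgType &AT =
        (CS.getKind() == ConversionSpecifier::FreeBSDbArg)
            ? ArgType(S.Context.IntTy)
            : ArgType::CPointerTy;
    if (Ex && AT.isValid() && !AT.matchesType(S.Context, Ex->getType()))
      EmitFormatDiagnostic(
          S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
              << AT.getRepresentativeTypeName(S.Context) << Ex->getType()
              << false << Ex->getSourceRange(),
          Ex->getBeginLoc(), /*IsStringLocation*/ false,
          getSpecifierRange(startSpecifier, specifierLen));

    // Type check the second argument (char * for both %b and %D)
    Ex = getDataArg(argIndex + 1);
    const analyze_printf::ArgType &AT2 = ArgType::CStrTy;
    if (Ex && AT2.isValid() && !AT2.matchesType(S.Context, Ex->getType()))
      EmitFormatDiagnostic(
          S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
              << AT2.getRepresentativeTypeName(S.Context) << Ex->getType()
              << false << Ex->getSourceRange(),
          Ex->getBeginLoc(), /*IsStringLocation*/ false,
          getSpecifierRange(startSpecifier, specifierLen));

    return true;
  }

  // Check for using an Objective-C specific conversion specifier
  // in a non-ObjC literal.
  if (!allowsObjCArg() && CS.isObjCArg()) {
    return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
                                                  specifierLen);
  }

  // %P can only be used with os_log.
  if (FSType != Sema::FST_OSLog && CS.getKind() == ConversionSpecifier::PArg) {
    return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
                                                  specifierLen);
  }

  // %n is not allowed with os_log.
  if (FSType == Sema::FST_OSLog && CS.getKind() == ConversionSpecifier::nArg) {
    EmitFormatDiagnostic(S.PDiag(diag::warn_os_log_format_narg),
                         getLocationOfByte(CS.getStart()),
                         /*IsStringLocation*/ false,
                         getSpecifierRange(startSpecifier, specifierLen));

    return true;
  }

  // Only scalars are allowed for os_trace.
  if (FSType == Sema::FST_OSTrace &&
      (CS.getKind() == ConversionSpecifier::PArg ||
       CS.getKind() == ConversionSpecifier::sArg ||
       CS.getKind() == ConversionSpecifier::ObjCObjArg)) {
    return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
                                                  specifierLen);
  }

  // Check for use of public/private annotation outside of os_log().
  if (FSType != Sema::FST_OSLog) {
    if (FS.isPublic().isSet()) {
      EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_annotation)
                               << "public",
                           getLocationOfByte(FS.isPublic().getPosition()),
                           /*IsStringLocation*/ false,
                           getSpecifierRange(startSpecifier, specifierLen));
    }
    if (FS.isPrivate().isSet()) {
      EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_annotation)
                               << "private",
                           getLocationOfByte(FS.isPrivate().getPosition()),
                           /*IsStringLocation*/ false,
                           getSpecifierRange(startSpecifier, specifierLen));
    }
  }

  // %n is reported as not supported when targeting Android or Fuchsia.
  // Unlike the os_log case above, checking continues after this warning.
  const llvm::Triple &Triple = Target.getTriple();
  if (CS.getKind() == ConversionSpecifier::nArg &&
      (Triple.isAndroid() || Triple.isOSFuchsia())) {
    EmitFormatDiagnostic(S.PDiag(diag::warn_printf_narg_not_supported),
                         getLocationOfByte(CS.getStart()),
                         /*IsStringLocation*/ false,
                         getSpecifierRange(startSpecifier, specifierLen));
  }

  // Check for invalid use of field width
  if (!FS.hasValidFieldWidth()) {
    HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0,
                        startSpecifier, specifierLen);
  }

  // Check for invalid use of precision
  if (!FS.hasValidPrecision()) {
    HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1,
                        startSpecifier, specifierLen);
  }

  // Precision is mandatory for %P specifier.
  if (CS.getKind() == ConversionSpecifier::PArg &&
      FS.getPrecision().getHowSpecified() == OptionalAmount::NotSpecified) {
    EmitFormatDiagnostic(S.PDiag(diag::warn_format_P_no_precision),
                         getLocationOfByte(startSpecifier),
                         /*IsStringLocation*/ false,
                         getSpecifierRange(startSpecifier, specifierLen));
  }

  // Check each flag does not conflict with any other component.
  if (!FS.hasValidThousandsGroupingPrefix())
    HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen);
  if (!FS.hasValidLeadingZeros())
    HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen);
  if (!FS.hasValidPlusPrefix())
    HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen);
  if (!FS.hasValidSpacePrefix())
    HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen);
  if (!FS.hasValidAlternativeForm())
    HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen);
  if (!FS.hasValidLeftJustified())
    HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen);

  // Check that flags are not ignored by another flag
  if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+'
    HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(),
                      startSpecifier, specifierLen);
  if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-'
    HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(),
                      startSpecifier, specifierLen);

  // Check the length modifier is valid with the given conversion specifier.
  if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo(),
                                 S.getLangOpts()))
    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
                                diag::warn_format_nonsensical_length);
  else if (!FS.hasStandardLengthModifier())
    HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
  else if (!FS.hasStandardLengthConversionCombination())
    HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
                                diag::warn_format_non_standard_conversion_spec);

  if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
    HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);

  // The remaining checks depend on the data arguments, which a va_list call
  // does not expose: the argument count and argument type are not checked.
  if (ArgPassingKind == Sema::FAPK_VAList)
    return true;

  if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
    return false;

  const Expr *Arg = getDataArg(argIndex);
  if (!Arg)
    return true;

  return checkFormatExpr(FS, startSpecifier, specifierLen, Arg);
}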
7106
/// Returns false when \p E, after implicit casts are stripped (and a
/// PseudoObjectExpr is replaced by its syntactic form), is one of the
/// expression kinds listed below; returns true for every other kind.
static bool requiresParensToAddCast(const Expr *E) {
  // FIXME: We should have a general way to reason about operator
  // precedence and whether parens are actually needed here.
  // Take care of a few common cases where they aren't.
  const Expr *Core = E->IgnoreImpCasts();
  if (const auto *Pseudo = dyn_cast<PseudoObjectExpr>(Core))
    Core = Pseudo->getSyntacticForm()->IgnoreImpCasts();

  switch (Core->getStmtClass()) {
  default:
    return true;

  case Stmt::ArraySubscriptExprClass:
  case Stmt::CallExprClass:
  case Stmt::CharacterLiteralClass:
  case Stmt::CXXBoolLiteralExprClass:
  case Stmt::DeclRefExprClass:
  case Stmt::FloatingLiteralClass:
  case Stmt::IntegerLiteralClass:
  case Stmt::MemberExprClass:
  case Stmt::ObjCArrayLiteralClass:
  case Stmt::ObjCBoolLiteralExprClass:
  case Stmt::ObjCBoxedExprClass:
  case Stmt::ObjCDictionaryLiteralClass:
  case Stmt::ObjCEncodeExprClass:
  case Stmt::ObjCIvarRefExprClass:
  case Stmt::ObjCMessageExprClass:
  case Stmt::ObjCPropertyRefExprClass:
  case Stmt::ObjCStringLiteralClass:
  case Stmt::ObjCSubscriptRefExprClass:
  case Stmt::ParenExprClass:
  case Stmt::StringLiteralClass:
  case Stmt::UnaryOperatorClass:
    return false;
  }
}
7142
/// Looks for one of the typedef names CFIndex, NSInteger, NSUInteger, SInt32
/// or UInt32 in the typedef sugar of \p IntendedTy, then in the operand of a
/// parenthesized \p E, then in both arms of a conditional \p E.
///
/// \returns the type to cast to together with the typedef name that was
/// found, or a null QualType and an empty name when none applies.
static std::pair<QualType, StringRef>
shouldNotPrintDirectly(const ASTContext &Context, QualType IntendedTy,
                       const Expr *E) {
  const std::pair<QualType, StringRef> NothingFound(QualType(), StringRef());

  // Peel off typedef layers one at a time, stopping at the first known name.
  QualType Cur = IntendedTy;
  while (const TypedefType *Sugar = Cur->getAs<TypedefType>()) {
    StringRef TypedefName = Sugar->getDecl()->getName();
    QualType Replacement = llvm::StringSwitch<QualType>(TypedefName)
                               .Case("CFIndex", Context.getNSIntegerType())
                               .Case("NSInteger", Context.getNSIntegerType())
                               .Case("NSUInteger", Context.getNSUIntegerType())
                               .Case("SInt32", Context.IntTy)
                               .Case("UInt32", Context.UnsignedIntTy)
                               .Default(QualType());

    if (!Replacement.isNull())
      return std::make_pair(Replacement, TypedefName);

    Cur = Sugar->desugar();
  }

  // Strip parens if necessary.
  if (const auto *Paren = dyn_cast<ParenExpr>(E)) {
    const Expr *Inner = Paren->getSubExpr();
    return shouldNotPrintDirectly(Context, Inner->getType(), Inner);
  }

  // If this is a conditional expression, then its result type is constructed
  // via usual arithmetic conversions and thus there might be no necessary
  // typedef sugar there.  Recurse to operands to check for NSInteger &
  // Co. usage condition.
  if (const auto *Cond = dyn_cast<ConditionalOperator>(E)) {
    const Expr *TrueArm = Cond->getTrueExpr();
    const Expr *FalseArm = Cond->getFalseExpr();

    std::pair<QualType, StringRef> OnTrue =
        shouldNotPrintDirectly(Context, TrueArm->getType(), TrueArm);
    std::pair<QualType, StringRef> OnFalse =
        shouldNotPrintDirectly(Context, FalseArm->getType(), FalseArm);

    // Both arms agree, or exactly one arm produced a result.
    if (OnTrue.first == OnFalse.first)
      return OnTrue;
    if (OnTrue.first.isNull())
      return OnFalse;
    if (OnFalse.first.isNull())
      return OnTrue;
    // The arms disagree: fall through and report nothing.
  }

  return NothingFound;
}
7198
/// Return true if \p ICE is an implicit argument promotion of an arithmetic
/// type. Bit-field 'promotions' from a higher ranked type to a lower ranked
/// type do not count.
static bool
isArithmeticArgumentPromotion(Sema &S, const ImplicitCastExpr *ICE) {
  QualType SrcTy = ICE->getSubExpr()->getType();
  QualType DstTy = ICE->getType();
  const auto Kind = ICE->getCastKind();

  // Integer promotion: the destination is exactly the promoted source type.
  // The promoted type is only queried once the source is known to be
  // promotable.
  if (Kind == CK_IntegralCast) {
    if (S.Context.isPromotableIntegerType(SrcTy) &&
        S.Context.getPromotedIntegerType(SrcTy) == DstTy)
      return true;
  }

  // Anything else can only be a floating promotion.
  if (Kind != CK_FloatingCast)
    return false;

  // Look through vector types, since we do default argument promotion for
  // those in OpenCL.
  if (const auto *SrcVec = SrcTy->getAs<ExtVectorType>())
    SrcTy = SrcVec->getElementType();
  if (const auto *DstVec = DstTy->getAs<ExtVectorType>())
    DstTy = DstVec->getElementType();

  // It's a floating promotion if the source type is a lower rank.
  return S.Context.getFloatingTypeOrder(SrcTy, DstTy) < 0;
}
7222
/// Resolves a NoMatchSignedness result according to whether
/// warn_format_conversion_argument_type_mismatch_signedness is ignored at
/// \p Loc: Match when it is ignored, NoMatch when it is not. Any other
/// \p Match value is returned unchanged.
static analyze_format_string::ArgType::MatchKind
handleFormatSignedness(analyze_format_string::ArgType::MatchKind Match,
                       DiagnosticsEngine &Diags, SourceLocation Loc) {
  using analyze_format_string::ArgType;

  if (Match != ArgType::NoMatchSignedness)
    return Match;

  const bool SignednessWarningOff = Diags.isIgnored(
      diag::warn_format_conversion_argument_type_mismatch_signedness, Loc);
  if (SignednessWarningOff)
    return ArgType::Match;
  return ArgType::NoMatch;
}
7235
7236 bool
checkFormatExpr(const analyze_printf::PrintfSpecifier & FS,const char * StartSpecifier,unsigned SpecifierLen,const Expr * E)7237 CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
7238 const char *StartSpecifier,
7239 unsigned SpecifierLen,
7240 const Expr *E) {
7241 using namespace analyze_format_string;
7242 using namespace analyze_printf;
7243
7244 // Now type check the data expression that matches the
7245 // format specifier.
7246 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, isObjCContext());
7247 if (!AT.isValid())
7248 return true;
7249
7250 QualType ExprTy = E->getType();
7251 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) {
7252 ExprTy = TET->getUnderlyingExpr()->getType();
7253 }
7254
7255 // When using the format attribute in C++, you can receive a function or an
7256 // array that will necessarily decay to a pointer when passed to the final
7257 // format consumer. Apply decay before type comparison.
7258 if (ExprTy->canDecayToPointerType())
7259 ExprTy = S.Context.getDecayedType(ExprTy);
7260
7261 // Diagnose attempts to print a boolean value as a character. Unlike other
7262 // -Wformat diagnostics, this is fine from a type perspective, but it still
7263 // doesn't make sense.
7264 if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::cArg &&
7265 E->isKnownToHaveBooleanValue()) {
7266 const CharSourceRange &CSR =
7267 getSpecifierRange(StartSpecifier, SpecifierLen);
7268 SmallString<4> FSString;
7269 llvm::raw_svector_ostream os(FSString);
7270 FS.toString(os);
7271 EmitFormatDiagnostic(S.PDiag(diag::warn_format_bool_as_character)
7272 << FSString,
7273 E->getExprLoc(), false, CSR);
7274 return true;
7275 }
7276
7277 // Diagnose attempts to use '%P' with ObjC object types, which will result in
7278 // dumping raw class data (like is-a pointer), not actual data.
7279 if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::PArg &&
7280 ExprTy->isObjCObjectPointerType()) {
7281 const CharSourceRange &CSR =
7282 getSpecifierRange(StartSpecifier, SpecifierLen);
7283 EmitFormatDiagnostic(S.PDiag(diag::warn_format_P_with_objc_pointer),
7284 E->getExprLoc(), false, CSR);
7285 return true;
7286 }
7287
7288 ArgType::MatchKind ImplicitMatch = ArgType::NoMatch;
7289 ArgType::MatchKind Match = AT.matchesType(S.Context, ExprTy);
7290 ArgType::MatchKind OrigMatch = Match;
7291
7292 Match = handleFormatSignedness(Match, S.getDiagnostics(), E->getExprLoc());
7293 if (Match == ArgType::Match)
7294 return true;
7295
7296 // NoMatchPromotionTypeConfusion should be only returned in ImplictCastExpr
7297 assert(Match != ArgType::NoMatchPromotionTypeConfusion);
7298
7299 // Look through argument promotions for our error message's reported type.
7300 // This includes the integral and floating promotions, but excludes array
7301 // and function pointer decay (seeing that an argument intended to be a
7302 // string has type 'char [6]' is probably more confusing than 'char *') and
7303 // certain bitfield promotions (bitfields can be 'demoted' to a lesser type).
7304 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
7305 if (isArithmeticArgumentPromotion(S, ICE)) {
7306 E = ICE->getSubExpr();
7307 ExprTy = E->getType();
7308
7309 // Check if we didn't match because of an implicit cast from a 'char'
7310 // or 'short' to an 'int'. This is done because printf is a varargs
7311 // function.
7312 if (ICE->getType() == S.Context.IntTy ||
7313 ICE->getType() == S.Context.UnsignedIntTy) {
7314 // All further checking is done on the subexpression
7315 ImplicitMatch = AT.matchesType(S.Context, ExprTy);
7316 if (OrigMatch == ArgType::NoMatchSignedness &&
7317 ImplicitMatch != ArgType::NoMatchSignedness)
7318 // If the original match was a signedness match this match on the
7319 // implicit cast type also need to be signedness match otherwise we
7320 // might introduce new unexpected warnings from -Wformat-signedness.
7321 return true;
7322 ImplicitMatch = handleFormatSignedness(
7323 ImplicitMatch, S.getDiagnostics(), E->getExprLoc());
7324 if (ImplicitMatch == ArgType::Match)
7325 return true;
7326 }
7327 }
7328 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) {
7329 // Special case for 'a', which has type 'int' in C.
7330 // Note, however, that we do /not/ want to treat multibyte constants like
7331 // 'MooV' as characters! This form is deprecated but still exists. In
7332 // addition, don't treat expressions as of type 'char' if one byte length
7333 // modifier is provided.
7334 if (ExprTy == S.Context.IntTy &&
7335 FS.getLengthModifier().getKind() != LengthModifier::AsChar)
7336 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) {
7337 ExprTy = S.Context.CharTy;
7338 // To improve check results, we consider a character literal in C
7339 // to be a 'char' rather than an 'int'. 'printf("%hd", 'a');' is
7340 // more likely a type confusion situation, so we will suggest to
7341 // use '%hhd' instead by discarding the MatchPromotion.
7342 if (Match == ArgType::MatchPromotion)
7343 Match = ArgType::NoMatch;
7344 }
7345 }
7346 if (Match == ArgType::MatchPromotion) {
7347 // WG14 N2562 only clarified promotions in *printf
7348 // For NSLog in ObjC, just preserve -Wformat behavior
7349 if (!S.getLangOpts().ObjC &&
7350 ImplicitMatch != ArgType::NoMatchPromotionTypeConfusion &&
7351 ImplicitMatch != ArgType::NoMatchTypeConfusion)
7352 return true;
7353 Match = ArgType::NoMatch;
7354 }
7355 if (ImplicitMatch == ArgType::NoMatchPedantic ||
7356 ImplicitMatch == ArgType::NoMatchTypeConfusion)
7357 Match = ImplicitMatch;
7358 assert(Match != ArgType::MatchPromotion);
7359
7360 // Look through unscoped enums to their underlying type.
7361 bool IsEnum = false;
7362 bool IsScopedEnum = false;
7363 QualType IntendedTy = ExprTy;
7364 if (auto EnumTy = ExprTy->getAs<EnumType>()) {
7365 IntendedTy = EnumTy->getDecl()->getIntegerType();
7366 if (EnumTy->isUnscopedEnumerationType()) {
7367 ExprTy = IntendedTy;
7368 // This controls whether we're talking about the underlying type or not,
7369 // which we only want to do when it's an unscoped enum.
7370 IsEnum = true;
7371 } else {
7372 IsScopedEnum = true;
7373 }
7374 }
7375
7376 // %C in an Objective-C context prints a unichar, not a wchar_t.
7377 // If the argument is an integer of some kind, believe the %C and suggest
7378 // a cast instead of changing the conversion specifier.
7379 if (isObjCContext() &&
7380 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) {
7381 if (ExprTy->isIntegralOrUnscopedEnumerationType() &&
7382 !ExprTy->isCharType()) {
7383 // 'unichar' is defined as a typedef of unsigned short, but we should
7384 // prefer using the typedef if it is visible.
7385 IntendedTy = S.Context.UnsignedShortTy;
7386
7387 // While we are here, check if the value is an IntegerLiteral that happens
7388 // to be within the valid range.
7389 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) {
7390 const llvm::APInt &V = IL->getValue();
7391 if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy))
7392 return true;
7393 }
7394
7395 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getBeginLoc(),
7396 Sema::LookupOrdinaryName);
7397 if (S.LookupName(Result, S.getCurScope())) {
7398 NamedDecl *ND = Result.getFoundDecl();
7399 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND))
7400 if (TD->getUnderlyingType() == IntendedTy)
7401 IntendedTy = S.Context.getTypedefType(TD);
7402 }
7403 }
7404 }
7405
7406 // Special-case some of Darwin's platform-independence types by suggesting
7407 // casts to primitive types that are known to be large enough.
7408 bool ShouldNotPrintDirectly = false; StringRef CastTyName;
7409 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) {
7410 QualType CastTy;
7411 std::tie(CastTy, CastTyName) = shouldNotPrintDirectly(S.Context, IntendedTy, E);
7412 if (!CastTy.isNull()) {
7413 // %zi/%zu and %td/%tu are OK to use for NSInteger/NSUInteger of type int
7414 // (long in ASTContext). Only complain to pedants or when they're the
7415 // underlying type of a scoped enum (which always needs a cast).
7416 if (!IsScopedEnum &&
7417 (CastTyName == "NSInteger" || CastTyName == "NSUInteger") &&
7418 (AT.isSizeT() || AT.isPtrdiffT()) &&
7419 AT.matchesType(S.Context, CastTy))
7420 Match = ArgType::NoMatchPedantic;
7421 IntendedTy = CastTy;
7422 ShouldNotPrintDirectly = true;
7423 }
7424 }
7425
7426 // We may be able to offer a FixItHint if it is a supported type.
7427 PrintfSpecifier fixedFS = FS;
7428 bool Success =
7429 fixedFS.fixType(IntendedTy, S.getLangOpts(), S.Context, isObjCContext());
7430
7431 if (Success) {
7432 // Get the fix string from the fixed format specifier
7433 SmallString<16> buf;
7434 llvm::raw_svector_ostream os(buf);
7435 fixedFS.toString(os);
7436
7437 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen);
7438
7439 if (IntendedTy == ExprTy && !ShouldNotPrintDirectly && !IsScopedEnum) {
7440 unsigned Diag;
7441 switch (Match) {
7442 case ArgType::Match:
7443 case ArgType::MatchPromotion:
7444 case ArgType::NoMatchPromotionTypeConfusion:
7445 case ArgType::NoMatchSignedness:
7446 llvm_unreachable("expected non-matching");
7447 case ArgType::NoMatchPedantic:
7448 Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
7449 break;
7450 case ArgType::NoMatchTypeConfusion:
7451 Diag = diag::warn_format_conversion_argument_type_mismatch_confusion;
7452 break;
7453 case ArgType::NoMatch:
7454 Diag = diag::warn_format_conversion_argument_type_mismatch;
7455 break;
7456 }
7457
7458 // In this case, the specifier is wrong and should be changed to match
7459 // the argument.
7460 EmitFormatDiagnostic(S.PDiag(Diag)
7461 << AT.getRepresentativeTypeName(S.Context)
7462 << IntendedTy << IsEnum << E->getSourceRange(),
7463 E->getBeginLoc(),
7464 /*IsStringLocation*/ false, SpecRange,
7465 FixItHint::CreateReplacement(SpecRange, os.str()));
7466 } else {
7467 // The canonical type for formatting this value is different from the
7468 // actual type of the expression. (This occurs, for example, with Darwin's
7469 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but
7470 // should be printed as 'long' for 64-bit compatibility.)
7471 // Rather than emitting a normal format/argument mismatch, we want to
7472 // add a cast to the recommended type (and correct the format string
7473 // if necessary). We should also do so for scoped enumerations.
7474 SmallString<16> CastBuf;
7475 llvm::raw_svector_ostream CastFix(CastBuf);
7476 CastFix << (S.LangOpts.CPlusPlus ? "static_cast<" : "(");
7477 IntendedTy.print(CastFix, S.Context.getPrintingPolicy());
7478 CastFix << (S.LangOpts.CPlusPlus ? ">" : ")");
7479
7480 SmallVector<FixItHint,4> Hints;
7481 ArgType::MatchKind IntendedMatch = AT.matchesType(S.Context, IntendedTy);
7482 IntendedMatch = handleFormatSignedness(IntendedMatch, S.getDiagnostics(),
7483 E->getExprLoc());
7484 if ((IntendedMatch != ArgType::Match) || ShouldNotPrintDirectly)
7485 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str()));
7486
7487 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) {
7488 // If there's already a cast present, just replace it.
7489 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc());
7490 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str()));
7491
7492 } else if (!requiresParensToAddCast(E) && !S.LangOpts.CPlusPlus) {
7493 // If the expression has high enough precedence,
7494 // just write the C-style cast.
7495 Hints.push_back(
7496 FixItHint::CreateInsertion(E->getBeginLoc(), CastFix.str()));
7497 } else {
7498 // Otherwise, add parens around the expression as well as the cast.
7499 CastFix << "(";
7500 Hints.push_back(
7501 FixItHint::CreateInsertion(E->getBeginLoc(), CastFix.str()));
7502
7503 // We don't use getLocForEndOfToken because it returns invalid source
7504 // locations for macro expansions (by design).
7505 SourceLocation EndLoc = S.SourceMgr.getSpellingLoc(E->getEndLoc());
7506 SourceLocation After = EndLoc.getLocWithOffset(
7507 Lexer::MeasureTokenLength(EndLoc, S.SourceMgr, S.LangOpts));
7508 Hints.push_back(FixItHint::CreateInsertion(After, ")"));
7509 }
7510
7511 if (ShouldNotPrintDirectly && !IsScopedEnum) {
7512 // The expression has a type that should not be printed directly.
7513 // We extract the name from the typedef because we don't want to show
7514 // the underlying type in the diagnostic.
7515 StringRef Name;
7516 if (const auto *TypedefTy = ExprTy->getAs<TypedefType>())
7517 Name = TypedefTy->getDecl()->getName();
7518 else
7519 Name = CastTyName;
7520 unsigned Diag = Match == ArgType::NoMatchPedantic
7521 ? diag::warn_format_argument_needs_cast_pedantic
7522 : diag::warn_format_argument_needs_cast;
7523 EmitFormatDiagnostic(S.PDiag(Diag) << Name << IntendedTy << IsEnum
7524 << E->getSourceRange(),
7525 E->getBeginLoc(), /*IsStringLocation=*/false,
7526 SpecRange, Hints);
7527 } else {
7528 // In this case, the expression could be printed using a different
7529 // specifier, but we've decided that the specifier is probably correct
7530 // and we should cast instead. Just use the normal warning message.
7531
7532 unsigned Diag =
7533 IsScopedEnum
7534 ? diag::warn_format_conversion_argument_type_mismatch_pedantic
7535 : diag::warn_format_conversion_argument_type_mismatch;
7536
7537 EmitFormatDiagnostic(
7538 S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
7539 << IsEnum << E->getSourceRange(),
7540 E->getBeginLoc(), /*IsStringLocation*/ false, SpecRange, Hints);
7541 }
7542 }
7543 } else {
7544 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier,
7545 SpecifierLen);
7546 // Since the warning for passing non-POD types to variadic functions
7547 // was deferred until now, we emit a warning for non-POD
7548 // arguments here.
7549 bool EmitTypeMismatch = false;
7550 switch (S.isValidVarArgType(ExprTy)) {
7551 case Sema::VAK_Valid:
7552 case Sema::VAK_ValidInCXX11: {
7553 unsigned Diag;
7554 switch (Match) {
7555 case ArgType::Match:
7556 case ArgType::MatchPromotion:
7557 case ArgType::NoMatchPromotionTypeConfusion:
7558 case ArgType::NoMatchSignedness:
7559 llvm_unreachable("expected non-matching");
7560 case ArgType::NoMatchPedantic:
7561 Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
7562 break;
7563 case ArgType::NoMatchTypeConfusion:
7564 Diag = diag::warn_format_conversion_argument_type_mismatch_confusion;
7565 break;
7566 case ArgType::NoMatch:
7567 Diag = diag::warn_format_conversion_argument_type_mismatch;
7568 break;
7569 }
7570
7571 EmitFormatDiagnostic(
7572 S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
7573 << IsEnum << CSR << E->getSourceRange(),
7574 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
7575 break;
7576 }
7577 case Sema::VAK_Undefined:
7578 case Sema::VAK_MSVCUndefined:
7579 if (CallType == Sema::VariadicDoesNotApply) {
7580 EmitTypeMismatch = true;
7581 } else {
7582 EmitFormatDiagnostic(
7583 S.PDiag(diag::warn_non_pod_vararg_with_format_string)
7584 << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
7585 << AT.getRepresentativeTypeName(S.Context) << CSR
7586 << E->getSourceRange(),
7587 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
7588 checkForCStrMembers(AT, E);
7589 }
7590 break;
7591
7592 case Sema::VAK_Invalid:
7593 if (CallType == Sema::VariadicDoesNotApply)
7594 EmitTypeMismatch = true;
7595 else if (ExprTy->isObjCObjectType())
7596 EmitFormatDiagnostic(
7597 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format)
7598 << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
7599 << AT.getRepresentativeTypeName(S.Context) << CSR
7600 << E->getSourceRange(),
7601 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
7602 else
7603 // FIXME: If this is an initializer list, suggest removing the braces
7604 // or inserting a cast to the target type.
7605 S.Diag(E->getBeginLoc(), diag::err_cannot_pass_to_vararg_format)
7606 << isa<InitListExpr>(E) << ExprTy << CallType
7607 << AT.getRepresentativeTypeName(S.Context) << E->getSourceRange();
7608 break;
7609 }
7610
7611 if (EmitTypeMismatch) {
7612 // The function is not variadic, so we do not generate warnings about
7613 // being allowed to pass that object as a variadic argument. Instead,
7614 // since there are inherently no printf specifiers for types which cannot
7615 // be passed as variadic arguments, emit a plain old specifier mismatch
7616 // argument.
7617 EmitFormatDiagnostic(
7618 S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
7619 << AT.getRepresentativeTypeName(S.Context) << ExprTy << false
7620 << E->getSourceRange(),
7621 E->getBeginLoc(), false, CSR);
7622 }
7623
7624 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() &&
7625 "format string specifier index out of range");
7626 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true;
7627 }
7628
7629 return true;
7630 }
7631
7632 //===--- CHECK: Scanf format string checking ------------------------------===//
7633
namespace {

/// Format-string handler for scanf-style format strings.
///
/// Derives from CheckFormatHandler and overrides the three scanf-specific
/// callbacks declared below. It declares no data members of its own.
class CheckScanfHandler : public CheckFormatHandler {
public:
  /// Forwards every argument, unchanged and in the same order, to the
  /// CheckFormatHandler constructor.
  CheckScanfHandler(Sema &s, const FormatStringLiteral *fexpr,
                    const Expr *origFormatExpr, Sema::FormatStringType type,
                    unsigned firstDataArg, unsigned numDataArgs,
                    const char *beg, Sema::FormatArgumentPassingKind APK,
                    ArrayRef<const Expr *> Args, unsigned formatIdx,
                    bool inFunctionCall, Sema::VariadicCallType CallType,
                    llvm::SmallBitVector &CheckedVarArgs,
                    UncoveredArgHandler &UncoveredArg)
      : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
                           numDataArgs, beg, APK, Args, formatIdx,
                           inFunctionCall, CallType, CheckedVarArgs,
                           UncoveredArg) {}

  /// Diagnoses a scan list that is not terminated.
  void HandleIncompleteScanList(const char *start, const char *end) override;

  /// Reports a conversion specifier that is not valid for scanf.
  bool HandleInvalidScanfConversionSpecifier(
      const analyze_scanf::ScanfSpecifier &FS,
      const char *startSpecifier,
      unsigned specifierLen) override;

  /// Checks one parsed scanf specifier against its data argument.
  bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
                            const char *startSpecifier,
                            unsigned specifierLen) override;
};

} // namespace
7664
/// Emits warn_scanf_scanlist_incomplete for the format-string bytes
/// [start, end), with the diagnostic located at \p end.
void CheckScanfHandler::HandleIncompleteScanList(const char *start,
                                                 const char *end) {
  // The highlighted range is the scan list as far as it was parsed.
  const CharSourceRange ScanListRange = getSpecifierRange(start, end - start);
  const auto WhereItStops = getLocationOfByte(end);

  EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete),
                       WhereItStops, /*IsStringLocation*/ true,
                       ScanListRange);
}
7671
/// Forwards an invalid scanf conversion specifier to the shared
/// HandleInvalidConversionSpecifier() routine and returns its result.
bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier(
    const analyze_scanf::ScanfSpecifier &FS,
    const char *startSpecifier,
    unsigned specifierLen) {
  const analyze_scanf::ScanfConversionSpecifier &ConvSpec =
      FS.getConversionSpecifier();

  // The diagnostic is located at the first byte of the conversion specifier.
  const auto ConvLoc = getLocationOfByte(ConvSpec.getStart());

  return HandleInvalidConversionSpecifier(FS.getArgIndex(), ConvLoc,
                                          startSpecifier, specifierLen,
                                          ConvSpec.getStart(),
                                          ConvSpec.getLength());
}
7684
/// Checks one scanf specifier against the call's data arguments.
///
/// Diagnoses, in this order: mixed positional and non-positional arguments, a
/// constant field width of zero, invalid or non-standard length modifiers and
/// conversion specifiers, and a mismatch between the specifier and the type of
/// its argument. A fix-it replacing the specifier is attached to the mismatch
/// diagnostic when fixType() succeeds.
///
/// \returns false when positional and non-positional arguments are mixed or
/// when CheckNumArgs() fails; true otherwise, including after a type mismatch
/// has been diagnosed.
bool CheckScanfHandler::HandleScanfSpecifier(
    const analyze_scanf::ScanfSpecifier &FS,
    const char *startSpecifier,
    unsigned specifierLen) {
  using namespace analyze_scanf;
  using namespace analyze_format_string;

  const ScanfConversionSpecifier &ConvSpec = FS.getConversionSpecifier();

  // Specifiers that consume no argument ('%' and '*') do not take part in
  // deciding whether positional arguments are used consistently.
  if (FS.consumesDataArgument()) {
    const bool IsPositional = FS.usesPositionalArg();
    if (atFirstArg) {
      atFirstArg = false;
      usesPositionalArgs = IsPositional;
    } else if (usesPositionalArgs != IsPositional) {
      HandlePositionalNonpositionalArgs(getLocationOfByte(ConvSpec.getStart()),
                                        startSpecifier, specifierLen);
      return false;
    }
  }

  // Check that the field width is non-zero; a constant zero width gets a
  // warning with a fix-it that removes it.
  const OptionalAmount &Width = FS.getFieldWidth();
  if (Width.getHowSpecified() == OptionalAmount::Constant &&
      Width.getConstantAmount() == 0) {
    const CharSourceRange &WidthRange =
        getSpecifierRange(Width.getStart(), Width.getConstantLength());
    EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width),
                         getLocationOfByte(Width.getStart()),
                         /*IsStringLocation*/ true, WidthRange,
                         FixItHint::CreateRemoval(WidthRange));
  }

  if (!FS.consumesDataArgument()) {
    // FIXME: Technically specifying a precision or field width here
    // makes no sense. Worth issuing a warning at some point.
    return true;
  }

  // Mark the argument as covered right away: the range check on the index
  // comes later, and this function may return early on some other error.
  const unsigned argIndex = FS.getArgIndex();
  if (argIndex < NumDataArgs)
    CoveredArgs.set(argIndex);

  // At most one length-modifier diagnostic is emitted per specifier.
  if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo(),
                                 S.getLangOpts())) {
    HandleInvalidLengthModifier(FS, ConvSpec, startSpecifier, specifierLen,
                                diag::warn_format_nonsensical_length);
  } else if (!FS.hasStandardLengthModifier()) {
    HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
  } else if (!FS.hasStandardLengthConversionCombination()) {
    HandleInvalidLengthModifier(FS, ConvSpec, startSpecifier, specifierLen,
                                diag::warn_format_non_standard_conversion_spec);
  }

  if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
    HandleNonStandardConversionSpecifier(ConvSpec, startSpecifier,
                                         specifierLen);

  // Everything below needs the data arguments, which are not inspected when
  // they are passed as a va_list.
  if (ArgPassingKind == Sema::FAPK_VAList)
    return true;

  if (!CheckNumArgs(FS, ConvSpec, startSpecifier, specifierLen, argIndex))
    return false;

  const Expr *Arg = getDataArg(argIndex);
  if (!Arg)
    return true;

  const analyze_format_string::ArgType &AT = FS.getArgType(S.Context);
  if (!AT.isValid())
    return true;

  // Compare the specifier with the argument's type.
  analyze_format_string::ArgType::MatchKind Match =
      AT.matchesType(S.Context, Arg->getType());
  Match = handleFormatSignedness(Match, S.getDiagnostics(), Arg->getExprLoc());
  if (Match == analyze_format_string::ArgType::Match)
    return true;

  // Try to derive a specifier that fits the argument, for the fix-it.
  ScanfSpecifier fixedFS = FS;
  const bool Fixable =
      fixedFS.fixType(Arg->getType(), Arg->IgnoreImpCasts()->getType(),
                      S.getLangOpts(), S.Context);

  const unsigned Diag =
      Match == analyze_format_string::ArgType::NoMatchPedantic
          ? diag::warn_format_conversion_argument_type_mismatch_pedantic
          : diag::warn_format_conversion_argument_type_mismatch;

  const CharSourceRange SpecRange =
      getSpecifierRange(startSpecifier, specifierLen);

  if (!Fixable) {
    // No corrected specifier is available: warn without a fix-it.
    EmitFormatDiagnostic(S.PDiag(Diag)
                             << AT.getRepresentativeTypeName(S.Context)
                             << Arg->getType() << false
                             << Arg->getSourceRange(),
                         Arg->getBeginLoc(),
                         /*IsStringLocation*/ false, SpecRange);
    return true;
  }

  // Render the corrected specifier and offer it as a replacement.
  SmallString<128> FixBuf;
  llvm::raw_svector_ostream FixOS(FixBuf);
  fixedFS.toString(FixOS);

  EmitFormatDiagnostic(S.PDiag(Diag)
                           << AT.getRepresentativeTypeName(S.Context)
                           << Arg->getType() << false
                           << Arg->getSourceRange(),
                       Arg->getBeginLoc(),
                       /*IsStringLocation*/ false, SpecRange,
                       FixItHint::CreateReplacement(SpecRange, FixOS.str()));
  return true;
}
7808
/// Runs the literal-level checks on a format string and then hands it to the
/// printf or scanf checker selected by \p Type.
///
/// Literal-level diagnostics, each of which ends the check: a literal that is
/// neither ASCII nor UTF-8, a literal truncated by its declared array type
/// with no embedded null character, and an empty format string when data
/// arguments are present. Format string types other than the printf family
/// and scanf are not checked here.
static void CheckFormatString(
    Sema &S, const FormatStringLiteral *FExpr, const Expr *OrigFormatExpr,
    ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
    unsigned format_idx, unsigned firstDataArg, Sema::FormatStringType Type,
    bool inFunctionCall, Sema::VariadicCallType CallType,
    llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
    bool IgnoreStringsWithoutSpecifiers) {
  // The literal-level diagnostics differ only in their diagnostic ID.
  auto DiagnoseLiteral = [&](unsigned DiagID) {
    CheckFormatHandler::EmitFormatDiagnostic(
        S, inFunctionCall, Args[format_idx], S.PDiag(DiagID),
        FExpr->getBeginLoc(),
        /*IsStringLocation*/ true, OrigFormatExpr->getSourceRange());
  };

  // CHECK: is the format string a wide literal?
  if (!FExpr->isAscii() && !FExpr->isUTF8()) {
    DiagnoseLiteral(diag::warn_format_string_is_wide_literal);
    return;
  }

  // The format string. NOTE: this is NOT null-terminated, so every parser
  // below is given an explicit [Begin, End) range.
  const StringRef Literal = FExpr->getString();
  const char *const Begin = Literal.data();

  // The declared array type can be shorter than the literal; parse at most
  // TypeSize - 1 characters, and nothing when TypeSize is 0.
  const ConstantArrayType *ArrayTy =
      S.Context.getAsConstantArrayType(FExpr->getType());
  assert(ArrayTy && "String literal not of constant array type!");
  const size_t TypeSize = ArrayTy->getZExtSize();
  const size_t MaxChars = std::max(TypeSize, size_t(1)) - 1;
  const size_t StrLen = std::min(MaxChars, Literal.size());
  const char *const End = Begin + StrLen;

  // NOTE(review): unsigned subtraction; presumably callers guarantee
  // firstDataArg <= Args.size() -- confirm, they are not visible here.
  const unsigned numDataArgs = Args.size() - firstDataArg;

  if (IgnoreStringsWithoutSpecifiers &&
      !analyze_format_string::parseFormatStringHasFormattingSpecifiers(
          Begin, End, S.getLangOpts(), S.Context.getTargetInfo()))
    return;

  // Warn when the literal is truncated and the part that fits contains no
  // embedded null character.
  if (TypeSize <= Literal.size() &&
      !Literal.substr(0, TypeSize).contains('\0')) {
    DiagnoseLiteral(diag::warn_printf_format_string_not_null_terminated);
    return;
  }

  // CHECK: empty format string?
  if (StrLen == 0 && numDataArgs > 0) {
    DiagnoseLiteral(diag::warn_empty_format_string);
    return;
  }

  const bool IsPrintfFamily =
      Type == Sema::FST_Printf || Type == Sema::FST_NSString ||
      Type == Sema::FST_FreeBSDKPrintf || Type == Sema::FST_OSLog ||
      Type == Sema::FST_OSTrace;

  if (IsPrintfFamily) {
    const bool IsNSStringOrOSTrace =
        Type == Sema::FST_NSString || Type == Sema::FST_OSTrace;
    CheckPrintfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
                         numDataArgs, IsNSStringOrOSTrace, Begin, APK, Args,
                         format_idx, inFunctionCall, CallType, CheckedVarArgs,
                         UncoveredArg);

    const bool ParserResult = analyze_format_string::ParsePrintfString(
        H, Begin, End, S.getLangOpts(), S.Context.getTargetInfo(),
        Type == Sema::FST_FreeBSDKPrintf);
    if (!ParserResult)
      H.DoneProcessing();
  } else if (Type == Sema::FST_Scanf) {
    CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
                        numDataArgs, Begin, APK, Args, format_idx,
                        inFunctionCall, CallType, CheckedVarArgs,
                        UncoveredArg);

    const bool ParserResult = analyze_format_string::ParseScanfString(
        H, Begin, End, S.getLangOpts(), S.Context.getTargetInfo());
    if (!ParserResult)
      H.DoneProcessing();
  } // TODO: handle other formats
}
7884
/// Returns the result of ParseFormatStringHasSArg() over the characters of
/// \p FExpr, limited to what fits in the literal's declared array type.
bool Sema::FormatStringHasSArg(const StringLiteral *FExpr) {
  // The format string. NOTE: this is NOT null-terminated, so the parser is
  // given an explicit end pointer.
  const StringRef Literal = FExpr->getString();
  const char *const Begin = Literal.data();

  // The declared array type can be shorter than the literal; parse at most
  // TypeSize - 1 characters, and nothing when TypeSize is 0.
  const ConstantArrayType *ArrayTy =
      Context.getAsConstantArrayType(FExpr->getType());
  assert(ArrayTy && "String literal not of constant array type!");
  const size_t TypeSize = ArrayTy->getZExtSize();
  const size_t MaxChars = std::max(TypeSize, size_t(1)) - 1;
  const size_t StrLen = std::min(MaxChars, Literal.size());

  return analyze_format_string::ParseFormatStringHasSArg(
      Begin, Begin + StrLen, getLangOpts(), Context.getTargetInfo());
}
7898
7899 //===--- CHECK: Warn on use of wrong absolute value function. -------------===//
7900
// Returns the next larger absolute value function in the same family (for
// example abs -> labs -> llabs), or 0 if one does not exist.
static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) {
  switch (AbsFunction) {
  // Integer family, builtin spelling.
  case Builtin::BI__builtin_abs:
    return Builtin::BI__builtin_labs;
  case Builtin::BI__builtin_labs:
    return Builtin::BI__builtin_llabs;

  // Floating-point family, builtin spelling.
  case Builtin::BI__builtin_fabsf:
    return Builtin::BI__builtin_fabs;
  case Builtin::BI__builtin_fabs:
    return Builtin::BI__builtin_fabsl;

  // Complex family, builtin spelling.
  case Builtin::BI__builtin_cabsf:
    return Builtin::BI__builtin_cabs;
  case Builtin::BI__builtin_cabs:
    return Builtin::BI__builtin_cabsl;

  // Integer family, library spelling.
  case Builtin::BIabs:
    return Builtin::BIlabs;
  case Builtin::BIlabs:
    return Builtin::BIllabs;

  // Floating-point family, library spelling.
  case Builtin::BIfabsf:
    return Builtin::BIfabs;
  case Builtin::BIfabs:
    return Builtin::BIfabsl;

  // Complex family, library spelling.
  case Builtin::BIcabsf:
    return Builtin::BIcabs;
  case Builtin::BIcabs:
    return Builtin::BIcabsl;

  // The last member of each family (llabs, fabsl, cabsl and their builtin
  // spellings) and every other value have no larger function.
  default:
    return 0;
  }
}
7951
// Returns the type of the single parameter of the absolute value function
// AbsType. A null QualType is returned when AbsType is 0, when the builtin's
// type cannot be obtained, or when that type is not a function prototype with
// exactly one parameter.
static QualType getAbsoluteValueArgumentType(ASTContext &Context,
                                             unsigned AbsType) {
  if (AbsType == 0)
    return QualType();

  ASTContext::GetBuiltinTypeError Err = ASTContext::GE_None;
  const QualType FnTy = Context.GetBuiltinType(AbsType, Err);
  if (Err != ASTContext::GE_None)
    return QualType();

  const auto *Proto = FnTy->getAs<FunctionProtoType>();
  const bool IsUnaryPrototype = Proto && Proto->getNumParams() == 1;
  return IsUnaryPrototype ? Proto->getParamType(0) : QualType();
}
7972
// Returns the best absolute value function for ArgType, or zero, starting from
// AbsFunctionKind and walking towards the larger functions of the same family.
//
// The first function whose parameter is at least as large as ArgType is
// remembered; a later function whose parameter has the same type as ArgType
// takes precedence over it and ends the search.
static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType,
                                   unsigned AbsFunctionKind) {
  const uint64_t ArgSize = Context.getTypeSize(ArgType);
  unsigned FirstLargeEnough = 0;

  unsigned Kind = AbsFunctionKind;
  while (Kind != 0) {
    // NOTE(review): getAbsoluteValueArgumentType() can return a null QualType,
    // which is handed straight to getTypeSize(); presumably that never happens
    // for the absolute value builtins walked here -- confirm.
    const QualType ParamType = getAbsoluteValueArgumentType(Context, Kind);
    if (Context.getTypeSize(ParamType) >= ArgSize) {
      if (FirstLargeEnough == 0)
        FirstLargeEnough = Kind;
      else if (Context.hasSameType(ParamType, ArgType))
        return Kind;
    }
    Kind = getLargerAbsoluteValueFunction(Kind);
  }

  return FirstLargeEnough;
}
7993
// The family of absolute value function that fits an argument type.
enum AbsoluteValueKind {
  AVK_Integer,  // integral or enumeration types
  AVK_Floating, // real floating-point types
  AVK_Complex,  // complex types
};
7999
// Classifies T as an integer, floating-point or complex type. Any other type
// reaches llvm_unreachable, so callers must pass one of these three.
static AbsoluteValueKind getAbsoluteValueKind(QualType T) {
  if (T->isIntegralOrEnumerationType()) {
    return AVK_Integer;
  } else if (T->isRealFloatingType()) {
    return AVK_Floating;
  } else if (T->isAnyComplexType()) {
    return AVK_Complex;
  }

  llvm_unreachable("Type not integer, floating, or complex");
}
8010
// Maps the absolute value function AbsKind to the first function of the family
// named by ValueKind (abs, fabsf or cabsf), keeping the builtin or library
// spelling of AbsKind. Returns 0 when AbsKind already belongs to that family
// or is not an absolute value function.
static unsigned changeAbsFunction(unsigned AbsKind,
                                  AbsoluteValueKind ValueKind) {
  switch (ValueKind) {
  case AVK_Integer:
    // Floating-point and complex functions become abs.
    switch (AbsKind) {
    case Builtin::BI__builtin_fabsf:
    case Builtin::BI__builtin_fabs:
    case Builtin::BI__builtin_fabsl:
    case Builtin::BI__builtin_cabsf:
    case Builtin::BI__builtin_cabs:
    case Builtin::BI__builtin_cabsl:
      return Builtin::BI__builtin_abs;

    case Builtin::BIfabsf:
    case Builtin::BIfabs:
    case Builtin::BIfabsl:
    case Builtin::BIcabsf:
    case Builtin::BIcabs:
    case Builtin::BIcabsl:
      return Builtin::BIabs;

    default:
      return 0;
    }

  case AVK_Floating:
    // Integer and complex functions become fabsf.
    switch (AbsKind) {
    case Builtin::BI__builtin_abs:
    case Builtin::BI__builtin_labs:
    case Builtin::BI__builtin_llabs:
    case Builtin::BI__builtin_cabsf:
    case Builtin::BI__builtin_cabs:
    case Builtin::BI__builtin_cabsl:
      return Builtin::BI__builtin_fabsf;

    case Builtin::BIabs:
    case Builtin::BIlabs:
    case Builtin::BIllabs:
    case Builtin::BIcabsf:
    case Builtin::BIcabs:
    case Builtin::BIcabsl:
      return Builtin::BIfabsf;

    default:
      return 0;
    }

  case AVK_Complex:
    // Integer and floating-point functions become cabsf.
    switch (AbsKind) {
    case Builtin::BI__builtin_abs:
    case Builtin::BI__builtin_labs:
    case Builtin::BI__builtin_llabs:
    case Builtin::BI__builtin_fabsf:
    case Builtin::BI__builtin_fabs:
    case Builtin::BI__builtin_fabsl:
      return Builtin::BI__builtin_cabsf;

    case Builtin::BIabs:
    case Builtin::BIlabs:
    case Builtin::BIllabs:
    case Builtin::BIfabsf:
    case Builtin::BIfabs:
    case Builtin::BIfabsl:
      return Builtin::BIcabsf;

    default:
      return 0;
    }
  }
  llvm_unreachable("Unable to convert function");
}
8076
// Returns the builtin ID of FDecl when it is one of the absolute value
// functions listed below, and 0 otherwise (including when FDecl has no
// identifier).
static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) {
  if (!FDecl->getIdentifier())
    return 0;

  const unsigned BuiltinID = FDecl->getBuiltinID();
  switch (BuiltinID) {
  // Builtin spellings.
  case Builtin::BI__builtin_abs:
  case Builtin::BI__builtin_labs:
  case Builtin::BI__builtin_llabs:
  case Builtin::BI__builtin_fabsf:
  case Builtin::BI__builtin_fabs:
  case Builtin::BI__builtin_fabsl:
  case Builtin::BI__builtin_cabsf:
  case Builtin::BI__builtin_cabs:
  case Builtin::BI__builtin_cabsl:
  // Library spellings.
  case Builtin::BIabs:
  case Builtin::BIlabs:
  case Builtin::BIllabs:
  case Builtin::BIfabsf:
  case Builtin::BIfabs:
  case Builtin::BIfabsl:
  case Builtin::BIcabsf:
  case Builtin::BIcabs:
  case Builtin::BIcabsl:
    return BuiltinID;

  default:
    return 0;
  }
}
8107
// If the replacement is valid, emits a note naming the replacement function,
// with a fix-it over Range. Additionally suggests including the proper header
// when lookup finds no suitable declaration of the replacement.
//
// C++ code with a non-complex argument is pointed at std::abs; everything else
// is pointed at the builtin AbsKind by name. In the second case nothing at all
// is emitted when lookup of that name finds something other than the builtin.
static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range,
                            unsigned AbsKind, QualType ArgType) {
  bool NeedHeaderHint = true;
  const char *Header = nullptr;
  StringRef Replacement;

  const bool SuggestStdAbs =
      S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType();

  if (SuggestStdAbs) {
    Replacement = "std::abs";
    if (ArgType->isIntegralOrEnumerationType())
      Header = "cstdlib";
    else if (ArgType->isRealFloatingType())
      Header = "cmath";
    else
      llvm_unreachable("Invalid Type");

    // Lookup all std::abs
    if (NamespaceDecl *Std = S.getStdNamespace()) {
      LookupResult Overloads(S, &S.Context.Idents.get("abs"), Loc,
                             Sema::LookupAnyName);
      Overloads.suppressDiagnostics();
      S.LookupQualifiedName(Overloads, Std);

      for (const auto *Found : Overloads) {
        // Look through a using-declaration to the declaration it names.
        const NamedDecl *Target = Found;
        if (const auto *Shadow = dyn_cast<UsingShadowDecl>(Found))
          Target = Shadow->getTargetDecl();

        // Only one-parameter functions are candidates.
        const auto *Candidate = dyn_cast<FunctionDecl>(Target);
        if (!Candidate || Candidate->getNumParams() != 1)
          continue;

        // Check that the parameter type can handle the argument.
        // NOTE(review): getAbsoluteValueKind() is unreachable for a parameter
        // that is not integer, floating or complex; this presumably relies on
        // every one-parameter function found here being arithmetic -- confirm.
        const QualType ParamType = Candidate->getParamDecl(0)->getType();
        if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) &&
            S.Context.getTypeSize(ArgType) <=
                S.Context.getTypeSize(ParamType)) {
          // Found a function, don't need the header hint.
          NeedHeaderHint = false;
          break;
        }
      }
    }
  } else {
    Replacement = S.Context.BuiltinInfo.getName(AbsKind);
    Header = S.Context.BuiltinInfo.getHeaderName(AbsKind);

    if (Header) {
      DeclarationName DN(&S.Context.Idents.get(Replacement));
      LookupResult Existing(S, DN, Loc, Sema::LookupAnyName);
      Existing.suppressDiagnostics();
      S.LookupName(Existing, S.getCurScope());

      if (Existing.isSingleResult()) {
        // The name must resolve to this very builtin, otherwise the fix-it
        // would call something else.
        const auto *FD = dyn_cast<FunctionDecl>(Existing.getFoundDecl());
        if (!FD || FD->getBuiltinID() != AbsKind)
          return;
        NeedHeaderHint = false;
      } else if (!Existing.empty()) {
        // Several declarations were found: stay silent.
        return;
      }
    }
  }

  S.Diag(Loc, diag::note_replace_abs_function)
      << Replacement << FixItHint::CreateReplacement(Range, Replacement);

  if (Header && NeedHeaderHint)
    S.Diag(Loc, diag::note_include_header_or_declare) << Header
                                                      << Replacement;
}
/// Returns true when \p FDecl is non-null, has a plain identifier spelled
/// exactly \p Str, and reports isInStdNamespace(). A null \p FDecl or a
/// declaration without an identifier yields false.
template <std::size_t StrLen>
static bool IsStdFunction(const FunctionDecl *FDecl,
                          const char (&Str)[StrLen]) {
  if (!FDecl)
    return false;

  const IdentifierInfo *Name = FDecl->getIdentifier();
  return Name && Name->isStr(Str) && FDecl->isInStdNamespace();
}
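/// Warn when a call depends on NaN or infinity handling that the
/// floating-point options in effect at the call have disabled.
///
/// The NaN group is std::isnan, std::isunordered and __builtin_nanf; it is
/// diagnosed when getNoHonorNaNs() is set. The infinity group is std::isinf,
/// std::isfinite and any function whose identifier is "infinity"; it is
/// diagnosed when getNoHonorInfs() is set. Both use
/// warn_fp_nan_inf_when_disabled, with first selector 1 for NaN and 0 for
/// infinity.
///
/// \param Call  the call expression being checked; must be non-null.
/// \param FDecl the callee declaration; may be null.
void Sema::CheckInfNaNFunction(const CallExpr *Call,
                               const FunctionDecl *FDecl) {
  FPOptions FPO = Call->getFPFeaturesInEffect(getLangOpts());

  const bool UsesNaN = IsStdFunction(FDecl, "isnan") ||
                       IsStdFunction(FDecl, "isunordered") ||
                       Call->getBuiltinCallee() == Builtin::BI__builtin_nanf;
  if (UsesNaN && FPO.getNoHonorNaNs()) {
    Diag(Call->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
        << 1 << 0 << Call->getSourceRange();
    return;
  }

  // IsStdFunction() tolerates a null FDecl, but the "infinity" name test used
  // to dereference it unconditionally; guard it so a null callee cannot crash
  // the compiler here.
  // NOTE(review): unlike the other names, "infinity" is matched without a
  // std-namespace check - presumably to catch numeric_limits<T>::infinity();
  // confirm that any function with this name is meant to match.
  const bool UsesInf =
      IsStdFunction(FDecl, "isinf") || IsStdFunction(FDecl, "isfinite") ||
      (FDecl && FDecl->getIdentifier() && FDecl->getName() == "infinity");
  if (UsesInf && FPO.getNoHonorInfs())
    Diag(Call->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
        << 0 << 0 << Call->getSourceRange();
}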
/// Diagnose suspicious one-argument calls to the abs family of functions.
///
/// Checks, in order: an unsigned argument (the call is pointless), a pointer,
/// array or function argument, a parameter narrower than the argument (the
/// value is converted to the narrower type before the call), and a function
/// of the wrong value kind for the argument. The last two are skipped for
/// std::abs. Where a better function exists, emitReplacement() adds a fix-it.
void Sema::CheckAbsoluteValueFunction(const CallExpr *Call,
                                      const FunctionDecl *FDecl) {
  if (Call->getNumArgs() != 1)
    return;

  const unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl);
  const bool IsStdAbs = IsStdFunction(FDecl, "abs");
  if (AbsKind == 0 && !IsStdAbs)
    return;

  // ArgType is the type the user wrote; ParamType is the type after the
  // implicit conversions applied to match the callee's parameter.
  const Expr *Arg = Call->getArg(0);
  QualType ArgType = Arg->IgnoreParenImpCasts()->getType();
  QualType ParamType = Arg->getType();

  const SourceLocation CallLoc = Call->getExprLoc();
  const SourceRange CalleeRange = Call->getCallee()->getSourceRange();

  // An unsigned value is never negative, so suggest dropping the call.
  if (ArgType->isUnsignedIntegerType()) {
    StringRef FunctionName =
        IsStdAbs ? "std::abs" : Context.BuiltinInfo.getName(AbsKind);
    Diag(CallLoc, diag::warn_unsigned_abs) << ArgType << ParamType;
    Diag(CallLoc, diag::note_remove_abs)
        << FunctionName << FixItHint::CreateRemoval(CalleeRange);
    return;
  }

  // The absolute value of a pointer is almost certainly a mistake: the author
  // probably meant to index, dereference, or call.
  if (ArgType->isPointerType() || ArgType->canDecayToPointerType()) {
    // Selector: 0 = pointer, 1 = function, 2 = array.
    const unsigned DiagType = ArgType->isFunctionType() ? 1
                              : ArgType->isArrayType()  ? 2
                                                        : 0;
    Diag(CallLoc, diag::warn_pointer_abs) << DiagType << ArgType;
    return;
  }

  // std::abs is overloaded, which avoids most of the remaining problems.
  if (IsStdAbs)
    return;

  AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType);
  AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType);

  if (ArgValueKind != ParamValueKind) {
    // Wrong family of function for this argument; look for the right one and
    // stay silent if there is none.
    unsigned Better = changeAbsFunction(AbsKind, ArgValueKind);
    Better = getBestAbsFunction(Context, ArgType, Better);
    if (Better == 0)
      return;

    Diag(CallLoc, diag::warn_wrong_absolute_value_type)
        << FDecl << ParamValueKind << ArgValueKind;
    emitReplacement(*this, CallLoc, CalleeRange, Better, ArgType);
    return;
  }

  // Same kind on both sides: the only remaining problem is a parameter that
  // is narrower than the argument.
  if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType))
    return;

  const unsigned Wider = getBestAbsFunction(Context, ArgType, AbsKind);
  Diag(CallLoc, diag::warn_abs_too_small) << FDecl << ArgType << ParamType;
  if (Wider != 0)
    emitReplacement(*this, CallLoc, CalleeRange, Wider, ArgType);
}
//===--- CHECK: Warn on use of std::max and unsigned zero. ----------------===//

/// Warn about a two-argument std::max call, instantiated with a single
/// unsigned integer template argument, in which exactly one argument is a
/// literal zero, and offer a fix-it that reduces the call to the other
/// argument in parentheses.
///
/// Nothing is diagnosed inside template instantiations or when the call
/// location comes from a macro.
void Sema::CheckMaxUnsignedZero(const CallExpr *Call,
                                const FunctionDecl *FDecl) {
  if (!Call || !FDecl)
    return;

  // Skip template instantiations and macro expansions.
  if (inTemplateInstantiation() || Call->getExprLoc().isMacroID())
    return;

  // Only the std::max with one template argument and two parameters matters.
  if (Call->getNumArgs() != 2 || !IsStdFunction(FDecl, "max"))
    return;
  const auto *TemplateArgs = FDecl->getTemplateSpecializationArgs();
  if (!TemplateArgs || TemplateArgs->size() != 1)
    return;

  // That template argument has to be an unsigned integer type.
  const auto &OnlyArg = TemplateArgs->get(0);
  if (OnlyArg.getKind() != TemplateArgument::Type)
    return;
  QualType ElemType = OnlyArg.getAsType();
  if (!ElemType->isUnsignedIntegerType())
    return;

  // True for an integer literal 0 wrapped in a materialized temporary.
  auto IsLiteralZeroArg = [](const Expr *E) -> bool {
    if (const auto *Temp = dyn_cast<MaterializeTemporaryExpr>(E))
      if (const auto *Lit = dyn_cast<IntegerLiteral>(Temp->getSubExpr()))
        return Lit->getValue() == 0;
    return false;
  };

  const Expr *LHSArg = Call->getArg(0);
  const Expr *RHSArg = Call->getArg(1);
  const bool ZeroIsFirst = IsLiteralZeroArg(LHSArg);
  const bool ZeroIsSecond = IsLiteralZeroArg(RHSArg);

  // Diagnose only when exactly one of the two arguments is zero.
  if (ZeroIsFirst == ZeroIsSecond)
    return;

  const SourceRange LHSRange = LHSArg->getSourceRange();
  const SourceRange RHSRange = RHSArg->getSourceRange();
  const SourceRange CalleeRange = Call->getCallee()->getSourceRange();

  Diag(Call->getExprLoc(), diag::warn_max_unsigned_zero)
      << ZeroIsFirst << CalleeRange << (ZeroIsFirst ? LHSRange : RHSRange);

  // Work out what to delete so that "std::max(0u, foo)" becomes "(foo)":
  // either the zero up to the start of the second argument, or everything
  // from the end of the first argument through the zero.
  const SourceRange ArgRemoval =
      ZeroIsFirst
          ? SourceRange(LHSRange.getBegin(),
                        RHSRange.getBegin().getLocWithOffset(-1))
          : SourceRange(getLocForEndOfToken(LHSRange.getEnd()),
                        RHSRange.getEnd());

  Diag(Call->getExprLoc(), diag::note_remove_max_call)
      << FixItHint::CreateRemoval(CalleeRange)
      << FixItHint::CreateRemoval(ArgRemoval);
}
//===--- CHECK: Standard memory functions ---------------------------------===//
/// Warn when the expression passed as the size_t argument of a function such
/// as memcmp or strncat is itself a comparison or logical operation.
///
/// This catches a misplaced parenthesis, as in
/// `if (memcmp(&a, &b, sizeof(a) > 0))`, where the length evaluates to 0 or 1
/// and so almost none of the buffer is actually processed.
///
/// Two notes follow the warning: one moves the closing parenthesis to just
/// after the operator's left-hand side, the other wraps the expression in a
/// `(size_t)(...)` cast to silence the warning.
///
/// \returns true if a diagnostic was emitted, false otherwise.
static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E,
                                           IdentifierInfo *FnName,
                                           SourceLocation FnLoc,
                                           SourceLocation RParenLoc) {
  // Only a binary <=>, >, <, >=, <=, ==, != or a logical &&, || is of interest.
  const auto *SizeOp = dyn_cast<BinaryOperator>(E);
  if (!SizeOp || !(SizeOp->isComparisonOp() || SizeOp->isLogicalOp()))
    return false;

  const SourceRange OpRange = SizeOp->getSourceRange();
  const SourceLocation OpBegin = OpRange.getBegin();

  S.Diag(SizeOp->getOperatorLoc(), diag::warn_memsize_comparison)
      << OpRange << FnName;

  // Fix-it 1: close the call right after the left operand.
  S.Diag(FnLoc, diag::note_memsize_comparison_paren)
      << FnName
      << FixItHint::CreateInsertion(
             S.getLocForEndOfToken(SizeOp->getLHS()->getEndLoc()), ")")
      << FixItHint::CreateRemoval(RParenLoc);

  // Fix-it 2: keep the expression but make the intent explicit with a cast.
  S.Diag(OpBegin, diag::note_memsize_comparison_cast_silence)
      << FixItHint::CreateInsertion(OpBegin, "(size_t)(")
      << FixItHint::CreateInsertion(S.getLocForEndOfToken(OpRange.getEnd()),
                                    ")");

  return true;
}
/// Find a dynamic class (e.g. one with a vtable) that \p T either is or
/// contains by value in one of its fields, looking through array types.
///
/// \param T            the type to inspect.
/// \param IsContained  set to true when the returned class was found in a
///                     field rather than being \p T's own element type; set
///                     to false otherwise.
/// \returns the dynamic class, or nullptr if there is none or the record has
///          no valid definition.
static const CXXRecordDecl *getContainedDynamicClass(QualType T,
                                                     bool &IsContained) {
  IsContained = false;

  // Strip array dimensions; qualifiers are irrelevant here.
  const Type *ElemTy = T->getBaseElementTypeUnsafe();

  const CXXRecordDecl *Record = ElemTy->getAsCXXRecordDecl();
  if (Record)
    Record = Record->getDefinition();
  if (!Record || Record->isInvalidDecl())
    return nullptr;

  if (Record->isDynamicClass())
    return Record;

  // A dynamic base would already have made the class dynamic, so only the
  // fields remain to be searched. A class cannot contain itself by value, so
  // this recursion terminates.
  for (auto *Field : Record->fields()) {
    bool Ignored;
    const CXXRecordDecl *Inner =
        getContainedDynamicClass(Field->getType(), Ignored);
    if (!Inner)
      continue;
    IsContained = true;
    return Inner;
  }

  return nullptr;
}
/// Returns \p E as a UnaryExprOrTypeTraitExpr if it is a sizeof expression,
/// otherwise nullptr. No parentheses or casts are stripped here.
static const UnaryExprOrTypeTraitExpr *getAsSizeOfExpr(const Expr *E) {
  const auto *Trait = dyn_cast<UnaryExprOrTypeTraitExpr>(E);
  return (Trait && Trait->getKind() == UETT_SizeOf) ? Trait : nullptr;
}
/// If \p E is a sizeof applied to an expression (not to a type), returns that
/// operand with parentheses and implicit casts stripped; otherwise returns
/// nullptr.
static const Expr *getSizeOfExprArg(const Expr *E) {
  const UnaryExprOrTypeTraitExpr *SizeOf = getAsSizeOfExpr(E);
  if (!SizeOf || SizeOf->isArgumentType())
    return nullptr;
  return SizeOf->getArgumentExpr()->IgnoreParenImpCasts();
}
/// If \p E is a sizeof expression, returns the type of its argument;
/// otherwise returns a null QualType.
static QualType getSizeOfArgType(const Expr *E) {
  const UnaryExprOrTypeTraitExpr *SizeOf = getAsSizeOfExpr(E);
  return SizeOf ? SizeOf->getTypeOfArgument() : QualType();
}
namespace {

/// Visitor over the fields of a record that emits note_nontrivial_field
/// (selector 1) for every ARC strong or weak field it reaches, recursing
/// through nested structs and array element types. Entry point: diag().
struct SearchNonTrivialToInitializeField
    : DefaultInitializedTypeVisitor<SearchNonTrivialToInitializeField> {
  using Super =
      DefaultInitializedTypeVisitor<SearchNonTrivialToInitializeField>;

  SearchNonTrivialToInitializeField(const Expr *E, Sema &S) : E(E), S(S) {}

  /// Route array types to visitArray(); everything else goes to the base.
  void visitWithKind(QualType::PrimitiveDefaultInitializeKind PDIK, QualType FT,
                     SourceLocation SL) {
    if (const auto *AT = asDerived().getContext().getAsArrayType(FT))
      asDerived().visitArray(PDIK, AT, SL);
    else
      Super::visitWithKind(PDIK, FT, SL);
  }

  void visitARCStrong(QualType FT, SourceLocation SL) { noteField(SL); }
  void visitARCWeak(QualType FT, SourceLocation SL) { noteField(SL); }

  /// Visit each field of the record type \p FT at the field's own location.
  void visitStruct(QualType FT, SourceLocation SL) {
    const auto *Record = FT->castAs<RecordType>()->getDecl();
    for (const FieldDecl *Field : Record->fields())
      visit(Field->getType(), Field->getLocation());
  }

  /// Arrays are handled by visiting their base element type once.
  void visitArray(QualType::PrimitiveDefaultInitializeKind PDIK,
                  const ArrayType *AT, SourceLocation SL) {
    visit(getContext().getBaseElementType(AT), SL);
  }

  /// Trivial fields need no note.
  void visitTrivial(QualType FT, SourceLocation SL) {}

  /// Emit the field notes for record type \p RT, attached to expression \p E.
  static void diag(QualType RT, const Expr *E, Sema &S) {
    SearchNonTrivialToInitializeField Visitor(E, S);
    Visitor.visitStruct(RT, SourceLocation());
  }

  ASTContext &getContext() { return S.getASTContext(); }

  const Expr *E; // Expression the notes are attached to.
  Sema &S;

private:
  /// Shared body of the ARC strong/weak callbacks.
  void noteField(SourceLocation SL) {
    S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 1);
  }
};

/// Counterpart of SearchNonTrivialToInitializeField for copying: emits
/// note_nontrivial_field (selector 0) for every ARC strong or weak field it
/// reaches. Entry point: diag().
struct SearchNonTrivialToCopyField
    : CopiedTypeVisitor<SearchNonTrivialToCopyField, false> {
  using Super = CopiedTypeVisitor<SearchNonTrivialToCopyField, false>;

  SearchNonTrivialToCopyField(const Expr *E, Sema &S) : E(E), S(S) {}

  /// Route array types to visitArray(); everything else goes to the base.
  void visitWithKind(QualType::PrimitiveCopyKind PCK, QualType FT,
                     SourceLocation SL) {
    if (const auto *AT = asDerived().getContext().getAsArrayType(FT))
      asDerived().visitArray(PCK, AT, SL);
    else
      Super::visitWithKind(PCK, FT, SL);
  }

  void visitARCStrong(QualType FT, SourceLocation SL) { noteField(SL); }
  void visitARCWeak(QualType FT, SourceLocation SL) { noteField(SL); }

  /// Visit each field of the record type \p FT at the field's own location.
  void visitStruct(QualType FT, SourceLocation SL) {
    const auto *Record = FT->castAs<RecordType>()->getDecl();
    for (const FieldDecl *Field : Record->fields())
      visit(Field->getType(), Field->getLocation());
  }

  /// Arrays are handled by visiting their base element type once.
  void visitArray(QualType::PrimitiveCopyKind PCK, const ArrayType *AT,
                  SourceLocation SL) {
    visit(getContext().getBaseElementType(AT), SL);
  }

  // The remaining visitor callbacks intentionally do nothing.
  void preVisit(QualType::PrimitiveCopyKind PCK, QualType FT,
                SourceLocation SL) {}
  void visitTrivial(QualType FT, SourceLocation SL) {}
  void visitVolatileTrivial(QualType FT, SourceLocation SL) {}

  /// Emit the field notes for record type \p RT, attached to expression \p E.
  static void diag(QualType RT, const Expr *E, Sema &S) {
    SearchNonTrivialToCopyField Visitor(E, S);
    Visitor.visitStruct(RT, SourceLocation());
  }

  ASTContext &getContext() { return S.getASTContext(); }

  const Expr *E; // Expression the notes are attached to.
  Sema &S;

private:
  /// Shared body of the ARC strong/weak callbacks.
  void noteField(SourceLocation SL) {
    S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
  }
};

} // namespace
/// Heuristic: does \c SizeofExpr look like it computes the size of an object?
///
/// After stripping parentheses and implicit casts, the answer is yes for a
/// sizeof expression, and for a multiplication or addition in which either
/// operand (recursively) qualifies. Any other binary operator yields false.
static bool doesExprLikelyComputeSize(const Expr *SizeofExpr) {
  SizeofExpr = SizeofExpr->IgnoreParenImpCasts();

  const auto *BinOp = dyn_cast<BinaryOperator>(SizeofExpr);
  if (!BinOp)
    return getAsSizeOfExpr(SizeofExpr) != nullptr;

  switch (BinOp->getOpcode()) {
  case BO_Mul:
  case BO_Add:
    return doesExprLikelyComputeSize(BinOp->getLHS()) ||
           doesExprLikelyComputeSize(BinOp->getRHS());
  default:
    return false;
  }
}
/// Check whether the argument at \p ArgLoc came from a macro that was passed
/// to the call at \p CallLoc.
///
/// \code
///   #define MACRO 0
///   foo(MACRO);
///   foo(0);
/// \endcode
///
/// The result should be true for the first call to foo and false for the
/// second, whether foo is a macro or a function. The test compares file IDs:
/// of the two locations directly when the call is not in a macro, and of
/// their immediate macro caller locations when it is.
static bool isArgumentExpandedFromMacro(SourceManager &SM,
                                        SourceLocation CallLoc,
                                        SourceLocation ArgLoc) {
  if (CallLoc.isMacroID()) {
    const auto CallFile = SM.getFileID(SM.getImmediateMacroCallerLoc(CallLoc));
    const auto ArgFile = SM.getFileID(SM.getImmediateMacroCallerLoc(ArgLoc));
    return CallFile != ArgFile;
  }

  return SM.getFileID(CallLoc) != SM.getFileID(ArgLoc);
}
/// Diagnose memset/bzero calls whose size argument looks wrong, such as
/// 'memset(buf, sizeof(buf), 0)' where the last two arguments are transposed.
///
/// Two patterns are flagged:
///  - a literal zero size that was not produced by a macro argument. Such a
///    call writes nothing, so the buffer the author meant to clear keeps its
///    previous contents;
///  - for memset only, a fill value that looks like a size computation
///    combined with a size that does not.
///
/// Calls for any other builtin are ignored. The argument count is not
/// re-checked here; the caller CheckMemaccessArguments validates it first.
static void CheckMemaccessSize(Sema &S, unsigned BId, const CallExpr *Call) {
  const bool IsMemset = BId == Builtin::BImemset;
  const bool IsBzero = BId == Builtin::BIbzero;
  if (!IsMemset && !IsBzero)
    return;

  // The size is the third argument of memset and the second of bzero.
  const unsigned SizeIdx = IsMemset ? 2 : 1;
  const Expr *SizeArg = Call->getArg(SizeIdx)->IgnoreImpCasts();

  // True for an integer or character literal whose value is zero.
  auto isLiteralZero = [](const Expr *E) {
    if (const auto *Int = dyn_cast<IntegerLiteral>(E))
      return Int->getValue() == 0;
    if (const auto *Chr = dyn_cast<CharacterLiteral>(E))
      return Chr->getValue() == 0;
    return false;
  };

  const SourceLocation CallLoc = Call->getRParenLoc();
  SourceManager &SM = S.getSourceManager();

  // Setting zero bytes is most likely a mistake.
  const bool SizeIsZero =
      isLiteralZero(SizeArg) &&
      !isArgumentExpandedFromMacro(SM, CallLoc, SizeArg->getExprLoc());
  if (SizeIsZero) {
    const SourceLocation DiagLoc = SizeArg->getExprLoc();

    // Some platforms #define bzero to __builtin_memset; detect that so the
    // diagnostic talks about the function the user actually wrote.
    const bool SpelledBzero =
        IsBzero ||
        (CallLoc.isMacroID() &&
         Lexer::getImmediateMacroName(CallLoc, SM, S.getLangOpts()) == "bzero");
    if (SpelledBzero) {
      S.Diag(DiagLoc, diag::warn_suspicious_bzero_size);
      S.Diag(DiagLoc, diag::note_suspicious_bzero_size_silence);
    } else if (!isLiteralZero(Call->getArg(1)->IgnoreImpCasts())) {
      // memset(p, 0, 0) is left alone; only a non-zero fill value with a zero
      // size suggests the two were swapped.
      S.Diag(DiagLoc, diag::warn_suspicious_sizeof_memset) << 0;
      S.Diag(DiagLoc, diag::note_suspicious_sizeof_memset_silence) << 0;
    }
    return;
  }

  if (!IsMemset)
    return;

  // A sizeof-like second argument with a non-sizeof third argument is also a
  // likely transposition, e.g. 'memset(buf, sizeof(buf), 0xff)'.
  const Expr *ValueArg = Call->getArg(1);
  if (doesExprLikelyComputeSize(ValueArg) &&
      !doesExprLikelyComputeSize(Call->getArg(2))) {
    const SourceLocation DiagLoc = ValueArg->getExprLoc();
    S.Diag(DiagLoc, diag::warn_suspicious_sizeof_memset) << 1;
    S.Diag(DiagLoc, diag::note_suspicious_sizeof_memset_silence) << 1;
  }
}
/// Check the memory operands and the length argument of a call to the memory
/// builtin \p BId for well-known misuse patterns.
///
/// The checks, in order:
///  - a comparison used as the length (CheckMemorySizeofForComparison);
///  - a transposed or zero size for memset/bzero (CheckMemaccessSize);
///  - 'sizeof(p)' where 'sizeof(*p)' was meant, i.e. the length is the sizeof
///    of the very expression passed as the pointer;
///  - 'sizeof(T*)'-style lengths whose type matches the pointer operand while
///    the pointee is a record;
///  - raw memory access to dynamic classes, to objects with non-trivial ObjC
///    lifetime, and to C structs that are non-trivial to initialize or copy.
///
/// At most one operand is diagnosed: the loop stops after the first hit. A
/// void pointer operand is never diagnosed, which callers can use to silence
/// false positives.
///
/// \param Call   the call expression.
/// \param BId    the builtin ID of the callee; must be non-zero.
/// \param FnName the callee's name, used in diagnostics.
void Sema::CheckMemaccessArguments(const CallExpr *Call,
                                   unsigned BId,
                                   IdentifierInfo *FnName) {
  assert(BId != 0);

  const bool IsMemset = BId == Builtin::BImemset;
  const bool IsBzero = BId == Builtin::BIbzero;
  const bool IsStrndup = BId == Builtin::BIstrndup;
  const bool IsCmp = BId == Builtin::BImemcmp || BId == Builtin::BIbcmp;
  const bool IsCopy = BId == Builtin::BImemcpy || BId == Builtin::BImemmove;

  // A non-standard definition of one of these functions may take fewer
  // arguments than the checks below index; stop if that is the case.
  const unsigned MinArgs = (IsStrndup || IsBzero) ? 2 : 3;
  if (Call->getNumArgs() < MinArgs)
    return;

  // Arguments [0, NumMemArgs) are the memory operands; LenIdx is the length.
  const unsigned NumMemArgs = (IsMemset || IsBzero || IsStrndup) ? 1 : 2;
  const unsigned LenIdx = (IsBzero || IsStrndup) ? 1 : 2;
  const Expr *LenExpr = Call->getArg(LenIdx)->IgnoreParenImpCasts();

  if (CheckMemorySizeofForComparison(*this, LenExpr, FnName,
                                     Call->getBeginLoc(), Call->getRParenLoc()))
    return;

  // Catch cases like 'memset(buf, sizeof(buf), 0)'.
  CheckMemaccessSize(*this, BId, Call);

  // The remaining checks are driven by a length that is a sizeof expression.
  QualType SizeOfArgTy = getSizeOfArgType(LenExpr);
  const Expr *SizeOfArg = getSizeOfExprArg(LenExpr);
  llvm::FoldingSetNodeID SizeOfArgID;

  // 'bzero' is widely used but not standard, so be stricter about its
  // argument types: only the form bzero(ptr, sizeof(...)) is diagnosed.
  QualType FirstArgTy = Call->getArg(0)->IgnoreParenImpCasts()->getType();
  if (IsBzero && !FirstArgTy->getAs<PointerType>())
    return;

  for (unsigned ArgIdx = 0; ArgIdx != NumMemArgs; ++ArgIdx) {
    const Expr *Operand = Call->getArg(ArgIdx)->IgnoreParenImpCasts();
    const SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange();

    QualType OperandTy = Operand->getType();
    QualType PointeeTy;
    if (const PointerType *PtrTy = OperandTy->getAs<PointerType>()) {
      PointeeTy = PtrTy->getPointeeType();

      // Never warn about void pointers; a cast to void* is the documented way
      // to suppress these diagnostics.
      if (PointeeTy->isVoidType())
        continue;

      // Catch "memset(p, 0, sizeof(p))", which needs sizeof(*p), by comparing
      // the two expressions structurally. Profiling expressions can be
      // expensive, so it is done only when the warning is enabled.
      if (SizeOfArg &&
          !Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess,
                           SizeOfArg->getExprLoc())) {
        // The sizeof operand's ID is computed once and reused across operands.
        if (SizeOfArgID == llvm::FoldingSetNodeID())
          SizeOfArg->Profile(SizeOfArgID, Context, true);
        llvm::FoldingSetNodeID OperandID;
        Operand->Profile(OperandID, Context, true);

        if (OperandID == SizeOfArgID) {
          // TODO: For strncpy() and friends, this could suggest sizeof(dst)
          // over sizeof(src) as well.

          // Selector for the note: 0 = dereference the operand, 1 = drop the
          // address-of operator, 2 = give an explicit length. Later
          // assignments take precedence over earlier ones.
          unsigned ActionIdx = 0;
          if (const auto *AddrOf = dyn_cast<UnaryOperator>(Operand))
            if (AddrOf->getOpcode() == UO_AddrOf)
              ActionIdx = 1;
          if (!PointeeTy->isIncompleteType() &&
              Context.getTypeSize(PointeeTy) == Context.getCharWidth())
            ActionIdx = 2; // Pointee is char-sized: sizeof(*p) would be 1.

          StringRef ReadableName = FnName->getName();
          SourceLocation SL = SizeOfArg->getExprLoc();
          SourceRange OperandRange = Operand->getSourceRange();
          SourceRange SizeOfRange = SizeOfArg->getSourceRange();
          SourceManager &SM = getSourceManager();

          // If the function is defined as a builtin macro, report the macro's
          // name and the spelling locations instead of the expansion.
          if (SM.isMacroArgExpansion(SL)) {
            ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts);
            SL = SM.getSpellingLoc(SL);
            OperandRange =
                SourceRange(SM.getSpellingLoc(OperandRange.getBegin()),
                            SM.getSpellingLoc(OperandRange.getEnd()));
            SizeOfRange =
                SourceRange(SM.getSpellingLoc(SizeOfRange.getBegin()),
                            SM.getSpellingLoc(SizeOfRange.getEnd()));
          }

          DiagRuntimeBehavior(SL, SizeOfArg,
                              PDiag(diag::warn_sizeof_pointer_expr_memaccess)
                                  << ReadableName << PointeeTy << OperandTy
                                  << OperandRange << SizeOfRange);
          DiagRuntimeBehavior(
              SL, SizeOfArg,
              PDiag(diag::warn_sizeof_pointer_expr_memaccess_note)
                  << ActionIdx << SizeOfRange);

          break;
        }
      }

      // Also flag a sizeof whose argument type is the same as the memory
      // operand's (pointer) type when the pointee is a record type.
      if (SizeOfArgTy != QualType() && PointeeTy->isRecordType() &&
          Context.typesAreCompatible(SizeOfArgTy, OperandTy)) {
        DiagRuntimeBehavior(LenExpr->getExprLoc(), Operand,
                            PDiag(diag::warn_sizeof_pointer_type_memaccess)
                                << FnName << SizeOfArgTy << ArgIdx << PointeeTy
                                << Operand->getSourceRange()
                                << LenExpr->getSourceRange());
        break;
      }
    } else if (OperandTy->isArrayType()) {
      PointeeTy = OperandTy;
    }

    if (PointeeTy == QualType())
      continue;

    // Raw access to a dynamic class is always diagnosed.
    bool IsContained;
    if (const CXXRecordDecl *ContainedRD =
            getContainedDynamicClass(PointeeTy, IsContained)) {
      // Selector 0 ("overwritten") is used for the destination of any call
      // other than a comparison; otherwise a verb that fits the call.
      unsigned OperationType = 0;
      if (ArgIdx != 0 || IsCmp) {
        if (BId == Builtin::BImemcpy)
          OperationType = 1;
        else if (BId == Builtin::BImemmove)
          OperationType = 2;
        else if (IsCmp)
          OperationType = 3;
      }

      DiagRuntimeBehavior(Operand->getExprLoc(), Operand,
                          PDiag(diag::warn_dyn_class_memaccess)
                              << (IsCmp ? ArgIdx + 2 : ArgIdx) << FnName
                              << IsContained << ContainedRD << OperationType
                              << Call->getCallee()->getSourceRange());
    } else if (PointeeTy.hasNonTrivialObjCLifetime() && !IsMemset) {
      DiagRuntimeBehavior(Operand->getExprLoc(), Operand,
                          PDiag(diag::warn_arc_object_memaccess)
                              << ArgIdx << FnName << PointeeTy
                              << Call->getCallee()->getSourceRange());
    } else if (const auto *RT = PointeeTy->getAs<RecordType>()) {
      if ((IsMemset || IsBzero) &&
          RT->getDecl()->isNonTrivialToPrimitiveDefaultInitialize()) {
        DiagRuntimeBehavior(Operand->getExprLoc(), Operand,
                            PDiag(diag::warn_cstruct_memaccess)
                                << ArgIdx << FnName << PointeeTy << 0);
        SearchNonTrivialToInitializeField::diag(PointeeTy, Operand, *this);
      } else if (IsCopy && RT->getDecl()->isNonTrivialToPrimitiveCopy()) {
        DiagRuntimeBehavior(Operand->getExprLoc(), Operand,
                            PDiag(diag::warn_cstruct_memaccess)
                                << ArgIdx << FnName << PointeeTy << 1);
        SearchNonTrivialToCopyField::diag(PointeeTy, Operand, *this);
      } else {
        continue;
      }
    } else {
      continue;
    }

    // One of the three warnings above fired: tell the user how to silence it.
    DiagRuntimeBehavior(
        Operand->getExprLoc(), Operand,
        PDiag(diag::note_bad_memaccess_silence)
            << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)"));
    break;
  }
}
/// Strip additions and subtractions of integer literals from \p Ex, after
/// removing parentheses and casts, and return the remaining operand.
///
/// Only integer literals are skipped, not integer constant expressions in
/// general, so that a sizeof() operand is preserved. \p Ctx is not used by
/// the body.
static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) {
  Ex = Ex->IgnoreParenCasts();

  while (const auto *BinOp = dyn_cast<BinaryOperator>(Ex)) {
    if (!BinOp->isAdditiveOp())
      break;

    const Expr *Right = BinOp->getRHS()->IgnoreParenCasts();
    const Expr *Left = BinOp->getLHS()->IgnoreParenCasts();

    // Keep whichever side is not the literal; stop when neither side is one.
    if (isa<IntegerLiteral>(Right))
      Ex = Left;
    else if (isa<IntegerLiteral>(Left))
      Ex = Right;
    else
      break;
  }

  return Ex;
}
/// Returns true when \p Ty is a constant-size array with more than one
/// element, or a variable-length array. Any other type, including a
/// constant array of zero or one element, yields false, so that no fix-it is
/// offered for flexible-array-style members.
static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty,
                                                      ASTContext &Context) {
  if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty))
    return CAT->getZExtSize() > 1; // Only arrays of size > 1 get the fix-it.

  return Ty->isVariableArrayType();
}
/// Warn when the size argument of a strlcpy/strlcat-style call is derived
/// from the source operand, as in 'strlcpy(dst, x, sizeof(x))' or
/// 'strlcpy(dst, x, strlen(x))'.
///
/// The size bounds the write into the destination, so a value computed from
/// the source does not protect the destination buffer. When the destination
/// is an array with more than one element (or a VLA), a fix-it replaces the
/// size argument with 'sizeof(<destination>)'.
///
/// Only the simple case where both the source and the sizeof/strlen operand
/// are direct references to the same declaration is recognised; literal
/// additions and subtractions around them are ignored.
void Sema::CheckStrlcpycatArguments(const CallExpr *Call,
                                    IdentifierInfo *FnName) {
  // Don't crash if the user has the wrong number of arguments.
  const unsigned NumArgs = Call->getNumArgs();
  if (NumArgs != 3 && NumArgs != 4)
    return;

  const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context);
  const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context);

  if (CheckMemorySizeofForComparison(*this, SizeArg, FnName,
                                     Call->getBeginLoc(), Call->getRParenLoc()))
    return;

  // Look for 'strlcpy(dst, x, sizeof(x))' first, then for
  // 'strlcpy(dst, x, strlen(x))'.
  const Expr *CompareWithSrc = getSizeOfExprArg(SizeArg);
  if (!CompareWithSrc) {
    const auto *SizeCall = dyn_cast<CallExpr>(SizeArg);
    if (SizeCall && SizeCall->getBuiltinCallee() == Builtin::BIstrlen &&
        SizeCall->getNumArgs() == 1)
      CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context);
  }
  if (!CompareWithSrc)
    return;

  // Decide whether the sizeof/strlen operand is the source argument. A more
  // general approach would build an == expression and evaluate it with
  // EvaluateAsBooleanCondition; comparing the referenced declarations is the
  // more direct technique used here.
  const auto *SrcDRE = dyn_cast<DeclRefExpr>(SrcArg);
  if (!SrcDRE)
    return;
  const auto *SizeOperandDRE = dyn_cast<DeclRefExpr>(CompareWithSrc);
  if (!SizeOperandDRE || SrcDRE->getDecl() != SizeOperandDRE->getDecl())
    return;

  const Expr *OriginalSizeArg = Call->getArg(2);
  const SourceRange OriginalSizeRange = OriginalSizeArg->getSourceRange();
  Diag(SizeOperandDRE->getBeginLoc(), diag::warn_strlcpycat_wrong_size)
      << OriginalSizeRange << FnName;

  // Offer a fix-it only if the destination is an array (rather than a
  // pointer to an array). This could be extended to some pointers whose size
  // is known, e.g. suggesting 'sizeof(array)-2' for a destination 'array+2'.
  const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts();
  if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context))
    return;

  // Build the replacement text "sizeof(<dst as written>)".
  SmallString<128> Suggestion;
  llvm::raw_svector_ostream OS(Suggestion);
  OS << "sizeof(";
  DstArg->printPretty(OS, nullptr, getPrintingPolicy());
  OS << ")";

  Diag(OriginalSizeArg->getBeginLoc(), diag::note_strlcpycat_wrong_size)
      << FixItHint::CreateReplacement(OriginalSizeRange, OS.str());
}
/// Check whether two expressions are both direct references (DeclRefExpr) to
/// the same declaration. Either pointer may be null, in which case the
/// result is false.
static bool referToTheSameDecl(const Expr *E1, const Expr *E2) {
  const auto *First = dyn_cast_or_null<DeclRefExpr>(E1);
  if (!First)
    return false;

  const auto *Second = dyn_cast_or_null<DeclRefExpr>(E2);
  return Second && First->getDecl() == Second->getDecl();
}
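/// If \p E is a direct call to a function whose memory-function kind is
/// strlen, returns the call's first argument with parentheses and casts
/// stripped; otherwise returns nullptr.
///
/// \param E the expression to inspect; must be non-null.
/// \returns the strlen operand, or nullptr when \p E is not such a call or
///          the call has no arguments.
static const Expr *getStrlenExprArg(const Expr *E) {
  const auto *CE = dyn_cast<CallExpr>(E);
  if (!CE)
    return nullptr;

  const FunctionDecl *FD = CE->getDirectCallee();
  if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen)
    return nullptr;

  // Don't index past the argument list. CheckStrlcpycatArguments verifies the
  // argument count before reading a strlen operand for the same pattern; a
  // non-standard declaration of strlen can presumably produce a call with no
  // arguments here as well.
  if (CE->getNumArgs() == 0)
    return nullptr;

  return CE->getArg(0)->IgnoreParenCasts();
}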
/// Diagnose strncat calls whose length argument has one of the commonly
/// mistaken forms:
///   - sizeof(dst)
///   - sizeof(dst) - strlen(dst)
///   - sizeof(src), or sizeof(src) - (anything)
///
/// The third argument of strncat bounds the number of characters appended,
/// not the size of the destination, and a terminating NUL is written after
/// them; each form above can therefore write past the end of the
/// destination. When the destination is a constant-size array with more than
/// one element, a note with a fix-it to "sizeof(dst) - strlen(dst) - 1" is
/// attached to the warning.
void Sema::CheckStrncatArguments(const CallExpr *CE,
                                 IdentifierInfo *FnName) {
  // A malformed call with too few arguments must not crash the check.
  if (CE->getNumArgs() < 3)
    return;

  const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts();
  const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts();
  const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts();

  if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getBeginLoc(),
                                     CE->getRParenLoc()))
    return;

  // Classify the length expression: DstSized covers the forms built from
  // sizeof(dst), SrcSized the forms built from sizeof(src).
  enum : unsigned { NoPattern = 0, DstSized = 1, SrcSized = 2 };
  const auto ClassifyLength = [&]() -> unsigned {
    if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) {
      // sizeof(dst)
      if (referToTheSameDecl(SizeOfArg, DstArg))
        return DstSized;
      // sizeof(src)
      if (referToTheSameDecl(SizeOfArg, SrcArg))
        return SrcSized;
      return NoPattern;
    }

    const auto *Sub = dyn_cast<BinaryOperator>(LenArg);
    if (!Sub || Sub->getOpcode() != BO_Sub)
      return NoPattern;

    const Expr *L = Sub->getLHS()->IgnoreParenCasts();
    const Expr *R = Sub->getRHS()->IgnoreParenCasts();
    // sizeof(dst) - strlen(dst)
    if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) &&
        referToTheSameDecl(DstArg, getStrlenExprArg(R)))
      return DstSized;
    // sizeof(src) - (anything)
    if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L)))
      return SrcSized;
    return NoPattern;
  };

  const unsigned Pattern = ClassifyLength();
  if (Pattern == NoPattern)
    return;

  // Work out where to report.
  SourceLocation WarnLoc = LenArg->getBeginLoc();
  SourceRange WarnRange = LenArg->getSourceRange();
  SourceManager &SM = getSourceManager();

  // If the function is defined as a builtin macro, point at the spelling
  // rather than showing the macro expansion.
  if (SM.isMacroArgExpansion(WarnLoc)) {
    const SourceLocation SpellBegin = SM.getSpellingLoc(WarnRange.getBegin());
    const SourceLocation SpellEnd = SM.getSpellingLoc(WarnRange.getEnd());
    WarnLoc = SM.getSpellingLoc(WarnLoc);
    WarnRange = SourceRange(SpellBegin, SpellEnd);
  }

  // Only a destination that is an array (not a pointer to one) has a size
  // that sizeof() reports correctly, so only then can a fix-it be offered.
  const bool DstIsSizedArray =
      isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context);

  unsigned WarnID = diag::warn_strncat_src_size;
  if (Pattern == DstSized)
    WarnID = DstIsSizedArray ? diag::warn_strncat_large_size
                             : diag::warn_strncat_wrong_size;
  Diag(WarnLoc, WarnID) << WarnRange;

  if (!DstIsSizedArray)
    return;

  // Spell out the suggested replacement for the length argument.
  SmallString<128> FixItText;
  llvm::raw_svector_ostream OS(FixItText);
  OS << "sizeof(";
  DstArg->printPretty(OS, nullptr, getPrintingPolicy());
  OS << ") - " << "strlen(";
  DstArg->printPretty(OS, nullptr, getPrintingPolicy());
  OS << ") - 1";

  Diag(WarnLoc, diag::note_strncat_wrong_size)
      << FixItHint::CreateReplacement(WarnRange, OS.str());
}
9021
namespace {
/// Emit warn_free_nonheap_object for \p D, reported at the start of
/// \p UnaryExpr, when \p D is a field, function or variable declaration.
/// Any other kind of declaration is ignored.
void CheckFreeArgumentsOnLvalue(Sema &S, const std::string &CalleeName,
                                const UnaryOperator *UnaryExpr, const Decl *D) {
  if (!isa<FieldDecl, FunctionDecl, VarDecl>(D))
    return;

  S.Diag(UnaryExpr->getBeginLoc(), diag::warn_free_nonheap_object)
      << CalleeName << 0 /*object: */ << cast<NamedDecl>(D);
}

/// Handle an argument of the form '&x' or '&obj.member'.
void CheckFreeArgumentsAddressof(Sema &S, const std::string &CalleeName,
                                 const UnaryOperator *UnaryExpr) {
  const Expr *Operand = UnaryExpr->getSubExpr();

  if (const auto *Ref = dyn_cast<DeclRefExpr>(Operand)) {
    const Decl *D = Ref->getDecl();
    const auto *Declarator = dyn_cast<DeclaratorDecl>(D);
    // Declarations of reference type are skipped: taking the address of a
    // reference yields the address of the object it is bound to, which this
    // check cannot classify.
    if (Declarator && !Declarator->getType()->isReferenceType()) {
      CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr, D);
      return;
    }
  }

  if (const auto *Member = dyn_cast<MemberExpr>(Operand))
    CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr,
                               Member->getMemberDecl());
}

/// Handle an argument of the form '+<lambda>': warn when the operand of the
/// unary plus, with implicit nodes and parentheses stripped, is a lambda
/// expression.
void CheckFreeArgumentsPlus(Sema &S, const std::string &CalleeName,
                            const UnaryOperator *UnaryExpr) {
  const Expr *Operand =
      UnaryExpr->getSubExpr()->IgnoreImplicitAsWritten()->IgnoreParens();

  if (const auto *Lambda = dyn_cast<LambdaExpr>(Operand))
    S.Diag(Lambda->getBeginLoc(), diag::warn_free_nonheap_object)
        << CalleeName << 2 /*object: lambda expression*/;
}

/// Handle an argument that names an array: warn when \p Lvalue refers to a
/// variable declaration.
void CheckFreeArgumentsStackArray(Sema &S, const std::string &CalleeName,
                                  const DeclRefExpr *Lvalue) {
  if (const auto *Var = dyn_cast<VarDecl>(Lvalue->getDecl()))
    S.Diag(Lvalue->getBeginLoc(), diag::warn_free_nonheap_object)
        << CalleeName << 0 /*object: */ << Var;
}

/// Handle an argument that is itself a cast. A warning quoting the cast
/// expression is issued for:
///   - a bit cast whose operand has function pointer type,
///   - an integral-to-pointer cast whose operand is an integer literal,
///   - a function-to-pointer decay.
/// Every other cast is left alone.
void CheckFreeArgumentsCast(Sema &S, const std::string &CalleeName,
                            const CastExpr *Cast) {
  const clang::CastKind Kind = Cast->getCastKind();
  const Expr *Operand = Cast->getSubExpr();

  bool ShouldWarn = false;
  switch (Kind) {
  case clang::CK_BitCast:
    ShouldWarn = Operand->getType()->isFunctionPointerType();
    break;
  case clang::CK_IntegralToPointer:
    ShouldWarn =
        isa<IntegerLiteral>(Operand->IgnoreParenImpCasts()->IgnoreParens());
    break;
  case clang::CK_FunctionToPointerDecay:
    ShouldWarn = true;
    break;
  default:
    break;
  }
  if (!ShouldWarn)
    return;

  // Quote the cast expression as written for the diagnostic text.
  SmallString<128> Spelling;
  llvm::raw_svector_ostream OS(Spelling);
  OS << '\'';
  Cast->printPretty(OS, nullptr, S.getPrintingPolicy());
  OS << '\'';

  S.Diag(Cast->getBeginLoc(), diag::warn_free_nonheap_object)
      << CalleeName << 0 /*object: */ << OS.str();
}
} // namespace
9097
/// Warn (warn_free_nonheap_object) when the first argument of the call \p E
/// visibly does not name heap storage: the address of a declaration or
/// member, a lambda behind unary plus, an array variable, a label address, a
/// block, or one of the casts recognised by CheckFreeArgumentsCast.
void Sema::CheckFreeArguments(const CallExpr *E) {
  // NOTE(review): cast<> and getArg(0) assume the call has a FunctionDecl
  // callee and at least one argument; confirm every caller guarantees both.
  const std::string CalleeName =
      cast<FunctionDecl>(E->getCalleeDecl())->getQualifiedNameAsString();

  // Look first at the argument with parentheses and casts stripped, which
  // keeps the simple cases free of cast handling.
  const Expr *Stripped = E->getArg(0)->IgnoreParenCasts();

  if (const auto *UnaryExpr = dyn_cast<UnaryOperator>(Stripped)) {
    const UnaryOperator::Opcode Op = UnaryExpr->getOpcode();
    if (Op == UnaryOperator::Opcode::UO_AddrOf) {
      CheckFreeArgumentsAddressof(*this, CalleeName, UnaryExpr);
      return;
    }
    if (Op == UnaryOperator::Opcode::UO_Plus) {
      CheckFreeArgumentsPlus(*this, CalleeName, UnaryExpr);
      return;
    }
  }

  if (const auto *Lvalue = dyn_cast<DeclRefExpr>(Stripped)) {
    if (Lvalue->getType()->isArrayType()) {
      CheckFreeArgumentsStackArray(*this, CalleeName, Lvalue);
      return;
    }
  }

  if (const auto *Label = dyn_cast<AddrLabelExpr>(Stripped)) {
    Diag(Label->getBeginLoc(), diag::warn_free_nonheap_object)
        << CalleeName << 0 /*object: */ << Label->getLabel()->getIdentifier();
    return;
  }

  if (isa<BlockExpr>(Stripped)) {
    Diag(Stripped->getBeginLoc(), diag::warn_free_nonheap_object)
        << CalleeName << 1 /*object: block*/;
    return;
  }

  // None of the stripped forms matched, so the cast itself may be what
  // matters; inspect the argument as written.
  if (const auto *Cast = dyn_cast<CastExpr>(E->getArg(0)))
    CheckFreeArgumentsCast(*this, CalleeName, Cast);
}
9134
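/// Run the return-value checks for a return statement at \p ReturnLoc:
/// a null value returned where non-null is required, a null return from a
/// potentially throwing operator new / new[], a WebAssembly table type, and
/// (on PPC64) the PPC MMA type check.
///
/// \param RetValExp    The returned expression. The WebAssembly check treats
///                     it as possibly null, so the PPC check does too.
/// \param lhsType      The type consulted by isNonNullType().
/// \param ReturnLoc    Location used for every diagnostic emitted here.
/// \param isObjCMethod Whether the enclosing function is an Objective-C
///                     method; selects the wording of warn_null_ret.
/// \param Attrs        Optional attribute list searched for
///                     ReturnsNonNullAttr.
/// \param FD           Optional enclosing function, used for the operator
///                     new check.
void
Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType,
                         SourceLocation ReturnLoc,
                         bool isObjCMethod,
                         const AttrVec *Attrs,
                         const FunctionDecl *FD) {
  // Check if the return value is null but should not be.
  if (((Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs)) ||
       (!isObjCMethod && isNonNullType(lhsType))) &&
      CheckNonNullExpr(*this, RetValExp))
    Diag(ReturnLoc, diag::warn_null_ret)
      << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange();

  // C++11 [basic.stc.dynamic.allocation]p4:
  //   If an allocation function declared with a non-throwing
  //   exception-specification fails to allocate storage, it shall return
  //   a null pointer. Any other allocation function that fails to allocate
  //   storage shall indicate failure only by throwing an exception [...]
  if (FD) {
    OverloadedOperatorKind Op = FD->getOverloadedOperator();
    if (Op == OO_New || Op == OO_Array_New) {
      const FunctionProtoType *Proto
        = FD->getType()->castAs<FunctionProtoType>();
      if (!Proto->isNothrow(/*ResultIfDependent*/true) &&
          CheckNonNullExpr(*this, RetValExp))
        Diag(ReturnLoc, diag::warn_operator_new_returns_null)
          << FD << getLangOpts().CPlusPlus11;
    }
  }

  if (RetValExp && RetValExp->getType()->isWebAssemblyTableType()) {
    Diag(ReturnLoc, diag::err_wasm_table_art) << 1;
  }

  // PPC MMA non-pointer types are not allowed as return type. Checking the type
  // here prevents the user from using a PPC MMA type as trailing return type.
  // The WebAssembly check above already allows for a null RetValExp, so guard
  // the dereference here as well instead of assuming a value is present.
  if (RetValExp && Context.getTargetInfo().getTriple().isPPC64())
    PPC().CheckPPCMMAType(RetValExp->getType(), ReturnLoc);
}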
9174
/// Diagnose floating-point equality comparisons (== and !=).
///
/// Two diagnostics can result:
///   - warn_float_compare_literal, when a floating literal is compared with
///     a cast from a floating type that cannot represent the literal
///     exactly, so the outcome of the comparison is fixed;
///   - warn_floatingpoint_eq (-Wfloat-equal) for other equality comparisons,
///     except 'x == x', comparisons against exactly representable literals,
///     and comparisons involving a builtin call.
void Sema::CheckFloatComparison(SourceLocation Loc, Expr *LHS, Expr *RHS,
                                BinaryOperatorKind Opcode) {
  if (!BinaryOperator::isEqualityOp(Opcode))
    return;

  // Match and capture subexpressions such as "(float) X == 0.1": one side a
  // floating literal, the other a cast. Both captures are overwritten on
  // every attempt.
  FloatingLiteral *Literal = nullptr;
  CastExpr *CastSide = nullptr;
  auto MatchLiteralAgainstCast = [&Literal, &CastSide](Expr *MaybeLiteral,
                                                       Expr *MaybeCast) {
    Literal = dyn_cast<FloatingLiteral>(MaybeLiteral->IgnoreParens());
    CastSide = dyn_cast<CastExpr>(MaybeCast->IgnoreParens());
    return Literal && CastSide;
  };

  const bool Matched =
      MatchLiteralAgainstCast(LHS, RHS) || MatchLiteralAgainstCast(RHS, LHS);
  if (Matched) {
    auto *SourceTy = CastSide->getSubExpr()->getType()->getAs<BuiltinType>();
    auto *TargetTy = Literal->getType()->getAs<BuiltinType>();
    const bool BothFloating = SourceTy && TargetTy &&
                              SourceTy->isFloatingPoint() &&
                              TargetTy->isFloatingPoint();
    if (BothFloating) {
      // Round the literal into the cast operand's own floating semantics and
      // see whether information is lost on the way.
      bool LosesInfo = false;
      llvm::APFloat Rounded = Literal->getValue();
      Rounded.convert(Context.getFloatTypeSemantics(QualType(SourceTy, 0)),
                      llvm::APFloat::rmNearestTiesToEven, &LosesInfo);
      if (LosesInfo) {
        // If the literal cannot be represented in the source type, then a
        // check for == is always false and check for != is always true.
        Diag(Loc, diag::warn_float_compare_literal)
            << (Opcode == BO_EQ) << QualType(SourceTy, 0)
            << LHS->getSourceRange() << RHS->getSourceRange();
        return;
      }
    }
  }

  // From here on: the more general floating-point equality comparison
  // (-Wfloat-equal).
  Expr *LeftBare = LHS->IgnoreParenImpCasts();
  Expr *RightBare = RHS->IgnoreParenImpCasts();

  // Special case: x == x is OK; do not warn.
  auto *LeftRef = dyn_cast<DeclRefExpr>(LeftBare);
  auto *RightRef = LeftRef ? dyn_cast<DeclRefExpr>(RightBare) : nullptr;
  if (RightRef && LeftRef->getDecl() == RightRef->getDecl())
    return;

  // Special case: comparisons against literals that can be exactly
  // represented by APFloat are not diagnosed. This is a heuristic: such
  // comparisons are often used to detect that a value in a variable has not
  // changed. It can clearly lead to false negatives. The right-hand side is
  // only considered when the left-hand side is not a floating literal.
  const FloatingLiteral *ComparedLiteral =
      dyn_cast<FloatingLiteral>(LeftBare);
  if (!ComparedLiteral)
    ComparedLiteral = dyn_cast<FloatingLiteral>(RightBare);
  if (ComparedLiteral && ComparedLiteral->isExact())
    return;

  // Comparisons where either side is a call to a builtin are not diagnosed.
  auto IsBuiltinCall = [](Expr *Side) {
    const auto *Call = dyn_cast<CallExpr>(Side);
    return Call && Call->getBuiltinCallee();
  };
  if (IsBuiltinCall(LeftBare) || IsBuiltinCall(RightBare))
    return;

  // Emit the diagnostic.
  Diag(Loc, diag::warn_floatingpoint_eq)
      << LHS->getSourceRange() << RHS->getSourceRange();
}
9246
9247 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===//
9248 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===//
9249
namespace {

/// Records the 'active' range of an integer-valued expression as a bit
/// count plus a sign flag.
struct IntRange {
  /// How many bits are active in the value. When !NonNegative, exactly one
  /// of them is the sign bit.
  unsigned Width;

  /// Set when the value is known never to be negative. In that case every
  /// leading bit above Width is known to be zero; otherwise those bits are
  /// known to equal the most significant bit inside Width.
  bool NonNegative;

  IntRange(unsigned Width, bool NonNegative)
      : Width(Width), NonNegative(NonNegative) {}

  /// Bit count with the sign bit, if there is one, left out.
  unsigned valueBits() const {
    if (NonNegative)
      return Width;
    return Width - 1;
  }

  /// The range of the bool type: a single non-negative bit.
  static IntRange forBoolType() { return IntRange(1, true); }

  /// The range of an opaque value of the integral type \p T.
  static IntRange forValueOfType(ASTContext &C, QualType T) {
    const Type *Canonical = T->getCanonicalTypeInternal().getTypePtr();
    return forValueOfCanonicalType(C, Canonical);
  }

  /// Step from a vector, complex or atomic type to the type it is built
  /// from. The three steps are applied one after another, in that order.
  static const Type *unwrapElementType(const Type *T) {
    if (const auto *VT = dyn_cast<VectorType>(T))
      T = VT->getElementType().getTypePtr();
    if (const auto *CT = dyn_cast<ComplexType>(T))
      T = CT->getElementType().getTypePtr();
    if (const auto *AT = dyn_cast<AtomicType>(T))
      T = AT->getValueType().getTypePtr();
    return T;
  }

  /// The range of an opaque value of the canonical integral type \p T.
  static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) {
    assert(T->isCanonicalUnqualified());

    T = unwrapElementType(T);

    if (const auto *ET = dyn_cast<EnumType>(T)) {
      if (!C.getLangOpts().CPlusPlus) {
        // In C code an enum is measured by its underlying datatype.
        T = ET->getDecl()->getIntegerType().getDesugaredType(C).getTypePtr();
      } else {
        // In C++ the known bit width of the enumerators is used.
        EnumDecl *Enum = ET->getDecl();

        // C++11 enums may have a fixed underlying type; if so, that type
        // determines the range.
        if (Enum->isFixed())
          return IntRange(C.getIntWidth(QualType(T, 0)),
                          !ET->isSignedIntegerOrEnumerationType());

        const unsigned PositiveBits = Enum->getNumPositiveBits();
        const unsigned NegativeBits = Enum->getNumNegativeBits();

        if (NegativeBits == 0)
          return IntRange(PositiveBits, /*NonNegative=*/true);
        return IntRange(std::max(PositiveBits + 1, NegativeBits),
                        /*NonNegative=*/false);
      }
    }

    if (const auto *BitInt = dyn_cast<BitIntType>(T))
      return IntRange(BitInt->getNumBits(), BitInt->isUnsigned());

    const BuiltinType *BT = cast<BuiltinType>(T);
    assert(BT->isInteger());

    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
  }

  /// The "target" range of the canonical integral type \p T, i.e. the range
  /// of values expressible in the type.
  ///
  /// Same as forValueOfCanonicalType, except that an enum gets the full
  /// range of its type rather than the range of its enumerators.
  static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) {
    assert(T->isCanonicalUnqualified());

    T = unwrapElementType(T);
    if (const auto *ET = dyn_cast<EnumType>(T))
      T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr();

    if (const auto *BitInt = dyn_cast<BitIntType>(T))
      return IntRange(BitInt->getNumBits(), BitInt->isUnsigned());

    const BuiltinType *BT = cast<BuiltinType>(T);
    assert(BT->isInteger());

    return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
  }

  /// The supremum of two ranges, i.e. their conservative merge.
  static IntRange join(IntRange L, IntRange R) {
    const bool BothNonNegative = L.NonNegative && R.NonNegative;
    const unsigned ValueBits = std::max(L.valueBits(), R.valueBits());
    // One extra bit is needed for the sign unless both sides are
    // non-negative.
    return IntRange(ValueBits + !BothNonNegative, BothNonNegative);
  }

  /// The range of a bitwise-AND of the two ranges.
  static IntRange bit_and(IntRange L, IntRange R) {
    unsigned Bits = std::max(L.Width, R.Width);
    // A non-negative operand caps the result at its own width.
    if (L.NonNegative)
      Bits = std::min(Bits, L.Width);
    if (R.NonNegative)
      Bits = std::min(Bits, R.Width);
    return IntRange(Bits, L.NonNegative || R.NonNegative);
  }

  /// The range of a sum of the two ranges.
  static IntRange sum(IntRange L, IntRange R) {
    const bool BothNonNegative = L.NonNegative && R.NonNegative;
    const unsigned ValueBits = std::max(L.valueBits(), R.valueBits());
    return IntRange(ValueBits + 1 + !BothNonNegative, BothNonNegative);
  }

  /// The range of a difference of the two ranges.
  static IntRange difference(IntRange L, IntRange R) {
    // A range one bit wider is needed if:
    //   1) LHS can be negative: the least value can be reduced.
    //   2) RHS can be negative: the greatest value can be increased.
    const bool NeedsExtraBit = !L.NonNegative || !R.NonNegative;
    const bool StaysNonNegative = L.NonNegative && R.Width == 0;
    const unsigned ValueBits = std::max(L.valueBits(), R.valueBits());
    return IntRange(ValueBits + NeedsExtraBit + !StaysNonNegative,
                    StaysNonNegative);
  }

  /// The range of a product of the two ranges.
  static IntRange product(IntRange L, IntRange R) {
    // If both LHS and RHS can be negative, we can form
    //   -2^L * -2^R = 2^(L + R)
    // which requires L + R + 1 value bits to represent.
    const bool BothMayBeNegative = !L.NonNegative && !R.NonNegative;
    const bool BothNonNegative = L.NonNegative && R.NonNegative;
    const unsigned ValueBits = L.valueBits() + R.valueBits();
    return IntRange(ValueBits + BothMayBeNegative + !BothNonNegative,
                    BothNonNegative);
  }

  /// The range of a remainder operation between the two ranges.
  static IntRange rem(IntRange L, IntRange R) {
    // A remainder cannot be larger than either operand, and it takes the
    // sign of the LHS.
    const bool ResultNonNegative = L.NonNegative;
    const unsigned ValueBits = std::min(L.valueBits(), R.valueBits());
    return IntRange(ValueBits + !ResultNonNegative, ResultNonNegative);
  }
};

} // namespace
9416
/// Compute the range occupied by the constant \p value.
///
/// A signed negative value yields a signed range of its significant bits.
/// Any other value is first truncated in place to \p MaxWidth bits when it
/// is wider (the caller's \p value is modified) and then yields a
/// non-negative range of its active bits.
static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value,
                              unsigned MaxWidth) {
  const bool IsNegative = value.isSigned() && value.isNegative();
  if (IsNegative)
    return IntRange(value.getSignificantBits(), false);

  const bool TooWide = value.getBitWidth() > MaxWidth;
  if (TooWide)
    value = value.trunc(MaxWidth);

  // isNonNegative() just checks the sign bit without considering
  // signedness, so the active-bit count is used here instead.
  return IntRange(value.getActiveBits(), true);
}
9429
/// Compute the range occupied by the evaluated constant \p result.
///
/// Integers are measured directly; vectors and complex integers are the
/// join of their components. Anything else must be an lvalue or an
/// address-label difference and is assumed to use all \p MaxWidth bits, with
/// the sign taken from \p Ty.
static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty,
                              unsigned MaxWidth) {
  if (result.isInt())
    return GetValueRange(C, result.getInt(), MaxWidth);

  if (result.isVector()) {
    IntRange Merged = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth);
    const unsigned NumElts = result.getVectorLength();
    for (unsigned Idx = 1; Idx != NumElts; ++Idx) {
      IntRange Elt = GetValueRange(C, result.getVectorElt(Idx), Ty, MaxWidth);
      Merged = IntRange::join(Merged, Elt);
    }
    return Merged;
  }

  if (result.isComplexInt()) {
    IntRange Real = GetValueRange(C, result.getComplexIntReal(), MaxWidth);
    IntRange Imag = GetValueRange(C, result.getComplexIntImag(), MaxWidth);
    return IntRange::join(Real, Imag);
  }

  // This can happen with lossless casts to intptr_t of "based" lvalues.
  // Assume it might use arbitrary bits.
  // FIXME: The only reason we need to pass the type in here is to get
  // the sign right on this one case.  It would be nice if APValue
  // preserved this.
  assert(result.isLValue() || result.isAddrLabelDiff());
  const bool IsUnsigned = Ty->isUnsignedIntegerOrEnumerationType();
  return IntRange(MaxWidth, IsUnsigned);
}
9458
/// Return the type of \p E, replacing an atomic type by the value type it
/// wraps.
static QualType GetExprType(const Expr *E) {
  const QualType Written = E->getType();
  if (const auto *Atomic = Written->getAs<AtomicType>())
    return Atomic->getValueType();
  return Written;
}
9465
/// Pseudo-evaluate the given integer expression, estimating the
/// range of values it might take.
///
/// The expression is first handed to the constant evaluator; only when that
/// fails is its structure inspected (implicit casts, conditional, binary and
/// unary operators, opaque values, bit-fields). Anything not recognised gets
/// the full range of its type.
///
/// \param C The AST context used for evaluation and type widths.
/// \param E The expression to analyse; parentheses are ignored.
/// \param MaxWidth The width to which the value will be truncated.
/// \param InConstantContext Forwarded to the constant evaluator.
/// \param Approximate If \c true, return a likely range for the result: in
///        particular, assume that arithmetic on narrower types doesn't leave
///        those types. If \c false, return a range including all possible
///        result values.
/// \returns The estimated range as a bit width plus a non-negative flag.
static IntRange GetExprRange(ASTContext &C, const Expr *E, unsigned MaxWidth,
                             bool InConstantContext, bool Approximate) {
  E = E->IgnoreParens();

  // Try a full evaluation first.
  Expr::EvalResult result;
  if (E->EvaluateAsRValue(result, C, InConstantContext))
    return GetValueRange(C, result.Val, GetExprType(E), MaxWidth);

  // I think we only want to look through implicit casts here; if the
  // user has an explicit widening cast, we should treat the value as
  // being of the new, wider type.
  if (const auto *CE = dyn_cast<ImplicitCastExpr>(E)) {
    // Casts that do not change the value are transparent.
    if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue)
      return GetExprRange(C, CE->getSubExpr(), MaxWidth, InConstantContext,
                          Approximate);

    IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE));

    bool isIntegerCast = CE->getCastKind() == CK_IntegralCast ||
                         CE->getCastKind() == CK_BooleanToSignedIntegral;

    // Assume that non-integer casts can span the full range of the type.
    if (!isIntegerCast)
      return OutputTypeRange;

    // The operand cannot contribute more bits than the cast's result type
    // holds, so cap the width it is analysed at.
    IntRange SubRange = GetExprRange(C, CE->getSubExpr(),
                                     std::min(MaxWidth, OutputTypeRange.Width),
                                     InConstantContext, Approximate);

    // Bail out if the subexpr's range is as wide as the cast type.
    if (SubRange.Width >= OutputTypeRange.Width)
      return OutputTypeRange;

    // Otherwise, we take the smaller width, and we're non-negative if
    // either the output type or the subexpr is.
    return IntRange(SubRange.Width,
                    SubRange.NonNegative || OutputTypeRange.NonNegative);
  }

  if (const auto *CO = dyn_cast<ConditionalOperator>(E)) {
    // If we can fold the condition, just take that operand.
    bool CondResult;
    if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
      return GetExprRange(C,
                          CondResult ? CO->getTrueExpr() : CO->getFalseExpr(),
                          MaxWidth, InConstantContext, Approximate);

    // Otherwise, conservatively merge.
    // GetExprRange requires an integer expression, but a throw expression
    // results in a void type. A void arm contributes an empty range.
    // Note: this local E shadows the parameter for the rest of the block.
    Expr *E = CO->getTrueExpr();
    IntRange L = E->getType()->isVoidType()
                     ? IntRange{0, true}
                     : GetExprRange(C, E, MaxWidth, InConstantContext, Approximate);
    E = CO->getFalseExpr();
    IntRange R = E->getType()->isVoidType()
                     ? IntRange{0, true}
                     : GetExprRange(C, E, MaxWidth, InConstantContext, Approximate);
    return IntRange::join(L, R);
  }

  if (const auto *BO = dyn_cast<BinaryOperator>(E)) {
    // How the operand ranges are merged once the switch below has picked an
    // operator-specific rule; the default is the conservative join.
    IntRange (*Combine)(IntRange, IntRange) = IntRange::join;

    switch (BO->getOpcode()) {
    case BO_Cmp:
      llvm_unreachable("builtin <=> should have class type");

    // Boolean-valued operations are single-bit and positive.
    case BO_LAnd:
    case BO_LOr:
    case BO_LT:
    case BO_GT:
    case BO_LE:
    case BO_GE:
    case BO_EQ:
    case BO_NE:
      return IntRange::forBoolType();

    // The type of the assignments is the type of the LHS, so the RHS
    // is not necessarily the same type.
    case BO_MulAssign:
    case BO_DivAssign:
    case BO_RemAssign:
    case BO_AddAssign:
    case BO_SubAssign:
    case BO_XorAssign:
    case BO_OrAssign:
      // TODO: bitfields?
      return IntRange::forValueOfType(C, GetExprType(E));

    // Simple assignments just pass through the RHS, which will have
    // been coerced to the LHS type.
    case BO_Assign:
      // TODO: bitfields?
      return GetExprRange(C, BO->getRHS(), MaxWidth, InConstantContext,
                          Approximate);

    // Operations with opaque sources are not analysed; use the full range
    // of the result type.
    case BO_PtrMemD:
    case BO_PtrMemI:
      return IntRange::forValueOfType(C, GetExprType(E));

    // Bitwise-and uses the *infimum* of the two source ranges.
    case BO_And:
    case BO_AndAssign:
      Combine = IntRange::bit_and;
      break;

    // Left shift is not analysed, based on a judgement call.
    case BO_Shl:
      // ...except that we want to treat '1 << (blah)' as logically
      // positive.  It's an important idiom.
      if (IntegerLiteral *I
            = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) {
        if (I->getValue() == 1) {
          IntRange R = IntRange::forValueOfType(C, GetExprType(E));
          return IntRange(R.Width, /*NonNegative*/ true);
        }
      }
      [[fallthrough]];

    case BO_ShlAssign:
      return IntRange::forValueOfType(C, GetExprType(E));

    // Right shift by a constant can narrow its left argument.
    case BO_Shr:
    case BO_ShrAssign: {
      IntRange L = GetExprRange(C, BO->getLHS(), MaxWidth, InConstantContext,
                                Approximate);

      // If the shift amount is a positive constant, drop the width by
      // that much.
      if (std::optional<llvm::APSInt> shift =
              BO->getRHS()->getIntegerConstantExpr(C)) {
        if (shift->isNonNegative()) {
          // Shifting out every bit leaves nothing but the sign bit, if any;
          // this also keeps the subtraction below from wrapping.
          if (shift->uge(L.Width))
            L.Width = (L.NonNegative ? 0 : 1);
          else
            L.Width -= shift->getZExtValue();
        }
      }

      return L;
    }

    // Comma acts as its right operand.
    case BO_Comma:
      return GetExprRange(C, BO->getRHS(), MaxWidth, InConstantContext,
                          Approximate);

    // For +, - and *, the exact rules are only used when the caller asked
    // for a range covering all possible results.
    case BO_Add:
      if (!Approximate)
        Combine = IntRange::sum;
      break;

    case BO_Sub:
      // Pointer subtraction: use the full range of the result type.
      if (BO->getLHS()->getType()->isPointerType())
        return IntRange::forValueOfType(C, GetExprType(E));
      if (!Approximate)
        Combine = IntRange::difference;
      break;

    case BO_Mul:
      if (!Approximate)
        Combine = IntRange::product;
      break;

    // The width of a division result is mostly determined by the size
    // of the LHS.
    case BO_Div: {
      // Don't 'pre-truncate' the operands.
      unsigned opWidth = C.getIntWidth(GetExprType(E));
      IntRange L = GetExprRange(C, BO->getLHS(), opWidth, InConstantContext,
                                Approximate);

      // If the divisor is constant, use that.
      if (std::optional<llvm::APSInt> divisor =
              BO->getRHS()->getIntegerConstantExpr(C)) {
        unsigned log2 = divisor->logBase2(); // floor(log_2(divisor))
        // Same clamp as for right shift: never subtract more bits than the
        // range has.
        if (log2 >= L.Width)
          L.Width = (L.NonNegative ? 0 : 1);
        else
          L.Width = std::min(L.Width - log2, MaxWidth);
        return L;
      }

      // Otherwise, just use the LHS's width.
      // FIXME: This is wrong if the LHS could be its minimal value and the RHS
      // could be -1.
      IntRange R = GetExprRange(C, BO->getRHS(), opWidth, InConstantContext,
                                Approximate);
      return IntRange(L.Width, L.NonNegative && R.NonNegative);
    }

    case BO_Rem:
      Combine = IntRange::rem;
      break;

    // The default behavior is okay for these.
    case BO_Xor:
    case BO_Or:
      break;
    }

    // Combine the two ranges, but limit the result to the type in which we
    // performed the computation.
    QualType T = GetExprType(E);
    unsigned opWidth = C.getIntWidth(T);
    IntRange L =
        GetExprRange(C, BO->getLHS(), opWidth, InConstantContext, Approximate);
    IntRange R =
        GetExprRange(C, BO->getRHS(), opWidth, InConstantContext, Approximate);
    // Note: from here to the end of this block, C names the combined range
    // and shadows the ASTContext parameter.
    IntRange C = Combine(L, R);
    C.NonNegative |= T->isUnsignedIntegerOrEnumerationType();
    C.Width = std::min(C.Width, MaxWidth);
    return C;
  }

  if (const auto *UO = dyn_cast<UnaryOperator>(E)) {
    switch (UO->getOpcode()) {
    // Boolean-valued operations have a known one-bit range.
    case UO_LNot:
      return IntRange::forBoolType();

    // Operations with opaque sources are not analysed; use the full range
    // of the result type.
    case UO_Deref:
    case UO_AddrOf: // should be impossible
      return IntRange::forValueOfType(C, GetExprType(E));

    // Every other unary operator takes the range of its operand.
    default:
      return GetExprRange(C, UO->getSubExpr(), MaxWidth, InConstantContext,
                          Approximate);
    }
  }

  if (const auto *OVE = dyn_cast<OpaqueValueExpr>(E))
    return GetExprRange(C, OVE->getSourceExpr(), MaxWidth, InConstantContext,
                        Approximate);

  // A bit-field is limited by its declared bit width.
  if (const auto *BitField = E->getSourceBitField())
    return IntRange(BitField->getBitWidthValue(C),
                    BitField->getType()->isUnsignedIntegerOrEnumerationType());

  // Nothing more specific is known: the full range of the expression's type.
  return IntRange::forValueOfType(C, GetExprType(E));
}
9721
/// Convenience overload: estimate the range of \p E using the integer width
/// of the expression's own type as the maximum width.
static IntRange GetExprRange(ASTContext &C, const Expr *E,
                             bool InConstantContext, bool Approximate) {
  const unsigned TypeWidth = C.getIntWidth(GetExprType(E));
  return GetExprRange(C, E, TypeWidth, InConstantContext, Approximate);
}
9727
/// Checks whether \p value survives a conversion unchanged: a copy is
/// converted to the \p Src semantics and then to the \p Tgt semantics
/// (round to nearest, ties to even), and the result is compared bitwise
/// with the original.
static bool IsSameFloatAfterCast(const llvm::APFloat &value,
                                 const llvm::fltSemantics &Src,
                                 const llvm::fltSemantics &Tgt) {
  // convert() requires somewhere to report lost information; the flag is
  // not consulted because the bitwise comparison below decides the answer.
  bool LosesInfo;

  llvm::APFloat RoundTripped = value;
  RoundTripped.convert(Src, llvm::APFloat::rmNearestTiesToEven, &LosesInfo);
  RoundTripped.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &LosesInfo);

  return RoundTripped.bitwiseIsEqual(value);
}
9742
/// Checks whether \p value, which currently has the \p Src semantics, keeps
/// its value when coerced through the \p Tgt semantics.
///
/// \p value may be a single float, a vector of floats, or a complex float;
/// for the latter two every component has to pass the check.
static bool IsSameFloatAfterCast(const APValue &value,
                                 const llvm::fltSemantics &Src,
                                 const llvm::fltSemantics &Tgt) {
  if (value.isFloat())
    return IsSameFloatAfterCast(value.getFloat(), Src, Tgt);

  if (value.isVector()) {
    const unsigned NumElts = value.getVectorLength();
    for (unsigned Idx = 0; Idx != NumElts; ++Idx) {
      const bool EltUnchanged =
          IsSameFloatAfterCast(value.getVectorElt(Idx), Src, Tgt);
      if (!EltUnchanged)
        return false;
    }
    return true;
  }

  assert(value.isComplexFloat());
  if (!IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt))
    return false;
  return IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt);
}
9765
9766 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC,
9767 bool IsListInit = false);
9768
/// Returns true if \p E is a reference to an enumerator, or begins inside a
/// macro expansion other than one of the boolean-literal macros (YES, NO,
/// true, false).
///
/// Callers use this to suppress tautological-comparison warnings for
/// constants whose value comes from an enumerator or a macro.
static bool IsEnumConstOrFromMacro(Sema &S, Expr *E) {
  // Suppress cases where we are comparing against an enum constant.
  const auto *DRE = dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts());
  if (DRE && isa<EnumConstantDecl>(DRE->getDecl()))
    return true;

  // Anything that does not start in a macro expansion is not suppressed.
  const SourceLocation StartLoc = E->getBeginLoc();
  if (!StartLoc.isMacroID())
    return false;

  // Suppress cases where the value is expanded from a macro, unless that
  // macro is how a language represents a boolean literal. This is the case in
  // both C and Objective-C.
  const StringRef Name = Lexer::getImmediateMacroName(
      StartLoc, S.getSourceManager(), S.getLangOpts());
  const bool IsBoolLiteralMacro =
      Name == "YES" || Name == "NO" || Name == "true" || Name == "false";
  return !IsBoolLiteralMacro;
}
9789
/// Returns true if \p E has integer type and either that type, or the type of
/// \p E with parentheses and implicit casts stripped, is not a signed integer
/// type.
static bool isKnownToHaveUnsignedValue(Expr *E) {
  const QualType Ty = E->getType();
  if (!Ty->isIntegerType())
    return false;
  if (!Ty->isSignedIntegerType())
    return true;
  // The expression was converted to a signed type; look at what it was before
  // the implicit conversions.
  return !E->IgnoreParenImpCasts()->getType()->isSignedIntegerType();
}
9795
namespace {
/// The promoted range of values of a type. In general this has the
/// following structure:
///
///     |-----------| . . . |-----------|
///     ^           ^       ^           ^
///    Min       HoleMin  HoleMax      Max
///
/// ... where there is only a hole if a signed type is promoted to unsigned
/// (in which case Min and Max are the smallest and largest representable
/// values).
struct PromotedRange {
  // Min, or HoleMax if there is a hole.
  llvm::APSInt PromotedMin;
  // Max, or HoleMin if there is a hole.
  llvm::APSInt PromotedMax;

  /// Builds the range that values of range \p R occupy after promotion to an
  /// integer of \p BitWidth bits with the signedness given by \p Unsigned.
  PromotedRange(IntRange R, unsigned BitWidth, bool Unsigned) {
    // A zero-width range holds a single value: zero.
    if (R.Width == 0) {
      PromotedMin = PromotedMax = llvm::APSInt(BitWidth, Unsigned);
      return;
    }

    if (R.Width >= BitWidth && !Unsigned) {
      // Promotion made the type *narrower*. This happens when promoting
      // a < 32-bit unsigned / <= 32-bit signed bit-field to 'signed int'.
      // Treat all values of 'signed int' as being in range for now.
      PromotedMin = llvm::APSInt::getMinValue(BitWidth, Unsigned);
      PromotedMax = llvm::APSInt::getMaxValue(BitWidth, Unsigned);
      return;
    }

    // Resize a bound of the source range to the promoted width and give it
    // the promoted signedness.
    const auto Promote = [BitWidth, Unsigned](const llvm::APSInt &Bound) {
      llvm::APSInt Promoted = Bound.extOrTrunc(BitWidth);
      Promoted.setIsUnsigned(Unsigned);
      return Promoted;
    };
    PromotedMin = Promote(llvm::APSInt::getMinValue(R.Width, R.NonNegative));
    PromotedMax = Promote(llvm::APSInt::getMaxValue(R.Width, R.NonNegative));
  }

  // Determine whether this range is contiguous (has no hole).
  bool isContiguous() const { return PromotedMin <= PromotedMax; }

  // Where a constant value is within the range. The low bits record which
  // relational operators are known to hold; InRangeFlag records that the
  // constant lies inside the range.
  enum ComparisonResult {
    LT = 0x1,
    LE = 0x2,
    GT = 0x4,
    GE = 0x8,
    EQ = 0x10,
    NE = 0x20,
    InRangeFlag = 0x40,

    Less = LE | LT | NE,
    Min = LE | InRangeFlag,
    InRange = InRangeFlag,
    Max = GE | InRangeFlag,
    Greater = GE | GT | NE,

    OnlyValue = LE | GE | EQ | InRangeFlag,
    InHole = NE
  };

  /// Classifies \p Value relative to this range. \p Value must have the same
  /// bit width and signedness as the stored bounds.
  ComparisonResult compare(const llvm::APSInt &Value) const {
    assert(Value.getBitWidth() == PromotedMin.getBitWidth() &&
           Value.isUnsigned() == PromotedMin.isUnsigned());

    if (!isContiguous()) {
      assert(Value.isUnsigned() && "discontiguous range for signed compare");
      if (Value.isMinValue())
        return Min;
      if (Value.isMaxValue())
        return Max;
      // With a hole, PromotedMin is HoleMax and PromotedMax is HoleMin, so a
      // value at or beyond either one lies in one of the two in-range pieces.
      if (Value >= PromotedMin || Value <= PromotedMax)
        return InRange;
      return InHole;
    }

    const int VsMin = llvm::APSInt::compareValues(Value, PromotedMin);
    if (VsMin == -1)
      return Less;
    if (VsMin == 0)
      return PromotedMin == PromotedMax ? OnlyValue : Min;
    if (VsMin == 1) {
      const int VsMax = llvm::APSInt::compareValues(Value, PromotedMax);
      if (VsMax == -1)
        return InRange;
      if (VsMax == 0)
        return Max;
      if (VsMax == 1)
        return Greater;
    }

    llvm_unreachable("impossible compare result");
  }

  /// Returns the spelling of the value that comparison \p Op always produces
  /// given the classification \p R, or std::nullopt if \p R does not fix the
  /// outcome. \p ConstantOnRHS says on which side of \p Op the constant sits.
  static std::optional<StringRef>
  constantValue(BinaryOperatorKind Op, ComparisonResult R, bool ConstantOnRHS) {
    if (Op == BO_Cmp) {
      // R describes the constant relative to the range; with the constant on
      // the right the roles of "less" and "greater" are exchanged.
      const ComparisonResult LTFlag = ConstantOnRHS ? GT : LT;
      const ComparisonResult GTFlag = ConstantOnRHS ? LT : GT;

      if (R & EQ)
        return StringRef("'std::strong_ordering::equal'");
      if (R & LTFlag)
        return StringRef("'std::strong_ordering::less'");
      if (R & GTFlag)
        return StringRef("'std::strong_ordering::greater'");
      return std::nullopt;
    }

    ComparisonResult TrueFlag, FalseFlag;
    if (Op == BO_EQ) {
      TrueFlag = EQ;
      FalseFlag = NE;
    } else if (Op == BO_NE) {
      TrueFlag = NE;
      FalseFlag = EQ;
    } else {
      const bool IsLTOrGE = Op == BO_LT || Op == BO_GE;
      if (IsLTOrGE != ConstantOnRHS) {
        TrueFlag = LT;
        FalseFlag = GE;
      } else {
        TrueFlag = GT;
        FalseFlag = LE;
      }
      // The non-strict operators are the negations of the strict ones chosen
      // above.
      if (Op == BO_GE || Op == BO_LE)
        std::swap(TrueFlag, FalseFlag);
    }

    if (R & TrueFlag)
      return StringRef("true");
    if (R & FalseFlag)
      return StringRef("false");
    return std::nullopt;
  }
};
} // namespace
9920
/// Returns true if \p E has enumeration type once any outer implicit
/// CK_IntegralCast / CK_NoOp casts have been stripped.
static bool HasEnumType(Expr *E) {
  // Strip off implicit integral promotions.
  for (;;) {
    auto *ICE = dyn_cast<ImplicitCastExpr>(E);
    if (!ICE)
      break;

    const CastKind Kind = ICE->getCastKind();
    if (Kind != CK_IntegralCast && Kind != CK_NoOp)
      break;

    E = ICE->getSubExpr();
  }

  return E->getType()->isEnumeralType();
}
9932
/// Classifies \p Constant as a C++ 'true' literal, a C++ 'false' literal, or
/// anything else, and returns the classification as an integer.
static int classifyConstantValue(Expr *Constant) {
  // The values of this enumeration are used in the diagnostics
  // diag::warn_out_of_range_compare and diag::warn_tautological_bool_compare.
  enum ConstantValueKind { Miscellaneous = 0, LiteralTrue, LiteralFalse };

  const auto *BoolLit = dyn_cast<CXXBoolLiteralExpr>(Constant);
  if (!BoolLit)
    return ConstantValueKind::Miscellaneous;
  if (BoolLit->getValue())
    return ConstantValueKind::LiteralTrue;
  return ConstantValueKind::LiteralFalse;
}
9946
/// Diagnoses a comparison between an integer constant and a non-constant
/// operand whose outcome is the same for every value the operand can take.
///
/// \param S            semantic analysis object used to emit diagnostics
/// \param E            the comparison being checked
/// \param Constant     the operand that evaluated to an integer constant
/// \param Other        the non-constant operand
/// \param Value        the value of \p Constant
/// \param RhsConstant  true if \p Constant is the right-hand operand
///
/// \returns true if the comparison was classified as tautological and a
/// diagnostic was requested; false if no fixed outcome was found or the
/// warning was suppressed.
static bool CheckTautologicalComparison(Sema &S, BinaryOperator *E,
                                        Expr *Constant, Expr *Other,
                                        const llvm::APSInt &Value,
                                        bool RhsConstant) {
  if (S.inTemplateInstantiation())
    return false;

  // Keep the operand as written: the choice of diagnostic at the end inspects
  // it with its implicit casts still in place.
  Expr *const OtherAsWritten = Other;

  Constant = Constant->IgnoreParenImpCasts();
  Other = Other->IgnoreParenImpCasts();

  // Suppress warnings on tautological comparisons between values of the same
  // enumeration type. There are only two ways we could warn on this:
  //  - If the constant is outside the range of representable values of
  //    the enumeration. In such a case, we should warn about the cast
  //    to enumeration type, not about the comparison.
  //  - If the constant is the maximum / minimum in-range value. For an
  //    enumeration type, such comparisons can be meaningful and useful.
  const QualType ConstantT = Constant->getType();
  if (ConstantT->isEnumeralType() &&
      S.Context.hasSameUnqualifiedType(ConstantT, Other->getType()))
    return false;

  IntRange OtherValueRange = GetExprRange(
      S.Context, Other, S.isConstantEvaluatedContext(), /*Approximate=*/false);

  // For an atomic operand, the range of interest is that of the value type.
  QualType OtherT = Other->getType();
  if (const auto *AT = OtherT->getAs<AtomicType>())
    OtherT = AT->getValueType();
  IntRange OtherTypeRange = IntRange::forValueOfType(S.Context, OtherT);

  // Special case for ObjC BOOL on targets where it's a typedef for a signed
  // char (namely, macOS). FIXME: IntRange::forValueOfType should do this.
  const bool IsObjCSignedCharBool =
      S.getLangOpts().ObjC && S.ObjC().NSAPIObj->isObjCBOOLType(OtherT) &&
      OtherT->isSpecificBuiltinType(BuiltinType::SChar);

  // Whether we're treating Other as being a bool because of the form of
  // expression despite it having another type (typically 'int' in C).
  const bool OtherIsBooleanDespiteType =
      !OtherT->isBooleanType() && Other->isKnownToHaveBooleanValue();
  if (OtherIsBooleanDespiteType || IsObjCSignedCharBool)
    OtherTypeRange = OtherValueRange = IntRange::forBoolType();

  // Both ranges are promoted to the width and signedness of the constant.
  const unsigned CmpWidth = Value.getBitWidth();
  const bool CmpUnsigned = Value.isUnsigned();
  const BinaryOperatorKind Opc = E->getOpcode();

  // Check if all values in the range of possible values of this expression
  // lead to the same comparison outcome.
  PromotedRange::ComparisonResult Cmp =
      PromotedRange(OtherValueRange, CmpWidth, CmpUnsigned).compare(Value);
  std::optional<StringRef> Result =
      PromotedRange::constantValue(Opc, Cmp, RhsConstant);
  if (!Result)
    return false;

  // Also consider the range determined by the type alone. This allows us to
  // classify the warning under the proper diagnostic group.
  bool TautologicalTypeCompare = false;
  {
    const PromotedRange::ComparisonResult TypeCmp =
        PromotedRange(OtherTypeRange, CmpWidth, CmpUnsigned).compare(Value);
    if (std::optional<StringRef> TypeResult =
            PromotedRange::constantValue(Opc, TypeCmp, RhsConstant)) {
      TautologicalTypeCompare = true;
      Cmp = TypeCmp;
      Result = TypeResult;
    }
  }

  // Don't warn if the non-constant operand actually always evaluates to the
  // same value.
  if (!TautologicalTypeCompare && OtherValueRange.Width == 0)
    return false;

  // Suppress the diagnostic for an in-range comparison if the constant comes
  // from a macro or enumerator. We don't want to diagnose
  //
  //   some_long_value <= INT_MAX
  //
  // when sizeof(int) == sizeof(long).
  const bool InRange = (Cmp & PromotedRange::InRangeFlag) != 0;
  if (InRange && IsEnumConstOrFromMacro(S, Constant))
    return false;

  // A comparison of an unsigned bit-field against 0 is really a type problem,
  // even though at the type level the bit-field might promote to 'signed int'.
  if (Other->refersToBitField() && InRange && Value == 0 &&
      Other->getType()->isUnsignedIntegerOrEnumerationType())
    TautologicalTypeCompare = true;

  // If this is a comparison to an enum constant, include that
  // constant in the diagnostic.
  const EnumConstantDecl *ED = nullptr;
  if (const auto *DRE = dyn_cast<DeclRefExpr>(Constant))
    ED = dyn_cast<EnumConstantDecl>(DRE->getDecl());

  // Should be enough for uint128 (39 decimal digits)
  SmallString<64> PrettySourceValue;
  llvm::raw_svector_ostream OS(PrettySourceValue);
  if (ED) {
    OS << '\'' << *ED << "' (" << Value << ")";
  } else if (auto *BL = dyn_cast<ObjCBoolLiteralExpr>(
                 Constant->IgnoreParenImpCasts())) {
    OS << (BL->getValue() ? "YES" : "NO");
  } else {
    OS << Value;
  }

  const SourceLocation OpLoc = E->getOperatorLoc();
  const SourceRange LHSRange = E->getLHS()->getSourceRange();
  const SourceRange RHSRange = E->getRHS()->getSourceRange();

  // Only the value range, not the type, makes the outcome fixed.
  if (!TautologicalTypeCompare) {
    S.Diag(OpLoc, diag::warn_tautological_compare_value_range)
        << RhsConstant << OtherValueRange.Width << OtherValueRange.NonNegative
        << E->getOpcodeStr() << OS.str() << *Result << LHSRange << RHSRange;
    return true;
  }

  if (IsObjCSignedCharBool) {
    S.DiagRuntimeBehavior(OpLoc, E,
                          S.PDiag(diag::warn_tautological_compare_objc_bool)
                              << OS.str() << *Result);
    return true;
  }

  // FIXME: We use a somewhat different formatting for the in-range cases and
  // cases involving boolean values for historical reasons. We should pick a
  // consistent way of presenting these diagnostics.
  if (!InRange || Other->isKnownToHaveBooleanValue()) {
    const unsigned DiagID = !InRange ? diag::warn_out_of_range_compare
                                     : diag::warn_tautological_bool_compare;
    S.DiagRuntimeBehavior(OpLoc, E,
                          S.PDiag(DiagID)
                              << OS.str() << classifyConstantValue(Constant)
                              << OtherT << OtherIsBooleanDespiteType << *Result
                              << LHSRange << RHSRange);
    return true;
  }

  // In-range, non-boolean case: comparisons of an unsigned value against zero
  // get a more specific diagnostic depending on the operand's type.
  const bool IsCharTy = OtherT.withoutLocalFastQualifiers() == S.Context.CharTy;
  unsigned DiagID = diag::warn_tautological_constant_compare;
  if (isKnownToHaveUnsignedValue(OtherAsWritten) && Value == 0) {
    if (HasEnumType(OtherAsWritten))
      DiagID = diag::warn_unsigned_enum_always_true_comparison;
    else if (IsCharTy)
      DiagID = diag::warn_unsigned_char_always_true_comparison;
    else
      DiagID = diag::warn_unsigned_always_true_comparison;
  }

  S.Diag(OpLoc, DiagID) << RhsConstant << OtherT << E->getOpcodeStr()
                        << OS.str() << *Result << LHSRange << RHSRange;
  return true;
}
10098
/// Analyze the operands of the given comparison. Implements the
/// fallback case from AnalyzeComparison.
///
/// Each operand is checked for implicit conversions, with the operator
/// location passed as the conversion context.
static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) {
  const SourceLocation OpLoc = E->getOperatorLoc();
  AnalyzeImplicitConversions(S, E->getLHS(), OpLoc);
  AnalyzeImplicitConversions(S, E->getRHS(), OpLoc);
}
10105
/// Implements -Wsign-compare.
///
/// An integral comparison with exactly one constant operand is first handed
/// to CheckTautologicalComparison. Otherwise, for a comparison performed in
/// an unsigned type where one operand (before implicit conversions) is
/// signed, a mixed-sign warning is issued unless the signed operand's range
/// is known to be non-negative, or the comparison is an (in)equality whose
/// unsigned operand is too narrow to collide with a wrapped negative value.
///
/// \param E the binary operator to check for warnings
static void AnalyzeComparison(Sema &S, BinaryOperator *E) {
  Expr *LHS = E->getLHS();
  Expr *RHS = E->getRHS();

  // The type the comparison is being performed in.
  const QualType T = LHS->getType();

  // Only analyze comparison operators where both sides have been converted to
  // the same type, and don't analyze value-dependent comparisons directly.
  if (!S.Context.hasSameUnqualifiedType(T, RHS->getType()) ||
      E->isValueDependent())
    return AnalyzeImpConvsInComparison(S, E);

  if (T->isIntegralType(S.Context)) {
    const std::optional<llvm::APSInt> RHSValue =
        RHS->getIntegerConstantExpr(S.Context);
    const std::optional<llvm::APSInt> LHSValue =
        LHS->getIntegerConstantExpr(S.Context);

    // We don't care about expressions whose result is a constant.
    if (RHSValue && LHSValue)
      return AnalyzeImpConvsInComparison(S, E);

    // We only care about expressions where just one side is literal
    if (RHSValue.has_value() != LHSValue.has_value()) {
      // Is the constant on the RHS or LHS?
      const bool RhsConstant = RHSValue.has_value();
      Expr *ConstOperand = RhsConstant ? RHS : LHS;
      Expr *OtherOperand = RhsConstant ? LHS : RHS;
      const llvm::APSInt &Value = RhsConstant ? *RHSValue : *LHSValue;

      // Check whether an integer constant comparison results in a value
      // of 'true' or 'false'.
      if (CheckTautologicalComparison(S, E, ConstOperand, OtherOperand, Value,
                                      RhsConstant))
        return AnalyzeImpConvsInComparison(S, E);
    }
  }

  // We don't do anything special if this isn't an unsigned integral
  // comparison: we're only interested in integral comparisons, and
  // signed comparisons only happen in cases we don't care to warn about.
  if (!T->hasUnsignedIntegerRepresentation())
    return AnalyzeImpConvsInComparison(S, E);

  LHS = LHS->IgnoreParenImpCasts();
  RHS = RHS->IgnoreParenImpCasts();

  if (!S.getLangOpts().CPlusPlus) {
    // Avoid warning about comparison of integers with different signs when
    // RHS/LHS has a `typeof(E)` type whose sign is different from the sign of
    // the type of `E`.
    if (const auto *TET = dyn_cast<TypeOfExprType>(LHS->getType()))
      LHS = TET->getUnderlyingExpr()->IgnoreParenImpCasts();
    if (const auto *TET = dyn_cast<TypeOfExprType>(RHS->getType()))
      RHS = TET->getUnderlyingExpr()->IgnoreParenImpCasts();
  }

  // Check to see if one of the (unmodified) operands is of different
  // signedness.
  const bool LHSIsSigned = LHS->getType()->hasSignedIntegerRepresentation();
  const bool RHSIsSigned = RHS->getType()->hasSignedIntegerRepresentation();
  if (!LHSIsSigned && !RHSIsSigned)
    return AnalyzeImpConvsInComparison(S, E);
  assert(!(LHSIsSigned && RHSIsSigned) &&
         "unsigned comparison between two signed integer expressions?");
  Expr *SignedOperand = LHSIsSigned ? LHS : RHS;
  Expr *UnsignedOperand = LHSIsSigned ? RHS : LHS;

  // Otherwise, calculate the effective range of the signed operand.
  const IntRange SignedRange =
      GetExprRange(S.Context, SignedOperand, S.isConstantEvaluatedContext(),
                   /*Approximate=*/true);

  // Go ahead and analyze implicit conversions in the operands.  Note
  // that we skip the implicit conversions on both sides.
  const SourceLocation OpLoc = E->getOperatorLoc();
  AnalyzeImplicitConversions(S, LHS, OpLoc);
  AnalyzeImplicitConversions(S, RHS, OpLoc);

  // If the signed range is non-negative, -Wsign-compare won't fire.
  if (SignedRange.NonNegative)
    return;

  // For (in)equality comparisons, if the unsigned operand is a
  // constant which cannot collide with a overflowed signed operand,
  // then reinterpreting the signed operand as unsigned will not
  // change the result of the comparison.
  if (E->isEqualityOp()) {
    const unsigned ComparisonWidth = S.Context.getIntWidth(T);
    const IntRange UnsignedRange =
        GetExprRange(S.Context, UnsignedOperand,
                     S.isConstantEvaluatedContext(), /*Approximate=*/true);

    // We should never be unable to prove that the unsigned operand is
    // non-negative.
    assert(UnsignedRange.NonNegative && "unsigned range includes negative?");

    if (UnsignedRange.Width < ComparisonWidth)
      return;
  }

  S.DiagRuntimeBehavior(OpLoc, E,
                        S.PDiag(diag::warn_mixed_sign_comparison)
                            << LHS->getType() << RHS->getType()
                            << LHS->getSourceRange() << RHS->getSourceRange());
}
10222
/// Analyzes an attempt to assign the given value to a bitfield.
///
/// For a non-constant initializer of enumeration type, warns when the
/// bit-field is too narrow for the enumeration or when the signedness of the
/// two disagrees. For a constant initializer, warns when storing the value in
/// the bit-field changes it.
///
/// \param S        semantic analysis object used to emit diagnostics
/// \param Bitfield the bit-field being assigned to
/// \param Init     the expression being assigned
/// \param InitLoc  location used for the diagnostics
///
/// \returns true if there was something fishy about the attempt. Only the
/// constant-truncation warning produces a true result; the enumeration
/// warnings are emitted and false is returned.
static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init,
                                      SourceLocation InitLoc) {
  assert(Bitfield->isBitField());
  if (Bitfield->isInvalidDecl())
    return false;

  // Bool bit-fields are exempt from all of the checks below.
  const QualType BitfieldType = Bitfield->getType();
  if (BitfieldType->isBooleanType())
    return false;

  if (BitfieldType->isEnumeralType()) {
    EnumDecl *BitfieldEnumDecl = BitfieldType->castAs<EnumType>()->getDecl();
    // If the underlying enum type was not explicitly specified as an unsigned
    // type and the enum contain only positive values, MSVC++ will cause an
    // inconsistency by storing this as a signed type.
    const bool NoExplicitUnderlyingType =
        !BitfieldEnumDecl->getIntegerTypeSourceInfo();
    const bool OnlyPositiveValues =
        BitfieldEnumDecl->getNumPositiveBits() > 0 &&
        BitfieldEnumDecl->getNumNegativeBits() == 0;
    if (S.getLangOpts().CPlusPlus11 && NoExplicitUnderlyingType &&
        OnlyPositiveValues)
      S.Diag(InitLoc, diag::warn_no_underlying_type_specified_for_enum_bitfield)
          << BitfieldEnumDecl;
  }

  // Ignore value- or type-dependent expressions.
  Expr *WidthExpr = Bitfield->getBitWidth();
  if (WidthExpr->isValueDependent() || WidthExpr->isTypeDependent() ||
      Init->isValueDependent() || Init->isTypeDependent())
    return false;

  Expr *OriginalInit = Init->IgnoreParenImpCasts();
  const unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context);

  Expr::EvalResult Result;
  if (!OriginalInit->EvaluateAsInt(Result, S.Context,
                                   Expr::SE_AllowSideEffects)) {
    // The RHS is not constant.  If the RHS has an enum type, make sure the
    // bitfield is wide enough to hold all the values of the enum without
    // truncation.
    const auto *EnumTy = OriginalInit->getType()->getAs<EnumType>();
    if (!EnumTy)
      return false;

    EnumDecl *ED = EnumTy->getDecl();
    const bool SignedBitfield = BitfieldType->isSignedIntegerType();

    // Enum types are implicitly signed on Windows, so check if there are any
    // negative enumerators to see if the enum was intended to be signed or
    // not.
    const bool SignedEnum = ED->getNumNegativeBits() > 0;

    // Check for surprising sign changes when assigning enum values to a
    // bitfield of different signedness.  If the bitfield is signed and we
    // have exactly the right number of bits to store this unsigned enum,
    // suggest changing the enum to an unsigned type. This typically happens
    // on Windows where unfixed enums always use an underlying type of 'int'.
    unsigned DiagID = 0;
    if (SignedEnum && !SignedBitfield)
      DiagID = diag::warn_unsigned_bitfield_assigned_signed_enum;
    else if (SignedBitfield && !SignedEnum &&
             ED->getNumPositiveBits() == FieldWidth)
      DiagID = diag::warn_signed_bitfield_enum_conversion;

    if (DiagID) {
      S.Diag(InitLoc, DiagID) << Bitfield << ED;
      // Point the note at the bit-field's written type when it is available.
      SourceRange TypeRange;
      if (TypeSourceInfo *TSI = Bitfield->getTypeSourceInfo())
        TypeRange = TSI->getTypeLoc().getSourceRange();
      S.Diag(Bitfield->getTypeSpecStartLoc(), diag::note_change_bitfield_sign)
          << SignedEnum << TypeRange;
    }

    // Compute the required bitwidth. If the enum has negative values, we need
    // one more bit than the normal number of positive bits to represent the
    // sign bit.
    unsigned BitsNeeded = ED->getNumPositiveBits();
    if (SignedEnum)
      BitsNeeded =
          std::max(ED->getNumPositiveBits() + 1, ED->getNumNegativeBits());

    // Check the bitwidth.
    if (BitsNeeded > FieldWidth) {
      S.Diag(InitLoc, diag::warn_bitfield_too_small_for_enum)
          << Bitfield << ED;
      S.Diag(WidthExpr->getExprLoc(), diag::note_widen_bitfield)
          << BitsNeeded << ED << WidthExpr->getSourceRange();
    }

    return false;
  }

  const llvm::APSInt Value = Result.Val.getInt();
  unsigned OriginalWidth = Value.getBitWidth();

  // In C, the macro 'true' from stdbool.h will evaluate to '1'; To reduce
  // false positives where the user is demonstrating they intend to use the
  // bit-field as a Boolean, check to see if the value is 1 and we're assigning
  // to a one-bit bit-field to see if the value came from a macro named 'true'.
  const bool OneAssignedToOneBitBitfield = FieldWidth == 1 && Value == 1;
  if (OneAssignedToOneBitBitfield && !S.LangOpts.CPlusPlus) {
    const SourceLocation MaybeMacroLoc = OriginalInit->getBeginLoc();
    if (S.SourceMgr.isInSystemMacro(MaybeMacroLoc) &&
        S.findMacroSpelling(MaybeMacroLoc, "true"))
      return false;
  }

  // For an unsigned or negative result of unary '-' or '~', measure the
  // constant by its significant bits rather than by the width of its type.
  if (!Value.isSigned() || Value.isNegative()) {
    const auto *UO = dyn_cast<UnaryOperator>(OriginalInit);
    if (UO && (UO->getOpcode() == UO_Minus || UO->getOpcode() == UO_Not))
      OriginalWidth = Value.getSignificantBits();
  }

  if (OriginalWidth <= FieldWidth)
    return false;

  // Compute the value which the bitfield will contain.
  llvm::APSInt TruncatedValue = Value.trunc(FieldWidth);
  TruncatedValue.setIsSigned(BitfieldType->isSignedIntegerType());

  // Check whether the stored value is equal to the original value.
  TruncatedValue = TruncatedValue.extend(OriginalWidth);
  if (llvm::APSInt::isSameValue(Value, TruncatedValue))
    return false;

  const std::string PrettyValue = toString(Value, 10);
  const std::string PrettyTrunc = toString(TruncatedValue, 10);

  const unsigned TruncationDiagID =
      OneAssignedToOneBitBitfield
          ? diag::warn_impcast_single_bit_bitield_precision_constant
          : diag::warn_impcast_bitfield_precision_constant;
  S.Diag(InitLoc, TruncationDiagID)
      << PrettyValue << PrettyTrunc << OriginalInit->getType()
      << Init->getSourceRange();

  return true;
}
10362
/// Analyze the given simple or compound assignment for warning-worthy
/// operations.
///
/// Both operands are checked for implicit conversions. An assignment to a
/// bit-field is additionally run through AnalyzeBitFieldAssignment, and an
/// assignment to an atomic object is diagnosed as implicitly
/// sequentially-consistent.
static void AnalyzeAssignment(Sema &S, BinaryOperator *E) {
  Expr *LHS = E->getLHS();
  Expr *RHS = E->getRHS();
  const SourceLocation OpLoc = E->getOperatorLoc();

  // Just recurse on the LHS.
  AnalyzeImplicitConversions(S, LHS, OpLoc);

  // We want to recurse on the RHS as normal unless we're assigning to
  // a bitfield.
  FieldDecl *Bitfield = LHS->getSourceBitField();
  if (Bitfield && AnalyzeBitFieldAssignment(S, Bitfield, RHS, OpLoc)) {
    // Recurse, ignoring any implicit conversions on the RHS.
    AnalyzeImplicitConversions(S, RHS->IgnoreParenImpCasts(), OpLoc);
    return;
  }

  AnalyzeImplicitConversions(S, RHS, OpLoc);

  // Diagnose implicitly sequentially-consistent atomic assignment.
  if (LHS->getType()->isAtomicType())
    S.Diag(RHS->getBeginLoc(), diag::warn_atomic_implicit_seq_cst);
}
10386
/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
///
/// Emits \p diag at the location of \p E with \p SourceType and \p T as the
/// first two arguments, followed by the source range of \p E and a range
/// built from \p CContext. When \p pruneControlFlow is set the diagnostic is
/// routed through Sema::DiagRuntimeBehavior instead of being emitted
/// directly.
static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T,
                            SourceLocation CContext, unsigned diag,
                            bool pruneControlFlow = false) {
  const SourceLocation Loc = E->getExprLoc();

  if (!pruneControlFlow) {
    S.Diag(Loc, diag) << SourceType << T << E->getSourceRange()
                      << SourceRange(CContext);
    return;
  }

  S.DiagRuntimeBehavior(Loc, E,
                        S.PDiag(diag) << SourceType << T << E->getSourceRange()
                                      << SourceRange(CContext));
}
10401
/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
///
/// Same as the overload that takes an explicit source type, using the type
/// of \p E as the source type.
static void DiagnoseImpCast(Sema &S, Expr *E, QualType T,
                            SourceLocation CContext,
                            unsigned diag, bool pruneControlFlow = false) {
  const QualType SourceType = E->getType();
  DiagnoseImpCast(S, E, SourceType, T, CContext, diag, pruneControlFlow);
}
10408
/// Diagnose an implicit cast from a floating point value to an integer value.
///
/// A non-constant source gets the generic float-to-integer warning (or the
/// Objective-C signed-char-BOOL variant). A constant source is converted at
/// compile time, rounding toward zero, so that the diagnostic can show the
/// resulting value or report that the value is out of range for \p T.
///
/// \param S        semantic analysis object used to emit diagnostics
/// \param E        the floating-point expression being converted
/// \param T        the integer type being converted to
/// \param CContext location of the conversion context
static void DiagnoseFloatingImpCast(Sema &S, Expr *E, QualType T,
                                    SourceLocation CContext) {
  const bool IsBool = T->isSpecificBuiltinType(BuiltinType::Bool);
  const bool PruneWarnings = S.inTemplateInstantiation();

  // The generic warning, used whenever nothing more specific applies.
  const auto WarnGenericFloatToInt = [&] {
    DiagnoseImpCast(S, E, T, CContext, diag::warn_impcast_float_integer,
                    PruneWarnings);
  };

  Expr *InnerE = E->IgnoreParenImpCasts();
  // We also want to warn on, e.g., "int i = -1.234"
  if (auto *UOp = dyn_cast<UnaryOperator>(InnerE)) {
    const UnaryOperatorKind Opc = UOp->getOpcode();
    if (Opc == UO_Minus || Opc == UO_Plus)
      InnerE = UOp->getSubExpr()->IgnoreParenImpCasts();
  }

  const bool IsLiteral =
      isa<FloatingLiteral>(E) || isa<FloatingLiteral>(InnerE);

  llvm::APFloat Value(0.0);
  const bool IsConstant =
      E->EvaluateAsFloat(Value, S.Context, Expr::SE_AllowSideEffects);
  if (!IsConstant) {
    if (S.ObjC().isSignedCharBool(T)) {
      return S.ObjC().adornBoolConversionDiagWithTernaryFixit(
          E, S.Diag(CContext, diag::warn_impcast_float_to_objc_signed_char_bool)
                 << E->getType());
    }

    return WarnGenericFloatToInt();
  }

  bool isExact = false;

  llvm::APSInt IntegerValue(S.Context.getIntWidth(T),
                            T->hasUnsignedIntegerRepresentation());
  const llvm::APFloat::opStatus Result = Value.convertToInteger(
      IntegerValue, llvm::APFloat::rmTowardZero, &isExact);

  // FIXME: Force the precision of the source value down so we don't print
  // digits which are usually useless (we don't really care here if we
  // truncate a digit by accident in edge cases).  Ideally, APFloat::toString
  // would automatically print the shortest representation, but it's a bit
  // tricky to implement.
  SmallString<16> PrettySourceValue;
  // Scale the binary precision by 59/196 (about log10(2)), rounding up, to
  // get the number of decimal digits to print.
  const unsigned BinaryPrecision =
      llvm::APFloat::semanticsPrecision(Value.getSemantics());
  const unsigned DecimalDigits = (BinaryPrecision * 59 + 195) / 196;
  Value.toString(PrettySourceValue, DecimalDigits);

  if (S.ObjC().isSignedCharBool(T) && IntegerValue != 0 && IntegerValue != 1) {
    return S.ObjC().adornBoolConversionDiagWithTernaryFixit(
        E, S.Diag(CContext, diag::warn_impcast_constant_value_to_objc_bool)
               << PrettySourceValue);
  }

  // An exact conversion of a literal is not diagnosed at all; an exact
  // conversion of any other constant gets only the generic warning.
  if (Result == llvm::APFloat::opOK && isExact) {
    if (IsLiteral)
      return;
    return WarnGenericFloatToInt();
  }

  // Conversion of a floating-point value to a non-bool integer where the
  // integral part cannot be represented by the integer type is undefined.
  if (!IsBool && Result == llvm::APFloat::opInvalidOp) {
    const unsigned OutOfRangeDiagID =
        IsLiteral ? diag::warn_impcast_literal_float_to_integer_out_of_range
                  : diag::warn_impcast_float_to_integer_out_of_range;
    return DiagnoseImpCast(S, E, T, CContext, OutOfRangeDiagID, PruneWarnings);
  }

  unsigned DiagID = 0;
  if (IsLiteral) {
    // Warn on floating point literal to integer.
    DiagID = diag::warn_impcast_literal_float_to_integer;
  } else if (IntegerValue == 0) {
    if (Value.isZero()) { // Skip -0.0 to 0 conversion.
      return WarnGenericFloatToInt();
    }
    // Warn on non-zero to zero conversion.
    DiagID = diag::warn_impcast_float_to_integer_zero;
  } else {
    // Only a result sitting at a limit of the target type gets the specific
    // warning below; everything else gets the generic one.
    const bool AtTypeLimit = IntegerValue.isUnsigned()
                                 ? IntegerValue.isMaxValue()
                                 : (IntegerValue.isMaxSignedValue() ||
                                    IntegerValue.isMinSignedValue());
    if (!AtTypeLimit)
      return WarnGenericFloatToInt();

    // Warn on evaluatable floating point expression to integer conversion.
    DiagID = diag::warn_impcast_float_to_integer;
  }

  SmallString<16> PrettyTargetValue;
  if (IsBool)
    PrettyTargetValue = Value.isZero() ? "false" : "true";
  else
    IntegerValue.toString(PrettyTargetValue);

  if (!PruneWarnings) {
    S.Diag(E->getExprLoc(), DiagID)
        << E->getType() << T.getUnqualifiedType() << PrettySourceValue
        << PrettyTargetValue << E->getSourceRange() << SourceRange(CContext);
    return;
  }

  S.DiagRuntimeBehavior(E->getExprLoc(), E,
                        S.PDiag(DiagID)
                            << E->getType() << T.getUnqualifiedType()
                            << PrettySourceValue << PrettyTargetValue
                            << E->getSourceRange() << SourceRange(CContext));
}
10522
/// Analyze the given compound assignment for the possible losing of
/// floating-point precision.
///
/// Both operands are checked for implicit conversions first, and an atomic
/// left-hand side is diagnosed as implicitly sequentially-consistent. The
/// remaining checks apply only when the computation result type is a
/// floating-point builtin type.
static void AnalyzeCompoundAssignment(Sema &S, BinaryOperator *E) {
  assert(isa<CompoundAssignOperator>(E) &&
         "Must be compound assignment operation");

  Expr *LHS = E->getLHS();
  Expr *RHS = E->getRHS();
  const SourceLocation OpLoc = E->getOperatorLoc();

  // Recurse on the LHS and RHS in here
  AnalyzeImplicitConversions(S, LHS, OpLoc);
  AnalyzeImplicitConversions(S, RHS, OpLoc);

  const QualType LHSType = LHS->getType();
  if (LHSType->isAtomicType())
    S.Diag(OpLoc, diag::warn_atomic_implicit_seq_cst);

  // Now check the outermost expression
  const auto *ResultBT = LHSType->getAs<BuiltinType>();
  const auto *RBT = cast<CompoundAssignOperator>(E)
                        ->getComputationResultType()
                        ->getAs<BuiltinType>();

  // The below checks assume source is floating point.
  if (!ResultBT || !RBT || !RBT->isFloatingPoint())
    return;

  // If source is floating point but target is an integer.
  if (ResultBT->isInteger()) {
    DiagnoseImpCast(S, E, RHS->getType(), LHSType, E->getExprLoc(),
                    diag::warn_impcast_float_integer);
    return;
  }

  if (!ResultBT->isFloatingPoint())
    return;

  // If both source and target are floating points, warn about losing
  // precision, except inside system macros.
  const int Order = S.getASTContext().getFloatingTypeSemanticOrder(
      QualType(ResultBT, 0), QualType(RBT, 0));
  if (Order >= 0 || S.SourceMgr.isInSystemMacro(OpLoc))
    return;

  // warn about dropping FP rank.
  DiagnoseImpCast(S, RHS, LHSType, OpLoc,
                  diag::warn_impcast_float_result_precision);
}
10560
/// Render \p Value in decimal as it would read after being narrowed to
/// \p Range.
///
/// A range of width zero always prints as "0". Otherwise a copy of the value
/// is given the signedness implied by Range.NonNegative, truncated to
/// Range.Width bits and printed in base 10. Used to show the "after
/// conversion" value in truncation diagnostics.
static std::string PrettyPrintInRange(const llvm::APSInt &Value,
                                      IntRange Range) {
  if (Range.Width == 0)
    return "0";

  llvm::APSInt Adjusted(Value);
  // Signedness is fixed before truncating, as in the target range.
  Adjusted.setIsSigned(!Range.NonNegative);
  const llvm::APSInt Narrowed = Adjusted.trunc(Range.Width);
  return toString(Narrowed, 10);
}
10570
/// Tell whether \p Ex is an implicit cast between bool and a builtin
/// floating-point type.
///
/// \param S       Semantic analyzer providing the AST context.
/// \param Ex      Expression to inspect; anything that is not an
///                ImplicitCastExpr yields false.
/// \param ToBool  true to look for floating-point -> bool, false to look for
///                bool -> floating-point.
/// \returns true only when the bool side is exactly the builtin bool type
///          and the other side is a builtin floating-point type. A dependent
///          cast result type yields false.
static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) {
  if (!isa<ImplicitCastExpr>(Ex))
    return false;

  // Type after the implicit cast(s) versus type of the expression underneath.
  const Type *OuterTy = S.Context.getCanonicalType(Ex->getType()).getTypePtr();
  const Type *InnerTy =
      S.Context.getCanonicalType(Ex->IgnoreParenImpCasts()->getType())
          .getTypePtr();
  if (OuterTy->isDependentType())
    return false;

  const Type *BoolSide = ToBool ? OuterTy : InnerTy;
  const Type *FloatSide = ToBool ? InnerTy : OuterTy;

  if (!BoolSide->isSpecificBuiltinType(BuiltinType::Bool))
    return false;

  const auto *FloatBT = dyn_cast<BuiltinType>(FloatSide);
  return FloatBT && FloatBT->isFloatingPoint();
}
10589
/// Look for call arguments that appear to have been passed in swapped order.
///
/// An argument that is implicitly converted from floating-point to bool is
/// reported (warn_impcast_floating_point_to_bool) when the argument directly
/// before or directly after it is implicitly converted from bool to
/// floating-point.
///
/// \param S        Semantic analyzer used to emit diagnostics.
/// \param TheCall  Call whose arguments are inspected.
/// \param CC       Conversion context location passed on to the diagnostic.
static void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall,
                                             SourceLocation CC) {
  const unsigned ArgCount = TheCall->getNumArgs();

  auto IsBoolToFloat = [&](unsigned Idx) {
    return IsImplicitBoolFloatConversion(S, TheCall->getArg(Idx),
                                         /*ToBool=*/false);
  };

  for (unsigned Idx = 0; Idx != ArgCount; ++Idx) {
    Expr *Arg = TheCall->getArg(Idx);
    if (!IsImplicitBoolFloatConversion(S, Arg, /*ToBool=*/true))
      continue;

    // Only the immediate neighbours are considered.
    const bool PrevIsBoolToFloat = Idx > 0 && IsBoolToFloat(Idx - 1);
    const bool NextIsBoolToFloat = Idx + 1 < ArgCount && IsBoolToFloat(Idx + 1);
    if (!PrevIsBoolToFloat && !NextIsBoolToFloat)
      continue;

    // Warn on this floating-point to bool conversion.
    DiagnoseImpCast(S, Arg->IgnoreParenImpCasts(), Arg->getType(), CC,
                    diag::warn_impcast_floating_point_to_bool);
  }
}
10610
/// Warn when a null pointer constant is implicitly converted to a scalar
/// type that is not a pointer.
///
/// The source must be GNU `__null` (GNUNullExpr) or an expression of type
/// nullptr_t once parentheses and implicit casts are stripped. Nothing is
/// reported when
///  - warn_impcast_null_pointer_to_integer is ignored at the expression,
///  - \p E is a call expression,
///  - \p T is a pointer, block pointer, member pointer, nullptr_t or a
///    non-scalar type, or
///  - the null constant and the conversion context end up in different
///    FileIDs after macro caller locations are resolved.
///
/// The diagnostic carries a fix-it that replaces the null constant with the
/// text returned by getFixItZeroLiteralForType.
///
/// \param S   Semantic analyzer used to emit diagnostics.
/// \param E   Expression being converted.
/// \param T   Destination type of the conversion.
/// \param CC  Conversion context location.
static void DiagnoseNullConversion(Sema &S, Expr *E, QualType T,
                                   SourceLocation CC) {
  const unsigned WarnID = diag::warn_impcast_null_pointer_to_integer;
  if (S.Diags.isIgnored(WarnID, E->getExprLoc()))
    return;

  // Call expressions are never diagnosed here (this covers functions whose
  // return type is nullptr_t).
  if (isa<CallExpr>(E))
    return;

  // Accept NULL (GNUNull) or nullptr (CXX11_nullptr) only.
  const Expr *Stripped = E->IgnoreParenImpCasts();
  const bool IsGNUNull = isa<GNUNullExpr>(Stripped);
  const bool IsNullPtrT = Stripped->getType()->isNullPtrType();
  if (!(IsGNUNull || IsNullPtrT))
    return;

  // Targets for which the conversion is considered safe.
  const bool TargetAcceptsNull =
      T->isAnyPointerType() || T->isBlockPointerType() ||
      T->isMemberPointerType() || !T->isScalarType() || T->isNullPtrType();
  if (TargetAcceptsNull)
    return;

  SourceManager &SM = S.SourceMgr;

  // Walk up the macro stacks to reach the source of macro arguments; that
  // location is better than the complete location that was passed in.
  SourceLocation NullLoc =
      SM.getTopMacroCallerLoc(E->getSourceRange().getBegin());
  CC = SM.getTopMacroCallerLoc(CC);

  // __null is usually wrapped in a macro named NULL; step out of it.
  if (IsGNUNull && NullLoc.isMacroID() &&
      Lexer::getImmediateMacroNameForDiagnostics(NullLoc, SM,
                                                 S.getLangOpts()) == "NULL")
    NullLoc = SM.getImmediateExpansionRange(NullLoc).getBegin();

  // Only warn if the null and the context location share a FileID, i.e. they
  // are in the same macro expansion.
  if (SM.getFileID(NullLoc) != SM.getFileID(CC))
    return;

  S.Diag(NullLoc, WarnID)
      << IsNullPtrT << T << SourceRange(CC)
      << FixItHint::CreateReplacement(
             NullLoc, S.getFixItZeroLiteralForType(T, NullLoc));
}
10658
/// Filter for the same-width constant conversion warning.
///
/// Returns false (do not warn) in two cases:
///  - the expression is an integer literal whose spelling begins with '0',
///    i.e. a binary, octal or hexadecimal constant; such constants may fill
///    all the bits even if the sign changes;
///  - the target type is a character type and the context location \p CC is
///    valid and points at a '{', which is taken to be an array
///    initialization.
/// Returns true in every other case.
///
/// \param S   Semantic analyzer; its SourceManager supplies the source text.
/// \param E   Expression being converted.
/// \param T   Destination type of the conversion.
/// \param CC  Conversion context location.
static bool isSameWidthConstantConversion(Sema &S, Expr *E, QualType T,
                                          SourceLocation CC) {
  // First character of the source text at a given location.
  auto FirstCharAt = [&S](SourceLocation Loc) {
    return S.getSourceManager().getCharacterData(Loc)[0];
  };

  const auto *Literal = dyn_cast<IntegerLiteral>(E->IgnoreParenImpCasts());
  if (Literal && FirstCharAt(Literal->getBeginLoc()) == '0')
    return false;

  if (CC.isValid() && T->isCharType() && FirstCharAt(CC) == '{')
    return false;

  return true;
}
10684
/// Return the integer literal that \p E spells, if any.
///
/// \p E is matched as is (no parentheses or casts are stripped). It may be
/// an IntegerLiteral, or a unary minus whose operand is an IntegerLiteral;
/// in the second case the operand literal is returned, so the returned
/// literal does not carry the sign.
///
/// \returns the literal, or nullptr when \p E has neither form.
static const IntegerLiteral *getIntegerLiteral(Expr *E) {
  if (const auto *Literal = dyn_cast<IntegerLiteral>(E))
    return Literal;

  const auto *Negation = dyn_cast<UnaryOperator>(E);
  if (Negation && Negation->getOpcode() == UO_Minus)
    return dyn_cast<IntegerLiteral>(Negation->getSubExpr());

  return nullptr;
}
10696
/// Diagnose integer expressions that are suspicious when used as a boolean.
///
/// After stripping parentheses and implicit casts, two shapes are checked:
///  - a left shift (`<<`): a literal zero on the left, or a shift of two
///    literals that evaluates to a constant, is reported with
///    warn_left_shift_always; any other shift of signed integer type is
///    reported with warn_left_shift_in_bool_context;
///  - a conditional operator whose two arms are both integer literals: when
///    neither arm is zero, and the arms are not both drawn from {0, 1},
///    warn_integer_constants_in_conditional_always_true is reported.
///
/// \param S  Semantic analyzer used to emit diagnostics.
/// \param E  Expression that is being used in a boolean context.
static void DiagnoseIntInBoolContext(Sema &S, Expr *E) {
  Expr *Inner = E->IgnoreParenImpCasts();
  const SourceLocation Loc = Inner->getExprLoc();

  const auto *Shift = dyn_cast<BinaryOperator>(Inner);
  if (Shift && Shift->getOpcode() == BO_Shl) {
    const IntegerLiteral *Base = getIntegerLiteral(Shift->getLHS());
    const IntegerLiteral *Count = getIntegerLiteral(Shift->getRHS());
    Expr::EvalResult Folded;

    // Shifts whose type is not a signed integer are only diagnosed when
    // they fall into one of the two constant cases below.
    if (Base && Base->getValue() == 0) {
      S.Diag(Loc, diag::warn_left_shift_always) << 0;
    } else if (!Inner->isValueDependent() && Base && Count &&
               Count->getValue().isNonNegative() &&
               Inner->EvaluateAsInt(Folded, S.Context,
                                    Expr::SE_AllowSideEffects)) {
      S.Diag(Loc, diag::warn_left_shift_always)
          << (Folded.Val.getInt() != 0);
    } else if (Inner->getType()->isSignedIntegerType()) {
      S.Diag(Loc, diag::warn_left_shift_in_bool_context) << Inner;
    }
  }

  const auto *Cond = dyn_cast<ConditionalOperator>(Inner);
  if (!Cond)
    return;

  const IntegerLiteral *TrueLit = getIntegerLiteral(Cond->getTrueExpr());
  const IntegerLiteral *FalseLit = getIntegerLiteral(Cond->getFalseExpr());
  if (!TrueLit || !FalseLit)
    return;

  auto IsZeroOrOne = [](const IntegerLiteral *Lit) {
    return Lit->getValue() == 0 || Lit->getValue() == 1;
  };

  // Do not diagnose common idioms such as `c ? 1 : 0`.
  if (IsZeroOrOne(TrueLit) && IsZeroOrOne(FalseLit))
    return;

  if (TrueLit->getValue() != 0 && FalseLit->getValue() != 0)
    S.Diag(Loc, diag::warn_integer_constants_in_conditional_always_true);
}
10733
/// Diagnose a suspicious implicit conversion of expression \p E to type
/// \p T.
///
/// The checks run in a fixed order and most of them return as soon as they
/// have diagnosed something: conversions to bool, Objective-C BOOL
/// constants and collection literals, vector and complex stripping,
/// floating-point source, fixed-point ranges, integer to floating-point
/// precision, null to integer, integer truncation, sign changes and finally
/// conversions between different enumeration types.
///
/// Many of the warnings are not emitted when \p CC lies inside a system
/// macro (see the isInSystemMacro checks below), so a clean build does not
/// show that no such conversion happens in code expanded from those macros.
///
/// \param E           Expression being converted. Type- or value-dependent
///                    expressions are not checked.
/// \param T           Destination type of the conversion.
/// \param CC          Conversion context location; nothing is diagnosed
///                    when it is invalid.
/// \param ICContext   Optional out-flag. When non-null and an integer sign
///                    conversion is diagnosed, the flag is set to true and
///                    warn_impcast_integer_sign_conditional is used instead
///                    of warn_impcast_integer_sign.
/// \param IsListInit  When true, the integer to floating-point precision
///                    check is skipped.
void Sema::CheckImplicitConversion(Expr *E, QualType T, SourceLocation CC,
                                   bool *ICContext, bool IsListInit) {
  if (E->isTypeDependent() || E->isValueDependent()) return;

  // Work on canonical types; identical canonical types mean there is no
  // conversion to check.
  const Type *Source = Context.getCanonicalType(E->getType()).getTypePtr();
  const Type *Target = Context.getCanonicalType(T).getTypePtr();
  if (Source == Target) return;
  if (Target->isDependentType()) return;

  // If the conversion context location is invalid don't complain. We also
  // don't want to emit a warning if the issue occurs from the expansion of
  // a system macro. The problem is that 'getSpellingLoc()' is slow, so we
  // delay this check as long as possible. Once we detect we are in that
  // scenario, we just return.
  if (CC.isInvalid())
    return;

  if (Source->isAtomicType())
    Diag(E->getExprLoc(), diag::warn_atomic_implicit_seq_cst);

  // Diagnose implicit casts to bool.
  if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {
    if (isa<StringLiteral>(E))
      // Warn on string literal to bool. Checks for string literals in
      // logical-and expressions, for instance assert(0 && "error here"), are
      // prevented by a check in AnalyzeImplicitConversions().
      return DiagnoseImpCast(*this, E, T, CC,
                             diag::warn_impcast_string_literal_to_bool);
    if (isa<ObjCStringLiteral>(E) || isa<ObjCArrayLiteral>(E) ||
        isa<ObjCDictionaryLiteral>(E) || isa<ObjCBoxedExpr>(E)) {
      // This covers the literal expressions that evaluate to Objective-C
      // objects.
      return DiagnoseImpCast(*this, E, T, CC,
                             diag::warn_impcast_objective_c_literal_to_bool);
    }
    if (Source->isPointerType() || Source->canDecayToPointerType()) {
      // Warn on pointer to bool conversion that is always true.
      DiagnoseAlwaysNonNullPointer(E, Expr::NPCK_NotNull, /*IsEqual*/ false,
                                   SourceRange(CC));
    }
  }

  // If we're converting a constant to an ObjC BOOL on a platform where BOOL
  // is a typedef for signed char (macOS), then that constant value has to be
  // 1 or 0.
  if (ObjC().isSignedCharBool(T) && Source->isIntegralType(Context)) {
    Expr::EvalResult Result;
    if (E->EvaluateAsInt(Result, getASTContext(), Expr::SE_AllowSideEffects)) {
      if (Result.Val.getInt() != 1 && Result.Val.getInt() != 0) {
        ObjC().adornBoolConversionDiagWithTernaryFixit(
            E, Diag(CC, diag::warn_impcast_constant_value_to_objc_bool)
                   << toString(Result.Val.getInt(), 10));
      }
      // A constant source is fully handled here, whether or not it was
      // diagnosed.
      return;
    }
  }

  // Check implicit casts from Objective-C collection literals to specialized
  // collection types, e.g., NSArray<NSString *> *.
  if (auto *ArrayLiteral = dyn_cast<ObjCArrayLiteral>(E))
    ObjC().checkArrayLiteral(QualType(Target, 0), ArrayLiteral);
  else if (auto *DictionaryLiteral = dyn_cast<ObjCDictionaryLiteral>(E))
    ObjC().checkDictionaryLiteral(QualType(Target, 0), DictionaryLiteral);

  // Strip vector types.
  if (isa<VectorType>(Source)) {
    // Compatible (or lax-compatible) SVE and RVV conversions are accepted
    // without further checks.
    if (Target->isSveVLSBuiltinType() &&
        (Context.areCompatibleSveTypes(QualType(Target, 0),
                                       QualType(Source, 0)) ||
         Context.areLaxCompatibleSveTypes(QualType(Target, 0),
                                          QualType(Source, 0))))
      return;

    if (Target->isRVVVLSBuiltinType() &&
        (Context.areCompatibleRVVTypes(QualType(Target, 0),
                                       QualType(Source, 0)) ||
         Context.areLaxCompatibleRVVTypes(QualType(Target, 0),
                                          QualType(Source, 0))))
      return;

    if (!isa<VectorType>(Target)) {
      // Vector to non-vector conversion.
      if (SourceMgr.isInSystemMacro(CC))
        return;
      return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_vector_scalar);
    } else if (getLangOpts().HLSL &&
               Target->castAs<VectorType>()->getNumElements() <
                   Source->castAs<VectorType>()->getNumElements()) {
      // Diagnose vector truncation but don't return. We may also want to
      // diagnose an element conversion.
      DiagnoseImpCast(*this, E, T, CC,
                      diag::warn_hlsl_impcast_vector_truncation);
    }

    // If the vector cast is cast between two vectors of the same size, it is
    // a bitcast, not a conversion, except under HLSL where it is a conversion.
    if (!getLangOpts().HLSL &&
        Context.getTypeSize(Source) == Context.getTypeSize(Target))
      return;

    // From here on the element types are compared.
    Source = cast<VectorType>(Source)->getElementType().getTypePtr();
    Target = cast<VectorType>(Target)->getElementType().getTypePtr();
  }
  // A non-vector source converted to a vector target: compare against the
  // target's element type.
  if (auto VecTy = dyn_cast<VectorType>(Target))
    Target = VecTy->getElementType().getTypePtr();

  // Strip complex types.
  if (isa<ComplexType>(Source)) {
    if (!isa<ComplexType>(Target)) {
      if (SourceMgr.isInSystemMacro(CC) || Target->isBooleanType())
        return;

      // Complex to scalar is an error in C++ and a warning otherwise.
      return DiagnoseImpCast(*this, E, T, CC,
                             getLangOpts().CPlusPlus
                                 ? diag::err_impcast_complex_scalar
                                 : diag::warn_impcast_complex_scalar);
    }

    Source = cast<ComplexType>(Source)->getElementType().getTypePtr();
    Target = cast<ComplexType>(Target)->getElementType().getTypePtr();
  }

  // Builtin views of the (possibly stripped) types; either may be null.
  const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source);
  const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target);

  // Strip SVE vector types
  if (SourceBT && SourceBT->isSveVLSBuiltinType()) {
    // Need the original target type for vector type checks
    const Type *OriginalTarget = Context.getCanonicalType(T).getTypePtr();
    // Handle conversion from scalable to fixed when msve-vector-bits is
    // specified
    if (Context.areCompatibleSveTypes(QualType(OriginalTarget, 0),
                                      QualType(Source, 0)) ||
        Context.areLaxCompatibleSveTypes(QualType(OriginalTarget, 0),
                                         QualType(Source, 0)))
      return;

    // If the vector cast is cast between two vectors of the same size, it is
    // a bitcast, not a conversion.
    if (Context.getTypeSize(Source) == Context.getTypeSize(Target))
      return;

    Source = SourceBT->getSveEltType(Context).getTypePtr();
  }

  if (TargetBT && TargetBT->isSveVLSBuiltinType())
    Target = TargetBT->getSveEltType(Context).getTypePtr();

  // If the source is floating point...
  if (SourceBT && SourceBT->isFloatingPoint()) {
    // ...and the target is floating point...
    if (TargetBT && TargetBT->isFloatingPoint()) {
      // ...then warn if we're dropping FP rank.

      int Order = getASTContext().getFloatingTypeSemanticOrder(
          QualType(SourceBT, 0), QualType(TargetBT, 0));
      if (Order > 0) {
        // Don't warn about float constants that are precisely
        // representable in the target type.
        Expr::EvalResult result;
        if (E->EvaluateAsRValue(result, Context)) {
          // Value might be a float, a float vector, or a float complex.
          if (IsSameFloatAfterCast(
                  result.Val,
                  Context.getFloatTypeSemantics(QualType(TargetBT, 0)),
                  Context.getFloatTypeSemantics(QualType(SourceBT, 0))))
            return;
        }

        if (SourceMgr.isInSystemMacro(CC))
          return;

        DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_float_precision);
      }
      // ... or possibly if we're increasing rank, too
      else if (Order < 0) {
        if (SourceMgr.isInSystemMacro(CC))
          return;

        DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_double_promotion);
      }
      return;
    }

    // If the target is integral, always warn.
    if (TargetBT && TargetBT->isInteger()) {
      if (SourceMgr.isInSystemMacro(CC))
        return;

      DiagnoseFloatingImpCast(*this, E, T, CC);
    }

    // Detect the case where a call result is converted from floating-point
    // to bool, and the final argument to the call is converted from bool, to
    // discover this typo:
    //
    //    bool b = fabs(x < 1.0);  // should be "bool b = fabs(x) < 1.0;"
    //
    // FIXME: This is an incredibly special case; is there some more general
    // way to detect this class of misplaced-parentheses bug?
    if (Target->isBooleanType() && isa<CallExpr>(E)) {
      // Check last argument of function call to see if it is an
      // implicit cast from a type matching the type the result
      // is being cast to.
      CallExpr *CEx = cast<CallExpr>(E);
      if (unsigned NumArgs = CEx->getNumArgs()) {
        Expr *LastA = CEx->getArg(NumArgs - 1);
        Expr *InnerE = LastA->IgnoreParenImpCasts();
        if (isa<ImplicitCastExpr>(LastA) &&
            InnerE->getType()->isBooleanType()) {
          // Warn on this floating-point to bool conversion
          DiagnoseImpCast(*this, E, T, CC,
                          diag::warn_impcast_floating_point_to_bool);
        }
      }
    }
    // A floating-point source never reaches the integer checks below.
    return;
  }

  // Valid casts involving fixed point types should be accounted for here.
  if (Source->isFixedPointType()) {
    if (Target->isUnsaturatedFixedPointType()) {
      // Fixed-point to unsaturated fixed-point: a constant outside the
      // target's [min, max] is diagnosed.
      Expr::EvalResult Result;
      if (E->EvaluateAsFixedPoint(Result, Context, Expr::SE_AllowSideEffects,
                                  isConstantEvaluatedContext())) {
        llvm::APFixedPoint Value = Result.Val.getFixedPoint();
        llvm::APFixedPoint MaxVal = Context.getFixedPointMax(T);
        llvm::APFixedPoint MinVal = Context.getFixedPointMin(T);
        if (Value > MaxVal || Value < MinVal) {
          DiagRuntimeBehavior(E->getExprLoc(), E,
                              PDiag(diag::warn_impcast_fixed_point_range)
                                  << Value.toString() << T
                                  << E->getSourceRange()
                                  << clang::SourceRange(CC));
          return;
        }
      }
    } else if (Target->isIntegerType()) {
      // Fixed-point to integer: a constant whose conversion overflows the
      // target's width and signedness is diagnosed.
      Expr::EvalResult Result;
      if (!isConstantEvaluatedContext() &&
          E->EvaluateAsFixedPoint(Result, Context, Expr::SE_AllowSideEffects)) {
        llvm::APFixedPoint FXResult = Result.Val.getFixedPoint();

        bool Overflowed;
        llvm::APSInt IntResult = FXResult.convertToInt(
            Context.getIntWidth(T), Target->isSignedIntegerOrEnumerationType(),
            &Overflowed);

        if (Overflowed) {
          DiagRuntimeBehavior(E->getExprLoc(), E,
                              PDiag(diag::warn_impcast_fixed_point_range)
                                  << FXResult.toString() << T
                                  << E->getSourceRange()
                                  << clang::SourceRange(CC));
          return;
        }
      }
    }
  } else if (Target->isUnsaturatedFixedPointType()) {
    if (Source->isIntegerType()) {
      // Integer to unsaturated fixed-point: a constant that overflows the
      // target's fixed-point semantics is diagnosed.
      Expr::EvalResult Result;
      if (!isConstantEvaluatedContext() &&
          E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects)) {
        llvm::APSInt Value = Result.Val.getInt();

        bool Overflowed;
        llvm::APFixedPoint IntResult = llvm::APFixedPoint::getFromIntValue(
            Value, Context.getFixedPointSemantics(T), &Overflowed);

        if (Overflowed) {
          DiagRuntimeBehavior(E->getExprLoc(), E,
                              PDiag(diag::warn_impcast_fixed_point_range)
                                  << toString(Value, /*Radix=*/10) << T
                                  << E->getSourceRange()
                                  << clang::SourceRange(CC));
          return;
        }
      }
    }
  }

  // If we are casting an integer type to a floating point type without
  // initialization-list syntax, we might lose accuracy if the floating
  // point type has a narrower significand than the integer type.
  if (SourceBT && TargetBT && SourceBT->isIntegerType() &&
      TargetBT->isFloatingType() && !IsListInit) {
    // Determine the number of precision bits in the source integer type.
    // Note: this local shadows the SourceRange type inside this block, which
    // is why the diagnostic below spells out clang::SourceRange.
    IntRange SourceRange =
        GetExprRange(Context, E, isConstantEvaluatedContext(),
                     /*Approximate=*/true);
    unsigned int SourcePrecision = SourceRange.Width;

    // Determine the number of precision bits in the
    // target floating point type.
    unsigned int TargetPrecision = llvm::APFloatBase::semanticsPrecision(
        Context.getFloatTypeSemantics(QualType(TargetBT, 0)));

    if (SourcePrecision > 0 && TargetPrecision > 0 &&
        SourcePrecision > TargetPrecision) {

      if (std::optional<llvm::APSInt> SourceInt =
              E->getIntegerConstantExpr(Context)) {
        // If the source integer is a constant, convert it to the target
        // floating point type. Issue a warning if the value changes
        // during the whole conversion.
        llvm::APFloat TargetFloatValue(
            Context.getFloatTypeSemantics(QualType(TargetBT, 0)));
        llvm::APFloat::opStatus ConversionStatus =
            TargetFloatValue.convertFromAPInt(
                *SourceInt, SourceBT->isSignedInteger(),
                llvm::APFloat::rmNearestTiesToEven);

        // Any status other than opOK is reported, together with the value
        // before and after the conversion.
        if (ConversionStatus != llvm::APFloat::opOK) {
          SmallString<32> PrettySourceValue;
          SourceInt->toString(PrettySourceValue, 10);
          SmallString<32> PrettyTargetValue;
          TargetFloatValue.toString(PrettyTargetValue, TargetPrecision);

          DiagRuntimeBehavior(
              E->getExprLoc(), E,
              PDiag(diag::warn_impcast_integer_float_precision_constant)
                  << PrettySourceValue << PrettyTargetValue << E->getType() << T
                  << E->getSourceRange() << clang::SourceRange(CC));
        }
      } else {
        // Otherwise, the implicit conversion may lose precision.
        DiagnoseImpCast(*this, E, T, CC,
                        diag::warn_impcast_integer_float_precision);
      }
    }
  }

  DiagnoseNullConversion(*this, E, T, CC);

  DiscardMisalignedMemberAddress(Target, E);

  if (Target->isBooleanType())
    DiagnoseIntInBoolContext(*this, E);

  // Everything below is integer to integer only.
  if (!Source->isIntegerType() || !Target->isIntegerType())
    return;

  // TODO: remove this early return once the false positives for constant->bool
  // in templates, macros, etc, are reduced or removed.
  if (Target->isSpecificBuiltinType(BuiltinType::Bool))
    return;

  // Non-constant integer stored into a signed-char Objective-C BOOL, unless
  // the source is a character type or is known to have a boolean value.
  if (ObjC().isSignedCharBool(T) && !Source->isCharType() &&
      !E->isKnownToHaveBooleanValue(/*Semantic=*/false)) {
    return ObjC().adornBoolConversionDiagWithTernaryFixit(
        E, Diag(CC, diag::warn_impcast_int_to_objc_signed_char_bool)
               << E->getType());
  }

  // SourceTypeRange is the range of the source type itself;
  // LikelySourceRange is the (approximate) range computed for this
  // particular expression.
  IntRange SourceTypeRange =
      IntRange::forTargetOfCanonicalType(Context, Source);
  IntRange LikelySourceRange = GetExprRange(
      Context, E, isConstantEvaluatedContext(), /*Approximate=*/true);
  IntRange TargetRange = IntRange::forTargetOfCanonicalType(Context, Target);

  // Truncation: the expression may need more bits than the target has.
  if (LikelySourceRange.Width > TargetRange.Width) {
    // If the source is a constant, use a default-on diagnostic.
    // TODO: this should happen for bitfield stores, too.
    Expr::EvalResult Result;
    if (E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects,
                         isConstantEvaluatedContext())) {
      llvm::APSInt Value(32);
      Value = Result.Val.getInt();

      if (SourceMgr.isInSystemMacro(CC))
        return;

      // Report both the original value and the value that remains after
      // narrowing to the target range.
      std::string PrettySourceValue = toString(Value, 10);
      std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);

      DiagRuntimeBehavior(E->getExprLoc(), E,
                          PDiag(diag::warn_impcast_integer_precision_constant)
                              << PrettySourceValue << PrettyTargetValue
                              << E->getType() << T << E->getSourceRange()
                              << SourceRange(CC));
      return;
    }

    // People want to build with -Wshorten-64-to-32 and not -Wconversion.
    if (SourceMgr.isInSystemMacro(CC))
      return;

    // 64-bit expression type narrowed to a 32-bit target gets its own
    // diagnostic; every other truncation uses the generic one.
    if (TargetRange.Width == 32 && Context.getIntWidth(E->getType()) == 64)
      return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_integer_64_32,
                             /* pruneControlFlow */ true);
    return DiagnoseImpCast(*this, E, T, CC,
                           diag::warn_impcast_integer_precision);
  }

  // Widening the result of unary minus applied to an unsigned operand:
  // diagnosed as high-order zero bits for an unsigned target and as a
  // non-negative result for a signed target.
  if (TargetRange.Width > SourceTypeRange.Width) {
    if (auto *UO = dyn_cast<UnaryOperator>(E))
      if (UO->getOpcode() == UO_Minus)
        if (Source->isUnsignedIntegerType()) {
          if (Target->isUnsignedIntegerType())
            return DiagnoseImpCast(*this, E, T, CC,
                                   diag::warn_impcast_high_order_zero_bits);
          if (Target->isSignedIntegerType())
            return DiagnoseImpCast(*this, E, T, CC,
                                   diag::warn_impcast_nonnegative_result);
        }
  }

  if (TargetRange.Width == LikelySourceRange.Width &&
      !TargetRange.NonNegative && LikelySourceRange.NonNegative &&
      Source->isSignedIntegerType()) {
    // Signed to signed conversion: warn if the non-negative source value
    // needs exactly the width of the target type, which will cause a
    // negative value to be stored.

    Expr::EvalResult Result;
    if (E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects) &&
        !SourceMgr.isInSystemMacro(CC)) {
      llvm::APSInt Value = Result.Val.getInt();
      // Literals spelled with a leading '0' and char array initializers are
      // filtered out by isSameWidthConstantConversion.
      if (isSameWidthConstantConversion(*this, E, T, CC)) {
        std::string PrettySourceValue = toString(Value, 10);
        std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);

        Diag(E->getExprLoc(),
             PDiag(diag::warn_impcast_integer_precision_constant)
                 << PrettySourceValue << PrettyTargetValue << E->getType() << T
                 << E->getSourceRange() << SourceRange(CC));
        return;
      }
    }

    // Fall through for non-constants to give a sign conversion warning.
  }

  // Sign change: a possibly negative source into a non-negative target, or a
  // non-negative source of the same width into a signed target. Conversions
  // where both sides are enum types are left to the enum check at the end.
  if ((!isa<EnumType>(Target) || !isa<EnumType>(Source)) &&
      ((TargetRange.NonNegative && !LikelySourceRange.NonNegative) ||
       (!TargetRange.NonNegative && LikelySourceRange.NonNegative &&
        LikelySourceRange.Width == TargetRange.Width))) {
    if (SourceMgr.isInSystemMacro(CC))
      return;

    // Both sides are builtin integers of the same signedness: this is not a
    // sign conversion, so stay silent.
    if (SourceBT && SourceBT->isInteger() && TargetBT &&
        TargetBT->isInteger() &&
        Source->isSignedIntegerType() == Target->isSignedIntegerType()) {
      return;
    }

    unsigned DiagID = diag::warn_impcast_integer_sign;

    // Traditionally, gcc has warned about this under -Wsign-compare.
    // We also want to warn about it in -Wconversion.
    // So if -Wconversion is off, use a completely identical diagnostic
    // in the sign-compare group.
    // A caller that passes ICContext gets the flag set so that it can tell
    // a sign conversion was found here.
    if (ICContext) {
      DiagID = diag::warn_impcast_integer_sign_conditional;
      *ICContext = true;
    }

    return DiagnoseImpCast(*this, E, T, CC, DiagID);
  }

  // Diagnose conversions between different enumeration types.
  // In C, we pretend that the type of an EnumConstantDecl is its enumeration
  // type, to give us better diagnostics.
  QualType SourceType = E->getEnumCoercedType(Context);
  Source = Context.getCanonicalType(SourceType).getTypePtr();

  // Only enums that have a name for linkage on both sides are compared.
  if (const EnumType *SourceEnum = Source->getAs<EnumType>())
    if (const EnumType *TargetEnum = Target->getAs<EnumType>())
      if (SourceEnum->getDecl()->hasNameForLinkage() &&
          TargetEnum->getDecl()->hasNameForLinkage() &&
          SourceEnum != TargetEnum) {
        if (SourceMgr.isInSystemMacro(CC))
          return;

        return DiagnoseImpCast(*this, E, SourceType, T, CC,
                               diag::warn_impcast_different_enum_types);
      }
}
11212
// Forward declaration: CheckConditionalOperand (below) calls this function
// for nested conditional operators, and this function in turn calls
// CheckConditionalOperand for each of its arms.
static void CheckConditionalOperator(Sema &S, AbstractConditionalOperator *E,
                                     SourceLocation CC, QualType T);
11215
/// Check one arm of a conditional operator for its conversion to \p T.
///
/// Parentheses and implicit casts are stripped first. In C, an arm of
/// record type must have a complete type. A nested conditional operator is
/// handed to CheckConditionalOperator, which keeps its own flag, so
/// \p ICContext is not touched on that path. Any other arm is analyzed and,
/// if its type differs from \p T, checked as an implicit conversion to
/// \p T.
///
/// \param S          Semantic analyzer used to emit diagnostics.
/// \param E          The arm to check.
/// \param T          Type the conditional operator is converted to.
/// \param CC         Conversion context location.
/// \param ICContext  Passed to CheckImplicitConversion, which sets it when
///                   it diagnoses an integer sign conversion.
static void CheckConditionalOperand(Sema &S, Expr *E, QualType T,
                                    SourceLocation CC, bool &ICContext) {
  Expr *Arm = E->IgnoreParenImpCasts();

  // Diagnose incomplete type for second or third operand in C.
  const bool IsC = !S.getLangOpts().CPlusPlus;
  if (IsC && Arm->getType()->isRecordType())
    S.RequireCompleteExprType(Arm, diag::err_incomplete_type);

  if (auto *Nested = dyn_cast<AbstractConditionalOperator>(Arm)) {
    CheckConditionalOperator(S, Nested, CC, T);
    return;
  }

  AnalyzeImplicitConversions(S, Arm, CC);
  if (Arm->getType() == T)
    return;

  S.CheckImplicitConversion(Arm, T, CC, &ICContext);
}
11230
/// Check a conditional operator whose result is converted to \p T.
///
/// The condition is analyzed on its own. Each arm is then checked against
/// \p T; for a BinaryConditionalOperator the common expression stands in
/// for the true arm. If one of the arms was flagged for an integer sign
/// conversion while warn_impcast_integer_sign_conditional is ignored at
/// \p CC, and the operator's own type differs from \p T, the arms are
/// checked once more against the operator's own type.
///
/// \param S   Semantic analyzer used to emit diagnostics.
/// \param E   Conditional operator to check.
/// \param CC  Conversion context location.
/// \param T   Type the conditional operator is converted to.
static void CheckConditionalOperator(Sema &S, AbstractConditionalOperator *E,
                                     SourceLocation CC, QualType T) {
  AnalyzeImplicitConversions(S, E->getCond(), E->getQuestionLoc());

  auto *BCO = dyn_cast<BinaryConditionalOperator>(E);
  Expr *TrueArm = BCO ? BCO->getCommon() : E->getTrueExpr();
  Expr *FalseArm = E->getFalseExpr();

  bool SignIssue = false;
  CheckConditionalOperand(S, TrueArm, T, CC, SignIssue);
  CheckConditionalOperand(S, FalseArm, T, CC, SignIssue);

  if (T->isBooleanType())
    DiagnoseIntInBoolContext(S, E);

  // Continue only if -Wconversion would have warned about a signedness
  // conversion of one of the arms to the context type, that warning is
  // currently ignored, and the operator's own type is not already T.
  if (!SignIssue ||
      !S.Diags.isIgnored(diag::warn_impcast_integer_sign_conditional, CC) ||
      E->getType() == T)
    return;

  // Check whether either arm would be flagged for a signedness conversion
  // to the type of the conditional itself; stop after the first hit.
  const QualType CondTy = E->getType();
  bool CondTySignIssue = false;
  S.CheckImplicitConversion(TrueArm->IgnoreParenImpCasts(), CondTy, CC,
                            &CondTySignIssue);
  if (CondTySignIssue)
    return;
  S.CheckImplicitConversion(E->getFalseExpr()->IgnoreParenImpCasts(), CondTy,
                            CC, &CondTySignIssue);
}
11265
/// Check the conversion of the logical expression \p E to bool.
///
/// The check runs for C only: there, bool is still not the result type of
/// the "boolean" operators nor the input type of conditional operators.
/// Expressions of atomic type are skipped.
///
/// \param S   Semantic analyzer used to emit diagnostics.
/// \param E   Logical expression to check.
/// \param CC  Conversion context location.
static void CheckBoolLikeConversion(Sema &S, Expr *E, SourceLocation CC) {
  if (S.getLangOpts().CPlusPlus)
    return;

  Expr *Stripped = E->IgnoreParenImpCasts();
  if (Stripped->getType()->isAtomicType())
    return;

  S.CheckImplicitConversion(Stripped, S.Context.BoolTy, CC);
}
11278
namespace {
/// One pending entry of the worklist used by the data-recursive
/// AnalyzeImplicitConversions.
struct AnalyzeImplicitConversionsWorkItem {
  // Expression still to be analyzed.
  Expr *E;
  // Conversion context location to use for E.
  SourceLocation CC;
  // True when E is already known to be inside a C++ list initialization.
  bool IsListInit;
};
} // namespace
11286
11287 /// Data recursive variant of AnalyzeImplicitConversions. Subexpressions
11288 /// that should be visited are added to WorkList.
static void AnalyzeImplicitConversions(
    Sema &S, AnalyzeImplicitConversionsWorkItem Item,
    llvm::SmallVectorImpl<AnalyzeImplicitConversionsWorkItem> &WorkList) {
  // Handles exactly one work item: emits the diagnostics that apply to Item.E
  // itself, then appends the subexpressions that still need a visit to
  // WorkList rather than calling itself on them. Several early returns below
  // end the visit without queueing anything further.
  Expr *OrigE = Item.E;
  SourceLocation CC = Item.CC;

  // T is the type of the item as queued; E is the same expression with
  // parentheses and implicit casts stripped.
  QualType T = OrigE->getType();
  Expr *E = OrigE->IgnoreParenImpCasts();

  // Propagate whether we are in a C++ list initialization expression.
  // If so, we do not issue warnings for implicit int-float conversion
  // precision loss, because C++11 narrowing already handles it.
  bool IsListInit = Item.IsListInit ||
                    (isa<InitListExpr>(OrigE) && S.getLangOpts().CPlusPlus);

  // Dependent expressions are skipped entirely.
  if (E->isTypeDependent() || E->isValueDependent())
    return;

  Expr *SourceExpr = E;
  // Examine, but don't traverse into the source expression of an
  // OpaqueValueExpr, since it may have multiple parents and we don't want to
  // emit duplicate diagnostics. It's fine to examine the form or attempt to
  // evaluate it in the context of checking the specific conversion to T though.
  if (auto *OVE = dyn_cast<OpaqueValueExpr>(E))
    if (auto *Src = OVE->getSourceExpr())
      SourceExpr = Src;

  // '~' applied to an operand known to have a boolean value: warn and offer
  // '!' as a replacement.
  if (const auto *UO = dyn_cast<UnaryOperator>(SourceExpr))
    if (UO->getOpcode() == UO_Not &&
        UO->getSubExpr()->isKnownToHaveBooleanValue())
      S.Diag(UO->getBeginLoc(), diag::warn_bitwise_negation_bool)
          << OrigE->getSourceRange() << T->isBooleanType()
          << FixItHint::CreateReplacement(UO->getBeginLoc(), "!");

  // Bitwise '&' or '|' where both operands are known to be boolean and both
  // have side effects: warn and offer '&&' / '||'. The bitwise form evaluates
  // both operands, whereas the suggested logical form short-circuits, so the
  // two spellings differ in which side effects run.
  if (const auto *BO = dyn_cast<BinaryOperator>(SourceExpr))
    if ((BO->getOpcode() == BO_And || BO->getOpcode() == BO_Or) &&
        BO->getLHS()->isKnownToHaveBooleanValue() &&
        BO->getRHS()->isKnownToHaveBooleanValue() &&
        BO->getLHS()->HasSideEffects(S.Context) &&
        BO->getRHS()->HasSideEffects(S.Context)) {
      // Recover the operator exactly as it is spelled in the source text.
      SourceManager &SM = S.getSourceManager();
      const LangOptions &LO = S.getLangOpts();
      SourceLocation BLoc = BO->getOperatorLoc();
      SourceLocation ELoc = Lexer::getLocForEndOfToken(BLoc, 0, SM, LO);
      StringRef SR = clang::Lexer::getSourceText(
          clang::CharSourceRange::getTokenRange(BLoc, ELoc), SM, LO);
      // To reduce false positives, only issue the diagnostic if the operator
      // is explicitly spelled as a punctuator. This suppresses the diagnostic
      // when using 'bitand' or 'bitor' either as keywords in C++ or as macros
      // in C, along with other macro spellings the user might invent.
      if (SR.str() == "&" || SR.str() == "|") {

        S.Diag(BO->getBeginLoc(), diag::warn_bitwise_instead_of_logical)
            << (BO->getOpcode() == BO_And ? "&" : "|")
            << OrigE->getSourceRange()
            << FixItHint::CreateReplacement(
                   BO->getOperatorLoc(),
                   (BO->getOpcode() == BO_And ? "&&" : "||"));
        S.Diag(BO->getBeginLoc(), diag::note_cast_operand_to_int);
      }
    }

  // For conditional operators, we analyze the arguments as if they
  // were being fed directly into the output. Nothing below runs for them.
  if (auto *CO = dyn_cast<AbstractConditionalOperator>(SourceExpr)) {
    CheckConditionalOperator(S, CO, CC, T);
    return;
  }

  // Check implicit argument conversions for function calls.
  if (CallExpr *Call = dyn_cast<CallExpr>(SourceExpr))
    CheckImplicitArgumentConversions(S, Call, CC);

  // Go ahead and check any implicit conversions we might have skipped.
  // The non-canonical typecheck is just an optimization;
  // CheckImplicitConversion will filter out dead implicit conversions.
  if (SourceExpr->getType() != T)
    S.CheckImplicitConversion(SourceExpr, T, CC, nullptr, IsListInit);

  // Now continue drilling into this expression.

  if (PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E)) {
    // The bound subexpressions in a PseudoObjectExpr are not reachable
    // as transitive children.
    // FIXME: Use a more uniform representation for this.
    for (auto *SE : POE->semantics())
      if (auto *OVE = dyn_cast<OpaqueValueExpr>(SE))
        WorkList.push_back({OVE->getSourceExpr(), CC, IsListInit});
  }

  // Skip past explicit casts. An explicit cast to a non-void type whose
  // operand has atomic type draws warn_atomic_implicit_seq_cst; the operand is
  // then queued and this visit ends.
  if (auto *CE = dyn_cast<ExplicitCastExpr>(E)) {
    E = CE->getSubExpr()->IgnoreParenImpCasts();
    if (!CE->getType()->isVoidType() && E->getType()->isAtomicType())
      S.Diag(E->getBeginLoc(), diag::warn_atomic_implicit_seq_cst);
    WorkList.push_back({E, CC, IsListInit});
    return;
  }

  // Comparisons and assignments are handed to dedicated helpers (defined
  // outside this part of the file) and are not walked by the loop below.
  if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
    // Do a somewhat different check with comparison operators.
    if (BO->isComparisonOp())
      return AnalyzeComparison(S, BO);

    // And with simple assignments.
    if (BO->getOpcode() == BO_Assign)
      return AnalyzeAssignment(S, BO);
    // And with compound assignments.
    if (BO->isAssignmentOp())
      return AnalyzeCompoundAssignment(S, BO);
  }

  // These break the otherwise-useful invariant below.  Fortunately,
  // we don't really need to recurse into them, because any internal
  // expressions should have been analyzed already when they were
  // built into statements.
  if (isa<StmtExpr>(E)) return;

  // Don't descend into unevaluated contexts.
  if (isa<UnaryExprOrTypeTraitExpr>(E)) return;

  // Now just recurse over the expression's children. From here on the
  // children are attributed to this expression's own location.
  CC = E->getExprLoc();
  BinaryOperator *BO = dyn_cast<BinaryOperator>(E);
  bool IsLogicalAndOperator = BO && BO->getOpcode() == BO_LAnd;
  for (Stmt *SubStmt : E->children()) {
    // Null children and children that are not expressions are skipped.
    Expr *ChildExpr = dyn_cast_or_null<Expr>(SubStmt);
    if (!ChildExpr)
      continue;

    if (auto *CSE = dyn_cast<CoroutineSuspendExpr>(E))
      if (ChildExpr == CSE->getOperand())
        // Do not recurse over a CoroutineSuspendExpr's operand.
        // The operand is also a subexpression of getCommonExpr(), and
        // recursing into it directly would produce duplicate diagnostics.
        continue;

    if (IsLogicalAndOperator &&
        isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts()))
      // Ignore checking string literals that are in logical and operators.
      // This is a common pattern for asserts.
      continue;
    WorkList.push_back({ChildExpr, CC, IsListInit});
  }

  // Both operands of a logical operator get the bool-like conversion check,
  // except string-literal operands of '&&' (same exemption as in the loop
  // above).
  if (BO && BO->isLogicalOp()) {
    Expr *SubExpr = BO->getLHS()->IgnoreParenImpCasts();
    if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr))
      ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc());

    SubExpr = BO->getRHS()->IgnoreParenImpCasts();
    if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr))
      ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc());
  }

  // The operand of '!' gets the bool-like check; for every other unary
  // operator except address-of, an atomic-typed operand draws
  // warn_atomic_implicit_seq_cst.
  if (const UnaryOperator *U = dyn_cast<UnaryOperator>(E)) {
    if (U->getOpcode() == UO_LNot) {
      ::CheckBoolLikeConversion(S, U->getSubExpr(), CC);
    } else if (U->getOpcode() != UO_AddrOf) {
      if (U->getSubExpr()->getType()->isAtomicType())
        S.Diag(U->getSubExpr()->getBeginLoc(),
               diag::warn_atomic_implicit_seq_cst);
    }
  }
}
11454
11455 /// AnalyzeImplicitConversions - Find and report any interesting
11456 /// implicit conversions in the given expression. There are a couple
11457 /// of competing diagnostics here, -Wconversion and -Wsign-compare.
static void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC,
                                       bool IsListInit/*= false*/) {
  // Driver for the data-recursive worker: seed an explicit stack with the
  // root expression and keep processing until the worker stops queueing
  // subexpressions. The stack is never empty on entry to the loop, so a
  // do/while is equivalent to testing first.
  llvm::SmallVector<AnalyzeImplicitConversionsWorkItem, 16> Pending;
  Pending.push_back({OrigE, CC, IsListInit});
  do {
    AnalyzeImplicitConversionsWorkItem Next = Pending.pop_back_val();
    AnalyzeImplicitConversions(S, Next, Pending);
  } while (!Pending.empty());
}
11465
11466 // Helper function for Sema::DiagnoseAlwaysNonNullPointer.
11467 // Returns true when emitting a warning about taking the address of a reference.
static bool CheckForReference(Sema &SemaRef, const Expr *E,
                              const PartialDiagnostic &PD) {
  // Only three expression forms are recognised: a declaration reference, a
  // member access, and a call. Each counts only when the entity it names (or
  // the call's return type) is a reference type; everything else returns
  // false without emitting anything.
  E = E->IgnoreParenImpCasts();

  const FunctionDecl *Callee = nullptr;
  bool YieldsReference = false;

  if (const auto *DRE = dyn_cast<DeclRefExpr>(E)) {
    YieldsReference = DRE->getDecl()->getType()->isReferenceType();
  } else if (const auto *M = dyn_cast<MemberExpr>(E)) {
    YieldsReference = M->getMemberDecl()->getType()->isReferenceType();
  } else if (const auto *Call = dyn_cast<CallExpr>(E)) {
    YieldsReference =
        Call->getCallReturnType(SemaRef.Context)->isReferenceType();
    // The callee is looked up only once the call is known to qualify.
    if (YieldsReference)
      Callee = Call->getDirectCallee();
  }

  if (!YieldsReference)
    return false;

  SemaRef.Diag(E->getExprLoc(), PD);

  // When the reference came from a direct call, also point at the function.
  if (Callee)
    SemaRef.Diag(Callee->getLocation(), diag::note_reference_is_return_value)
        << Callee;

  return true;
}
11497
11498 // Returns true if the SourceLocation is expanded from any macro body.
11499 // Returns false if the SourceLocation is invalid, is from not in a macro
11500 // expansion, or is from expanded from a top-level macro argument.
static bool IsInAnyMacroBody(const SourceManager &SM, SourceLocation Loc) {
  if (Loc.isInvalid())
    return false;

  // Walk outwards through the chain of macro callers; the first level that is
  // a macro body expansion settles the answer.
  for (; Loc.isMacroID(); Loc = SM.getImmediateMacroCallerLoc(Loc))
    if (SM.isMacroBodyExpansion(Loc))
      return true;

  // Either not a macro location at all, or only macro arguments all the way up.
  return false;
}
11513
/// Diagnose a null comparison or a conversion to bool of a pointer expression
/// that can be shown to be non-null.
///
/// \param E        the pointer-valued operand; a null \p E is ignored.
/// \param NullKind Expr::NPCK_NotNull selects the "converted to bool"
///                 diagnostics; any other kind selects the "compared against
///                 null" diagnostics.
/// \param IsEqual  streamed into every diagnostic emitted here (presumably
///                 distinguishes '==' from '!='; confirm against the
///                 diagnostic text).
/// \param Range    extra source range attached to the diagnostics; its start
///                 is also tested for macro-body expansion.
void Sema::DiagnoseAlwaysNonNullPointer(Expr *E,
                                        Expr::NullPointerConstantKind NullKind,
                                        bool IsEqual, SourceRange Range) {
  if (!E)
    return;

  // Don't warn inside macros. The macro-body test is only run when E's own
  // location is a macro location; it then also covers the start of Range.
  if (E->getExprLoc().isMacroID()) {
    const SourceManager &SM = getSourceManager();
    if (IsInAnyMacroBody(SM, E->getExprLoc()) ||
        IsInAnyMacroBody(SM, Range.getBegin()))
      return;
  }
  E = E->IgnoreImpCasts();

  const bool IsCompare = NullKind != Expr::NPCK_NotNull;

  // 'this' compared against null or converted to bool.
  if (isa<CXXThisExpr>(E)) {
    unsigned DiagID = IsCompare ? diag::warn_this_null_compare
                                : diag::warn_this_bool_conversion;
    Diag(E->getExprLoc(), DiagID) << E->getSourceRange() << Range << IsEqual;
    return;
  }

  bool IsAddressOf = false;

  // Of the unary operators only address-of is analyzed; for '&x' the rest of
  // the function looks at 'x'. Any other unary operator ends the check.
  if (auto *UO = dyn_cast<UnaryOperator>(E->IgnoreParens())) {
    if (UO->getOpcode() != UO_AddrOf)
      return;
    IsAddressOf = true;
    E = UO->getSubExpr();
  }

  // Address of a reference: CheckForReference emits the diagnostic itself and
  // returns true when the operand is reference-typed.
  if (IsAddressOf) {
    unsigned DiagID = IsCompare
                          ? diag::warn_address_of_reference_null_compare
                          : diag::warn_address_of_reference_bool_conversion;
    PartialDiagnostic PD = PDiag(DiagID) << E->getSourceRange() << Range
                                         << IsEqual;
    if (CheckForReference(*this, E, PD)) {
      return;
    }
  }

  // Shared reporting for the nonnull-parameter and returns_nonnull cases: the
  // warning on E, with E pretty-printed into it, plus a note at the attribute.
  // IsParam is true for a NonNullAttr and false for any other attribute
  // passed in.
  auto ComplainAboutNonnullParamOrCall = [&](const Attr *NonnullAttr) {
    bool IsParam = isa<NonNullAttr>(NonnullAttr);
    std::string Str;
    llvm::raw_string_ostream S(Str);
    E->printPretty(S, nullptr, getPrintingPolicy());
    unsigned DiagID = IsCompare ? diag::warn_nonnull_expr_compare
                                : diag::warn_cast_nonnull_to_bool;
    Diag(E->getExprLoc(), DiagID) << IsParam << S.str()
                                  << E->getSourceRange() << Range << IsEqual;
    Diag(NonnullAttr->getLocation(), diag::note_declared_nonnull) << IsParam;
  };

  // If we have a CallExpr that is tagged with returns_nonnull, we can complain.
  if (auto *Call = dyn_cast<CallExpr>(E->IgnoreParenImpCasts())) {
    if (auto *Callee = Call->getDirectCallee()) {
      if (const Attr *A = Callee->getAttr<ReturnsNonNullAttr>()) {
        ComplainAboutNonnullParamOrCall(A);
        return;
      }
    }
  }

  // Complain if we are converting a lambda expression to a boolean value
  // outside of instantiation.
  if (!inTemplateInstantiation()) {
    if (const auto *MCallExpr = dyn_cast<CXXMemberCallExpr>(E)) {
      if (const auto *MRecordDecl = MCallExpr->getRecordDecl();
          MRecordDecl && MRecordDecl->isLambda()) {
        Diag(E->getExprLoc(), diag::warn_impcast_pointer_to_bool)
            << /*LambdaPointerConversionOperatorType=*/3
            << MRecordDecl->getSourceRange() << Range << IsEqual;
        return;
      }
    }
  }

  // Expect to find a single Decl.  Skip anything more complicated.
  ValueDecl *D = nullptr;
  if (DeclRefExpr *R = dyn_cast<DeclRefExpr>(E)) {
    D = R->getDecl();
  } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) {
    D = M->getMemberDecl();
  }

  // Weak Decls can be null, so a null check on them is never reported.
  if (!D || D->isWeak())
    return;

  // Check for parameter decl with nonnull attribute. Parameters that the
  // current function has recorded in ModifiedNonNullParams are exempt
  // (presumably those reassigned in the body; confirm where the set is filled).
  if (const auto* PV = dyn_cast<ParmVarDecl>(D)) {
    if (getCurFunction() &&
        !getCurFunction()->ModifiedNonNullParams.count(PV)) {
      // Attribute written on the parameter itself.
      if (const Attr *A = PV->getAttr<NonNullAttr>()) {
        ComplainAboutNonnullParamOrCall(A);
        return;
      }

      // Attribute written on the enclosing function.
      if (const auto *FD = dyn_cast<FunctionDecl>(PV->getDeclContext())) {
        // Skip function template not specialized yet.
        if (FD->getTemplatedKind() == FunctionDecl::TK_FunctionTemplate)
          return;
        // Position of this parameter in the function's parameter list.
        auto ParamIter = llvm::find(FD->parameters(), PV);
        assert(ParamIter != FD->param_end());
        unsigned ParamNo = std::distance(FD->param_begin(), ParamIter);

        for (const auto *NonNull : FD->specific_attrs<NonNullAttr>()) {
          // An attribute without an argument list is taken to cover this
          // parameter.
          if (!NonNull->args_size()) {
            ComplainAboutNonnullParamOrCall(NonNull);
            return;
          }

          // Otherwise the attribute must list this parameter's index.
          for (const ParamIdx &ArgNo : NonNull->args()) {
            if (ArgNo.getASTIndex() == ParamNo) {
              ComplainAboutNonnullParamOrCall(NonNull);
              return;
            }
          }
        }
      }
    }
  }

  QualType T = D->getType();
  const bool IsArray = T->isArrayType();
  const bool IsFunction = T->isFunctionType();

  // Address of function is used to silence the function warning.
  if (IsAddressOf && IsFunction) {
    return;
  }

  // Found nothing.
  if (!IsAddressOf && !IsFunction && !IsArray)
    return;

  // Pretty print the expression for the diagnostic.
  std::string Str;
  llvm::raw_string_ostream S(Str);
  E->printPretty(S, nullptr, getPrintingPolicy());

  unsigned DiagID = IsCompare ? diag::warn_null_pointer_compare
                              : diag::warn_impcast_pointer_to_bool;
  // Selector streamed into the diagnostic. The early returns above guarantee
  // that at least one of the three flags is set, so the final else is
  // unreachable.
  enum {
    AddressOf,
    FunctionPointer,
    ArrayPointer
  } DiagType;
  if (IsAddressOf)
    DiagType = AddressOf;
  else if (IsFunction)
    DiagType = FunctionPointer;
  else if (IsArray)
    DiagType = ArrayPointer;
  else
    llvm_unreachable("Could not determine diagnostic.");
  Diag(E->getExprLoc(), DiagID) << DiagType << S.str() << E->getSourceRange()
                                << Range << IsEqual;

  // The remaining notes apply to functions only.
  if (!IsFunction)
    return;

  // Suggest '&' to silence the function warning.
  Diag(E->getExprLoc(), diag::note_function_warning_silence)
      << FixItHint::CreateInsertion(E->getBeginLoc(), "&");

  // Check to see if '()' fixit should be emitted.
  QualType ReturnType;
  UnresolvedSet<4> NonTemplateOverloads;
  tryExprAsCall(*E, ReturnType, NonTemplateOverloads);
  if (ReturnType.isNull())
    return;

  if (IsCompare) {
    // There are two cases here.  If the null is some other null constant,
    // only suggest for a pointer return type.  If the null is 0, then suggest
    // if the return type is a pointer or an integer type.
    if (!ReturnType->isPointerType()) {
      if (NullKind == Expr::NPCK_ZeroExpression ||
          NullKind == Expr::NPCK_ZeroLiteral) {
        if (!ReturnType->isIntegerType())
          return;
      } else {
        return;
      }
    }
  } else { // !IsCompare
    // For function to bool, only suggest if the function pointer has bool
    // return type.
    if (!ReturnType->isSpecificBuiltinType(BuiltinType::Bool))
      return;
  }
  Diag(E->getExprLoc(), diag::note_function_to_function_call)
      << FixItHint::CreateInsertion(getLocForEndOfToken(E->getEndLoc()), "()");
}
11712
/// Entry point for the implicit-conversion diagnostics on \p E; \p CC is the
/// location passed on to the analysis.
void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) {
  // Nothing is diagnosed in unevaluated contexts, nor for value- or
  // type-dependent expressions.
  const bool Skip = isUnevaluatedContext() || E->isTypeDependent() ||
                    E->isValueDependent();
  if (Skip)
    return;

  // Check for array bounds violations in cases where the check isn't
  // triggered elsewhere for other Expr types (like BinaryOperators), e.g.
  // when an ArraySubscriptExpr is on the RHS of a variable initialization.
  CheckArrayAccess(E);

  // This is not the right CC for (e.g.) a variable initialization.
  AnalyzeImplicitConversions(*this, E, CC);
}
11730
/// Member entry point that forwards to the file-local helper of the same name.
void Sema::CheckBoolLikeConversion(Expr *E, SourceLocation CC) {
  // The leading '::' selects the file-scope function, not this member.
  return ::CheckBoolLikeConversion(*this, E, CC);
}
11734
/// Evaluate the operator expressions reachable from \p E for overflow,
/// looking through initializer lists, call/message/constructor arguments,
/// bound temporaries, subscript indices, compound literals and array-new
/// sizes.
void Sema::CheckForIntOverflow(const Expr *E) {
  // Explicit stack rather than recursion, so nested struct initializers are
  // handled iteratively. It starts with one element, so testing before the
  // first iteration is equivalent to testing after it.
  SmallVector<const Expr *, 2> Pending(1, E);

  while (!Pending.empty()) {
    const Expr *Written = Pending.pop_back_val();
    const Expr *Stripped = Written->IgnoreParenCasts();

    if (isa<BinaryOperator, UnaryOperator>(Stripped)) {
      // Operators are the expressions actually evaluated for overflow.
      Stripped->EvaluateForOverflow(Context);
    } else if (const auto *InitList = dyn_cast<InitListExpr>(Written)) {
      Pending.append(InitList->inits().begin(), InitList->inits().end());
    } else if (isa<ObjCBoxedExpr>(Written)) {
      Stripped->EvaluateForOverflow(Context);
    } else if (const auto *Call = dyn_cast<CallExpr>(Stripped)) {
      Pending.append(Call->arg_begin(), Call->arg_end());
    } else if (const auto *Message = dyn_cast<ObjCMessageExpr>(Stripped)) {
      Pending.append(Message->arg_begin(), Message->arg_end());
    } else if (const auto *Construct = dyn_cast<CXXConstructExpr>(Stripped)) {
      Pending.append(Construct->arg_begin(), Construct->arg_end());
    } else if (const auto *Temporary =
                   dyn_cast<CXXBindTemporaryExpr>(Stripped)) {
      Pending.push_back(Temporary->getSubExpr());
    } else if (const auto *Array = dyn_cast<ArraySubscriptExpr>(Stripped)) {
      // Only the index is queued, not the base.
      Pending.push_back(Array->getIdx());
    } else if (const auto *Compound =
                   dyn_cast<CompoundLiteralExpr>(Stripped)) {
      Pending.push_back(Compound->getInitializer());
    } else if (const auto *New = dyn_cast<CXXNewExpr>(Stripped);
               New && New->isArray()) {
      // For an array new, the size expression is queued when there is one.
      if (auto ArraySize = New->getArraySize())
        Pending.push_back(*ArraySize);
    }
  }
}
11771
11772 namespace {
11773
11774 /// Visitor for expressions which looks for unsequenced operations on the
11775 /// same object.
11776 class SequenceChecker : public ConstEvaluatedExprVisitor<SequenceChecker> {
11777 using Base = ConstEvaluatedExprVisitor<SequenceChecker>;
11778
11779 /// A tree of sequenced regions within an expression. Two regions are
11780 /// unsequenced if one is an ancestor or a descendent of the other. When we
11781 /// finish processing an expression with sequencing, such as a comma
11782 /// expression, we fold its tree nodes into its parent, since they are
11783 /// unsequenced with respect to nodes we will visit later.
class SequenceTree {
  // One tree node: the index of its parent, and whether the node has been
  // folded into that parent.
  struct Value {
    explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {}
    unsigned Parent : 31;
    LLVM_PREFERRED_TYPE(bool)
    unsigned Merged : 1;
  };
  // Node storage; a region is identified by its index in this vector.
  SmallVector<Value, 8> Values;

public:
  /// A region within an expression which may be sequenced with respect
  /// to some other region.
  class Seq {
    friend class SequenceTree;

    unsigned Index;

    // Only the tree itself may create a handle for a specific node.
    explicit Seq(unsigned N) : Index(N) {}

  public:
    // A default-constructed handle refers to node 0, the root.
    Seq() : Index(0) {}
  };

  // The root is node 0 and is recorded as its own parent.
  SequenceTree() { Values.emplace_back(0u); }
  Seq root() const { return Seq(0); }

  /// Create a new sequence of operations, which is an unsequenced
  /// subset of \p Parent. This sequence of operations is sequenced with
  /// respect to other children of \p Parent.
  Seq allocate(Seq Parent) {
    Values.emplace_back(Parent.Index);
    const unsigned NewIndex = Values.size() - 1;
    return Seq(NewIndex);
  }

  /// Merge a sequence of operations into its parent.
  void merge(Seq S) {
    Value &Node = Values[S.Index];
    Node.Merged = true;
  }

  /// Determine whether two operations are unsequenced. This operation
  /// is asymmetric: \p Cur should be the more recent sequence, and \p Old
  /// should have been merged into its parent as appropriate.
  bool isUnsequenced(Seq Cur, Seq Old) {
    unsigned Node = representative(Cur.Index);
    const unsigned Goal = representative(Old.Index);
    // Climb from Cur's representative towards the root. The climb stops as
    // soon as the index drops below Old's representative.
    for (; Node >= Goal; Node = Values[Node].Parent)
      if (Node == Goal)
        return true;
    return false;
  }

private:
  /// Pick a representative for a sequence: the nearest ancestor-or-self that
  /// has not been merged.
  unsigned representative(unsigned K) {
    Value &Entry = Values[K];
    if (!Entry.Merged)
      return K;
    // Perform path compression as we go: point this node straight at the
    // representative found for its parent.
    Entry.Parent = representative(Entry.Parent);
    return Entry.Parent;
  }
};
11846
11847 /// An object for which we can track unsequenced uses.
11848 using Object = const NamedDecl *;
11849
11850 /// Different flavors of object usage which we track. We only track the
11851 /// least-sequenced usage of each kind.
enum UsageKind {
  /// A read of an object. Multiple unsequenced reads are OK.
  UK_Use,

  /// A modification of an object which is sequenced before the value
  /// computation of the expression, such as ++n in C++.
  UK_ModAsValue,

  /// A modification of an object which is not sequenced before the value
  /// computation of the expression, such as n++.
  UK_ModAsSideEffect,

  // Number of kinds above; used as the size of UsageInfo::Uses.
  UK_Count = UK_ModAsSideEffect + 1
};
11866
11867 /// Bundle together a sequencing region and the expression corresponding
11868 /// to a specific usage. One Usage is stored for each usage kind in UsageInfo.
struct Usage {
  // Expression responsible for the usage. Null means that no usage has been
  // recorded; addUsage and checkUsage both test for that.
  const Expr *UsageExpr = nullptr;
  // Sequencing region that was current when the usage was recorded.
  SequenceTree::Seq Seq;

  Usage() = default;
};
11875
struct UsageInfo {
  // One slot per UsageKind, indexed by the enumerator.
  Usage Uses[UK_Count];

  /// Have we issued a diagnostic for this object already?
  bool Diagnosed = false;

  // Declared here only; the definition is outside this part of the file.
  UsageInfo();
};
11884 using UsageInfoMap = llvm::SmallDenseMap<Object, UsageInfo, 16>;
11885
11886 Sema &SemaRef;
11887
11888 /// Sequenced regions within the expression.
11889 SequenceTree Tree;
11890
11891 /// Declaration modifications and references which we have seen.
11892 UsageInfoMap UsageMap;
11893
11894 /// The region we are currently within.
11895 SequenceTree::Seq Region;
11896
11897 /// Filled in with declarations which were modified as a side-effect
11898 /// (that is, post-increment operations).
11899 SmallVectorImpl<std::pair<Object, Usage>> *ModAsSideEffect = nullptr;
11900
11901 /// Expressions to check later. We defer checking these to reduce
11902 /// stack usage.
11903 SmallVectorImpl<const Expr *> &WorkList;
11904
11905 /// RAII object wrapping the visitation of a sequenced subexpression of an
11906 /// expression. At the end of this process, the side-effects of the evaluation
11907 /// become sequenced with respect to the value computation of the result, so
11908 /// we downgrade any UK_ModAsSideEffect within the evaluation to
11909 /// UK_ModAsValue.
struct SequencedSubexpression {
  SequencedSubexpression(SequenceChecker &Self)
      : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) {
    // While this object is alive, side-effect modifications recorded by the
    // checker are collected in the local list below.
    Self.ModAsSideEffect = &ModAsSideEffect;
  }

  ~SequencedSubexpression() {
    // Undo in reverse order of recording.
    for (const auto &[Obj, SavedUsage] : llvm::reverse(ModAsSideEffect)) {
      // Add a new usage with usage kind UK_ModAsValue, and then restore
      // the previous usage with UK_ModAsSideEffect (thus clearing it if
      // the previous one was empty).
      UsageInfo &Info = Self.UsageMap[Obj];
      Usage &SideEffectSlot = Info.Uses[UK_ModAsSideEffect];
      Self.addUsage(Obj, Info, SideEffectSlot.UsageExpr, UK_ModAsValue);
      SideEffectSlot = SavedUsage;
    }
    // Hand collection back to whichever list was active before.
    Self.ModAsSideEffect = OldModAsSideEffect;
  }

  SequenceChecker &Self;
  // Usages displaced by side-effect modifications made inside this scope.
  SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect;
  // The checker's collection list at the time this scope was entered.
  SmallVectorImpl<std::pair<Object, Usage>> *OldModAsSideEffect;
};
11933
11934 /// RAII object wrapping the visitation of a subexpression which we might
11935 /// choose to evaluate as a constant. If any subexpression is evaluated and
11936 /// found to be non-constant, this allows us to suppress the evaluation of
11937 /// the outer expression.
class EvaluationTracker {
public:
  // Becomes the checker's innermost tracker and remembers the one it replaces.
  EvaluationTracker(SequenceChecker &Self)
      : Self(Self), Prev(Self.EvalTracker) {
    Self.EvalTracker = this;
  }

  // Reinstates the previous tracker; a failed evaluation in this scope marks
  // the enclosing tracker as failed too.
  ~EvaluationTracker() {
    Self.EvalTracker = Prev;
    if (Prev && !EvalOK)
      Prev->EvalOK = false;
  }

  // Try to evaluate E as a boolean condition into Result. Returns false
  // without evaluating once an earlier evaluation has failed, or when E is
  // value-dependent.
  bool evaluate(const Expr *E, bool &Result) {
    if (!EvalOK)
      return false;
    if (E->isValueDependent())
      return false;
    Sema &Actions = Self.SemaRef;
    EvalOK = E->EvaluateAsBooleanCondition(
        Result, Actions.Context, Actions.isConstantEvaluatedContext());
    return EvalOK;
  }

private:
  SequenceChecker &Self;
  EvaluationTracker *Prev;
  bool EvalOK = true;
} *EvalTracker = nullptr;
11965
11966 /// Find the object which is produced by the specified expression,
11967 /// if any.
Object getObject(const Expr *E, bool Mod) const {
  // Each recognised expression kind is handled in its own branch; the kinds
  // are mutually exclusive, so a branch that finds nothing returns null.
  const Expr *Stripped = E->IgnoreParenCasts();

  if (const auto *UO = dyn_cast<UnaryOperator>(Stripped)) {
    // When looking for a modified object, a pre-increment or pre-decrement
    // designates the object of its operand.
    const bool IsPreIncDec =
        UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec;
    if (Mod && IsPreIncDec)
      return getObject(UO->getSubExpr(), Mod);
    return nullptr;
  }

  if (const auto *BO = dyn_cast<BinaryOperator>(Stripped)) {
    // A comma expression designates the object of its right operand.
    if (BO->getOpcode() == BO_Comma)
      return getObject(BO->getRHS(), Mod);
    // When looking for a modified object, an assignment designates the
    // object of its left operand.
    if (Mod && BO->isAssignmentOp())
      return getObject(BO->getLHS(), Mod);
    return nullptr;
  }

  if (const auto *ME = dyn_cast<MemberExpr>(Stripped)) {
    // Only members accessed through 'this' are tracked.
    // FIXME: Check for more interesting cases, like "x.n = ++x.n".
    if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts()))
      return ME->getMemberDecl();
    return nullptr;
  }

  if (const auto *DRE = dyn_cast<DeclRefExpr>(Stripped))
    // FIXME: If this is a reference, map through to its value.
    return DRE->getDecl();

  return nullptr;
}
11987
11988 /// Note that an object \p O was modified or used by an expression
11989 /// \p UsageExpr with usage kind \p UK. \p UI is the \p UsageInfo for
11990 /// the object \p O as obtained via the \p UsageMap.
void addUsage(Object O, UsageInfo &UI, const Expr *UsageExpr, UsageKind UK) {
  // Slot holding the usage currently recorded for this object and kind.
  Usage &Slot = UI.Uses[UK];

  // Keep the recorded usage when there is one and it is unsequenced with the
  // current region.
  if (Slot.UsageExpr && Tree.isUnsequenced(Region, Slot.Seq))
    return;

  // If we have a modification as side effect and are in a sequenced
  // subexpression, save the old Usage so that we can restore it later
  // in SequencedSubexpression::~SequencedSubexpression.
  const bool SaveForRestore = UK == UK_ModAsSideEffect && ModAsSideEffect;
  if (SaveForRestore)
    ModAsSideEffect->push_back(std::make_pair(O, Slot));

  // Then record the new usage with the current sequencing region.
  Slot.UsageExpr = UsageExpr;
  Slot.Seq = Region;
}
12005
12006 /// Check whether a modification or use of an object \p O in an expression
12007 /// \p UsageExpr conflicts with a prior usage of kind \p OtherKind. \p UI is
12008 /// the \p UsageInfo for the object \p O as obtained via the \p UsageMap.
12009 /// \p IsModMod is true when we are checking for a mod-mod unsequenced
12010 /// usage and false we are checking for a mod-use unsequenced usage.
void checkUsage(Object O, UsageInfo &UI, const Expr *UsageExpr,
                UsageKind OtherKind, bool IsModMod) {
  // At most one diagnostic is issued per object.
  if (UI.Diagnosed)
    return;

  // Nothing to report unless a prior usage of the other kind exists and is
  // unsequenced with the current region.
  const Usage &Prior = UI.Uses[OtherKind];
  if (!Prior.UsageExpr || !Tree.isUnsequenced(Region, Prior.Seq))
    return;

  // The diagnostic is anchored at the modification. When the prior usage is a
  // plain use, the modification is the expression being checked now;
  // otherwise it is the prior usage.
  const bool PriorIsUse = OtherKind == UK_Use;
  const Expr *Mod = PriorIsUse ? UsageExpr : Prior.UsageExpr;
  const Expr *ModOrUse = PriorIsUse ? Prior.UsageExpr : UsageExpr;

  const unsigned DiagID = IsModMod ? diag::warn_unsequenced_mod_mod
                                   : diag::warn_unsequenced_mod_use;
  SemaRef.DiagRuntimeBehavior(
      Mod->getExprLoc(), {Mod, ModOrUse},
      SemaRef.PDiag(DiagID) << O << SourceRange(ModOrUse->getExprLoc()));
  UI.Diagnosed = true;
}
12032
12033 // A note on note{Pre, Post}{Use, Mod}:
12034 //
12035 // (It helps to follow the algorithm with an expression such as
12036 // "((++k)++, k) = k" or "k = (k++, k++)". Both contain unsequenced
12037 // operations before C++17 and both are well-defined in C++17).
12038 //
12039 // When visiting a node which uses/modify an object we first call notePreUse
12040 // or notePreMod before visiting its sub-expression(s). At this point the
12041 // children of the current node have not yet been visited and so the eventual
12042 // uses/modifications resulting from the children of the current node have not
12043 // been recorded yet.
12044 //
12045 // We then visit the children of the current node. After that notePostUse or
12046 // notePostMod is called. These will 1) detect an unsequenced modification
12047 // as side effect (as in "k++ + k") and 2) add a new usage with the
12048 // appropriate usage kind.
12049 //
12050 // We also have to be careful that some operation sequences modification as
12051 // side effect as well (for example: || or ,). To account for this we wrap
12052 // the visitation of such a sub-expression (for example: the LHS of || or ,)
12053 // with SequencedSubexpression. SequencedSubexpression is an RAII object
12054 // which record usages which are modifications as side effect, and then
12055 // downgrade them (or more accurately restore the previous usage which was a
12056 // modification as side effect) when exiting the scope of the sequenced
12057 // subexpression.
12058
void notePreUse(Object O, const Expr *UseExpr) {
  // Before the children are visited: a use conflicts with an earlier
  // modification whose kind is UK_ModAsValue.
  checkUsage(O, UsageMap[O], UseExpr, UK_ModAsValue, /*IsModMod=*/false);
}
12064
void notePostUse(Object O, const Expr *UseExpr) {
  // After the children are visited: check against side-effect modifications,
  // then record this use.
  UsageInfo &Info = UsageMap[O];
  checkUsage(O, Info, UseExpr, UK_ModAsSideEffect, /*IsModMod=*/false);
  addUsage(O, Info, UseExpr, UK_Use);
}
12071
void notePreMod(Object O, const Expr *ModExpr) {
  // Before the children are visited: a modification conflicts both with an
  // earlier UK_ModAsValue modification and with an earlier use.
  UsageInfo &Info = UsageMap[O];
  checkUsage(O, Info, ModExpr, UK_ModAsValue, /*IsModMod=*/true);
  checkUsage(O, Info, ModExpr, UK_Use, /*IsModMod=*/false);
}
12078
void notePostMod(Object O, const Expr *ModExpr, UsageKind UK) {
  // After the children are visited: check against side-effect modifications,
  // then record this modification under the kind the caller chose.
  UsageInfo &Info = UsageMap[O];
  checkUsage(O, Info, ModExpr, UK_ModAsSideEffect, /*IsModMod=*/true);
  addUsage(O, Info, ModExpr, UK);
}
12085
12086 public:
SequenceChecker(Sema &S, const Expr *E,
                SmallVectorImpl<const Expr *> &WorkList)
    : Base(S.Context), SemaRef(S), Region(Tree.root()), WorkList(WorkList) {
  // The whole check runs during construction, starting in the root region.
  Visit(E);
  // Silence a -Wunused-private-field since WorkList is now unused.
  // TODO: Evaluate if it can be used, and if not remove it.
  static_cast<void>(this->WorkList);
}
12095
void VisitStmt(const Stmt *S) {
  // Deliberately empty: statements which aren't expressions are skipped for
  // now, so the visit stops here.
  (void)S;
}
12099
void VisitExpr(const Expr *E) {
  // Default for expressions: let the base visitor recurse into the evaluated
  // subexpressions. The base-class VisitStmt is named explicitly because this
  // class's own VisitStmt does nothing.
  this->Base::VisitStmt(E);
}
12104
/// Visit the expression children of a coroutine suspend expression, except
/// its operand.
void VisitCoroutineSuspendExpr(const CoroutineSuspendExpr *CSE) {
  for (auto *Child : CSE->children()) {
    const Expr *ChildExpr = dyn_cast_or_null<Expr>(Child);

    // Null or non-expression children are skipped. The operand is skipped as
    // well: it is also a subexpression of getCommonExpr(), and recursing into
    // it directly could confuse object management for the sake of sequence
    // tracking.
    if (!ChildExpr || ChildExpr == CSE->getOperand())
      continue;

    Visit(Child);
  }
}
12121
/// An lvalue-to-rvalue conversion is a read of the converted object: bracket
/// the visit of the cast with the pre-/post-use notifications. Every other
/// cast kind is visited like a plain expression.
void VisitCastExpr(const CastExpr *E) {
  Object Loaded = Object();
  if (E->getCastKind() == CK_LValueToRValue)
    Loaded = getObject(E->getSubExpr(), /*Mod=*/false);

  // No tracked object behind the cast: nothing to note.
  if (!Loaded) {
    VisitExpr(E);
    return;
  }

  notePreUse(Loaded, E);
  VisitExpr(E);
  notePostUse(Loaded, E);
}
12133
/// Visit two expressions where \p SequencedBefore is sequenced before
/// \p SequencedAfter. Each gets its own child region of the current region;
/// both are merged back once the pair has been visited.
void VisitSequencedExpressions(const Expr *SequencedBefore,
                               const Expr *SequencedAfter) {
  const SequenceTree::Seq FirstRegion = Tree.allocate(Region);
  const SequenceTree::Seq SecondRegion = Tree.allocate(Region);
  const SequenceTree::Seq SavedRegion = Region;

  {
    // The guard's scope must end before the second expression is visited.
    SequencedSubexpression Guard(*this);
    Region = FirstRegion;
    Visit(SequencedBefore);
  }

  Region = SecondRegion;
  Visit(SequencedAfter);

  // Restore the enclosing region, then fold both children back into it.
  Region = SavedRegion;
  Tree.merge(FirstRegion);
  Tree.merge(SecondRegion);
}
12154
/// Visit both operands of a built-in subscript, treating them as sequenced
/// only from C++17 on.
void VisitArraySubscriptExpr(const ArraySubscriptExpr *ASE) {
  // Before C++17 the two operands are visited without any sequencing.
  if (!SemaRef.getLangOpts().CPlusPlus17) {
    Visit(ASE->getLHS());
    Visit(ASE->getRHS());
    return;
  }

  // C++17 [expr.sub]p1:
  //   The expression E1[E2] is identical (by definition) to *((E1)+(E2)). The
  //   expression E1 is sequenced before the expression E2.
  VisitSequencedExpressions(ASE->getLHS(), ASE->getRHS());
}
12166
/// Forwards to the shared pointer-to-member visitor.
void VisitBinPtrMemD(const BinaryOperator *BO) {
  VisitBinPtrMem(BO);
}
/// Forwards to the shared pointer-to-member visitor.
void VisitBinPtrMemI(const BinaryOperator *BO) {
  VisitBinPtrMem(BO);
}
/// Visit both operands of a pointer-to-member operator, treating them as
/// sequenced only from C++17 on.
void VisitBinPtrMem(const BinaryOperator *BO) {
  // Before C++17 the two operands are visited without any sequencing.
  if (!SemaRef.getLangOpts().CPlusPlus17) {
    Visit(BO->getLHS());
    Visit(BO->getRHS());
    return;
  }

  // C++17 [expr.mptr.oper]p4:
  //   Abbreviating pm-expression.*cast-expression as E1.*E2, [...]
  //   the expression E1 is sequenced before the expression E2.
  VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
}
12180
/// Forwards to the shared shift visitor.
void VisitBinShl(const BinaryOperator *BO) {
  VisitBinShlShr(BO);
}
/// Forwards to the shared shift visitor.
void VisitBinShr(const BinaryOperator *BO) {
  VisitBinShlShr(BO);
}
/// Visit both operands of a shift, treating them as sequenced only from
/// C++17 on.
void VisitBinShlShr(const BinaryOperator *BO) {
  // Before C++17 the two operands are visited without any sequencing.
  if (!SemaRef.getLangOpts().CPlusPlus17) {
    Visit(BO->getLHS());
    Visit(BO->getRHS());
    return;
  }

  // C++17 [expr.shift]p4:
  //   The expression E1 is sequenced before the expression E2.
  VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
}
12193
/// The comma operator always sequences its left operand before its right one.
void VisitBinComma(const BinaryOperator *BO) {
  // C++11 [expr.comma]p1:
  //   Every value computation and side effect associated with the left
  //   expression is sequenced before every value computation and side
  //   effect associated with the right expression.
  const Expr *Left = BO->getLHS();
  const Expr *Right = BO->getRHS();
  VisitSequencedExpressions(Left, Right);
}
12201
/// Track an assignment (simple or compound): the assigned-to object, if one
/// is found, is checked before the operands are visited and recorded as
/// modified afterwards. From C++17 on the right operand is visited in a
/// region sequenced before the left one; otherwise both share the current
/// region.
void VisitBinAssign(const BinaryOperator *BO) {
  const bool IsCXX17 = SemaRef.getLangOpts().CPlusPlus17;

  // Dedicated child regions exist only when the operands are sequenced;
  // the RHS region is allocated first.
  const SequenceTree::Seq RHSRegion = IsCXX17 ? Tree.allocate(Region) : Region;
  const SequenceTree::Seq LHSRegion = IsCXX17 ? Tree.allocate(Region) : Region;
  const SequenceTree::Seq SavedRegion = Region;

  // C++11 [expr.ass]p1:
  //   [...] the assignment is sequenced after the value computation
  //   of the right and left operands, [...]
  //
  // so check it before inspecting the operands and update the
  // map afterwards.
  Object Target = getObject(BO->getLHS(), /*Mod=*/true);
  if (Target)
    notePreMod(Target, BO);

  // A compound assignment also reads the object it modifies.
  const bool ReadsTarget = Target && isa<CompoundAssignOperator>(BO);

  if (IsCXX17) {
    // C++17 [expr.ass]p1:
    //   [...] The right operand is sequenced before the left operand. [...]
    {
      SequencedSubexpression SeqBefore(*this);
      Region = RHSRegion;
      Visit(BO->getRHS());
    }

    Region = LHSRegion;
    Visit(BO->getLHS());

    if (ReadsTarget)
      notePostUse(Target, BO);
  } else {
    // C++11 does not specify any sequencing between the LHS and RHS.
    Region = LHSRegion;
    Visit(BO->getLHS());

    if (ReadsTarget)
      notePostUse(Target, BO);

    Region = RHSRegion;
    Visit(BO->getRHS());
  }

  // C++11 [expr.ass]p1:
  //   the assignment is sequenced [...] before the value computation of the
  //   assignment expression.
  // C11 6.5.16/3 has no such rule.
  Region = SavedRegion;
  if (Target) {
    const UsageKind ModKind = SemaRef.getLangOpts().CPlusPlus
                                  ? UK_ModAsValue
                                  : UK_ModAsSideEffect;
    notePostMod(Target, BO, ModKind);
  }

  if (IsCXX17) {
    Tree.merge(RHSRegion);
    Tree.merge(LHSRegion);
  }
}
12265
/// Compound assignments share the assignment handling; VisitBinAssign itself
/// tests for CompoundAssignOperator to note the extra read.
void VisitCompoundAssignOperator(const CompoundAssignOperator *CAO) {
  const BinaryOperator *Assign = CAO;
  VisitBinAssign(Assign);
}
12269
/// Forwards to the shared pre-increment/decrement visitor.
void VisitUnaryPreInc(const UnaryOperator *UO) {
  VisitUnaryPreIncDec(UO);
}
/// Forwards to the shared pre-increment/decrement visitor.
void VisitUnaryPreDec(const UnaryOperator *UO) {
  VisitUnaryPreIncDec(UO);
}
/// Track a prefix ++/--: the operand object is checked before the operand is
/// visited and recorded as modified afterwards. In C++ the modification is
/// recorded as UK_ModAsValue, otherwise as UK_ModAsSideEffect.
void VisitUnaryPreIncDec(const UnaryOperator *UO) {
  Object Target = getObject(UO->getSubExpr(), /*Mod=*/true);
  if (!Target) {
    // No tracked object: treat it like any other expression.
    VisitExpr(UO);
    return;
  }

  notePreMod(Target, UO);
  Visit(UO->getSubExpr());

  // C++11 [expr.pre.incr]p1:
  //   the expression ++x is equivalent to x+=1
  const UsageKind ModKind = SemaRef.getLangOpts().CPlusPlus
                                ? UK_ModAsValue
                                : UK_ModAsSideEffect;
  notePostMod(Target, UO, ModKind);
}
12285
/// Forwards to the shared post-increment/decrement visitor.
void VisitUnaryPostInc(const UnaryOperator *UO) {
  VisitUnaryPostIncDec(UO);
}
/// Forwards to the shared post-increment/decrement visitor.
void VisitUnaryPostDec(const UnaryOperator *UO) {
  VisitUnaryPostIncDec(UO);
}
/// Track a postfix ++/--: same bracketing as the prefix form, but the
/// modification is always recorded as UK_ModAsSideEffect.
void VisitUnaryPostIncDec(const UnaryOperator *UO) {
  Object Target = getObject(UO->getSubExpr(), /*Mod=*/true);
  if (!Target) {
    // No tracked object: treat it like any other expression.
    VisitExpr(UO);
    return;
  }

  notePreMod(Target, UO);
  Visit(UO->getSubExpr());
  notePostMod(Target, UO, UK_ModAsSideEffect);
}
12297
/// Visit a logical OR: the left operand is sequenced before the right one,
/// and the right one is skipped when the left is known to evaluate to true.
void VisitBinLOr(const BinaryOperator *BO) {
  // C++11 [expr.log.or]p2:
  //   If the second expression is evaluated, every value computation and
  //   side effect associated with the first expression is sequenced before
  //   every value computation and side effect associated with the
  //   second expression.
  const SequenceTree::Seq LeftRegion = Tree.allocate(Region);
  const SequenceTree::Seq RightRegion = Tree.allocate(Region);
  const SequenceTree::Seq SavedRegion = Region;

  EvaluationTracker Eval(*this);
  {
    SequencedSubexpression Sequenced(*this);
    Region = LeftRegion;
    Visit(BO->getLHS());
  }

  // C++11 [expr.log.or]p1:
  //   [...] the second operand is not evaluated if the first operand
  //   evaluates to true.
  bool LeftValue = false;
  const bool LeftKnown = Eval.evaluate(BO->getLHS(), LeftValue);

  // Skip the right operand only when the left is known to be true.
  if (!(LeftKnown && LeftValue)) {
    Region = RightRegion;
    Visit(BO->getRHS());
  }

  Region = SavedRegion;
  Tree.merge(LeftRegion);
  Tree.merge(RightRegion);
}
12330
/// Visit a logical AND: the left operand is sequenced before the right one,
/// and the right one is skipped when the left is known to evaluate to false.
void VisitBinLAnd(const BinaryOperator *BO) {
  // C++11 [expr.log.and]p2:
  //   If the second expression is evaluated, every value computation and
  //   side effect associated with the first expression is sequenced before
  //   every value computation and side effect associated with the
  //   second expression.
  const SequenceTree::Seq LeftRegion = Tree.allocate(Region);
  const SequenceTree::Seq RightRegion = Tree.allocate(Region);
  const SequenceTree::Seq SavedRegion = Region;

  EvaluationTracker Eval(*this);
  {
    SequencedSubexpression Sequenced(*this);
    Region = LeftRegion;
    Visit(BO->getLHS());
  }

  // C++11 [expr.log.and]p1:
  //   [...] the second operand is not evaluated if the first operand is false.
  bool LeftValue = false;
  const bool LeftKnown = Eval.evaluate(BO->getLHS(), LeftValue);

  // Skip the right operand only when the left is known to be false.
  if (!LeftKnown || LeftValue) {
    Region = RightRegion;
    Visit(BO->getRHS());
  }

  Region = SavedRegion;
  Tree.merge(LeftRegion);
  Tree.merge(RightRegion);
}
12362
/// Visit a conditional operator: the condition is sequenced before the
/// selected branch, and a branch is skipped when the condition is known to
/// select the other one.
void VisitAbstractConditionalOperator(const AbstractConditionalOperator *CO) {
  // C++11 [expr.cond]p1:
  //   [...] Every value computation and side effect associated with the first
  //   expression is sequenced before every value computation and side effect
  //   associated with the second or third expression.
  const SequenceTree::Seq CondRegion = Tree.allocate(Region);

  // No sequencing is specified between the true and false expression.
  // However, since exactly one of the two is going to be evaluated we can
  // consider them to be sequenced. This is needed to avoid warning on
  // something like "x ? y+= 1 : y += 2;" in the case where we will visit
  // both the true and false expressions because we can't evaluate x.
  // This will still allow us to detect an expression like (pre C++17)
  // "(x ? y += 1 : y += 2) = y".
  //
  // We don't wrap the visitation of the true and false expression with
  // SequencedSubexpression because we don't want to downgrade modifications
  // as side effect in the true and false expressions after the visitation
  // is done. (For example in the expression "(x ? y++ : y++) + y" we should
  // not warn between the two "y++", but we should warn between the "y++"
  // and the "y".)
  const SequenceTree::Seq TrueRegion = Tree.allocate(Region);
  const SequenceTree::Seq FalseRegion = Tree.allocate(Region);
  const SequenceTree::Seq SavedRegion = Region;

  EvaluationTracker Eval(*this);
  {
    SequencedSubexpression Sequenced(*this);
    Region = CondRegion;
    Visit(CO->getCond());
  }

  // C++11 [expr.cond]p1:
  // [...] The first expression is contextually converted to bool (Clause 4).
  // It is evaluated and if it is true, the result of the conditional
  // expression is the value of the second expression, otherwise that of the
  // third expression. Only one of the second and third expressions is
  // evaluated. [...]
  bool CondValue = false;
  const bool CondKnown = Eval.evaluate(CO->getCond(), CondValue);

  // With an unknown condition both branches are visited.
  if (!CondKnown || CondValue) {
    Region = TrueRegion;
    Visit(CO->getTrueExpr());
  }
  if (!CondKnown || !CondValue) {
    Region = FalseRegion;
    Visit(CO->getFalseExpr());
  }

  Region = SavedRegion;
  Tree.merge(CondRegion);
  Tree.merge(TrueRegion);
  Tree.merge(FalseRegion);
}
12419
/// Visit a call: callee first, then the arguments, all sequenced before the
/// call's result. From C++17 on the callee additionally gets its own region,
/// sequenced before the arguments. Unevaluated builtin calls are skipped.
void VisitCallExpr(const CallExpr *CE) {
  // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions.

  if (CE->isUnevaluatedBuiltinCall(Context))
    return;

  // C++11 [intro.execution]p15:
  //   When calling a function [...], every value computation and side effect
  //   associated with any argument expression, or with the postfix expression
  //   designating the called function, is sequenced before execution of every
  //   expression or statement in the body of the function [and thus before
  //   the value computation of its result].
  SequencedSubexpression Sequenced(*this);

  // The visit runs through runWithSufficientStackSpace, as in the original.
  SemaRef.runWithSufficientStackSpace(CE->getExprLoc(), [&] {
    const bool IsCXX17 = SemaRef.getLangOpts().CPlusPlus17;

    // C++17 [expr.call]p5
    //   The postfix-expression is sequenced before each expression in the
    //   expression-list and any default argument. [...]
    const SequenceTree::Seq CalleeRegion =
        IsCXX17 ? Tree.allocate(Region) : Region;
    const SequenceTree::Seq ArgsRegion =
        IsCXX17 ? Tree.allocate(Region) : Region;
    const SequenceTree::Seq SavedRegion = Region;

    // Visit the callee expression first.
    Region = CalleeRegion;
    if (IsCXX17) {
      SequencedSubexpression CalleeSequenced(*this);
      Visit(CE->getCallee());
    } else {
      Visit(CE->getCallee());
    }

    // Then visit the argument expressions.
    Region = ArgsRegion;
    for (const Expr *Argument : CE->arguments())
      Visit(Argument);

    Region = SavedRegion;
    if (IsCXX17) {
      Tree.merge(CalleeRegion);
      Tree.merge(ArgsRegion);
    }
  });
}
12469
/// Visit an overloaded operator call. From C++17 on, overloaded binary
/// operators and the overloaded call operator follow the operand sequencing
/// of the corresponding built-in operator; every other case is handled as a
/// plain call.
void VisitCXXOperatorCallExpr(const CXXOperatorCallExpr *CXXOCE) {
  // C++17 [over.match.oper]p2:
  //   [...] the operator notation is first transformed to the equivalent
  //   function-call notation as summarized in Table 12 (where @ denotes one
  //   of the operators covered in the specified subclause). However, the
  //   operands are sequenced in the order prescribed for the built-in
  //   operator (Clause 8).
  //
  // From the above only overloaded binary operators and overloaded call
  // operators have sequencing rules in C++17 that we need to handle
  // separately.
  if (!SemaRef.getLangOpts().CPlusPlus17 ||
      (CXXOCE->getNumArgs() != 2 && CXXOCE->getOperator() != OO_Call)) {
    VisitCallExpr(CXXOCE);
    return;
  }

  enum {
    NoSequencing,
    LHSBeforeRHS,
    RHSBeforeLHS,
    LHSBeforeRest
  } SequencingKind;

  switch (CXXOCE->getOperator()) {
  // Assignment forms: right operand first.
  case OO_Equal:
  case OO_PlusEqual:
  case OO_MinusEqual:
  case OO_StarEqual:
  case OO_SlashEqual:
  case OO_PercentEqual:
  case OO_CaretEqual:
  case OO_AmpEqual:
  case OO_PipeEqual:
  case OO_LessLessEqual:
  case OO_GreaterGreaterEqual:
    SequencingKind = RHSBeforeLHS;
    break;

  // Left operand first.
  case OO_LessLess:
  case OO_GreaterGreater:
  case OO_AmpAmp:
  case OO_PipePipe:
  case OO_Comma:
  case OO_ArrowStar:
  case OO_Subscript:
    SequencingKind = LHSBeforeRHS;
    break;

  // Postfix-expression before the whole argument list.
  case OO_Call:
    SequencingKind = LHSBeforeRest;
    break;

  default:
    SequencingKind = NoSequencing;
    break;
  }

  if (SequencingKind == NoSequencing) {
    VisitCallExpr(CXXOCE);
    return;
  }

  // This is a call, so all subexpressions are sequenced before the result.
  SequencedSubexpression Sequenced(*this);

  SemaRef.runWithSufficientStackSpace(CXXOCE->getExprLoc(), [&] {
    assert(SemaRef.getLangOpts().CPlusPlus17 &&
           "Should only get there with C++17 and above!");
    assert((CXXOCE->getNumArgs() == 2 || CXXOCE->getOperator() == OO_Call) &&
           "Should only get there with an overloaded binary operator"
           " or an overloaded call operator!");

    if (SequencingKind != LHSBeforeRest) {
      assert(CXXOCE->getNumArgs() == 2 &&
             "Should only have two arguments here!");
      assert((SequencingKind == LHSBeforeRHS ||
              SequencingKind == RHSBeforeLHS) &&
             "Unexpected sequencing kind!");

      // We do not visit the callee expression since it is just a decayed
      // reference to a function.
      const Expr *First = CXXOCE->getArg(0);
      const Expr *Second = CXXOCE->getArg(1);
      if (SequencingKind == RHSBeforeLHS)
        std::swap(First, Second);

      VisitSequencedExpressions(First, Second);
      return;
    }

    assert(CXXOCE->getOperator() == OO_Call &&
           "We should only have an overloaded call operator here!");

    // This is very similar to VisitCallExpr, except that we only have the
    // C++17 case. The postfix-expression is the first argument of the
    // CXXOperatorCallExpr. The expressions in the expression-list, if any,
    // are in the following arguments.
    //
    // Note that we intentionally do not visit the callee expression since
    // it is just a decayed reference to a function.
    const SequenceTree::Seq PostfixExprRegion = Tree.allocate(Region);
    const SequenceTree::Seq ArgsRegion = Tree.allocate(Region);
    const SequenceTree::Seq SavedRegion = Region;

    assert(CXXOCE->getNumArgs() >= 1 &&
           "An overloaded call operator must have at least one argument"
           " for the postfix-expression!");
    const Expr *PostfixExpr = CXXOCE->getArgs()[0];
    llvm::ArrayRef<const Expr *> Args(CXXOCE->getArgs() + 1,
                                      CXXOCE->getNumArgs() - 1);

    // Visit the postfix-expression first.
    {
      Region = PostfixExprRegion;
      SequencedSubexpression PostfixSequenced(*this);
      Visit(PostfixExpr);
    }

    // Then visit the argument expressions.
    Region = ArgsRegion;
    for (const Expr *Arg : Args)
      Visit(Arg);

    Region = SavedRegion;
    Tree.merge(PostfixExprRegion);
    Tree.merge(ArgsRegion);
  });
}
12593
/// Visit a constructor call. The arguments of a list-initialization are
/// visited in order as sequenced expressions; any other construction is
/// visited like a plain expression.
void VisitCXXConstructExpr(const CXXConstructExpr *CCE) {
  // This is a call, so all subexpressions are sequenced before the result.
  SequencedSubexpression Sequenced(*this);

  if (CCE->isListInitialization()) {
    // In C++11, list initializations are sequenced.
    SequenceExpressionsInOrder(
        llvm::ArrayRef(CCE->getArgs(), CCE->getNumArgs()));
    return;
  }

  VisitExpr(CCE);
}
12605
/// Visit an initializer list: its initializers are visited in order as
/// sequenced expressions when the language is C++11 or later, and like a
/// plain expression otherwise.
void VisitInitListExpr(const InitListExpr *ILE) {
  if (SemaRef.getLangOpts().CPlusPlus11) {
    // In C++11, list initializations are sequenced.
    SequenceExpressionsInOrder(ILE->inits());
    return;
  }

  VisitExpr(ILE);
}
12613
/// Visit a parenthesized list initialization; its initializers are visited
/// in order as sequenced expressions.
void VisitCXXParenListInitExpr(const CXXParenListInitExpr *PLIE) {
  // C++20 parenthesized list initializations are sequenced. See C++20
  // [decl.init.general]p16.5 and [decl.init.general]p16.6.2.2.
  const auto Inits = PLIE->getInitExprs();
  SequenceExpressionsInOrder(Inits);
}
12619
12620 private:
/// Visit each non-null expression of \p ExpressionList in its own freshly
/// allocated child of the current region, then restore the region and merge
/// all the children back in allocation order.
void SequenceExpressionsInOrder(ArrayRef<const Expr *> ExpressionList) {
  SmallVector<SequenceTree::Seq, 32> ChildRegions;
  const SequenceTree::Seq Parent = Region;

  for (const Expr *E : ExpressionList) {
    // Null entries are skipped without allocating a region.
    if (E == nullptr)
      continue;
    Region = Tree.allocate(Parent);
    ChildRegions.push_back(Region);
    Visit(E);
  }

  // Forget that the initializers are sequenced.
  Region = Parent;
  for (const SequenceTree::Seq &Child : ChildRegions)
    Tree.merge(Child);
}
12637 };
12638
// Out-of-line defaulted default constructor of the nested UsageInfo type.
SequenceChecker::UsageInfo::UsageInfo() = default;
12640
12641 } // namespace
12642
/// Run the sequence checker over \p E and over anything queued on the work
/// list while doing so. Each SequenceChecker temporary performs its analysis
/// in its constructor.
void Sema::CheckUnsequencedOperations(const Expr *E) {
  SmallVector<const Expr *, 8> Pending;
  Pending.push_back(E);

  // The list starts with one entry, so the first pop is always valid.
  do {
    const Expr *Next = Pending.pop_back_val();
    SequenceChecker(*this, Next, Pending);
  } while (!Pending.empty());
}
12651
/// Run the checks that apply to a completed expression: implicit
/// conversions, unsequenced operations (skipped for instantiation-dependent
/// expressions), integer overflow (skipped for constexpr contexts and
/// value-dependent expressions), and misaligned members.
void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc,
                              bool IsConstexpr) {
  // The override is restored when this scope ends.
  const bool InConstantContext = IsConstexpr || isa<ConstantExpr>(E);
  llvm::SaveAndRestore OverrideGuard(isConstantEvaluatedOverride,
                                     InConstantContext);

  CheckImplicitConversions(E, CheckLoc);

  if (!E->isInstantiationDependent())
    CheckUnsequencedOperations(E);

  if (!(IsConstexpr || E->isValueDependent()))
    CheckForIntOverflow(E);

  DiagnoseMisalignedMembers();
}
12663
/// Analyze the initialization of \p BitField with \p Init at \p InitLoc.
/// The result of AnalyzeBitFieldAssignment is deliberately discarded.
void Sema::CheckBitFieldInitialization(SourceLocation InitLoc,
                                       FieldDecl *BitField, Expr *Init) {
  static_cast<void>(AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc));
}
12669
/// Emit err_array_star_in_function_definition at \p Loc if \p PType contains
/// an array with the [*] size modifier. The walk peels pointer, reference and
/// parenthesized types and descends through array element types, stopping as
/// soon as the remaining type is not variably modified.
static void diagnoseArrayStarInParamType(Sema &S, QualType PType,
                                         SourceLocation Loc) {
  QualType Current = PType;

  while (Current->isVariablyModifiedType()) {
    if (const auto *PointerTy = dyn_cast<PointerType>(Current)) {
      Current = PointerTy->getPointeeType();
      continue;
    }
    if (const auto *ReferenceTy = dyn_cast<ReferenceType>(Current)) {
      Current = ReferenceTy->getPointeeType();
      continue;
    }
    if (const auto *ParenTy = dyn_cast<ParenType>(Current)) {
      Current = ParenTy->getInnerType();
      continue;
    }

    const ArrayType *AT = S.Context.getAsArrayType(Current);
    if (!AT)
      return;

    if (AT->getSizeModifier() == ArraySizeModifier::Star) {
      S.Diag(Loc, diag::err_array_star_in_function_definition);
      return;
    }

    // Not a [*] array itself; keep looking in the element type.
    Current = AT->getElementType();
  }
}
12698
/// Check the parameters of a function definition.
///
/// \param Parameters the parameter declarations; none may be null.
/// \param CheckParameterNames whether unnamed parameters are diagnosed
///        (only applies outside C++).
/// \returns true if at least one parameter was marked invalid by this call.
bool Sema::CheckParmsForFunctionDef(ArrayRef<ParmVarDecl *> Parameters,
                                    bool CheckParameterNames) {
  bool AnyInvalid = false;

  for (ParmVarDecl *Param : Parameters) {
    assert(Param && "null in a parameter list");
    const SourceLocation ParamLoc = Param->getLocation();

    // C99 6.7.5.3p4: the parameters in a parameter type list in a
    // function declarator that is part of a function definition of
    // that function shall not have incomplete type.
    //
    // C++23 [dcl.fct.def.general]/p2
    // The type of a parameter [...] for a function definition
    // shall not be a (possibly cv-qualified) class type that is incomplete
    // or abstract within the function body unless the function is deleted.
    if (!Param->isInvalidDecl() &&
        (RequireCompleteType(ParamLoc, Param->getType(),
                             diag::err_typecheck_decl_incomplete_type) ||
         RequireNonAbstractType(Param->getBeginLoc(), Param->getOriginalType(),
                                diag::err_abstract_type_in_decl,
                                AbstractParamType))) {
      Param->setInvalidDecl();
      AnyInvalid = true;
    }

    // C99 6.9.1p5: If the declarator includes a parameter type list, the
    // declaration of each parameter shall include an identifier.
    const bool NameOmitted = CheckParameterNames && !Param->getIdentifier() &&
                             !Param->isImplicit() && !getLangOpts().CPlusPlus;
    // Diagnose this as an extension in C17 and earlier.
    if (NameOmitted && !getLangOpts().C23)
      Diag(ParamLoc, diag::ext_parameter_name_omitted_c23);

    // C99 6.7.5.3p12:
    //   If the function declarator is not part of a definition of that
    //   function, parameters may have incomplete type and may use the [*]
    //   notation in their sequences of declarator specifiers to specify
    //   variable length array types.
    // FIXME: This diagnostic should point the '[*]' if source-location
    // information is added for it.
    diagnoseArrayStarInParamType(*this, Param->getOriginalType(), ParamLoc);

    // If the parameter is a c++ class type and it has to be destructed in the
    // callee function, declare the destructor so that it can be called by the
    // callee function. Do not perform any direct access check on the dtor here.
    if (!Param->isInvalidDecl()) {
      CXXRecordDecl *ClassDecl = Param->getType()->getAsCXXRecordDecl();
      if (ClassDecl && !ClassDecl->isInvalidDecl() &&
          !ClassDecl->hasIrrelevantDestructor() &&
          !ClassDecl->isDependentContext() &&
          ClassDecl->isParamDestroyedInCallee()) {
        CXXDestructorDecl *Destructor = LookupDestructor(ClassDecl);
        MarkFunctionReferenced(ParamLoc, Destructor);
        DiagnoseUseOfDecl(Destructor, ParamLoc);
      }
    }

    // Parameters with the pass_object_size attribute only need to be marked
    // constant at function definitions. Because we lack information about
    // whether we're on a declaration or definition when we're instantiating the
    // attribute, we need to check for constness here.
    const auto *PassSizeAttr = Param->getAttr<PassObjectSizeAttr>();
    if (PassSizeAttr && !Param->getType().isConstQualified())
      Diag(ParamLoc, diag::err_attribute_pointers_only)
          << PassSizeAttr->getSpelling() << 1;

    // Check for parameter names shadowing fields from the class.
    if (LangOpts.CPlusPlus && !Param->isInvalidDecl()) {
      // The owning context for the parameter should be the function, but we
      // want to see if this function's declaration context is a record.
      DeclContext *DC = Param->getDeclContext();
      if (DC && DC->isFunctionOrMethod())
        if (auto *RD = dyn_cast<CXXRecordDecl>(DC->getParent()))
          CheckShadowInheritedFields(ParamLoc, Param->getDeclName(), RD,
                                     /*DeclIsField*/ false);
    }

    // A WebAssembly table type is rejected as a parameter type.
    if (!Param->isInvalidDecl() &&
        Param->getOriginalType()->isWebAssemblyTableType()) {
      Param->setInvalidDecl();
      AnyInvalid = true;
      Diag(ParamLoc, diag::err_wasm_table_as_function_parameter);
    }
  }

  return AnyInvalid;
}
12788
// Forward declaration: the lvalue and pointer helpers below call each other.
static std::optional<std::pair<CharUnits, CharUnits>>
getBaseAlignmentAndOffsetFromPtr(const Expr *E, ASTContext &Ctx);
12794
12795 /// Compute the alignment and offset of the base class object given the
12796 /// derived-to-base cast expression and the alignment and offset of the derived
12797 /// class object.
static std::pair<CharUnits, CharUnits>
getDerivedToBaseAlignmentAndOffset(const CastExpr *CE, QualType DerivedType,
                                   CharUnits BaseAlignment, CharUnits Offset,
                                   ASTContext &Ctx) {
  // Walk the cast path one base specifier at a time, updating the running
  // alignment/offset pair and the "current derived" type as we go.
  for (const CXXBaseSpecifier *Base : CE->path()) {
    const CXXRecordDecl *BaseDecl = Base->getType()->getAsCXXRecordDecl();

    if (!Base->isVirtual()) {
      // Non-virtual base: add its offset within the current derived class.
      const ASTRecordLayout &DerivedLayout =
          Ctx.getASTRecordLayout(DerivedType->getAsCXXRecordDecl());
      Offset += DerivedLayout.getBaseClassOffset(BaseDecl);
    } else {
      // The complete object may have a lower alignment than the non-virtual
      // alignment of the base, in which case the base may be misaligned. Choose
      // the smaller of the non-virtual alignment and BaseAlignment, which is a
      // conservative lower bound of the complete object alignment.
      const CharUnits NonVirtualAlignment =
          Ctx.getASTRecordLayout(BaseDecl).getNonVirtualAlignment();
      BaseAlignment = std::min(BaseAlignment, NonVirtualAlignment);
      Offset = CharUnits::Zero();
    }

    DerivedType = Base->getType();
  }

  return {BaseAlignment, Offset};
}
12825
12826 /// Compute the alignment and offset of a binary additive operator.
static std::optional<std::pair<CharUnits, CharUnits>>
getAlignmentAndOffsetFromBinAddOrSub(const Expr *PtrE, const Expr *IntE,
                                     bool IsSub, ASTContext &Ctx) {
  // Returns std::nullopt when the pointee has no constant size or when the
  // base alignment of the pointer operand cannot be determined.
  const QualType PointeeType = PtrE->getType()->getPointeeType();
  if (!PointeeType->isConstantSizeType())
    return std::nullopt;

  const auto Base = getBaseAlignmentAndOffsetFromPtr(PtrE, Ctx);
  if (!Base)
    return std::nullopt;

  const CharUnits EltSize = Ctx.getTypeSizeInChars(PointeeType);
  const std::optional<llvm::APSInt> Index = IntE->getIntegerConstantExpr(Ctx);

  if (!Index) {
    // If the integer expression isn't a constant expression, compute the lower
    // bound of the alignment using the alignment and offset of the pointer
    // expression and the element size.
    return std::make_pair(
        Base->first.alignmentAtOffset(Base->second).alignmentAtOffset(EltSize),
        CharUnits::Zero());
  }

  // Constant index: scale by the element size and apply the sign.
  // NOTE(review): neither getExtValue() nor the multiplication is
  // range-checked in this function; whether a very large constant index can
  // reach this point is not visible here - confirm against callers.
  const CharUnits Scaled = EltSize * Index->getExtValue();
  return std::make_pair(Base->first, Base->second + (IsSub ? -Scaled : Scaled));
}
12855
12856 /// This helper function takes an lvalue expression and returns the alignment of
12857 /// a VarDecl and a constant offset from the VarDecl.
static std::optional<std::pair<CharUnits, CharUnits>>
getBaseAlignmentAndOffsetFromLValue(const Expr *E, ASTContext &Ctx) {
  // Every expression form not handled below, and every handled form whose
  // sub-query fails, ends at the final std::nullopt.
  E = E->IgnoreParens();

  switch (E->getStmtClass()) {
  case Stmt::CStyleCastExprClass:
  case Stmt::CXXStaticCastExprClass:
  case Stmt::ImplicitCastExprClass: {
    const auto *CE = cast<CastExpr>(E);
    const Expr *From = CE->getSubExpr();
    const CastKind Kind = CE->getCastKind();

    // A no-op cast is transparent.
    if (Kind == CK_NoOp)
      return getBaseAlignmentAndOffsetFromLValue(From, Ctx);

    if (Kind == CK_UncheckedDerivedToBase || Kind == CK_DerivedToBase) {
      if (const auto Derived = getBaseAlignmentAndOffsetFromLValue(From, Ctx))
        return getDerivedToBaseAlignmentAndOffset(
            CE, From->getType(), Derived->first, Derived->second, Ctx);
    }
    break;
  }

  case Stmt::ArraySubscriptExprClass: {
    // base[idx] is treated as base + idx.
    const auto *ASE = cast<ArraySubscriptExpr>(E);
    return getAlignmentAndOffsetFromBinAddOrSub(ASE->getBase(), ASE->getIdx(),
                                                /*IsSub=*/false, Ctx);
  }

  case Stmt::DeclRefExprClass: {
    const auto *VD = dyn_cast<VarDecl>(cast<DeclRefExpr>(E)->getDecl());
    if (!VD)
      break;

    // FIXME: If VD is captured by copy or is an escaping __block variable,
    // use the alignment of VD's type.
    if (!VD->getType()->isReferenceType()) {
      // Dependent alignment cannot be resolved -> bail out.
      if (VD->hasDependentAlignment())
        break;
      return std::make_pair(Ctx.getDeclAlign(VD), CharUnits::Zero());
    }

    // A reference variable: look through to its initializer, if any.
    if (VD->hasInit())
      return getBaseAlignmentAndOffsetFromLValue(VD->getInit(), Ctx);
    break;
  }

  case Stmt::MemberExprClass: {
    const auto *ME = cast<MemberExpr>(E);
    const auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl());
    if (!FD || FD->getType()->isReferenceType() ||
        FD->getParent()->isInvalidDecl())
      break;

    // `p->f` starts from a pointer, `o.f` from an lvalue.
    const std::optional<std::pair<CharUnits, CharUnits>> BaseInfo =
        ME->isArrow() ? getBaseAlignmentAndOffsetFromPtr(ME->getBase(), Ctx)
                      : getBaseAlignmentAndOffsetFromLValue(ME->getBase(), Ctx);
    if (!BaseInfo)
      break;

    const ASTRecordLayout &Layout = Ctx.getASTRecordLayout(FD->getParent());
    const uint64_t FieldOffset = Layout.getFieldOffset(FD->getFieldIndex());
    return std::make_pair(BaseInfo->first,
                          BaseInfo->second +
                              CharUnits::fromQuantity(FieldOffset));
  }

  case Stmt::UnaryOperatorClass: {
    // Only a dereference is looked through.
    const auto *UO = cast<UnaryOperator>(E);
    if (UO->getOpcode() == UO_Deref)
      return getBaseAlignmentAndOffsetFromPtr(UO->getSubExpr(), Ctx);
    break;
  }

  case Stmt::BinaryOperatorClass: {
    // Only the comma operator is looked through, via its right operand.
    const auto *BO = cast<BinaryOperator>(E);
    if (BO->getOpcode() == BO_Comma)
      return getBaseAlignmentAndOffsetFromLValue(BO->getRHS(), Ctx);
    break;
  }

  default:
    break;
  }

  return std::nullopt;
}
12949
/// Walks a pointer-valued expression looking for the object it is derived
/// from. On success the result holds the alignment of that base object and
/// the constant offset of the pointer from it; std::nullopt means the
/// expression has a shape this helper does not follow (a plain reference to a
/// pointer variable, for instance, has no case below).
std::optional<std::pair<CharUnits, CharUnits>> static
getBaseAlignmentAndOffsetFromPtr(const Expr *E, ASTContext &Ctx) {
  E = E->IgnoreParens();
  switch (E->getStmtClass()) {
  case Stmt::CStyleCastExprClass:
  case Stmt::CXXStaticCastExprClass:
  case Stmt::ImplicitCastExprClass: {
    auto *CastE = cast<CastExpr>(E);
    const Expr *Operand = CastE->getSubExpr();
    const auto Kind = CastE->getCastKind();

    if (Kind == CK_NoOp)
      return getBaseAlignmentAndOffsetFromPtr(Operand, Ctx);

    // The operand of an array-to-pointer decay is an lvalue, so hand it to
    // the lvalue walker.
    if (Kind == CK_ArrayToPointerDecay)
      return getBaseAlignmentAndOffsetFromLValue(Operand, Ctx);

    if (Kind == CK_UncheckedDerivedToBase || Kind == CK_DerivedToBase) {
      if (auto Inner = getBaseAlignmentAndOffsetFromPtr(Operand, Ctx))
        return getDerivedToBaseAlignmentAndOffset(
            CastE, Operand->getType()->getPointeeType(), Inner->first,
            Inner->second, Ctx);
    }

    // Every other cast kind is left untraced.
    break;
  }

  case Stmt::CXXThisExprClass: {
    // 'this' is given the non-virtual alignment of its class, at offset zero.
    auto *ThisClass = E->getType()->getPointeeType()->getAsCXXRecordDecl();
    CharUnits ThisAlign =
        Ctx.getASTRecordLayout(ThisClass).getNonVirtualAlignment();
    return std::make_pair(ThisAlign, CharUnits::Zero());
  }

  case Stmt::UnaryOperatorClass: {
    auto *Unary = cast<UnaryOperator>(E);
    if (Unary->getOpcode() != UO_AddrOf)
      break;
    return getBaseAlignmentAndOffsetFromLValue(Unary->getSubExpr(), Ctx);
  }

  case Stmt::BinaryOperatorClass: {
    auto *Binary = cast<BinaryOperator>(E);
    const auto Opcode = Binary->getOpcode();

    // Only the right operand of a comma supplies the value.
    if (Opcode == BO_Comma)
      return getBaseAlignmentAndOffsetFromPtr(Binary->getRHS(), Ctx);

    if (Opcode == BO_Add || Opcode == BO_Sub) {
      const Expr *PtrSide = Binary->getLHS();
      const Expr *IntSide = Binary->getRHS();
      // Addition may be written 'int + ptr'; put the pointer operand first.
      if (Opcode == BO_Add &&
          !IntSide->getType()->isIntegralOrEnumerationType())
        std::swap(PtrSide, IntSide);
      return getAlignmentAndOffsetFromBinAddOrSub(PtrSide, IntSide,
                                                  Opcode == BO_Sub, Ctx);
    }
    break;
  }

  default:
    break;
  }
  return std::nullopt;
}
13017
/// Best-effort alignment of the object \p E points at. When the pointer can be
/// traced back to a base object the answer is that object's alignment adjusted
/// for the constant offset; otherwise the alignment of the pointee type is
/// taken on trust.
static CharUnits getPresumedAlignmentOfPointer(const Expr *E, Sema &S) {
  // Preferred answer: base object alignment combined with the known offset.
  if (auto BaseAndOffset = getBaseAlignmentAndOffsetFromPtr(E, S.Context))
    return BaseAndOffset->first.alignmentAtOffset(BaseAndOffset->second);

  // Nothing could be traced, so fall back to what the pointee type promises.
  return S.Context.getTypeAlignInChars(E->getType()->getPointeeType());
}
13029
/// Emits warn_cast_align when a pointer cast asks for more alignment than the
/// operand is presumed to have.
///
/// \param Op     the pointer expression being cast.
/// \param T      the destination type of the cast.
/// \param TRange source range of the destination type; its start is where the
///               warning is reported.
void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) {
  const SourceLocation WarnLoc = TRange.getBegin();

  // Tracing the operand's alignment is a lot of work to risk on every cast,
  // so stop right away when -Wcast-align is ignored (as is the default).
  if (getDiagnostics().isIgnored(diag::warn_cast_align, WarnLoc))
    return;

  const QualType OpType = Op->getType();

  // Dependent types are not checked.
  if (T->isDependentType() || OpType->isDependentType())
    return;

  // Only casts to a pointer type are of interest.
  const auto *ToPtr = T->getAs<PointerType>();
  if (!ToPtr)
    return;

  // A destination pointee that is incomplete, or that has alignment 1, can
  // never demand more than the source provides.
  const QualType ToPointee = ToPtr->getPointeeType();
  if (ToPointee->isIncompleteType())
    return;
  const CharUnits ToAlign = Context.getTypeAlignInChars(ToPointee);
  if (ToAlign.isOne())
    return;

  // The operand has to be a pointer as well.
  const auto *FromPtr = OpType->getAs<PointerType>();
  if (!FromPtr)
    return;

  // Casts from cv void* are explicitly allowed (casts to cv void* were already
  // let through by the alignment-1 test). The same holds for any incomplete
  // source pointee, which implicitly includes 'void'.
  if (FromPtr->getPointeeType()->isIncompleteType())
    return;

  const CharUnits FromAlign = getPresumedAlignmentOfPointer(Op, *this);
  if (FromAlign >= ToAlign)
    return;

  Diag(WarnLoc, diag::warn_cast_align)
      << OpType << T << static_cast<unsigned>(FromAlign.getQuantity())
      << static_cast<unsigned>(ToAlign.getQuantity()) << TRange
      << Op->getSourceRange();
}
13071
/// Checks one array subscript or pointer-arithmetic offset against the bounds
/// of the array it is applied to and reports out-of-range constant indices.
///
/// The check is static and best-effort: nothing is reported unless the index
/// folds to an integer constant, and nothing is reported in a
/// constant-evaluated context or for dependent types. A base that is not a
/// constant array, or that is flexible-array-member-like under the current
/// strict-flex-arrays level, is treated as unbounded: its declared size is not
/// compared, only whether the access still fits in the address space. A
/// negative index on such a base is not reported at all.
///
/// \param BaseExpr        the array or pointer operand.
/// \param IndexExpr       the index or offset operand.
/// \param ASE             the subscript expression being checked, or null when
///                        the access is pointer arithmetic; selects the
///                        wording of the diagnostic.
/// \param AllowOnePastEnd when true an index equal to the array size is
///                        accepted.
/// \param IndexNegated    when true the evaluated index is negated before the
///                        comparison.
void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
                            const ArraySubscriptExpr *ASE,
                            bool AllowOnePastEnd, bool IndexNegated) {
  // Already diagnosed by the constant evaluator.
  if (isConstantEvaluatedContext())
    return;

  IndexExpr = IndexExpr->IgnoreParenImpCasts();
  if (IndexExpr->isValueDependent())
    return;

  // EffectiveType is the element type as seen through any casts on the base;
  // it is read before the casts are stripped on the next line.
  const Type *EffectiveType =
      BaseExpr->getType()->getPointeeOrArrayElementType();
  BaseExpr = BaseExpr->IgnoreParenCasts();
  const ConstantArrayType *ArrayTy =
      Context.getAsConstantArrayType(BaseExpr->getType());

  LangOptions::StrictFlexArraysLevelKind
    StrictFlexArraysLevel = getLangOpts().getStrictFlexArraysLevel();

  // BaseType is null when the stripped base is not a constant array.
  const Type *BaseType =
      ArrayTy == nullptr ? nullptr : ArrayTy->getElementType().getTypePtr();
  bool IsUnboundedArray =
      BaseType == nullptr || BaseExpr->isFlexibleArrayMemberLike(
                                 Context, StrictFlexArraysLevel,
                                 /*IgnoreTemplateOrMacroSubstitution=*/true);
  if (EffectiveType->isDependentType() ||
      (!IsUnboundedArray && BaseType->isDependentType()))
    return;

  // Only indices that fold to an integer constant are checked; anything else
  // leaves this function without a diagnostic.
  Expr::EvalResult Result;
  if (!IndexExpr->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects))
    return;

  llvm::APSInt index = Result.Val.getInt();
  if (IndexNegated) {
    index.setIsUnsigned(false);
    index = -index;
  }

  if (IsUnboundedArray) {
    if (EffectiveType->isFunctionType())
      return;
    // Negative indices skip this block and reach the 'return' below
    // undiagnosed.
    if (index.isUnsigned() || !index.isNegative()) {
      const auto &ASTC = getASTContext();
      unsigned AddrBits = ASTC.getTargetInfo().getPointerWidth(
          EffectiveType->getCanonicalTypeInternal().getAddressSpace());
      // Widen a narrow index to pointer width before doing arithmetic on it.
      if (index.getBitWidth() < AddrBits)
        index = index.zext(AddrBits);
      std::optional<CharUnits> ElemCharUnits =
          ASTC.getTypeSizeInCharsIfKnown(EffectiveType);
      // PR50741 - If EffectiveType has unknown size (e.g., if it's a void
      // pointer) bounds-checking isn't meaningful.
      if (!ElemCharUnits || ElemCharUnits->isZero())
        return;
      llvm::APInt ElemBytes(index.getBitWidth(), ElemCharUnits->getQuantity());
      // If index has more active bits than address space, we already know
      // we have a bounds violation to warn about.  Otherwise, compute
      // address of (index + 1)th element, and warn about bounds violation
      // only if that address exceeds address space.
      if (index.getActiveBits() <= AddrBits) {
        bool Overflow;
        llvm::APInt Product(index);
        Product += 1;
        Product = Product.umul_ov(ElemBytes, Overflow);
        if (!Overflow && Product.getActiveBits() <= AddrBits)
          return;
      }

      // Need to compute max possible elements in address space, since that
      // is included in diag message.
      llvm::APInt MaxElems = llvm::APInt::getMaxValue(AddrBits);
      // One extra bit so that adding 1 to the all-ones value cannot wrap.
      MaxElems = MaxElems.zext(std::max(AddrBits + 1, ElemBytes.getBitWidth()));
      MaxElems += 1;
      ElemBytes = ElemBytes.zextOrTrunc(MaxElems.getBitWidth());
      MaxElems = MaxElems.udiv(ElemBytes);

      unsigned DiagID =
          ASE ? diag::warn_array_index_exceeds_max_addressable_bounds
              : diag::warn_ptr_arith_exceeds_max_addressable_bounds;

      // Diag message shows element size in bits and in "bytes" (platform-
      // dependent CharUnits)
      DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
                          PDiag(DiagID)
                              << toString(index, 10, true) << AddrBits
                              << (unsigned)ASTC.toBits(*ElemCharUnits)
                              << toString(ElemBytes, 10, false)
                              << toString(MaxElems, 10, false)
                              << (unsigned)MaxElems.getLimitedValue(~0U)
                              << IndexExpr->getSourceRange());

      const NamedDecl *ND = nullptr;
      // Try harder to find a NamedDecl to point at in the note.
      while (const auto *ASE = dyn_cast<ArraySubscriptExpr>(BaseExpr))
        BaseExpr = ASE->getBase()->IgnoreParenCasts();
      if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
        ND = DRE->getDecl();
      if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
        ND = ME->getMemberDecl();

      if (ND)
        DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
                            PDiag(diag::note_array_declared_here) << ND);
    }
    return;
  }

  // From here on the base is a constant array that is not treated as a
  // flexible array member, so ArrayTy and BaseType are non-null.
  if (index.isUnsigned() || !index.isNegative()) {
    // It is possible that the type of the base expression after
    // IgnoreParenCasts is incomplete, even though the type of the base
    // expression before IgnoreParenCasts is complete (see PR39746 for an
    // example). In this case we have no information about whether the array
    // access exceeds the array bounds. However we can still diagnose an array
    // access which precedes the array bounds.
    if (BaseType->isIncompleteType())
      return;

    llvm::APInt size = ArrayTy->getSize();

    if (BaseType != EffectiveType) {
      // Make sure we're comparing apples to apples when comparing index to
      // size.
      uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType);
      uint64_t array_typesize = Context.getTypeSize(BaseType);

      // Handle ptrarith_typesize being zero, such as when casting to void*.
      // Use the size in bits (what "getTypeSize()" returns) rather than bytes.
      if (!ptrarith_typesize)
        ptrarith_typesize = Context.getCharWidth();

      if (ptrarith_typesize != array_typesize) {
        // There's a cast to a different size type involved.
        uint64_t ratio = array_typesize / ptrarith_typesize;

        // TODO: Be smarter about handling cases where array_typesize is not a
        // multiple of ptrarith_typesize.
        // When it is not an exact multiple, size stays in units of the
        // array's own element type.
        if (ptrarith_typesize * ratio == array_typesize)
          size *= llvm::APInt(size.getBitWidth(), ratio);
      }
    }

    // Bring index and size to a common bit width before comparing them.
    if (size.getBitWidth() > index.getBitWidth())
      index = index.zext(size.getBitWidth());
    else if (size.getBitWidth() < index.getBitWidth())
      size = size.zext(index.getBitWidth());

    // For array subscripting the index must be less than size, but for pointer
    // arithmetic also allow the index (offset) to be equal to size since
    // computing the next address after the end of the array is legal and
    // commonly done e.g. in C++ iterators and range-based for loops.
    if (AllowOnePastEnd ? index.ule(size) : index.ult(size))
      return;

    // Suppress the warning if the subscript expression (as identified by the
    // ']' location) and the index expression are both from macro expansions
    // within a system header.
    if (ASE) {
      SourceLocation RBracketLoc = SourceMgr.getSpellingLoc(
          ASE->getRBracketLoc());
      if (SourceMgr.isInSystemHeader(RBracketLoc)) {
        SourceLocation IndexLoc =
            SourceMgr.getSpellingLoc(IndexExpr->getBeginLoc());
        if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc))
          return;
      }
    }

    unsigned DiagID = ASE ? diag::warn_array_index_exceeds_bounds
                          : diag::warn_ptr_arith_exceeds_bounds;
    // CastMsg is 1 only for a subscript whose element type differs from the
    // array's own element type.
    unsigned CastMsg = (!ASE || BaseType == EffectiveType) ? 0 : 1;
    QualType CastMsgTy = ASE ? ASE->getLHS()->getType() : QualType();

    DiagRuntimeBehavior(
        BaseExpr->getBeginLoc(), BaseExpr,
        PDiag(DiagID) << toString(index, 10, true) << ArrayTy->desugar()
                      << CastMsg << CastMsgTy << IndexExpr->getSourceRange());
  } else {
    // Negative index: the access lies before the start of the array.
    unsigned DiagID = diag::warn_array_index_precedes_bounds;
    if (!ASE) {
      DiagID = diag::warn_ptr_arith_precedes_bounds;
      // The pointer-arithmetic diagnostic is given the magnitude of the
      // offset.
      if (index.isNegative()) index = -index;
    }

    DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
                        PDiag(DiagID) << toString(index, 10, true)
                                      << IndexExpr->getSourceRange());
  }

  const NamedDecl *ND = nullptr;
  // Try harder to find a NamedDecl to point at in the note.
  while (const auto *ASE = dyn_cast<ArraySubscriptExpr>(BaseExpr))
    BaseExpr = ASE->getBase()->IgnoreParenCasts();
  if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
    ND = DRE->getDecl();
  if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
    ND = ME->getMemberDecl();

  if (ND)
    DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
                        PDiag(diag::note_array_declared_here) << ND);
}
13274
/// Walks down \p expr through subscripts, member accesses, unary '*' and '&',
/// conditional operators and overloaded-operator calls, running the bounds
/// check on every array subscript (and on the lower bound of an array
/// section) met on the way. Any other kind of expression ends the walk.
void Sema::CheckArrayAccess(const Expr *expr) {
  // Number of '&' seen minus number of '*' seen so far. While it is positive
  // an index equal to the array size is tolerated.
  int AllowOnePastEnd = 0;
  while (expr) {
    expr = expr->IgnoreParenImpCasts();
    switch (expr->getStmtClass()) {
    case Stmt::ArraySubscriptExprClass: {
      const auto *Subscript = cast<ArraySubscriptExpr>(expr);
      const Expr *Base = Subscript->getBase();
      CheckArrayAccess(Base, Subscript->getIdx(), Subscript,
                       AllowOnePastEnd > 0);
      // Keep going: the base may itself be a subscript.
      expr = Base;
      break;
    }

    case Stmt::MemberExprClass:
      expr = cast<MemberExpr>(expr)->getBase();
      break;

    case Stmt::ArraySectionExprClass: {
      const auto *Section = cast<ArraySectionExpr>(expr);
      // FIXME: We should probably be checking all of the elements to the
      // 'length' here as well.
      if (const Expr *Lower = Section->getLowerBound())
        CheckArrayAccess(Section->getBase(), Lower,
                         /*ASE=*/nullptr, AllowOnePastEnd > 0);
      return;
    }

    case Stmt::UnaryOperatorClass: {
      // Only '*' and '&' are looked through; any other unary operator stops
      // the walk.
      const auto *Unary = cast<UnaryOperator>(expr);
      const auto Opcode = Unary->getOpcode();
      if (Opcode == UO_AddrOf)
        ++AllowOnePastEnd;
      else if (Opcode == UO_Deref)
        --AllowOnePastEnd;
      else
        return;
      expr = Unary->getSubExpr();
      break;
    }

    case Stmt::ConditionalOperatorClass: {
      // Both arms are checked independently, each starting from scratch.
      const auto *Conditional = cast<ConditionalOperator>(expr);
      if (const Expr *TrueArm = Conditional->getLHS())
        CheckArrayAccess(TrueArm);
      if (const Expr *FalseArm = Conditional->getRHS())
        CheckArrayAccess(FalseArm);
      return;
    }

    case Stmt::CXXOperatorCallExprClass: {
      const auto *OperatorCall = cast<CXXOperatorCallExpr>(expr);
      for (const auto *Argument : OperatorCall->arguments())
        CheckArrayAccess(Argument);
      return;
    }

    default:
      return;
    }
  }
}
13335
/// Warns (warn_arc_literal_assign) when \p RHS is an Objective-C object
/// literal other than a string literal.
///
/// \returns true if the warning was issued.
static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc,
                                     Expr *RHS, bool isProperty) {
  // An Objective-C object literal can get immediately zapped in a weak
  // reference. ObjCStringLiterals are explicitly allowed, since those are
  // designed to never really die.
  Expr *Literal = RHS->IgnoreParenImpCasts();

  // The numeric value of the kind is streamed into the diagnostic below, so
  // this enum needs to match the diagnostic's 'select' (off-by-1).
  const SemaObjC::ObjCLiteralKind Kind = S.ObjC().CheckLiteralKind(Literal);
  const bool NothingToReport =
      Kind == SemaObjC::LK_String || Kind == SemaObjC::LK_None;
  if (NothingToReport)
    return false;

  S.Diag(Loc, diag::warn_arc_literal_assign)
      << static_cast<unsigned>(Kind) << (isProperty ? 0 : 1)
      << Literal->getSourceRange();
  return true;
}
13356
/// Looks through the implicit casts on \p RHS for CK_ARCConsumeObject and
/// warns (warn_arc_retained_assign) when one is found; for a weak lifetime it
/// otherwise runs the object-literal check.
///
/// \returns true if a warning was issued.
static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc,
                                    Qualifiers::ObjCLifetime LT,
                                    Expr *RHS, bool isProperty) {
  // Peel implicit casts one at a time until the ARC-specific one shows up or
  // there are none left.
  for (auto *Implicit = dyn_cast<ImplicitCastExpr>(RHS); Implicit;
       Implicit = dyn_cast<ImplicitCastExpr>(RHS)) {
    if (Implicit->getCastKind() == CK_ARCConsumeObject) {
      S.Diag(Loc, diag::warn_arc_retained_assign)
          << (LT == Qualifiers::OCL_ExplicitNone) << (isProperty ? 0 : 1)
          << RHS->getSourceRange();
      return true;
    }
    RHS = Implicit->getSubExpr();
  }

  // The literal check is only run for weak destinations.
  return LT == Qualifiers::OCL_Weak &&
         checkUnsafeAssignLiteral(S, Loc, RHS, isProperty);
}
13378
/// Runs the unsafe-assignment checks for a destination of type \p LHS. Only
/// destinations whose Objective-C lifetime is weak or explicitly none are
/// examined.
///
/// \returns true if a warning was issued.
bool Sema::checkUnsafeAssigns(SourceLocation Loc,
                              QualType LHS, Expr *RHS) {
  const Qualifiers::ObjCLifetime Lifetime = LHS.getObjCLifetime();
  const bool WeakOrExplicitNone = Lifetime == Qualifiers::OCL_Weak ||
                                  Lifetime == Qualifiers::OCL_ExplicitNone;
  return WeakOrExplicitNone &&
         checkUnsafeAssignObject(*this, Loc, Lifetime, RHS, false);
}
13391
/// Runs the unsafe-assignment checks for the assignment `LHS = RHS`, taking
/// the destination type from the property declaration when \p LHS is an
/// explicit Objective-C property reference.
void Sema::checkUnsafeExprAssigns(SourceLocation Loc,
                                  Expr *LHS, Expr *RHS) {
  // A property reference has a pseudo type, so for an explicit property the
  // destination type has to come directly from its declaration.
  auto *PropRef = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens());
  QualType DestType;
  if (PropRef && !PropRef->isImplicitProperty())
    if (const ObjCPropertyDecl *Declared = PropRef->getExplicitProperty())
      DestType = Declared->getType();
  if (DestType.isNull())
    DestType = LHS->getType();

  const Qualifiers::ObjCLifetime Lifetime = DestType.getObjCLifetime();

  if (Lifetime == Qualifiers::OCL_Weak &&
      !Diags.isIgnored(diag::warn_arc_repeated_use_of_weak, Loc))
    getCurFunction()->markSafeWeakUse(LHS);

  if (checkUnsafeAssigns(Loc, DestType, RHS))
    return;

  // FIXME. Check for other life times.
  if (Lifetime != Qualifiers::OCL_None)
    return;

  // What remains applies to explicit properties only.
  if (!PropRef || PropRef->isImplicitProperty())
    return;
  const ObjCPropertyDecl *Property = PropRef->getExplicitProperty();
  if (!Property)
    return;

  const unsigned Attributes = Property->getPropertyAttributes();
  if (Attributes & ObjCPropertyAttribute::kind_assign) {
    // When the 'assign' attribute was not explicitly specified by the user,
    // ignore it and rely on the property type itself for lifetime info.
    const unsigned AsWritten = Property->getPropertyAttributesAsWritten();
    if (!(AsWritten & ObjCPropertyAttribute::kind_assign) &&
        DestType->isObjCRetainableType())
      return;

    for (auto *Implicit = dyn_cast<ImplicitCastExpr>(RHS); Implicit;
         Implicit = dyn_cast<ImplicitCastExpr>(RHS)) {
      if (Implicit->getCastKind() == CK_ARCConsumeObject) {
        Diag(Loc, diag::warn_arc_retained_property_assign)
            << RHS->getSourceRange();
        return;
      }
      RHS = Implicit->getSubExpr();
    }
  } else if (Attributes & ObjCPropertyAttribute::kind_weak) {
    // Nothing follows this call, so whether it warned makes no difference.
    (void)checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true);
  }
}
13453
13454 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===//
13455
/// Decides whether an empty statement body deserves a warning: the body must
/// not be an empty macro expansion, and its ';' must be on the same line as
/// \p StmtLoc.
static bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr,
                                        SourceLocation StmtLoc,
                                        const NullStmt *Body) {
  // A body that is a macro expanding to nothing is left alone, e.g:
  //
  //   #define CALL(x)
  //   if (condition)
  //     CALL(0);
  if (Body->hasLeadingEmptyMacro())
    return false;

  // Presumed line of the statement; give up if it cannot be determined.
  bool StmtLineUnknown;
  const unsigned StmtLine =
      SourceMgr.getPresumedLineNumber(StmtLoc, &StmtLineUnknown);
  if (StmtLineUnknown)
    return false;

  // Spelling line of the body's semicolon; same policy.
  bool SemiLineUnknown;
  const unsigned SemiLine =
      SourceMgr.getSpellingLineNumber(Body->getSemiLoc(), &SemiLineUnknown);
  if (SemiLineUnknown)
    return false;

  // Warn only when the null statement sits on the statement's own line.
  return StmtLine == SemiLine;
}
13486
/// Reports \p DiagID, followed by note_empty_body_on_separate_line, when
/// \p Body is a null statement that passes ShouldDiagnoseEmptyStmtBody.
void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc,
                                 const Stmt *Body,
                                 unsigned DiagID) {
  // This is a syntactic check; repeating it for template instantiations would
  // just add noise.
  if (CurrentInstantiationScope)
    return;

  // Only a null-statement body that also passes the usual checks is reported.
  const auto *EmptyBody = dyn_cast<NullStmt>(Body);
  if (!EmptyBody || !ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, EmptyBody))
    return;

  const SourceLocation SemiLoc = EmptyBody->getSemiLoc();
  Diag(SemiLoc, DiagID);
  Diag(SemiLoc, diag::note_empty_body_on_separate_line);
}
13507
/// Warns about a 'for' or 'while' loop whose body is a lone ';' when the
/// statement after it looks like the body that was meant.
///
/// \param S            the loop statement; anything other than a for/while
///                     loop is ignored.
/// \param PossibleBody the statement that follows the loop.
void Sema::DiagnoseEmptyLoopBody(const Stmt *S,
                                 const Stmt *PossibleBody) {
  assert(!CurrentInstantiationScope); // Ensured by caller

  SourceLocation HeaderEnd;
  const Stmt *LoopBody;
  unsigned DiagID;
  if (const auto *For = dyn_cast<ForStmt>(S)) {
    HeaderEnd = For->getRParenLoc();
    LoopBody = For->getBody();
    DiagID = diag::warn_empty_for_body;
  } else if (const auto *While = dyn_cast<WhileStmt>(S)) {
    HeaderEnd = While->getRParenLoc();
    LoopBody = While->getBody();
    DiagID = diag::warn_empty_while_body;
  } else {
    return; // Neither `for' nor `while'.
  }

  // The body should be a null statement.
  const auto *EmptyBody = dyn_cast<NullStmt>(LoopBody);
  if (!EmptyBody)
    return;
  const SourceLocation SemiLoc = EmptyBody->getSemiLoc();

  // Skip expensive checks if diagnostic is disabled.
  if (Diags.isIgnored(DiagID, SemiLoc))
    return;

  // Do the usual checks.
  if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, HeaderEnd, EmptyBody))
    return;

  // `for(...);' and `while(...);' are popular idioms, so in order to keep
  // noise level low, emit diagnostics only if for/while is followed by a
  // CompoundStmt, e.g.:
  //    for (int i = 0; i < n; i++);
  //    {
  //      a(i);
  //    }
  // or if for/while is followed by a statement with more indentation
  // than for/while itself:
  //    for (int i = 0; i < n; i++);
  //      a(i);
  if (!isa<CompoundStmt>(PossibleBody)) {
    bool FollowerColUnknown;
    const unsigned FollowerCol = SourceMgr.getPresumedColumnNumber(
        PossibleBody->getBeginLoc(), &FollowerColUnknown);
    if (FollowerColUnknown)
      return;

    bool LoopColUnknown;
    const unsigned LoopCol =
        SourceMgr.getPresumedColumnNumber(S->getBeginLoc(), &LoopColUnknown);
    if (LoopColUnknown)
      return;

    // Not indented deeper than the loop: treat the empty body as intended.
    if (FollowerCol <= LoopCol)
      return;
  }

  Diag(SemiLoc, DiagID);
  Diag(SemiLoc, diag::note_empty_body_on_separate_line);
}
13573
13574 //===--- CHECK: Warn on self move with std::move. -------------------------===//
13575
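/// Warns (warn_self_move) when an object is moved onto itself, as in
/// `x = std::move(x)` or `x = static_cast<T &&>(x)`.
///
/// The two sides are compared structurally: either both are references to the
/// same declaration, or both are member-access chains naming the same members
/// and ending in the same declaration or in 'this'. Nothing is reported while
/// instantiating a template.
///
/// \param LHSExpr destination of the assignment.
/// \param RHSExpr source of the assignment.
/// \param OpLoc   location of the operator; the warning is reported here.
void Sema::DiagnoseSelfMove(const Expr *LHSExpr, const Expr *RHSExpr,
                            SourceLocation OpLoc) {
  // Gate on the diagnostic this function actually emits. The guard used to
  // test warn_sizeof_pointer_expr_memaccess, so turning that unrelated warning
  // off also switched self-move detection off.
  if (Diags.isIgnored(diag::warn_self_move, OpLoc))
    return;

  if (inTemplateInstantiation())
    return;

  // Strip parens and casts away.
  LHSExpr = LHSExpr->IgnoreParenImpCasts();
  RHSExpr = RHSExpr->IgnoreParenImpCasts();

  // Check for a call to std::move or for a static_cast<T&&>(..) to an xvalue
  // which we can treat as an inlined std::move
  if (const auto *CE = dyn_cast<CallExpr>(RHSExpr);
      CE && CE->getNumArgs() == 1 && CE->isCallToStdMove())
    RHSExpr = CE->getArg(0);
  else if (const auto *CXXSCE = dyn_cast<CXXStaticCastExpr>(RHSExpr);
           CXXSCE && CXXSCE->isXValue())
    RHSExpr = CXXSCE->getSubExpr();
  else
    return;

  const DeclRefExpr *LHSDeclRef = dyn_cast<DeclRefExpr>(LHSExpr);
  const DeclRefExpr *RHSDeclRef = dyn_cast<DeclRefExpr>(RHSExpr);

  // Two DeclRefExpr's, check that the decls are the same.
  if (LHSDeclRef && RHSDeclRef) {
    if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl())
      return;
    if (LHSDeclRef->getDecl()->getCanonicalDecl() !=
        RHSDeclRef->getDecl()->getCanonicalDecl())
      return;

    auto D = Diag(OpLoc, diag::warn_self_move)
             << LHSExpr->getType() << LHSExpr->getSourceRange()
             << RHSExpr->getSourceRange();
    // When a field is found as a self-assignment candidate for the name, name
    // it and offer to qualify the destination with 'this->'.
    if (const FieldDecl *F =
            getSelfAssignmentClassMemberCandidate(RHSDeclRef->getDecl()))
      D << 1 << F
        << FixItHint::CreateInsertion(LHSDeclRef->getBeginLoc(), "this->");
    else
      D << 0;
    return;
  }

  // Member variables require a different approach to check for self moves.
  // MemberExpr's are the same if every nested MemberExpr refers to the same
  // Decl and that the base Expr's are DeclRefExpr's with the same Decl or
  // the base Expr's are CXXThisExpr's.
  const Expr *LHSBase = LHSExpr;
  const Expr *RHSBase = RHSExpr;
  const MemberExpr *LHSME = dyn_cast<MemberExpr>(LHSExpr);
  const MemberExpr *RHSME = dyn_cast<MemberExpr>(RHSExpr);
  if (!LHSME || !RHSME)
    return;

  // Walk both chains in lock-step towards their bases; any mismatch in the
  // member named means the two sides are different objects.
  while (LHSME && RHSME) {
    if (LHSME->getMemberDecl()->getCanonicalDecl() !=
        RHSME->getMemberDecl()->getCanonicalDecl())
      return;

    LHSBase = LHSME->getBase();
    RHSBase = RHSME->getBase();
    LHSME = dyn_cast<MemberExpr>(LHSBase);
    RHSME = dyn_cast<MemberExpr>(RHSBase);
  }

  LHSDeclRef = dyn_cast<DeclRefExpr>(LHSBase);
  RHSDeclRef = dyn_cast<DeclRefExpr>(RHSBase);
  if (LHSDeclRef && RHSDeclRef) {
    if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl())
      return;
    if (LHSDeclRef->getDecl()->getCanonicalDecl() !=
        RHSDeclRef->getDecl()->getCanonicalDecl())
      return;

    Diag(OpLoc, diag::warn_self_move)
        << LHSExpr->getType() << 0 << LHSExpr->getSourceRange()
        << RHSExpr->getSourceRange();
    return;
  }

  // Both chains bottom out in 'this'.
  if (isa<CXXThisExpr>(LHSBase) && isa<CXXThisExpr>(RHSBase))
    Diag(OpLoc, diag::warn_self_move)
        << LHSExpr->getType() << 0 << LHSExpr->getSourceRange()
        << RHSExpr->getSourceRange();
}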
13664
13665 //===--- Layout compatibility ----------------------------------------------//
13666
// Forward declaration: the field overload below compares field types through
// this QualType overload, which is only defined after the record overloads.
static bool isLayoutCompatible(const ASTContext &C, QualType T1, QualType T2);
13668
/// Check if two enumeration types are layout-compatible.
/// Either enumeration being incomplete makes the answer false.
static bool isLayoutCompatible(const ASTContext &C, const EnumDecl *ED1,
                               const EnumDecl *ED2) {
  // C++11 [dcl.enum] p8:
  // Two enumeration types are layout-compatible if they have the same
  // underlying type.
  if (!ED1->isComplete() || !ED2->isComplete())
    return false;
  return C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType());
}
13678
/// Check if two fields are layout-compatible.
/// Can be used on union members, which are exempt from alignment requirement
/// of common initial sequence.
///
/// \param AreUnionMembers must be true exactly when both fields belong to
///                        unions; the alignment comparison is skipped then.
static bool isLayoutCompatible(const ASTContext &C, const FieldDecl *Field1,
                               const FieldDecl *Field2,
                               bool AreUnionMembers = false) {
  [[maybe_unused]] const Type *Parent1 = Field1->getParent()->getTypeForDecl();
  [[maybe_unused]] const Type *Parent2 = Field2->getParent()->getTypeForDecl();
  assert(((Parent1->isStructureOrClassType() &&
           Parent2->isStructureOrClassType()) ||
          (Parent1->isUnionType() && Parent2->isUnionType())) &&
         "Can't evaluate layout compatibility between a struct field and a "
         "union field.");
  assert(((!AreUnionMembers && Parent1->isStructureOrClassType()) ||
          (AreUnionMembers && Parent1->isUnionType())) &&
         "AreUnionMembers should be 'true' for union fields (only).");

  // The field types themselves have to be layout-compatible.
  if (!isLayoutCompatible(C, Field1->getType(), Field2->getType()))
    return false;

  // Either both are bit-fields of the same width, or neither is a bit-field.
  const bool IsBitField = Field1->isBitField();
  if (IsBitField != Field2->isBitField())
    return false;
  if (IsBitField && Field1->getBitWidthValue(C) != Field2->getBitWidthValue(C))
    return false;

  // A no_unique_address attribute on either field rules compatibility out.
  if (Field1->hasAttr<clang::NoUniqueAddressAttr>() ||
      Field2->hasAttr<clang::NoUniqueAddressAttr>())
    return false;

  // Struct members must also agree on alignment; union members need not.
  return AreUnionMembers ||
         Field1->getMaxAlignment() == Field2->getMaxAlignment();
}
13723
/// Check if two standard-layout structs are layout-compatible.
/// (C++11 [class.mem] p17)
static bool isLayoutCompatibleStruct(const ASTContext &C, const RecordDecl *RD1,
                                     const RecordDecl *RD2) {
  // For C++ classes, get to the class where the fields are declared.
  if (const auto *CXX1 = dyn_cast<CXXRecordDecl>(RD1))
    RD1 = CXX1->getStandardLayoutBaseWithFields();
  if (const auto *CXX2 = dyn_cast<CXXRecordDecl>(RD2))
    RD2 = CXX2->getStandardLayoutBaseWithFields();

  // The two field lists are compared pairwise with the field-level check.
  const auto FieldsMatch = [&C](const FieldDecl *F1, const FieldDecl *F2) {
    return isLayoutCompatible(C, F1, F2);
  };
  return llvm::equal(RD1->fields(), RD2->fields(), FieldsMatch);
}
13741
/// Check if two standard-layout unions are layout-compatible.
/// (C++11 [class.mem] p18)
///
/// Every field of \p RD1 has to be paired with a distinct layout-compatible
/// field of \p RD2, and no field of \p RD2 may be left over.
static bool isLayoutCompatibleUnion(const ASTContext &C, const RecordDecl *RD1,
                                    const RecordDecl *RD2) {
  // Start with every field of RD2 unclaimed.
  llvm::SmallPtrSet<const FieldDecl *, 8> Unclaimed;
  for (const FieldDecl *Candidate : RD2->fields())
    Unclaimed.insert(Candidate);

  for (const FieldDecl *Wanted : RD1->fields()) {
    // Take the first unclaimed field that is compatible with this one.
    const FieldDecl *Partner = nullptr;
    for (const FieldDecl *Candidate : Unclaimed) {
      if (isLayoutCompatible(C, Wanted, Candidate, /*AreUnionMembers=*/true)) {
        Partner = Candidate;
        break;
      }
    }
    if (!Partner)
      return false;

    // Claim it so that it cannot be paired a second time.
    bool Erased = Unclaimed.erase(Partner);
    (void)Erased;
    assert(Erased);
  }

  return Unclaimed.empty();
}
13768
/// Dispatch the layout-compatibility check for two records: a union is never
/// compatible with a non-union; otherwise the union or struct rule is applied.
static bool isLayoutCompatible(const ASTContext &C, const RecordDecl *RD1,
                               const RecordDecl *RD2) {
  const bool IsUnion = RD1->isUnion();
  if (IsUnion != RD2->isUnion())
    return false;

  return IsUnion ? isLayoutCompatibleUnion(C, RD1, RD2)
                 : isLayoutCompatibleStruct(C, RD1, RD2);
}
13779
/// Check if two types are layout-compatible in the C++11 sense.
///
/// Null types are never compatible. Both types are canonicalized and stripped
/// of qualifiers before being compared.
static bool isLayoutCompatible(const ASTContext &C, QualType T1, QualType T2) {
  if (T1.isNull() || T2.isNull())
    return false;

  // C++20 [basic.types] p11:
  // Two types cv1 T1 and cv2 T2 are layout-compatible types
  // if T1 and T2 are the same type, layout-compatible enumerations (9.7.1),
  // or layout-compatible standard-layout class types (11.4).
  T1 = T1.getCanonicalType().getUnqualifiedType();
  T2 = T2.getCanonicalType().getUnqualifiedType();

  if (C.hasSameType(T1, T2))
    return true;

  // Distinct types can only be compatible when they are of the same class.
  const Type::TypeClass Class = T1->getTypeClass();
  if (Class != T2->getTypeClass())
    return false;

  switch (Class) {
  case Type::Enum:
    return isLayoutCompatible(C, cast<EnumType>(T1)->getDecl(),
                              cast<EnumType>(T2)->getDecl());

  case Type::Record:
    // Only standard-layout class types take part in the relation.
    if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType())
      return false;
    return isLayoutCompatible(C, cast<RecordType>(T1)->getDecl(),
                              cast<RecordType>(T2)->getDecl());

  default:
    return false;
  }
}
13816
/// Sema entry point for the layout-compatibility check; forwards to the
/// file-local implementation using this Sema's ASTContext.
bool Sema::IsLayoutCompatible(QualType T1, QualType T2) const {
  const ASTContext &Ctx = getASTContext();
  return isLayoutCompatible(Ctx, T1, T2);
}
13820
13821 //===-------------- Pointer interconvertibility ----------------------------//
13822
/// Decide whether \p Base is a pointer-interconvertible base of \p Derived.
///
/// Both types are compared in canonical, unqualified form. A structure or
/// class type is accepted against itself; otherwise \p Derived has to derive
/// from \p Base and be a standard-layout class.
bool Sema::IsPointerInterconvertibleBaseOf(const TypeSourceInfo *Base,
                                           const TypeSourceInfo *Derived) {
  QualType BaseT = Base->getType()->getCanonicalTypeUnqualified();
  QualType DerivedT = Derived->getType()->getCanonicalTypeUnqualified();

  const bool BothClasses =
      BaseT->isStructureOrClassType() && DerivedT->isStructureOrClassType();
  if (BothClasses && getASTContext().hasSameType(BaseT, DerivedT))
    return true;

  if (!IsDerivedFrom(Derived->getTypeLoc().getBeginLoc(), DerivedT, BaseT))
    return false;

  // Per [basic.compound]/4.3, containing object has to be standard-layout.
  return DerivedT->getAsCXXRecordDecl()->isStandardLayout();
}
13841
13842 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----//
13843
/// Given a type tag expression find the type tag itself.
///
/// The expression is peeled step by step: parentheses and casts are ignored,
/// `&`/`*` are looked through, the right operand of a comma is followed, and a
/// conditional operator is followed along the arm selected by its condition
/// when that condition can be evaluated. The search stops at a declaration
/// reference (stored in \p VD) or an integer literal (stored in
/// \p MagicValue); any other expression form yields false.
///
/// \param TypeExpr Type tag expression, as it appears in user's code.
///
/// \param Ctx AST context used to evaluate conditional-operator conditions.
///
/// \param VD Declaration of an identifier that appears in a type tag.
///
/// \param MagicValue Type tag magic value.
///
/// \param isConstantEvaluated whether the evaluation should be performed in
/// constant context.
///
/// \returns true if either \p VD or \p MagicValue was set.
static bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx,
                            const ValueDecl **VD, uint64_t *MagicValue,
                            bool isConstantEvaluated) {
  for (;;) {
    if (!TypeExpr)
      return false;

    TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts();

    switch (TypeExpr->getStmtClass()) {
    case Stmt::UnaryOperatorClass: {
      const auto *Unary = cast<UnaryOperator>(TypeExpr);
      const UnaryOperatorKind Opcode = Unary->getOpcode();
      // Only address-of and dereference are transparent for tag lookup.
      if (Opcode != UO_AddrOf && Opcode != UO_Deref)
        return false;
      TypeExpr = Unary->getSubExpr();
      continue;
    }

    case Stmt::DeclRefExprClass:
      *VD = cast<DeclRefExpr>(TypeExpr)->getDecl();
      return true;

    case Stmt::IntegerLiteralClass: {
      const llvm::APInt Literal = cast<IntegerLiteral>(TypeExpr)->getValue();
      // A literal that needs more than 64 bits is rejected rather than
      // truncated, so it can never alias a smaller registered magic value.
      if (Literal.getActiveBits() > 64)
        return false;
      *MagicValue = Literal.getZExtValue();
      return true;
    }

    case Stmt::BinaryConditionalOperatorClass:
    case Stmt::ConditionalOperatorClass: {
      const auto *Conditional = cast<AbstractConditionalOperator>(TypeExpr);
      bool CondValue;
      if (!Conditional->getCond()->EvaluateAsBooleanCondition(
              CondValue, Ctx, isConstantEvaluated))
        return false;
      TypeExpr = CondValue ? Conditional->getTrueExpr()
                           : Conditional->getFalseExpr();
      continue;
    }

    case Stmt::BinaryOperatorClass: {
      const auto *Binary = cast<BinaryOperator>(TypeExpr);
      // Only the comma operator is followed, through its right operand.
      if (Binary->getOpcode() != BO_Comma)
        return false;
      TypeExpr = Binary->getRHS();
      continue;
    }

    default:
      return false;
    }
  }
}
13920
/// Retrieve the C type corresponding to type tag TypeExpr.
///
/// A tag that resolves to a declaration is looked up through that
/// declaration's TypeTagForDatatypeAttr; a tag that resolves to an integer
/// literal is looked up in \p MagicValues under the pair
/// (ArgumentKind, magic value).
///
/// \param ArgumentKind Kind identifier the type tag has to be registered for.
///
/// \param TypeExpr Expression that specifies a type tag.
///
/// \param Ctx AST context, forwarded to FindTypeTagExpr.
///
/// \param MagicValues Registered magic values; may be null, in which case a
/// literal tag is never found.
///
/// \param FoundWrongKind Set to true if a type tag was found, but of a wrong
/// kind.
///
/// \param TypeInfo Information about the corresponding C type.
///
/// \param isConstantEvaluated whether the evaluation should be performed in
/// constant context.
///
/// \returns true if the corresponding C type was found.
static bool GetMatchingCType(
    const IdentifierInfo *ArgumentKind, const Expr *TypeExpr,
    const ASTContext &Ctx,
    const llvm::DenseMap<Sema::TypeTagMagicValue, Sema::TypeTagData>
        *MagicValues,
    bool &FoundWrongKind, Sema::TypeTagData &TypeInfo,
    bool isConstantEvaluated) {
  FoundWrongKind = false;

  // Variable declaration that has type_tag_for_datatype attribute.
  const ValueDecl *TagDecl = nullptr;

  // Written by FindTypeTagExpr only when the tag is an integer literal.
  uint64_t MagicValue;

  if (!FindTypeTagExpr(TypeExpr, Ctx, &TagDecl, &MagicValue,
                       isConstantEvaluated))
    return false;

  if (TagDecl) {
    const auto *TagAttr = TagDecl->getAttr<TypeTagForDatatypeAttr>();
    if (!TagAttr)
      return false;

    // The declaration carries a tag, but for a different argument kind.
    if (TagAttr->getArgumentKind() != ArgumentKind) {
      FoundWrongKind = true;
      return false;
    }

    TypeInfo.Type = TagAttr->getMatchingCType();
    TypeInfo.LayoutCompatible = TagAttr->getLayoutCompatible();
    TypeInfo.MustBeNull = TagAttr->getMustBeNull();
    return true;
  }

  if (!MagicValues)
    return false;

  auto Found = MagicValues->find(std::make_pair(ArgumentKind, MagicValue));
  if (Found == MagicValues->end())
    return false;

  TypeInfo = Found->second;
  return true;
}
13979
/// Record that the magic value \p MagicValue, for argument kind
/// \p ArgumentKind, stands for \p Type.
///
/// The registry is created on first use. Registering the same
/// (ArgumentKind, MagicValue) pair again overwrites the earlier entry.
void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind,
                                      uint64_t MagicValue, QualType Type,
                                      bool LayoutCompatible,
                                      bool MustBeNull) {
  if (!TypeTagForDatatypeMagicValues)
    TypeTagForDatatypeMagicValues.reset(
        new llvm::DenseMap<TypeTagMagicValue, TypeTagData>);

  auto &Registry = *TypeTagForDatatypeMagicValues;
  TypeTagMagicValue Key(ArgumentKind, MagicValue);
  Registry[Key] = TypeTagData(Type, LayoutCompatible, MustBeNull);
}
13992
/// Return true when one of the two builtin types is plain `char` and the
/// other is the explicitly signed/unsigned character type of the same
/// signedness (Char_S with SChar, Char_U with UChar), in either order.
/// Two identical kinds do not count; non-builtin types yield false.
static bool IsSameCharType(QualType T1, QualType T2) {
  const auto *Builtin1 = T1->getAs<BuiltinType>();
  if (!Builtin1)
    return false;

  const auto *Builtin2 = T2->getAs<BuiltinType>();
  if (!Builtin2)
    return false;

  const BuiltinType::Kind Other = Builtin2->getKind();
  switch (Builtin1->getKind()) {
  case BuiltinType::SChar:
    return Other == BuiltinType::Char_S;
  case BuiltinType::UChar:
    return Other == BuiltinType::Char_U;
  case BuiltinType::Char_U:
    return Other == BuiltinType::UChar;
  case BuiltinType::Char_S:
    return Other == BuiltinType::SChar;
  default:
    return false;
  }
}
14010
/// Check one call against an ArgumentWithTypeTagAttr: the argument selected
/// by the attribute must have the type that the call's type tag argument
/// stands for.
///
/// Diagnoses an out-of-range tag or argument index, a tag registered for a
/// different argument kind, a non-null argument where the tag requires null,
/// and a type mismatch. Nothing is reported when the tag cannot be resolved
/// to a C type, or when a `void *` is passed for a pointer attribute, so an
/// unknown tag or a `void *` argument leaves the call unchecked.
///
/// \param Attr The attribute on the callee.
/// \param ExprArgs Arguments of the call.
/// \param CallSiteLoc Location used for the index-out-of-range diagnostics.
void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
                                    const ArrayRef<const Expr *> ExprArgs,
                                    SourceLocation CallSiteLoc) {
  const IdentifierInfo *ArgumentKind = Attr->getArgumentKind();
  const bool IsPointerAttr = Attr->getIsPointer();

  // Retrieve the argument representing the 'type_tag'.
  const unsigned TypeTagIdxAST = Attr->getTypeTagIdx().getASTIndex();
  if (TypeTagIdxAST >= ExprArgs.size()) {
    Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
        << 0 << Attr->getTypeTagIdx().getSourceIndex();
    return;
  }
  const Expr *TypeTagExpr = ExprArgs[TypeTagIdxAST];

  bool FoundWrongKind;
  TypeTagData TypeInfo;
  const bool FoundCType = GetMatchingCType(
      ArgumentKind, TypeTagExpr, Context, TypeTagForDatatypeMagicValues.get(),
      FoundWrongKind, TypeInfo, isConstantEvaluatedContext());
  if (!FoundCType) {
    if (FoundWrongKind)
      Diag(TypeTagExpr->getExprLoc(),
           diag::warn_type_tag_for_datatype_wrong_kind)
          << TypeTagExpr->getSourceRange();
    return;
  }

  // Retrieve the argument representing the 'arg_idx'.
  const unsigned ArgumentIdxAST = Attr->getArgumentIdx().getASTIndex();
  if (ArgumentIdxAST >= ExprArgs.size()) {
    Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
        << 1 << Attr->getArgumentIdx().getSourceIndex();
    return;
  }
  const Expr *ArgumentExpr = ExprArgs[ArgumentIdxAST];

  if (IsPointerAttr) {
    // Skip implicit cast of pointer to `void *' (as a function argument).
    const auto *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr);
    if (ICE && ICE->getType()->isVoidPointerType() &&
        ICE->getCastKind() == CK_BitCast)
      ArgumentExpr = ICE->getSubExpr();
  }
  QualType ArgumentType = ArgumentExpr->getType();

  // Passing a `void*' pointer shouldn't trigger a warning.
  if (IsPointerAttr && ArgumentType->isVoidPointerType())
    return;

  if (TypeInfo.MustBeNull) {
    // Type tag with matching void type requires a null pointer.
    const bool IsNull = ArgumentExpr->isNullPointerConstant(
        Context, Expr::NPC_ValueDependentIsNotNull);
    if (!IsNull) {
      Diag(ArgumentExpr->getExprLoc(),
           diag::warn_type_safety_null_pointer_required)
          << ArgumentKind->getName()
          << ArgumentExpr->getSourceRange()
          << TypeTagExpr->getSourceRange();
    }
    return;
  }

  QualType RequiredType = TypeInfo.Type;
  if (IsPointerAttr)
    RequiredType = Context.getPointerType(RequiredType);

  // For a pointer attribute the char and layout comparisons below are made on
  // the pointee types.
  // NOTE(review): the argument's pointee type is taken without this function
  // checking that the argument actually has pointer type; presumably that is
  // guaranteed elsewhere - confirm.
  bool Mismatch;
  if (TypeInfo.LayoutCompatible) {
    Mismatch = IsPointerAttr
                   ? !isLayoutCompatible(Context,
                                         ArgumentType->getPointeeType(),
                                         RequiredType->getPointeeType())
                   : !isLayoutCompatible(Context, ArgumentType, RequiredType);
  } else {
    Mismatch = !Context.hasSameType(ArgumentType, RequiredType);

    // C++11 [basic.fundamental] p1:
    //   Plain char, signed char, and unsigned char are three distinct types.
    //
    // But we treat plain `char' as equivalent to `signed char' or `unsigned
    // char' depending on the current char signedness mode.
    if (Mismatch) {
      const bool SameChar =
          IsPointerAttr ? IsSameCharType(ArgumentType->getPointeeType(),
                                         RequiredType->getPointeeType())
                        : IsSameCharType(ArgumentType, RequiredType);
      if (SameChar)
        Mismatch = false;
    }
  }

  if (!Mismatch)
    return;

  Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch)
      << ArgumentType << ArgumentKind
      << TypeInfo.LayoutCompatible << RequiredType
      << ArgumentExpr->getSourceRange()
      << TypeTagExpr->getSourceRange();
}
14104
/// Queue a member access whose address may be insufficiently aligned.
///
/// The entry stays in MisalignedMembers until DiagnoseMisalignedMembers()
/// reports it or DiscardMisalignedMemberAddress() removes it.
void Sema::AddPotentialMisalignedMembers(Expr *E, RecordDecl *RD, ValueDecl *MD,
                                         CharUnits Alignment) {
  // Built in place from the four values.
  MisalignedMembers.emplace_back(E, RD, MD, Alignment);
}
14109
/// Emit warn_taking_address_of_packed_member for every queued entry, then
/// empty the queue.
void Sema::DiagnoseMisalignedMembers() {
  for (MisalignedMember &Entry : MisalignedMembers) {
    // Name the record by its typedef when the record itself has no name.
    const NamedDecl *Named = Entry.RD;
    if (Named->getName().empty())
      if (const TypedefNameDecl *Alias = Entry.RD->getTypedefNameForAnonDecl())
        Named = Alias;

    Diag(Entry.E->getBeginLoc(), diag::warn_taking_address_of_packed_member)
        << Entry.MD << Named << Entry.E->getSourceRange();
  }
  MisalignedMembers.clear();
}
14122
/// Drop a queued packed-member entry when the address `&member` in \p E is
/// used as a value of type \p T for which the warning is not wanted.
///
/// An entry is dropped when \p T is dependent or an integer type, or when it
/// is a pointer whose pointee is incomplete or needs no more alignment than
/// the one recorded for the entry. Note that this means converting the
/// address to an integer type silences the diagnostic.
void Sema::DiscardMisalignedMemberAddress(const Type *T, Expr *E) {
  E = E->IgnoreParens();
  if (!T->isPointerType() && !T->isIntegerType() && !T->isDependentType())
    return;

  // Only `&<member access>` is of interest.
  auto *AddrOf = dyn_cast<UnaryOperator>(E);
  if (!AddrOf || AddrOf->getOpcode() != UO_AddrOf)
    return;

  auto *Operand = AddrOf->getSubExpr()->IgnoreParens();
  if (!isa<MemberExpr>(Operand))
    return;

  auto *Queued = llvm::find(MisalignedMembers, MisalignedMember(Operand));
  if (Queued == MisalignedMembers.end())
    return;

  bool Discard = T->isDependentType() || T->isIntegerType();
  if (!Discard && T->isPointerType()) {
    QualType Pointee = T->getPointeeType();
    Discard = Pointee->isIncompleteType() ||
              Context.getTypeAlignInChars(Pointee) <= Queued->Alignment;
  }

  if (Discard)
    MisalignedMembers.erase(Queued);
}
14141
/// Invoke \p Action when the member access \p E designates a field whose
/// alignment has been reduced by a packed attribute somewhere in the access
/// chain.
///
/// The function returns without calling \p Action when \p E is not a member
/// access, has an __unaligned-qualified type, involves a dependent base, an
/// invalid declaration or a non-field member, when nothing in the chain is
/// packed, when the innermost base is neither a declaration reference nor
/// `this`, or when the expected alignment is one.
///
/// \param E The expression to inspect.
/// \param Action Called with \p E, the parent record of the first packed
/// field found in the chain, that field, and the smaller of the field type's
/// and the parent record's alignment.
void Sema::RefersToMemberWithReducedAlignment(
    Expr *E,
    llvm::function_ref<void(Expr *, RecordDecl *, FieldDecl *, CharUnits)>
        Action) {
  const auto *FirstME = dyn_cast<MemberExpr>(E);
  if (!FirstME)
    return;

  // No need to check expressions with an __unaligned-qualified type.
  if (E->getType().getQualifiers().hasUnaligned())
    return;

  // For a chain of MemberExpr like "a.b.c.d" this list
  // will keep FieldDecl's like [d, c, b].
  SmallVector<FieldDecl *, 4> ReverseMemberChain;
  const MemberExpr *TopME = nullptr;
  bool AnyIsPacked = false;
  for (const MemberExpr *Cur = FirstME; Cur;
       Cur = dyn_cast<MemberExpr>(Cur->getBase()->IgnoreParens())) {
    QualType BaseType = Cur->getBase()->getType();
    if (BaseType->isDependentType())
      return;
    if (Cur->isArrow())
      BaseType = BaseType->getPointeeType();
    RecordDecl *Record = BaseType->castAs<RecordType>()->getDecl();
    if (Record->isInvalidDecl())
      return;

    ValueDecl *Member = Cur->getMemberDecl();
    auto *Field = dyn_cast<FieldDecl>(Member);
    // We do not care about non-data members.
    if (!Field || Field->isInvalidDecl())
      return;

    if (Record->hasAttr<PackedAttr>() || Member->hasAttr<PackedAttr>())
      AnyIsPacked = true;
    ReverseMemberChain.push_back(Field);

    TopME = Cur;
  }
  assert(TopME && "We did not compute a topmost MemberExpr!");

  // Not the scope of this diagnostic.
  if (!AnyIsPacked)
    return;

  const Expr *TopBase = TopME->getBase()->IgnoreParenImpCasts();
  const auto *DRE = dyn_cast<DeclRefExpr>(TopBase);
  // TODO: The innermost base of the member expression may be too complicated.
  // For now, just disregard these cases. This is left for future
  // improvement.
  if (!DRE && !isa<CXXThisExpr>(TopBase))
    return;

  // Alignment expected by the whole expression.
  const CharUnits ExpectedAlignment = Context.getTypeAlignInChars(E->getType());

  // No need to do anything else with this case.
  if (ExpectedAlignment.isOne())
    return;

  // Synthesize offset of the whole access.
  CharUnits Offset;
  for (const FieldDecl *Field : llvm::reverse(ReverseMemberChain))
    Offset += Context.toCharUnitsFromBits(Context.getFieldOffset(Field));

  // Compute the CompleteObjectAlignment as the alignment of the whole chain.
  CharUnits CompleteObjectAlignment = Context.getTypeAlignInChars(
      ReverseMemberChain.back()->getParent()->getTypeForDecl());

  // The base expression of the innermost MemberExpr may give
  // stronger guarantees than the class containing the member.
  if (DRE && !TopME->isArrow()) {
    const ValueDecl *BaseDecl = DRE->getDecl();
    if (!BaseDecl->getType()->isReferenceType())
      CompleteObjectAlignment =
          std::max(CompleteObjectAlignment, Context.getDeclAlign(BaseDecl));
  }

  // Check if the synthesized offset fulfills the alignment. It may fulfill
  // the offset but the effective alignment may still be lower than the
  // expected expression alignment.
  const bool OffsetMisaligned = Offset % ExpectedAlignment != 0;
  const bool ObjectUnderAligned = CompleteObjectAlignment < ExpectedAlignment;
  if (!OffsetMisaligned && !ObjectUnderAligned)
    return;

  // If this happens, we want to determine a sensible culprit of this.
  // Intuitively, watching the chain of member expressions from right to
  // left, we start with the required alignment (as required by the field
  // type) but some packed attribute in that chain has reduced the alignment.
  // It may happen that another packed structure increases it again. But if
  // we are here such increase has not been enough. So pointing the first
  // FieldDecl that either is packed or else its RecordDecl is,
  // seems reasonable.
  FieldDecl *FD = nullptr;
  CharUnits Alignment;
  for (FieldDecl *Candidate : ReverseMemberChain) {
    if (!Candidate->hasAttr<PackedAttr>() &&
        !Candidate->getParent()->hasAttr<PackedAttr>())
      continue;
    FD = Candidate;
    Alignment = std::min(
        Context.getTypeAlignInChars(FD->getType()),
        Context.getTypeAlignInChars(FD->getParent()->getTypeForDecl()));
    break;
  }
  assert(FD && "We did not find a packed FieldDecl!");
  Action(E, FD->getParent(), FD, Alignment);
}
14250
/// Queue \p rhs as a potentially misaligned member if it refers to a field
/// whose alignment was reduced by a packed attribute.
void Sema::CheckAddressOfPackedMember(Expr *rhs) {
  // The callback only lives for the duration of the call below.
  RefersToMemberWithReducedAlignment(
      rhs, [this](Expr *E, RecordDecl *RD, FieldDecl *FD, CharUnits Alignment) {
        AddPotentialMisalignedMembers(E, RD, FD, Alignment);
      });
}
14258
/// Check and prepare a one-argument elementwise math builtin call.
///
/// The argument goes through the usual unary conversions and is written back
/// into the call; its type is checked with checkMathBuiltinElementType and
/// becomes the type of the call.
///
/// \returns true on error, false on success.
bool Sema::PrepareBuiltinElementwiseMathOneArgCall(CallExpr *TheCall) {
  if (checkArgCount(TheCall, 1))
    return true;

  ExprResult Converted = UsualUnaryConversions(TheCall->getArg(0));
  if (Converted.isInvalid())
    return true;

  Expr *Arg = Converted.get();
  TheCall->setArg(0, Arg);

  QualType ArgTy = Arg->getType();
  if (checkMathBuiltinElementType(*this, Arg->getBeginLoc(), ArgTy, 1))
    return true;

  TheCall->setType(ArgTy);
  return false;
}
14276
/// Check a two-argument elementwise math builtin call and give the call the
/// common type computed by BuiltinVectorMath.
///
/// \returns true on error, false on success.
bool Sema::BuiltinElementwiseMath(CallExpr *TheCall) {
  QualType CommonTy;
  const bool Failed = BuiltinVectorMath(TheCall, CommonTy);
  if (!Failed)
    TheCall->setType(CommonTy);
  return Failed;
}
14284
/// Check a two-argument vector math builtin call whose result is a scalar:
/// the call gets the element type when the common type is a vector, and the
/// common type itself otherwise.
///
/// \returns true on error, false on success.
bool Sema::BuiltinVectorToScalarMath(CallExpr *TheCall) {
  QualType CommonTy;
  if (BuiltinVectorMath(TheCall, CommonTy))
    return true;

  const auto *VecTy = CommonTy->getAs<VectorType>();
  TheCall->setType(VecTy ? VecTy->getElementType() : CommonTy);
  return false;
}
14297
/// Shared checking for two-argument vector math builtins.
///
/// Applies the usual arithmetic conversions to both arguments, requires the
/// converted arguments to have the same canonical type, checks that type with
/// checkMathBuiltinElementType, and writes the converted arguments back into
/// the call.
///
/// \param TheCall The builtin call.
/// \param Res Receives the common type of the two arguments.
/// \returns true on error, false on success.
bool Sema::BuiltinVectorMath(CallExpr *TheCall, QualType &Res) {
  if (checkArgCount(TheCall, 2))
    return true;

  ExprResult LHS = TheCall->getArg(0);
  ExprResult RHS = TheCall->getArg(1);
  // Do standard promotions between the two arguments, returning their common
  // type.
  Res = UsualArithmeticConversions(LHS, RHS, TheCall->getExprLoc(),
                                   ACK_Comparison);
  if (LHS.isInvalid() || RHS.isInvalid())
    return true;

  Expr *LHSExpr = LHS.get();
  Expr *RHSExpr = RHS.get();
  QualType LHSTy = LHSExpr->getType();
  QualType RHSTy = RHSExpr->getType();

  if (Res.isNull() || LHSTy.getCanonicalType() != RHSTy.getCanonicalType())
    return Diag(LHSExpr->getBeginLoc(),
                diag::err_typecheck_call_different_arg_types)
           << LHSTy << RHSTy;

  if (checkMathBuiltinElementType(*this, LHSExpr->getBeginLoc(), LHSTy, 1))
    return true;

  TheCall->setArg(0, LHSExpr);
  TheCall->setArg(1, RHSExpr);
  return false;
}
14325
/// Check a three-argument elementwise math builtin call.
///
/// Each argument goes through the usual unary conversions and an element-type
/// check; the second and third arguments must then have the same canonical
/// type as the first. The call takes the type of the first argument.
///
/// \param TheCall The builtin call.
/// \param CheckForFloatArgs Selects checkFPMathBuiltinElementType instead of
/// checkMathBuiltinElementType for the element-type check.
/// \returns true on error, false on success.
bool Sema::BuiltinElementwiseTernaryMath(CallExpr *TheCall,
                                         bool CheckForFloatArgs) {
  if (checkArgCount(TheCall, 3))
    return true;

  Expr *Args[3];
  for (int I = 0; I < 3; ++I) {
    ExprResult Converted = UsualUnaryConversions(TheCall->getArg(I));
    if (Converted.isInvalid())
      return true;
    Args[I] = Converted.get();
  }

  // Ordinals passed to the checkers are 1-based.
  int ArgOrdinal = 1;
  for (Expr *Arg : Args) {
    const bool Rejected =
        CheckForFloatArgs
            ? checkFPMathBuiltinElementType(*this, Arg->getBeginLoc(),
                                            Arg->getType(), ArgOrdinal++)
            : checkMathBuiltinElementType(*this, Arg->getBeginLoc(),
                                          Arg->getType(), ArgOrdinal++);
    if (Rejected)
      return true;
  }

  // NOTE(review): only arguments 1 and 2 are written back into the call; the
  // converted form of argument 0 is used for the checks and the result type
  // but is not stored with setArg - confirm that this is intended.
  QualType FirstTy = Args[0]->getType();
  for (int I = 1; I < 3; ++I) {
    if (FirstTy.getCanonicalType() != Args[I]->getType().getCanonicalType()) {
      return Diag(Args[0]->getBeginLoc(),
                  diag::err_typecheck_call_different_arg_types)
             << Args[0]->getType() << Args[I]->getType();
    }

    TheCall->setArg(I, Args[I]);
  }

  TheCall->setType(Args[0]->getType());
  return false;
}
14369
/// Prepare a one-argument reduction builtin call: check the argument count
/// and replace the argument with its form after the usual unary conversions.
/// The type of the call is left untouched here.
///
/// \returns true on error, false on success.
bool Sema::PrepareBuiltinReduceMathOneArgCall(CallExpr *TheCall) {
  if (checkArgCount(TheCall, 1))
    return true;

  ExprResult Converted = UsualUnaryConversions(TheCall->getArg(0));
  if (Converted.isInvalid())
    return true;

  TheCall->setArg(0, Converted.get());
  return false;
}
14381
/// Check a one-argument builtin call whose argument must have a builtin or
/// vector type; the call takes the type of that argument.
///
/// \returns true on error, false on success.
bool Sema::BuiltinNonDeterministicValue(CallExpr *TheCall) {
  if (checkArgCount(TheCall, 1))
    return true;

  Expr *Arg = TheCall->getArg(0);
  QualType TyArg = Arg->getType();

  const bool Accepted = TyArg->isBuiltinType() || TyArg->isVectorType();
  if (!Accepted)
    return Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
           << 1 << /*vector, integer or floating point ty*/ 0 << TyArg;

  TheCall->setType(TyArg);
  return false;
}
14396
/// Check a matrix transpose builtin call.
///
/// The single argument must have a constant matrix type after lvalue
/// conversion; the call's type becomes the matrix type with rows and columns
/// swapped.
///
/// \param TheCall The builtin call.
/// \param CallResult Returned unchanged on success.
/// \returns \p CallResult on success, an error result otherwise.
ExprResult Sema::BuiltinMatrixTranspose(CallExpr *TheCall,
                                        ExprResult CallResult) {
  if (checkArgCount(TheCall, 1))
    return ExprError();

  ExprResult Converted = DefaultLvalueConversion(TheCall->getArg(0));
  if (Converted.isInvalid())
    return Converted;
  Expr *Matrix = Converted.get();

  const auto *MatrixTy = Matrix->getType()->getAs<ConstantMatrixType>();
  if (!MatrixTy) {
    Diag(Matrix->getBeginLoc(), diag::err_builtin_invalid_arg_type)
        << 1 << /* matrix ty*/ 1 << Matrix->getType();
    return ExprError();
  }

  // Create returned matrix type by swapping rows and columns of the argument
  // matrix type, and make it the type of the call.
  QualType Transposed = Context.getConstantMatrixType(
      MatrixTy->getElementType(), MatrixTy->getNumColumns(),
      MatrixTy->getNumRows());
  TheCall->setType(Transposed);

  // Update call argument to use the possibly converted matrix argument.
  TheCall->setArg(0, Matrix);
  return CallResult;
}
14426
// Get and verify a matrix dimension.
//
// The expression must be an integer constant expression whose value
// ConstantMatrixType::isDimensionValid accepts. On failure a diagnostic naming
// the dimension (Name) is emitted and an empty optional is returned.
static std::optional<unsigned>
getAndVerifyMatrixDimension(Expr *Expr, StringRef Name, Sema &S) {
  SourceLocation ErrorPos;
  std::optional<llvm::APSInt> Constant =
      Expr->getIntegerConstantExpr(S.Context, &ErrorPos);
  if (!Constant) {
    S.Diag(Expr->getBeginLoc(), diag::err_builtin_matrix_scalar_unsigned_arg)
        << Name;
    return {};
  }

  // Validate the full 64-bit value before it is narrowed to unsigned.
  const uint64_t Dim = Constant->getZExtValue();
  if (ConstantMatrixType::isDimensionValid(Dim))
    return Dim;

  S.Diag(Expr->getBeginLoc(), diag::err_builtin_matrix_invalid_dimension)
      << Name << ConstantMatrixType::getMaxElementsPerDimension();
  return {};
}
14446
/// Check a column-major matrix load builtin call with the arguments
/// (pointer, rows, columns, stride).
///
/// The pointer must point to a valid matrix element type, rows and columns
/// must be valid constant dimensions, and all three integer arguments are
/// converted to size_t. The stride is compared with the row count only when
/// it is an integer constant expression, so a stride that is not a constant
/// is not checked here.
///
/// \param TheCall The builtin call.
/// \param CallResult Returned unchanged on success.
/// \returns \p CallResult (or the call itself while the pointer argument is
/// type-dependent) on success, an error result otherwise.
ExprResult Sema::BuiltinMatrixColumnMajorLoad(CallExpr *TheCall,
                                              ExprResult CallResult) {
  if (!getLangOpts().MatrixTypes) {
    Diag(TheCall->getBeginLoc(), diag::err_builtin_matrix_disabled);
    return ExprError();
  }

  if (checkArgCount(TheCall, 4))
    return ExprError();

  unsigned PtrArgIdx = 0;
  Expr *PtrExpr = TheCall->getArg(PtrArgIdx);
  Expr *RowsExpr = TheCall->getArg(1);
  Expr *ColumnsExpr = TheCall->getArg(2);
  Expr *StrideExpr = TheCall->getArg(3);

  // Errors are accumulated so that several arguments can be diagnosed in one
  // pass.
  bool ArgError = false;

  // Check pointer argument.
  ExprResult PtrConv = DefaultFunctionArrayLvalueConversion(PtrExpr);
  if (PtrConv.isInvalid())
    return PtrConv;
  PtrExpr = PtrConv.get();
  TheCall->setArg(0, PtrExpr);
  if (PtrExpr->isTypeDependent()) {
    TheCall->setType(Context.DependentTy);
    return TheCall;
  }

  QualType ElementTy;
  const auto *PtrTy = PtrExpr->getType()->getAs<PointerType>();
  if (PtrTy)
    ElementTy = PtrTy->getPointeeType().getUnqualifiedType();
  // A non-pointer and a pointer to an invalid element type get the same
  // diagnostic.
  if (!PtrTy || !ConstantMatrixType::isValidElementType(ElementTy)) {
    Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
        << PtrArgIdx + 1 << /*pointer to element ty*/ 2 << PtrExpr->getType();
    ArgError = true;
  }

  // Apply default Lvalue conversions and convert the expression to size_t.
  auto ApplyArgumentConversions = [this](Expr *E) -> ExprResult {
    ExprResult Conv = DefaultLvalueConversion(E);
    if (Conv.isInvalid())
      return Conv;

    return tryConvertExprToType(Conv.get(), Context.getSizeType());
  };

  // Apply conversion to row and column expressions. A failed conversion is
  // remembered as a null expression.
  ExprResult RowsConv = ApplyArgumentConversions(RowsExpr);
  if (RowsConv.isInvalid()) {
    RowsExpr = nullptr;
  } else {
    RowsExpr = RowsConv.get();
    TheCall->setArg(1, RowsExpr);
  }

  ExprResult ColumnsConv = ApplyArgumentConversions(ColumnsExpr);
  if (ColumnsConv.isInvalid()) {
    ColumnsExpr = nullptr;
  } else {
    ColumnsExpr = ColumnsConv.get();
    TheCall->setArg(2, ColumnsExpr);
  }

  // If any part of the result matrix type is still pending, just use
  // Context.DependentTy, until all parts are resolved.
  const bool RowsDependent = RowsExpr && RowsExpr->isTypeDependent();
  const bool ColumnsDependent = ColumnsExpr && ColumnsExpr->isTypeDependent();
  if (RowsDependent || ColumnsDependent) {
    TheCall->setType(Context.DependentTy);
    return CallResult;
  }

  // Check row and column dimensions.
  std::optional<unsigned> MaybeRows;
  if (RowsExpr)
    MaybeRows = getAndVerifyMatrixDimension(RowsExpr, "row", *this);

  std::optional<unsigned> MaybeColumns;
  if (ColumnsExpr)
    MaybeColumns = getAndVerifyMatrixDimension(ColumnsExpr, "column", *this);

  // Check stride argument.
  ExprResult StrideConv = ApplyArgumentConversions(StrideExpr);
  if (StrideConv.isInvalid())
    return ExprError();
  StrideExpr = StrideConv.get();
  TheCall->setArg(3, StrideExpr);

  // A constant stride smaller than the number of rows is rejected.
  if (MaybeRows) {
    if (std::optional<llvm::APSInt> StrideValue =
            StrideExpr->getIntegerConstantExpr(Context)) {
      const uint64_t Stride = StrideValue->getZExtValue();
      if (Stride < *MaybeRows) {
        Diag(StrideExpr->getBeginLoc(),
             diag::err_builtin_matrix_stride_too_small);
        ArgError = true;
      }
    }
  }

  if (ArgError || !MaybeRows || !MaybeColumns)
    return ExprError();

  TheCall->setType(
      Context.getConstantMatrixType(ElementTy, *MaybeRows, *MaybeColumns));
  return CallResult;
}
14562
/// Check a column-major matrix store builtin call with the arguments
/// (matrix, pointer, stride).
///
/// The first argument must have a constant matrix type; the pointer must not
/// point to a const-qualified type and its pointee must match the matrix
/// element type; the stride is converted to size_t. The stride is compared
/// with the matrix's row count only when it is an integer constant
/// expression, so a stride that is not a constant is not checked here.
///
/// \param TheCall The builtin call.
/// \param CallResult Returned unchanged on success.
/// \returns \p CallResult (or the call itself while an argument is
/// type-dependent) on success, an error result otherwise.
ExprResult Sema::BuiltinMatrixColumnMajorStore(CallExpr *TheCall,
                                               ExprResult CallResult) {
  if (checkArgCount(TheCall, 3))
    return ExprError();

  unsigned PtrArgIdx = 1;
  Expr *MatrixExpr = TheCall->getArg(0);
  Expr *PtrExpr = TheCall->getArg(PtrArgIdx);
  Expr *StrideExpr = TheCall->getArg(2);

  // Errors are accumulated so that several arguments can be diagnosed in one
  // pass.
  bool ArgError = false;

  // Check matrix argument.
  ExprResult MatrixConv = DefaultLvalueConversion(MatrixExpr);
  if (MatrixConv.isInvalid())
    return MatrixConv;
  MatrixExpr = MatrixConv.get();
  TheCall->setArg(0, MatrixExpr);
  if (MatrixExpr->isTypeDependent()) {
    TheCall->setType(Context.DependentTy);
    return TheCall;
  }

  const auto *MatrixTy = MatrixExpr->getType()->getAs<ConstantMatrixType>();
  if (!MatrixTy) {
    Diag(MatrixExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
        << 1 << /*matrix ty */ 1 << MatrixExpr->getType();
    ArgError = true;
  }

  ExprResult PtrConv = DefaultFunctionArrayLvalueConversion(PtrExpr);
  if (PtrConv.isInvalid())
    return PtrConv;
  PtrExpr = PtrConv.get();
  TheCall->setArg(1, PtrExpr);
  if (PtrExpr->isTypeDependent()) {
    TheCall->setType(Context.DependentTy);
    return TheCall;
  }

  // Check pointer argument.
  const auto *PtrTy = PtrExpr->getType()->getAs<PointerType>();
  if (!PtrTy) {
    Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
        << PtrArgIdx + 1 << /*pointer to element ty*/ 2 << PtrExpr->getType();
    ArgError = true;
  } else {
    QualType Pointee = PtrTy->getPointeeType();
    // The destination must be writable.
    if (Pointee.isConstQualified()) {
      Diag(PtrExpr->getBeginLoc(), diag::err_builtin_matrix_store_to_const);
      ArgError = true;
    }

    QualType ElementTy = Pointee.getUnqualifiedType().getCanonicalType();
    if (MatrixTy &&
        !Context.hasSameType(ElementTy, MatrixTy->getElementType())) {
      Diag(PtrExpr->getBeginLoc(),
           diag::err_builtin_matrix_pointer_arg_mismatch)
          << ElementTy << MatrixTy->getElementType();
      ArgError = true;
    }
  }

  // Apply default Lvalue conversions and convert the stride expression to
  // size_t.
  ExprResult StrideConv = DefaultLvalueConversion(StrideExpr);
  if (StrideConv.isInvalid())
    return StrideConv;
  StrideConv = tryConvertExprToType(StrideConv.get(), Context.getSizeType());
  if (StrideConv.isInvalid())
    return StrideConv;
  StrideExpr = StrideConv.get();
  TheCall->setArg(2, StrideExpr);

  // Check stride argument: a constant stride smaller than the number of rows
  // is rejected.
  if (MatrixTy) {
    if (std::optional<llvm::APSInt> StrideValue =
            StrideExpr->getIntegerConstantExpr(Context)) {
      const uint64_t Stride = StrideValue->getZExtValue();
      if (Stride < MatrixTy->getNumRows()) {
        Diag(StrideExpr->getBeginLoc(),
             diag::err_builtin_matrix_stride_too_small);
        ArgError = true;
      }
    }
  }

  return ArgError ? ExprError() : CallResult;
}
14660
/// Warn when a function that belongs to a TCB calls a function outside it.
///
/// The caller is the current function or method. It is only checked when it
/// carries at least one EnforceTCBAttr; each TCB named by those attributes
/// must also be named by an EnforceTCBAttr or EnforceTCBLeafAttr on the
/// callee, otherwise warn_tcb_enforcement_violation is emitted for that TCB.
/// A caller that is only a TCB leaf is therefore not checked. Nothing is
/// diagnosed in an unevaluated context.
///
/// \param CallExprLoc Location of the call, used for the warning.
/// \param Callee The called declaration; dereferenced without a null check.
void Sema::CheckTCBEnforcement(const SourceLocation CallExprLoc,
                               const NamedDecl *Callee) {
  // This warning does not make sense in code that has no runtime behavior.
  if (isUnevaluatedContext())
    return;

  const NamedDecl *Caller = getCurFunctionOrMethodDecl();
  if (!Caller || !Caller->hasAttr<EnforceTCBAttr>())
    return;

  // Search through the enforce_tcb and enforce_tcb_leaf attributes to find
  // all TCBs the callee is a part of.
  llvm::StringSet<> CalleeTCBs;
  for (const auto *Member : Callee->specific_attrs<EnforceTCBAttr>())
    CalleeTCBs.insert(Member->getTCBName());
  for (const auto *Leaf : Callee->specific_attrs<EnforceTCBLeafAttr>())
    CalleeTCBs.insert(Leaf->getTCBName());

  // Go through the TCBs the caller is a part of and emit warnings if Caller
  // is in a TCB that the Callee is not.
  for (const auto *CallerAttr : Caller->specific_attrs<EnforceTCBAttr>()) {
    StringRef CallerTCB = CallerAttr->getTCBName();
    if (CalleeTCBs.count(CallerTCB) != 0)
      continue;
    Diag(CallExprLoc, diag::warn_tcb_enforcement_violation)
        << Callee << CallerTCB;
  }
}
14690