xref: /freebsd/contrib/llvm-project/clang/lib/Sema/AnalysisBasedWarnings.cpp (revision 78cd75393ec79565c63927bf200f06f839a1dc05)
1 //=- AnalysisBasedWarnings.cpp - Sema warnings based on libAnalysis -*- C++ -*-=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines analysis_warnings::[Policy,Executor].
10 // Together they are used by Sema to issue warnings based on inexpensive
11 // static analysis algorithms in libAnalysis.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "clang/Sema/AnalysisBasedWarnings.h"
16 #include "clang/AST/Decl.h"
17 #include "clang/AST/DeclCXX.h"
18 #include "clang/AST/DeclObjC.h"
19 #include "clang/AST/EvaluatedExprVisitor.h"
20 #include "clang/AST/Expr.h"
21 #include "clang/AST/ExprCXX.h"
22 #include "clang/AST/ExprObjC.h"
23 #include "clang/AST/OperationKinds.h"
24 #include "clang/AST/ParentMap.h"
25 #include "clang/AST/RecursiveASTVisitor.h"
26 #include "clang/AST/StmtCXX.h"
27 #include "clang/AST/StmtObjC.h"
28 #include "clang/AST/StmtVisitor.h"
29 #include "clang/AST/RecursiveASTVisitor.h"
30 #include "clang/AST/Type.h"
31 #include "clang/Analysis/Analyses/CFGReachabilityAnalysis.h"
32 #include "clang/Analysis/Analyses/CalledOnceCheck.h"
33 #include "clang/Analysis/Analyses/Consumed.h"
34 #include "clang/Analysis/Analyses/ReachableCode.h"
35 #include "clang/Analysis/Analyses/ThreadSafety.h"
36 #include "clang/Analysis/Analyses/UninitializedValues.h"
37 #include "clang/Analysis/Analyses/UnsafeBufferUsage.h"
38 #include "clang/Analysis/AnalysisDeclContext.h"
39 #include "clang/Analysis/CFG.h"
40 #include "clang/Analysis/CFGStmtMap.h"
41 #include "clang/Basic/Diagnostic.h"
42 #include "clang/Basic/SourceLocation.h"
43 #include "clang/Basic/SourceManager.h"
44 #include "clang/Lex/Preprocessor.h"
45 #include "clang/Sema/ScopeInfo.h"
46 #include "clang/Sema/SemaInternal.h"
47 #include "llvm/ADT/ArrayRef.h"
48 #include "llvm/ADT/BitVector.h"
49 #include "llvm/ADT/MapVector.h"
50 #include "llvm/ADT/STLFunctionalExtras.h"
51 #include "llvm/ADT/SmallString.h"
52 #include "llvm/ADT/SmallVector.h"
53 #include "llvm/ADT/StringRef.h"
54 #include "llvm/Support/Casting.h"
55 #include <algorithm>
56 #include <deque>
57 #include <iterator>
58 #include <optional>
59 
60 using namespace clang;
61 
62 //===----------------------------------------------------------------------===//
63 // Unreachable code analysis.
64 //===----------------------------------------------------------------------===//
65 
66 namespace {
67   class UnreachableCodeHandler : public reachable_code::Callback {
68     Sema &S;
69     SourceRange PreviousSilenceableCondVal;
70 
71   public:
72     UnreachableCodeHandler(Sema &s) : S(s) {}
73 
74     void HandleUnreachable(reachable_code::UnreachableKind UK, SourceLocation L,
75                            SourceRange SilenceableCondVal, SourceRange R1,
76                            SourceRange R2, bool HasFallThroughAttr) override {
77       // If the diagnosed code is `[[fallthrough]];` and
78       // `-Wunreachable-code-fallthrough` is  enabled, suppress `code will never
79       // be executed` warning to avoid generating diagnostic twice
80       if (HasFallThroughAttr &&
81           !S.getDiagnostics().isIgnored(diag::warn_unreachable_fallthrough_attr,
82                                         SourceLocation()))
83         return;
84 
85       // Avoid reporting multiple unreachable code diagnostics that are
86       // triggered by the same conditional value.
87       if (PreviousSilenceableCondVal.isValid() &&
88           SilenceableCondVal.isValid() &&
89           PreviousSilenceableCondVal == SilenceableCondVal)
90         return;
91       PreviousSilenceableCondVal = SilenceableCondVal;
92 
93       unsigned diag = diag::warn_unreachable;
94       switch (UK) {
95         case reachable_code::UK_Break:
96           diag = diag::warn_unreachable_break;
97           break;
98         case reachable_code::UK_Return:
99           diag = diag::warn_unreachable_return;
100           break;
101         case reachable_code::UK_Loop_Increment:
102           diag = diag::warn_unreachable_loop_increment;
103           break;
104         case reachable_code::UK_Other:
105           break;
106       }
107 
108       S.Diag(L, diag) << R1 << R2;
109 
110       SourceLocation Open = SilenceableCondVal.getBegin();
111       if (Open.isValid()) {
112         SourceLocation Close = SilenceableCondVal.getEnd();
113         Close = S.getLocForEndOfToken(Close);
114         if (Close.isValid()) {
115           S.Diag(Open, diag::note_unreachable_silence)
116             << FixItHint::CreateInsertion(Open, "/* DISABLES CODE */ (")
117             << FixItHint::CreateInsertion(Close, ")");
118         }
119       }
120     }
121   };
122 } // anonymous namespace
123 
124 /// CheckUnreachable - Check for unreachable code.
125 static void CheckUnreachable(Sema &S, AnalysisDeclContext &AC) {
126   // As a heuristic prune all diagnostics not in the main file.  Currently
127   // the majority of warnings in headers are false positives.  These
128   // are largely caused by configuration state, e.g. preprocessor
129   // defined code, etc.
130   //
131   // Note that this is also a performance optimization.  Analyzing
132   // headers many times can be expensive.
133   if (!S.getSourceManager().isInMainFile(AC.getDecl()->getBeginLoc()))
134     return;
135 
136   UnreachableCodeHandler UC(S);
137   reachable_code::FindUnreachableCode(AC, S.getPreprocessor(), UC);
138 }
139 
140 namespace {
141 /// Warn on logical operator errors in CFGBuilder
142 class LogicalErrorHandler : public CFGCallback {
143   Sema &S;
144 
145 public:
146   LogicalErrorHandler(Sema &S) : S(S) {}
147 
148   static bool HasMacroID(const Expr *E) {
149     if (E->getExprLoc().isMacroID())
150       return true;
151 
152     // Recurse to children.
153     for (const Stmt *SubStmt : E->children())
154       if (const Expr *SubExpr = dyn_cast_or_null<Expr>(SubStmt))
155         if (HasMacroID(SubExpr))
156           return true;
157 
158     return false;
159   }
160 
161   void compareAlwaysTrue(const BinaryOperator *B, bool isAlwaysTrue) override {
162     if (HasMacroID(B))
163       return;
164 
165     SourceRange DiagRange = B->getSourceRange();
166     S.Diag(B->getExprLoc(), diag::warn_tautological_overlap_comparison)
167         << DiagRange << isAlwaysTrue;
168   }
169 
170   void compareBitwiseEquality(const BinaryOperator *B,
171                               bool isAlwaysTrue) override {
172     if (HasMacroID(B))
173       return;
174 
175     SourceRange DiagRange = B->getSourceRange();
176     S.Diag(B->getExprLoc(), diag::warn_comparison_bitwise_always)
177         << DiagRange << isAlwaysTrue;
178   }
179 
180   void compareBitwiseOr(const BinaryOperator *B) override {
181     if (HasMacroID(B))
182       return;
183 
184     SourceRange DiagRange = B->getSourceRange();
185     S.Diag(B->getExprLoc(), diag::warn_comparison_bitwise_or) << DiagRange;
186   }
187 
188   static bool hasActiveDiagnostics(DiagnosticsEngine &Diags,
189                                    SourceLocation Loc) {
190     return !Diags.isIgnored(diag::warn_tautological_overlap_comparison, Loc) ||
191            !Diags.isIgnored(diag::warn_comparison_bitwise_or, Loc);
192   }
193 };
194 } // anonymous namespace
195 
196 //===----------------------------------------------------------------------===//
197 // Check for infinite self-recursion in functions
198 //===----------------------------------------------------------------------===//
199 
200 // Returns true if the function is called anywhere within the CFGBlock.
201 // For member functions, the additional condition of being call from the
202 // this pointer is required.
203 static bool hasRecursiveCallInPath(const FunctionDecl *FD, CFGBlock &Block) {
204   // Process all the Stmt's in this block to find any calls to FD.
205   for (const auto &B : Block) {
206     if (B.getKind() != CFGElement::Statement)
207       continue;
208 
209     const CallExpr *CE = dyn_cast<CallExpr>(B.getAs<CFGStmt>()->getStmt());
210     if (!CE || !CE->getCalleeDecl() ||
211         CE->getCalleeDecl()->getCanonicalDecl() != FD)
212       continue;
213 
214     // Skip function calls which are qualified with a templated class.
215     if (const DeclRefExpr *DRE =
216             dyn_cast<DeclRefExpr>(CE->getCallee()->IgnoreParenImpCasts())) {
217       if (NestedNameSpecifier *NNS = DRE->getQualifier()) {
218         if (NNS->getKind() == NestedNameSpecifier::TypeSpec &&
219             isa<TemplateSpecializationType>(NNS->getAsType())) {
220           continue;
221         }
222       }
223     }
224 
225     const CXXMemberCallExpr *MCE = dyn_cast<CXXMemberCallExpr>(CE);
226     if (!MCE || isa<CXXThisExpr>(MCE->getImplicitObjectArgument()) ||
227         !MCE->getMethodDecl()->isVirtual())
228       return true;
229   }
230   return false;
231 }
232 
233 // Returns true if every path from the entry block passes through a call to FD.
234 static bool checkForRecursiveFunctionCall(const FunctionDecl *FD, CFG *cfg) {
235   llvm::SmallPtrSet<CFGBlock *, 16> Visited;
236   llvm::SmallVector<CFGBlock *, 16> WorkList;
237   // Keep track of whether we found at least one recursive path.
238   bool foundRecursion = false;
239 
240   const unsigned ExitID = cfg->getExit().getBlockID();
241 
242   // Seed the work list with the entry block.
243   WorkList.push_back(&cfg->getEntry());
244 
245   while (!WorkList.empty()) {
246     CFGBlock *Block = WorkList.pop_back_val();
247 
248     for (auto I = Block->succ_begin(), E = Block->succ_end(); I != E; ++I) {
249       if (CFGBlock *SuccBlock = *I) {
250         if (!Visited.insert(SuccBlock).second)
251           continue;
252 
253         // Found a path to the exit node without a recursive call.
254         if (ExitID == SuccBlock->getBlockID())
255           return false;
256 
257         // If the successor block contains a recursive call, end analysis there.
258         if (hasRecursiveCallInPath(FD, *SuccBlock)) {
259           foundRecursion = true;
260           continue;
261         }
262 
263         WorkList.push_back(SuccBlock);
264       }
265     }
266   }
267   return foundRecursion;
268 }
269 
270 static void checkRecursiveFunction(Sema &S, const FunctionDecl *FD,
271                                    const Stmt *Body, AnalysisDeclContext &AC) {
272   FD = FD->getCanonicalDecl();
273 
274   // Only run on non-templated functions and non-templated members of
275   // templated classes.
276   if (FD->getTemplatedKind() != FunctionDecl::TK_NonTemplate &&
277       FD->getTemplatedKind() != FunctionDecl::TK_MemberSpecialization)
278     return;
279 
280   CFG *cfg = AC.getCFG();
281   if (!cfg) return;
282 
283   // If the exit block is unreachable, skip processing the function.
284   if (cfg->getExit().pred_empty())
285     return;
286 
287   // Emit diagnostic if a recursive function call is detected for all paths.
288   if (checkForRecursiveFunctionCall(FD, cfg))
289     S.Diag(Body->getBeginLoc(), diag::warn_infinite_recursive_function);
290 }
291 
292 //===----------------------------------------------------------------------===//
293 // Check for throw in a non-throwing function.
294 //===----------------------------------------------------------------------===//
295 
296 /// Determine whether an exception thrown by E, unwinding from ThrowBlock,
297 /// can reach ExitBlock.
298 static bool throwEscapes(Sema &S, const CXXThrowExpr *E, CFGBlock &ThrowBlock,
299                          CFG *Body) {
300   SmallVector<CFGBlock *, 16> Stack;
301   llvm::BitVector Queued(Body->getNumBlockIDs());
302 
303   Stack.push_back(&ThrowBlock);
304   Queued[ThrowBlock.getBlockID()] = true;
305 
306   while (!Stack.empty()) {
307     CFGBlock &UnwindBlock = *Stack.back();
308     Stack.pop_back();
309 
310     for (auto &Succ : UnwindBlock.succs()) {
311       if (!Succ.isReachable() || Queued[Succ->getBlockID()])
312         continue;
313 
314       if (Succ->getBlockID() == Body->getExit().getBlockID())
315         return true;
316 
317       if (auto *Catch =
318               dyn_cast_or_null<CXXCatchStmt>(Succ->getLabel())) {
319         QualType Caught = Catch->getCaughtType();
320         if (Caught.isNull() || // catch (...) catches everything
321             !E->getSubExpr() || // throw; is considered cuaght by any handler
322             S.handlerCanCatch(Caught, E->getSubExpr()->getType()))
323           // Exception doesn't escape via this path.
324           break;
325       } else {
326         Stack.push_back(Succ);
327         Queued[Succ->getBlockID()] = true;
328       }
329     }
330   }
331 
332   return false;
333 }
334 
335 static void visitReachableThrows(
336     CFG *BodyCFG,
337     llvm::function_ref<void(const CXXThrowExpr *, CFGBlock &)> Visit) {
338   llvm::BitVector Reachable(BodyCFG->getNumBlockIDs());
339   clang::reachable_code::ScanReachableFromBlock(&BodyCFG->getEntry(), Reachable);
340   for (CFGBlock *B : *BodyCFG) {
341     if (!Reachable[B->getBlockID()])
342       continue;
343     for (CFGElement &E : *B) {
344       std::optional<CFGStmt> S = E.getAs<CFGStmt>();
345       if (!S)
346         continue;
347       if (auto *Throw = dyn_cast<CXXThrowExpr>(S->getStmt()))
348         Visit(Throw, *B);
349     }
350   }
351 }
352 
353 static void EmitDiagForCXXThrowInNonThrowingFunc(Sema &S, SourceLocation OpLoc,
354                                                  const FunctionDecl *FD) {
355   if (!S.getSourceManager().isInSystemHeader(OpLoc) &&
356       FD->getTypeSourceInfo()) {
357     S.Diag(OpLoc, diag::warn_throw_in_noexcept_func) << FD;
358     if (S.getLangOpts().CPlusPlus11 &&
359         (isa<CXXDestructorDecl>(FD) ||
360          FD->getDeclName().getCXXOverloadedOperator() == OO_Delete ||
361          FD->getDeclName().getCXXOverloadedOperator() == OO_Array_Delete)) {
362       if (const auto *Ty = FD->getTypeSourceInfo()->getType()->
363                                          getAs<FunctionProtoType>())
364         S.Diag(FD->getLocation(), diag::note_throw_in_dtor)
365             << !isa<CXXDestructorDecl>(FD) << !Ty->hasExceptionSpec()
366             << FD->getExceptionSpecSourceRange();
367     } else
368       S.Diag(FD->getLocation(), diag::note_throw_in_function)
369           << FD->getExceptionSpecSourceRange();
370   }
371 }
372 
373 static void checkThrowInNonThrowingFunc(Sema &S, const FunctionDecl *FD,
374                                         AnalysisDeclContext &AC) {
375   CFG *BodyCFG = AC.getCFG();
376   if (!BodyCFG)
377     return;
378   if (BodyCFG->getExit().pred_empty())
379     return;
380   visitReachableThrows(BodyCFG, [&](const CXXThrowExpr *Throw, CFGBlock &Block) {
381     if (throwEscapes(S, Throw, Block, BodyCFG))
382       EmitDiagForCXXThrowInNonThrowingFunc(S, Throw->getThrowLoc(), FD);
383   });
384 }
385 
386 static bool isNoexcept(const FunctionDecl *FD) {
387   const auto *FPT = FD->getType()->castAs<FunctionProtoType>();
388   if (FPT->isNothrow() || FD->hasAttr<NoThrowAttr>())
389     return true;
390   return false;
391 }
392 
393 //===----------------------------------------------------------------------===//
394 // Check for missing return value.
395 //===----------------------------------------------------------------------===//
396 
397 enum ControlFlowKind {
398   UnknownFallThrough,
399   NeverFallThrough,
400   MaybeFallThrough,
401   AlwaysFallThrough,
402   NeverFallThroughOrReturn
403 };
404 
405 /// CheckFallThrough - Check that we don't fall off the end of a
406 /// Statement that should return a value.
407 ///
408 /// \returns AlwaysFallThrough iff we always fall off the end of the statement,
409 /// MaybeFallThrough iff we might or might not fall off the end,
410 /// NeverFallThroughOrReturn iff we never fall off the end of the statement or
411 /// return.  We assume NeverFallThrough iff we never fall off the end of the
412 /// statement but we may return.  We assume that functions not marked noreturn
413 /// will return.
414 static ControlFlowKind CheckFallThrough(AnalysisDeclContext &AC) {
415   CFG *cfg = AC.getCFG();
416   if (!cfg) return UnknownFallThrough;
417 
418   // The CFG leaves in dead things, and we don't want the dead code paths to
419   // confuse us, so we mark all live things first.
420   llvm::BitVector live(cfg->getNumBlockIDs());
421   unsigned count = reachable_code::ScanReachableFromBlock(&cfg->getEntry(),
422                                                           live);
423 
424   bool AddEHEdges = AC.getAddEHEdges();
425   if (!AddEHEdges && count != cfg->getNumBlockIDs())
426     // When there are things remaining dead, and we didn't add EH edges
427     // from CallExprs to the catch clauses, we have to go back and
428     // mark them as live.
429     for (const auto *B : *cfg) {
430       if (!live[B->getBlockID()]) {
431         if (B->pred_begin() == B->pred_end()) {
432           const Stmt *Term = B->getTerminatorStmt();
433           if (Term && isa<CXXTryStmt>(Term))
434             // When not adding EH edges from calls, catch clauses
435             // can otherwise seem dead.  Avoid noting them as dead.
436             count += reachable_code::ScanReachableFromBlock(B, live);
437           continue;
438         }
439       }
440     }
441 
442   // Now we know what is live, we check the live precessors of the exit block
443   // and look for fall through paths, being careful to ignore normal returns,
444   // and exceptional paths.
445   bool HasLiveReturn = false;
446   bool HasFakeEdge = false;
447   bool HasPlainEdge = false;
448   bool HasAbnormalEdge = false;
449 
450   // Ignore default cases that aren't likely to be reachable because all
451   // enums in a switch(X) have explicit case statements.
452   CFGBlock::FilterOptions FO;
453   FO.IgnoreDefaultsWithCoveredEnums = 1;
454 
455   for (CFGBlock::filtered_pred_iterator I =
456            cfg->getExit().filtered_pred_start_end(FO);
457        I.hasMore(); ++I) {
458     const CFGBlock &B = **I;
459     if (!live[B.getBlockID()])
460       continue;
461 
462     // Skip blocks which contain an element marked as no-return. They don't
463     // represent actually viable edges into the exit block, so mark them as
464     // abnormal.
465     if (B.hasNoReturnElement()) {
466       HasAbnormalEdge = true;
467       continue;
468     }
469 
470     // Destructors can appear after the 'return' in the CFG.  This is
471     // normal.  We need to look pass the destructors for the return
472     // statement (if it exists).
473     CFGBlock::const_reverse_iterator ri = B.rbegin(), re = B.rend();
474 
475     for ( ; ri != re ; ++ri)
476       if (ri->getAs<CFGStmt>())
477         break;
478 
479     // No more CFGElements in the block?
480     if (ri == re) {
481       const Stmt *Term = B.getTerminatorStmt();
482       if (Term && (isa<CXXTryStmt>(Term) || isa<ObjCAtTryStmt>(Term))) {
483         HasAbnormalEdge = true;
484         continue;
485       }
486       // A labeled empty statement, or the entry block...
487       HasPlainEdge = true;
488       continue;
489     }
490 
491     CFGStmt CS = ri->castAs<CFGStmt>();
492     const Stmt *S = CS.getStmt();
493     if (isa<ReturnStmt>(S) || isa<CoreturnStmt>(S)) {
494       HasLiveReturn = true;
495       continue;
496     }
497     if (isa<ObjCAtThrowStmt>(S)) {
498       HasFakeEdge = true;
499       continue;
500     }
501     if (isa<CXXThrowExpr>(S)) {
502       HasFakeEdge = true;
503       continue;
504     }
505     if (isa<MSAsmStmt>(S)) {
506       // TODO: Verify this is correct.
507       HasFakeEdge = true;
508       HasLiveReturn = true;
509       continue;
510     }
511     if (isa<CXXTryStmt>(S)) {
512       HasAbnormalEdge = true;
513       continue;
514     }
515     if (!llvm::is_contained(B.succs(), &cfg->getExit())) {
516       HasAbnormalEdge = true;
517       continue;
518     }
519 
520     HasPlainEdge = true;
521   }
522   if (!HasPlainEdge) {
523     if (HasLiveReturn)
524       return NeverFallThrough;
525     return NeverFallThroughOrReturn;
526   }
527   if (HasAbnormalEdge || HasFakeEdge || HasLiveReturn)
528     return MaybeFallThrough;
529   // This says AlwaysFallThrough for calls to functions that are not marked
530   // noreturn, that don't return.  If people would like this warning to be more
531   // accurate, such functions should be marked as noreturn.
532   return AlwaysFallThrough;
533 }
534 
535 namespace {
536 
537 struct CheckFallThroughDiagnostics {
538   unsigned diag_MaybeFallThrough_HasNoReturn;
539   unsigned diag_MaybeFallThrough_ReturnsNonVoid;
540   unsigned diag_AlwaysFallThrough_HasNoReturn;
541   unsigned diag_AlwaysFallThrough_ReturnsNonVoid;
542   unsigned diag_NeverFallThroughOrReturn;
543   enum { Function, Block, Lambda, Coroutine } funMode;
544   SourceLocation FuncLoc;
545 
546   static CheckFallThroughDiagnostics MakeForFunction(const Decl *Func) {
547     CheckFallThroughDiagnostics D;
548     D.FuncLoc = Func->getLocation();
549     D.diag_MaybeFallThrough_HasNoReturn =
550       diag::warn_falloff_noreturn_function;
551     D.diag_MaybeFallThrough_ReturnsNonVoid =
552       diag::warn_maybe_falloff_nonvoid_function;
553     D.diag_AlwaysFallThrough_HasNoReturn =
554       diag::warn_falloff_noreturn_function;
555     D.diag_AlwaysFallThrough_ReturnsNonVoid =
556       diag::warn_falloff_nonvoid_function;
557 
558     // Don't suggest that virtual functions be marked "noreturn", since they
559     // might be overridden by non-noreturn functions.
560     bool isVirtualMethod = false;
561     if (const CXXMethodDecl *Method = dyn_cast<CXXMethodDecl>(Func))
562       isVirtualMethod = Method->isVirtual();
563 
564     // Don't suggest that template instantiations be marked "noreturn"
565     bool isTemplateInstantiation = false;
566     if (const FunctionDecl *Function = dyn_cast<FunctionDecl>(Func))
567       isTemplateInstantiation = Function->isTemplateInstantiation();
568 
569     if (!isVirtualMethod && !isTemplateInstantiation)
570       D.diag_NeverFallThroughOrReturn =
571         diag::warn_suggest_noreturn_function;
572     else
573       D.diag_NeverFallThroughOrReturn = 0;
574 
575     D.funMode = Function;
576     return D;
577   }
578 
579   static CheckFallThroughDiagnostics MakeForCoroutine(const Decl *Func) {
580     CheckFallThroughDiagnostics D;
581     D.FuncLoc = Func->getLocation();
582     D.diag_MaybeFallThrough_HasNoReturn = 0;
583     D.diag_MaybeFallThrough_ReturnsNonVoid =
584         diag::warn_maybe_falloff_nonvoid_coroutine;
585     D.diag_AlwaysFallThrough_HasNoReturn = 0;
586     D.diag_AlwaysFallThrough_ReturnsNonVoid =
587         diag::warn_falloff_nonvoid_coroutine;
588     D.diag_NeverFallThroughOrReturn = 0;
589     D.funMode = Coroutine;
590     return D;
591   }
592 
593   static CheckFallThroughDiagnostics MakeForBlock() {
594     CheckFallThroughDiagnostics D;
595     D.diag_MaybeFallThrough_HasNoReturn =
596       diag::err_noreturn_block_has_return_expr;
597     D.diag_MaybeFallThrough_ReturnsNonVoid =
598       diag::err_maybe_falloff_nonvoid_block;
599     D.diag_AlwaysFallThrough_HasNoReturn =
600       diag::err_noreturn_block_has_return_expr;
601     D.diag_AlwaysFallThrough_ReturnsNonVoid =
602       diag::err_falloff_nonvoid_block;
603     D.diag_NeverFallThroughOrReturn = 0;
604     D.funMode = Block;
605     return D;
606   }
607 
608   static CheckFallThroughDiagnostics MakeForLambda() {
609     CheckFallThroughDiagnostics D;
610     D.diag_MaybeFallThrough_HasNoReturn =
611       diag::err_noreturn_lambda_has_return_expr;
612     D.diag_MaybeFallThrough_ReturnsNonVoid =
613       diag::warn_maybe_falloff_nonvoid_lambda;
614     D.diag_AlwaysFallThrough_HasNoReturn =
615       diag::err_noreturn_lambda_has_return_expr;
616     D.diag_AlwaysFallThrough_ReturnsNonVoid =
617       diag::warn_falloff_nonvoid_lambda;
618     D.diag_NeverFallThroughOrReturn = 0;
619     D.funMode = Lambda;
620     return D;
621   }
622 
623   bool checkDiagnostics(DiagnosticsEngine &D, bool ReturnsVoid,
624                         bool HasNoReturn) const {
625     if (funMode == Function) {
626       return (ReturnsVoid ||
627               D.isIgnored(diag::warn_maybe_falloff_nonvoid_function,
628                           FuncLoc)) &&
629              (!HasNoReturn ||
630               D.isIgnored(diag::warn_noreturn_function_has_return_expr,
631                           FuncLoc)) &&
632              (!ReturnsVoid ||
633               D.isIgnored(diag::warn_suggest_noreturn_block, FuncLoc));
634     }
635     if (funMode == Coroutine) {
636       return (ReturnsVoid ||
637               D.isIgnored(diag::warn_maybe_falloff_nonvoid_function, FuncLoc) ||
638               D.isIgnored(diag::warn_maybe_falloff_nonvoid_coroutine,
639                           FuncLoc)) &&
640              (!HasNoReturn);
641     }
642     // For blocks / lambdas.
643     return ReturnsVoid && !HasNoReturn;
644   }
645 };
646 
647 } // anonymous namespace
648 
649 /// CheckFallThroughForBody - Check that we don't fall off the end of a
650 /// function that should return a value.  Check that we don't fall off the end
651 /// of a noreturn function.  We assume that functions and blocks not marked
652 /// noreturn will return.
653 static void CheckFallThroughForBody(Sema &S, const Decl *D, const Stmt *Body,
654                                     QualType BlockType,
655                                     const CheckFallThroughDiagnostics &CD,
656                                     AnalysisDeclContext &AC,
657                                     sema::FunctionScopeInfo *FSI) {
658 
659   bool ReturnsVoid = false;
660   bool HasNoReturn = false;
661   bool IsCoroutine = FSI->isCoroutine();
662 
663   if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
664     if (const auto *CBody = dyn_cast<CoroutineBodyStmt>(Body))
665       ReturnsVoid = CBody->getFallthroughHandler() != nullptr;
666     else
667       ReturnsVoid = FD->getReturnType()->isVoidType();
668     HasNoReturn = FD->isNoReturn();
669   }
670   else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) {
671     ReturnsVoid = MD->getReturnType()->isVoidType();
672     HasNoReturn = MD->hasAttr<NoReturnAttr>();
673   }
674   else if (isa<BlockDecl>(D)) {
675     if (const FunctionType *FT =
676           BlockType->getPointeeType()->getAs<FunctionType>()) {
677       if (FT->getReturnType()->isVoidType())
678         ReturnsVoid = true;
679       if (FT->getNoReturnAttr())
680         HasNoReturn = true;
681     }
682   }
683 
684   DiagnosticsEngine &Diags = S.getDiagnostics();
685 
686   // Short circuit for compilation speed.
687   if (CD.checkDiagnostics(Diags, ReturnsVoid, HasNoReturn))
688       return;
689   SourceLocation LBrace = Body->getBeginLoc(), RBrace = Body->getEndLoc();
690   auto EmitDiag = [&](SourceLocation Loc, unsigned DiagID) {
691     if (IsCoroutine)
692       S.Diag(Loc, DiagID) << FSI->CoroutinePromise->getType();
693     else
694       S.Diag(Loc, DiagID);
695   };
696 
697   // cpu_dispatch functions permit empty function bodies for ICC compatibility.
698   if (D->getAsFunction() && D->getAsFunction()->isCPUDispatchMultiVersion())
699     return;
700 
701   // Either in a function body compound statement, or a function-try-block.
702   switch (CheckFallThrough(AC)) {
703     case UnknownFallThrough:
704       break;
705 
706     case MaybeFallThrough:
707       if (HasNoReturn)
708         EmitDiag(RBrace, CD.diag_MaybeFallThrough_HasNoReturn);
709       else if (!ReturnsVoid)
710         EmitDiag(RBrace, CD.diag_MaybeFallThrough_ReturnsNonVoid);
711       break;
712     case AlwaysFallThrough:
713       if (HasNoReturn)
714         EmitDiag(RBrace, CD.diag_AlwaysFallThrough_HasNoReturn);
715       else if (!ReturnsVoid)
716         EmitDiag(RBrace, CD.diag_AlwaysFallThrough_ReturnsNonVoid);
717       break;
718     case NeverFallThroughOrReturn:
719       if (ReturnsVoid && !HasNoReturn && CD.diag_NeverFallThroughOrReturn) {
720         if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
721           S.Diag(LBrace, CD.diag_NeverFallThroughOrReturn) << 0 << FD;
722         } else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) {
723           S.Diag(LBrace, CD.diag_NeverFallThroughOrReturn) << 1 << MD;
724         } else {
725           S.Diag(LBrace, CD.diag_NeverFallThroughOrReturn);
726         }
727       }
728       break;
729     case NeverFallThrough:
730       break;
731   }
732 }
733 
734 //===----------------------------------------------------------------------===//
735 // -Wuninitialized
736 //===----------------------------------------------------------------------===//
737 
738 namespace {
739 /// ContainsReference - A visitor class to search for references to
740 /// a particular declaration (the needle) within any evaluated component of an
741 /// expression (recursively).
742 class ContainsReference : public ConstEvaluatedExprVisitor<ContainsReference> {
743   bool FoundReference;
744   const DeclRefExpr *Needle;
745 
746 public:
747   typedef ConstEvaluatedExprVisitor<ContainsReference> Inherited;
748 
749   ContainsReference(ASTContext &Context, const DeclRefExpr *Needle)
750     : Inherited(Context), FoundReference(false), Needle(Needle) {}
751 
752   void VisitExpr(const Expr *E) {
753     // Stop evaluating if we already have a reference.
754     if (FoundReference)
755       return;
756 
757     Inherited::VisitExpr(E);
758   }
759 
760   void VisitDeclRefExpr(const DeclRefExpr *E) {
761     if (E == Needle)
762       FoundReference = true;
763     else
764       Inherited::VisitDeclRefExpr(E);
765   }
766 
767   bool doesContainReference() const { return FoundReference; }
768 };
769 } // anonymous namespace
770 
771 static bool SuggestInitializationFixit(Sema &S, const VarDecl *VD) {
772   QualType VariableTy = VD->getType().getCanonicalType();
773   if (VariableTy->isBlockPointerType() &&
774       !VD->hasAttr<BlocksAttr>()) {
775     S.Diag(VD->getLocation(), diag::note_block_var_fixit_add_initialization)
776         << VD->getDeclName()
777         << FixItHint::CreateInsertion(VD->getLocation(), "__block ");
778     return true;
779   }
780 
781   // Don't issue a fixit if there is already an initializer.
782   if (VD->getInit())
783     return false;
784 
785   // Don't suggest a fixit inside macros.
786   if (VD->getEndLoc().isMacroID())
787     return false;
788 
789   SourceLocation Loc = S.getLocForEndOfToken(VD->getEndLoc());
790 
791   // Suggest possible initialization (if any).
792   std::string Init = S.getFixItZeroInitializerForType(VariableTy, Loc);
793   if (Init.empty())
794     return false;
795 
796   S.Diag(Loc, diag::note_var_fixit_add_initialization) << VD->getDeclName()
797     << FixItHint::CreateInsertion(Loc, Init);
798   return true;
799 }
800 
801 /// Create a fixit to remove an if-like statement, on the assumption that its
802 /// condition is CondVal.
803 static void CreateIfFixit(Sema &S, const Stmt *If, const Stmt *Then,
804                           const Stmt *Else, bool CondVal,
805                           FixItHint &Fixit1, FixItHint &Fixit2) {
806   if (CondVal) {
807     // If condition is always true, remove all but the 'then'.
808     Fixit1 = FixItHint::CreateRemoval(
809         CharSourceRange::getCharRange(If->getBeginLoc(), Then->getBeginLoc()));
810     if (Else) {
811       SourceLocation ElseKwLoc = S.getLocForEndOfToken(Then->getEndLoc());
812       Fixit2 =
813           FixItHint::CreateRemoval(SourceRange(ElseKwLoc, Else->getEndLoc()));
814     }
815   } else {
816     // If condition is always false, remove all but the 'else'.
817     if (Else)
818       Fixit1 = FixItHint::CreateRemoval(CharSourceRange::getCharRange(
819           If->getBeginLoc(), Else->getBeginLoc()));
820     else
821       Fixit1 = FixItHint::CreateRemoval(If->getSourceRange());
822   }
823 }
824 
825 /// DiagUninitUse -- Helper function to produce a diagnostic for an
826 /// uninitialized use of a variable.
827 static void DiagUninitUse(Sema &S, const VarDecl *VD, const UninitUse &Use,
828                           bool IsCapturedByBlock) {
829   bool Diagnosed = false;
830 
831   switch (Use.getKind()) {
832   case UninitUse::Always:
833     S.Diag(Use.getUser()->getBeginLoc(), diag::warn_uninit_var)
834         << VD->getDeclName() << IsCapturedByBlock
835         << Use.getUser()->getSourceRange();
836     return;
837 
838   case UninitUse::AfterDecl:
839   case UninitUse::AfterCall:
840     S.Diag(VD->getLocation(), diag::warn_sometimes_uninit_var)
841       << VD->getDeclName() << IsCapturedByBlock
842       << (Use.getKind() == UninitUse::AfterDecl ? 4 : 5)
843       << const_cast<DeclContext*>(VD->getLexicalDeclContext())
844       << VD->getSourceRange();
845     S.Diag(Use.getUser()->getBeginLoc(), diag::note_uninit_var_use)
846         << IsCapturedByBlock << Use.getUser()->getSourceRange();
847     return;
848 
849   case UninitUse::Maybe:
850   case UninitUse::Sometimes:
851     // Carry on to report sometimes-uninitialized branches, if possible,
852     // or a 'may be used uninitialized' diagnostic otherwise.
853     break;
854   }
855 
856   // Diagnose each branch which leads to a sometimes-uninitialized use.
857   for (UninitUse::branch_iterator I = Use.branch_begin(), E = Use.branch_end();
858        I != E; ++I) {
859     assert(Use.getKind() == UninitUse::Sometimes);
860 
861     const Expr *User = Use.getUser();
862     const Stmt *Term = I->Terminator;
863 
864     // Information used when building the diagnostic.
865     unsigned DiagKind;
866     StringRef Str;
867     SourceRange Range;
868 
869     // FixIts to suppress the diagnostic by removing the dead condition.
870     // For all binary terminators, branch 0 is taken if the condition is true,
871     // and branch 1 is taken if the condition is false.
872     int RemoveDiagKind = -1;
873     const char *FixitStr =
874         S.getLangOpts().CPlusPlus ? (I->Output ? "true" : "false")
875                                   : (I->Output ? "1" : "0");
876     FixItHint Fixit1, Fixit2;
877 
878     switch (Term ? Term->getStmtClass() : Stmt::DeclStmtClass) {
879     default:
880       // Don't know how to report this. Just fall back to 'may be used
881       // uninitialized'. FIXME: Can this happen?
882       continue;
883 
884     // "condition is true / condition is false".
885     case Stmt::IfStmtClass: {
886       const IfStmt *IS = cast<IfStmt>(Term);
887       DiagKind = 0;
888       Str = "if";
889       Range = IS->getCond()->getSourceRange();
890       RemoveDiagKind = 0;
891       CreateIfFixit(S, IS, IS->getThen(), IS->getElse(),
892                     I->Output, Fixit1, Fixit2);
893       break;
894     }
895     case Stmt::ConditionalOperatorClass: {
896       const ConditionalOperator *CO = cast<ConditionalOperator>(Term);
897       DiagKind = 0;
898       Str = "?:";
899       Range = CO->getCond()->getSourceRange();
900       RemoveDiagKind = 0;
901       CreateIfFixit(S, CO, CO->getTrueExpr(), CO->getFalseExpr(),
902                     I->Output, Fixit1, Fixit2);
903       break;
904     }
905     case Stmt::BinaryOperatorClass: {
906       const BinaryOperator *BO = cast<BinaryOperator>(Term);
907       if (!BO->isLogicalOp())
908         continue;
909       DiagKind = 0;
910       Str = BO->getOpcodeStr();
911       Range = BO->getLHS()->getSourceRange();
912       RemoveDiagKind = 0;
913       if ((BO->getOpcode() == BO_LAnd && I->Output) ||
914           (BO->getOpcode() == BO_LOr && !I->Output))
915         // true && y -> y, false || y -> y.
916         Fixit1 = FixItHint::CreateRemoval(
917             SourceRange(BO->getBeginLoc(), BO->getOperatorLoc()));
918       else
919         // false && y -> false, true || y -> true.
920         Fixit1 = FixItHint::CreateReplacement(BO->getSourceRange(), FixitStr);
921       break;
922     }
923 
924     // "loop is entered / loop is exited".
925     case Stmt::WhileStmtClass:
926       DiagKind = 1;
927       Str = "while";
928       Range = cast<WhileStmt>(Term)->getCond()->getSourceRange();
929       RemoveDiagKind = 1;
930       Fixit1 = FixItHint::CreateReplacement(Range, FixitStr);
931       break;
932     case Stmt::ForStmtClass:
933       DiagKind = 1;
934       Str = "for";
935       Range = cast<ForStmt>(Term)->getCond()->getSourceRange();
936       RemoveDiagKind = 1;
937       if (I->Output)
938         Fixit1 = FixItHint::CreateRemoval(Range);
939       else
940         Fixit1 = FixItHint::CreateReplacement(Range, FixitStr);
941       break;
942     case Stmt::CXXForRangeStmtClass:
943       if (I->Output == 1) {
944         // The use occurs if a range-based for loop's body never executes.
945         // That may be impossible, and there's no syntactic fix for this,
946         // so treat it as a 'may be uninitialized' case.
947         continue;
948       }
949       DiagKind = 1;
950       Str = "for";
951       Range = cast<CXXForRangeStmt>(Term)->getRangeInit()->getSourceRange();
952       break;
953 
954     // "condition is true / loop is exited".
955     case Stmt::DoStmtClass:
956       DiagKind = 2;
957       Str = "do";
958       Range = cast<DoStmt>(Term)->getCond()->getSourceRange();
959       RemoveDiagKind = 1;
960       Fixit1 = FixItHint::CreateReplacement(Range, FixitStr);
961       break;
962 
963     // "switch case is taken".
964     case Stmt::CaseStmtClass:
965       DiagKind = 3;
966       Str = "case";
967       Range = cast<CaseStmt>(Term)->getLHS()->getSourceRange();
968       break;
969     case Stmt::DefaultStmtClass:
970       DiagKind = 3;
971       Str = "default";
972       Range = cast<DefaultStmt>(Term)->getDefaultLoc();
973       break;
974     }
975 
976     S.Diag(Range.getBegin(), diag::warn_sometimes_uninit_var)
977       << VD->getDeclName() << IsCapturedByBlock << DiagKind
978       << Str << I->Output << Range;
979     S.Diag(User->getBeginLoc(), diag::note_uninit_var_use)
980         << IsCapturedByBlock << User->getSourceRange();
981     if (RemoveDiagKind != -1)
982       S.Diag(Fixit1.RemoveRange.getBegin(), diag::note_uninit_fixit_remove_cond)
983         << RemoveDiagKind << Str << I->Output << Fixit1 << Fixit2;
984 
985     Diagnosed = true;
986   }
987 
988   if (!Diagnosed)
989     S.Diag(Use.getUser()->getBeginLoc(), diag::warn_maybe_uninit_var)
990         << VD->getDeclName() << IsCapturedByBlock
991         << Use.getUser()->getSourceRange();
992 }
993 
994 /// Diagnose uninitialized const reference usages.
995 static bool DiagnoseUninitializedConstRefUse(Sema &S, const VarDecl *VD,
996                                              const UninitUse &Use) {
997   S.Diag(Use.getUser()->getBeginLoc(), diag::warn_uninit_const_reference)
998       << VD->getDeclName() << Use.getUser()->getSourceRange();
999   return true;
1000 }
1001 
1002 /// DiagnoseUninitializedUse -- Helper function for diagnosing uses of an
1003 /// uninitialized variable. This manages the different forms of diagnostic
1004 /// emitted for particular types of uses. Returns true if the use was diagnosed
1005 /// as a warning. If a particular use is one we omit warnings for, returns
1006 /// false.
1007 static bool DiagnoseUninitializedUse(Sema &S, const VarDecl *VD,
1008                                      const UninitUse &Use,
1009                                      bool alwaysReportSelfInit = false) {
1010   if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Use.getUser())) {
1011     // Inspect the initializer of the variable declaration which is
1012     // being referenced prior to its initialization. We emit
1013     // specialized diagnostics for self-initialization, and we
1014     // specifically avoid warning about self references which take the
1015     // form of:
1016     //
1017     //   int x = x;
1018     //
1019     // This is used to indicate to GCC that 'x' is intentionally left
1020     // uninitialized. Proven code paths which access 'x' in
1021     // an uninitialized state after this will still warn.
1022     if (const Expr *Initializer = VD->getInit()) {
1023       if (!alwaysReportSelfInit && DRE == Initializer->IgnoreParenImpCasts())
1024         return false;
1025 
1026       ContainsReference CR(S.Context, DRE);
1027       CR.Visit(Initializer);
1028       if (CR.doesContainReference()) {
1029         S.Diag(DRE->getBeginLoc(), diag::warn_uninit_self_reference_in_init)
1030             << VD->getDeclName() << VD->getLocation() << DRE->getSourceRange();
1031         return true;
1032       }
1033     }
1034 
1035     DiagUninitUse(S, VD, Use, false);
1036   } else {
1037     const BlockExpr *BE = cast<BlockExpr>(Use.getUser());
1038     if (VD->getType()->isBlockPointerType() && !VD->hasAttr<BlocksAttr>())
1039       S.Diag(BE->getBeginLoc(),
1040              diag::warn_uninit_byref_blockvar_captured_by_block)
1041           << VD->getDeclName()
1042           << VD->getType().getQualifiers().hasObjCLifetime();
1043     else
1044       DiagUninitUse(S, VD, Use, true);
1045   }
1046 
1047   // Report where the variable was declared when the use wasn't within
1048   // the initializer of that declaration & we didn't already suggest
1049   // an initialization fixit.
1050   if (!SuggestInitializationFixit(S, VD))
1051     S.Diag(VD->getBeginLoc(), diag::note_var_declared_here)
1052         << VD->getDeclName();
1053 
1054   return true;
1055 }
1056 
1057 namespace {
1058   class FallthroughMapper : public RecursiveASTVisitor<FallthroughMapper> {
1059   public:
1060     FallthroughMapper(Sema &S)
1061       : FoundSwitchStatements(false),
1062         S(S) {
1063     }
1064 
1065     bool foundSwitchStatements() const { return FoundSwitchStatements; }
1066 
1067     void markFallthroughVisited(const AttributedStmt *Stmt) {
1068       bool Found = FallthroughStmts.erase(Stmt);
1069       assert(Found);
1070       (void)Found;
1071     }
1072 
1073     typedef llvm::SmallPtrSet<const AttributedStmt*, 8> AttrStmts;
1074 
1075     const AttrStmts &getFallthroughStmts() const {
1076       return FallthroughStmts;
1077     }
1078 
1079     void fillReachableBlocks(CFG *Cfg) {
1080       assert(ReachableBlocks.empty() && "ReachableBlocks already filled");
1081       std::deque<const CFGBlock *> BlockQueue;
1082 
1083       ReachableBlocks.insert(&Cfg->getEntry());
1084       BlockQueue.push_back(&Cfg->getEntry());
1085       // Mark all case blocks reachable to avoid problems with switching on
1086       // constants, covered enums, etc.
1087       // These blocks can contain fall-through annotations, and we don't want to
1088       // issue a warn_fallthrough_attr_unreachable for them.
1089       for (const auto *B : *Cfg) {
1090         const Stmt *L = B->getLabel();
1091         if (L && isa<SwitchCase>(L) && ReachableBlocks.insert(B).second)
1092           BlockQueue.push_back(B);
1093       }
1094 
1095       while (!BlockQueue.empty()) {
1096         const CFGBlock *P = BlockQueue.front();
1097         BlockQueue.pop_front();
1098         for (const CFGBlock *B : P->succs()) {
1099           if (B && ReachableBlocks.insert(B).second)
1100             BlockQueue.push_back(B);
1101         }
1102       }
1103     }
1104 
1105     bool checkFallThroughIntoBlock(const CFGBlock &B, int &AnnotatedCnt,
1106                                    bool IsTemplateInstantiation) {
1107       assert(!ReachableBlocks.empty() && "ReachableBlocks empty");
1108 
1109       int UnannotatedCnt = 0;
1110       AnnotatedCnt = 0;
1111 
1112       std::deque<const CFGBlock*> BlockQueue(B.pred_begin(), B.pred_end());
1113       while (!BlockQueue.empty()) {
1114         const CFGBlock *P = BlockQueue.front();
1115         BlockQueue.pop_front();
1116         if (!P) continue;
1117 
1118         const Stmt *Term = P->getTerminatorStmt();
1119         if (Term && isa<SwitchStmt>(Term))
1120           continue; // Switch statement, good.
1121 
1122         const SwitchCase *SW = dyn_cast_or_null<SwitchCase>(P->getLabel());
1123         if (SW && SW->getSubStmt() == B.getLabel() && P->begin() == P->end())
1124           continue; // Previous case label has no statements, good.
1125 
1126         const LabelStmt *L = dyn_cast_or_null<LabelStmt>(P->getLabel());
1127         if (L && L->getSubStmt() == B.getLabel() && P->begin() == P->end())
1128           continue; // Case label is preceded with a normal label, good.
1129 
1130         if (!ReachableBlocks.count(P)) {
1131           for (const CFGElement &Elem : llvm::reverse(*P)) {
1132             if (std::optional<CFGStmt> CS = Elem.getAs<CFGStmt>()) {
1133             if (const AttributedStmt *AS = asFallThroughAttr(CS->getStmt())) {
1134               // Don't issue a warning for an unreachable fallthrough
1135               // attribute in template instantiations as it may not be
1136               // unreachable in all instantiations of the template.
1137               if (!IsTemplateInstantiation)
1138                 S.Diag(AS->getBeginLoc(),
1139                        diag::warn_unreachable_fallthrough_attr);
1140               markFallthroughVisited(AS);
1141               ++AnnotatedCnt;
1142               break;
1143             }
1144             // Don't care about other unreachable statements.
1145             }
1146           }
1147           // If there are no unreachable statements, this may be a special
1148           // case in CFG:
1149           // case X: {
1150           //    A a;  // A has a destructor.
1151           //    break;
1152           // }
1153           // // <<<< This place is represented by a 'hanging' CFG block.
1154           // case Y:
1155           continue;
1156         }
1157 
1158         const Stmt *LastStmt = getLastStmt(*P);
1159         if (const AttributedStmt *AS = asFallThroughAttr(LastStmt)) {
1160           markFallthroughVisited(AS);
1161           ++AnnotatedCnt;
1162           continue; // Fallthrough annotation, good.
1163         }
1164 
1165         if (!LastStmt) { // This block contains no executable statements.
1166           // Traverse its predecessors.
1167           std::copy(P->pred_begin(), P->pred_end(),
1168                     std::back_inserter(BlockQueue));
1169           continue;
1170         }
1171 
1172         ++UnannotatedCnt;
1173       }
1174       return !!UnannotatedCnt;
1175     }
1176 
1177     // RecursiveASTVisitor setup.
1178     bool shouldWalkTypesOfTypeLocs() const { return false; }
1179 
1180     bool VisitAttributedStmt(AttributedStmt *S) {
1181       if (asFallThroughAttr(S))
1182         FallthroughStmts.insert(S);
1183       return true;
1184     }
1185 
1186     bool VisitSwitchStmt(SwitchStmt *S) {
1187       FoundSwitchStatements = true;
1188       return true;
1189     }
1190 
1191     // We don't want to traverse local type declarations. We analyze their
1192     // methods separately.
1193     bool TraverseDecl(Decl *D) { return true; }
1194 
1195     // We analyze lambda bodies separately. Skip them here.
1196     bool TraverseLambdaExpr(LambdaExpr *LE) {
1197       // Traverse the captures, but not the body.
1198       for (const auto C : zip(LE->captures(), LE->capture_inits()))
1199         TraverseLambdaCapture(LE, &std::get<0>(C), std::get<1>(C));
1200       return true;
1201     }
1202 
1203   private:
1204 
1205     static const AttributedStmt *asFallThroughAttr(const Stmt *S) {
1206       if (const AttributedStmt *AS = dyn_cast_or_null<AttributedStmt>(S)) {
1207         if (hasSpecificAttr<FallThroughAttr>(AS->getAttrs()))
1208           return AS;
1209       }
1210       return nullptr;
1211     }
1212 
1213     static const Stmt *getLastStmt(const CFGBlock &B) {
1214       if (const Stmt *Term = B.getTerminatorStmt())
1215         return Term;
1216       for (const CFGElement &Elem : llvm::reverse(B))
1217         if (std::optional<CFGStmt> CS = Elem.getAs<CFGStmt>())
1218           return CS->getStmt();
1219       // Workaround to detect a statement thrown out by CFGBuilder:
1220       //   case X: {} case Y:
1221       //   case X: ; case Y:
1222       if (const SwitchCase *SW = dyn_cast_or_null<SwitchCase>(B.getLabel()))
1223         if (!isa<SwitchCase>(SW->getSubStmt()))
1224           return SW->getSubStmt();
1225 
1226       return nullptr;
1227     }
1228 
1229     bool FoundSwitchStatements;
1230     AttrStmts FallthroughStmts;
1231     Sema &S;
1232     llvm::SmallPtrSet<const CFGBlock *, 16> ReachableBlocks;
1233   };
1234 } // anonymous namespace
1235 
1236 static StringRef getFallthroughAttrSpelling(Preprocessor &PP,
1237                                             SourceLocation Loc) {
1238   TokenValue FallthroughTokens[] = {
1239     tok::l_square, tok::l_square,
1240     PP.getIdentifierInfo("fallthrough"),
1241     tok::r_square, tok::r_square
1242   };
1243 
1244   TokenValue ClangFallthroughTokens[] = {
1245     tok::l_square, tok::l_square, PP.getIdentifierInfo("clang"),
1246     tok::coloncolon, PP.getIdentifierInfo("fallthrough"),
1247     tok::r_square, tok::r_square
1248   };
1249 
1250   bool PreferClangAttr = !PP.getLangOpts().CPlusPlus17 && !PP.getLangOpts().C2x;
1251 
1252   StringRef MacroName;
1253   if (PreferClangAttr)
1254     MacroName = PP.getLastMacroWithSpelling(Loc, ClangFallthroughTokens);
1255   if (MacroName.empty())
1256     MacroName = PP.getLastMacroWithSpelling(Loc, FallthroughTokens);
1257   if (MacroName.empty() && !PreferClangAttr)
1258     MacroName = PP.getLastMacroWithSpelling(Loc, ClangFallthroughTokens);
1259   if (MacroName.empty()) {
1260     if (!PreferClangAttr)
1261       MacroName = "[[fallthrough]]";
1262     else if (PP.getLangOpts().CPlusPlus)
1263       MacroName = "[[clang::fallthrough]]";
1264     else
1265       MacroName = "__attribute__((fallthrough))";
1266   }
1267   return MacroName;
1268 }
1269 
1270 static void DiagnoseSwitchLabelsFallthrough(Sema &S, AnalysisDeclContext &AC,
1271                                             bool PerFunction) {
1272   FallthroughMapper FM(S);
1273   FM.TraverseStmt(AC.getBody());
1274 
1275   if (!FM.foundSwitchStatements())
1276     return;
1277 
1278   if (PerFunction && FM.getFallthroughStmts().empty())
1279     return;
1280 
1281   CFG *Cfg = AC.getCFG();
1282 
1283   if (!Cfg)
1284     return;
1285 
1286   FM.fillReachableBlocks(Cfg);
1287 
1288   for (const CFGBlock *B : llvm::reverse(*Cfg)) {
1289     const Stmt *Label = B->getLabel();
1290 
1291     if (!isa_and_nonnull<SwitchCase>(Label))
1292       continue;
1293 
1294     int AnnotatedCnt;
1295 
1296     bool IsTemplateInstantiation = false;
1297     if (const FunctionDecl *Function = dyn_cast<FunctionDecl>(AC.getDecl()))
1298       IsTemplateInstantiation = Function->isTemplateInstantiation();
1299     if (!FM.checkFallThroughIntoBlock(*B, AnnotatedCnt,
1300                                       IsTemplateInstantiation))
1301       continue;
1302 
1303     S.Diag(Label->getBeginLoc(),
1304            PerFunction ? diag::warn_unannotated_fallthrough_per_function
1305                        : diag::warn_unannotated_fallthrough);
1306 
1307     if (!AnnotatedCnt) {
1308       SourceLocation L = Label->getBeginLoc();
1309       if (L.isMacroID())
1310         continue;
1311 
1312       const Stmt *Term = B->getTerminatorStmt();
1313       // Skip empty cases.
1314       while (B->empty() && !Term && B->succ_size() == 1) {
1315         B = *B->succ_begin();
1316         Term = B->getTerminatorStmt();
1317       }
1318       if (!(B->empty() && Term && isa<BreakStmt>(Term))) {
1319         Preprocessor &PP = S.getPreprocessor();
1320         StringRef AnnotationSpelling = getFallthroughAttrSpelling(PP, L);
1321         SmallString<64> TextToInsert(AnnotationSpelling);
1322         TextToInsert += "; ";
1323         S.Diag(L, diag::note_insert_fallthrough_fixit)
1324             << AnnotationSpelling
1325             << FixItHint::CreateInsertion(L, TextToInsert);
1326       }
1327       S.Diag(L, diag::note_insert_break_fixit)
1328           << FixItHint::CreateInsertion(L, "break; ");
1329     }
1330   }
1331 
1332   for (const auto *F : FM.getFallthroughStmts())
1333     S.Diag(F->getBeginLoc(), diag::err_fallthrough_attr_invalid_placement);
1334 }
1335 
1336 static bool isInLoop(const ASTContext &Ctx, const ParentMap &PM,
1337                      const Stmt *S) {
1338   assert(S);
1339 
1340   do {
1341     switch (S->getStmtClass()) {
1342     case Stmt::ForStmtClass:
1343     case Stmt::WhileStmtClass:
1344     case Stmt::CXXForRangeStmtClass:
1345     case Stmt::ObjCForCollectionStmtClass:
1346       return true;
1347     case Stmt::DoStmtClass: {
1348       Expr::EvalResult Result;
1349       if (!cast<DoStmt>(S)->getCond()->EvaluateAsInt(Result, Ctx))
1350         return true;
1351       return Result.Val.getInt().getBoolValue();
1352     }
1353     default:
1354       break;
1355     }
1356   } while ((S = PM.getParent(S)));
1357 
1358   return false;
1359 }
1360 
1361 static void diagnoseRepeatedUseOfWeak(Sema &S,
1362                                       const sema::FunctionScopeInfo *CurFn,
1363                                       const Decl *D,
1364                                       const ParentMap &PM) {
1365   typedef sema::FunctionScopeInfo::WeakObjectProfileTy WeakObjectProfileTy;
1366   typedef sema::FunctionScopeInfo::WeakObjectUseMap WeakObjectUseMap;
1367   typedef sema::FunctionScopeInfo::WeakUseVector WeakUseVector;
1368   typedef std::pair<const Stmt *, WeakObjectUseMap::const_iterator>
1369   StmtUsesPair;
1370 
1371   ASTContext &Ctx = S.getASTContext();
1372 
1373   const WeakObjectUseMap &WeakMap = CurFn->getWeakObjectUses();
1374 
1375   // Extract all weak objects that are referenced more than once.
1376   SmallVector<StmtUsesPair, 8> UsesByStmt;
1377   for (WeakObjectUseMap::const_iterator I = WeakMap.begin(), E = WeakMap.end();
1378        I != E; ++I) {
1379     const WeakUseVector &Uses = I->second;
1380 
1381     // Find the first read of the weak object.
1382     WeakUseVector::const_iterator UI = Uses.begin(), UE = Uses.end();
1383     for ( ; UI != UE; ++UI) {
1384       if (UI->isUnsafe())
1385         break;
1386     }
1387 
1388     // If there were only writes to this object, don't warn.
1389     if (UI == UE)
1390       continue;
1391 
1392     // If there was only one read, followed by any number of writes, and the
1393     // read is not within a loop, don't warn. Additionally, don't warn in a
1394     // loop if the base object is a local variable -- local variables are often
1395     // changed in loops.
1396     if (UI == Uses.begin()) {
1397       WeakUseVector::const_iterator UI2 = UI;
1398       for (++UI2; UI2 != UE; ++UI2)
1399         if (UI2->isUnsafe())
1400           break;
1401 
1402       if (UI2 == UE) {
1403         if (!isInLoop(Ctx, PM, UI->getUseExpr()))
1404           continue;
1405 
1406         const WeakObjectProfileTy &Profile = I->first;
1407         if (!Profile.isExactProfile())
1408           continue;
1409 
1410         const NamedDecl *Base = Profile.getBase();
1411         if (!Base)
1412           Base = Profile.getProperty();
1413         assert(Base && "A profile always has a base or property.");
1414 
1415         if (const VarDecl *BaseVar = dyn_cast<VarDecl>(Base))
1416           if (BaseVar->hasLocalStorage() && !isa<ParmVarDecl>(Base))
1417             continue;
1418       }
1419     }
1420 
1421     UsesByStmt.push_back(StmtUsesPair(UI->getUseExpr(), I));
1422   }
1423 
1424   if (UsesByStmt.empty())
1425     return;
1426 
1427   // Sort by first use so that we emit the warnings in a deterministic order.
1428   SourceManager &SM = S.getSourceManager();
1429   llvm::sort(UsesByStmt,
1430              [&SM](const StmtUsesPair &LHS, const StmtUsesPair &RHS) {
1431                return SM.isBeforeInTranslationUnit(LHS.first->getBeginLoc(),
1432                                                    RHS.first->getBeginLoc());
1433              });
1434 
1435   // Classify the current code body for better warning text.
1436   // This enum should stay in sync with the cases in
1437   // warn_arc_repeated_use_of_weak and warn_arc_possible_repeated_use_of_weak.
1438   // FIXME: Should we use a common classification enum and the same set of
1439   // possibilities all throughout Sema?
1440   enum {
1441     Function,
1442     Method,
1443     Block,
1444     Lambda
1445   } FunctionKind;
1446 
1447   if (isa<sema::BlockScopeInfo>(CurFn))
1448     FunctionKind = Block;
1449   else if (isa<sema::LambdaScopeInfo>(CurFn))
1450     FunctionKind = Lambda;
1451   else if (isa<ObjCMethodDecl>(D))
1452     FunctionKind = Method;
1453   else
1454     FunctionKind = Function;
1455 
1456   // Iterate through the sorted problems and emit warnings for each.
1457   for (const auto &P : UsesByStmt) {
1458     const Stmt *FirstRead = P.first;
1459     const WeakObjectProfileTy &Key = P.second->first;
1460     const WeakUseVector &Uses = P.second->second;
1461 
1462     // For complicated expressions like 'a.b.c' and 'x.b.c', WeakObjectProfileTy
1463     // may not contain enough information to determine that these are different
1464     // properties. We can only be 100% sure of a repeated use in certain cases,
1465     // and we adjust the diagnostic kind accordingly so that the less certain
1466     // case can be turned off if it is too noisy.
1467     unsigned DiagKind;
1468     if (Key.isExactProfile())
1469       DiagKind = diag::warn_arc_repeated_use_of_weak;
1470     else
1471       DiagKind = diag::warn_arc_possible_repeated_use_of_weak;
1472 
1473     // Classify the weak object being accessed for better warning text.
1474     // This enum should stay in sync with the cases in
1475     // warn_arc_repeated_use_of_weak and warn_arc_possible_repeated_use_of_weak.
1476     enum {
1477       Variable,
1478       Property,
1479       ImplicitProperty,
1480       Ivar
1481     } ObjectKind;
1482 
1483     const NamedDecl *KeyProp = Key.getProperty();
1484     if (isa<VarDecl>(KeyProp))
1485       ObjectKind = Variable;
1486     else if (isa<ObjCPropertyDecl>(KeyProp))
1487       ObjectKind = Property;
1488     else if (isa<ObjCMethodDecl>(KeyProp))
1489       ObjectKind = ImplicitProperty;
1490     else if (isa<ObjCIvarDecl>(KeyProp))
1491       ObjectKind = Ivar;
1492     else
1493       llvm_unreachable("Unexpected weak object kind!");
1494 
1495     // Do not warn about IBOutlet weak property receivers being set to null
1496     // since they are typically only used from the main thread.
1497     if (const ObjCPropertyDecl *Prop = dyn_cast<ObjCPropertyDecl>(KeyProp))
1498       if (Prop->hasAttr<IBOutletAttr>())
1499         continue;
1500 
1501     // Show the first time the object was read.
1502     S.Diag(FirstRead->getBeginLoc(), DiagKind)
1503         << int(ObjectKind) << KeyProp << int(FunctionKind)
1504         << FirstRead->getSourceRange();
1505 
1506     // Print all the other accesses as notes.
1507     for (const auto &Use : Uses) {
1508       if (Use.getUseExpr() == FirstRead)
1509         continue;
1510       S.Diag(Use.getUseExpr()->getBeginLoc(),
1511              diag::note_arc_weak_also_accessed_here)
1512           << Use.getUseExpr()->getSourceRange();
1513     }
1514   }
1515 }
1516 
1517 namespace clang {
1518 namespace {
1519 typedef SmallVector<PartialDiagnosticAt, 1> OptionalNotes;
1520 typedef std::pair<PartialDiagnosticAt, OptionalNotes> DelayedDiag;
1521 typedef std::list<DelayedDiag> DiagList;
1522 
1523 struct SortDiagBySourceLocation {
1524   SourceManager &SM;
1525   SortDiagBySourceLocation(SourceManager &SM) : SM(SM) {}
1526 
1527   bool operator()(const DelayedDiag &left, const DelayedDiag &right) {
1528     // Although this call will be slow, this is only called when outputting
1529     // multiple warnings.
1530     return SM.isBeforeInTranslationUnit(left.first.first, right.first.first);
1531   }
1532 };
1533 } // anonymous namespace
1534 } // namespace clang
1535 
1536 namespace {
1537 class UninitValsDiagReporter : public UninitVariablesHandler {
1538   Sema &S;
1539   typedef SmallVector<UninitUse, 2> UsesVec;
1540   typedef llvm::PointerIntPair<UsesVec *, 1, bool> MappedType;
1541   // Prefer using MapVector to DenseMap, so that iteration order will be
1542   // the same as insertion order. This is needed to obtain a deterministic
1543   // order of diagnostics when calling flushDiagnostics().
1544   typedef llvm::MapVector<const VarDecl *, MappedType> UsesMap;
1545   UsesMap uses;
1546   UsesMap constRefUses;
1547 
1548 public:
1549   UninitValsDiagReporter(Sema &S) : S(S) {}
1550   ~UninitValsDiagReporter() override { flushDiagnostics(); }
1551 
1552   MappedType &getUses(UsesMap &um, const VarDecl *vd) {
1553     MappedType &V = um[vd];
1554     if (!V.getPointer())
1555       V.setPointer(new UsesVec());
1556     return V;
1557   }
1558 
1559   void handleUseOfUninitVariable(const VarDecl *vd,
1560                                  const UninitUse &use) override {
1561     getUses(uses, vd).getPointer()->push_back(use);
1562   }
1563 
1564   void handleConstRefUseOfUninitVariable(const VarDecl *vd,
1565                                          const UninitUse &use) override {
1566     getUses(constRefUses, vd).getPointer()->push_back(use);
1567   }
1568 
1569   void handleSelfInit(const VarDecl *vd) override {
1570     getUses(uses, vd).setInt(true);
1571     getUses(constRefUses, vd).setInt(true);
1572   }
1573 
1574   void flushDiagnostics() {
1575     for (const auto &P : uses) {
1576       const VarDecl *vd = P.first;
1577       const MappedType &V = P.second;
1578 
1579       UsesVec *vec = V.getPointer();
1580       bool hasSelfInit = V.getInt();
1581 
1582       // Specially handle the case where we have uses of an uninitialized
1583       // variable, but the root cause is an idiomatic self-init.  We want
1584       // to report the diagnostic at the self-init since that is the root cause.
1585       if (!vec->empty() && hasSelfInit && hasAlwaysUninitializedUse(vec))
1586         DiagnoseUninitializedUse(S, vd,
1587                                  UninitUse(vd->getInit()->IgnoreParenCasts(),
1588                                            /* isAlwaysUninit */ true),
1589                                  /* alwaysReportSelfInit */ true);
1590       else {
1591         // Sort the uses by their SourceLocations.  While not strictly
1592         // guaranteed to produce them in line/column order, this will provide
1593         // a stable ordering.
1594         llvm::sort(*vec, [](const UninitUse &a, const UninitUse &b) {
1595           // Prefer a more confident report over a less confident one.
1596           if (a.getKind() != b.getKind())
1597             return a.getKind() > b.getKind();
1598           return a.getUser()->getBeginLoc() < b.getUser()->getBeginLoc();
1599         });
1600 
1601         for (const auto &U : *vec) {
1602           // If we have self-init, downgrade all uses to 'may be uninitialized'.
1603           UninitUse Use = hasSelfInit ? UninitUse(U.getUser(), false) : U;
1604 
1605           if (DiagnoseUninitializedUse(S, vd, Use))
1606             // Skip further diagnostics for this variable. We try to warn only
1607             // on the first point at which a variable is used uninitialized.
1608             break;
1609         }
1610       }
1611 
1612       // Release the uses vector.
1613       delete vec;
1614     }
1615 
1616     uses.clear();
1617 
1618     // Flush all const reference uses diags.
1619     for (const auto &P : constRefUses) {
1620       const VarDecl *vd = P.first;
1621       const MappedType &V = P.second;
1622 
1623       UsesVec *vec = V.getPointer();
1624       bool hasSelfInit = V.getInt();
1625 
1626       if (!vec->empty() && hasSelfInit && hasAlwaysUninitializedUse(vec))
1627         DiagnoseUninitializedUse(S, vd,
1628                                  UninitUse(vd->getInit()->IgnoreParenCasts(),
1629                                            /* isAlwaysUninit */ true),
1630                                  /* alwaysReportSelfInit */ true);
1631       else {
1632         for (const auto &U : *vec) {
1633           if (DiagnoseUninitializedConstRefUse(S, vd, U))
1634             break;
1635         }
1636       }
1637 
1638       // Release the uses vector.
1639       delete vec;
1640     }
1641 
1642     constRefUses.clear();
1643   }
1644 
1645 private:
1646   static bool hasAlwaysUninitializedUse(const UsesVec* vec) {
1647     return llvm::any_of(*vec, [](const UninitUse &U) {
1648       return U.getKind() == UninitUse::Always ||
1649              U.getKind() == UninitUse::AfterCall ||
1650              U.getKind() == UninitUse::AfterDecl;
1651     });
1652   }
1653 };
1654 
1655 /// Inter-procedural data for the called-once checker.
1656 class CalledOnceInterProceduralData {
1657 public:
1658   // Add the delayed warning for the given block.
1659   void addDelayedWarning(const BlockDecl *Block,
1660                          PartialDiagnosticAt &&Warning) {
1661     DelayedBlockWarnings[Block].emplace_back(std::move(Warning));
1662   }
1663   // Report all of the warnings we've gathered for the given block.
1664   void flushWarnings(const BlockDecl *Block, Sema &S) {
1665     for (const PartialDiagnosticAt &Delayed : DelayedBlockWarnings[Block])
1666       S.Diag(Delayed.first, Delayed.second);
1667 
1668     discardWarnings(Block);
1669   }
1670   // Discard all of the warnings we've gathered for the given block.
1671   void discardWarnings(const BlockDecl *Block) {
1672     DelayedBlockWarnings.erase(Block);
1673   }
1674 
1675 private:
1676   using DelayedDiagnostics = SmallVector<PartialDiagnosticAt, 2>;
1677   llvm::DenseMap<const BlockDecl *, DelayedDiagnostics> DelayedBlockWarnings;
1678 };
1679 
1680 class CalledOnceCheckReporter : public CalledOnceCheckHandler {
1681 public:
1682   CalledOnceCheckReporter(Sema &S, CalledOnceInterProceduralData &Data)
1683       : S(S), Data(Data) {}
1684   void handleDoubleCall(const ParmVarDecl *Parameter, const Expr *Call,
1685                         const Expr *PrevCall, bool IsCompletionHandler,
1686                         bool Poised) override {
1687     auto DiagToReport = IsCompletionHandler
1688                             ? diag::warn_completion_handler_called_twice
1689                             : diag::warn_called_once_gets_called_twice;
1690     S.Diag(Call->getBeginLoc(), DiagToReport) << Parameter;
1691     S.Diag(PrevCall->getBeginLoc(), diag::note_called_once_gets_called_twice)
1692         << Poised;
1693   }
1694 
1695   void handleNeverCalled(const ParmVarDecl *Parameter,
1696                          bool IsCompletionHandler) override {
1697     auto DiagToReport = IsCompletionHandler
1698                             ? diag::warn_completion_handler_never_called
1699                             : diag::warn_called_once_never_called;
1700     S.Diag(Parameter->getBeginLoc(), DiagToReport)
1701         << Parameter << /* Captured */ false;
1702   }
1703 
1704   void handleNeverCalled(const ParmVarDecl *Parameter, const Decl *Function,
1705                          const Stmt *Where, NeverCalledReason Reason,
1706                          bool IsCalledDirectly,
1707                          bool IsCompletionHandler) override {
1708     auto DiagToReport = IsCompletionHandler
1709                             ? diag::warn_completion_handler_never_called_when
1710                             : diag::warn_called_once_never_called_when;
1711     PartialDiagnosticAt Warning(Where->getBeginLoc(), S.PDiag(DiagToReport)
1712                                                           << Parameter
1713                                                           << IsCalledDirectly
1714                                                           << (unsigned)Reason);
1715 
1716     if (const auto *Block = dyn_cast<BlockDecl>(Function)) {
1717       // We shouldn't report these warnings on blocks immediately
1718       Data.addDelayedWarning(Block, std::move(Warning));
1719     } else {
1720       S.Diag(Warning.first, Warning.second);
1721     }
1722   }
1723 
1724   void handleCapturedNeverCalled(const ParmVarDecl *Parameter,
1725                                  const Decl *Where,
1726                                  bool IsCompletionHandler) override {
1727     auto DiagToReport = IsCompletionHandler
1728                             ? diag::warn_completion_handler_never_called
1729                             : diag::warn_called_once_never_called;
1730     S.Diag(Where->getBeginLoc(), DiagToReport)
1731         << Parameter << /* Captured */ true;
1732   }
1733 
1734   void
1735   handleBlockThatIsGuaranteedToBeCalledOnce(const BlockDecl *Block) override {
1736     Data.flushWarnings(Block, S);
1737   }
1738 
1739   void handleBlockWithNoGuarantees(const BlockDecl *Block) override {
1740     Data.discardWarnings(Block);
1741   }
1742 
1743 private:
1744   Sema &S;
1745   CalledOnceInterProceduralData &Data;
1746 };
1747 
1748 constexpr unsigned CalledOnceWarnings[] = {
1749     diag::warn_called_once_never_called,
1750     diag::warn_called_once_never_called_when,
1751     diag::warn_called_once_gets_called_twice};
1752 
1753 constexpr unsigned CompletionHandlerWarnings[]{
1754     diag::warn_completion_handler_never_called,
1755     diag::warn_completion_handler_never_called_when,
1756     diag::warn_completion_handler_called_twice};
1757 
1758 bool shouldAnalyzeCalledOnceImpl(llvm::ArrayRef<unsigned> DiagIDs,
1759                                  const DiagnosticsEngine &Diags,
1760                                  SourceLocation At) {
1761   return llvm::any_of(DiagIDs, [&Diags, At](unsigned DiagID) {
1762     return !Diags.isIgnored(DiagID, At);
1763   });
1764 }
1765 
1766 bool shouldAnalyzeCalledOnceConventions(const DiagnosticsEngine &Diags,
1767                                         SourceLocation At) {
1768   return shouldAnalyzeCalledOnceImpl(CompletionHandlerWarnings, Diags, At);
1769 }
1770 
1771 bool shouldAnalyzeCalledOnceParameters(const DiagnosticsEngine &Diags,
1772                                        SourceLocation At) {
1773   return shouldAnalyzeCalledOnceImpl(CalledOnceWarnings, Diags, At) ||
1774          shouldAnalyzeCalledOnceConventions(Diags, At);
1775 }
1776 } // anonymous namespace
1777 
1778 //===----------------------------------------------------------------------===//
1779 // -Wthread-safety
1780 //===----------------------------------------------------------------------===//
1781 namespace clang {
1782 namespace threadSafety {
1783 namespace {
1784 class ThreadSafetyReporter : public clang::threadSafety::ThreadSafetyHandler {
1785   Sema &S;
1786   DiagList Warnings;
1787   SourceLocation FunLocation, FunEndLocation;
1788 
1789   const FunctionDecl *CurrentFunction;
1790   bool Verbose;
1791 
1792   OptionalNotes getNotes() const {
1793     if (Verbose && CurrentFunction) {
1794       PartialDiagnosticAt FNote(CurrentFunction->getBody()->getBeginLoc(),
1795                                 S.PDiag(diag::note_thread_warning_in_fun)
1796                                     << CurrentFunction);
1797       return OptionalNotes(1, FNote);
1798     }
1799     return OptionalNotes();
1800   }
1801 
1802   OptionalNotes getNotes(const PartialDiagnosticAt &Note) const {
1803     OptionalNotes ONS(1, Note);
1804     if (Verbose && CurrentFunction) {
1805       PartialDiagnosticAt FNote(CurrentFunction->getBody()->getBeginLoc(),
1806                                 S.PDiag(diag::note_thread_warning_in_fun)
1807                                     << CurrentFunction);
1808       ONS.push_back(std::move(FNote));
1809     }
1810     return ONS;
1811   }
1812 
1813   OptionalNotes getNotes(const PartialDiagnosticAt &Note1,
1814                          const PartialDiagnosticAt &Note2) const {
1815     OptionalNotes ONS;
1816     ONS.push_back(Note1);
1817     ONS.push_back(Note2);
1818     if (Verbose && CurrentFunction) {
1819       PartialDiagnosticAt FNote(CurrentFunction->getBody()->getBeginLoc(),
1820                                 S.PDiag(diag::note_thread_warning_in_fun)
1821                                     << CurrentFunction);
1822       ONS.push_back(std::move(FNote));
1823     }
1824     return ONS;
1825   }
1826 
1827   OptionalNotes makeLockedHereNote(SourceLocation LocLocked, StringRef Kind) {
1828     return LocLocked.isValid()
1829                ? getNotes(PartialDiagnosticAt(
1830                      LocLocked, S.PDiag(diag::note_locked_here) << Kind))
1831                : getNotes();
1832   }
1833 
1834   OptionalNotes makeUnlockedHereNote(SourceLocation LocUnlocked,
1835                                      StringRef Kind) {
1836     return LocUnlocked.isValid()
1837                ? getNotes(PartialDiagnosticAt(
1838                      LocUnlocked, S.PDiag(diag::note_unlocked_here) << Kind))
1839                : getNotes();
1840   }
1841 
1842  public:
1843   ThreadSafetyReporter(Sema &S, SourceLocation FL, SourceLocation FEL)
1844     : S(S), FunLocation(FL), FunEndLocation(FEL),
1845       CurrentFunction(nullptr), Verbose(false) {}
1846 
1847   void setVerbose(bool b) { Verbose = b; }
1848 
1849   /// Emit all buffered diagnostics in order of sourcelocation.
1850   /// We need to output diagnostics produced while iterating through
1851   /// the lockset in deterministic order, so this function orders diagnostics
1852   /// and outputs them.
1853   void emitDiagnostics() {
1854     Warnings.sort(SortDiagBySourceLocation(S.getSourceManager()));
1855     for (const auto &Diag : Warnings) {
1856       S.Diag(Diag.first.first, Diag.first.second);
1857       for (const auto &Note : Diag.second)
1858         S.Diag(Note.first, Note.second);
1859     }
1860   }
1861 
1862   void handleInvalidLockExp(SourceLocation Loc) override {
1863     PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_cannot_resolve_lock)
1864                                          << Loc);
1865     Warnings.emplace_back(std::move(Warning), getNotes());
1866   }
1867 
1868   void handleUnmatchedUnlock(StringRef Kind, Name LockName, SourceLocation Loc,
1869                              SourceLocation LocPreviousUnlock) override {
1870     if (Loc.isInvalid())
1871       Loc = FunLocation;
1872     PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_unlock_but_no_lock)
1873                                          << Kind << LockName);
1874     Warnings.emplace_back(std::move(Warning),
1875                           makeUnlockedHereNote(LocPreviousUnlock, Kind));
1876   }
1877 
1878   void handleIncorrectUnlockKind(StringRef Kind, Name LockName,
1879                                  LockKind Expected, LockKind Received,
1880                                  SourceLocation LocLocked,
1881                                  SourceLocation LocUnlock) override {
1882     if (LocUnlock.isInvalid())
1883       LocUnlock = FunLocation;
1884     PartialDiagnosticAt Warning(
1885         LocUnlock, S.PDiag(diag::warn_unlock_kind_mismatch)
1886                        << Kind << LockName << Received << Expected);
1887     Warnings.emplace_back(std::move(Warning),
1888                           makeLockedHereNote(LocLocked, Kind));
1889   }
1890 
1891   void handleDoubleLock(StringRef Kind, Name LockName, SourceLocation LocLocked,
1892                         SourceLocation LocDoubleLock) override {
1893     if (LocDoubleLock.isInvalid())
1894       LocDoubleLock = FunLocation;
1895     PartialDiagnosticAt Warning(LocDoubleLock, S.PDiag(diag::warn_double_lock)
1896                                                    << Kind << LockName);
1897     Warnings.emplace_back(std::move(Warning),
1898                           makeLockedHereNote(LocLocked, Kind));
1899   }
1900 
1901   void handleMutexHeldEndOfScope(StringRef Kind, Name LockName,
1902                                  SourceLocation LocLocked,
1903                                  SourceLocation LocEndOfScope,
1904                                  LockErrorKind LEK) override {
1905     unsigned DiagID = 0;
1906     switch (LEK) {
1907       case LEK_LockedSomePredecessors:
1908         DiagID = diag::warn_lock_some_predecessors;
1909         break;
1910       case LEK_LockedSomeLoopIterations:
1911         DiagID = diag::warn_expecting_lock_held_on_loop;
1912         break;
1913       case LEK_LockedAtEndOfFunction:
1914         DiagID = diag::warn_no_unlock;
1915         break;
1916       case LEK_NotLockedAtEndOfFunction:
1917         DiagID = diag::warn_expecting_locked;
1918         break;
1919     }
1920     if (LocEndOfScope.isInvalid())
1921       LocEndOfScope = FunEndLocation;
1922 
1923     PartialDiagnosticAt Warning(LocEndOfScope, S.PDiag(DiagID) << Kind
1924                                                                << LockName);
1925     Warnings.emplace_back(std::move(Warning),
1926                           makeLockedHereNote(LocLocked, Kind));
1927   }
1928 
1929   void handleExclusiveAndShared(StringRef Kind, Name LockName,
1930                                 SourceLocation Loc1,
1931                                 SourceLocation Loc2) override {
1932     PartialDiagnosticAt Warning(Loc1,
1933                                 S.PDiag(diag::warn_lock_exclusive_and_shared)
1934                                     << Kind << LockName);
1935     PartialDiagnosticAt Note(Loc2, S.PDiag(diag::note_lock_exclusive_and_shared)
1936                                        << Kind << LockName);
1937     Warnings.emplace_back(std::move(Warning), getNotes(Note));
1938   }
1939 
1940   void handleNoMutexHeld(const NamedDecl *D, ProtectedOperationKind POK,
1941                          AccessKind AK, SourceLocation Loc) override {
1942     assert((POK == POK_VarAccess || POK == POK_VarDereference) &&
1943            "Only works for variables");
1944     unsigned DiagID = POK == POK_VarAccess?
1945                         diag::warn_variable_requires_any_lock:
1946                         diag::warn_var_deref_requires_any_lock;
1947     PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID)
1948       << D << getLockKindFromAccessKind(AK));
1949     Warnings.emplace_back(std::move(Warning), getNotes());
1950   }
1951 
1952   void handleMutexNotHeld(StringRef Kind, const NamedDecl *D,
1953                           ProtectedOperationKind POK, Name LockName,
1954                           LockKind LK, SourceLocation Loc,
1955                           Name *PossibleMatch) override {
1956     unsigned DiagID = 0;
1957     if (PossibleMatch) {
1958       switch (POK) {
1959         case POK_VarAccess:
1960           DiagID = diag::warn_variable_requires_lock_precise;
1961           break;
1962         case POK_VarDereference:
1963           DiagID = diag::warn_var_deref_requires_lock_precise;
1964           break;
1965         case POK_FunctionCall:
1966           DiagID = diag::warn_fun_requires_lock_precise;
1967           break;
1968         case POK_PassByRef:
1969           DiagID = diag::warn_guarded_pass_by_reference;
1970           break;
1971         case POK_PtPassByRef:
1972           DiagID = diag::warn_pt_guarded_pass_by_reference;
1973           break;
1974       }
1975       PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID) << Kind
1976                                                        << D
1977                                                        << LockName << LK);
1978       PartialDiagnosticAt Note(Loc, S.PDiag(diag::note_found_mutex_near_match)
1979                                         << *PossibleMatch);
1980       if (Verbose && POK == POK_VarAccess) {
1981         PartialDiagnosticAt VNote(D->getLocation(),
1982                                   S.PDiag(diag::note_guarded_by_declared_here)
1983                                       << D->getDeclName());
1984         Warnings.emplace_back(std::move(Warning), getNotes(Note, VNote));
1985       } else
1986         Warnings.emplace_back(std::move(Warning), getNotes(Note));
1987     } else {
1988       switch (POK) {
1989         case POK_VarAccess:
1990           DiagID = diag::warn_variable_requires_lock;
1991           break;
1992         case POK_VarDereference:
1993           DiagID = diag::warn_var_deref_requires_lock;
1994           break;
1995         case POK_FunctionCall:
1996           DiagID = diag::warn_fun_requires_lock;
1997           break;
1998         case POK_PassByRef:
1999           DiagID = diag::warn_guarded_pass_by_reference;
2000           break;
2001         case POK_PtPassByRef:
2002           DiagID = diag::warn_pt_guarded_pass_by_reference;
2003           break;
2004       }
2005       PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID) << Kind
2006                                                        << D
2007                                                        << LockName << LK);
2008       if (Verbose && POK == POK_VarAccess) {
2009         PartialDiagnosticAt Note(D->getLocation(),
2010                                  S.PDiag(diag::note_guarded_by_declared_here));
2011         Warnings.emplace_back(std::move(Warning), getNotes(Note));
2012       } else
2013         Warnings.emplace_back(std::move(Warning), getNotes());
2014     }
2015   }
2016 
2017   void handleNegativeNotHeld(StringRef Kind, Name LockName, Name Neg,
2018                              SourceLocation Loc) override {
2019     PartialDiagnosticAt Warning(Loc,
2020         S.PDiag(diag::warn_acquire_requires_negative_cap)
2021         << Kind << LockName << Neg);
2022     Warnings.emplace_back(std::move(Warning), getNotes());
2023   }
2024 
2025   void handleNegativeNotHeld(const NamedDecl *D, Name LockName,
2026                              SourceLocation Loc) override {
2027     PartialDiagnosticAt Warning(
2028         Loc, S.PDiag(diag::warn_fun_requires_negative_cap) << D << LockName);
2029     Warnings.emplace_back(std::move(Warning), getNotes());
2030   }
2031 
2032   void handleFunExcludesLock(StringRef Kind, Name FunName, Name LockName,
2033                              SourceLocation Loc) override {
2034     PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_fun_excludes_mutex)
2035                                          << Kind << FunName << LockName);
2036     Warnings.emplace_back(std::move(Warning), getNotes());
2037   }
2038 
2039   void handleLockAcquiredBefore(StringRef Kind, Name L1Name, Name L2Name,
2040                                 SourceLocation Loc) override {
2041     PartialDiagnosticAt Warning(Loc,
2042       S.PDiag(diag::warn_acquired_before) << Kind << L1Name << L2Name);
2043     Warnings.emplace_back(std::move(Warning), getNotes());
2044   }
2045 
2046   void handleBeforeAfterCycle(Name L1Name, SourceLocation Loc) override {
2047     PartialDiagnosticAt Warning(Loc,
2048       S.PDiag(diag::warn_acquired_before_after_cycle) << L1Name);
2049     Warnings.emplace_back(std::move(Warning), getNotes());
2050   }
2051 
2052   void enterFunction(const FunctionDecl* FD) override {
2053     CurrentFunction = FD;
2054   }
2055 
2056   void leaveFunction(const FunctionDecl* FD) override {
2057     CurrentFunction = nullptr;
2058   }
2059 };
2060 } // anonymous namespace
2061 } // namespace threadSafety
2062 } // namespace clang
2063 
2064 //===----------------------------------------------------------------------===//
2065 // -Wconsumed
2066 //===----------------------------------------------------------------------===//
2067 
2068 namespace clang {
2069 namespace consumed {
2070 namespace {
2071 class ConsumedWarningsHandler : public ConsumedWarningsHandlerBase {
2072 
2073   Sema &S;
2074   DiagList Warnings;
2075 
2076 public:
2077 
2078   ConsumedWarningsHandler(Sema &S) : S(S) {}
2079 
2080   void emitDiagnostics() override {
2081     Warnings.sort(SortDiagBySourceLocation(S.getSourceManager()));
2082     for (const auto &Diag : Warnings) {
2083       S.Diag(Diag.first.first, Diag.first.second);
2084       for (const auto &Note : Diag.second)
2085         S.Diag(Note.first, Note.second);
2086     }
2087   }
2088 
2089   void warnLoopStateMismatch(SourceLocation Loc,
2090                              StringRef VariableName) override {
2091     PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_loop_state_mismatch) <<
2092       VariableName);
2093 
2094     Warnings.emplace_back(std::move(Warning), OptionalNotes());
2095   }
2096 
2097   void warnParamReturnTypestateMismatch(SourceLocation Loc,
2098                                         StringRef VariableName,
2099                                         StringRef ExpectedState,
2100                                         StringRef ObservedState) override {
2101 
2102     PartialDiagnosticAt Warning(Loc, S.PDiag(
2103       diag::warn_param_return_typestate_mismatch) << VariableName <<
2104         ExpectedState << ObservedState);
2105 
2106     Warnings.emplace_back(std::move(Warning), OptionalNotes());
2107   }
2108 
2109   void warnParamTypestateMismatch(SourceLocation Loc, StringRef ExpectedState,
2110                                   StringRef ObservedState) override {
2111 
2112     PartialDiagnosticAt Warning(Loc, S.PDiag(
2113       diag::warn_param_typestate_mismatch) << ExpectedState << ObservedState);
2114 
2115     Warnings.emplace_back(std::move(Warning), OptionalNotes());
2116   }
2117 
2118   void warnReturnTypestateForUnconsumableType(SourceLocation Loc,
2119                                               StringRef TypeName) override {
2120     PartialDiagnosticAt Warning(Loc, S.PDiag(
2121       diag::warn_return_typestate_for_unconsumable_type) << TypeName);
2122 
2123     Warnings.emplace_back(std::move(Warning), OptionalNotes());
2124   }
2125 
2126   void warnReturnTypestateMismatch(SourceLocation Loc, StringRef ExpectedState,
2127                                    StringRef ObservedState) override {
2128 
2129     PartialDiagnosticAt Warning(Loc, S.PDiag(
2130       diag::warn_return_typestate_mismatch) << ExpectedState << ObservedState);
2131 
2132     Warnings.emplace_back(std::move(Warning), OptionalNotes());
2133   }
2134 
2135   void warnUseOfTempInInvalidState(StringRef MethodName, StringRef State,
2136                                    SourceLocation Loc) override {
2137 
2138     PartialDiagnosticAt Warning(Loc, S.PDiag(
2139       diag::warn_use_of_temp_in_invalid_state) << MethodName << State);
2140 
2141     Warnings.emplace_back(std::move(Warning), OptionalNotes());
2142   }
2143 
2144   void warnUseInInvalidState(StringRef MethodName, StringRef VariableName,
2145                              StringRef State, SourceLocation Loc) override {
2146 
2147     PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_use_in_invalid_state) <<
2148                                 MethodName << VariableName << State);
2149 
2150     Warnings.emplace_back(std::move(Warning), OptionalNotes());
2151   }
2152 };
2153 } // anonymous namespace
2154 } // namespace consumed
2155 } // namespace clang
2156 
2157 //===----------------------------------------------------------------------===//
2158 // Unsafe buffer usage analysis.
2159 //===----------------------------------------------------------------------===//
2160 
2161 namespace {
2162 class UnsafeBufferUsageReporter : public UnsafeBufferUsageHandler {
2163   Sema &S;
2164   bool SuggestSuggestions;  // Recommend -fsafe-buffer-usage-suggestions?
2165 
2166 public:
2167   UnsafeBufferUsageReporter(Sema &S, bool SuggestSuggestions)
2168     : S(S), SuggestSuggestions(SuggestSuggestions) {}
2169 
2170   void handleUnsafeOperation(const Stmt *Operation,
2171                              bool IsRelatedToDecl) override {
2172     SourceLocation Loc;
2173     SourceRange Range;
2174     unsigned MsgParam = 0;
2175     if (const auto *ASE = dyn_cast<ArraySubscriptExpr>(Operation)) {
2176       Loc = ASE->getBase()->getExprLoc();
2177       Range = ASE->getBase()->getSourceRange();
2178       MsgParam = 2;
2179     } else if (const auto *BO = dyn_cast<BinaryOperator>(Operation)) {
2180       BinaryOperator::Opcode Op = BO->getOpcode();
2181       if (Op == BO_Add || Op == BO_AddAssign || Op == BO_Sub ||
2182           Op == BO_SubAssign) {
2183         if (BO->getRHS()->getType()->isIntegerType()) {
2184           Loc = BO->getLHS()->getExprLoc();
2185           Range = BO->getLHS()->getSourceRange();
2186         } else {
2187           Loc = BO->getRHS()->getExprLoc();
2188           Range = BO->getRHS()->getSourceRange();
2189         }
2190         MsgParam = 1;
2191       }
2192     } else if (const auto *UO = dyn_cast<UnaryOperator>(Operation)) {
2193       UnaryOperator::Opcode Op = UO->getOpcode();
2194       if (Op == UO_PreInc || Op == UO_PreDec || Op == UO_PostInc ||
2195           Op == UO_PostDec) {
2196         Loc = UO->getSubExpr()->getExprLoc();
2197         Range = UO->getSubExpr()->getSourceRange();
2198         MsgParam = 1;
2199       }
2200     } else {
2201       if (isa<CallExpr>(Operation)) {
2202         // note_unsafe_buffer_operation doesn't have this mode yet.
2203         assert(!IsRelatedToDecl && "Not implemented yet!");
2204         MsgParam = 3;
2205       }
2206       Loc = Operation->getBeginLoc();
2207       Range = Operation->getSourceRange();
2208     }
2209     if (IsRelatedToDecl) {
2210       assert(!SuggestSuggestions &&
2211              "Variables blamed for unsafe buffer usage without suggestions!");
2212       S.Diag(Loc, diag::note_unsafe_buffer_operation) << MsgParam << Range;
2213     } else {
2214       S.Diag(Loc, diag::warn_unsafe_buffer_operation) << MsgParam << Range;
2215       if (SuggestSuggestions) {
2216         S.Diag(Loc, diag::note_safe_buffer_usage_suggestions_disabled);
2217       }
2218     }
2219   }
2220 
2221   void handleUnsafeVariableGroup(const VarDecl *Variable,
2222                                  const DefMapTy &VarGrpMap,
2223                              FixItList &&Fixes) override {
2224     assert(!SuggestSuggestions &&
2225            "Unsafe buffer usage fixits displayed without suggestions!");
2226     S.Diag(Variable->getLocation(), diag::warn_unsafe_buffer_variable)
2227         << Variable << (Variable->getType()->isPointerType() ? 0 : 1)
2228         << Variable->getSourceRange();
2229     if (!Fixes.empty()) {
2230       const auto VarGroupForVD = VarGrpMap.find(Variable)->second;
2231       unsigned FixItStrategy = 0; // For now we only have 'std::span' strategy
2232       const auto &FD = S.Diag(Variable->getLocation(),
2233                               diag::note_unsafe_buffer_variable_fixit_group);
2234 
2235       FD << Variable << FixItStrategy;
2236       std::string AllVars = "";
2237       if (VarGroupForVD.size() > 1) {
2238         if (VarGroupForVD.size() == 2) {
2239           if (VarGroupForVD[0] == Variable) {
2240             AllVars.append("'" + VarGroupForVD[1]->getName().str() + "'");
2241           } else {
2242             AllVars.append("'" + VarGroupForVD[0]->getName().str() + "'");
2243           }
2244         } else {
2245           bool first = false;
2246           if (VarGroupForVD.size() == 3) {
2247             for (const VarDecl * V : VarGroupForVD) {
2248               if (V == Variable) {
2249                 continue;
2250               }
2251               if (!first) {
2252                 first = true;
2253                 AllVars.append("'" + V->getName().str() + "'" + " and ");
2254               } else {
2255                 AllVars.append("'" + V->getName().str() + "'");
2256               }
2257             }
2258           } else {
2259             for (const VarDecl * V : VarGroupForVD) {
2260               if (V == Variable) {
2261                 continue;
2262               }
2263               if (VarGroupForVD.back() != V) {
2264                 AllVars.append("'" + V->getName().str() + "'" + ", ");
2265               } else {
2266                 AllVars.append("and '" + V->getName().str() + "'");
2267               }
2268             }
2269           }
2270         }
2271         FD << AllVars << 1;
2272       } else {
2273         FD << "" << 0;
2274       }
2275 
2276       for (const auto &F : Fixes)
2277         FD << F;
2278     }
2279   }
2280 
2281   bool isSafeBufferOptOut(const SourceLocation &Loc) const override {
2282     return S.PP.isSafeBufferOptOut(S.getSourceManager(), Loc);
2283   }
2284 
2285   // Returns the text representation of clang::unsafe_buffer_usage attribute.
2286   // `WSSuffix` holds customized "white-space"s, e.g., newline or whilespace
2287   // characters.
2288   std::string
2289   getUnsafeBufferUsageAttributeTextAt(SourceLocation Loc,
2290                                       StringRef WSSuffix = "") const override {
2291     Preprocessor &PP = S.getPreprocessor();
2292     TokenValue ClangUnsafeBufferUsageTokens[] = {
2293         tok::l_square,
2294         tok::l_square,
2295         PP.getIdentifierInfo("clang"),
2296         tok::coloncolon,
2297         PP.getIdentifierInfo("unsafe_buffer_usage"),
2298         tok::r_square,
2299         tok::r_square};
2300 
2301     StringRef MacroName;
2302 
2303     // The returned macro (it returns) is guaranteed not to be function-like:
2304     MacroName = PP.getLastMacroWithSpelling(Loc, ClangUnsafeBufferUsageTokens);
2305     if (MacroName.empty())
2306       MacroName = "[[clang::unsafe_buffer_usage]]";
2307     return MacroName.str() + WSSuffix.str();
2308   }
2309 };
2310 } // namespace
2311 
2312 //===----------------------------------------------------------------------===//
2313 // AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based
2314 //  warnings on a function, method, or block.
2315 //===----------------------------------------------------------------------===//
2316 
2317 sema::AnalysisBasedWarnings::Policy::Policy() {
2318   enableCheckFallThrough = 1;
2319   enableCheckUnreachable = 0;
2320   enableThreadSafetyAnalysis = 0;
2321   enableConsumedAnalysis = 0;
2322 }
2323 
2324 /// InterProceduralData aims to be a storage of whatever data should be passed
2325 /// between analyses of different functions.
2326 ///
2327 /// At the moment, its primary goal is to make the information gathered during
2328 /// the analysis of the blocks available during the analysis of the enclosing
2329 /// function.  This is important due to the fact that blocks are analyzed before
2330 /// the enclosed function is even parsed fully, so it is not viable to access
2331 /// anything in the outer scope while analyzing the block.  On the other hand,
2332 /// re-building CFG for blocks and re-analyzing them when we do have all the
2333 /// information (i.e. during the analysis of the enclosing function) seems to be
2334 /// ill-designed.
2335 class sema::AnalysisBasedWarnings::InterProceduralData {
2336 public:
2337   // It is important to analyze blocks within functions because it's a very
2338   // common pattern to capture completion handler parameters by blocks.
2339   CalledOnceInterProceduralData CalledOnceData;
2340 };
2341 
2342 static unsigned isEnabled(DiagnosticsEngine &D, unsigned diag) {
2343   return (unsigned)!D.isIgnored(diag, SourceLocation());
2344 }
2345 
2346 sema::AnalysisBasedWarnings::AnalysisBasedWarnings(Sema &s)
2347     : S(s), IPData(std::make_unique<InterProceduralData>()),
2348       NumFunctionsAnalyzed(0), NumFunctionsWithBadCFGs(0), NumCFGBlocks(0),
2349       MaxCFGBlocksPerFunction(0), NumUninitAnalysisFunctions(0),
2350       NumUninitAnalysisVariables(0), MaxUninitAnalysisVariablesPerFunction(0),
2351       NumUninitAnalysisBlockVisits(0),
2352       MaxUninitAnalysisBlockVisitsPerFunction(0) {
2353 
2354   using namespace diag;
2355   DiagnosticsEngine &D = S.getDiagnostics();
2356 
2357   DefaultPolicy.enableCheckUnreachable =
2358       isEnabled(D, warn_unreachable) || isEnabled(D, warn_unreachable_break) ||
2359       isEnabled(D, warn_unreachable_return) ||
2360       isEnabled(D, warn_unreachable_loop_increment);
2361 
2362   DefaultPolicy.enableThreadSafetyAnalysis = isEnabled(D, warn_double_lock);
2363 
2364   DefaultPolicy.enableConsumedAnalysis =
2365       isEnabled(D, warn_use_in_invalid_state);
2366 }
2367 
2368 // We need this here for unique_ptr with forward declared class.
2369 sema::AnalysisBasedWarnings::~AnalysisBasedWarnings() = default;
2370 
2371 static void flushDiagnostics(Sema &S, const sema::FunctionScopeInfo *fscope) {
2372   for (const auto &D : fscope->PossiblyUnreachableDiags)
2373     S.Diag(D.Loc, D.PD);
2374 }
2375 
2376 // An AST Visitor that calls a callback function on each callable DEFINITION
2377 // that is NOT in a dependent context:
2378 class CallableVisitor : public RecursiveASTVisitor<CallableVisitor> {
2379 private:
2380   llvm::function_ref<void(const Decl *)> Callback;
2381 
2382 public:
2383   CallableVisitor(llvm::function_ref<void(const Decl *)> Callback)
2384       : Callback(Callback) {}
2385 
2386   bool VisitFunctionDecl(FunctionDecl *Node) {
2387     if (cast<DeclContext>(Node)->isDependentContext())
2388       return true; // Not to analyze dependent decl
2389     // `FunctionDecl->hasBody()` returns true if the function has a body
2390     // somewhere defined.  But we want to know if this `Node` has a body
2391     // child.  So we use `doesThisDeclarationHaveABody`:
2392     if (Node->doesThisDeclarationHaveABody())
2393       Callback(Node);
2394     return true;
2395   }
2396 
2397   bool VisitBlockDecl(BlockDecl *Node) {
2398     if (cast<DeclContext>(Node)->isDependentContext())
2399       return true; // Not to analyze dependent decl
2400     Callback(Node);
2401     return true;
2402   }
2403 
2404   bool VisitObjCMethodDecl(ObjCMethodDecl *Node) {
2405     if (cast<DeclContext>(Node)->isDependentContext())
2406       return true; // Not to analyze dependent decl
2407     if (Node->hasBody())
2408       Callback(Node);
2409     return true;
2410   }
2411 
2412   bool VisitLambdaExpr(LambdaExpr *Node) {
2413     return VisitFunctionDecl(Node->getCallOperator());
2414   }
2415 
2416   bool shouldVisitTemplateInstantiations() const { return true; }
2417   bool shouldVisitImplicitCode() const { return false; }
2418 };
2419 
2420 void clang::sema::AnalysisBasedWarnings::IssueWarnings(
2421      TranslationUnitDecl *TU) {
2422   if (!TU)
2423     return; // This is unexpected, give up quietly.
2424 
2425   DiagnosticsEngine &Diags = S.getDiagnostics();
2426 
2427   if (S.hasUncompilableErrorOccurred() || Diags.getIgnoreAllWarnings())
2428     // exit if having uncompilable errors or ignoring all warnings:
2429     return;
2430 
2431   DiagnosticOptions &DiagOpts = Diags.getDiagnosticOptions();
2432 
2433   // UnsafeBufferUsage analysis settings.
2434   bool UnsafeBufferUsageCanEmitSuggestions = S.getLangOpts().CPlusPlus20;
2435   bool UnsafeBufferUsageShouldEmitSuggestions =  // Should != Can.
2436       UnsafeBufferUsageCanEmitSuggestions &&
2437       DiagOpts.ShowSafeBufferUsageSuggestions;
2438   bool UnsafeBufferUsageShouldSuggestSuggestions =
2439       UnsafeBufferUsageCanEmitSuggestions &&
2440       !DiagOpts.ShowSafeBufferUsageSuggestions;
2441   UnsafeBufferUsageReporter R(S, UnsafeBufferUsageShouldSuggestSuggestions);
2442 
2443   // The Callback function that performs analyses:
2444   auto CallAnalyzers = [&](const Decl *Node) -> void {
2445     // Perform unsafe buffer usage analysis:
2446     if (!Diags.isIgnored(diag::warn_unsafe_buffer_operation,
2447                          Node->getBeginLoc()) ||
2448         !Diags.isIgnored(diag::warn_unsafe_buffer_variable,
2449                          Node->getBeginLoc())) {
2450       clang::checkUnsafeBufferUsage(Node, R,
2451                                     UnsafeBufferUsageShouldEmitSuggestions);
2452     }
2453 
2454     // More analysis ...
2455   };
2456   // Emit per-function analysis-based warnings that require the whole-TU
2457   // reasoning. Check if any of them is enabled at all before scanning the AST:
2458   if (!Diags.isIgnored(diag::warn_unsafe_buffer_operation, SourceLocation()) ||
2459       !Diags.isIgnored(diag::warn_unsafe_buffer_variable, SourceLocation())) {
2460     CallableVisitor(CallAnalyzers).TraverseTranslationUnitDecl(TU);
2461   }
2462 }
2463 
2464 void clang::sema::AnalysisBasedWarnings::IssueWarnings(
2465     sema::AnalysisBasedWarnings::Policy P, sema::FunctionScopeInfo *fscope,
2466     const Decl *D, QualType BlockType) {
2467 
2468   // We avoid doing analysis-based warnings when there are errors for
2469   // two reasons:
2470   // (1) The CFGs often can't be constructed (if the body is invalid), so
2471   //     don't bother trying.
2472   // (2) The code already has problems; running the analysis just takes more
2473   //     time.
2474   DiagnosticsEngine &Diags = S.getDiagnostics();
2475 
2476   // Do not do any analysis if we are going to just ignore them.
2477   if (Diags.getIgnoreAllWarnings() ||
2478       (Diags.getSuppressSystemWarnings() &&
2479        S.SourceMgr.isInSystemHeader(D->getLocation())))
2480     return;
2481 
2482   // For code in dependent contexts, we'll do this at instantiation time.
2483   if (cast<DeclContext>(D)->isDependentContext())
2484     return;
2485 
2486   if (S.hasUncompilableErrorOccurred()) {
2487     // Flush out any possibly unreachable diagnostics.
2488     flushDiagnostics(S, fscope);
2489     return;
2490   }
2491 
2492   const Stmt *Body = D->getBody();
2493   assert(Body);
2494 
2495   // Construct the analysis context with the specified CFG build options.
2496   AnalysisDeclContext AC(/* AnalysisDeclContextManager */ nullptr, D);
2497 
2498   // Don't generate EH edges for CallExprs as we'd like to avoid the n^2
2499   // explosion for destructors that can result and the compile time hit.
2500   AC.getCFGBuildOptions().PruneTriviallyFalseEdges = true;
2501   AC.getCFGBuildOptions().AddEHEdges = false;
2502   AC.getCFGBuildOptions().AddInitializers = true;
2503   AC.getCFGBuildOptions().AddImplicitDtors = true;
2504   AC.getCFGBuildOptions().AddTemporaryDtors = true;
2505   AC.getCFGBuildOptions().AddCXXNewAllocator = false;
2506   AC.getCFGBuildOptions().AddCXXDefaultInitExprInCtors = true;
2507 
2508   // Force that certain expressions appear as CFGElements in the CFG.  This
2509   // is used to speed up various analyses.
2510   // FIXME: This isn't the right factoring.  This is here for initial
2511   // prototyping, but we need a way for analyses to say what expressions they
2512   // expect to always be CFGElements and then fill in the BuildOptions
2513   // appropriately.  This is essentially a layering violation.
2514   if (P.enableCheckUnreachable || P.enableThreadSafetyAnalysis ||
2515       P.enableConsumedAnalysis) {
2516     // Unreachable code analysis and thread safety require a linearized CFG.
2517     AC.getCFGBuildOptions().setAllAlwaysAdd();
2518   }
2519   else {
2520     AC.getCFGBuildOptions()
2521       .setAlwaysAdd(Stmt::BinaryOperatorClass)
2522       .setAlwaysAdd(Stmt::CompoundAssignOperatorClass)
2523       .setAlwaysAdd(Stmt::BlockExprClass)
2524       .setAlwaysAdd(Stmt::CStyleCastExprClass)
2525       .setAlwaysAdd(Stmt::DeclRefExprClass)
2526       .setAlwaysAdd(Stmt::ImplicitCastExprClass)
2527       .setAlwaysAdd(Stmt::UnaryOperatorClass);
2528   }
2529 
2530   // Install the logical handler.
2531   std::optional<LogicalErrorHandler> LEH;
2532   if (LogicalErrorHandler::hasActiveDiagnostics(Diags, D->getBeginLoc())) {
2533     LEH.emplace(S);
2534     AC.getCFGBuildOptions().Observer = &*LEH;
2535   }
2536 
2537   // Emit delayed diagnostics.
2538   if (!fscope->PossiblyUnreachableDiags.empty()) {
2539     bool analyzed = false;
2540 
2541     // Register the expressions with the CFGBuilder.
2542     for (const auto &D : fscope->PossiblyUnreachableDiags) {
2543       for (const Stmt *S : D.Stmts)
2544         AC.registerForcedBlockExpression(S);
2545     }
2546 
2547     if (AC.getCFG()) {
2548       analyzed = true;
2549       for (const auto &D : fscope->PossiblyUnreachableDiags) {
2550         bool AllReachable = true;
2551         for (const Stmt *S : D.Stmts) {
2552           const CFGBlock *block = AC.getBlockForRegisteredExpression(S);
2553           CFGReverseBlockReachabilityAnalysis *cra =
2554               AC.getCFGReachablityAnalysis();
2555           // FIXME: We should be able to assert that block is non-null, but
2556           // the CFG analysis can skip potentially-evaluated expressions in
2557           // edge cases; see test/Sema/vla-2.c.
2558           if (block && cra) {
2559             // Can this block be reached from the entrance?
2560             if (!cra->isReachable(&AC.getCFG()->getEntry(), block)) {
2561               AllReachable = false;
2562               break;
2563             }
2564           }
2565           // If we cannot map to a basic block, assume the statement is
2566           // reachable.
2567         }
2568 
2569         if (AllReachable)
2570           S.Diag(D.Loc, D.PD);
2571       }
2572     }
2573 
2574     if (!analyzed)
2575       flushDiagnostics(S, fscope);
2576   }
2577 
2578   // Warning: check missing 'return'
2579   if (P.enableCheckFallThrough) {
2580     const CheckFallThroughDiagnostics &CD =
2581         (isa<BlockDecl>(D)
2582              ? CheckFallThroughDiagnostics::MakeForBlock()
2583              : (isa<CXXMethodDecl>(D) &&
2584                 cast<CXXMethodDecl>(D)->getOverloadedOperator() == OO_Call &&
2585                 cast<CXXMethodDecl>(D)->getParent()->isLambda())
2586                    ? CheckFallThroughDiagnostics::MakeForLambda()
2587                    : (fscope->isCoroutine()
2588                           ? CheckFallThroughDiagnostics::MakeForCoroutine(D)
2589                           : CheckFallThroughDiagnostics::MakeForFunction(D)));
2590     CheckFallThroughForBody(S, D, Body, BlockType, CD, AC, fscope);
2591   }
2592 
2593   // Warning: check for unreachable code
2594   if (P.enableCheckUnreachable) {
2595     // Only check for unreachable code on non-template instantiations.
2596     // Different template instantiations can effectively change the control-flow
2597     // and it is very difficult to prove that a snippet of code in a template
2598     // is unreachable for all instantiations.
2599     bool isTemplateInstantiation = false;
2600     if (const FunctionDecl *Function = dyn_cast<FunctionDecl>(D))
2601       isTemplateInstantiation = Function->isTemplateInstantiation();
2602     if (!isTemplateInstantiation)
2603       CheckUnreachable(S, AC);
2604   }
2605 
2606   // Check for thread safety violations
2607   if (P.enableThreadSafetyAnalysis) {
2608     SourceLocation FL = AC.getDecl()->getLocation();
2609     SourceLocation FEL = AC.getDecl()->getEndLoc();
2610     threadSafety::ThreadSafetyReporter Reporter(S, FL, FEL);
2611     if (!Diags.isIgnored(diag::warn_thread_safety_beta, D->getBeginLoc()))
2612       Reporter.setIssueBetaWarnings(true);
2613     if (!Diags.isIgnored(diag::warn_thread_safety_verbose, D->getBeginLoc()))
2614       Reporter.setVerbose(true);
2615 
2616     threadSafety::runThreadSafetyAnalysis(AC, Reporter,
2617                                           &S.ThreadSafetyDeclCache);
2618     Reporter.emitDiagnostics();
2619   }
2620 
2621   // Check for violations of consumed properties.
2622   if (P.enableConsumedAnalysis) {
2623     consumed::ConsumedWarningsHandler WarningHandler(S);
2624     consumed::ConsumedAnalyzer Analyzer(WarningHandler);
2625     Analyzer.run(AC);
2626   }
2627 
2628   if (!Diags.isIgnored(diag::warn_uninit_var, D->getBeginLoc()) ||
2629       !Diags.isIgnored(diag::warn_sometimes_uninit_var, D->getBeginLoc()) ||
2630       !Diags.isIgnored(diag::warn_maybe_uninit_var, D->getBeginLoc()) ||
2631       !Diags.isIgnored(diag::warn_uninit_const_reference, D->getBeginLoc())) {
2632     if (CFG *cfg = AC.getCFG()) {
2633       UninitValsDiagReporter reporter(S);
2634       UninitVariablesAnalysisStats stats;
2635       std::memset(&stats, 0, sizeof(UninitVariablesAnalysisStats));
2636       runUninitializedVariablesAnalysis(*cast<DeclContext>(D), *cfg, AC,
2637                                         reporter, stats);
2638 
2639       if (S.CollectStats && stats.NumVariablesAnalyzed > 0) {
2640         ++NumUninitAnalysisFunctions;
2641         NumUninitAnalysisVariables += stats.NumVariablesAnalyzed;
2642         NumUninitAnalysisBlockVisits += stats.NumBlockVisits;
2643         MaxUninitAnalysisVariablesPerFunction =
2644             std::max(MaxUninitAnalysisVariablesPerFunction,
2645                      stats.NumVariablesAnalyzed);
2646         MaxUninitAnalysisBlockVisitsPerFunction =
2647             std::max(MaxUninitAnalysisBlockVisitsPerFunction,
2648                      stats.NumBlockVisits);
2649       }
2650     }
2651   }
2652 
2653   // Check for violations of "called once" parameter properties.
2654   if (S.getLangOpts().ObjC && !S.getLangOpts().CPlusPlus &&
2655       shouldAnalyzeCalledOnceParameters(Diags, D->getBeginLoc())) {
2656     if (AC.getCFG()) {
2657       CalledOnceCheckReporter Reporter(S, IPData->CalledOnceData);
2658       checkCalledOnceParameters(
2659           AC, Reporter,
2660           shouldAnalyzeCalledOnceConventions(Diags, D->getBeginLoc()));
2661     }
2662   }
2663 
2664   bool FallThroughDiagFull =
2665       !Diags.isIgnored(diag::warn_unannotated_fallthrough, D->getBeginLoc());
2666   bool FallThroughDiagPerFunction = !Diags.isIgnored(
2667       diag::warn_unannotated_fallthrough_per_function, D->getBeginLoc());
2668   if (FallThroughDiagFull || FallThroughDiagPerFunction ||
2669       fscope->HasFallthroughStmt) {
2670     DiagnoseSwitchLabelsFallthrough(S, AC, !FallThroughDiagFull);
2671   }
2672 
2673   if (S.getLangOpts().ObjCWeak &&
2674       !Diags.isIgnored(diag::warn_arc_repeated_use_of_weak, D->getBeginLoc()))
2675     diagnoseRepeatedUseOfWeak(S, fscope, D, AC.getParentMap());
2676 
2677 
2678   // Check for infinite self-recursion in functions
2679   if (!Diags.isIgnored(diag::warn_infinite_recursive_function,
2680                        D->getBeginLoc())) {
2681     if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
2682       checkRecursiveFunction(S, FD, Body, AC);
2683     }
2684   }
2685 
2686   // Check for throw out of non-throwing function.
2687   if (!Diags.isIgnored(diag::warn_throw_in_noexcept_func, D->getBeginLoc()))
2688     if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
2689       if (S.getLangOpts().CPlusPlus && !fscope->isCoroutine() && isNoexcept(FD))
2690         checkThrowInNonThrowingFunc(S, FD, AC);
2691 
2692   // If none of the previous checks caused a CFG build, trigger one here
2693   // for the logical error handler.
2694   if (LogicalErrorHandler::hasActiveDiagnostics(Diags, D->getBeginLoc())) {
2695     AC.getCFG();
2696   }
2697 
2698   // Collect statistics about the CFG if it was built.
2699   if (S.CollectStats && AC.isCFGBuilt()) {
2700     ++NumFunctionsAnalyzed;
2701     if (CFG *cfg = AC.getCFG()) {
2702       // If we successfully built a CFG for this context, record some more
2703       // detail information about it.
2704       NumCFGBlocks += cfg->getNumBlockIDs();
2705       MaxCFGBlocksPerFunction = std::max(MaxCFGBlocksPerFunction,
2706                                          cfg->getNumBlockIDs());
2707     } else {
2708       ++NumFunctionsWithBadCFGs;
2709     }
2710   }
2711 }
2712 
2713 void clang::sema::AnalysisBasedWarnings::PrintStats() const {
2714   llvm::errs() << "\n*** Analysis Based Warnings Stats:\n";
2715 
2716   unsigned NumCFGsBuilt = NumFunctionsAnalyzed - NumFunctionsWithBadCFGs;
2717   unsigned AvgCFGBlocksPerFunction =
2718       !NumCFGsBuilt ? 0 : NumCFGBlocks/NumCFGsBuilt;
2719   llvm::errs() << NumFunctionsAnalyzed << " functions analyzed ("
2720                << NumFunctionsWithBadCFGs << " w/o CFGs).\n"
2721                << "  " << NumCFGBlocks << " CFG blocks built.\n"
2722                << "  " << AvgCFGBlocksPerFunction
2723                << " average CFG blocks per function.\n"
2724                << "  " << MaxCFGBlocksPerFunction
2725                << " max CFG blocks per function.\n";
2726 
2727   unsigned AvgUninitVariablesPerFunction = !NumUninitAnalysisFunctions ? 0
2728       : NumUninitAnalysisVariables/NumUninitAnalysisFunctions;
2729   unsigned AvgUninitBlockVisitsPerFunction = !NumUninitAnalysisFunctions ? 0
2730       : NumUninitAnalysisBlockVisits/NumUninitAnalysisFunctions;
2731   llvm::errs() << NumUninitAnalysisFunctions
2732                << " functions analyzed for uninitialiazed variables\n"
2733                << "  " << NumUninitAnalysisVariables << " variables analyzed.\n"
2734                << "  " << AvgUninitVariablesPerFunction
2735                << " average variables per function.\n"
2736                << "  " << MaxUninitAnalysisVariablesPerFunction
2737                << " max variables per function.\n"
2738                << "  " << NumUninitAnalysisBlockVisits << " block visits.\n"
2739                << "  " << AvgUninitBlockVisitsPerFunction
2740                << " average block visits per function.\n"
2741                << "  " << MaxUninitAnalysisBlockVisitsPerFunction
2742                << " max block visits per function.\n";
2743 }
2744