1 //===- SemaChecking.cpp - Extra Semantic Checking -------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file implements extra semantic analysis beyond what is enforced
10 // by the C type system.
11 //
12 //===----------------------------------------------------------------------===//
13
14 #include "CheckExprLifetime.h"
15 #include "clang/AST/APValue.h"
16 #include "clang/AST/ASTContext.h"
17 #include "clang/AST/ASTDiagnostic.h"
18 #include "clang/AST/Attr.h"
19 #include "clang/AST/AttrIterator.h"
20 #include "clang/AST/CharUnits.h"
21 #include "clang/AST/Decl.h"
22 #include "clang/AST/DeclBase.h"
23 #include "clang/AST/DeclCXX.h"
24 #include "clang/AST/DeclObjC.h"
25 #include "clang/AST/DeclarationName.h"
26 #include "clang/AST/EvaluatedExprVisitor.h"
27 #include "clang/AST/Expr.h"
28 #include "clang/AST/ExprCXX.h"
29 #include "clang/AST/ExprObjC.h"
30 #include "clang/AST/FormatString.h"
31 #include "clang/AST/IgnoreExpr.h"
32 #include "clang/AST/NSAPI.h"
33 #include "clang/AST/NonTrivialTypeVisitor.h"
34 #include "clang/AST/OperationKinds.h"
35 #include "clang/AST/RecordLayout.h"
36 #include "clang/AST/Stmt.h"
37 #include "clang/AST/TemplateBase.h"
38 #include "clang/AST/Type.h"
39 #include "clang/AST/TypeLoc.h"
40 #include "clang/AST/UnresolvedSet.h"
41 #include "clang/Basic/AddressSpaces.h"
42 #include "clang/Basic/Diagnostic.h"
43 #include "clang/Basic/IdentifierTable.h"
44 #include "clang/Basic/LLVM.h"
45 #include "clang/Basic/LangOptions.h"
46 #include "clang/Basic/OpenCLOptions.h"
47 #include "clang/Basic/OperatorKinds.h"
48 #include "clang/Basic/PartialDiagnostic.h"
49 #include "clang/Basic/SourceLocation.h"
50 #include "clang/Basic/SourceManager.h"
51 #include "clang/Basic/Specifiers.h"
52 #include "clang/Basic/SyncScope.h"
53 #include "clang/Basic/TargetInfo.h"
54 #include "clang/Basic/TypeTraits.h"
55 #include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering.
56 #include "clang/Sema/Initialization.h"
57 #include "clang/Sema/Lookup.h"
58 #include "clang/Sema/Ownership.h"
59 #include "clang/Sema/Scope.h"
60 #include "clang/Sema/ScopeInfo.h"
61 #include "clang/Sema/Sema.h"
62 #include "clang/Sema/SemaAMDGPU.h"
63 #include "clang/Sema/SemaARM.h"
64 #include "clang/Sema/SemaBPF.h"
65 #include "clang/Sema/SemaDirectX.h"
66 #include "clang/Sema/SemaHLSL.h"
67 #include "clang/Sema/SemaHexagon.h"
68 #include "clang/Sema/SemaLoongArch.h"
69 #include "clang/Sema/SemaMIPS.h"
70 #include "clang/Sema/SemaNVPTX.h"
71 #include "clang/Sema/SemaObjC.h"
72 #include "clang/Sema/SemaOpenCL.h"
73 #include "clang/Sema/SemaPPC.h"
74 #include "clang/Sema/SemaRISCV.h"
75 #include "clang/Sema/SemaSPIRV.h"
76 #include "clang/Sema/SemaSystemZ.h"
77 #include "clang/Sema/SemaWasm.h"
78 #include "clang/Sema/SemaX86.h"
79 #include "llvm/ADT/APFloat.h"
80 #include "llvm/ADT/APInt.h"
81 #include "llvm/ADT/APSInt.h"
82 #include "llvm/ADT/ArrayRef.h"
83 #include "llvm/ADT/DenseMap.h"
84 #include "llvm/ADT/FoldingSet.h"
85 #include "llvm/ADT/STLExtras.h"
86 #include "llvm/ADT/STLForwardCompat.h"
87 #include "llvm/ADT/SmallBitVector.h"
88 #include "llvm/ADT/SmallPtrSet.h"
89 #include "llvm/ADT/SmallString.h"
90 #include "llvm/ADT/SmallVector.h"
91 #include "llvm/ADT/StringExtras.h"
92 #include "llvm/ADT/StringRef.h"
93 #include "llvm/ADT/StringSet.h"
94 #include "llvm/ADT/StringSwitch.h"
95 #include "llvm/Support/AtomicOrdering.h"
96 #include "llvm/Support/Compiler.h"
97 #include "llvm/Support/ConvertUTF.h"
98 #include "llvm/Support/ErrorHandling.h"
99 #include "llvm/Support/Format.h"
100 #include "llvm/Support/Locale.h"
101 #include "llvm/Support/MathExtras.h"
102 #include "llvm/Support/SaveAndRestore.h"
103 #include "llvm/Support/raw_ostream.h"
104 #include "llvm/TargetParser/RISCVTargetParser.h"
105 #include "llvm/TargetParser/Triple.h"
106 #include <algorithm>
107 #include <cassert>
108 #include <cctype>
109 #include <cstddef>
110 #include <cstdint>
111 #include <functional>
112 #include <limits>
113 #include <optional>
114 #include <string>
115 #include <tuple>
116 #include <utility>
117
118 using namespace clang;
119 using namespace sema;
120
getLocationOfStringLiteralByte(const StringLiteral * SL,unsigned ByteNo) const121 SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
122 unsigned ByteNo) const {
123 return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts,
124 Context.getTargetInfo());
125 }
126
combineFAPK(Sema::FormatArgumentPassingKind A,Sema::FormatArgumentPassingKind B)127 static constexpr unsigned short combineFAPK(Sema::FormatArgumentPassingKind A,
128 Sema::FormatArgumentPassingKind B) {
129 return (A << 8) | B;
130 }
131
checkArgCountAtLeast(CallExpr * Call,unsigned MinArgCount)132 bool Sema::checkArgCountAtLeast(CallExpr *Call, unsigned MinArgCount) {
133 unsigned ArgCount = Call->getNumArgs();
134 if (ArgCount >= MinArgCount)
135 return false;
136
137 return Diag(Call->getEndLoc(), diag::err_typecheck_call_too_few_args)
138 << 0 /*function call*/ << MinArgCount << ArgCount
139 << /*is non object*/ 0 << Call->getSourceRange();
140 }
141
checkArgCountAtMost(CallExpr * Call,unsigned MaxArgCount)142 bool Sema::checkArgCountAtMost(CallExpr *Call, unsigned MaxArgCount) {
143 unsigned ArgCount = Call->getNumArgs();
144 if (ArgCount <= MaxArgCount)
145 return false;
146 return Diag(Call->getEndLoc(), diag::err_typecheck_call_too_many_args_at_most)
147 << 0 /*function call*/ << MaxArgCount << ArgCount
148 << /*is non object*/ 0 << Call->getSourceRange();
149 }
150
checkArgCountRange(CallExpr * Call,unsigned MinArgCount,unsigned MaxArgCount)151 bool Sema::checkArgCountRange(CallExpr *Call, unsigned MinArgCount,
152 unsigned MaxArgCount) {
153 return checkArgCountAtLeast(Call, MinArgCount) ||
154 checkArgCountAtMost(Call, MaxArgCount);
155 }
156
checkArgCount(CallExpr * Call,unsigned DesiredArgCount)157 bool Sema::checkArgCount(CallExpr *Call, unsigned DesiredArgCount) {
158 unsigned ArgCount = Call->getNumArgs();
159 if (ArgCount == DesiredArgCount)
160 return false;
161
162 if (checkArgCountAtLeast(Call, DesiredArgCount))
163 return true;
164 assert(ArgCount > DesiredArgCount && "should have diagnosed this");
165
166 // Highlight all the excess arguments.
167 SourceRange Range(Call->getArg(DesiredArgCount)->getBeginLoc(),
168 Call->getArg(ArgCount - 1)->getEndLoc());
169
170 return Diag(Range.getBegin(), diag::err_typecheck_call_too_many_args)
171 << 0 /*function call*/ << DesiredArgCount << ArgCount
172 << /*is non object*/ 0 << Range;
173 }
174
checkBuiltinVerboseTrap(CallExpr * Call,Sema & S)175 static bool checkBuiltinVerboseTrap(CallExpr *Call, Sema &S) {
176 bool HasError = false;
177
178 for (unsigned I = 0; I < Call->getNumArgs(); ++I) {
179 Expr *Arg = Call->getArg(I);
180
181 if (Arg->isValueDependent())
182 continue;
183
184 std::optional<std::string> ArgString = Arg->tryEvaluateString(S.Context);
185 int DiagMsgKind = -1;
186 // Arguments must be pointers to constant strings and cannot use '$'.
187 if (!ArgString.has_value())
188 DiagMsgKind = 0;
189 else if (ArgString->find('$') != std::string::npos)
190 DiagMsgKind = 1;
191
192 if (DiagMsgKind >= 0) {
193 S.Diag(Arg->getBeginLoc(), diag::err_builtin_verbose_trap_arg)
194 << DiagMsgKind << Arg->getSourceRange();
195 HasError = true;
196 }
197 }
198
199 return !HasError;
200 }
201
convertArgumentToType(Sema & S,Expr * & Value,QualType Ty)202 static bool convertArgumentToType(Sema &S, Expr *&Value, QualType Ty) {
203 if (Value->isTypeDependent())
204 return false;
205
206 InitializedEntity Entity =
207 InitializedEntity::InitializeParameter(S.Context, Ty, false);
208 ExprResult Result =
209 S.PerformCopyInitialization(Entity, SourceLocation(), Value);
210 if (Result.isInvalid())
211 return true;
212 Value = Result.get();
213 return false;
214 }
215
216 /// Check that the first argument to __builtin_annotation is an integer
217 /// and the second argument is a non-wide string literal.
BuiltinAnnotation(Sema & S,CallExpr * TheCall)218 static bool BuiltinAnnotation(Sema &S, CallExpr *TheCall) {
219 if (S.checkArgCount(TheCall, 2))
220 return true;
221
222 // First argument should be an integer.
223 Expr *ValArg = TheCall->getArg(0);
224 QualType Ty = ValArg->getType();
225 if (!Ty->isIntegerType()) {
226 S.Diag(ValArg->getBeginLoc(), diag::err_builtin_annotation_first_arg)
227 << ValArg->getSourceRange();
228 return true;
229 }
230
231 // Second argument should be a constant string.
232 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts();
233 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg);
234 if (!Literal || !Literal->isOrdinary()) {
235 S.Diag(StrArg->getBeginLoc(), diag::err_builtin_annotation_second_arg)
236 << StrArg->getSourceRange();
237 return true;
238 }
239
240 TheCall->setType(Ty);
241 return false;
242 }
243
BuiltinMSVCAnnotation(Sema & S,CallExpr * TheCall)244 static bool BuiltinMSVCAnnotation(Sema &S, CallExpr *TheCall) {
245 // We need at least one argument.
246 if (TheCall->getNumArgs() < 1) {
247 S.Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
248 << 0 << 1 << TheCall->getNumArgs() << /*is non object*/ 0
249 << TheCall->getCallee()->getSourceRange();
250 return true;
251 }
252
253 // All arguments should be wide string literals.
254 for (Expr *Arg : TheCall->arguments()) {
255 auto *Literal = dyn_cast<StringLiteral>(Arg->IgnoreParenCasts());
256 if (!Literal || !Literal->isWide()) {
257 S.Diag(Arg->getBeginLoc(), diag::err_msvc_annotation_wide_str)
258 << Arg->getSourceRange();
259 return true;
260 }
261 }
262
263 return false;
264 }
265
266 /// Check that the argument to __builtin_addressof is a glvalue, and set the
267 /// result type to the corresponding pointer type.
BuiltinAddressof(Sema & S,CallExpr * TheCall)268 static bool BuiltinAddressof(Sema &S, CallExpr *TheCall) {
269 if (S.checkArgCount(TheCall, 1))
270 return true;
271
272 ExprResult Arg(TheCall->getArg(0));
273 QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getBeginLoc());
274 if (ResultType.isNull())
275 return true;
276
277 TheCall->setArg(0, Arg.get());
278 TheCall->setType(ResultType);
279 return false;
280 }
281
282 /// Check that the argument to __builtin_function_start is a function.
BuiltinFunctionStart(Sema & S,CallExpr * TheCall)283 static bool BuiltinFunctionStart(Sema &S, CallExpr *TheCall) {
284 if (S.checkArgCount(TheCall, 1))
285 return true;
286
287 ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
288 if (Arg.isInvalid())
289 return true;
290
291 TheCall->setArg(0, Arg.get());
292 const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(
293 Arg.get()->getAsBuiltinConstantDeclRef(S.getASTContext()));
294
295 if (!FD) {
296 S.Diag(TheCall->getBeginLoc(), diag::err_function_start_invalid_type)
297 << TheCall->getSourceRange();
298 return true;
299 }
300
301 return !S.checkAddressOfFunctionIsAvailable(FD, /*Complain=*/true,
302 TheCall->getBeginLoc());
303 }
304
305 /// Check the number of arguments and set the result type to
306 /// the argument type.
BuiltinPreserveAI(Sema & S,CallExpr * TheCall)307 static bool BuiltinPreserveAI(Sema &S, CallExpr *TheCall) {
308 if (S.checkArgCount(TheCall, 1))
309 return true;
310
311 TheCall->setType(TheCall->getArg(0)->getType());
312 return false;
313 }
314
315 /// Check that the value argument for __builtin_is_aligned(value, alignment) and
316 /// __builtin_aligned_{up,down}(value, alignment) is an integer or a pointer
317 /// type (but not a function pointer) and that the alignment is a power-of-two.
BuiltinAlignment(Sema & S,CallExpr * TheCall,unsigned ID)318 static bool BuiltinAlignment(Sema &S, CallExpr *TheCall, unsigned ID) {
319 if (S.checkArgCount(TheCall, 2))
320 return true;
321
322 clang::Expr *Source = TheCall->getArg(0);
323 bool IsBooleanAlignBuiltin = ID == Builtin::BI__builtin_is_aligned;
324
325 auto IsValidIntegerType = [](QualType Ty) {
326 return Ty->isIntegerType() && !Ty->isEnumeralType() && !Ty->isBooleanType();
327 };
328 QualType SrcTy = Source->getType();
329 // We should also be able to use it with arrays (but not functions!).
330 if (SrcTy->canDecayToPointerType() && SrcTy->isArrayType()) {
331 SrcTy = S.Context.getDecayedType(SrcTy);
332 }
333 if ((!SrcTy->isPointerType() && !IsValidIntegerType(SrcTy)) ||
334 SrcTy->isFunctionPointerType()) {
335 // FIXME: this is not quite the right error message since we don't allow
336 // floating point types, or member pointers.
337 S.Diag(Source->getExprLoc(), diag::err_typecheck_expect_scalar_operand)
338 << SrcTy;
339 return true;
340 }
341
342 clang::Expr *AlignOp = TheCall->getArg(1);
343 if (!IsValidIntegerType(AlignOp->getType())) {
344 S.Diag(AlignOp->getExprLoc(), diag::err_typecheck_expect_int)
345 << AlignOp->getType();
346 return true;
347 }
348 Expr::EvalResult AlignResult;
349 unsigned MaxAlignmentBits = S.Context.getIntWidth(SrcTy) - 1;
350 // We can't check validity of alignment if it is value dependent.
351 if (!AlignOp->isValueDependent() &&
352 AlignOp->EvaluateAsInt(AlignResult, S.Context,
353 Expr::SE_AllowSideEffects)) {
354 llvm::APSInt AlignValue = AlignResult.Val.getInt();
355 llvm::APSInt MaxValue(
356 llvm::APInt::getOneBitSet(MaxAlignmentBits + 1, MaxAlignmentBits));
357 if (AlignValue < 1) {
358 S.Diag(AlignOp->getExprLoc(), diag::err_alignment_too_small) << 1;
359 return true;
360 }
361 if (llvm::APSInt::compareValues(AlignValue, MaxValue) > 0) {
362 S.Diag(AlignOp->getExprLoc(), diag::err_alignment_too_big)
363 << toString(MaxValue, 10);
364 return true;
365 }
366 if (!AlignValue.isPowerOf2()) {
367 S.Diag(AlignOp->getExprLoc(), diag::err_alignment_not_power_of_two);
368 return true;
369 }
370 if (AlignValue == 1) {
371 S.Diag(AlignOp->getExprLoc(), diag::warn_alignment_builtin_useless)
372 << IsBooleanAlignBuiltin;
373 }
374 }
375
376 ExprResult SrcArg = S.PerformCopyInitialization(
377 InitializedEntity::InitializeParameter(S.Context, SrcTy, false),
378 SourceLocation(), Source);
379 if (SrcArg.isInvalid())
380 return true;
381 TheCall->setArg(0, SrcArg.get());
382 ExprResult AlignArg =
383 S.PerformCopyInitialization(InitializedEntity::InitializeParameter(
384 S.Context, AlignOp->getType(), false),
385 SourceLocation(), AlignOp);
386 if (AlignArg.isInvalid())
387 return true;
388 TheCall->setArg(1, AlignArg.get());
389 // For align_up/align_down, the return type is the same as the (potentially
390 // decayed) argument type including qualifiers. For is_aligned(), the result
391 // is always bool.
392 TheCall->setType(IsBooleanAlignBuiltin ? S.Context.BoolTy : SrcTy);
393 return false;
394 }
395
BuiltinOverflow(Sema & S,CallExpr * TheCall,unsigned BuiltinID)396 static bool BuiltinOverflow(Sema &S, CallExpr *TheCall, unsigned BuiltinID) {
397 if (S.checkArgCount(TheCall, 3))
398 return true;
399
400 std::pair<unsigned, const char *> Builtins[] = {
401 { Builtin::BI__builtin_add_overflow, "ckd_add" },
402 { Builtin::BI__builtin_sub_overflow, "ckd_sub" },
403 { Builtin::BI__builtin_mul_overflow, "ckd_mul" },
404 };
405
406 bool CkdOperation = llvm::any_of(Builtins, [&](const std::pair<unsigned,
407 const char *> &P) {
408 return BuiltinID == P.first && TheCall->getExprLoc().isMacroID() &&
409 Lexer::getImmediateMacroName(TheCall->getExprLoc(),
410 S.getSourceManager(), S.getLangOpts()) == P.second;
411 });
412
413 auto ValidCkdIntType = [](QualType QT) {
414 // A valid checked integer type is an integer type other than a plain char,
415 // bool, a bit-precise type, or an enumeration type.
416 if (const auto *BT = QT.getCanonicalType()->getAs<BuiltinType>())
417 return (BT->getKind() >= BuiltinType::Short &&
418 BT->getKind() <= BuiltinType::Int128) || (
419 BT->getKind() >= BuiltinType::UShort &&
420 BT->getKind() <= BuiltinType::UInt128) ||
421 BT->getKind() == BuiltinType::UChar ||
422 BT->getKind() == BuiltinType::SChar;
423 return false;
424 };
425
426 // First two arguments should be integers.
427 for (unsigned I = 0; I < 2; ++I) {
428 ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(I));
429 if (Arg.isInvalid()) return true;
430 TheCall->setArg(I, Arg.get());
431
432 QualType Ty = Arg.get()->getType();
433 bool IsValid = CkdOperation ? ValidCkdIntType(Ty) : Ty->isIntegerType();
434 if (!IsValid) {
435 S.Diag(Arg.get()->getBeginLoc(), diag::err_overflow_builtin_must_be_int)
436 << CkdOperation << Ty << Arg.get()->getSourceRange();
437 return true;
438 }
439 }
440
441 // Third argument should be a pointer to a non-const integer.
442 // IRGen correctly handles volatile, restrict, and address spaces, and
443 // the other qualifiers aren't possible.
444 {
445 ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(2));
446 if (Arg.isInvalid()) return true;
447 TheCall->setArg(2, Arg.get());
448
449 QualType Ty = Arg.get()->getType();
450 const auto *PtrTy = Ty->getAs<PointerType>();
451 if (!PtrTy ||
452 !PtrTy->getPointeeType()->isIntegerType() ||
453 (!ValidCkdIntType(PtrTy->getPointeeType()) && CkdOperation) ||
454 PtrTy->getPointeeType().isConstQualified()) {
455 S.Diag(Arg.get()->getBeginLoc(),
456 diag::err_overflow_builtin_must_be_ptr_int)
457 << CkdOperation << Ty << Arg.get()->getSourceRange();
458 return true;
459 }
460 }
461
462 // Disallow signed bit-precise integer args larger than 128 bits to mul
463 // function until we improve backend support.
464 if (BuiltinID == Builtin::BI__builtin_mul_overflow) {
465 for (unsigned I = 0; I < 3; ++I) {
466 const auto Arg = TheCall->getArg(I);
467 // Third argument will be a pointer.
468 auto Ty = I < 2 ? Arg->getType() : Arg->getType()->getPointeeType();
469 if (Ty->isBitIntType() && Ty->isSignedIntegerType() &&
470 S.getASTContext().getIntWidth(Ty) > 128)
471 return S.Diag(Arg->getBeginLoc(),
472 diag::err_overflow_builtin_bit_int_max_size)
473 << 128;
474 }
475 }
476
477 return false;
478 }
479
480 namespace {
481 struct BuiltinDumpStructGenerator {
482 Sema &S;
483 CallExpr *TheCall;
484 SourceLocation Loc = TheCall->getBeginLoc();
485 SmallVector<Expr *, 32> Actions;
486 DiagnosticErrorTrap ErrorTracker;
487 PrintingPolicy Policy;
488
BuiltinDumpStructGenerator__anon28c3fbb10411::BuiltinDumpStructGenerator489 BuiltinDumpStructGenerator(Sema &S, CallExpr *TheCall)
490 : S(S), TheCall(TheCall), ErrorTracker(S.getDiagnostics()),
491 Policy(S.Context.getPrintingPolicy()) {
492 Policy.AnonymousTagLocations = false;
493 }
494
makeOpaqueValueExpr__anon28c3fbb10411::BuiltinDumpStructGenerator495 Expr *makeOpaqueValueExpr(Expr *Inner) {
496 auto *OVE = new (S.Context)
497 OpaqueValueExpr(Loc, Inner->getType(), Inner->getValueKind(),
498 Inner->getObjectKind(), Inner);
499 Actions.push_back(OVE);
500 return OVE;
501 }
502
getStringLiteral__anon28c3fbb10411::BuiltinDumpStructGenerator503 Expr *getStringLiteral(llvm::StringRef Str) {
504 Expr *Lit = S.Context.getPredefinedStringLiteralFromCache(Str);
505 // Wrap the literal in parentheses to attach a source location.
506 return new (S.Context) ParenExpr(Loc, Loc, Lit);
507 }
508
callPrintFunction__anon28c3fbb10411::BuiltinDumpStructGenerator509 bool callPrintFunction(llvm::StringRef Format,
510 llvm::ArrayRef<Expr *> Exprs = {}) {
511 SmallVector<Expr *, 8> Args;
512 assert(TheCall->getNumArgs() >= 2);
513 Args.reserve((TheCall->getNumArgs() - 2) + /*Format*/ 1 + Exprs.size());
514 Args.assign(TheCall->arg_begin() + 2, TheCall->arg_end());
515 Args.push_back(getStringLiteral(Format));
516 llvm::append_range(Args, Exprs);
517
518 // Register a note to explain why we're performing the call.
519 Sema::CodeSynthesisContext Ctx;
520 Ctx.Kind = Sema::CodeSynthesisContext::BuildingBuiltinDumpStructCall;
521 Ctx.PointOfInstantiation = Loc;
522 Ctx.CallArgs = Args.data();
523 Ctx.NumCallArgs = Args.size();
524 S.pushCodeSynthesisContext(Ctx);
525
526 ExprResult RealCall =
527 S.BuildCallExpr(/*Scope=*/nullptr, TheCall->getArg(1),
528 TheCall->getBeginLoc(), Args, TheCall->getRParenLoc());
529
530 S.popCodeSynthesisContext();
531 if (!RealCall.isInvalid())
532 Actions.push_back(RealCall.get());
533 // Bail out if we've hit any errors, even if we managed to build the
534 // call. We don't want to produce more than one error.
535 return RealCall.isInvalid() || ErrorTracker.hasErrorOccurred();
536 }
537
getIndentString__anon28c3fbb10411::BuiltinDumpStructGenerator538 Expr *getIndentString(unsigned Depth) {
539 if (!Depth)
540 return nullptr;
541
542 llvm::SmallString<32> Indent;
543 Indent.resize(Depth * Policy.Indentation, ' ');
544 return getStringLiteral(Indent);
545 }
546
getTypeString__anon28c3fbb10411::BuiltinDumpStructGenerator547 Expr *getTypeString(QualType T) {
548 return getStringLiteral(T.getAsString(Policy));
549 }
550
appendFormatSpecifier__anon28c3fbb10411::BuiltinDumpStructGenerator551 bool appendFormatSpecifier(QualType T, llvm::SmallVectorImpl<char> &Str) {
552 llvm::raw_svector_ostream OS(Str);
553
554 // Format 'bool', 'char', 'signed char', 'unsigned char' as numbers, rather
555 // than trying to print a single character.
556 if (auto *BT = T->getAs<BuiltinType>()) {
557 switch (BT->getKind()) {
558 case BuiltinType::Bool:
559 OS << "%d";
560 return true;
561 case BuiltinType::Char_U:
562 case BuiltinType::UChar:
563 OS << "%hhu";
564 return true;
565 case BuiltinType::Char_S:
566 case BuiltinType::SChar:
567 OS << "%hhd";
568 return true;
569 default:
570 break;
571 }
572 }
573
574 analyze_printf::PrintfSpecifier Specifier;
575 if (Specifier.fixType(T, S.getLangOpts(), S.Context, /*IsObjCLiteral=*/false)) {
576 // We were able to guess how to format this.
577 if (Specifier.getConversionSpecifier().getKind() ==
578 analyze_printf::PrintfConversionSpecifier::sArg) {
579 // Wrap double-quotes around a '%s' specifier and limit its maximum
580 // length. Ideally we'd also somehow escape special characters in the
581 // contents but printf doesn't support that.
582 // FIXME: '%s' formatting is not safe in general.
583 OS << '"';
584 Specifier.setPrecision(analyze_printf::OptionalAmount(32u));
585 Specifier.toString(OS);
586 OS << '"';
587 // FIXME: It would be nice to include a '...' if the string doesn't fit
588 // in the length limit.
589 } else {
590 Specifier.toString(OS);
591 }
592 return true;
593 }
594
595 if (T->isPointerType()) {
596 // Format all pointers with '%p'.
597 OS << "%p";
598 return true;
599 }
600
601 return false;
602 }
603
dumpUnnamedRecord__anon28c3fbb10411::BuiltinDumpStructGenerator604 bool dumpUnnamedRecord(const RecordDecl *RD, Expr *E, unsigned Depth) {
605 Expr *IndentLit = getIndentString(Depth);
606 Expr *TypeLit = getTypeString(S.Context.getRecordType(RD));
607 if (IndentLit ? callPrintFunction("%s%s", {IndentLit, TypeLit})
608 : callPrintFunction("%s", {TypeLit}))
609 return true;
610
611 return dumpRecordValue(RD, E, IndentLit, Depth);
612 }
613
614 // Dump a record value. E should be a pointer or lvalue referring to an RD.
dumpRecordValue__anon28c3fbb10411::BuiltinDumpStructGenerator615 bool dumpRecordValue(const RecordDecl *RD, Expr *E, Expr *RecordIndent,
616 unsigned Depth) {
617 // FIXME: Decide what to do if RD is a union. At least we should probably
618 // turn off printing `const char*` members with `%s`, because that is very
619 // likely to crash if that's not the active member. Whatever we decide, we
620 // should document it.
621
622 // Build an OpaqueValueExpr so we can refer to E more than once without
623 // triggering re-evaluation.
624 Expr *RecordArg = makeOpaqueValueExpr(E);
625 bool RecordArgIsPtr = RecordArg->getType()->isPointerType();
626
627 if (callPrintFunction(" {\n"))
628 return true;
629
630 // Dump each base class, regardless of whether they're aggregates.
631 if (const auto *CXXRD = dyn_cast<CXXRecordDecl>(RD)) {
632 for (const auto &Base : CXXRD->bases()) {
633 QualType BaseType =
634 RecordArgIsPtr ? S.Context.getPointerType(Base.getType())
635 : S.Context.getLValueReferenceType(Base.getType());
636 ExprResult BasePtr = S.BuildCStyleCastExpr(
637 Loc, S.Context.getTrivialTypeSourceInfo(BaseType, Loc), Loc,
638 RecordArg);
639 if (BasePtr.isInvalid() ||
640 dumpUnnamedRecord(Base.getType()->getAsRecordDecl(), BasePtr.get(),
641 Depth + 1))
642 return true;
643 }
644 }
645
646 Expr *FieldIndentArg = getIndentString(Depth + 1);
647
648 // Dump each field.
649 for (auto *D : RD->decls()) {
650 auto *IFD = dyn_cast<IndirectFieldDecl>(D);
651 auto *FD = IFD ? IFD->getAnonField() : dyn_cast<FieldDecl>(D);
652 if (!FD || FD->isUnnamedBitField() || FD->isAnonymousStructOrUnion())
653 continue;
654
655 llvm::SmallString<20> Format = llvm::StringRef("%s%s %s ");
656 llvm::SmallVector<Expr *, 5> Args = {FieldIndentArg,
657 getTypeString(FD->getType()),
658 getStringLiteral(FD->getName())};
659
660 if (FD->isBitField()) {
661 Format += ": %zu ";
662 QualType SizeT = S.Context.getSizeType();
663 llvm::APInt BitWidth(S.Context.getIntWidth(SizeT),
664 FD->getBitWidthValue());
665 Args.push_back(IntegerLiteral::Create(S.Context, BitWidth, SizeT, Loc));
666 }
667
668 Format += "=";
669
670 ExprResult Field =
671 IFD ? S.BuildAnonymousStructUnionMemberReference(
672 CXXScopeSpec(), Loc, IFD,
673 DeclAccessPair::make(IFD, AS_public), RecordArg, Loc)
674 : S.BuildFieldReferenceExpr(
675 RecordArg, RecordArgIsPtr, Loc, CXXScopeSpec(), FD,
676 DeclAccessPair::make(FD, AS_public),
677 DeclarationNameInfo(FD->getDeclName(), Loc));
678 if (Field.isInvalid())
679 return true;
680
681 auto *InnerRD = FD->getType()->getAsRecordDecl();
682 auto *InnerCXXRD = dyn_cast_or_null<CXXRecordDecl>(InnerRD);
683 if (InnerRD && (!InnerCXXRD || InnerCXXRD->isAggregate())) {
684 // Recursively print the values of members of aggregate record type.
685 if (callPrintFunction(Format, Args) ||
686 dumpRecordValue(InnerRD, Field.get(), FieldIndentArg, Depth + 1))
687 return true;
688 } else {
689 Format += " ";
690 if (appendFormatSpecifier(FD->getType(), Format)) {
691 // We know how to print this field.
692 Args.push_back(Field.get());
693 } else {
694 // We don't know how to print this field. Print out its address
695 // with a format specifier that a smart tool will be able to
696 // recognize and treat specially.
697 Format += "*%p";
698 ExprResult FieldAddr =
699 S.BuildUnaryOp(nullptr, Loc, UO_AddrOf, Field.get());
700 if (FieldAddr.isInvalid())
701 return true;
702 Args.push_back(FieldAddr.get());
703 }
704 Format += "\n";
705 if (callPrintFunction(Format, Args))
706 return true;
707 }
708 }
709
710 return RecordIndent ? callPrintFunction("%s}\n", RecordIndent)
711 : callPrintFunction("}\n");
712 }
713
buildWrapper__anon28c3fbb10411::BuiltinDumpStructGenerator714 Expr *buildWrapper() {
715 auto *Wrapper = PseudoObjectExpr::Create(S.Context, TheCall, Actions,
716 PseudoObjectExpr::NoResult);
717 TheCall->setType(Wrapper->getType());
718 TheCall->setValueKind(Wrapper->getValueKind());
719 return Wrapper;
720 }
721 };
722 } // namespace
723
BuiltinDumpStruct(Sema & S,CallExpr * TheCall)724 static ExprResult BuiltinDumpStruct(Sema &S, CallExpr *TheCall) {
725 if (S.checkArgCountAtLeast(TheCall, 2))
726 return ExprError();
727
728 ExprResult PtrArgResult = S.DefaultLvalueConversion(TheCall->getArg(0));
729 if (PtrArgResult.isInvalid())
730 return ExprError();
731 TheCall->setArg(0, PtrArgResult.get());
732
733 // First argument should be a pointer to a struct.
734 QualType PtrArgType = PtrArgResult.get()->getType();
735 if (!PtrArgType->isPointerType() ||
736 !PtrArgType->getPointeeType()->isRecordType()) {
737 S.Diag(PtrArgResult.get()->getBeginLoc(),
738 diag::err_expected_struct_pointer_argument)
739 << 1 << TheCall->getDirectCallee() << PtrArgType;
740 return ExprError();
741 }
742 QualType Pointee = PtrArgType->getPointeeType();
743 const RecordDecl *RD = Pointee->getAsRecordDecl();
744 // Try to instantiate the class template as appropriate; otherwise, access to
745 // its data() may lead to a crash.
746 if (S.RequireCompleteType(PtrArgResult.get()->getBeginLoc(), Pointee,
747 diag::err_incomplete_type))
748 return ExprError();
749 // Second argument is a callable, but we can't fully validate it until we try
750 // calling it.
751 QualType FnArgType = TheCall->getArg(1)->getType();
752 if (!FnArgType->isFunctionType() && !FnArgType->isFunctionPointerType() &&
753 !FnArgType->isBlockPointerType() &&
754 !(S.getLangOpts().CPlusPlus && FnArgType->isRecordType())) {
755 auto *BT = FnArgType->getAs<BuiltinType>();
756 switch (BT ? BT->getKind() : BuiltinType::Void) {
757 case BuiltinType::Dependent:
758 case BuiltinType::Overload:
759 case BuiltinType::BoundMember:
760 case BuiltinType::PseudoObject:
761 case BuiltinType::UnknownAny:
762 case BuiltinType::BuiltinFn:
763 // This might be a callable.
764 break;
765
766 default:
767 S.Diag(TheCall->getArg(1)->getBeginLoc(),
768 diag::err_expected_callable_argument)
769 << 2 << TheCall->getDirectCallee() << FnArgType;
770 return ExprError();
771 }
772 }
773
774 BuiltinDumpStructGenerator Generator(S, TheCall);
775
776 // Wrap parentheses around the given pointer. This is not necessary for
777 // correct code generation, but it means that when we pretty-print the call
778 // arguments in our diagnostics we will produce '(&s)->n' instead of the
779 // incorrect '&s->n'.
780 Expr *PtrArg = PtrArgResult.get();
781 PtrArg = new (S.Context)
782 ParenExpr(PtrArg->getBeginLoc(),
783 S.getLocForEndOfToken(PtrArg->getEndLoc()), PtrArg);
784 if (Generator.dumpUnnamedRecord(RD, PtrArg, 0))
785 return ExprError();
786
787 return Generator.buildWrapper();
788 }
789
BuiltinCallWithStaticChain(Sema & S,CallExpr * BuiltinCall)790 static bool BuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
791 if (S.checkArgCount(BuiltinCall, 2))
792 return true;
793
794 SourceLocation BuiltinLoc = BuiltinCall->getBeginLoc();
795 Expr *Builtin = BuiltinCall->getCallee()->IgnoreImpCasts();
796 Expr *Call = BuiltinCall->getArg(0);
797 Expr *Chain = BuiltinCall->getArg(1);
798
799 if (Call->getStmtClass() != Stmt::CallExprClass) {
800 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_not_call)
801 << Call->getSourceRange();
802 return true;
803 }
804
805 auto CE = cast<CallExpr>(Call);
806 if (CE->getCallee()->getType()->isBlockPointerType()) {
807 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_block_call)
808 << Call->getSourceRange();
809 return true;
810 }
811
812 const Decl *TargetDecl = CE->getCalleeDecl();
813 if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(TargetDecl))
814 if (FD->getBuiltinID()) {
815 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_builtin_call)
816 << Call->getSourceRange();
817 return true;
818 }
819
820 if (isa<CXXPseudoDestructorExpr>(CE->getCallee()->IgnoreParens())) {
821 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_pdtor_call)
822 << Call->getSourceRange();
823 return true;
824 }
825
826 ExprResult ChainResult = S.UsualUnaryConversions(Chain);
827 if (ChainResult.isInvalid())
828 return true;
829 if (!ChainResult.get()->getType()->isPointerType()) {
830 S.Diag(BuiltinLoc, diag::err_second_argument_to_cwsc_not_pointer)
831 << Chain->getSourceRange();
832 return true;
833 }
834
835 QualType ReturnTy = CE->getCallReturnType(S.Context);
836 QualType ArgTys[2] = { ReturnTy, ChainResult.get()->getType() };
837 QualType BuiltinTy = S.Context.getFunctionType(
838 ReturnTy, ArgTys, FunctionProtoType::ExtProtoInfo());
839 QualType BuiltinPtrTy = S.Context.getPointerType(BuiltinTy);
840
841 Builtin =
842 S.ImpCastExprToType(Builtin, BuiltinPtrTy, CK_BuiltinFnToFnPtr).get();
843
844 BuiltinCall->setType(CE->getType());
845 BuiltinCall->setValueKind(CE->getValueKind());
846 BuiltinCall->setObjectKind(CE->getObjectKind());
847 BuiltinCall->setCallee(Builtin);
848 BuiltinCall->setArg(1, ChainResult.get());
849
850 return false;
851 }
852
853 namespace {
854
855 class ScanfDiagnosticFormatHandler
856 : public analyze_format_string::FormatStringHandler {
857 // Accepts the argument index (relative to the first destination index) of the
858 // argument whose size we want.
859 using ComputeSizeFunction =
860 llvm::function_ref<std::optional<llvm::APSInt>(unsigned)>;
861
862 // Accepts the argument index (relative to the first destination index), the
863 // destination size, and the source size).
864 using DiagnoseFunction =
865 llvm::function_ref<void(unsigned, unsigned, unsigned)>;
866
867 ComputeSizeFunction ComputeSizeArgument;
868 DiagnoseFunction Diagnose;
869
870 public:
ScanfDiagnosticFormatHandler(ComputeSizeFunction ComputeSizeArgument,DiagnoseFunction Diagnose)871 ScanfDiagnosticFormatHandler(ComputeSizeFunction ComputeSizeArgument,
872 DiagnoseFunction Diagnose)
873 : ComputeSizeArgument(ComputeSizeArgument), Diagnose(Diagnose) {}
874
HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier & FS,const char * StartSpecifier,unsigned specifierLen)875 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
876 const char *StartSpecifier,
877 unsigned specifierLen) override {
878 if (!FS.consumesDataArgument())
879 return true;
880
881 unsigned NulByte = 0;
882 switch ((FS.getConversionSpecifier().getKind())) {
883 default:
884 return true;
885 case analyze_format_string::ConversionSpecifier::sArg:
886 case analyze_format_string::ConversionSpecifier::ScanListArg:
887 NulByte = 1;
888 break;
889 case analyze_format_string::ConversionSpecifier::cArg:
890 break;
891 }
892
893 analyze_format_string::OptionalAmount FW = FS.getFieldWidth();
894 if (FW.getHowSpecified() !=
895 analyze_format_string::OptionalAmount::HowSpecified::Constant)
896 return true;
897
898 unsigned SourceSize = FW.getConstantAmount() + NulByte;
899
900 std::optional<llvm::APSInt> DestSizeAPS =
901 ComputeSizeArgument(FS.getArgIndex());
902 if (!DestSizeAPS)
903 return true;
904
905 unsigned DestSize = DestSizeAPS->getZExtValue();
906
907 if (DestSize < SourceSize)
908 Diagnose(FS.getArgIndex(), DestSize, SourceSize);
909
910 return true;
911 }
912 };
913
914 class EstimateSizeFormatHandler
915 : public analyze_format_string::FormatStringHandler {
916 size_t Size;
917 /// Whether the format string contains Linux kernel's format specifier
918 /// extension.
919 bool IsKernelCompatible = true;
920
921 public:
EstimateSizeFormatHandler(StringRef Format)922 EstimateSizeFormatHandler(StringRef Format)
923 : Size(std::min(Format.find(0), Format.size()) +
924 1 /* null byte always written by sprintf */) {}
925
HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier & FS,const char *,unsigned SpecifierLen,const TargetInfo &)926 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
927 const char *, unsigned SpecifierLen,
928 const TargetInfo &) override {
929
930 const size_t FieldWidth = computeFieldWidth(FS);
931 const size_t Precision = computePrecision(FS);
932
933 // The actual format.
934 switch (FS.getConversionSpecifier().getKind()) {
935 // Just a char.
936 case analyze_format_string::ConversionSpecifier::cArg:
937 case analyze_format_string::ConversionSpecifier::CArg:
938 Size += std::max(FieldWidth, (size_t)1);
939 break;
940 // Just an integer.
941 case analyze_format_string::ConversionSpecifier::dArg:
942 case analyze_format_string::ConversionSpecifier::DArg:
943 case analyze_format_string::ConversionSpecifier::iArg:
944 case analyze_format_string::ConversionSpecifier::oArg:
945 case analyze_format_string::ConversionSpecifier::OArg:
946 case analyze_format_string::ConversionSpecifier::uArg:
947 case analyze_format_string::ConversionSpecifier::UArg:
948 case analyze_format_string::ConversionSpecifier::xArg:
949 case analyze_format_string::ConversionSpecifier::XArg:
950 Size += std::max(FieldWidth, Precision);
951 break;
952
953 // %g style conversion switches between %f or %e style dynamically.
954 // %g removes trailing zeros, and does not print decimal point if there are
955 // no digits that follow it. Thus %g can print a single digit.
956 // FIXME: If it is alternative form:
957 // For g and G conversions, trailing zeros are not removed from the result.
958 case analyze_format_string::ConversionSpecifier::gArg:
959 case analyze_format_string::ConversionSpecifier::GArg:
960 Size += 1;
961 break;
962
963 // Floating point number in the form '[+]ddd.ddd'.
964 case analyze_format_string::ConversionSpecifier::fArg:
965 case analyze_format_string::ConversionSpecifier::FArg:
966 Size += std::max(FieldWidth, 1 /* integer part */ +
967 (Precision ? 1 + Precision
968 : 0) /* period + decimal */);
969 break;
970
971 // Floating point number in the form '[-]d.ddde[+-]dd'.
972 case analyze_format_string::ConversionSpecifier::eArg:
973 case analyze_format_string::ConversionSpecifier::EArg:
974 Size +=
975 std::max(FieldWidth,
976 1 /* integer part */ +
977 (Precision ? 1 + Precision : 0) /* period + decimal */ +
978 1 /* e or E letter */ + 2 /* exponent */);
979 break;
980
981 // Floating point number in the form '[-]0xh.hhhhp±dd'.
982 case analyze_format_string::ConversionSpecifier::aArg:
983 case analyze_format_string::ConversionSpecifier::AArg:
984 Size +=
985 std::max(FieldWidth,
986 2 /* 0x */ + 1 /* integer part */ +
987 (Precision ? 1 + Precision : 0) /* period + decimal */ +
988 1 /* p or P letter */ + 1 /* + or - */ + 1 /* value */);
989 break;
990
991 // Just a string.
992 case analyze_format_string::ConversionSpecifier::sArg:
993 case analyze_format_string::ConversionSpecifier::SArg:
994 Size += FieldWidth;
995 break;
996
997 // Just a pointer in the form '0xddd'.
998 case analyze_format_string::ConversionSpecifier::pArg:
999 // Linux kernel has its own extesion for `%p` specifier.
1000 // Kernel Document:
1001 // https://docs.kernel.org/core-api/printk-formats.html#pointer-types
1002 IsKernelCompatible = false;
1003 Size += std::max(FieldWidth, 2 /* leading 0x */ + Precision);
1004 break;
1005
1006 // A plain percent.
1007 case analyze_format_string::ConversionSpecifier::PercentArg:
1008 Size += 1;
1009 break;
1010
1011 default:
1012 break;
1013 }
1014
1015 // If field width is specified, the sign/space is already accounted for
1016 // within the field width, so no additional size is needed.
1017 if ((FS.hasPlusPrefix() || FS.hasSpacePrefix()) && FieldWidth == 0)
1018 Size += 1;
1019
1020 if (FS.hasAlternativeForm()) {
1021 switch (FS.getConversionSpecifier().getKind()) {
1022 // For o conversion, it increases the precision, if and only if necessary,
1023 // to force the first digit of the result to be a zero
1024 // (if the value and precision are both 0, a single 0 is printed)
1025 case analyze_format_string::ConversionSpecifier::oArg:
1026 // For b conversion, a nonzero result has 0b prefixed to it.
1027 case analyze_format_string::ConversionSpecifier::bArg:
1028 // For x (or X) conversion, a nonzero result has 0x (or 0X) prefixed to
1029 // it.
1030 case analyze_format_string::ConversionSpecifier::xArg:
1031 case analyze_format_string::ConversionSpecifier::XArg:
1032 // Note: even when the prefix is added, if
1033 // (prefix_width <= FieldWidth - formatted_length) holds,
1034 // the prefix does not increase the format
1035 // size. e.g.(("%#3x", 0xf) is "0xf")
1036
1037 // If the result is zero, o, b, x, X adds nothing.
1038 break;
1039 // For a, A, e, E, f, F, g, and G conversions,
1040 // the result of converting a floating-point number always contains a
1041 // decimal-point
1042 case analyze_format_string::ConversionSpecifier::aArg:
1043 case analyze_format_string::ConversionSpecifier::AArg:
1044 case analyze_format_string::ConversionSpecifier::eArg:
1045 case analyze_format_string::ConversionSpecifier::EArg:
1046 case analyze_format_string::ConversionSpecifier::fArg:
1047 case analyze_format_string::ConversionSpecifier::FArg:
1048 case analyze_format_string::ConversionSpecifier::gArg:
1049 case analyze_format_string::ConversionSpecifier::GArg:
1050 Size += (Precision ? 0 : 1);
1051 break;
1052 // For other conversions, the behavior is undefined.
1053 default:
1054 break;
1055 }
1056 }
1057 assert(SpecifierLen <= Size && "no underflow");
1058 Size -= SpecifierLen;
1059 return true;
1060 }
1061
getSizeLowerBound() const1062 size_t getSizeLowerBound() const { return Size; }
isKernelCompatible() const1063 bool isKernelCompatible() const { return IsKernelCompatible; }
1064
1065 private:
computeFieldWidth(const analyze_printf::PrintfSpecifier & FS)1066 static size_t computeFieldWidth(const analyze_printf::PrintfSpecifier &FS) {
1067 const analyze_format_string::OptionalAmount &FW = FS.getFieldWidth();
1068 size_t FieldWidth = 0;
1069 if (FW.getHowSpecified() == analyze_format_string::OptionalAmount::Constant)
1070 FieldWidth = FW.getConstantAmount();
1071 return FieldWidth;
1072 }
1073
computePrecision(const analyze_printf::PrintfSpecifier & FS)1074 static size_t computePrecision(const analyze_printf::PrintfSpecifier &FS) {
1075 const analyze_format_string::OptionalAmount &FW = FS.getPrecision();
1076 size_t Precision = 0;
1077
1078 // See man 3 printf for default precision value based on the specifier.
1079 switch (FW.getHowSpecified()) {
1080 case analyze_format_string::OptionalAmount::NotSpecified:
1081 switch (FS.getConversionSpecifier().getKind()) {
1082 default:
1083 break;
1084 case analyze_format_string::ConversionSpecifier::dArg: // %d
1085 case analyze_format_string::ConversionSpecifier::DArg: // %D
1086 case analyze_format_string::ConversionSpecifier::iArg: // %i
1087 Precision = 1;
1088 break;
1089 case analyze_format_string::ConversionSpecifier::oArg: // %d
1090 case analyze_format_string::ConversionSpecifier::OArg: // %D
1091 case analyze_format_string::ConversionSpecifier::uArg: // %d
1092 case analyze_format_string::ConversionSpecifier::UArg: // %D
1093 case analyze_format_string::ConversionSpecifier::xArg: // %d
1094 case analyze_format_string::ConversionSpecifier::XArg: // %D
1095 Precision = 1;
1096 break;
1097 case analyze_format_string::ConversionSpecifier::fArg: // %f
1098 case analyze_format_string::ConversionSpecifier::FArg: // %F
1099 case analyze_format_string::ConversionSpecifier::eArg: // %e
1100 case analyze_format_string::ConversionSpecifier::EArg: // %E
1101 case analyze_format_string::ConversionSpecifier::gArg: // %g
1102 case analyze_format_string::ConversionSpecifier::GArg: // %G
1103 Precision = 6;
1104 break;
1105 case analyze_format_string::ConversionSpecifier::pArg: // %d
1106 Precision = 1;
1107 break;
1108 }
1109 break;
1110 case analyze_format_string::OptionalAmount::Constant:
1111 Precision = FW.getConstantAmount();
1112 break;
1113 default:
1114 break;
1115 }
1116 return Precision;
1117 }
1118 };
1119
1120 } // namespace
1121
ProcessFormatStringLiteral(const Expr * FormatExpr,StringRef & FormatStrRef,size_t & StrLen,ASTContext & Context)1122 static bool ProcessFormatStringLiteral(const Expr *FormatExpr,
1123 StringRef &FormatStrRef, size_t &StrLen,
1124 ASTContext &Context) {
1125 if (const auto *Format = dyn_cast<StringLiteral>(FormatExpr);
1126 Format && (Format->isOrdinary() || Format->isUTF8())) {
1127 FormatStrRef = Format->getString();
1128 const ConstantArrayType *T =
1129 Context.getAsConstantArrayType(Format->getType());
1130 assert(T && "String literal not of constant array type!");
1131 size_t TypeSize = T->getZExtSize();
1132 // In case there's a null byte somewhere.
1133 StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, FormatStrRef.find(0));
1134 return true;
1135 }
1136 return false;
1137 }
1138
checkFortifiedBuiltinMemoryFunction(FunctionDecl * FD,CallExpr * TheCall)1139 void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
1140 CallExpr *TheCall) {
1141 if (TheCall->isValueDependent() || TheCall->isTypeDependent() ||
1142 isConstantEvaluatedContext())
1143 return;
1144
1145 bool UseDABAttr = false;
1146 const FunctionDecl *UseDecl = FD;
1147
1148 const auto *DABAttr = FD->getAttr<DiagnoseAsBuiltinAttr>();
1149 if (DABAttr) {
1150 UseDecl = DABAttr->getFunction();
1151 assert(UseDecl && "Missing FunctionDecl in DiagnoseAsBuiltin attribute!");
1152 UseDABAttr = true;
1153 }
1154
1155 unsigned BuiltinID = UseDecl->getBuiltinID(/*ConsiderWrappers=*/true);
1156
1157 if (!BuiltinID)
1158 return;
1159
1160 const TargetInfo &TI = getASTContext().getTargetInfo();
1161 unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());
1162
1163 auto TranslateIndex = [&](unsigned Index) -> std::optional<unsigned> {
1164 // If we refer to a diagnose_as_builtin attribute, we need to change the
1165 // argument index to refer to the arguments of the called function. Unless
1166 // the index is out of bounds, which presumably means it's a variadic
1167 // function.
1168 if (!UseDABAttr)
1169 return Index;
1170 unsigned DABIndices = DABAttr->argIndices_size();
1171 unsigned NewIndex = Index < DABIndices
1172 ? DABAttr->argIndices_begin()[Index]
1173 : Index - DABIndices + FD->getNumParams();
1174 if (NewIndex >= TheCall->getNumArgs())
1175 return std::nullopt;
1176 return NewIndex;
1177 };
1178
1179 auto ComputeExplicitObjectSizeArgument =
1180 [&](unsigned Index) -> std::optional<llvm::APSInt> {
1181 std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1182 if (!IndexOptional)
1183 return std::nullopt;
1184 unsigned NewIndex = *IndexOptional;
1185 Expr::EvalResult Result;
1186 Expr *SizeArg = TheCall->getArg(NewIndex);
1187 if (!SizeArg->EvaluateAsInt(Result, getASTContext()))
1188 return std::nullopt;
1189 llvm::APSInt Integer = Result.Val.getInt();
1190 Integer.setIsUnsigned(true);
1191 return Integer;
1192 };
1193
1194 auto ComputeSizeArgument =
1195 [&](unsigned Index) -> std::optional<llvm::APSInt> {
1196 // If the parameter has a pass_object_size attribute, then we should use its
1197 // (potentially) more strict checking mode. Otherwise, conservatively assume
1198 // type 0.
1199 int BOSType = 0;
1200 // This check can fail for variadic functions.
1201 if (Index < FD->getNumParams()) {
1202 if (const auto *POS =
1203 FD->getParamDecl(Index)->getAttr<PassObjectSizeAttr>())
1204 BOSType = POS->getType();
1205 }
1206
1207 std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1208 if (!IndexOptional)
1209 return std::nullopt;
1210 unsigned NewIndex = *IndexOptional;
1211
1212 if (NewIndex >= TheCall->getNumArgs())
1213 return std::nullopt;
1214
1215 const Expr *ObjArg = TheCall->getArg(NewIndex);
1216 uint64_t Result;
1217 if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
1218 return std::nullopt;
1219
1220 // Get the object size in the target's size_t width.
1221 return llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
1222 };
1223
1224 auto ComputeStrLenArgument =
1225 [&](unsigned Index) -> std::optional<llvm::APSInt> {
1226 std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1227 if (!IndexOptional)
1228 return std::nullopt;
1229 unsigned NewIndex = *IndexOptional;
1230
1231 const Expr *ObjArg = TheCall->getArg(NewIndex);
1232 uint64_t Result;
1233 if (!ObjArg->tryEvaluateStrLen(Result, getASTContext()))
1234 return std::nullopt;
1235 // Add 1 for null byte.
1236 return llvm::APSInt::getUnsigned(Result + 1).extOrTrunc(SizeTypeWidth);
1237 };
1238
1239 std::optional<llvm::APSInt> SourceSize;
1240 std::optional<llvm::APSInt> DestinationSize;
1241 unsigned DiagID = 0;
1242 bool IsChkVariant = false;
1243
1244 auto GetFunctionName = [&]() {
1245 std::string FunctionNameStr =
1246 getASTContext().BuiltinInfo.getName(BuiltinID);
1247 llvm::StringRef FunctionName = FunctionNameStr;
1248 // Skim off the details of whichever builtin was called to produce a better
1249 // diagnostic, as it's unlikely that the user wrote the __builtin
1250 // explicitly.
1251 if (IsChkVariant) {
1252 FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
1253 FunctionName = FunctionName.drop_back(std::strlen("_chk"));
1254 } else {
1255 FunctionName.consume_front("__builtin_");
1256 }
1257 return FunctionName.str();
1258 };
1259
1260 switch (BuiltinID) {
1261 default:
1262 return;
1263 case Builtin::BI__builtin_stpcpy:
1264 case Builtin::BIstpcpy:
1265 case Builtin::BI__builtin_strcpy:
1266 case Builtin::BIstrcpy: {
1267 DiagID = diag::warn_fortify_strlen_overflow;
1268 SourceSize = ComputeStrLenArgument(1);
1269 DestinationSize = ComputeSizeArgument(0);
1270 break;
1271 }
1272
1273 case Builtin::BI__builtin___stpcpy_chk:
1274 case Builtin::BI__builtin___strcpy_chk: {
1275 DiagID = diag::warn_fortify_strlen_overflow;
1276 SourceSize = ComputeStrLenArgument(1);
1277 DestinationSize = ComputeExplicitObjectSizeArgument(2);
1278 IsChkVariant = true;
1279 break;
1280 }
1281
1282 case Builtin::BIscanf:
1283 case Builtin::BIfscanf:
1284 case Builtin::BIsscanf: {
1285 unsigned FormatIndex = 1;
1286 unsigned DataIndex = 2;
1287 if (BuiltinID == Builtin::BIscanf) {
1288 FormatIndex = 0;
1289 DataIndex = 1;
1290 }
1291
1292 const auto *FormatExpr =
1293 TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
1294
1295 StringRef FormatStrRef;
1296 size_t StrLen;
1297 if (!ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context))
1298 return;
1299
1300 auto Diagnose = [&](unsigned ArgIndex, unsigned DestSize,
1301 unsigned SourceSize) {
1302 DiagID = diag::warn_fortify_scanf_overflow;
1303 unsigned Index = ArgIndex + DataIndex;
1304 std::string FunctionName = GetFunctionName();
1305 DiagRuntimeBehavior(TheCall->getArg(Index)->getBeginLoc(), TheCall,
1306 PDiag(DiagID) << FunctionName << (Index + 1)
1307 << DestSize << SourceSize);
1308 };
1309
1310 auto ShiftedComputeSizeArgument = [&](unsigned Index) {
1311 return ComputeSizeArgument(Index + DataIndex);
1312 };
1313 ScanfDiagnosticFormatHandler H(ShiftedComputeSizeArgument, Diagnose);
1314 const char *FormatBytes = FormatStrRef.data();
1315 analyze_format_string::ParseScanfString(H, FormatBytes,
1316 FormatBytes + StrLen, getLangOpts(),
1317 Context.getTargetInfo());
1318
1319 // Unlike the other cases, in this one we have already issued the diagnostic
1320 // here, so no need to continue (because unlike the other cases, here the
1321 // diagnostic refers to the argument number).
1322 return;
1323 }
1324
1325 case Builtin::BIsprintf:
1326 case Builtin::BI__builtin___sprintf_chk: {
1327 size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3;
1328 auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
1329
1330 StringRef FormatStrRef;
1331 size_t StrLen;
1332 if (ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context)) {
1333 EstimateSizeFormatHandler H(FormatStrRef);
1334 const char *FormatBytes = FormatStrRef.data();
1335 if (!analyze_format_string::ParsePrintfString(
1336 H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
1337 Context.getTargetInfo(), false)) {
1338 DiagID = H.isKernelCompatible()
1339 ? diag::warn_format_overflow
1340 : diag::warn_format_overflow_non_kprintf;
1341 SourceSize = llvm::APSInt::getUnsigned(H.getSizeLowerBound())
1342 .extOrTrunc(SizeTypeWidth);
1343 if (BuiltinID == Builtin::BI__builtin___sprintf_chk) {
1344 DestinationSize = ComputeExplicitObjectSizeArgument(2);
1345 IsChkVariant = true;
1346 } else {
1347 DestinationSize = ComputeSizeArgument(0);
1348 }
1349 break;
1350 }
1351 }
1352 return;
1353 }
1354 case Builtin::BI__builtin___memcpy_chk:
1355 case Builtin::BI__builtin___memmove_chk:
1356 case Builtin::BI__builtin___memset_chk:
1357 case Builtin::BI__builtin___strlcat_chk:
1358 case Builtin::BI__builtin___strlcpy_chk:
1359 case Builtin::BI__builtin___strncat_chk:
1360 case Builtin::BI__builtin___strncpy_chk:
1361 case Builtin::BI__builtin___stpncpy_chk:
1362 case Builtin::BI__builtin___memccpy_chk:
1363 case Builtin::BI__builtin___mempcpy_chk: {
1364 DiagID = diag::warn_builtin_chk_overflow;
1365 SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 2);
1366 DestinationSize =
1367 ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1368 IsChkVariant = true;
1369 break;
1370 }
1371
1372 case Builtin::BI__builtin___snprintf_chk:
1373 case Builtin::BI__builtin___vsnprintf_chk: {
1374 DiagID = diag::warn_builtin_chk_overflow;
1375 SourceSize = ComputeExplicitObjectSizeArgument(1);
1376 DestinationSize = ComputeExplicitObjectSizeArgument(3);
1377 IsChkVariant = true;
1378 break;
1379 }
1380
1381 case Builtin::BIstrncat:
1382 case Builtin::BI__builtin_strncat:
1383 case Builtin::BIstrncpy:
1384 case Builtin::BI__builtin_strncpy:
1385 case Builtin::BIstpncpy:
1386 case Builtin::BI__builtin_stpncpy: {
1387 // Whether these functions overflow depends on the runtime strlen of the
1388 // string, not just the buffer size, so emitting the "always overflow"
1389 // diagnostic isn't quite right. We should still diagnose passing a buffer
1390 // size larger than the destination buffer though; this is a runtime abort
1391 // in _FORTIFY_SOURCE mode, and is quite suspicious otherwise.
1392 DiagID = diag::warn_fortify_source_size_mismatch;
1393 SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1394 DestinationSize = ComputeSizeArgument(0);
1395 break;
1396 }
1397
1398 case Builtin::BImemcpy:
1399 case Builtin::BI__builtin_memcpy:
1400 case Builtin::BImemmove:
1401 case Builtin::BI__builtin_memmove:
1402 case Builtin::BImemset:
1403 case Builtin::BI__builtin_memset:
1404 case Builtin::BImempcpy:
1405 case Builtin::BI__builtin_mempcpy: {
1406 DiagID = diag::warn_fortify_source_overflow;
1407 SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1408 DestinationSize = ComputeSizeArgument(0);
1409 break;
1410 }
1411 case Builtin::BIsnprintf:
1412 case Builtin::BI__builtin_snprintf:
1413 case Builtin::BIvsnprintf:
1414 case Builtin::BI__builtin_vsnprintf: {
1415 DiagID = diag::warn_fortify_source_size_mismatch;
1416 SourceSize = ComputeExplicitObjectSizeArgument(1);
1417 const auto *FormatExpr = TheCall->getArg(2)->IgnoreParenImpCasts();
1418 StringRef FormatStrRef;
1419 size_t StrLen;
1420 if (SourceSize &&
1421 ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context)) {
1422 EstimateSizeFormatHandler H(FormatStrRef);
1423 const char *FormatBytes = FormatStrRef.data();
1424 if (!analyze_format_string::ParsePrintfString(
1425 H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
1426 Context.getTargetInfo(), /*isFreeBSDKPrintf=*/false)) {
1427 llvm::APSInt FormatSize =
1428 llvm::APSInt::getUnsigned(H.getSizeLowerBound())
1429 .extOrTrunc(SizeTypeWidth);
1430 if (FormatSize > *SourceSize && *SourceSize != 0) {
1431 unsigned TruncationDiagID =
1432 H.isKernelCompatible() ? diag::warn_format_truncation
1433 : diag::warn_format_truncation_non_kprintf;
1434 SmallString<16> SpecifiedSizeStr;
1435 SmallString<16> FormatSizeStr;
1436 SourceSize->toString(SpecifiedSizeStr, /*Radix=*/10);
1437 FormatSize.toString(FormatSizeStr, /*Radix=*/10);
1438 DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
1439 PDiag(TruncationDiagID)
1440 << GetFunctionName() << SpecifiedSizeStr
1441 << FormatSizeStr);
1442 }
1443 }
1444 }
1445 DestinationSize = ComputeSizeArgument(0);
1446 }
1447 }
1448
1449 if (!SourceSize || !DestinationSize ||
1450 llvm::APSInt::compareValues(*SourceSize, *DestinationSize) <= 0)
1451 return;
1452
1453 std::string FunctionName = GetFunctionName();
1454
1455 SmallString<16> DestinationStr;
1456 SmallString<16> SourceStr;
1457 DestinationSize->toString(DestinationStr, /*Radix=*/10);
1458 SourceSize->toString(SourceStr, /*Radix=*/10);
1459 DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
1460 PDiag(DiagID)
1461 << FunctionName << DestinationStr << SourceStr);
1462 }
1463
BuiltinSEHScopeCheck(Sema & SemaRef,CallExpr * TheCall,Scope::ScopeFlags NeededScopeFlags,unsigned DiagID)1464 static bool BuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,
1465 Scope::ScopeFlags NeededScopeFlags,
1466 unsigned DiagID) {
1467 // Scopes aren't available during instantiation. Fortunately, builtin
1468 // functions cannot be template args so they cannot be formed through template
1469 // instantiation. Therefore checking once during the parse is sufficient.
1470 if (SemaRef.inTemplateInstantiation())
1471 return false;
1472
1473 Scope *S = SemaRef.getCurScope();
1474 while (S && !S->isSEHExceptScope())
1475 S = S->getParent();
1476 if (!S || !(S->getFlags() & NeededScopeFlags)) {
1477 auto *DRE = cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
1478 SemaRef.Diag(TheCall->getExprLoc(), DiagID)
1479 << DRE->getDecl()->getIdentifier();
1480 return true;
1481 }
1482
1483 return false;
1484 }
1485
1486 // In OpenCL, __builtin_alloca_* should return a pointer to address space
1487 // that corresponds to the stack address space i.e private address space.
builtinAllocaAddrSpace(Sema & S,CallExpr * TheCall)1488 static void builtinAllocaAddrSpace(Sema &S, CallExpr *TheCall) {
1489 QualType RT = TheCall->getType();
1490 assert((RT->isPointerType() && !(RT->getPointeeType().hasAddressSpace())) &&
1491 "__builtin_alloca has invalid address space");
1492
1493 RT = RT->getPointeeType();
1494 RT = S.Context.getAddrSpaceQualType(RT, LangAS::opencl_private);
1495 TheCall->setType(S.Context.getPointerType(RT));
1496 }
1497
1498 namespace {
1499 enum PointerAuthOpKind {
1500 PAO_Strip,
1501 PAO_Sign,
1502 PAO_Auth,
1503 PAO_SignGeneric,
1504 PAO_Discriminator,
1505 PAO_BlendPointer,
1506 PAO_BlendInteger
1507 };
1508 }
1509
checkPointerAuthEnabled(SourceLocation Loc,SourceRange Range)1510 bool Sema::checkPointerAuthEnabled(SourceLocation Loc, SourceRange Range) {
1511 if (getLangOpts().PointerAuthIntrinsics)
1512 return false;
1513
1514 Diag(Loc, diag::err_ptrauth_disabled) << Range;
1515 return true;
1516 }
1517
checkPointerAuthEnabled(Sema & S,Expr * E)1518 static bool checkPointerAuthEnabled(Sema &S, Expr *E) {
1519 return S.checkPointerAuthEnabled(E->getExprLoc(), E->getSourceRange());
1520 }
1521
checkPointerAuthKey(Sema & S,Expr * & Arg)1522 static bool checkPointerAuthKey(Sema &S, Expr *&Arg) {
1523 // Convert it to type 'int'.
1524 if (convertArgumentToType(S, Arg, S.Context.IntTy))
1525 return true;
1526
1527 // Value-dependent expressions are okay; wait for template instantiation.
1528 if (Arg->isValueDependent())
1529 return false;
1530
1531 unsigned KeyValue;
1532 return S.checkConstantPointerAuthKey(Arg, KeyValue);
1533 }
1534
checkConstantPointerAuthKey(Expr * Arg,unsigned & Result)1535 bool Sema::checkConstantPointerAuthKey(Expr *Arg, unsigned &Result) {
1536 // Attempt to constant-evaluate the expression.
1537 std::optional<llvm::APSInt> KeyValue = Arg->getIntegerConstantExpr(Context);
1538 if (!KeyValue) {
1539 Diag(Arg->getExprLoc(), diag::err_expr_not_ice)
1540 << 0 << Arg->getSourceRange();
1541 return true;
1542 }
1543
1544 // Ask the target to validate the key parameter.
1545 if (!Context.getTargetInfo().validatePointerAuthKey(*KeyValue)) {
1546 llvm::SmallString<32> Value;
1547 {
1548 llvm::raw_svector_ostream Str(Value);
1549 Str << *KeyValue;
1550 }
1551
1552 Diag(Arg->getExprLoc(), diag::err_ptrauth_invalid_key)
1553 << Value << Arg->getSourceRange();
1554 return true;
1555 }
1556
1557 Result = KeyValue->getZExtValue();
1558 return false;
1559 }
1560
checkPointerAuthDiscriminatorArg(Expr * Arg,PointerAuthDiscArgKind Kind,unsigned & IntVal)1561 bool Sema::checkPointerAuthDiscriminatorArg(Expr *Arg,
1562 PointerAuthDiscArgKind Kind,
1563 unsigned &IntVal) {
1564 if (!Arg) {
1565 IntVal = 0;
1566 return true;
1567 }
1568
1569 std::optional<llvm::APSInt> Result = Arg->getIntegerConstantExpr(Context);
1570 if (!Result) {
1571 Diag(Arg->getExprLoc(), diag::err_ptrauth_arg_not_ice);
1572 return false;
1573 }
1574
1575 unsigned Max;
1576 bool IsAddrDiscArg = false;
1577
1578 switch (Kind) {
1579 case PointerAuthDiscArgKind::Addr:
1580 Max = 1;
1581 IsAddrDiscArg = true;
1582 break;
1583 case PointerAuthDiscArgKind::Extra:
1584 Max = PointerAuthQualifier::MaxDiscriminator;
1585 break;
1586 };
1587
1588 if (*Result < 0 || *Result > Max) {
1589 if (IsAddrDiscArg)
1590 Diag(Arg->getExprLoc(), diag::err_ptrauth_address_discrimination_invalid)
1591 << Result->getExtValue();
1592 else
1593 Diag(Arg->getExprLoc(), diag::err_ptrauth_extra_discriminator_invalid)
1594 << Result->getExtValue() << Max;
1595
1596 return false;
1597 };
1598
1599 IntVal = Result->getZExtValue();
1600 return true;
1601 }
1602
1603 static std::pair<const ValueDecl *, CharUnits>
findConstantBaseAndOffset(Sema & S,Expr * E)1604 findConstantBaseAndOffset(Sema &S, Expr *E) {
1605 // Must evaluate as a pointer.
1606 Expr::EvalResult Result;
1607 if (!E->EvaluateAsRValue(Result, S.Context) || !Result.Val.isLValue())
1608 return {nullptr, CharUnits()};
1609
1610 const auto *BaseDecl =
1611 Result.Val.getLValueBase().dyn_cast<const ValueDecl *>();
1612 if (!BaseDecl)
1613 return {nullptr, CharUnits()};
1614
1615 return {BaseDecl, Result.Val.getLValueOffset()};
1616 }
1617
checkPointerAuthValue(Sema & S,Expr * & Arg,PointerAuthOpKind OpKind,bool RequireConstant=false)1618 static bool checkPointerAuthValue(Sema &S, Expr *&Arg, PointerAuthOpKind OpKind,
1619 bool RequireConstant = false) {
1620 if (Arg->hasPlaceholderType()) {
1621 ExprResult R = S.CheckPlaceholderExpr(Arg);
1622 if (R.isInvalid())
1623 return true;
1624 Arg = R.get();
1625 }
1626
1627 auto AllowsPointer = [](PointerAuthOpKind OpKind) {
1628 return OpKind != PAO_BlendInteger;
1629 };
1630 auto AllowsInteger = [](PointerAuthOpKind OpKind) {
1631 return OpKind == PAO_Discriminator || OpKind == PAO_BlendInteger ||
1632 OpKind == PAO_SignGeneric;
1633 };
1634
1635 // Require the value to have the right range of type.
1636 QualType ExpectedTy;
1637 if (AllowsPointer(OpKind) && Arg->getType()->isPointerType()) {
1638 ExpectedTy = Arg->getType().getUnqualifiedType();
1639 } else if (AllowsPointer(OpKind) && Arg->getType()->isNullPtrType()) {
1640 ExpectedTy = S.Context.VoidPtrTy;
1641 } else if (AllowsInteger(OpKind) &&
1642 Arg->getType()->isIntegralOrUnscopedEnumerationType()) {
1643 ExpectedTy = S.Context.getUIntPtrType();
1644
1645 } else {
1646 // Diagnose the failures.
1647 S.Diag(Arg->getExprLoc(), diag::err_ptrauth_value_bad_type)
1648 << unsigned(OpKind == PAO_Discriminator ? 1
1649 : OpKind == PAO_BlendPointer ? 2
1650 : OpKind == PAO_BlendInteger ? 3
1651 : 0)
1652 << unsigned(AllowsInteger(OpKind) ? (AllowsPointer(OpKind) ? 2 : 1) : 0)
1653 << Arg->getType() << Arg->getSourceRange();
1654 return true;
1655 }
1656
1657 // Convert to that type. This should just be an lvalue-to-rvalue
1658 // conversion.
1659 if (convertArgumentToType(S, Arg, ExpectedTy))
1660 return true;
1661
1662 if (!RequireConstant) {
1663 // Warn about null pointers for non-generic sign and auth operations.
1664 if ((OpKind == PAO_Sign || OpKind == PAO_Auth) &&
1665 Arg->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNull)) {
1666 S.Diag(Arg->getExprLoc(), OpKind == PAO_Sign
1667 ? diag::warn_ptrauth_sign_null_pointer
1668 : diag::warn_ptrauth_auth_null_pointer)
1669 << Arg->getSourceRange();
1670 }
1671
1672 return false;
1673 }
1674
1675 // Perform special checking on the arguments to ptrauth_sign_constant.
1676
1677 // The main argument.
1678 if (OpKind == PAO_Sign) {
1679 // Require the value we're signing to have a special form.
1680 auto [BaseDecl, Offset] = findConstantBaseAndOffset(S, Arg);
1681 bool Invalid;
1682
1683 // Must be rooted in a declaration reference.
1684 if (!BaseDecl)
1685 Invalid = true;
1686
1687 // If it's a function declaration, we can't have an offset.
1688 else if (isa<FunctionDecl>(BaseDecl))
1689 Invalid = !Offset.isZero();
1690
1691 // Otherwise we're fine.
1692 else
1693 Invalid = false;
1694
1695 if (Invalid)
1696 S.Diag(Arg->getExprLoc(), diag::err_ptrauth_bad_constant_pointer);
1697 return Invalid;
1698 }
1699
1700 // The discriminator argument.
1701 assert(OpKind == PAO_Discriminator);
1702
1703 // Must be a pointer or integer or blend thereof.
1704 Expr *Pointer = nullptr;
1705 Expr *Integer = nullptr;
1706 if (auto *Call = dyn_cast<CallExpr>(Arg->IgnoreParens())) {
1707 if (Call->getBuiltinCallee() ==
1708 Builtin::BI__builtin_ptrauth_blend_discriminator) {
1709 Pointer = Call->getArg(0);
1710 Integer = Call->getArg(1);
1711 }
1712 }
1713 if (!Pointer && !Integer) {
1714 if (Arg->getType()->isPointerType())
1715 Pointer = Arg;
1716 else
1717 Integer = Arg;
1718 }
1719
1720 // Check the pointer.
1721 bool Invalid = false;
1722 if (Pointer) {
1723 assert(Pointer->getType()->isPointerType());
1724
1725 // TODO: if we're initializing a global, check that the address is
1726 // somehow related to what we're initializing. This probably will
1727 // never really be feasible and we'll have to catch it at link-time.
1728 auto [BaseDecl, Offset] = findConstantBaseAndOffset(S, Pointer);
1729 if (!BaseDecl || !isa<VarDecl>(BaseDecl))
1730 Invalid = true;
1731 }
1732
1733 // Check the integer.
1734 if (Integer) {
1735 assert(Integer->getType()->isIntegerType());
1736 if (!Integer->isEvaluatable(S.Context))
1737 Invalid = true;
1738 }
1739
1740 if (Invalid)
1741 S.Diag(Arg->getExprLoc(), diag::err_ptrauth_bad_constant_discriminator);
1742 return Invalid;
1743 }
1744
PointerAuthStrip(Sema & S,CallExpr * Call)1745 static ExprResult PointerAuthStrip(Sema &S, CallExpr *Call) {
1746 if (S.checkArgCount(Call, 2))
1747 return ExprError();
1748 if (checkPointerAuthEnabled(S, Call))
1749 return ExprError();
1750 if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_Strip) ||
1751 checkPointerAuthKey(S, Call->getArgs()[1]))
1752 return ExprError();
1753
1754 Call->setType(Call->getArgs()[0]->getType());
1755 return Call;
1756 }
1757
PointerAuthBlendDiscriminator(Sema & S,CallExpr * Call)1758 static ExprResult PointerAuthBlendDiscriminator(Sema &S, CallExpr *Call) {
1759 if (S.checkArgCount(Call, 2))
1760 return ExprError();
1761 if (checkPointerAuthEnabled(S, Call))
1762 return ExprError();
1763 if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_BlendPointer) ||
1764 checkPointerAuthValue(S, Call->getArgs()[1], PAO_BlendInteger))
1765 return ExprError();
1766
1767 Call->setType(S.Context.getUIntPtrType());
1768 return Call;
1769 }
1770
PointerAuthSignGenericData(Sema & S,CallExpr * Call)1771 static ExprResult PointerAuthSignGenericData(Sema &S, CallExpr *Call) {
1772 if (S.checkArgCount(Call, 2))
1773 return ExprError();
1774 if (checkPointerAuthEnabled(S, Call))
1775 return ExprError();
1776 if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_SignGeneric) ||
1777 checkPointerAuthValue(S, Call->getArgs()[1], PAO_Discriminator))
1778 return ExprError();
1779
1780 Call->setType(S.Context.getUIntPtrType());
1781 return Call;
1782 }
1783
PointerAuthSignOrAuth(Sema & S,CallExpr * Call,PointerAuthOpKind OpKind,bool RequireConstant)1784 static ExprResult PointerAuthSignOrAuth(Sema &S, CallExpr *Call,
1785 PointerAuthOpKind OpKind,
1786 bool RequireConstant) {
1787 if (S.checkArgCount(Call, 3))
1788 return ExprError();
1789 if (checkPointerAuthEnabled(S, Call))
1790 return ExprError();
1791 if (checkPointerAuthValue(S, Call->getArgs()[0], OpKind, RequireConstant) ||
1792 checkPointerAuthKey(S, Call->getArgs()[1]) ||
1793 checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator,
1794 RequireConstant))
1795 return ExprError();
1796
1797 Call->setType(Call->getArgs()[0]->getType());
1798 return Call;
1799 }
1800
PointerAuthAuthAndResign(Sema & S,CallExpr * Call)1801 static ExprResult PointerAuthAuthAndResign(Sema &S, CallExpr *Call) {
1802 if (S.checkArgCount(Call, 5))
1803 return ExprError();
1804 if (checkPointerAuthEnabled(S, Call))
1805 return ExprError();
1806 if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_Auth) ||
1807 checkPointerAuthKey(S, Call->getArgs()[1]) ||
1808 checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator) ||
1809 checkPointerAuthKey(S, Call->getArgs()[3]) ||
1810 checkPointerAuthValue(S, Call->getArgs()[4], PAO_Discriminator))
1811 return ExprError();
1812
1813 Call->setType(Call->getArgs()[0]->getType());
1814 return Call;
1815 }
1816
PointerAuthStringDiscriminator(Sema & S,CallExpr * Call)1817 static ExprResult PointerAuthStringDiscriminator(Sema &S, CallExpr *Call) {
1818 if (checkPointerAuthEnabled(S, Call))
1819 return ExprError();
1820
1821 // We've already performed normal call type-checking.
1822 const Expr *Arg = Call->getArg(0)->IgnoreParenImpCasts();
1823
1824 // Operand must be an ordinary or UTF-8 string literal.
1825 const auto *Literal = dyn_cast<StringLiteral>(Arg);
1826 if (!Literal || Literal->getCharByteWidth() != 1) {
1827 S.Diag(Arg->getExprLoc(), diag::err_ptrauth_string_not_literal)
1828 << (Literal ? 1 : 0) << Arg->getSourceRange();
1829 return ExprError();
1830 }
1831
1832 return Call;
1833 }
1834
GetVTablePointer(Sema & S,CallExpr * Call)1835 static ExprResult GetVTablePointer(Sema &S, CallExpr *Call) {
1836 if (S.checkArgCount(Call, 1))
1837 return ExprError();
1838 Expr *FirstArg = Call->getArg(0);
1839 ExprResult FirstValue = S.DefaultFunctionArrayLvalueConversion(FirstArg);
1840 if (FirstValue.isInvalid())
1841 return ExprError();
1842 Call->setArg(0, FirstValue.get());
1843 QualType FirstArgType = FirstArg->getType();
1844 if (FirstArgType->canDecayToPointerType() && FirstArgType->isArrayType())
1845 FirstArgType = S.Context.getDecayedType(FirstArgType);
1846
1847 const CXXRecordDecl *FirstArgRecord = FirstArgType->getPointeeCXXRecordDecl();
1848 if (!FirstArgRecord) {
1849 S.Diag(FirstArg->getBeginLoc(), diag::err_get_vtable_pointer_incorrect_type)
1850 << /*isPolymorphic=*/0 << FirstArgType;
1851 return ExprError();
1852 }
1853 if (S.RequireCompleteType(
1854 FirstArg->getBeginLoc(), FirstArgType->getPointeeType(),
1855 diag::err_get_vtable_pointer_requires_complete_type)) {
1856 return ExprError();
1857 }
1858
1859 if (!FirstArgRecord->isPolymorphic()) {
1860 S.Diag(FirstArg->getBeginLoc(), diag::err_get_vtable_pointer_incorrect_type)
1861 << /*isPolymorphic=*/1 << FirstArgRecord;
1862 return ExprError();
1863 }
1864 QualType ReturnType = S.Context.getPointerType(S.Context.VoidTy.withConst());
1865 Call->setType(ReturnType);
1866 return Call;
1867 }
1868
BuiltinLaunder(Sema & S,CallExpr * TheCall)1869 static ExprResult BuiltinLaunder(Sema &S, CallExpr *TheCall) {
1870 if (S.checkArgCount(TheCall, 1))
1871 return ExprError();
1872
1873 // Compute __builtin_launder's parameter type from the argument.
1874 // The parameter type is:
1875 // * The type of the argument if it's not an array or function type,
1876 // Otherwise,
1877 // * The decayed argument type.
1878 QualType ParamTy = [&]() {
1879 QualType ArgTy = TheCall->getArg(0)->getType();
1880 if (const ArrayType *Ty = ArgTy->getAsArrayTypeUnsafe())
1881 return S.Context.getPointerType(Ty->getElementType());
1882 if (ArgTy->isFunctionType()) {
1883 return S.Context.getPointerType(ArgTy);
1884 }
1885 return ArgTy;
1886 }();
1887
1888 TheCall->setType(ParamTy);
1889
1890 auto DiagSelect = [&]() -> std::optional<unsigned> {
1891 if (!ParamTy->isPointerType())
1892 return 0;
1893 if (ParamTy->isFunctionPointerType())
1894 return 1;
1895 if (ParamTy->isVoidPointerType())
1896 return 2;
1897 return std::optional<unsigned>{};
1898 }();
1899 if (DiagSelect) {
1900 S.Diag(TheCall->getBeginLoc(), diag::err_builtin_launder_invalid_arg)
1901 << *DiagSelect << TheCall->getSourceRange();
1902 return ExprError();
1903 }
1904
1905 // We either have an incomplete class type, or we have a class template
1906 // whose instantiation has not been forced. Example:
1907 //
1908 // template <class T> struct Foo { T value; };
1909 // Foo<int> *p = nullptr;
1910 // auto *d = __builtin_launder(p);
1911 if (S.RequireCompleteType(TheCall->getBeginLoc(), ParamTy->getPointeeType(),
1912 diag::err_incomplete_type))
1913 return ExprError();
1914
1915 assert(ParamTy->getPointeeType()->isObjectType() &&
1916 "Unhandled non-object pointer case");
1917
1918 InitializedEntity Entity =
1919 InitializedEntity::InitializeParameter(S.Context, ParamTy, false);
1920 ExprResult Arg =
1921 S.PerformCopyInitialization(Entity, SourceLocation(), TheCall->getArg(0));
1922 if (Arg.isInvalid())
1923 return ExprError();
1924 TheCall->setArg(0, Arg.get());
1925
1926 return TheCall;
1927 }
1928
BuiltinIsWithinLifetime(Sema & S,CallExpr * TheCall)1929 static ExprResult BuiltinIsWithinLifetime(Sema &S, CallExpr *TheCall) {
1930 if (S.checkArgCount(TheCall, 1))
1931 return ExprError();
1932
1933 ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
1934 if (Arg.isInvalid())
1935 return ExprError();
1936 QualType ParamTy = Arg.get()->getType();
1937 TheCall->setArg(0, Arg.get());
1938 TheCall->setType(S.Context.BoolTy);
1939
1940 // Only accept pointers to objects as arguments, which should have object
1941 // pointer or void pointer types.
1942 if (const auto *PT = ParamTy->getAs<PointerType>()) {
1943 // LWG4138: Function pointer types not allowed
1944 if (PT->getPointeeType()->isFunctionType()) {
1945 S.Diag(TheCall->getArg(0)->getExprLoc(),
1946 diag::err_builtin_is_within_lifetime_invalid_arg)
1947 << 1;
1948 return ExprError();
1949 }
1950 // Disallow VLAs too since those shouldn't be able to
1951 // be a template parameter for `std::is_within_lifetime`
1952 if (PT->getPointeeType()->isVariableArrayType()) {
1953 S.Diag(TheCall->getArg(0)->getExprLoc(), diag::err_vla_unsupported)
1954 << 1 << "__builtin_is_within_lifetime";
1955 return ExprError();
1956 }
1957 } else {
1958 S.Diag(TheCall->getArg(0)->getExprLoc(),
1959 diag::err_builtin_is_within_lifetime_invalid_arg)
1960 << 0;
1961 return ExprError();
1962 }
1963 return TheCall;
1964 }
1965
BuiltinTriviallyRelocate(Sema & S,CallExpr * TheCall)1966 static ExprResult BuiltinTriviallyRelocate(Sema &S, CallExpr *TheCall) {
1967 if (S.checkArgCount(TheCall, 3))
1968 return ExprError();
1969
1970 QualType Dest = TheCall->getArg(0)->getType();
1971 if (!Dest->isPointerType() || Dest.getCVRQualifiers() != 0) {
1972 S.Diag(TheCall->getArg(0)->getExprLoc(),
1973 diag::err_builtin_trivially_relocate_invalid_arg_type)
1974 << /*a pointer*/ 0;
1975 return ExprError();
1976 }
1977
1978 QualType T = Dest->getPointeeType();
1979 if (S.RequireCompleteType(TheCall->getBeginLoc(), T,
1980 diag::err_incomplete_type))
1981 return ExprError();
1982
1983 if (T.isConstQualified() || !S.IsCXXTriviallyRelocatableType(T) ||
1984 T->isIncompleteArrayType()) {
1985 S.Diag(TheCall->getArg(0)->getExprLoc(),
1986 diag::err_builtin_trivially_relocate_invalid_arg_type)
1987 << (T.isConstQualified() ? /*non-const*/ 1 : /*relocatable*/ 2);
1988 return ExprError();
1989 }
1990
1991 TheCall->setType(Dest);
1992
1993 QualType Src = TheCall->getArg(1)->getType();
1994 if (Src.getCanonicalType() != Dest.getCanonicalType()) {
1995 S.Diag(TheCall->getArg(1)->getExprLoc(),
1996 diag::err_builtin_trivially_relocate_invalid_arg_type)
1997 << /*the same*/ 3;
1998 return ExprError();
1999 }
2000
2001 Expr *SizeExpr = TheCall->getArg(2);
2002 ExprResult Size = S.DefaultLvalueConversion(SizeExpr);
2003 if (Size.isInvalid())
2004 return ExprError();
2005
2006 Size = S.tryConvertExprToType(Size.get(), S.getASTContext().getSizeType());
2007 if (Size.isInvalid())
2008 return ExprError();
2009 SizeExpr = Size.get();
2010 TheCall->setArg(2, SizeExpr);
2011
2012 return TheCall;
2013 }
2014
2015 // Emit an error and return true if the current object format type is in the
2016 // list of unsupported types.
CheckBuiltinTargetNotInUnsupported(Sema & S,unsigned BuiltinID,CallExpr * TheCall,ArrayRef<llvm::Triple::ObjectFormatType> UnsupportedObjectFormatTypes)2017 static bool CheckBuiltinTargetNotInUnsupported(
2018 Sema &S, unsigned BuiltinID, CallExpr *TheCall,
2019 ArrayRef<llvm::Triple::ObjectFormatType> UnsupportedObjectFormatTypes) {
2020 llvm::Triple::ObjectFormatType CurObjFormat =
2021 S.getASTContext().getTargetInfo().getTriple().getObjectFormat();
2022 if (llvm::is_contained(UnsupportedObjectFormatTypes, CurObjFormat)) {
2023 S.Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
2024 << TheCall->getSourceRange();
2025 return true;
2026 }
2027 return false;
2028 }
2029
2030 // Emit an error and return true if the current architecture is not in the list
2031 // of supported architectures.
2032 static bool
CheckBuiltinTargetInSupported(Sema & S,CallExpr * TheCall,ArrayRef<llvm::Triple::ArchType> SupportedArchs)2033 CheckBuiltinTargetInSupported(Sema &S, CallExpr *TheCall,
2034 ArrayRef<llvm::Triple::ArchType> SupportedArchs) {
2035 llvm::Triple::ArchType CurArch =
2036 S.getASTContext().getTargetInfo().getTriple().getArch();
2037 if (llvm::is_contained(SupportedArchs, CurArch))
2038 return false;
2039 S.Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
2040 << TheCall->getSourceRange();
2041 return true;
2042 }
2043
2044 static void CheckNonNullArgument(Sema &S, const Expr *ArgExpr,
2045 SourceLocation CallSiteLoc);
2046
CheckTSBuiltinFunctionCall(const TargetInfo & TI,unsigned BuiltinID,CallExpr * TheCall)2047 bool Sema::CheckTSBuiltinFunctionCall(const TargetInfo &TI, unsigned BuiltinID,
2048 CallExpr *TheCall) {
2049 switch (TI.getTriple().getArch()) {
2050 default:
2051 // Some builtins don't require additional checking, so just consider these
2052 // acceptable.
2053 return false;
2054 case llvm::Triple::arm:
2055 case llvm::Triple::armeb:
2056 case llvm::Triple::thumb:
2057 case llvm::Triple::thumbeb:
2058 return ARM().CheckARMBuiltinFunctionCall(TI, BuiltinID, TheCall);
2059 case llvm::Triple::aarch64:
2060 case llvm::Triple::aarch64_32:
2061 case llvm::Triple::aarch64_be:
2062 return ARM().CheckAArch64BuiltinFunctionCall(TI, BuiltinID, TheCall);
2063 case llvm::Triple::bpfeb:
2064 case llvm::Triple::bpfel:
2065 return BPF().CheckBPFBuiltinFunctionCall(BuiltinID, TheCall);
2066 case llvm::Triple::dxil:
2067 return DirectX().CheckDirectXBuiltinFunctionCall(BuiltinID, TheCall);
2068 case llvm::Triple::hexagon:
2069 return Hexagon().CheckHexagonBuiltinFunctionCall(BuiltinID, TheCall);
2070 case llvm::Triple::mips:
2071 case llvm::Triple::mipsel:
2072 case llvm::Triple::mips64:
2073 case llvm::Triple::mips64el:
2074 return MIPS().CheckMipsBuiltinFunctionCall(TI, BuiltinID, TheCall);
2075 case llvm::Triple::spirv:
2076 case llvm::Triple::spirv32:
2077 case llvm::Triple::spirv64:
2078 if (TI.getTriple().getOS() != llvm::Triple::OSType::AMDHSA)
2079 return SPIRV().CheckSPIRVBuiltinFunctionCall(TI, BuiltinID, TheCall);
2080 return false;
2081 case llvm::Triple::systemz:
2082 return SystemZ().CheckSystemZBuiltinFunctionCall(BuiltinID, TheCall);
2083 case llvm::Triple::x86:
2084 case llvm::Triple::x86_64:
2085 return X86().CheckBuiltinFunctionCall(TI, BuiltinID, TheCall);
2086 case llvm::Triple::ppc:
2087 case llvm::Triple::ppcle:
2088 case llvm::Triple::ppc64:
2089 case llvm::Triple::ppc64le:
2090 return PPC().CheckPPCBuiltinFunctionCall(TI, BuiltinID, TheCall);
2091 case llvm::Triple::amdgcn:
2092 return AMDGPU().CheckAMDGCNBuiltinFunctionCall(BuiltinID, TheCall);
2093 case llvm::Triple::riscv32:
2094 case llvm::Triple::riscv64:
2095 return RISCV().CheckBuiltinFunctionCall(TI, BuiltinID, TheCall);
2096 case llvm::Triple::loongarch32:
2097 case llvm::Triple::loongarch64:
2098 return LoongArch().CheckLoongArchBuiltinFunctionCall(TI, BuiltinID,
2099 TheCall);
2100 case llvm::Triple::wasm32:
2101 case llvm::Triple::wasm64:
2102 return Wasm().CheckWebAssemblyBuiltinFunctionCall(TI, BuiltinID, TheCall);
2103 case llvm::Triple::nvptx:
2104 case llvm::Triple::nvptx64:
2105 return NVPTX().CheckNVPTXBuiltinFunctionCall(TI, BuiltinID, TheCall);
2106 }
2107 }
2108
2109 // Check if \p Ty is a valid type for the elementwise math builtins. If it is
2110 // not a valid type, emit an error message and return true. Otherwise return
2111 // false.
2112 static bool
checkMathBuiltinElementType(Sema & S,SourceLocation Loc,QualType ArgTy,Sema::EltwiseBuiltinArgTyRestriction ArgTyRestr,int ArgOrdinal)2113 checkMathBuiltinElementType(Sema &S, SourceLocation Loc, QualType ArgTy,
2114 Sema::EltwiseBuiltinArgTyRestriction ArgTyRestr,
2115 int ArgOrdinal) {
2116 QualType EltTy = ArgTy;
2117 if (auto *VecTy = EltTy->getAs<VectorType>())
2118 EltTy = VecTy->getElementType();
2119
2120 switch (ArgTyRestr) {
2121 case Sema::EltwiseBuiltinArgTyRestriction::None:
2122 if (!ArgTy->getAs<VectorType>() &&
2123 !ConstantMatrixType::isValidElementType(ArgTy)) {
2124 return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
2125 << ArgOrdinal << /* vector */ 2 << /* integer */ 1 << /* fp */ 1
2126 << ArgTy;
2127 }
2128 break;
2129 case Sema::EltwiseBuiltinArgTyRestriction::FloatTy:
2130 if (!EltTy->isRealFloatingType()) {
2131 return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
2132 << ArgOrdinal << /* scalar or vector */ 5 << /* no int */ 0
2133 << /* floating-point */ 1 << ArgTy;
2134 }
2135 break;
2136 case Sema::EltwiseBuiltinArgTyRestriction::IntegerTy:
2137 if (!EltTy->isIntegerType()) {
2138 return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
2139 << ArgOrdinal << /* scalar or vector */ 5 << /* integer */ 1
2140 << /* no fp */ 0 << ArgTy;
2141 }
2142 break;
2143 case Sema::EltwiseBuiltinArgTyRestriction::SignedIntOrFloatTy:
2144 if (EltTy->isUnsignedIntegerType()) {
2145 return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
2146 << 1 << /* scalar or vector */ 5 << /* signed int */ 2
2147 << /* or fp */ 1 << ArgTy;
2148 }
2149 break;
2150 }
2151
2152 return false;
2153 }
2154
2155 /// BuiltinCpu{Supports|Is} - Handle __builtin_cpu_{supports|is}(char *).
2156 /// This checks that the target supports the builtin and that the string
2157 /// argument is constant and valid.
BuiltinCpu(Sema & S,const TargetInfo & TI,CallExpr * TheCall,const TargetInfo * AuxTI,unsigned BuiltinID)2158 static bool BuiltinCpu(Sema &S, const TargetInfo &TI, CallExpr *TheCall,
2159 const TargetInfo *AuxTI, unsigned BuiltinID) {
2160 assert((BuiltinID == Builtin::BI__builtin_cpu_supports ||
2161 BuiltinID == Builtin::BI__builtin_cpu_is) &&
2162 "Expecting __builtin_cpu_...");
2163
2164 bool IsCPUSupports = BuiltinID == Builtin::BI__builtin_cpu_supports;
2165 const TargetInfo *TheTI = &TI;
2166 auto SupportsBI = [=](const TargetInfo *TInfo) {
2167 return TInfo && ((IsCPUSupports && TInfo->supportsCpuSupports()) ||
2168 (!IsCPUSupports && TInfo->supportsCpuIs()));
2169 };
2170 if (!SupportsBI(&TI) && SupportsBI(AuxTI))
2171 TheTI = AuxTI;
2172
2173 if ((!IsCPUSupports && !TheTI->supportsCpuIs()) ||
2174 (IsCPUSupports && !TheTI->supportsCpuSupports()))
2175 return S.Diag(TheCall->getBeginLoc(),
2176 TI.getTriple().isOSAIX()
2177 ? diag::err_builtin_aix_os_unsupported
2178 : diag::err_builtin_target_unsupported)
2179 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
2180
2181 Expr *Arg = TheCall->getArg(0)->IgnoreParenImpCasts();
2182 // Check if the argument is a string literal.
2183 if (!isa<StringLiteral>(Arg))
2184 return S.Diag(TheCall->getBeginLoc(), diag::err_expr_not_string_literal)
2185 << Arg->getSourceRange();
2186
2187 // Check the contents of the string.
2188 StringRef Feature = cast<StringLiteral>(Arg)->getString();
2189 if (IsCPUSupports && !TheTI->validateCpuSupports(Feature)) {
2190 S.Diag(TheCall->getBeginLoc(), diag::warn_invalid_cpu_supports)
2191 << Arg->getSourceRange();
2192 return false;
2193 }
2194 if (!IsCPUSupports && !TheTI->validateCpuIs(Feature))
2195 return S.Diag(TheCall->getBeginLoc(), diag::err_invalid_cpu_is)
2196 << Arg->getSourceRange();
2197 return false;
2198 }
2199
2200 /// Checks that __builtin_popcountg was called with a single argument, which is
2201 /// an unsigned integer.
BuiltinPopcountg(Sema & S,CallExpr * TheCall)2202 static bool BuiltinPopcountg(Sema &S, CallExpr *TheCall) {
2203 if (S.checkArgCount(TheCall, 1))
2204 return true;
2205
2206 ExprResult ArgRes = S.DefaultLvalueConversion(TheCall->getArg(0));
2207 if (ArgRes.isInvalid())
2208 return true;
2209
2210 Expr *Arg = ArgRes.get();
2211 TheCall->setArg(0, Arg);
2212
2213 QualType ArgTy = Arg->getType();
2214
2215 if (!ArgTy->isUnsignedIntegerType()) {
2216 S.Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2217 << 1 << /* scalar */ 1 << /* unsigned integer ty */ 3 << /* no fp */ 0
2218 << ArgTy;
2219 return true;
2220 }
2221 return false;
2222 }
2223
2224 /// Checks that __builtin_{clzg,ctzg} was called with a first argument, which is
2225 /// an unsigned integer, and an optional second argument, which is promoted to
2226 /// an 'int'.
BuiltinCountZeroBitsGeneric(Sema & S,CallExpr * TheCall)2227 static bool BuiltinCountZeroBitsGeneric(Sema &S, CallExpr *TheCall) {
2228 if (S.checkArgCountRange(TheCall, 1, 2))
2229 return true;
2230
2231 ExprResult Arg0Res = S.DefaultLvalueConversion(TheCall->getArg(0));
2232 if (Arg0Res.isInvalid())
2233 return true;
2234
2235 Expr *Arg0 = Arg0Res.get();
2236 TheCall->setArg(0, Arg0);
2237
2238 QualType Arg0Ty = Arg0->getType();
2239
2240 if (!Arg0Ty->isUnsignedIntegerType()) {
2241 S.Diag(Arg0->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2242 << 1 << /* scalar */ 1 << /* unsigned integer ty */ 3 << /* no fp */ 0
2243 << Arg0Ty;
2244 return true;
2245 }
2246
2247 if (TheCall->getNumArgs() > 1) {
2248 ExprResult Arg1Res = S.UsualUnaryConversions(TheCall->getArg(1));
2249 if (Arg1Res.isInvalid())
2250 return true;
2251
2252 Expr *Arg1 = Arg1Res.get();
2253 TheCall->setArg(1, Arg1);
2254
2255 QualType Arg1Ty = Arg1->getType();
2256
2257 if (!Arg1Ty->isSpecificBuiltinType(BuiltinType::Int)) {
2258 S.Diag(Arg1->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2259 << 2 << /* scalar */ 1 << /* 'int' ty */ 4 << /* no fp */ 0 << Arg1Ty;
2260 return true;
2261 }
2262 }
2263
2264 return false;
2265 }
2266
BuiltinInvoke(Sema & S,CallExpr * TheCall)2267 static ExprResult BuiltinInvoke(Sema &S, CallExpr *TheCall) {
2268 SourceLocation Loc = TheCall->getBeginLoc();
2269 MutableArrayRef Args(TheCall->getArgs(), TheCall->getNumArgs());
2270 assert(llvm::none_of(Args, [](Expr *Arg) { return Arg->isTypeDependent(); }));
2271
2272 if (Args.size() == 0) {
2273 S.Diag(TheCall->getBeginLoc(),
2274 diag::err_typecheck_call_too_few_args_at_least)
2275 << /*callee_type=*/0 << /*min_arg_count=*/1 << /*actual_arg_count=*/0
2276 << /*is_non_object=*/0 << TheCall->getSourceRange();
2277 return ExprError();
2278 }
2279
2280 QualType FuncT = Args[0]->getType();
2281
2282 if (const auto *MPT = FuncT->getAs<MemberPointerType>()) {
2283 if (Args.size() < 2) {
2284 S.Diag(TheCall->getBeginLoc(),
2285 diag::err_typecheck_call_too_few_args_at_least)
2286 << /*callee_type=*/0 << /*min_arg_count=*/2 << /*actual_arg_count=*/1
2287 << /*is_non_object=*/0 << TheCall->getSourceRange();
2288 return ExprError();
2289 }
2290
2291 const Type *MemPtrClass = MPT->getQualifier()->getAsType();
2292 QualType ObjectT = Args[1]->getType();
2293
2294 if (MPT->isMemberDataPointer() && S.checkArgCount(TheCall, 2))
2295 return ExprError();
2296
2297 ExprResult ObjectArg = [&]() -> ExprResult {
2298 // (1.1): (t1.*f)(t2, ..., tN) when f is a pointer to a member function of
2299 // a class T and is_same_v<T, remove_cvref_t<decltype(t1)>> ||
2300 // is_base_of_v<T, remove_cvref_t<decltype(t1)>> is true;
2301 // (1.4): t1.*f when N=1 and f is a pointer to data member of a class T
2302 // and is_same_v<T, remove_cvref_t<decltype(t1)>> ||
2303 // is_base_of_v<T, remove_cvref_t<decltype(t1)>> is true;
2304 if (S.Context.hasSameType(QualType(MemPtrClass, 0),
2305 S.BuiltinRemoveCVRef(ObjectT, Loc)) ||
2306 S.BuiltinIsBaseOf(Args[1]->getBeginLoc(), QualType(MemPtrClass, 0),
2307 S.BuiltinRemoveCVRef(ObjectT, Loc))) {
2308 return Args[1];
2309 }
2310
2311 // (t1.get().*f)(t2, ..., tN) when f is a pointer to a member function of
2312 // a class T and remove_cvref_t<decltype(t1)> is a specialization of
2313 // reference_wrapper;
2314 if (const auto *RD = ObjectT->getAsCXXRecordDecl()) {
2315 if (RD->isInStdNamespace() &&
2316 RD->getDeclName().getAsString() == "reference_wrapper") {
2317 CXXScopeSpec SS;
2318 IdentifierInfo *GetName = &S.Context.Idents.get("get");
2319 UnqualifiedId GetID;
2320 GetID.setIdentifier(GetName, Loc);
2321
2322 ExprResult MemExpr = S.ActOnMemberAccessExpr(
2323 S.getCurScope(), Args[1], Loc, tok::period, SS,
2324 /*TemplateKWLoc=*/SourceLocation(), GetID, nullptr);
2325
2326 if (MemExpr.isInvalid())
2327 return ExprError();
2328
2329 return S.ActOnCallExpr(S.getCurScope(), MemExpr.get(), Loc, {}, Loc);
2330 }
2331 }
2332
2333 // ((*t1).*f)(t2, ..., tN) when f is a pointer to a member function of a
2334 // class T and t1 does not satisfy the previous two items;
2335
2336 return S.ActOnUnaryOp(S.getCurScope(), Loc, tok::star, Args[1]);
2337 }();
2338
2339 if (ObjectArg.isInvalid())
2340 return ExprError();
2341
2342 ExprResult BinOp = S.ActOnBinOp(S.getCurScope(), TheCall->getBeginLoc(),
2343 tok::periodstar, ObjectArg.get(), Args[0]);
2344 if (BinOp.isInvalid())
2345 return ExprError();
2346
2347 if (MPT->isMemberDataPointer())
2348 return BinOp;
2349
2350 auto *MemCall = new (S.Context)
2351 ParenExpr(SourceLocation(), SourceLocation(), BinOp.get());
2352
2353 return S.ActOnCallExpr(S.getCurScope(), MemCall, TheCall->getBeginLoc(),
2354 Args.drop_front(2), TheCall->getRParenLoc());
2355 }
2356 return S.ActOnCallExpr(S.getCurScope(), Args.front(), TheCall->getBeginLoc(),
2357 Args.drop_front(), TheCall->getRParenLoc());
2358 }
2359
2360 ExprResult
CheckBuiltinFunctionCall(FunctionDecl * FDecl,unsigned BuiltinID,CallExpr * TheCall)2361 Sema::CheckBuiltinFunctionCall(FunctionDecl *FDecl, unsigned BuiltinID,
2362 CallExpr *TheCall) {
2363 ExprResult TheCallResult(TheCall);
2364
2365 // Find out if any arguments are required to be integer constant expressions.
2366 unsigned ICEArguments = 0;
2367 ASTContext::GetBuiltinTypeError Error;
2368 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments);
2369 if (Error != ASTContext::GE_None)
2370 ICEArguments = 0; // Don't diagnose previously diagnosed errors.
2371
2372 // If any arguments are required to be ICE's, check and diagnose.
2373 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) {
2374 // Skip arguments not required to be ICE's.
2375 if ((ICEArguments & (1 << ArgNo)) == 0) continue;
2376
2377 llvm::APSInt Result;
2378 // If we don't have enough arguments, continue so we can issue better
2379 // diagnostic in checkArgCount(...)
2380 if (ArgNo < TheCall->getNumArgs() &&
2381 BuiltinConstantArg(TheCall, ArgNo, Result))
2382 return true;
2383 ICEArguments &= ~(1 << ArgNo);
2384 }
2385
2386 FPOptions FPO;
2387 switch (BuiltinID) {
2388 case Builtin::BI__builtin_cpu_supports:
2389 case Builtin::BI__builtin_cpu_is:
2390 if (BuiltinCpu(*this, Context.getTargetInfo(), TheCall,
2391 Context.getAuxTargetInfo(), BuiltinID))
2392 return ExprError();
2393 break;
2394 case Builtin::BI__builtin_cpu_init:
2395 if (!Context.getTargetInfo().supportsCpuInit()) {
2396 Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
2397 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
2398 return ExprError();
2399 }
2400 break;
2401 case Builtin::BI__builtin___CFStringMakeConstantString:
2402 // CFStringMakeConstantString is currently not implemented for GOFF (i.e.,
2403 // on z/OS) and for XCOFF (i.e., on AIX). Emit unsupported
2404 if (CheckBuiltinTargetNotInUnsupported(
2405 *this, BuiltinID, TheCall,
2406 {llvm::Triple::GOFF, llvm::Triple::XCOFF}))
2407 return ExprError();
2408 assert(TheCall->getNumArgs() == 1 &&
2409 "Wrong # arguments to builtin CFStringMakeConstantString");
2410 if (ObjC().CheckObjCString(TheCall->getArg(0)))
2411 return ExprError();
2412 break;
2413 case Builtin::BI__builtin_ms_va_start:
2414 case Builtin::BI__builtin_stdarg_start:
2415 case Builtin::BI__builtin_va_start:
2416 case Builtin::BI__builtin_c23_va_start:
2417 if (BuiltinVAStart(BuiltinID, TheCall))
2418 return ExprError();
2419 break;
2420 case Builtin::BI__va_start: {
2421 switch (Context.getTargetInfo().getTriple().getArch()) {
2422 case llvm::Triple::aarch64:
2423 case llvm::Triple::arm:
2424 case llvm::Triple::thumb:
2425 if (BuiltinVAStartARMMicrosoft(TheCall))
2426 return ExprError();
2427 break;
2428 default:
2429 if (BuiltinVAStart(BuiltinID, TheCall))
2430 return ExprError();
2431 break;
2432 }
2433 break;
2434 }
2435
2436 // The acquire, release, and no fence variants are ARM and AArch64 only.
2437 case Builtin::BI_interlockedbittestandset_acq:
2438 case Builtin::BI_interlockedbittestandset_rel:
2439 case Builtin::BI_interlockedbittestandset_nf:
2440 case Builtin::BI_interlockedbittestandreset_acq:
2441 case Builtin::BI_interlockedbittestandreset_rel:
2442 case Builtin::BI_interlockedbittestandreset_nf:
2443 if (CheckBuiltinTargetInSupported(
2444 *this, TheCall,
2445 {llvm::Triple::arm, llvm::Triple::thumb, llvm::Triple::aarch64}))
2446 return ExprError();
2447 break;
2448
2449 // The 64-bit bittest variants are x64, ARM, and AArch64 only.
2450 case Builtin::BI_bittest64:
2451 case Builtin::BI_bittestandcomplement64:
2452 case Builtin::BI_bittestandreset64:
2453 case Builtin::BI_bittestandset64:
2454 case Builtin::BI_interlockedbittestandreset64:
2455 case Builtin::BI_interlockedbittestandset64:
2456 if (CheckBuiltinTargetInSupported(
2457 *this, TheCall,
2458 {llvm::Triple::x86_64, llvm::Triple::arm, llvm::Triple::thumb,
2459 llvm::Triple::aarch64, llvm::Triple::amdgcn}))
2460 return ExprError();
2461 break;
2462
2463 // The 64-bit acquire, release, and no fence variants are AArch64 only.
2464 case Builtin::BI_interlockedbittestandreset64_acq:
2465 case Builtin::BI_interlockedbittestandreset64_rel:
2466 case Builtin::BI_interlockedbittestandreset64_nf:
2467 case Builtin::BI_interlockedbittestandset64_acq:
2468 case Builtin::BI_interlockedbittestandset64_rel:
2469 case Builtin::BI_interlockedbittestandset64_nf:
2470 if (CheckBuiltinTargetInSupported(*this, TheCall, {llvm::Triple::aarch64}))
2471 return ExprError();
2472 break;
2473
2474 case Builtin::BI__builtin_set_flt_rounds:
2475 if (CheckBuiltinTargetInSupported(
2476 *this, TheCall,
2477 {llvm::Triple::x86, llvm::Triple::x86_64, llvm::Triple::arm,
2478 llvm::Triple::thumb, llvm::Triple::aarch64, llvm::Triple::amdgcn,
2479 llvm::Triple::ppc, llvm::Triple::ppc64, llvm::Triple::ppcle,
2480 llvm::Triple::ppc64le}))
2481 return ExprError();
2482 break;
2483
2484 case Builtin::BI__builtin_isgreater:
2485 case Builtin::BI__builtin_isgreaterequal:
2486 case Builtin::BI__builtin_isless:
2487 case Builtin::BI__builtin_islessequal:
2488 case Builtin::BI__builtin_islessgreater:
2489 case Builtin::BI__builtin_isunordered:
2490 if (BuiltinUnorderedCompare(TheCall, BuiltinID))
2491 return ExprError();
2492 break;
2493 case Builtin::BI__builtin_fpclassify:
2494 if (BuiltinFPClassification(TheCall, 6, BuiltinID))
2495 return ExprError();
2496 break;
2497 case Builtin::BI__builtin_isfpclass:
2498 if (BuiltinFPClassification(TheCall, 2, BuiltinID))
2499 return ExprError();
2500 break;
2501 case Builtin::BI__builtin_isfinite:
2502 case Builtin::BI__builtin_isinf:
2503 case Builtin::BI__builtin_isinf_sign:
2504 case Builtin::BI__builtin_isnan:
2505 case Builtin::BI__builtin_issignaling:
2506 case Builtin::BI__builtin_isnormal:
2507 case Builtin::BI__builtin_issubnormal:
2508 case Builtin::BI__builtin_iszero:
2509 case Builtin::BI__builtin_signbit:
2510 case Builtin::BI__builtin_signbitf:
2511 case Builtin::BI__builtin_signbitl:
2512 if (BuiltinFPClassification(TheCall, 1, BuiltinID))
2513 return ExprError();
2514 break;
2515 case Builtin::BI__builtin_shufflevector:
2516 return BuiltinShuffleVector(TheCall);
2517 // TheCall will be freed by the smart pointer here, but that's fine, since
2518 // BuiltinShuffleVector guts it, but then doesn't release it.
2519 case Builtin::BI__builtin_invoke:
2520 return BuiltinInvoke(*this, TheCall);
2521 case Builtin::BI__builtin_prefetch:
2522 if (BuiltinPrefetch(TheCall))
2523 return ExprError();
2524 break;
2525 case Builtin::BI__builtin_alloca_with_align:
2526 case Builtin::BI__builtin_alloca_with_align_uninitialized:
2527 if (BuiltinAllocaWithAlign(TheCall))
2528 return ExprError();
2529 [[fallthrough]];
2530 case Builtin::BI__builtin_alloca:
2531 case Builtin::BI__builtin_alloca_uninitialized:
2532 Diag(TheCall->getBeginLoc(), diag::warn_alloca)
2533 << TheCall->getDirectCallee();
2534 if (getLangOpts().OpenCL) {
2535 builtinAllocaAddrSpace(*this, TheCall);
2536 }
2537 break;
2538 case Builtin::BI__arithmetic_fence:
2539 if (BuiltinArithmeticFence(TheCall))
2540 return ExprError();
2541 break;
2542 case Builtin::BI__assume:
2543 case Builtin::BI__builtin_assume:
2544 if (BuiltinAssume(TheCall))
2545 return ExprError();
2546 break;
2547 case Builtin::BI__builtin_assume_aligned:
2548 if (BuiltinAssumeAligned(TheCall))
2549 return ExprError();
2550 break;
2551 case Builtin::BI__builtin_dynamic_object_size:
2552 case Builtin::BI__builtin_object_size:
2553 if (BuiltinConstantArgRange(TheCall, 1, 0, 3))
2554 return ExprError();
2555 break;
2556 case Builtin::BI__builtin_longjmp:
2557 if (BuiltinLongjmp(TheCall))
2558 return ExprError();
2559 break;
2560 case Builtin::BI__builtin_setjmp:
2561 if (BuiltinSetjmp(TheCall))
2562 return ExprError();
2563 break;
2564 case Builtin::BI__builtin_classify_type:
2565 if (checkArgCount(TheCall, 1))
2566 return true;
2567 TheCall->setType(Context.IntTy);
2568 break;
2569 case Builtin::BI__builtin_complex:
2570 if (BuiltinComplex(TheCall))
2571 return ExprError();
2572 break;
2573 case Builtin::BI__builtin_constant_p: {
2574 if (checkArgCount(TheCall, 1))
2575 return true;
2576 ExprResult Arg = DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
2577 if (Arg.isInvalid()) return true;
2578 TheCall->setArg(0, Arg.get());
2579 TheCall->setType(Context.IntTy);
2580 break;
2581 }
2582 case Builtin::BI__builtin_launder:
2583 return BuiltinLaunder(*this, TheCall);
2584 case Builtin::BI__builtin_is_within_lifetime:
2585 return BuiltinIsWithinLifetime(*this, TheCall);
2586 case Builtin::BI__builtin_trivially_relocate:
2587 return BuiltinTriviallyRelocate(*this, TheCall);
2588
2589 case Builtin::BI__sync_fetch_and_add:
2590 case Builtin::BI__sync_fetch_and_add_1:
2591 case Builtin::BI__sync_fetch_and_add_2:
2592 case Builtin::BI__sync_fetch_and_add_4:
2593 case Builtin::BI__sync_fetch_and_add_8:
2594 case Builtin::BI__sync_fetch_and_add_16:
2595 case Builtin::BI__sync_fetch_and_sub:
2596 case Builtin::BI__sync_fetch_and_sub_1:
2597 case Builtin::BI__sync_fetch_and_sub_2:
2598 case Builtin::BI__sync_fetch_and_sub_4:
2599 case Builtin::BI__sync_fetch_and_sub_8:
2600 case Builtin::BI__sync_fetch_and_sub_16:
2601 case Builtin::BI__sync_fetch_and_or:
2602 case Builtin::BI__sync_fetch_and_or_1:
2603 case Builtin::BI__sync_fetch_and_or_2:
2604 case Builtin::BI__sync_fetch_and_or_4:
2605 case Builtin::BI__sync_fetch_and_or_8:
2606 case Builtin::BI__sync_fetch_and_or_16:
2607 case Builtin::BI__sync_fetch_and_and:
2608 case Builtin::BI__sync_fetch_and_and_1:
2609 case Builtin::BI__sync_fetch_and_and_2:
2610 case Builtin::BI__sync_fetch_and_and_4:
2611 case Builtin::BI__sync_fetch_and_and_8:
2612 case Builtin::BI__sync_fetch_and_and_16:
2613 case Builtin::BI__sync_fetch_and_xor:
2614 case Builtin::BI__sync_fetch_and_xor_1:
2615 case Builtin::BI__sync_fetch_and_xor_2:
2616 case Builtin::BI__sync_fetch_and_xor_4:
2617 case Builtin::BI__sync_fetch_and_xor_8:
2618 case Builtin::BI__sync_fetch_and_xor_16:
2619 case Builtin::BI__sync_fetch_and_nand:
2620 case Builtin::BI__sync_fetch_and_nand_1:
2621 case Builtin::BI__sync_fetch_and_nand_2:
2622 case Builtin::BI__sync_fetch_and_nand_4:
2623 case Builtin::BI__sync_fetch_and_nand_8:
2624 case Builtin::BI__sync_fetch_and_nand_16:
2625 case Builtin::BI__sync_add_and_fetch:
2626 case Builtin::BI__sync_add_and_fetch_1:
2627 case Builtin::BI__sync_add_and_fetch_2:
2628 case Builtin::BI__sync_add_and_fetch_4:
2629 case Builtin::BI__sync_add_and_fetch_8:
2630 case Builtin::BI__sync_add_and_fetch_16:
2631 case Builtin::BI__sync_sub_and_fetch:
2632 case Builtin::BI__sync_sub_and_fetch_1:
2633 case Builtin::BI__sync_sub_and_fetch_2:
2634 case Builtin::BI__sync_sub_and_fetch_4:
2635 case Builtin::BI__sync_sub_and_fetch_8:
2636 case Builtin::BI__sync_sub_and_fetch_16:
2637 case Builtin::BI__sync_and_and_fetch:
2638 case Builtin::BI__sync_and_and_fetch_1:
2639 case Builtin::BI__sync_and_and_fetch_2:
2640 case Builtin::BI__sync_and_and_fetch_4:
2641 case Builtin::BI__sync_and_and_fetch_8:
2642 case Builtin::BI__sync_and_and_fetch_16:
2643 case Builtin::BI__sync_or_and_fetch:
2644 case Builtin::BI__sync_or_and_fetch_1:
2645 case Builtin::BI__sync_or_and_fetch_2:
2646 case Builtin::BI__sync_or_and_fetch_4:
2647 case Builtin::BI__sync_or_and_fetch_8:
2648 case Builtin::BI__sync_or_and_fetch_16:
2649 case Builtin::BI__sync_xor_and_fetch:
2650 case Builtin::BI__sync_xor_and_fetch_1:
2651 case Builtin::BI__sync_xor_and_fetch_2:
2652 case Builtin::BI__sync_xor_and_fetch_4:
2653 case Builtin::BI__sync_xor_and_fetch_8:
2654 case Builtin::BI__sync_xor_and_fetch_16:
2655 case Builtin::BI__sync_nand_and_fetch:
2656 case Builtin::BI__sync_nand_and_fetch_1:
2657 case Builtin::BI__sync_nand_and_fetch_2:
2658 case Builtin::BI__sync_nand_and_fetch_4:
2659 case Builtin::BI__sync_nand_and_fetch_8:
2660 case Builtin::BI__sync_nand_and_fetch_16:
2661 case Builtin::BI__sync_val_compare_and_swap:
2662 case Builtin::BI__sync_val_compare_and_swap_1:
2663 case Builtin::BI__sync_val_compare_and_swap_2:
2664 case Builtin::BI__sync_val_compare_and_swap_4:
2665 case Builtin::BI__sync_val_compare_and_swap_8:
2666 case Builtin::BI__sync_val_compare_and_swap_16:
2667 case Builtin::BI__sync_bool_compare_and_swap:
2668 case Builtin::BI__sync_bool_compare_and_swap_1:
2669 case Builtin::BI__sync_bool_compare_and_swap_2:
2670 case Builtin::BI__sync_bool_compare_and_swap_4:
2671 case Builtin::BI__sync_bool_compare_and_swap_8:
2672 case Builtin::BI__sync_bool_compare_and_swap_16:
2673 case Builtin::BI__sync_lock_test_and_set:
2674 case Builtin::BI__sync_lock_test_and_set_1:
2675 case Builtin::BI__sync_lock_test_and_set_2:
2676 case Builtin::BI__sync_lock_test_and_set_4:
2677 case Builtin::BI__sync_lock_test_and_set_8:
2678 case Builtin::BI__sync_lock_test_and_set_16:
2679 case Builtin::BI__sync_lock_release:
2680 case Builtin::BI__sync_lock_release_1:
2681 case Builtin::BI__sync_lock_release_2:
2682 case Builtin::BI__sync_lock_release_4:
2683 case Builtin::BI__sync_lock_release_8:
2684 case Builtin::BI__sync_lock_release_16:
2685 case Builtin::BI__sync_swap:
2686 case Builtin::BI__sync_swap_1:
2687 case Builtin::BI__sync_swap_2:
2688 case Builtin::BI__sync_swap_4:
2689 case Builtin::BI__sync_swap_8:
2690 case Builtin::BI__sync_swap_16:
2691 return BuiltinAtomicOverloaded(TheCallResult);
2692 case Builtin::BI__sync_synchronize:
2693 Diag(TheCall->getBeginLoc(), diag::warn_atomic_implicit_seq_cst)
2694 << TheCall->getCallee()->getSourceRange();
2695 break;
2696 case Builtin::BI__builtin_nontemporal_load:
2697 case Builtin::BI__builtin_nontemporal_store:
2698 return BuiltinNontemporalOverloaded(TheCallResult);
2699 case Builtin::BI__builtin_memcpy_inline: {
2700 clang::Expr *SizeOp = TheCall->getArg(2);
2701 // We warn about copying to or from `nullptr` pointers when `size` is
2702 // greater than 0. When `size` is value dependent we cannot evaluate its
2703 // value so we bail out.
2704 if (SizeOp->isValueDependent())
2705 break;
2706 if (!SizeOp->EvaluateKnownConstInt(Context).isZero()) {
2707 CheckNonNullArgument(*this, TheCall->getArg(0), TheCall->getExprLoc());
2708 CheckNonNullArgument(*this, TheCall->getArg(1), TheCall->getExprLoc());
2709 }
2710 break;
2711 }
2712 case Builtin::BI__builtin_memset_inline: {
2713 clang::Expr *SizeOp = TheCall->getArg(2);
2714 // We warn about filling to `nullptr` pointers when `size` is greater than
2715 // 0. When `size` is value dependent we cannot evaluate its value so we bail
2716 // out.
2717 if (SizeOp->isValueDependent())
2718 break;
2719 if (!SizeOp->EvaluateKnownConstInt(Context).isZero())
2720 CheckNonNullArgument(*this, TheCall->getArg(0), TheCall->getExprLoc());
2721 break;
2722 }
2723 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \
2724 case Builtin::BI##ID: \
2725 return AtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID);
2726 #include "clang/Basic/Builtins.inc"
2727 case Builtin::BI__annotation:
2728 if (BuiltinMSVCAnnotation(*this, TheCall))
2729 return ExprError();
2730 break;
2731 case Builtin::BI__builtin_annotation:
2732 if (BuiltinAnnotation(*this, TheCall))
2733 return ExprError();
2734 break;
2735 case Builtin::BI__builtin_addressof:
2736 if (BuiltinAddressof(*this, TheCall))
2737 return ExprError();
2738 break;
2739 case Builtin::BI__builtin_function_start:
2740 if (BuiltinFunctionStart(*this, TheCall))
2741 return ExprError();
2742 break;
2743 case Builtin::BI__builtin_is_aligned:
2744 case Builtin::BI__builtin_align_up:
2745 case Builtin::BI__builtin_align_down:
2746 if (BuiltinAlignment(*this, TheCall, BuiltinID))
2747 return ExprError();
2748 break;
2749 case Builtin::BI__builtin_add_overflow:
2750 case Builtin::BI__builtin_sub_overflow:
2751 case Builtin::BI__builtin_mul_overflow:
2752 if (BuiltinOverflow(*this, TheCall, BuiltinID))
2753 return ExprError();
2754 break;
2755 case Builtin::BI__builtin_operator_new:
2756 case Builtin::BI__builtin_operator_delete: {
2757 bool IsDelete = BuiltinID == Builtin::BI__builtin_operator_delete;
2758 ExprResult Res =
2759 BuiltinOperatorNewDeleteOverloaded(TheCallResult, IsDelete);
2760 return Res;
2761 }
2762 case Builtin::BI__builtin_dump_struct:
2763 return BuiltinDumpStruct(*this, TheCall);
2764 case Builtin::BI__builtin_expect_with_probability: {
2765 // We first want to ensure we are called with 3 arguments
2766 if (checkArgCount(TheCall, 3))
2767 return ExprError();
2768 // then check probability is constant float in range [0.0, 1.0]
2769 const Expr *ProbArg = TheCall->getArg(2);
2770 SmallVector<PartialDiagnosticAt, 8> Notes;
2771 Expr::EvalResult Eval;
2772 Eval.Diag = &Notes;
2773 if ((!ProbArg->EvaluateAsConstantExpr(Eval, Context)) ||
2774 !Eval.Val.isFloat()) {
2775 Diag(ProbArg->getBeginLoc(), diag::err_probability_not_constant_float)
2776 << ProbArg->getSourceRange();
2777 for (const PartialDiagnosticAt &PDiag : Notes)
2778 Diag(PDiag.first, PDiag.second);
2779 return ExprError();
2780 }
2781 llvm::APFloat Probability = Eval.Val.getFloat();
2782 bool LoseInfo = false;
2783 Probability.convert(llvm::APFloat::IEEEdouble(),
2784 llvm::RoundingMode::Dynamic, &LoseInfo);
2785 if (!(Probability >= llvm::APFloat(0.0) &&
2786 Probability <= llvm::APFloat(1.0))) {
2787 Diag(ProbArg->getBeginLoc(), diag::err_probability_out_of_range)
2788 << ProbArg->getSourceRange();
2789 return ExprError();
2790 }
2791 break;
2792 }
2793 case Builtin::BI__builtin_preserve_access_index:
2794 if (BuiltinPreserveAI(*this, TheCall))
2795 return ExprError();
2796 break;
2797 case Builtin::BI__builtin_call_with_static_chain:
2798 if (BuiltinCallWithStaticChain(*this, TheCall))
2799 return ExprError();
2800 break;
2801 case Builtin::BI__exception_code:
2802 case Builtin::BI_exception_code:
2803 if (BuiltinSEHScopeCheck(*this, TheCall, Scope::SEHExceptScope,
2804 diag::err_seh___except_block))
2805 return ExprError();
2806 break;
2807 case Builtin::BI__exception_info:
2808 case Builtin::BI_exception_info:
2809 if (BuiltinSEHScopeCheck(*this, TheCall, Scope::SEHFilterScope,
2810 diag::err_seh___except_filter))
2811 return ExprError();
2812 break;
2813 case Builtin::BI__GetExceptionInfo:
2814 if (checkArgCount(TheCall, 1))
2815 return ExprError();
2816
2817 if (CheckCXXThrowOperand(
2818 TheCall->getBeginLoc(),
2819 Context.getExceptionObjectType(FDecl->getParamDecl(0)->getType()),
2820 TheCall))
2821 return ExprError();
2822
2823 TheCall->setType(Context.VoidPtrTy);
2824 break;
2825 case Builtin::BIaddressof:
2826 case Builtin::BI__addressof:
2827 case Builtin::BIforward:
2828 case Builtin::BIforward_like:
2829 case Builtin::BImove:
2830 case Builtin::BImove_if_noexcept:
2831 case Builtin::BIas_const: {
2832 // These are all expected to be of the form
2833 // T &/&&/* f(U &/&&)
2834 // where T and U only differ in qualification.
2835 if (checkArgCount(TheCall, 1))
2836 return ExprError();
2837 QualType Param = FDecl->getParamDecl(0)->getType();
2838 QualType Result = FDecl->getReturnType();
2839 bool ReturnsPointer = BuiltinID == Builtin::BIaddressof ||
2840 BuiltinID == Builtin::BI__addressof;
2841 if (!(Param->isReferenceType() &&
2842 (ReturnsPointer ? Result->isAnyPointerType()
2843 : Result->isReferenceType()) &&
2844 Context.hasSameUnqualifiedType(Param->getPointeeType(),
2845 Result->getPointeeType()))) {
2846 Diag(TheCall->getBeginLoc(), diag::err_builtin_move_forward_unsupported)
2847 << FDecl;
2848 return ExprError();
2849 }
2850 break;
2851 }
2852 case Builtin::BI__builtin_ptrauth_strip:
2853 return PointerAuthStrip(*this, TheCall);
2854 case Builtin::BI__builtin_ptrauth_blend_discriminator:
2855 return PointerAuthBlendDiscriminator(*this, TheCall);
2856 case Builtin::BI__builtin_ptrauth_sign_constant:
2857 return PointerAuthSignOrAuth(*this, TheCall, PAO_Sign,
2858 /*RequireConstant=*/true);
2859 case Builtin::BI__builtin_ptrauth_sign_unauthenticated:
2860 return PointerAuthSignOrAuth(*this, TheCall, PAO_Sign,
2861 /*RequireConstant=*/false);
2862 case Builtin::BI__builtin_ptrauth_auth:
2863 return PointerAuthSignOrAuth(*this, TheCall, PAO_Auth,
2864 /*RequireConstant=*/false);
2865 case Builtin::BI__builtin_ptrauth_sign_generic_data:
2866 return PointerAuthSignGenericData(*this, TheCall);
2867 case Builtin::BI__builtin_ptrauth_auth_and_resign:
2868 return PointerAuthAuthAndResign(*this, TheCall);
2869 case Builtin::BI__builtin_ptrauth_string_discriminator:
2870 return PointerAuthStringDiscriminator(*this, TheCall);
2871
2872 case Builtin::BI__builtin_get_vtable_pointer:
2873 return GetVTablePointer(*this, TheCall);
2874
2875 // OpenCL v2.0, s6.13.16 - Pipe functions
2876 case Builtin::BIread_pipe:
2877 case Builtin::BIwrite_pipe:
2878 // Since those two functions are declared with var args, we need a semantic
2879 // check for the argument.
2880 if (OpenCL().checkBuiltinRWPipe(TheCall))
2881 return ExprError();
2882 break;
2883 case Builtin::BIreserve_read_pipe:
2884 case Builtin::BIreserve_write_pipe:
2885 case Builtin::BIwork_group_reserve_read_pipe:
2886 case Builtin::BIwork_group_reserve_write_pipe:
2887 if (OpenCL().checkBuiltinReserveRWPipe(TheCall))
2888 return ExprError();
2889 break;
2890 case Builtin::BIsub_group_reserve_read_pipe:
2891 case Builtin::BIsub_group_reserve_write_pipe:
2892 if (OpenCL().checkSubgroupExt(TheCall) ||
2893 OpenCL().checkBuiltinReserveRWPipe(TheCall))
2894 return ExprError();
2895 break;
2896 case Builtin::BIcommit_read_pipe:
2897 case Builtin::BIcommit_write_pipe:
2898 case Builtin::BIwork_group_commit_read_pipe:
2899 case Builtin::BIwork_group_commit_write_pipe:
2900 if (OpenCL().checkBuiltinCommitRWPipe(TheCall))
2901 return ExprError();
2902 break;
2903 case Builtin::BIsub_group_commit_read_pipe:
2904 case Builtin::BIsub_group_commit_write_pipe:
2905 if (OpenCL().checkSubgroupExt(TheCall) ||
2906 OpenCL().checkBuiltinCommitRWPipe(TheCall))
2907 return ExprError();
2908 break;
2909 case Builtin::BIget_pipe_num_packets:
2910 case Builtin::BIget_pipe_max_packets:
2911 if (OpenCL().checkBuiltinPipePackets(TheCall))
2912 return ExprError();
2913 break;
2914 case Builtin::BIto_global:
2915 case Builtin::BIto_local:
2916 case Builtin::BIto_private:
2917 if (OpenCL().checkBuiltinToAddr(BuiltinID, TheCall))
2918 return ExprError();
2919 break;
2920 // OpenCL v2.0, s6.13.17 - Enqueue kernel functions.
2921 case Builtin::BIenqueue_kernel:
2922 if (OpenCL().checkBuiltinEnqueueKernel(TheCall))
2923 return ExprError();
2924 break;
2925 case Builtin::BIget_kernel_work_group_size:
2926 case Builtin::BIget_kernel_preferred_work_group_size_multiple:
2927 if (OpenCL().checkBuiltinKernelWorkGroupSize(TheCall))
2928 return ExprError();
2929 break;
2930 case Builtin::BIget_kernel_max_sub_group_size_for_ndrange:
2931 case Builtin::BIget_kernel_sub_group_count_for_ndrange:
2932 if (OpenCL().checkBuiltinNDRangeAndBlock(TheCall))
2933 return ExprError();
2934 break;
2935 case Builtin::BI__builtin_os_log_format:
2936 Cleanup.setExprNeedsCleanups(true);
2937 [[fallthrough]];
2938 case Builtin::BI__builtin_os_log_format_buffer_size:
2939 if (BuiltinOSLogFormat(TheCall))
2940 return ExprError();
2941 break;
2942 case Builtin::BI__builtin_frame_address:
2943 case Builtin::BI__builtin_return_address: {
2944 if (BuiltinConstantArgRange(TheCall, 0, 0, 0xFFFF))
2945 return ExprError();
2946
2947 // -Wframe-address warning if non-zero passed to builtin
2948 // return/frame address.
2949 Expr::EvalResult Result;
2950 if (!TheCall->getArg(0)->isValueDependent() &&
2951 TheCall->getArg(0)->EvaluateAsInt(Result, getASTContext()) &&
2952 Result.Val.getInt() != 0)
2953 Diag(TheCall->getBeginLoc(), diag::warn_frame_address)
2954 << ((BuiltinID == Builtin::BI__builtin_return_address)
2955 ? "__builtin_return_address"
2956 : "__builtin_frame_address")
2957 << TheCall->getSourceRange();
2958 break;
2959 }
2960
2961 case Builtin::BI__builtin_nondeterministic_value: {
2962 if (BuiltinNonDeterministicValue(TheCall))
2963 return ExprError();
2964 break;
2965 }
2966
2967 // __builtin_elementwise_abs restricts the element type to signed integers or
2968 // floating point types only.
2969 case Builtin::BI__builtin_elementwise_abs:
2970 if (PrepareBuiltinElementwiseMathOneArgCall(
2971 TheCall, EltwiseBuiltinArgTyRestriction::SignedIntOrFloatTy))
2972 return ExprError();
2973 break;
2974
2975 // These builtins restrict the element type to floating point
2976 // types only.
2977 case Builtin::BI__builtin_elementwise_acos:
2978 case Builtin::BI__builtin_elementwise_asin:
2979 case Builtin::BI__builtin_elementwise_atan:
2980 case Builtin::BI__builtin_elementwise_ceil:
2981 case Builtin::BI__builtin_elementwise_cos:
2982 case Builtin::BI__builtin_elementwise_cosh:
2983 case Builtin::BI__builtin_elementwise_exp:
2984 case Builtin::BI__builtin_elementwise_exp2:
2985 case Builtin::BI__builtin_elementwise_exp10:
2986 case Builtin::BI__builtin_elementwise_floor:
2987 case Builtin::BI__builtin_elementwise_log:
2988 case Builtin::BI__builtin_elementwise_log2:
2989 case Builtin::BI__builtin_elementwise_log10:
2990 case Builtin::BI__builtin_elementwise_roundeven:
2991 case Builtin::BI__builtin_elementwise_round:
2992 case Builtin::BI__builtin_elementwise_rint:
2993 case Builtin::BI__builtin_elementwise_nearbyint:
2994 case Builtin::BI__builtin_elementwise_sin:
2995 case Builtin::BI__builtin_elementwise_sinh:
2996 case Builtin::BI__builtin_elementwise_sqrt:
2997 case Builtin::BI__builtin_elementwise_tan:
2998 case Builtin::BI__builtin_elementwise_tanh:
2999 case Builtin::BI__builtin_elementwise_trunc:
3000 case Builtin::BI__builtin_elementwise_canonicalize:
3001 if (PrepareBuiltinElementwiseMathOneArgCall(
3002 TheCall, EltwiseBuiltinArgTyRestriction::FloatTy))
3003 return ExprError();
3004 break;
3005 case Builtin::BI__builtin_elementwise_fma:
3006 if (BuiltinElementwiseTernaryMath(TheCall))
3007 return ExprError();
3008 break;
3009
3010 // These builtins restrict the element type to floating point
3011 // types only, and take in two arguments.
3012 case Builtin::BI__builtin_elementwise_minnum:
3013 case Builtin::BI__builtin_elementwise_maxnum:
3014 case Builtin::BI__builtin_elementwise_minimum:
3015 case Builtin::BI__builtin_elementwise_maximum:
3016 case Builtin::BI__builtin_elementwise_atan2:
3017 case Builtin::BI__builtin_elementwise_fmod:
3018 case Builtin::BI__builtin_elementwise_pow:
3019 if (BuiltinElementwiseMath(TheCall,
3020 EltwiseBuiltinArgTyRestriction::FloatTy))
3021 return ExprError();
3022 break;
3023 // These builtins restrict the element type to integer
3024 // types only.
3025 case Builtin::BI__builtin_elementwise_add_sat:
3026 case Builtin::BI__builtin_elementwise_sub_sat:
3027 if (BuiltinElementwiseMath(TheCall,
3028 EltwiseBuiltinArgTyRestriction::IntegerTy))
3029 return ExprError();
3030 break;
3031 case Builtin::BI__builtin_elementwise_min:
3032 case Builtin::BI__builtin_elementwise_max:
3033 if (BuiltinElementwiseMath(TheCall))
3034 return ExprError();
3035 break;
3036 case Builtin::BI__builtin_elementwise_popcount:
3037 case Builtin::BI__builtin_elementwise_bitreverse:
3038 if (PrepareBuiltinElementwiseMathOneArgCall(
3039 TheCall, EltwiseBuiltinArgTyRestriction::IntegerTy))
3040 return ExprError();
3041 break;
3042 case Builtin::BI__builtin_elementwise_copysign: {
3043 if (checkArgCount(TheCall, 2))
3044 return ExprError();
3045
3046 ExprResult Magnitude = UsualUnaryConversions(TheCall->getArg(0));
3047 ExprResult Sign = UsualUnaryConversions(TheCall->getArg(1));
3048 if (Magnitude.isInvalid() || Sign.isInvalid())
3049 return ExprError();
3050
3051 QualType MagnitudeTy = Magnitude.get()->getType();
3052 QualType SignTy = Sign.get()->getType();
3053 if (checkMathBuiltinElementType(
3054 *this, TheCall->getArg(0)->getBeginLoc(), MagnitudeTy,
3055 EltwiseBuiltinArgTyRestriction::FloatTy, 1) ||
3056 checkMathBuiltinElementType(
3057 *this, TheCall->getArg(1)->getBeginLoc(), SignTy,
3058 EltwiseBuiltinArgTyRestriction::FloatTy, 2)) {
3059 return ExprError();
3060 }
3061
3062 if (MagnitudeTy.getCanonicalType() != SignTy.getCanonicalType()) {
3063 return Diag(Sign.get()->getBeginLoc(),
3064 diag::err_typecheck_call_different_arg_types)
3065 << MagnitudeTy << SignTy;
3066 }
3067
3068 TheCall->setArg(0, Magnitude.get());
3069 TheCall->setArg(1, Sign.get());
3070 TheCall->setType(Magnitude.get()->getType());
3071 break;
3072 }
3073 case Builtin::BI__builtin_reduce_max:
3074 case Builtin::BI__builtin_reduce_min: {
3075 if (PrepareBuiltinReduceMathOneArgCall(TheCall))
3076 return ExprError();
3077
3078 const Expr *Arg = TheCall->getArg(0);
3079 const auto *TyA = Arg->getType()->getAs<VectorType>();
3080
3081 QualType ElTy;
3082 if (TyA)
3083 ElTy = TyA->getElementType();
3084 else if (Arg->getType()->isSizelessVectorType())
3085 ElTy = Arg->getType()->getSizelessVectorEltType(Context);
3086
3087 if (ElTy.isNull()) {
3088 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
3089 << 1 << /* vector ty */ 2 << /* no int */ 0 << /* no fp */ 0
3090 << Arg->getType();
3091 return ExprError();
3092 }
3093
3094 TheCall->setType(ElTy);
3095 break;
3096 }
3097 case Builtin::BI__builtin_reduce_maximum:
3098 case Builtin::BI__builtin_reduce_minimum: {
3099 if (PrepareBuiltinReduceMathOneArgCall(TheCall))
3100 return ExprError();
3101
3102 const Expr *Arg = TheCall->getArg(0);
3103 const auto *TyA = Arg->getType()->getAs<VectorType>();
3104
3105 QualType ElTy;
3106 if (TyA)
3107 ElTy = TyA->getElementType();
3108 else if (Arg->getType()->isSizelessVectorType())
3109 ElTy = Arg->getType()->getSizelessVectorEltType(Context);
3110
3111 if (ElTy.isNull() || !ElTy->isFloatingType()) {
3112 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
3113 << 1 << /* vector of */ 4 << /* no int */ 0 << /* fp */ 1
3114 << Arg->getType();
3115 return ExprError();
3116 }
3117
3118 TheCall->setType(ElTy);
3119 break;
3120 }
3121
3122 // These builtins support vectors of integers only.
3123 // TODO: ADD/MUL should support floating-point types.
3124 case Builtin::BI__builtin_reduce_add:
3125 case Builtin::BI__builtin_reduce_mul:
3126 case Builtin::BI__builtin_reduce_xor:
3127 case Builtin::BI__builtin_reduce_or:
3128 case Builtin::BI__builtin_reduce_and: {
3129 if (PrepareBuiltinReduceMathOneArgCall(TheCall))
3130 return ExprError();
3131
3132 const Expr *Arg = TheCall->getArg(0);
3133 const auto *TyA = Arg->getType()->getAs<VectorType>();
3134
3135 QualType ElTy;
3136 if (TyA)
3137 ElTy = TyA->getElementType();
3138 else if (Arg->getType()->isSizelessVectorType())
3139 ElTy = Arg->getType()->getSizelessVectorEltType(Context);
3140
3141 if (ElTy.isNull() || !ElTy->isIntegerType()) {
3142 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
3143 << 1 << /* vector of */ 4 << /* int */ 1 << /* no fp */ 0
3144 << Arg->getType();
3145 return ExprError();
3146 }
3147
3148 TheCall->setType(ElTy);
3149 break;
3150 }
3151
3152 case Builtin::BI__builtin_matrix_transpose:
3153 return BuiltinMatrixTranspose(TheCall, TheCallResult);
3154
3155 case Builtin::BI__builtin_matrix_column_major_load:
3156 return BuiltinMatrixColumnMajorLoad(TheCall, TheCallResult);
3157
3158 case Builtin::BI__builtin_matrix_column_major_store:
3159 return BuiltinMatrixColumnMajorStore(TheCall, TheCallResult);
3160
3161 case Builtin::BI__builtin_verbose_trap:
3162 if (!checkBuiltinVerboseTrap(TheCall, *this))
3163 return ExprError();
3164 break;
3165
3166 case Builtin::BI__builtin_get_device_side_mangled_name: {
3167 auto Check = [](CallExpr *TheCall) {
3168 if (TheCall->getNumArgs() != 1)
3169 return false;
3170 auto *DRE = dyn_cast<DeclRefExpr>(TheCall->getArg(0)->IgnoreImpCasts());
3171 if (!DRE)
3172 return false;
3173 auto *D = DRE->getDecl();
3174 if (!isa<FunctionDecl>(D) && !isa<VarDecl>(D))
3175 return false;
3176 return D->hasAttr<CUDAGlobalAttr>() || D->hasAttr<CUDADeviceAttr>() ||
3177 D->hasAttr<CUDAConstantAttr>() || D->hasAttr<HIPManagedAttr>();
3178 };
3179 if (!Check(TheCall)) {
3180 Diag(TheCall->getBeginLoc(),
3181 diag::err_hip_invalid_args_builtin_mangled_name);
3182 return ExprError();
3183 }
3184 break;
3185 }
3186 case Builtin::BI__builtin_popcountg:
3187 if (BuiltinPopcountg(*this, TheCall))
3188 return ExprError();
3189 break;
3190 case Builtin::BI__builtin_clzg:
3191 case Builtin::BI__builtin_ctzg:
3192 if (BuiltinCountZeroBitsGeneric(*this, TheCall))
3193 return ExprError();
3194 break;
3195
3196 case Builtin::BI__builtin_allow_runtime_check: {
3197 Expr *Arg = TheCall->getArg(0);
3198 // Check if the argument is a string literal.
3199 if (!isa<StringLiteral>(Arg->IgnoreParenImpCasts())) {
3200 Diag(TheCall->getBeginLoc(), diag::err_expr_not_string_literal)
3201 << Arg->getSourceRange();
3202 return ExprError();
3203 }
3204 break;
3205 }
3206 case Builtin::BI__builtin_counted_by_ref:
3207 if (BuiltinCountedByRef(TheCall))
3208 return ExprError();
3209 break;
3210 }
3211
3212 if (getLangOpts().HLSL && HLSL().CheckBuiltinFunctionCall(BuiltinID, TheCall))
3213 return ExprError();
3214
3215 // Since the target specific builtins for each arch overlap, only check those
3216 // of the arch we are compiling for.
3217 if (Context.BuiltinInfo.isTSBuiltin(BuiltinID)) {
3218 if (Context.BuiltinInfo.isAuxBuiltinID(BuiltinID)) {
3219 assert(Context.getAuxTargetInfo() &&
3220 "Aux Target Builtin, but not an aux target?");
3221
3222 if (CheckTSBuiltinFunctionCall(
3223 *Context.getAuxTargetInfo(),
3224 Context.BuiltinInfo.getAuxBuiltinID(BuiltinID), TheCall))
3225 return ExprError();
3226 } else {
3227 if (CheckTSBuiltinFunctionCall(Context.getTargetInfo(), BuiltinID,
3228 TheCall))
3229 return ExprError();
3230 }
3231 }
3232
3233 return TheCallResult;
3234 }
3235
ValueIsRunOfOnes(CallExpr * TheCall,unsigned ArgNum)3236 bool Sema::ValueIsRunOfOnes(CallExpr *TheCall, unsigned ArgNum) {
3237 llvm::APSInt Result;
3238 // We can't check the value of a dependent argument.
3239 Expr *Arg = TheCall->getArg(ArgNum);
3240 if (Arg->isTypeDependent() || Arg->isValueDependent())
3241 return false;
3242
3243 // Check constant-ness first.
3244 if (BuiltinConstantArg(TheCall, ArgNum, Result))
3245 return true;
3246
3247 // Check contiguous run of 1s, 0xFF0000FF is also a run of 1s.
3248 if (Result.isShiftedMask() || (~Result).isShiftedMask())
3249 return false;
3250
3251 return Diag(TheCall->getBeginLoc(),
3252 diag::err_argument_not_contiguous_bit_field)
3253 << ArgNum << Arg->getSourceRange();
3254 }
3255
getFormatStringInfo(const Decl * D,unsigned FormatIdx,unsigned FirstArg,FormatStringInfo * FSI)3256 bool Sema::getFormatStringInfo(const Decl *D, unsigned FormatIdx,
3257 unsigned FirstArg, FormatStringInfo *FSI) {
3258 bool IsCXXMember = false;
3259 if (const auto *MD = dyn_cast<CXXMethodDecl>(D))
3260 IsCXXMember = MD->isInstance();
3261 bool IsVariadic = false;
3262 if (const FunctionType *FnTy = D->getFunctionType())
3263 IsVariadic = cast<FunctionProtoType>(FnTy)->isVariadic();
3264 else if (const auto *BD = dyn_cast<BlockDecl>(D))
3265 IsVariadic = BD->isVariadic();
3266 else if (const auto *OMD = dyn_cast<ObjCMethodDecl>(D))
3267 IsVariadic = OMD->isVariadic();
3268
3269 return getFormatStringInfo(FormatIdx, FirstArg, IsCXXMember, IsVariadic, FSI);
3270 }
3271
getFormatStringInfo(unsigned FormatIdx,unsigned FirstArg,bool IsCXXMember,bool IsVariadic,FormatStringInfo * FSI)3272 bool Sema::getFormatStringInfo(unsigned FormatIdx, unsigned FirstArg,
3273 bool IsCXXMember, bool IsVariadic,
3274 FormatStringInfo *FSI) {
3275 if (FirstArg == 0)
3276 FSI->ArgPassingKind = FAPK_VAList;
3277 else if (IsVariadic)
3278 FSI->ArgPassingKind = FAPK_Variadic;
3279 else
3280 FSI->ArgPassingKind = FAPK_Fixed;
3281 FSI->FormatIdx = FormatIdx - 1;
3282 FSI->FirstDataArg = FSI->ArgPassingKind == FAPK_VAList ? 0 : FirstArg - 1;
3283
3284 // The way the format attribute works in GCC, the implicit this argument
3285 // of member functions is counted. However, it doesn't appear in our own
3286 // lists, so decrement format_idx in that case.
3287 if (IsCXXMember) {
3288 if(FSI->FormatIdx == 0)
3289 return false;
3290 --FSI->FormatIdx;
3291 if (FSI->FirstDataArg != 0)
3292 --FSI->FirstDataArg;
3293 }
3294 return true;
3295 }
3296
3297 /// Checks if a the given expression evaluates to null.
3298 ///
3299 /// Returns true if the value evaluates to null.
CheckNonNullExpr(Sema & S,const Expr * Expr)3300 static bool CheckNonNullExpr(Sema &S, const Expr *Expr) {
3301 // Treat (smart) pointers constructed from nullptr as null, whether we can
3302 // const-evaluate them or not.
3303 // This must happen first: the smart pointer expr might have _Nonnull type!
3304 if (isa<CXXNullPtrLiteralExpr>(
3305 IgnoreExprNodes(Expr, IgnoreImplicitAsWrittenSingleStep,
3306 IgnoreElidableImplicitConstructorSingleStep)))
3307 return true;
3308
3309 // If the expression has non-null type, it doesn't evaluate to null.
3310 if (auto nullability = Expr->IgnoreImplicit()->getType()->getNullability()) {
3311 if (*nullability == NullabilityKind::NonNull)
3312 return false;
3313 }
3314
3315 // As a special case, transparent unions initialized with zero are
3316 // considered null for the purposes of the nonnull attribute.
3317 if (const RecordType *UT = Expr->getType()->getAsUnionType();
3318 UT && UT->getDecl()->hasAttr<TransparentUnionAttr>()) {
3319 if (const auto *CLE = dyn_cast<CompoundLiteralExpr>(Expr))
3320 if (const auto *ILE = dyn_cast<InitListExpr>(CLE->getInitializer()))
3321 Expr = ILE->getInit(0);
3322 }
3323
3324 bool Result;
3325 return (!Expr->isValueDependent() &&
3326 Expr->EvaluateAsBooleanCondition(Result, S.Context) &&
3327 !Result);
3328 }
3329
CheckNonNullArgument(Sema & S,const Expr * ArgExpr,SourceLocation CallSiteLoc)3330 static void CheckNonNullArgument(Sema &S,
3331 const Expr *ArgExpr,
3332 SourceLocation CallSiteLoc) {
3333 if (CheckNonNullExpr(S, ArgExpr))
3334 S.DiagRuntimeBehavior(CallSiteLoc, ArgExpr,
3335 S.PDiag(diag::warn_null_arg)
3336 << ArgExpr->getSourceRange());
3337 }
3338
3339 /// Determine whether the given type has a non-null nullability annotation.
isNonNullType(QualType type)3340 static bool isNonNullType(QualType type) {
3341 if (auto nullability = type->getNullability())
3342 return *nullability == NullabilityKind::NonNull;
3343
3344 return false;
3345 }
3346
CheckNonNullArguments(Sema & S,const NamedDecl * FDecl,const FunctionProtoType * Proto,ArrayRef<const Expr * > Args,SourceLocation CallSiteLoc)3347 static void CheckNonNullArguments(Sema &S,
3348 const NamedDecl *FDecl,
3349 const FunctionProtoType *Proto,
3350 ArrayRef<const Expr *> Args,
3351 SourceLocation CallSiteLoc) {
3352 assert((FDecl || Proto) && "Need a function declaration or prototype");
3353
3354 // Already checked by constant evaluator.
3355 if (S.isConstantEvaluatedContext())
3356 return;
3357 // Check the attributes attached to the method/function itself.
3358 llvm::SmallBitVector NonNullArgs;
3359 if (FDecl) {
3360 // Handle the nonnull attribute on the function/method declaration itself.
3361 for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) {
3362 if (!NonNull->args_size()) {
3363 // Easy case: all pointer arguments are nonnull.
3364 for (const auto *Arg : Args)
3365 if (S.isValidPointerAttrType(Arg->getType()))
3366 CheckNonNullArgument(S, Arg, CallSiteLoc);
3367 return;
3368 }
3369
3370 for (const ParamIdx &Idx : NonNull->args()) {
3371 unsigned IdxAST = Idx.getASTIndex();
3372 if (IdxAST >= Args.size())
3373 continue;
3374 if (NonNullArgs.empty())
3375 NonNullArgs.resize(Args.size());
3376 NonNullArgs.set(IdxAST);
3377 }
3378 }
3379 }
3380
3381 if (FDecl && (isa<FunctionDecl>(FDecl) || isa<ObjCMethodDecl>(FDecl))) {
3382 // Handle the nonnull attribute on the parameters of the
3383 // function/method.
3384 ArrayRef<ParmVarDecl*> parms;
3385 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl))
3386 parms = FD->parameters();
3387 else
3388 parms = cast<ObjCMethodDecl>(FDecl)->parameters();
3389
3390 unsigned ParamIndex = 0;
3391 for (ArrayRef<ParmVarDecl*>::iterator I = parms.begin(), E = parms.end();
3392 I != E; ++I, ++ParamIndex) {
3393 const ParmVarDecl *PVD = *I;
3394 if (PVD->hasAttr<NonNullAttr>() || isNonNullType(PVD->getType())) {
3395 if (NonNullArgs.empty())
3396 NonNullArgs.resize(Args.size());
3397
3398 NonNullArgs.set(ParamIndex);
3399 }
3400 }
3401 } else {
3402 // If we have a non-function, non-method declaration but no
3403 // function prototype, try to dig out the function prototype.
3404 if (!Proto) {
3405 if (const ValueDecl *VD = dyn_cast<ValueDecl>(FDecl)) {
3406 QualType type = VD->getType().getNonReferenceType();
3407 if (auto pointerType = type->getAs<PointerType>())
3408 type = pointerType->getPointeeType();
3409 else if (auto blockType = type->getAs<BlockPointerType>())
3410 type = blockType->getPointeeType();
3411 // FIXME: data member pointers?
3412
3413 // Dig out the function prototype, if there is one.
3414 Proto = type->getAs<FunctionProtoType>();
3415 }
3416 }
3417
3418 // Fill in non-null argument information from the nullability
3419 // information on the parameter types (if we have them).
3420 if (Proto) {
3421 unsigned Index = 0;
3422 for (auto paramType : Proto->getParamTypes()) {
3423 if (isNonNullType(paramType)) {
3424 if (NonNullArgs.empty())
3425 NonNullArgs.resize(Args.size());
3426
3427 NonNullArgs.set(Index);
3428 }
3429
3430 ++Index;
3431 }
3432 }
3433 }
3434
3435 // Check for non-null arguments.
3436 for (unsigned ArgIndex = 0, ArgIndexEnd = NonNullArgs.size();
3437 ArgIndex != ArgIndexEnd; ++ArgIndex) {
3438 if (NonNullArgs[ArgIndex])
3439 CheckNonNullArgument(S, Args[ArgIndex], Args[ArgIndex]->getExprLoc());
3440 }
3441 }
3442
CheckArgAlignment(SourceLocation Loc,NamedDecl * FDecl,StringRef ParamName,QualType ArgTy,QualType ParamTy)3443 void Sema::CheckArgAlignment(SourceLocation Loc, NamedDecl *FDecl,
3444 StringRef ParamName, QualType ArgTy,
3445 QualType ParamTy) {
3446
3447 // If a function accepts a pointer or reference type
3448 if (!ParamTy->isPointerType() && !ParamTy->isReferenceType())
3449 return;
3450
3451 // If the parameter is a pointer type, get the pointee type for the
3452 // argument too. If the parameter is a reference type, don't try to get
3453 // the pointee type for the argument.
3454 if (ParamTy->isPointerType())
3455 ArgTy = ArgTy->getPointeeType();
3456
3457 // Remove reference or pointer
3458 ParamTy = ParamTy->getPointeeType();
3459
3460 // Find expected alignment, and the actual alignment of the passed object.
3461 // getTypeAlignInChars requires complete types
3462 if (ArgTy.isNull() || ParamTy->isDependentType() ||
3463 ParamTy->isIncompleteType() || ArgTy->isIncompleteType() ||
3464 ParamTy->isUndeducedType() || ArgTy->isUndeducedType())
3465 return;
3466
3467 CharUnits ParamAlign = Context.getTypeAlignInChars(ParamTy);
3468 CharUnits ArgAlign = Context.getTypeAlignInChars(ArgTy);
3469
3470 // If the argument is less aligned than the parameter, there is a
3471 // potential alignment issue.
3472 if (ArgAlign < ParamAlign)
3473 Diag(Loc, diag::warn_param_mismatched_alignment)
3474 << (int)ArgAlign.getQuantity() << (int)ParamAlign.getQuantity()
3475 << ParamName << (FDecl != nullptr) << FDecl;
3476 }
3477
checkLifetimeCaptureBy(FunctionDecl * FD,bool IsMemberFunction,const Expr * ThisArg,ArrayRef<const Expr * > Args)3478 void Sema::checkLifetimeCaptureBy(FunctionDecl *FD, bool IsMemberFunction,
3479 const Expr *ThisArg,
3480 ArrayRef<const Expr *> Args) {
3481 if (!FD || Args.empty())
3482 return;
3483 auto GetArgAt = [&](int Idx) -> const Expr * {
3484 if (Idx == LifetimeCaptureByAttr::Global ||
3485 Idx == LifetimeCaptureByAttr::Unknown)
3486 return nullptr;
3487 if (IsMemberFunction && Idx == 0)
3488 return ThisArg;
3489 return Args[Idx - IsMemberFunction];
3490 };
3491 auto HandleCaptureByAttr = [&](const LifetimeCaptureByAttr *Attr,
3492 unsigned ArgIdx) {
3493 if (!Attr)
3494 return;
3495
3496 Expr *Captured = const_cast<Expr *>(GetArgAt(ArgIdx));
3497 for (int CapturingParamIdx : Attr->params()) {
3498 // lifetime_capture_by(this) case is handled in the lifetimebound expr
3499 // initialization codepath.
3500 if (CapturingParamIdx == LifetimeCaptureByAttr::This &&
3501 isa<CXXConstructorDecl>(FD))
3502 continue;
3503 Expr *Capturing = const_cast<Expr *>(GetArgAt(CapturingParamIdx));
3504 CapturingEntity CE{Capturing};
3505 // Ensure that 'Captured' outlives the 'Capturing' entity.
3506 checkCaptureByLifetime(*this, CE, Captured);
3507 }
3508 };
3509 for (unsigned I = 0; I < FD->getNumParams(); ++I)
3510 HandleCaptureByAttr(FD->getParamDecl(I)->getAttr<LifetimeCaptureByAttr>(),
3511 I + IsMemberFunction);
3512 // Check when the implicit object param is captured.
3513 if (IsMemberFunction) {
3514 TypeSourceInfo *TSI = FD->getTypeSourceInfo();
3515 if (!TSI)
3516 return;
3517 AttributedTypeLoc ATL;
3518 for (TypeLoc TL = TSI->getTypeLoc();
3519 (ATL = TL.getAsAdjusted<AttributedTypeLoc>());
3520 TL = ATL.getModifiedLoc())
3521 HandleCaptureByAttr(ATL.getAttrAs<LifetimeCaptureByAttr>(), 0);
3522 }
3523 }
3524
checkCall(NamedDecl * FDecl,const FunctionProtoType * Proto,const Expr * ThisArg,ArrayRef<const Expr * > Args,bool IsMemberFunction,SourceLocation Loc,SourceRange Range,VariadicCallType CallType)3525 void Sema::checkCall(NamedDecl *FDecl, const FunctionProtoType *Proto,
3526 const Expr *ThisArg, ArrayRef<const Expr *> Args,
3527 bool IsMemberFunction, SourceLocation Loc,
3528 SourceRange Range, VariadicCallType CallType) {
3529 // FIXME: We should check as much as we can in the template definition.
3530 if (CurContext->isDependentContext())
3531 return;
3532
3533 // Printf and scanf checking.
3534 llvm::SmallBitVector CheckedVarArgs;
3535 if (FDecl) {
3536 for (const auto *I : FDecl->specific_attrs<FormatMatchesAttr>()) {
3537 // Only create vector if there are format attributes.
3538 CheckedVarArgs.resize(Args.size());
3539 CheckFormatString(I, Args, IsMemberFunction, CallType, Loc, Range,
3540 CheckedVarArgs);
3541 }
3542
3543 for (const auto *I : FDecl->specific_attrs<FormatAttr>()) {
3544 CheckedVarArgs.resize(Args.size());
3545 CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range,
3546 CheckedVarArgs);
3547 }
3548 }
3549
3550 // Refuse POD arguments that weren't caught by the format string
3551 // checks above.
3552 auto *FD = dyn_cast_or_null<FunctionDecl>(FDecl);
3553 if (CallType != VariadicCallType::DoesNotApply &&
3554 (!FD || FD->getBuiltinID() != Builtin::BI__noop)) {
3555 unsigned NumParams = Proto ? Proto->getNumParams()
3556 : isa_and_nonnull<FunctionDecl>(FDecl)
3557 ? cast<FunctionDecl>(FDecl)->getNumParams()
3558 : isa_and_nonnull<ObjCMethodDecl>(FDecl)
3559 ? cast<ObjCMethodDecl>(FDecl)->param_size()
3560 : 0;
3561
3562 for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) {
3563 // Args[ArgIdx] can be null in malformed code.
3564 if (const Expr *Arg = Args[ArgIdx]) {
3565 if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx])
3566 checkVariadicArgument(Arg, CallType);
3567 }
3568 }
3569 }
3570 if (FD)
3571 checkLifetimeCaptureBy(FD, IsMemberFunction, ThisArg, Args);
3572 if (FDecl || Proto) {
3573 CheckNonNullArguments(*this, FDecl, Proto, Args, Loc);
3574
3575 // Type safety checking.
3576 if (FDecl) {
3577 for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())
3578 CheckArgumentWithTypeTag(I, Args, Loc);
3579 }
3580 }
3581
3582 // Check that passed arguments match the alignment of original arguments.
3583 // Try to get the missing prototype from the declaration.
3584 if (!Proto && FDecl) {
3585 const auto *FT = FDecl->getFunctionType();
3586 if (isa_and_nonnull<FunctionProtoType>(FT))
3587 Proto = cast<FunctionProtoType>(FDecl->getFunctionType());
3588 }
3589 if (Proto) {
3590 // For variadic functions, we may have more args than parameters.
3591 // For some K&R functions, we may have less args than parameters.
3592 const auto N = std::min<unsigned>(Proto->getNumParams(), Args.size());
3593 bool IsScalableRet = Proto->getReturnType()->isSizelessVectorType();
3594 bool IsScalableArg = false;
3595 for (unsigned ArgIdx = 0; ArgIdx < N; ++ArgIdx) {
3596 // Args[ArgIdx] can be null in malformed code.
3597 if (const Expr *Arg = Args[ArgIdx]) {
3598 if (Arg->containsErrors())
3599 continue;
3600
3601 if (Context.getTargetInfo().getTriple().isOSAIX() && FDecl && Arg &&
3602 FDecl->hasLinkage() &&
3603 FDecl->getFormalLinkage() != Linkage::Internal &&
3604 CallType == VariadicCallType::DoesNotApply)
3605 PPC().checkAIXMemberAlignment((Arg->getExprLoc()), Arg);
3606
3607 QualType ParamTy = Proto->getParamType(ArgIdx);
3608 if (ParamTy->isSizelessVectorType())
3609 IsScalableArg = true;
3610 QualType ArgTy = Arg->getType();
3611 CheckArgAlignment(Arg->getExprLoc(), FDecl, std::to_string(ArgIdx + 1),
3612 ArgTy, ParamTy);
3613 }
3614 }
3615
3616 // If the callee has an AArch64 SME attribute to indicate that it is an
3617 // __arm_streaming function, then the caller requires SME to be available.
3618 FunctionProtoType::ExtProtoInfo ExtInfo = Proto->getExtProtoInfo();
3619 if (ExtInfo.AArch64SMEAttributes & FunctionType::SME_PStateSMEnabledMask) {
3620 if (auto *CallerFD = dyn_cast<FunctionDecl>(CurContext)) {
3621 llvm::StringMap<bool> CallerFeatureMap;
3622 Context.getFunctionFeatureMap(CallerFeatureMap, CallerFD);
3623 if (!CallerFeatureMap.contains("sme"))
3624 Diag(Loc, diag::err_sme_call_in_non_sme_target);
3625 } else if (!Context.getTargetInfo().hasFeature("sme")) {
3626 Diag(Loc, diag::err_sme_call_in_non_sme_target);
3627 }
3628 }
3629
3630 // If the call requires a streaming-mode change and has scalable vector
3631 // arguments or return values, then warn the user that the streaming and
3632 // non-streaming vector lengths may be different.
3633 const auto *CallerFD = dyn_cast<FunctionDecl>(CurContext);
3634 if (CallerFD && (!FD || !FD->getBuiltinID()) &&
3635 (IsScalableArg || IsScalableRet)) {
3636 bool IsCalleeStreaming =
3637 ExtInfo.AArch64SMEAttributes & FunctionType::SME_PStateSMEnabledMask;
3638 bool IsCalleeStreamingCompatible =
3639 ExtInfo.AArch64SMEAttributes &
3640 FunctionType::SME_PStateSMCompatibleMask;
3641 SemaARM::ArmStreamingType CallerFnType = getArmStreamingFnType(CallerFD);
3642 if (!IsCalleeStreamingCompatible &&
3643 (CallerFnType == SemaARM::ArmStreamingCompatible ||
3644 ((CallerFnType == SemaARM::ArmStreaming) ^ IsCalleeStreaming))) {
3645 if (IsScalableArg)
3646 Diag(Loc, diag::warn_sme_streaming_pass_return_vl_to_non_streaming)
3647 << /*IsArg=*/true;
3648 if (IsScalableRet)
3649 Diag(Loc, diag::warn_sme_streaming_pass_return_vl_to_non_streaming)
3650 << /*IsArg=*/false;
3651 }
3652 }
3653
3654 FunctionType::ArmStateValue CalleeArmZAState =
3655 FunctionType::getArmZAState(ExtInfo.AArch64SMEAttributes);
3656 FunctionType::ArmStateValue CalleeArmZT0State =
3657 FunctionType::getArmZT0State(ExtInfo.AArch64SMEAttributes);
3658 if (CalleeArmZAState != FunctionType::ARM_None ||
3659 CalleeArmZT0State != FunctionType::ARM_None) {
3660 bool CallerHasZAState = false;
3661 bool CallerHasZT0State = false;
3662 if (CallerFD) {
3663 auto *Attr = CallerFD->getAttr<ArmNewAttr>();
3664 if (Attr && Attr->isNewZA())
3665 CallerHasZAState = true;
3666 if (Attr && Attr->isNewZT0())
3667 CallerHasZT0State = true;
3668 if (const auto *FPT = CallerFD->getType()->getAs<FunctionProtoType>()) {
3669 CallerHasZAState |=
3670 FunctionType::getArmZAState(
3671 FPT->getExtProtoInfo().AArch64SMEAttributes) !=
3672 FunctionType::ARM_None;
3673 CallerHasZT0State |=
3674 FunctionType::getArmZT0State(
3675 FPT->getExtProtoInfo().AArch64SMEAttributes) !=
3676 FunctionType::ARM_None;
3677 }
3678 }
3679
3680 if (CalleeArmZAState != FunctionType::ARM_None && !CallerHasZAState)
3681 Diag(Loc, diag::err_sme_za_call_no_za_state);
3682
3683 if (CalleeArmZT0State != FunctionType::ARM_None && !CallerHasZT0State)
3684 Diag(Loc, diag::err_sme_zt0_call_no_zt0_state);
3685
3686 if (CallerHasZAState && CalleeArmZAState == FunctionType::ARM_None &&
3687 CalleeArmZT0State != FunctionType::ARM_None) {
3688 Diag(Loc, diag::err_sme_unimplemented_za_save_restore);
3689 Diag(Loc, diag::note_sme_use_preserves_za);
3690 }
3691 }
3692 }
3693
3694 if (FDecl && FDecl->hasAttr<AllocAlignAttr>()) {
3695 auto *AA = FDecl->getAttr<AllocAlignAttr>();
3696 const Expr *Arg = Args[AA->getParamIndex().getASTIndex()];
3697 if (!Arg->isValueDependent()) {
3698 Expr::EvalResult Align;
3699 if (Arg->EvaluateAsInt(Align, Context)) {
3700 const llvm::APSInt &I = Align.Val.getInt();
3701 if (!I.isPowerOf2())
3702 Diag(Arg->getExprLoc(), diag::warn_alignment_not_power_of_two)
3703 << Arg->getSourceRange();
3704
3705 if (I > Sema::MaximumAlignment)
3706 Diag(Arg->getExprLoc(), diag::warn_assume_aligned_too_great)
3707 << Arg->getSourceRange() << Sema::MaximumAlignment;
3708 }
3709 }
3710 }
3711
3712 if (FD)
3713 diagnoseArgDependentDiagnoseIfAttrs(FD, ThisArg, Args, Loc);
3714 }
3715
CheckConstrainedAuto(const AutoType * AutoT,SourceLocation Loc)3716 void Sema::CheckConstrainedAuto(const AutoType *AutoT, SourceLocation Loc) {
3717 if (ConceptDecl *Decl = AutoT->getTypeConstraintConcept()) {
3718 DiagnoseUseOfDecl(Decl, Loc);
3719 }
3720 }
3721
CheckConstructorCall(FunctionDecl * FDecl,QualType ThisType,ArrayRef<const Expr * > Args,const FunctionProtoType * Proto,SourceLocation Loc)3722 void Sema::CheckConstructorCall(FunctionDecl *FDecl, QualType ThisType,
3723 ArrayRef<const Expr *> Args,
3724 const FunctionProtoType *Proto,
3725 SourceLocation Loc) {
3726 VariadicCallType CallType = Proto->isVariadic()
3727 ? VariadicCallType::Constructor
3728 : VariadicCallType::DoesNotApply;
3729
3730 auto *Ctor = cast<CXXConstructorDecl>(FDecl);
3731 CheckArgAlignment(
3732 Loc, FDecl, "'this'", Context.getPointerType(ThisType),
3733 Context.getPointerType(Ctor->getFunctionObjectParameterType()));
3734
3735 checkCall(FDecl, Proto, /*ThisArg=*/nullptr, Args, /*IsMemberFunction=*/true,
3736 Loc, SourceRange(), CallType);
3737 }
3738
CheckFunctionCall(FunctionDecl * FDecl,CallExpr * TheCall,const FunctionProtoType * Proto)3739 bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall,
3740 const FunctionProtoType *Proto) {
3741 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) &&
3742 isa<CXXMethodDecl>(FDecl);
3743 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) ||
3744 IsMemberOperatorCall;
3745 VariadicCallType CallType = getVariadicCallType(FDecl, Proto,
3746 TheCall->getCallee());
3747 Expr** Args = TheCall->getArgs();
3748 unsigned NumArgs = TheCall->getNumArgs();
3749
3750 Expr *ImplicitThis = nullptr;
3751 if (IsMemberOperatorCall && !FDecl->hasCXXExplicitFunctionObjectParameter()) {
3752 // If this is a call to a member operator, hide the first
3753 // argument from checkCall.
3754 // FIXME: Our choice of AST representation here is less than ideal.
3755 ImplicitThis = Args[0];
3756 ++Args;
3757 --NumArgs;
3758 } else if (IsMemberFunction && !FDecl->isStatic() &&
3759 !FDecl->hasCXXExplicitFunctionObjectParameter())
3760 ImplicitThis =
3761 cast<CXXMemberCallExpr>(TheCall)->getImplicitObjectArgument();
3762
3763 if (ImplicitThis) {
3764 // ImplicitThis may or may not be a pointer, depending on whether . or -> is
3765 // used.
3766 QualType ThisType = ImplicitThis->getType();
3767 if (!ThisType->isPointerType()) {
3768 assert(!ThisType->isReferenceType());
3769 ThisType = Context.getPointerType(ThisType);
3770 }
3771
3772 QualType ThisTypeFromDecl = Context.getPointerType(
3773 cast<CXXMethodDecl>(FDecl)->getFunctionObjectParameterType());
3774
3775 CheckArgAlignment(TheCall->getRParenLoc(), FDecl, "'this'", ThisType,
3776 ThisTypeFromDecl);
3777 }
3778
3779 checkCall(FDecl, Proto, ImplicitThis, llvm::ArrayRef(Args, NumArgs),
3780 IsMemberFunction, TheCall->getRParenLoc(),
3781 TheCall->getCallee()->getSourceRange(), CallType);
3782
3783 IdentifierInfo *FnInfo = FDecl->getIdentifier();
3784 // None of the checks below are needed for functions that don't have
3785 // simple names (e.g., C++ conversion functions).
3786 if (!FnInfo)
3787 return false;
3788
3789 // Enforce TCB except for builtin calls, which are always allowed.
3790 if (FDecl->getBuiltinID() == 0)
3791 CheckTCBEnforcement(TheCall->getExprLoc(), FDecl);
3792
3793 CheckAbsoluteValueFunction(TheCall, FDecl);
3794 CheckMaxUnsignedZero(TheCall, FDecl);
3795 CheckInfNaNFunction(TheCall, FDecl);
3796
3797 if (getLangOpts().ObjC)
3798 ObjC().DiagnoseCStringFormatDirectiveInCFAPI(FDecl, Args, NumArgs);
3799
3800 unsigned CMId = FDecl->getMemoryFunctionKind();
3801
3802 // Handle memory setting and copying functions.
3803 switch (CMId) {
3804 case 0:
3805 return false;
3806 case Builtin::BIstrlcpy: // fallthrough
3807 case Builtin::BIstrlcat:
3808 CheckStrlcpycatArguments(TheCall, FnInfo);
3809 break;
3810 case Builtin::BIstrncat:
3811 CheckStrncatArguments(TheCall, FnInfo);
3812 break;
3813 case Builtin::BIfree:
3814 CheckFreeArguments(TheCall);
3815 break;
3816 default:
3817 CheckMemaccessArguments(TheCall, CMId, FnInfo);
3818 }
3819
3820 return false;
3821 }
3822
CheckPointerCall(NamedDecl * NDecl,CallExpr * TheCall,const FunctionProtoType * Proto)3823 bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall,
3824 const FunctionProtoType *Proto) {
3825 QualType Ty;
3826 if (const auto *V = dyn_cast<VarDecl>(NDecl))
3827 Ty = V->getType().getNonReferenceType();
3828 else if (const auto *F = dyn_cast<FieldDecl>(NDecl))
3829 Ty = F->getType().getNonReferenceType();
3830 else
3831 return false;
3832
3833 if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType() &&
3834 !Ty->isFunctionProtoType())
3835 return false;
3836
3837 VariadicCallType CallType;
3838 if (!Proto || !Proto->isVariadic()) {
3839 CallType = VariadicCallType::DoesNotApply;
3840 } else if (Ty->isBlockPointerType()) {
3841 CallType = VariadicCallType::Block;
3842 } else { // Ty->isFunctionPointerType()
3843 CallType = VariadicCallType::Function;
3844 }
3845
3846 checkCall(NDecl, Proto, /*ThisArg=*/nullptr,
3847 llvm::ArrayRef(TheCall->getArgs(), TheCall->getNumArgs()),
3848 /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
3849 TheCall->getCallee()->getSourceRange(), CallType);
3850
3851 return false;
3852 }
3853
CheckOtherCall(CallExpr * TheCall,const FunctionProtoType * Proto)3854 bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) {
3855 VariadicCallType CallType = getVariadicCallType(/*FDecl=*/nullptr, Proto,
3856 TheCall->getCallee());
3857 checkCall(/*FDecl=*/nullptr, Proto, /*ThisArg=*/nullptr,
3858 llvm::ArrayRef(TheCall->getArgs(), TheCall->getNumArgs()),
3859 /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
3860 TheCall->getCallee()->getSourceRange(), CallType);
3861
3862 return false;
3863 }
3864
isValidOrderingForOp(int64_t Ordering,AtomicExpr::AtomicOp Op)3865 static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) {
3866 if (!llvm::isValidAtomicOrderingCABI(Ordering))
3867 return false;
3868
3869 auto OrderingCABI = (llvm::AtomicOrderingCABI)Ordering;
3870 switch (Op) {
3871 case AtomicExpr::AO__c11_atomic_init:
3872 case AtomicExpr::AO__opencl_atomic_init:
3873 llvm_unreachable("There is no ordering argument for an init");
3874
3875 case AtomicExpr::AO__c11_atomic_load:
3876 case AtomicExpr::AO__opencl_atomic_load:
3877 case AtomicExpr::AO__hip_atomic_load:
3878 case AtomicExpr::AO__atomic_load_n:
3879 case AtomicExpr::AO__atomic_load:
3880 case AtomicExpr::AO__scoped_atomic_load_n:
3881 case AtomicExpr::AO__scoped_atomic_load:
3882 return OrderingCABI != llvm::AtomicOrderingCABI::release &&
3883 OrderingCABI != llvm::AtomicOrderingCABI::acq_rel;
3884
3885 case AtomicExpr::AO__c11_atomic_store:
3886 case AtomicExpr::AO__opencl_atomic_store:
3887 case AtomicExpr::AO__hip_atomic_store:
3888 case AtomicExpr::AO__atomic_store:
3889 case AtomicExpr::AO__atomic_store_n:
3890 case AtomicExpr::AO__scoped_atomic_store:
3891 case AtomicExpr::AO__scoped_atomic_store_n:
3892 case AtomicExpr::AO__atomic_clear:
3893 return OrderingCABI != llvm::AtomicOrderingCABI::consume &&
3894 OrderingCABI != llvm::AtomicOrderingCABI::acquire &&
3895 OrderingCABI != llvm::AtomicOrderingCABI::acq_rel;
3896
3897 default:
3898 return true;
3899 }
3900 }
3901
AtomicOpsOverloaded(ExprResult TheCallResult,AtomicExpr::AtomicOp Op)3902 ExprResult Sema::AtomicOpsOverloaded(ExprResult TheCallResult,
3903 AtomicExpr::AtomicOp Op) {
3904 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get());
3905 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
3906 MultiExprArg Args{TheCall->getArgs(), TheCall->getNumArgs()};
3907 return BuildAtomicExpr({TheCall->getBeginLoc(), TheCall->getEndLoc()},
3908 DRE->getSourceRange(), TheCall->getRParenLoc(), Args,
3909 Op);
3910 }
3911
BuildAtomicExpr(SourceRange CallRange,SourceRange ExprRange,SourceLocation RParenLoc,MultiExprArg Args,AtomicExpr::AtomicOp Op,AtomicArgumentOrder ArgOrder)3912 ExprResult Sema::BuildAtomicExpr(SourceRange CallRange, SourceRange ExprRange,
3913 SourceLocation RParenLoc, MultiExprArg Args,
3914 AtomicExpr::AtomicOp Op,
3915 AtomicArgumentOrder ArgOrder) {
3916 // All the non-OpenCL operations take one of the following forms.
3917 // The OpenCL operations take the __c11 forms with one extra argument for
3918 // synchronization scope.
3919 enum {
3920 // C __c11_atomic_init(A *, C)
3921 Init,
3922
3923 // C __c11_atomic_load(A *, int)
3924 Load,
3925
3926 // void __atomic_load(A *, CP, int)
3927 LoadCopy,
3928
3929 // void __atomic_store(A *, CP, int)
3930 Copy,
3931
3932 // C __c11_atomic_add(A *, M, int)
3933 Arithmetic,
3934
3935 // C __atomic_exchange_n(A *, CP, int)
3936 Xchg,
3937
3938 // void __atomic_exchange(A *, C *, CP, int)
3939 GNUXchg,
3940
3941 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int)
3942 C11CmpXchg,
3943
3944 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int)
3945 GNUCmpXchg,
3946
3947 // bool __atomic_test_and_set(A *, int)
3948 TestAndSetByte,
3949
3950 // void __atomic_clear(A *, int)
3951 ClearByte,
3952 } Form = Init;
3953
3954 const unsigned NumForm = ClearByte + 1;
3955 const unsigned NumArgs[] = {2, 2, 3, 3, 3, 3, 4, 5, 6, 2, 2};
3956 const unsigned NumVals[] = {1, 0, 1, 1, 1, 1, 2, 2, 3, 0, 0};
3957 // where:
3958 // C is an appropriate type,
3959 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins,
3960 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise,
3961 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and
3962 // the int parameters are for orderings.
3963
3964 static_assert(sizeof(NumArgs)/sizeof(NumArgs[0]) == NumForm
3965 && sizeof(NumVals)/sizeof(NumVals[0]) == NumForm,
3966 "need to update code for modified forms");
3967 static_assert(AtomicExpr::AO__atomic_add_fetch == 0 &&
3968 AtomicExpr::AO__atomic_xor_fetch + 1 ==
3969 AtomicExpr::AO__c11_atomic_compare_exchange_strong,
3970 "need to update code for modified C11 atomics");
3971 bool IsOpenCL = Op >= AtomicExpr::AO__opencl_atomic_compare_exchange_strong &&
3972 Op <= AtomicExpr::AO__opencl_atomic_store;
3973 bool IsHIP = Op >= AtomicExpr::AO__hip_atomic_compare_exchange_strong &&
3974 Op <= AtomicExpr::AO__hip_atomic_store;
3975 bool IsScoped = Op >= AtomicExpr::AO__scoped_atomic_add_fetch &&
3976 Op <= AtomicExpr::AO__scoped_atomic_xor_fetch;
3977 bool IsC11 = (Op >= AtomicExpr::AO__c11_atomic_compare_exchange_strong &&
3978 Op <= AtomicExpr::AO__c11_atomic_store) ||
3979 IsOpenCL;
3980 bool IsN = Op == AtomicExpr::AO__atomic_load_n ||
3981 Op == AtomicExpr::AO__atomic_store_n ||
3982 Op == AtomicExpr::AO__atomic_exchange_n ||
3983 Op == AtomicExpr::AO__atomic_compare_exchange_n ||
3984 Op == AtomicExpr::AO__scoped_atomic_load_n ||
3985 Op == AtomicExpr::AO__scoped_atomic_store_n ||
3986 Op == AtomicExpr::AO__scoped_atomic_exchange_n ||
3987 Op == AtomicExpr::AO__scoped_atomic_compare_exchange_n;
3988 // Bit mask for extra allowed value types other than integers for atomic
3989 // arithmetic operations. Add/sub allow pointer and floating point. Min/max
3990 // allow floating point.
3991 enum ArithOpExtraValueType {
3992 AOEVT_None = 0,
3993 AOEVT_Pointer = 1,
3994 AOEVT_FP = 2,
3995 };
3996 unsigned ArithAllows = AOEVT_None;
3997
3998 switch (Op) {
3999 case AtomicExpr::AO__c11_atomic_init:
4000 case AtomicExpr::AO__opencl_atomic_init:
4001 Form = Init;
4002 break;
4003
4004 case AtomicExpr::AO__c11_atomic_load:
4005 case AtomicExpr::AO__opencl_atomic_load:
4006 case AtomicExpr::AO__hip_atomic_load:
4007 case AtomicExpr::AO__atomic_load_n:
4008 case AtomicExpr::AO__scoped_atomic_load_n:
4009 Form = Load;
4010 break;
4011
4012 case AtomicExpr::AO__atomic_load:
4013 case AtomicExpr::AO__scoped_atomic_load:
4014 Form = LoadCopy;
4015 break;
4016
4017 case AtomicExpr::AO__c11_atomic_store:
4018 case AtomicExpr::AO__opencl_atomic_store:
4019 case AtomicExpr::AO__hip_atomic_store:
4020 case AtomicExpr::AO__atomic_store:
4021 case AtomicExpr::AO__atomic_store_n:
4022 case AtomicExpr::AO__scoped_atomic_store:
4023 case AtomicExpr::AO__scoped_atomic_store_n:
4024 Form = Copy;
4025 break;
4026 case AtomicExpr::AO__atomic_fetch_add:
4027 case AtomicExpr::AO__atomic_fetch_sub:
4028 case AtomicExpr::AO__atomic_add_fetch:
4029 case AtomicExpr::AO__atomic_sub_fetch:
4030 case AtomicExpr::AO__scoped_atomic_fetch_add:
4031 case AtomicExpr::AO__scoped_atomic_fetch_sub:
4032 case AtomicExpr::AO__scoped_atomic_add_fetch:
4033 case AtomicExpr::AO__scoped_atomic_sub_fetch:
4034 case AtomicExpr::AO__c11_atomic_fetch_add:
4035 case AtomicExpr::AO__c11_atomic_fetch_sub:
4036 case AtomicExpr::AO__opencl_atomic_fetch_add:
4037 case AtomicExpr::AO__opencl_atomic_fetch_sub:
4038 case AtomicExpr::AO__hip_atomic_fetch_add:
4039 case AtomicExpr::AO__hip_atomic_fetch_sub:
4040 ArithAllows = AOEVT_Pointer | AOEVT_FP;
4041 Form = Arithmetic;
4042 break;
4043 case AtomicExpr::AO__atomic_fetch_max:
4044 case AtomicExpr::AO__atomic_fetch_min:
4045 case AtomicExpr::AO__atomic_max_fetch:
4046 case AtomicExpr::AO__atomic_min_fetch:
4047 case AtomicExpr::AO__scoped_atomic_fetch_max:
4048 case AtomicExpr::AO__scoped_atomic_fetch_min:
4049 case AtomicExpr::AO__scoped_atomic_max_fetch:
4050 case AtomicExpr::AO__scoped_atomic_min_fetch:
4051 case AtomicExpr::AO__c11_atomic_fetch_max:
4052 case AtomicExpr::AO__c11_atomic_fetch_min:
4053 case AtomicExpr::AO__opencl_atomic_fetch_max:
4054 case AtomicExpr::AO__opencl_atomic_fetch_min:
4055 case AtomicExpr::AO__hip_atomic_fetch_max:
4056 case AtomicExpr::AO__hip_atomic_fetch_min:
4057 ArithAllows = AOEVT_FP;
4058 Form = Arithmetic;
4059 break;
4060 case AtomicExpr::AO__c11_atomic_fetch_and:
4061 case AtomicExpr::AO__c11_atomic_fetch_or:
4062 case AtomicExpr::AO__c11_atomic_fetch_xor:
4063 case AtomicExpr::AO__hip_atomic_fetch_and:
4064 case AtomicExpr::AO__hip_atomic_fetch_or:
4065 case AtomicExpr::AO__hip_atomic_fetch_xor:
4066 case AtomicExpr::AO__c11_atomic_fetch_nand:
4067 case AtomicExpr::AO__opencl_atomic_fetch_and:
4068 case AtomicExpr::AO__opencl_atomic_fetch_or:
4069 case AtomicExpr::AO__opencl_atomic_fetch_xor:
4070 case AtomicExpr::AO__atomic_fetch_and:
4071 case AtomicExpr::AO__atomic_fetch_or:
4072 case AtomicExpr::AO__atomic_fetch_xor:
4073 case AtomicExpr::AO__atomic_fetch_nand:
4074 case AtomicExpr::AO__atomic_and_fetch:
4075 case AtomicExpr::AO__atomic_or_fetch:
4076 case AtomicExpr::AO__atomic_xor_fetch:
4077 case AtomicExpr::AO__atomic_nand_fetch:
4078 case AtomicExpr::AO__scoped_atomic_fetch_and:
4079 case AtomicExpr::AO__scoped_atomic_fetch_or:
4080 case AtomicExpr::AO__scoped_atomic_fetch_xor:
4081 case AtomicExpr::AO__scoped_atomic_fetch_nand:
4082 case AtomicExpr::AO__scoped_atomic_and_fetch:
4083 case AtomicExpr::AO__scoped_atomic_or_fetch:
4084 case AtomicExpr::AO__scoped_atomic_xor_fetch:
4085 case AtomicExpr::AO__scoped_atomic_nand_fetch:
4086 Form = Arithmetic;
4087 break;
4088
4089 case AtomicExpr::AO__c11_atomic_exchange:
4090 case AtomicExpr::AO__hip_atomic_exchange:
4091 case AtomicExpr::AO__opencl_atomic_exchange:
4092 case AtomicExpr::AO__atomic_exchange_n:
4093 case AtomicExpr::AO__scoped_atomic_exchange_n:
4094 Form = Xchg;
4095 break;
4096
4097 case AtomicExpr::AO__atomic_exchange:
4098 case AtomicExpr::AO__scoped_atomic_exchange:
4099 Form = GNUXchg;
4100 break;
4101
4102 case AtomicExpr::AO__c11_atomic_compare_exchange_strong:
4103 case AtomicExpr::AO__c11_atomic_compare_exchange_weak:
4104 case AtomicExpr::AO__hip_atomic_compare_exchange_strong:
4105 case AtomicExpr::AO__opencl_atomic_compare_exchange_strong:
4106 case AtomicExpr::AO__opencl_atomic_compare_exchange_weak:
4107 case AtomicExpr::AO__hip_atomic_compare_exchange_weak:
4108 Form = C11CmpXchg;
4109 break;
4110
4111 case AtomicExpr::AO__atomic_compare_exchange:
4112 case AtomicExpr::AO__atomic_compare_exchange_n:
4113 case AtomicExpr::AO__scoped_atomic_compare_exchange:
4114 case AtomicExpr::AO__scoped_atomic_compare_exchange_n:
4115 Form = GNUCmpXchg;
4116 break;
4117
4118 case AtomicExpr::AO__atomic_test_and_set:
4119 Form = TestAndSetByte;
4120 break;
4121
4122 case AtomicExpr::AO__atomic_clear:
4123 Form = ClearByte;
4124 break;
4125 }
4126
4127 unsigned AdjustedNumArgs = NumArgs[Form];
4128 if ((IsOpenCL || IsHIP || IsScoped) &&
4129 Op != AtomicExpr::AO__opencl_atomic_init)
4130 ++AdjustedNumArgs;
4131 // Check we have the right number of arguments.
4132 if (Args.size() < AdjustedNumArgs) {
4133 Diag(CallRange.getEnd(), diag::err_typecheck_call_too_few_args)
4134 << 0 << AdjustedNumArgs << static_cast<unsigned>(Args.size())
4135 << /*is non object*/ 0 << ExprRange;
4136 return ExprError();
4137 } else if (Args.size() > AdjustedNumArgs) {
4138 Diag(Args[AdjustedNumArgs]->getBeginLoc(),
4139 diag::err_typecheck_call_too_many_args)
4140 << 0 << AdjustedNumArgs << static_cast<unsigned>(Args.size())
4141 << /*is non object*/ 0 << ExprRange;
4142 return ExprError();
4143 }
4144
4145 // Inspect the first argument of the atomic operation.
4146 Expr *Ptr = Args[0];
4147 ExprResult ConvertedPtr = DefaultFunctionArrayLvalueConversion(Ptr);
4148 if (ConvertedPtr.isInvalid())
4149 return ExprError();
4150
4151 Ptr = ConvertedPtr.get();
4152 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>();
4153 if (!pointerType) {
4154 Diag(ExprRange.getBegin(), diag::err_atomic_builtin_must_be_pointer)
4155 << Ptr->getType() << 0 << Ptr->getSourceRange();
4156 return ExprError();
4157 }
4158
4159 // For a __c11 builtin, this should be a pointer to an _Atomic type.
4160 QualType AtomTy = pointerType->getPointeeType(); // 'A'
4161 QualType ValType = AtomTy; // 'C'
4162 if (IsC11) {
4163 if (!AtomTy->isAtomicType()) {
4164 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_atomic)
4165 << Ptr->getType() << Ptr->getSourceRange();
4166 return ExprError();
4167 }
4168 if ((Form != Load && Form != LoadCopy && AtomTy.isConstQualified()) ||
4169 AtomTy.getAddressSpace() == LangAS::opencl_constant) {
4170 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_non_const_atomic)
4171 << (AtomTy.isConstQualified() ? 0 : 1) << Ptr->getType()
4172 << Ptr->getSourceRange();
4173 return ExprError();
4174 }
4175 ValType = AtomTy->castAs<AtomicType>()->getValueType();
4176 } else if (Form != Load && Form != LoadCopy) {
4177 if (ValType.isConstQualified()) {
4178 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_non_const_pointer)
4179 << Ptr->getType() << Ptr->getSourceRange();
4180 return ExprError();
4181 }
4182 }
4183
4184 if (Form != TestAndSetByte && Form != ClearByte) {
4185 // Pointer to object of size zero is not allowed.
4186 if (RequireCompleteType(Ptr->getBeginLoc(), AtomTy,
4187 diag::err_incomplete_type))
4188 return ExprError();
4189
4190 if (Context.getTypeInfoInChars(AtomTy).Width.isZero()) {
4191 Diag(ExprRange.getBegin(), diag::err_atomic_builtin_must_be_pointer)
4192 << Ptr->getType() << 1 << Ptr->getSourceRange();
4193 return ExprError();
4194 }
4195 } else {
4196 // The __atomic_clear and __atomic_test_and_set intrinsics accept any
4197 // non-const pointer type, including void* and pointers to incomplete
4198 // structs, but only access the first byte.
4199 AtomTy = Context.CharTy;
4200 AtomTy = AtomTy.withCVRQualifiers(
4201 pointerType->getPointeeType().getCVRQualifiers());
4202 QualType PointerQT = Context.getPointerType(AtomTy);
4203 pointerType = PointerQT->getAs<PointerType>();
4204 Ptr = ImpCastExprToType(Ptr, PointerQT, CK_BitCast).get();
4205 ValType = AtomTy;
4206 }
4207
4208 PointerAuthQualifier PointerAuth = AtomTy.getPointerAuth();
4209 if (PointerAuth && PointerAuth.isAddressDiscriminated()) {
4210 Diag(ExprRange.getBegin(),
4211 diag::err_atomic_op_needs_non_address_discriminated_pointer)
4212 << 0 << Ptr->getType() << Ptr->getSourceRange();
4213 return ExprError();
4214 }
4215
4216 // For an arithmetic operation, the implied arithmetic must be well-formed.
4217 if (Form == Arithmetic) {
4218 // GCC does not enforce these rules for GNU atomics, but we do to help catch
4219 // trivial type errors.
4220 auto IsAllowedValueType = [&](QualType ValType,
4221 unsigned AllowedType) -> bool {
4222 if (ValType->isIntegerType())
4223 return true;
4224 if (ValType->isPointerType())
4225 return AllowedType & AOEVT_Pointer;
4226 if (!(ValType->isFloatingType() && (AllowedType & AOEVT_FP)))
4227 return false;
4228 // LLVM Parser does not allow atomicrmw with x86_fp80 type.
4229 if (ValType->isSpecificBuiltinType(BuiltinType::LongDouble) &&
4230 &Context.getTargetInfo().getLongDoubleFormat() ==
4231 &llvm::APFloat::x87DoubleExtended())
4232 return false;
4233 return true;
4234 };
4235 if (!IsAllowedValueType(ValType, ArithAllows)) {
4236 auto DID = ArithAllows & AOEVT_FP
4237 ? (ArithAllows & AOEVT_Pointer
4238 ? diag::err_atomic_op_needs_atomic_int_ptr_or_fp
4239 : diag::err_atomic_op_needs_atomic_int_or_fp)
4240 : diag::err_atomic_op_needs_atomic_int;
4241 Diag(ExprRange.getBegin(), DID)
4242 << IsC11 << Ptr->getType() << Ptr->getSourceRange();
4243 return ExprError();
4244 }
4245 if (IsC11 && ValType->isPointerType() &&
4246 RequireCompleteType(Ptr->getBeginLoc(), ValType->getPointeeType(),
4247 diag::err_incomplete_type)) {
4248 return ExprError();
4249 }
4250 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) {
4251 // For __atomic_*_n operations, the value type must be a scalar integral or
4252 // pointer type which is 1, 2, 4, 8 or 16 bytes in length.
4253 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_atomic_int_or_ptr)
4254 << IsC11 << Ptr->getType() << Ptr->getSourceRange();
4255 return ExprError();
4256 }
4257
4258 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) &&
4259 !AtomTy->isScalarType()) {
4260 // For GNU atomics, require a trivially-copyable type. This is not part of
4261 // the GNU atomics specification but we enforce it for consistency with
4262 // other atomics which generally all require a trivially-copyable type. This
4263 // is because atomics just copy bits.
4264 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_trivial_copy)
4265 << Ptr->getType() << Ptr->getSourceRange();
4266 return ExprError();
4267 }
4268
4269 switch (ValType.getObjCLifetime()) {
4270 case Qualifiers::OCL_None:
4271 case Qualifiers::OCL_ExplicitNone:
4272 // okay
4273 break;
4274
4275 case Qualifiers::OCL_Weak:
4276 case Qualifiers::OCL_Strong:
4277 case Qualifiers::OCL_Autoreleasing:
4278 // FIXME: Can this happen? By this point, ValType should be known
4279 // to be trivially copyable.
4280 Diag(ExprRange.getBegin(), diag::err_arc_atomic_ownership)
4281 << ValType << Ptr->getSourceRange();
4282 return ExprError();
4283 }
4284
4285 // All atomic operations have an overload which takes a pointer to a volatile
4286 // 'A'. We shouldn't let the volatile-ness of the pointee-type inject itself
4287 // into the result or the other operands. Similarly atomic_load takes a
4288 // pointer to a const 'A'.
4289 ValType.removeLocalVolatile();
4290 ValType.removeLocalConst();
4291 QualType ResultType = ValType;
4292 if (Form == Copy || Form == LoadCopy || Form == GNUXchg || Form == Init ||
4293 Form == ClearByte)
4294 ResultType = Context.VoidTy;
4295 else if (Form == C11CmpXchg || Form == GNUCmpXchg || Form == TestAndSetByte)
4296 ResultType = Context.BoolTy;
4297
4298 // The type of a parameter passed 'by value'. In the GNU atomics, such
4299 // arguments are actually passed as pointers.
4300 QualType ByValType = ValType; // 'CP'
4301 bool IsPassedByAddress = false;
4302 if (!IsC11 && !IsHIP && !IsN) {
4303 ByValType = Ptr->getType();
4304 IsPassedByAddress = true;
4305 }
4306
4307 SmallVector<Expr *, 5> APIOrderedArgs;
4308 if (ArgOrder == Sema::AtomicArgumentOrder::AST) {
4309 APIOrderedArgs.push_back(Args[0]);
4310 switch (Form) {
4311 case Init:
4312 case Load:
4313 APIOrderedArgs.push_back(Args[1]); // Val1/Order
4314 break;
4315 case LoadCopy:
4316 case Copy:
4317 case Arithmetic:
4318 case Xchg:
4319 APIOrderedArgs.push_back(Args[2]); // Val1
4320 APIOrderedArgs.push_back(Args[1]); // Order
4321 break;
4322 case GNUXchg:
4323 APIOrderedArgs.push_back(Args[2]); // Val1
4324 APIOrderedArgs.push_back(Args[3]); // Val2
4325 APIOrderedArgs.push_back(Args[1]); // Order
4326 break;
4327 case C11CmpXchg:
4328 APIOrderedArgs.push_back(Args[2]); // Val1
4329 APIOrderedArgs.push_back(Args[4]); // Val2
4330 APIOrderedArgs.push_back(Args[1]); // Order
4331 APIOrderedArgs.push_back(Args[3]); // OrderFail
4332 break;
4333 case GNUCmpXchg:
4334 APIOrderedArgs.push_back(Args[2]); // Val1
4335 APIOrderedArgs.push_back(Args[4]); // Val2
4336 APIOrderedArgs.push_back(Args[5]); // Weak
4337 APIOrderedArgs.push_back(Args[1]); // Order
4338 APIOrderedArgs.push_back(Args[3]); // OrderFail
4339 break;
4340 case TestAndSetByte:
4341 case ClearByte:
4342 APIOrderedArgs.push_back(Args[1]); // Order
4343 break;
4344 }
4345 } else
4346 APIOrderedArgs.append(Args.begin(), Args.end());
4347
4348 // The first argument's non-CV pointer type is used to deduce the type of
4349 // subsequent arguments, except for:
4350 // - weak flag (always converted to bool)
4351 // - memory order (always converted to int)
4352 // - scope (always converted to int)
4353 for (unsigned i = 0; i != APIOrderedArgs.size(); ++i) {
4354 QualType Ty;
4355 if (i < NumVals[Form] + 1) {
4356 switch (i) {
4357 case 0:
4358 // The first argument is always a pointer. It has a fixed type.
4359 // It is always dereferenced, a nullptr is undefined.
4360 CheckNonNullArgument(*this, APIOrderedArgs[i], ExprRange.getBegin());
4361 // Nothing else to do: we already know all we want about this pointer.
4362 continue;
4363 case 1:
4364 // The second argument is the non-atomic operand. For arithmetic, this
4365 // is always passed by value, and for a compare_exchange it is always
4366 // passed by address. For the rest, GNU uses by-address and C11 uses
4367 // by-value.
4368 assert(Form != Load);
4369 if (Form == Arithmetic && ValType->isPointerType())
4370 Ty = Context.getPointerDiffType();
4371 else if (Form == Init || Form == Arithmetic)
4372 Ty = ValType;
4373 else if (Form == Copy || Form == Xchg) {
4374 if (IsPassedByAddress) {
4375 // The value pointer is always dereferenced, a nullptr is undefined.
4376 CheckNonNullArgument(*this, APIOrderedArgs[i],
4377 ExprRange.getBegin());
4378 }
4379 Ty = ByValType;
4380 } else {
4381 Expr *ValArg = APIOrderedArgs[i];
4382 // The value pointer is always dereferenced, a nullptr is undefined.
4383 CheckNonNullArgument(*this, ValArg, ExprRange.getBegin());
4384 LangAS AS = LangAS::Default;
4385 // Keep address space of non-atomic pointer type.
4386 if (const PointerType *PtrTy =
4387 ValArg->getType()->getAs<PointerType>()) {
4388 AS = PtrTy->getPointeeType().getAddressSpace();
4389 }
4390 Ty = Context.getPointerType(
4391 Context.getAddrSpaceQualType(ValType.getUnqualifiedType(), AS));
4392 }
4393 break;
4394 case 2:
4395 // The third argument to compare_exchange / GNU exchange is the desired
4396 // value, either by-value (for the C11 and *_n variant) or as a pointer.
4397 if (IsPassedByAddress)
4398 CheckNonNullArgument(*this, APIOrderedArgs[i], ExprRange.getBegin());
4399 Ty = ByValType;
4400 break;
4401 case 3:
4402 // The fourth argument to GNU compare_exchange is a 'weak' flag.
4403 Ty = Context.BoolTy;
4404 break;
4405 }
4406 } else {
4407 // The order(s) and scope are always converted to int.
4408 Ty = Context.IntTy;
4409 }
4410
4411 InitializedEntity Entity =
4412 InitializedEntity::InitializeParameter(Context, Ty, false);
4413 ExprResult Arg = APIOrderedArgs[i];
4414 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
4415 if (Arg.isInvalid())
4416 return true;
4417 APIOrderedArgs[i] = Arg.get();
4418 }
4419
4420 // Permute the arguments into a 'consistent' order.
4421 SmallVector<Expr*, 5> SubExprs;
4422 SubExprs.push_back(Ptr);
4423 switch (Form) {
4424 case Init:
4425 // Note, AtomicExpr::getVal1() has a special case for this atomic.
4426 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4427 break;
4428 case Load:
4429 case TestAndSetByte:
4430 case ClearByte:
4431 SubExprs.push_back(APIOrderedArgs[1]); // Order
4432 break;
4433 case LoadCopy:
4434 case Copy:
4435 case Arithmetic:
4436 case Xchg:
4437 SubExprs.push_back(APIOrderedArgs[2]); // Order
4438 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4439 break;
4440 case GNUXchg:
4441 // Note, AtomicExpr::getVal2() has a special case for this atomic.
4442 SubExprs.push_back(APIOrderedArgs[3]); // Order
4443 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4444 SubExprs.push_back(APIOrderedArgs[2]); // Val2
4445 break;
4446 case C11CmpXchg:
4447 SubExprs.push_back(APIOrderedArgs[3]); // Order
4448 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4449 SubExprs.push_back(APIOrderedArgs[4]); // OrderFail
4450 SubExprs.push_back(APIOrderedArgs[2]); // Val2
4451 break;
4452 case GNUCmpXchg:
4453 SubExprs.push_back(APIOrderedArgs[4]); // Order
4454 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4455 SubExprs.push_back(APIOrderedArgs[5]); // OrderFail
4456 SubExprs.push_back(APIOrderedArgs[2]); // Val2
4457 SubExprs.push_back(APIOrderedArgs[3]); // Weak
4458 break;
4459 }
4460
4461 // If the memory orders are constants, check they are valid.
4462 if (SubExprs.size() >= 2 && Form != Init) {
4463 std::optional<llvm::APSInt> Success =
4464 SubExprs[1]->getIntegerConstantExpr(Context);
4465 if (Success && !isValidOrderingForOp(Success->getSExtValue(), Op)) {
4466 Diag(SubExprs[1]->getBeginLoc(),
4467 diag::warn_atomic_op_has_invalid_memory_order)
4468 << /*success=*/(Form == C11CmpXchg || Form == GNUCmpXchg)
4469 << SubExprs[1]->getSourceRange();
4470 }
4471 if (SubExprs.size() >= 5) {
4472 if (std::optional<llvm::APSInt> Failure =
4473 SubExprs[3]->getIntegerConstantExpr(Context)) {
4474 if (!llvm::is_contained(
4475 {llvm::AtomicOrderingCABI::relaxed,
4476 llvm::AtomicOrderingCABI::consume,
4477 llvm::AtomicOrderingCABI::acquire,
4478 llvm::AtomicOrderingCABI::seq_cst},
4479 (llvm::AtomicOrderingCABI)Failure->getSExtValue())) {
4480 Diag(SubExprs[3]->getBeginLoc(),
4481 diag::warn_atomic_op_has_invalid_memory_order)
4482 << /*failure=*/2 << SubExprs[3]->getSourceRange();
4483 }
4484 }
4485 }
4486 }
4487
4488 if (auto ScopeModel = AtomicExpr::getScopeModel(Op)) {
4489 auto *Scope = Args[Args.size() - 1];
4490 if (std::optional<llvm::APSInt> Result =
4491 Scope->getIntegerConstantExpr(Context)) {
4492 if (!ScopeModel->isValid(Result->getZExtValue()))
4493 Diag(Scope->getBeginLoc(), diag::err_atomic_op_has_invalid_sync_scope)
4494 << Scope->getSourceRange();
4495 }
4496 SubExprs.push_back(Scope);
4497 }
4498
4499 AtomicExpr *AE = new (Context)
4500 AtomicExpr(ExprRange.getBegin(), SubExprs, ResultType, Op, RParenLoc);
4501
4502 if ((Op == AtomicExpr::AO__c11_atomic_load ||
4503 Op == AtomicExpr::AO__c11_atomic_store ||
4504 Op == AtomicExpr::AO__opencl_atomic_load ||
4505 Op == AtomicExpr::AO__hip_atomic_load ||
4506 Op == AtomicExpr::AO__opencl_atomic_store ||
4507 Op == AtomicExpr::AO__hip_atomic_store) &&
4508 Context.AtomicUsesUnsupportedLibcall(AE))
4509 Diag(AE->getBeginLoc(), diag::err_atomic_load_store_uses_lib)
4510 << ((Op == AtomicExpr::AO__c11_atomic_load ||
4511 Op == AtomicExpr::AO__opencl_atomic_load ||
4512 Op == AtomicExpr::AO__hip_atomic_load)
4513 ? 0
4514 : 1);
4515
4516 if (ValType->isBitIntType()) {
4517 Diag(Ptr->getExprLoc(), diag::err_atomic_builtin_bit_int_prohibit);
4518 return ExprError();
4519 }
4520
4521 return AE;
4522 }
4523
4524 /// checkBuiltinArgument - Given a call to a builtin function, perform
4525 /// normal type-checking on the given argument, updating the call in
4526 /// place. This is useful when a builtin function requires custom
4527 /// type-checking for some of its arguments but not necessarily all of
4528 /// them.
4529 ///
4530 /// Returns true on error.
checkBuiltinArgument(Sema & S,CallExpr * E,unsigned ArgIndex)4531 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) {
4532 FunctionDecl *Fn = E->getDirectCallee();
4533 assert(Fn && "builtin call without direct callee!");
4534
4535 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex);
4536 InitializedEntity Entity =
4537 InitializedEntity::InitializeParameter(S.Context, Param);
4538
4539 ExprResult Arg = E->getArg(ArgIndex);
4540 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg);
4541 if (Arg.isInvalid())
4542 return true;
4543
4544 E->setArg(ArgIndex, Arg.get());
4545 return false;
4546 }
4547
BuiltinAtomicOverloaded(ExprResult TheCallResult)4548 ExprResult Sema::BuiltinAtomicOverloaded(ExprResult TheCallResult) {
4549 CallExpr *TheCall = static_cast<CallExpr *>(TheCallResult.get());
4550 Expr *Callee = TheCall->getCallee();
4551 DeclRefExpr *DRE = cast<DeclRefExpr>(Callee->IgnoreParenCasts());
4552 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
4553
4554 // Ensure that we have at least one argument to do type inference from.
4555 if (TheCall->getNumArgs() < 1) {
4556 Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
4557 << 0 << 1 << TheCall->getNumArgs() << /*is non object*/ 0
4558 << Callee->getSourceRange();
4559 return ExprError();
4560 }
4561
4562 // Inspect the first argument of the atomic builtin. This should always be
4563 // a pointer type, whose element is an integral scalar or pointer type.
4564 // Because it is a pointer type, we don't have to worry about any implicit
4565 // casts here.
4566 // FIXME: We don't allow floating point scalars as input.
4567 Expr *FirstArg = TheCall->getArg(0);
4568 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg);
4569 if (FirstArgResult.isInvalid())
4570 return ExprError();
4571 FirstArg = FirstArgResult.get();
4572 TheCall->setArg(0, FirstArg);
4573
4574 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>();
4575 if (!pointerType) {
4576 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_must_be_pointer)
4577 << FirstArg->getType() << 0 << FirstArg->getSourceRange();
4578 return ExprError();
4579 }
4580
4581 QualType ValType = pointerType->getPointeeType();
4582 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
4583 !ValType->isBlockPointerType()) {
4584 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_must_be_pointer_intptr)
4585 << FirstArg->getType() << 0 << FirstArg->getSourceRange();
4586 return ExprError();
4587 }
4588 PointerAuthQualifier PointerAuth = ValType.getPointerAuth();
4589 if (PointerAuth && PointerAuth.isAddressDiscriminated()) {
4590 Diag(FirstArg->getBeginLoc(),
4591 diag::err_atomic_op_needs_non_address_discriminated_pointer)
4592 << 1 << ValType << FirstArg->getSourceRange();
4593 return ExprError();
4594 }
4595
4596 if (ValType.isConstQualified()) {
4597 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_cannot_be_const)
4598 << FirstArg->getType() << FirstArg->getSourceRange();
4599 return ExprError();
4600 }
4601
4602 switch (ValType.getObjCLifetime()) {
4603 case Qualifiers::OCL_None:
4604 case Qualifiers::OCL_ExplicitNone:
4605 // okay
4606 break;
4607
4608 case Qualifiers::OCL_Weak:
4609 case Qualifiers::OCL_Strong:
4610 case Qualifiers::OCL_Autoreleasing:
4611 Diag(DRE->getBeginLoc(), diag::err_arc_atomic_ownership)
4612 << ValType << FirstArg->getSourceRange();
4613 return ExprError();
4614 }
4615
4616 // Strip any qualifiers off ValType.
4617 ValType = ValType.getUnqualifiedType();
4618
4619 // The majority of builtins return a value, but a few have special return
4620 // types, so allow them to override appropriately below.
4621 QualType ResultType = ValType;
4622
4623 // We need to figure out which concrete builtin this maps onto. For example,
4624 // __sync_fetch_and_add with a 2 byte object turns into
4625 // __sync_fetch_and_add_2.
4626 #define BUILTIN_ROW(x) \
4627 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \
4628 Builtin::BI##x##_8, Builtin::BI##x##_16 }
4629
4630 static const unsigned BuiltinIndices[][5] = {
4631 BUILTIN_ROW(__sync_fetch_and_add),
4632 BUILTIN_ROW(__sync_fetch_and_sub),
4633 BUILTIN_ROW(__sync_fetch_and_or),
4634 BUILTIN_ROW(__sync_fetch_and_and),
4635 BUILTIN_ROW(__sync_fetch_and_xor),
4636 BUILTIN_ROW(__sync_fetch_and_nand),
4637
4638 BUILTIN_ROW(__sync_add_and_fetch),
4639 BUILTIN_ROW(__sync_sub_and_fetch),
4640 BUILTIN_ROW(__sync_and_and_fetch),
4641 BUILTIN_ROW(__sync_or_and_fetch),
4642 BUILTIN_ROW(__sync_xor_and_fetch),
4643 BUILTIN_ROW(__sync_nand_and_fetch),
4644
4645 BUILTIN_ROW(__sync_val_compare_and_swap),
4646 BUILTIN_ROW(__sync_bool_compare_and_swap),
4647 BUILTIN_ROW(__sync_lock_test_and_set),
4648 BUILTIN_ROW(__sync_lock_release),
4649 BUILTIN_ROW(__sync_swap)
4650 };
4651 #undef BUILTIN_ROW
4652
4653 // Determine the index of the size.
4654 unsigned SizeIndex;
4655 switch (Context.getTypeSizeInChars(ValType).getQuantity()) {
4656 case 1: SizeIndex = 0; break;
4657 case 2: SizeIndex = 1; break;
4658 case 4: SizeIndex = 2; break;
4659 case 8: SizeIndex = 3; break;
4660 case 16: SizeIndex = 4; break;
4661 default:
4662 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_pointer_size)
4663 << FirstArg->getType() << FirstArg->getSourceRange();
4664 return ExprError();
4665 }
4666
4667 // Each of these builtins has one pointer argument, followed by some number of
4668 // values (0, 1 or 2) followed by a potentially empty varags list of stuff
4669 // that we ignore. Find out which row of BuiltinIndices to read from as well
4670 // as the number of fixed args.
4671 unsigned BuiltinID = FDecl->getBuiltinID();
4672 unsigned BuiltinIndex, NumFixed = 1;
4673 bool WarnAboutSemanticsChange = false;
4674 switch (BuiltinID) {
4675 default: llvm_unreachable("Unknown overloaded atomic builtin!");
4676 case Builtin::BI__sync_fetch_and_add:
4677 case Builtin::BI__sync_fetch_and_add_1:
4678 case Builtin::BI__sync_fetch_and_add_2:
4679 case Builtin::BI__sync_fetch_and_add_4:
4680 case Builtin::BI__sync_fetch_and_add_8:
4681 case Builtin::BI__sync_fetch_and_add_16:
4682 BuiltinIndex = 0;
4683 break;
4684
4685 case Builtin::BI__sync_fetch_and_sub:
4686 case Builtin::BI__sync_fetch_and_sub_1:
4687 case Builtin::BI__sync_fetch_and_sub_2:
4688 case Builtin::BI__sync_fetch_and_sub_4:
4689 case Builtin::BI__sync_fetch_and_sub_8:
4690 case Builtin::BI__sync_fetch_and_sub_16:
4691 BuiltinIndex = 1;
4692 break;
4693
4694 case Builtin::BI__sync_fetch_and_or:
4695 case Builtin::BI__sync_fetch_and_or_1:
4696 case Builtin::BI__sync_fetch_and_or_2:
4697 case Builtin::BI__sync_fetch_and_or_4:
4698 case Builtin::BI__sync_fetch_and_or_8:
4699 case Builtin::BI__sync_fetch_and_or_16:
4700 BuiltinIndex = 2;
4701 break;
4702
4703 case Builtin::BI__sync_fetch_and_and:
4704 case Builtin::BI__sync_fetch_and_and_1:
4705 case Builtin::BI__sync_fetch_and_and_2:
4706 case Builtin::BI__sync_fetch_and_and_4:
4707 case Builtin::BI__sync_fetch_and_and_8:
4708 case Builtin::BI__sync_fetch_and_and_16:
4709 BuiltinIndex = 3;
4710 break;
4711
4712 case Builtin::BI__sync_fetch_and_xor:
4713 case Builtin::BI__sync_fetch_and_xor_1:
4714 case Builtin::BI__sync_fetch_and_xor_2:
4715 case Builtin::BI__sync_fetch_and_xor_4:
4716 case Builtin::BI__sync_fetch_and_xor_8:
4717 case Builtin::BI__sync_fetch_and_xor_16:
4718 BuiltinIndex = 4;
4719 break;
4720
4721 case Builtin::BI__sync_fetch_and_nand:
4722 case Builtin::BI__sync_fetch_and_nand_1:
4723 case Builtin::BI__sync_fetch_and_nand_2:
4724 case Builtin::BI__sync_fetch_and_nand_4:
4725 case Builtin::BI__sync_fetch_and_nand_8:
4726 case Builtin::BI__sync_fetch_and_nand_16:
4727 BuiltinIndex = 5;
4728 WarnAboutSemanticsChange = true;
4729 break;
4730
4731 case Builtin::BI__sync_add_and_fetch:
4732 case Builtin::BI__sync_add_and_fetch_1:
4733 case Builtin::BI__sync_add_and_fetch_2:
4734 case Builtin::BI__sync_add_and_fetch_4:
4735 case Builtin::BI__sync_add_and_fetch_8:
4736 case Builtin::BI__sync_add_and_fetch_16:
4737 BuiltinIndex = 6;
4738 break;
4739
4740 case Builtin::BI__sync_sub_and_fetch:
4741 case Builtin::BI__sync_sub_and_fetch_1:
4742 case Builtin::BI__sync_sub_and_fetch_2:
4743 case Builtin::BI__sync_sub_and_fetch_4:
4744 case Builtin::BI__sync_sub_and_fetch_8:
4745 case Builtin::BI__sync_sub_and_fetch_16:
4746 BuiltinIndex = 7;
4747 break;
4748
4749 case Builtin::BI__sync_and_and_fetch:
4750 case Builtin::BI__sync_and_and_fetch_1:
4751 case Builtin::BI__sync_and_and_fetch_2:
4752 case Builtin::BI__sync_and_and_fetch_4:
4753 case Builtin::BI__sync_and_and_fetch_8:
4754 case Builtin::BI__sync_and_and_fetch_16:
4755 BuiltinIndex = 8;
4756 break;
4757
4758 case Builtin::BI__sync_or_and_fetch:
4759 case Builtin::BI__sync_or_and_fetch_1:
4760 case Builtin::BI__sync_or_and_fetch_2:
4761 case Builtin::BI__sync_or_and_fetch_4:
4762 case Builtin::BI__sync_or_and_fetch_8:
4763 case Builtin::BI__sync_or_and_fetch_16:
4764 BuiltinIndex = 9;
4765 break;
4766
4767 case Builtin::BI__sync_xor_and_fetch:
4768 case Builtin::BI__sync_xor_and_fetch_1:
4769 case Builtin::BI__sync_xor_and_fetch_2:
4770 case Builtin::BI__sync_xor_and_fetch_4:
4771 case Builtin::BI__sync_xor_and_fetch_8:
4772 case Builtin::BI__sync_xor_and_fetch_16:
4773 BuiltinIndex = 10;
4774 break;
4775
4776 case Builtin::BI__sync_nand_and_fetch:
4777 case Builtin::BI__sync_nand_and_fetch_1:
4778 case Builtin::BI__sync_nand_and_fetch_2:
4779 case Builtin::BI__sync_nand_and_fetch_4:
4780 case Builtin::BI__sync_nand_and_fetch_8:
4781 case Builtin::BI__sync_nand_and_fetch_16:
4782 BuiltinIndex = 11;
4783 WarnAboutSemanticsChange = true;
4784 break;
4785
4786 case Builtin::BI__sync_val_compare_and_swap:
4787 case Builtin::BI__sync_val_compare_and_swap_1:
4788 case Builtin::BI__sync_val_compare_and_swap_2:
4789 case Builtin::BI__sync_val_compare_and_swap_4:
4790 case Builtin::BI__sync_val_compare_and_swap_8:
4791 case Builtin::BI__sync_val_compare_and_swap_16:
4792 BuiltinIndex = 12;
4793 NumFixed = 2;
4794 break;
4795
4796 case Builtin::BI__sync_bool_compare_and_swap:
4797 case Builtin::BI__sync_bool_compare_and_swap_1:
4798 case Builtin::BI__sync_bool_compare_and_swap_2:
4799 case Builtin::BI__sync_bool_compare_and_swap_4:
4800 case Builtin::BI__sync_bool_compare_and_swap_8:
4801 case Builtin::BI__sync_bool_compare_and_swap_16:
4802 BuiltinIndex = 13;
4803 NumFixed = 2;
4804 ResultType = Context.BoolTy;
4805 break;
4806
4807 case Builtin::BI__sync_lock_test_and_set:
4808 case Builtin::BI__sync_lock_test_and_set_1:
4809 case Builtin::BI__sync_lock_test_and_set_2:
4810 case Builtin::BI__sync_lock_test_and_set_4:
4811 case Builtin::BI__sync_lock_test_and_set_8:
4812 case Builtin::BI__sync_lock_test_and_set_16:
4813 BuiltinIndex = 14;
4814 break;
4815
4816 case Builtin::BI__sync_lock_release:
4817 case Builtin::BI__sync_lock_release_1:
4818 case Builtin::BI__sync_lock_release_2:
4819 case Builtin::BI__sync_lock_release_4:
4820 case Builtin::BI__sync_lock_release_8:
4821 case Builtin::BI__sync_lock_release_16:
4822 BuiltinIndex = 15;
4823 NumFixed = 0;
4824 ResultType = Context.VoidTy;
4825 break;
4826
4827 case Builtin::BI__sync_swap:
4828 case Builtin::BI__sync_swap_1:
4829 case Builtin::BI__sync_swap_2:
4830 case Builtin::BI__sync_swap_4:
4831 case Builtin::BI__sync_swap_8:
4832 case Builtin::BI__sync_swap_16:
4833 BuiltinIndex = 16;
4834 break;
4835 }
4836
4837 // Now that we know how many fixed arguments we expect, first check that we
4838 // have at least that many.
4839 if (TheCall->getNumArgs() < 1+NumFixed) {
4840 Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
4841 << 0 << 1 + NumFixed << TheCall->getNumArgs() << /*is non object*/ 0
4842 << Callee->getSourceRange();
4843 return ExprError();
4844 }
4845
4846 Diag(TheCall->getEndLoc(), diag::warn_atomic_implicit_seq_cst)
4847 << Callee->getSourceRange();
4848
4849 if (WarnAboutSemanticsChange) {
4850 Diag(TheCall->getEndLoc(), diag::warn_sync_fetch_and_nand_semantics_change)
4851 << Callee->getSourceRange();
4852 }
4853
4854 // Get the decl for the concrete builtin from this, we can tell what the
4855 // concrete integer type we should convert to is.
4856 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex];
4857 std::string NewBuiltinName = Context.BuiltinInfo.getName(NewBuiltinID);
4858 FunctionDecl *NewBuiltinDecl;
4859 if (NewBuiltinID == BuiltinID)
4860 NewBuiltinDecl = FDecl;
4861 else {
4862 // Perform builtin lookup to avoid redeclaring it.
4863 DeclarationName DN(&Context.Idents.get(NewBuiltinName));
4864 LookupResult Res(*this, DN, DRE->getBeginLoc(), LookupOrdinaryName);
4865 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true);
4866 assert(Res.getFoundDecl());
4867 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl());
4868 if (!NewBuiltinDecl)
4869 return ExprError();
4870 }
4871
4872 // The first argument --- the pointer --- has a fixed type; we
4873 // deduce the types of the rest of the arguments accordingly. Walk
4874 // the remaining arguments, converting them to the deduced value type.
4875 for (unsigned i = 0; i != NumFixed; ++i) {
4876 ExprResult Arg = TheCall->getArg(i+1);
4877
4878 // GCC does an implicit conversion to the pointer or integer ValType. This
4879 // can fail in some cases (1i -> int**), check for this error case now.
4880 // Initialize the argument.
4881 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context,
4882 ValType, /*consume*/ false);
4883 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
4884 if (Arg.isInvalid())
4885 return ExprError();
4886
4887 // Okay, we have something that *can* be converted to the right type. Check
4888 // to see if there is a potentially weird extension going on here. This can
4889 // happen when you do an atomic operation on something like an char* and
4890 // pass in 42. The 42 gets converted to char. This is even more strange
4891 // for things like 45.123 -> char, etc.
4892 // FIXME: Do this check.
4893 TheCall->setArg(i+1, Arg.get());
4894 }
4895
4896 // Create a new DeclRefExpr to refer to the new decl.
4897 DeclRefExpr *NewDRE = DeclRefExpr::Create(
4898 Context, DRE->getQualifierLoc(), SourceLocation(), NewBuiltinDecl,
4899 /*enclosing*/ false, DRE->getLocation(), Context.BuiltinFnTy,
4900 DRE->getValueKind(), nullptr, nullptr, DRE->isNonOdrUse());
4901
4902 // Set the callee in the CallExpr.
4903 // FIXME: This loses syntactic information.
4904 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType());
4905 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy,
4906 CK_BuiltinFnToFnPtr);
4907 TheCall->setCallee(PromotedCall.get());
4908
4909 // Change the result type of the call to match the original value type. This
4910 // is arbitrary, but the codegen for these builtins ins design to handle it
4911 // gracefully.
4912 TheCall->setType(ResultType);
4913
4914 // Prohibit problematic uses of bit-precise integer types with atomic
4915 // builtins. The arguments would have already been converted to the first
4916 // argument's type, so only need to check the first argument.
4917 const auto *BitIntValType = ValType->getAs<BitIntType>();
4918 if (BitIntValType && !llvm::isPowerOf2_64(BitIntValType->getNumBits())) {
4919 Diag(FirstArg->getExprLoc(), diag::err_atomic_builtin_ext_int_size);
4920 return ExprError();
4921 }
4922
4923 return TheCallResult;
4924 }
4925
BuiltinNontemporalOverloaded(ExprResult TheCallResult)4926 ExprResult Sema::BuiltinNontemporalOverloaded(ExprResult TheCallResult) {
4927 CallExpr *TheCall = (CallExpr *)TheCallResult.get();
4928 DeclRefExpr *DRE =
4929 cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
4930 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
4931 unsigned BuiltinID = FDecl->getBuiltinID();
4932 assert((BuiltinID == Builtin::BI__builtin_nontemporal_store ||
4933 BuiltinID == Builtin::BI__builtin_nontemporal_load) &&
4934 "Unexpected nontemporal load/store builtin!");
4935 bool isStore = BuiltinID == Builtin::BI__builtin_nontemporal_store;
4936 unsigned numArgs = isStore ? 2 : 1;
4937
4938 // Ensure that we have the proper number of arguments.
4939 if (checkArgCount(TheCall, numArgs))
4940 return ExprError();
4941
4942 // Inspect the last argument of the nontemporal builtin. This should always
4943 // be a pointer type, from which we imply the type of the memory access.
4944 // Because it is a pointer type, we don't have to worry about any implicit
4945 // casts here.
4946 Expr *PointerArg = TheCall->getArg(numArgs - 1);
4947 ExprResult PointerArgResult =
4948 DefaultFunctionArrayLvalueConversion(PointerArg);
4949
4950 if (PointerArgResult.isInvalid())
4951 return ExprError();
4952 PointerArg = PointerArgResult.get();
4953 TheCall->setArg(numArgs - 1, PointerArg);
4954
4955 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>();
4956 if (!pointerType) {
4957 Diag(DRE->getBeginLoc(), diag::err_nontemporal_builtin_must_be_pointer)
4958 << PointerArg->getType() << PointerArg->getSourceRange();
4959 return ExprError();
4960 }
4961
4962 QualType ValType = pointerType->getPointeeType();
4963
4964 // Strip any qualifiers off ValType.
4965 ValType = ValType.getUnqualifiedType();
4966 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
4967 !ValType->isBlockPointerType() && !ValType->isFloatingType() &&
4968 !ValType->isVectorType()) {
4969 Diag(DRE->getBeginLoc(),
4970 diag::err_nontemporal_builtin_must_be_pointer_intfltptr_or_vector)
4971 << PointerArg->getType() << PointerArg->getSourceRange();
4972 return ExprError();
4973 }
4974
4975 if (!isStore) {
4976 TheCall->setType(ValType);
4977 return TheCallResult;
4978 }
4979
4980 ExprResult ValArg = TheCall->getArg(0);
4981 InitializedEntity Entity = InitializedEntity::InitializeParameter(
4982 Context, ValType, /*consume*/ false);
4983 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg);
4984 if (ValArg.isInvalid())
4985 return ExprError();
4986
4987 TheCall->setArg(0, ValArg.get());
4988 TheCall->setType(Context.VoidTy);
4989 return TheCallResult;
4990 }
4991
4992 /// CheckObjCString - Checks that the format string argument to the os_log()
4993 /// and os_trace() functions is correct, and converts it to const char *.
CheckOSLogFormatStringArg(Expr * Arg)4994 ExprResult Sema::CheckOSLogFormatStringArg(Expr *Arg) {
4995 Arg = Arg->IgnoreParenCasts();
4996 auto *Literal = dyn_cast<StringLiteral>(Arg);
4997 if (!Literal) {
4998 if (auto *ObjcLiteral = dyn_cast<ObjCStringLiteral>(Arg)) {
4999 Literal = ObjcLiteral->getString();
5000 }
5001 }
5002
5003 if (!Literal || (!Literal->isOrdinary() && !Literal->isUTF8())) {
5004 return ExprError(
5005 Diag(Arg->getBeginLoc(), diag::err_os_log_format_not_string_constant)
5006 << Arg->getSourceRange());
5007 }
5008
5009 ExprResult Result(Literal);
5010 QualType ResultTy = Context.getPointerType(Context.CharTy.withConst());
5011 InitializedEntity Entity =
5012 InitializedEntity::InitializeParameter(Context, ResultTy, false);
5013 Result = PerformCopyInitialization(Entity, SourceLocation(), Result);
5014 return Result;
5015 }
5016
5017 /// Check that the user is calling the appropriate va_start builtin for the
5018 /// target and calling convention.
checkVAStartABI(Sema & S,unsigned BuiltinID,Expr * Fn)5019 static bool checkVAStartABI(Sema &S, unsigned BuiltinID, Expr *Fn) {
5020 const llvm::Triple &TT = S.Context.getTargetInfo().getTriple();
5021 bool IsX64 = TT.getArch() == llvm::Triple::x86_64;
5022 bool IsAArch64 = (TT.getArch() == llvm::Triple::aarch64 ||
5023 TT.getArch() == llvm::Triple::aarch64_32);
5024 bool IsWindowsOrUEFI = TT.isOSWindows() || TT.isUEFI();
5025 bool IsMSVAStart = BuiltinID == Builtin::BI__builtin_ms_va_start;
5026 if (IsX64 || IsAArch64) {
5027 CallingConv CC = CC_C;
5028 if (const FunctionDecl *FD = S.getCurFunctionDecl())
5029 CC = FD->getType()->castAs<FunctionType>()->getCallConv();
5030 if (IsMSVAStart) {
5031 // Don't allow this in System V ABI functions.
5032 if (CC == CC_X86_64SysV || (!IsWindowsOrUEFI && CC != CC_Win64))
5033 return S.Diag(Fn->getBeginLoc(),
5034 diag::err_ms_va_start_used_in_sysv_function);
5035 } else {
5036 // On x86-64/AArch64 Unix, don't allow this in Win64 ABI functions.
5037 // On x64 Windows, don't allow this in System V ABI functions.
5038 // (Yes, that means there's no corresponding way to support variadic
5039 // System V ABI functions on Windows.)
5040 if ((IsWindowsOrUEFI && CC == CC_X86_64SysV) ||
5041 (!IsWindowsOrUEFI && CC == CC_Win64))
5042 return S.Diag(Fn->getBeginLoc(),
5043 diag::err_va_start_used_in_wrong_abi_function)
5044 << !IsWindowsOrUEFI;
5045 }
5046 return false;
5047 }
5048
5049 if (IsMSVAStart)
5050 return S.Diag(Fn->getBeginLoc(), diag::err_builtin_x64_aarch64_only);
5051 return false;
5052 }
5053
checkVAStartIsInVariadicFunction(Sema & S,Expr * Fn,ParmVarDecl ** LastParam=nullptr)5054 static bool checkVAStartIsInVariadicFunction(Sema &S, Expr *Fn,
5055 ParmVarDecl **LastParam = nullptr) {
5056 // Determine whether the current function, block, or obj-c method is variadic
5057 // and get its parameter list.
5058 bool IsVariadic = false;
5059 ArrayRef<ParmVarDecl *> Params;
5060 DeclContext *Caller = S.CurContext;
5061 if (auto *Block = dyn_cast<BlockDecl>(Caller)) {
5062 IsVariadic = Block->isVariadic();
5063 Params = Block->parameters();
5064 } else if (auto *FD = dyn_cast<FunctionDecl>(Caller)) {
5065 IsVariadic = FD->isVariadic();
5066 Params = FD->parameters();
5067 } else if (auto *MD = dyn_cast<ObjCMethodDecl>(Caller)) {
5068 IsVariadic = MD->isVariadic();
5069 // FIXME: This isn't correct for methods (results in bogus warning).
5070 Params = MD->parameters();
5071 } else if (isa<CapturedDecl>(Caller)) {
5072 // We don't support va_start in a CapturedDecl.
5073 S.Diag(Fn->getBeginLoc(), diag::err_va_start_captured_stmt);
5074 return true;
5075 } else {
5076 // This must be some other declcontext that parses exprs.
5077 S.Diag(Fn->getBeginLoc(), diag::err_va_start_outside_function);
5078 return true;
5079 }
5080
5081 if (!IsVariadic) {
5082 S.Diag(Fn->getBeginLoc(), diag::err_va_start_fixed_function);
5083 return true;
5084 }
5085
5086 if (LastParam)
5087 *LastParam = Params.empty() ? nullptr : Params.back();
5088
5089 return false;
5090 }
5091
BuiltinVAStart(unsigned BuiltinID,CallExpr * TheCall)5092 bool Sema::BuiltinVAStart(unsigned BuiltinID, CallExpr *TheCall) {
5093 Expr *Fn = TheCall->getCallee();
5094 if (checkVAStartABI(*this, BuiltinID, Fn))
5095 return true;
5096
5097 if (BuiltinID == Builtin::BI__builtin_c23_va_start) {
5098 // This builtin requires one argument (the va_list), allows two arguments,
5099 // but diagnoses more than two arguments. e.g.,
5100 // __builtin_c23_va_start(); // error
5101 // __builtin_c23_va_start(list); // ok
5102 // __builtin_c23_va_start(list, param); // ok
5103 // __builtin_c23_va_start(list, anything, anything); // error
5104 // This differs from the GCC behavior in that they accept the last case
5105 // with a warning, but it doesn't seem like a useful behavior to allow.
5106 if (checkArgCountRange(TheCall, 1, 2))
5107 return true;
5108 } else {
5109 // In C23 mode, va_start only needs one argument. However, the builtin still
5110 // requires two arguments (which matches the behavior of the GCC builtin),
5111 // <stdarg.h> passes `0` as the second argument in C23 mode.
5112 if (checkArgCount(TheCall, 2))
5113 return true;
5114 }
5115
5116 // Type-check the first argument normally.
5117 if (checkBuiltinArgument(*this, TheCall, 0))
5118 return true;
5119
5120 // Check that the current function is variadic, and get its last parameter.
5121 ParmVarDecl *LastParam;
5122 if (checkVAStartIsInVariadicFunction(*this, Fn, &LastParam))
5123 return true;
5124
5125 // Verify that the second argument to the builtin is the last non-variadic
5126 // argument of the current function or method. In C23 mode, if the call is
5127 // not to __builtin_c23_va_start, and the second argument is an integer
5128 // constant expression with value 0, then we don't bother with this check.
5129 // For __builtin_c23_va_start, we only perform the check for the second
5130 // argument being the last argument to the current function if there is a
5131 // second argument present.
5132 if (BuiltinID == Builtin::BI__builtin_c23_va_start &&
5133 TheCall->getNumArgs() < 2) {
5134 Diag(TheCall->getExprLoc(), diag::warn_c17_compat_va_start_one_arg);
5135 return false;
5136 }
5137
5138 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts();
5139 if (std::optional<llvm::APSInt> Val =
5140 TheCall->getArg(1)->getIntegerConstantExpr(Context);
5141 Val && LangOpts.C23 && *Val == 0 &&
5142 BuiltinID != Builtin::BI__builtin_c23_va_start) {
5143 Diag(TheCall->getExprLoc(), diag::warn_c17_compat_va_start_one_arg);
5144 return false;
5145 }
5146
5147 // These are valid if SecondArgIsLastNonVariadicArgument is false after the
5148 // next block.
5149 QualType Type;
5150 SourceLocation ParamLoc;
5151 bool IsCRegister = false;
5152 bool SecondArgIsLastNonVariadicArgument = false;
5153 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) {
5154 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) {
5155 SecondArgIsLastNonVariadicArgument = PV == LastParam;
5156
5157 Type = PV->getType();
5158 ParamLoc = PV->getLocation();
5159 IsCRegister =
5160 PV->getStorageClass() == SC_Register && !getLangOpts().CPlusPlus;
5161 }
5162 }
5163
5164 if (!SecondArgIsLastNonVariadicArgument)
5165 Diag(TheCall->getArg(1)->getBeginLoc(),
5166 diag::warn_second_arg_of_va_start_not_last_non_variadic_param);
5167 else if (IsCRegister || Type->isReferenceType() ||
5168 Type->isSpecificBuiltinType(BuiltinType::Float) || [=] {
5169 // Promotable integers are UB, but enumerations need a bit of
5170 // extra checking to see what their promotable type actually is.
5171 if (!Context.isPromotableIntegerType(Type))
5172 return false;
5173 if (!Type->isEnumeralType())
5174 return true;
5175 const EnumDecl *ED = Type->castAs<EnumType>()->getDecl();
5176 return !(ED &&
5177 Context.typesAreCompatible(ED->getPromotionType(), Type));
5178 }()) {
5179 unsigned Reason = 0;
5180 if (Type->isReferenceType()) Reason = 1;
5181 else if (IsCRegister) Reason = 2;
5182 Diag(Arg->getBeginLoc(), diag::warn_va_start_type_is_undefined) << Reason;
5183 Diag(ParamLoc, diag::note_parameter_type) << Type;
5184 }
5185
5186 return false;
5187 }
5188
BuiltinVAStartARMMicrosoft(CallExpr * Call)5189 bool Sema::BuiltinVAStartARMMicrosoft(CallExpr *Call) {
5190 auto IsSuitablyTypedFormatArgument = [this](const Expr *Arg) -> bool {
5191 const LangOptions &LO = getLangOpts();
5192
5193 if (LO.CPlusPlus)
5194 return Arg->getType()
5195 .getCanonicalType()
5196 .getTypePtr()
5197 ->getPointeeType()
5198 .withoutLocalFastQualifiers() == Context.CharTy;
5199
5200 // In C, allow aliasing through `char *`, this is required for AArch64 at
5201 // least.
5202 return true;
5203 };
5204
5205 // void __va_start(va_list *ap, const char *named_addr, size_t slot_size,
5206 // const char *named_addr);
5207
5208 Expr *Func = Call->getCallee();
5209
5210 if (Call->getNumArgs() < 3)
5211 return Diag(Call->getEndLoc(),
5212 diag::err_typecheck_call_too_few_args_at_least)
5213 << 0 /*function call*/ << 3 << Call->getNumArgs()
5214 << /*is non object*/ 0;
5215
5216 // Type-check the first argument normally.
5217 if (checkBuiltinArgument(*this, Call, 0))
5218 return true;
5219
5220 // Check that the current function is variadic.
5221 if (checkVAStartIsInVariadicFunction(*this, Func))
5222 return true;
5223
5224 // __va_start on Windows does not validate the parameter qualifiers
5225
5226 const Expr *Arg1 = Call->getArg(1)->IgnoreParens();
5227 const Type *Arg1Ty = Arg1->getType().getCanonicalType().getTypePtr();
5228
5229 const Expr *Arg2 = Call->getArg(2)->IgnoreParens();
5230 const Type *Arg2Ty = Arg2->getType().getCanonicalType().getTypePtr();
5231
5232 const QualType &ConstCharPtrTy =
5233 Context.getPointerType(Context.CharTy.withConst());
5234 if (!Arg1Ty->isPointerType() || !IsSuitablyTypedFormatArgument(Arg1))
5235 Diag(Arg1->getBeginLoc(), diag::err_typecheck_convert_incompatible)
5236 << Arg1->getType() << ConstCharPtrTy << 1 /* different class */
5237 << 0 /* qualifier difference */
5238 << 3 /* parameter mismatch */
5239 << 2 << Arg1->getType() << ConstCharPtrTy;
5240
5241 const QualType SizeTy = Context.getSizeType();
5242 if (Arg2Ty->getCanonicalTypeInternal().withoutLocalFastQualifiers() != SizeTy)
5243 Diag(Arg2->getBeginLoc(), diag::err_typecheck_convert_incompatible)
5244 << Arg2->getType() << SizeTy << 1 /* different class */
5245 << 0 /* qualifier difference */
5246 << 3 /* parameter mismatch */
5247 << 3 << Arg2->getType() << SizeTy;
5248
5249 return false;
5250 }
5251
BuiltinUnorderedCompare(CallExpr * TheCall,unsigned BuiltinID)5252 bool Sema::BuiltinUnorderedCompare(CallExpr *TheCall, unsigned BuiltinID) {
5253 if (checkArgCount(TheCall, 2))
5254 return true;
5255
5256 if (BuiltinID == Builtin::BI__builtin_isunordered &&
5257 TheCall->getFPFeaturesInEffect(getLangOpts()).getNoHonorNaNs())
5258 Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
5259 << 1 << 0 << TheCall->getSourceRange();
5260
5261 ExprResult OrigArg0 = TheCall->getArg(0);
5262 ExprResult OrigArg1 = TheCall->getArg(1);
5263
5264 // Do standard promotions between the two arguments, returning their common
5265 // type.
5266 QualType Res = UsualArithmeticConversions(
5267 OrigArg0, OrigArg1, TheCall->getExprLoc(), ArithConvKind::Comparison);
5268 if (OrigArg0.isInvalid() || OrigArg1.isInvalid())
5269 return true;
5270
5271 // Make sure any conversions are pushed back into the call; this is
5272 // type safe since unordered compare builtins are declared as "_Bool
5273 // foo(...)".
5274 TheCall->setArg(0, OrigArg0.get());
5275 TheCall->setArg(1, OrigArg1.get());
5276
5277 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent())
5278 return false;
5279
5280 // If the common type isn't a real floating type, then the arguments were
5281 // invalid for this operation.
5282 if (Res.isNull() || !Res->isRealFloatingType())
5283 return Diag(OrigArg0.get()->getBeginLoc(),
5284 diag::err_typecheck_call_invalid_ordered_compare)
5285 << OrigArg0.get()->getType() << OrigArg1.get()->getType()
5286 << SourceRange(OrigArg0.get()->getBeginLoc(),
5287 OrigArg1.get()->getEndLoc());
5288
5289 return false;
5290 }
5291
BuiltinFPClassification(CallExpr * TheCall,unsigned NumArgs,unsigned BuiltinID)5292 bool Sema::BuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs,
5293 unsigned BuiltinID) {
5294 if (checkArgCount(TheCall, NumArgs))
5295 return true;
5296
5297 FPOptions FPO = TheCall->getFPFeaturesInEffect(getLangOpts());
5298 if (FPO.getNoHonorInfs() && (BuiltinID == Builtin::BI__builtin_isfinite ||
5299 BuiltinID == Builtin::BI__builtin_isinf ||
5300 BuiltinID == Builtin::BI__builtin_isinf_sign))
5301 Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
5302 << 0 << 0 << TheCall->getSourceRange();
5303
5304 if (FPO.getNoHonorNaNs() && (BuiltinID == Builtin::BI__builtin_isnan ||
5305 BuiltinID == Builtin::BI__builtin_isunordered))
5306 Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
5307 << 1 << 0 << TheCall->getSourceRange();
5308
5309 bool IsFPClass = NumArgs == 2;
5310
5311 // Find out position of floating-point argument.
5312 unsigned FPArgNo = IsFPClass ? 0 : NumArgs - 1;
5313
5314 // We can count on all parameters preceding the floating-point just being int.
5315 // Try all of those.
5316 for (unsigned i = 0; i < FPArgNo; ++i) {
5317 Expr *Arg = TheCall->getArg(i);
5318
5319 if (Arg->isTypeDependent())
5320 return false;
5321
5322 ExprResult Res = PerformImplicitConversion(Arg, Context.IntTy,
5323 AssignmentAction::Passing);
5324
5325 if (Res.isInvalid())
5326 return true;
5327 TheCall->setArg(i, Res.get());
5328 }
5329
5330 Expr *OrigArg = TheCall->getArg(FPArgNo);
5331
5332 if (OrigArg->isTypeDependent())
5333 return false;
5334
5335 // Usual Unary Conversions will convert half to float, which we want for
5336 // machines that use fp16 conversion intrinsics. Else, we wnat to leave the
5337 // type how it is, but do normal L->Rvalue conversions.
5338 if (Context.getTargetInfo().useFP16ConversionIntrinsics()) {
5339 ExprResult Res = UsualUnaryConversions(OrigArg);
5340
5341 if (!Res.isUsable())
5342 return true;
5343 OrigArg = Res.get();
5344 } else {
5345 ExprResult Res = DefaultFunctionArrayLvalueConversion(OrigArg);
5346
5347 if (!Res.isUsable())
5348 return true;
5349 OrigArg = Res.get();
5350 }
5351 TheCall->setArg(FPArgNo, OrigArg);
5352
5353 QualType VectorResultTy;
5354 QualType ElementTy = OrigArg->getType();
5355 // TODO: When all classification function are implemented with is_fpclass,
5356 // vector argument can be supported in all of them.
5357 if (ElementTy->isVectorType() && IsFPClass) {
5358 VectorResultTy = GetSignedVectorType(ElementTy);
5359 ElementTy = ElementTy->castAs<VectorType>()->getElementType();
5360 }
5361
5362 // This operation requires a non-_Complex floating-point number.
5363 if (!ElementTy->isRealFloatingType())
5364 return Diag(OrigArg->getBeginLoc(),
5365 diag::err_typecheck_call_invalid_unary_fp)
5366 << OrigArg->getType() << OrigArg->getSourceRange();
5367
5368 // __builtin_isfpclass has integer parameter that specify test mask. It is
5369 // passed in (...), so it should be analyzed completely here.
5370 if (IsFPClass)
5371 if (BuiltinConstantArgRange(TheCall, 1, 0, llvm::fcAllFlags))
5372 return true;
5373
5374 // TODO: enable this code to all classification functions.
5375 if (IsFPClass) {
5376 QualType ResultTy;
5377 if (!VectorResultTy.isNull())
5378 ResultTy = VectorResultTy;
5379 else
5380 ResultTy = Context.IntTy;
5381 TheCall->setType(ResultTy);
5382 }
5383
5384 return false;
5385 }
5386
BuiltinComplex(CallExpr * TheCall)5387 bool Sema::BuiltinComplex(CallExpr *TheCall) {
5388 if (checkArgCount(TheCall, 2))
5389 return true;
5390
5391 bool Dependent = false;
5392 for (unsigned I = 0; I != 2; ++I) {
5393 Expr *Arg = TheCall->getArg(I);
5394 QualType T = Arg->getType();
5395 if (T->isDependentType()) {
5396 Dependent = true;
5397 continue;
5398 }
5399
5400 // Despite supporting _Complex int, GCC requires a real floating point type
5401 // for the operands of __builtin_complex.
5402 if (!T->isRealFloatingType()) {
5403 return Diag(Arg->getBeginLoc(), diag::err_typecheck_call_requires_real_fp)
5404 << Arg->getType() << Arg->getSourceRange();
5405 }
5406
5407 ExprResult Converted = DefaultLvalueConversion(Arg);
5408 if (Converted.isInvalid())
5409 return true;
5410 TheCall->setArg(I, Converted.get());
5411 }
5412
5413 if (Dependent) {
5414 TheCall->setType(Context.DependentTy);
5415 return false;
5416 }
5417
5418 Expr *Real = TheCall->getArg(0);
5419 Expr *Imag = TheCall->getArg(1);
5420 if (!Context.hasSameType(Real->getType(), Imag->getType())) {
5421 return Diag(Real->getBeginLoc(),
5422 diag::err_typecheck_call_different_arg_types)
5423 << Real->getType() << Imag->getType()
5424 << Real->getSourceRange() << Imag->getSourceRange();
5425 }
5426
5427 // We don't allow _Complex _Float16 nor _Complex __fp16 as type specifiers;
5428 // don't allow this builtin to form those types either.
5429 // FIXME: Should we allow these types?
5430 if (Real->getType()->isFloat16Type())
5431 return Diag(TheCall->getBeginLoc(), diag::err_invalid_complex_spec)
5432 << "_Float16";
5433 if (Real->getType()->isHalfType())
5434 return Diag(TheCall->getBeginLoc(), diag::err_invalid_complex_spec)
5435 << "half";
5436
5437 TheCall->setType(Context.getComplexType(Real->getType()));
5438 return false;
5439 }
5440
5441 /// BuiltinShuffleVector - Handle __builtin_shufflevector.
5442 // This is declared to take (...), so we have to check everything.
BuiltinShuffleVector(CallExpr * TheCall)5443 ExprResult Sema::BuiltinShuffleVector(CallExpr *TheCall) {
5444 if (TheCall->getNumArgs() < 2)
5445 return ExprError(Diag(TheCall->getEndLoc(),
5446 diag::err_typecheck_call_too_few_args_at_least)
5447 << 0 /*function call*/ << 2 << TheCall->getNumArgs()
5448 << /*is non object*/ 0 << TheCall->getSourceRange());
5449
5450 // Determine which of the following types of shufflevector we're checking:
5451 // 1) unary, vector mask: (lhs, mask)
5452 // 2) binary, scalar mask: (lhs, rhs, index, ..., index)
5453 QualType resType = TheCall->getArg(0)->getType();
5454 unsigned numElements = 0;
5455
5456 if (!TheCall->getArg(0)->isTypeDependent() &&
5457 !TheCall->getArg(1)->isTypeDependent()) {
5458 QualType LHSType = TheCall->getArg(0)->getType();
5459 QualType RHSType = TheCall->getArg(1)->getType();
5460
5461 if (!LHSType->isVectorType() || !RHSType->isVectorType())
5462 return ExprError(
5463 Diag(TheCall->getBeginLoc(), diag::err_vec_builtin_non_vector)
5464 << TheCall->getDirectCallee() << /*isMorethantwoArgs*/ false
5465 << SourceRange(TheCall->getArg(0)->getBeginLoc(),
5466 TheCall->getArg(1)->getEndLoc()));
5467
5468 numElements = LHSType->castAs<VectorType>()->getNumElements();
5469 unsigned numResElements = TheCall->getNumArgs() - 2;
5470
5471 // Check to see if we have a call with 2 vector arguments, the unary shuffle
5472 // with mask. If so, verify that RHS is an integer vector type with the
5473 // same number of elts as lhs.
5474 if (TheCall->getNumArgs() == 2) {
5475 if (!RHSType->hasIntegerRepresentation() ||
5476 RHSType->castAs<VectorType>()->getNumElements() != numElements)
5477 return ExprError(Diag(TheCall->getBeginLoc(),
5478 diag::err_vec_builtin_incompatible_vector)
5479 << TheCall->getDirectCallee()
5480 << /*isMorethantwoArgs*/ false
5481 << SourceRange(TheCall->getArg(1)->getBeginLoc(),
5482 TheCall->getArg(1)->getEndLoc()));
5483 } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) {
5484 return ExprError(Diag(TheCall->getBeginLoc(),
5485 diag::err_vec_builtin_incompatible_vector)
5486 << TheCall->getDirectCallee()
5487 << /*isMorethantwoArgs*/ false
5488 << SourceRange(TheCall->getArg(0)->getBeginLoc(),
5489 TheCall->getArg(1)->getEndLoc()));
5490 } else if (numElements != numResElements) {
5491 QualType eltType = LHSType->castAs<VectorType>()->getElementType();
5492 resType =
5493 Context.getVectorType(eltType, numResElements, VectorKind::Generic);
5494 }
5495 }
5496
5497 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) {
5498 Expr *Arg = TheCall->getArg(i);
5499 if (Arg->isTypeDependent() || Arg->isValueDependent())
5500 continue;
5501
5502 std::optional<llvm::APSInt> Result;
5503 if (!(Result = Arg->getIntegerConstantExpr(Context)))
5504 return ExprError(Diag(TheCall->getBeginLoc(),
5505 diag::err_shufflevector_nonconstant_argument)
5506 << Arg->getSourceRange());
5507
5508 // Allow -1 which will be translated to undef in the IR.
5509 if (Result->isSigned() && Result->isAllOnes())
5510 ;
5511 else if (Result->getActiveBits() > 64 ||
5512 Result->getZExtValue() >= numElements * 2)
5513 return ExprError(Diag(TheCall->getBeginLoc(),
5514 diag::err_shufflevector_argument_too_large)
5515 << Arg->getSourceRange());
5516
5517 TheCall->setArg(i, ConstantExpr::Create(Context, Arg, APValue(*Result)));
5518 }
5519
5520 SmallVector<Expr *> exprs;
5521 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) {
5522 exprs.push_back(TheCall->getArg(i));
5523 TheCall->setArg(i, nullptr);
5524 }
5525
5526 return new (Context) ShuffleVectorExpr(Context, exprs, resType,
5527 TheCall->getCallee()->getBeginLoc(),
5528 TheCall->getRParenLoc());
5529 }
5530
ConvertVectorExpr(Expr * E,TypeSourceInfo * TInfo,SourceLocation BuiltinLoc,SourceLocation RParenLoc)5531 ExprResult Sema::ConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo,
5532 SourceLocation BuiltinLoc,
5533 SourceLocation RParenLoc) {
5534 ExprValueKind VK = VK_PRValue;
5535 ExprObjectKind OK = OK_Ordinary;
5536 QualType DstTy = TInfo->getType();
5537 QualType SrcTy = E->getType();
5538
5539 if (!SrcTy->isVectorType() && !SrcTy->isDependentType())
5540 return ExprError(Diag(BuiltinLoc,
5541 diag::err_convertvector_non_vector)
5542 << E->getSourceRange());
5543 if (!DstTy->isVectorType() && !DstTy->isDependentType())
5544 return ExprError(Diag(BuiltinLoc, diag::err_builtin_non_vector_type)
5545 << "second"
5546 << "__builtin_convertvector");
5547
5548 if (!SrcTy->isDependentType() && !DstTy->isDependentType()) {
5549 unsigned SrcElts = SrcTy->castAs<VectorType>()->getNumElements();
5550 unsigned DstElts = DstTy->castAs<VectorType>()->getNumElements();
5551 if (SrcElts != DstElts)
5552 return ExprError(Diag(BuiltinLoc,
5553 diag::err_convertvector_incompatible_vector)
5554 << E->getSourceRange());
5555 }
5556
5557 return ConvertVectorExpr::Create(Context, E, TInfo, DstTy, VK, OK, BuiltinLoc,
5558 RParenLoc, CurFPFeatureOverrides());
5559 }
5560
BuiltinPrefetch(CallExpr * TheCall)5561 bool Sema::BuiltinPrefetch(CallExpr *TheCall) {
5562 unsigned NumArgs = TheCall->getNumArgs();
5563
5564 if (NumArgs > 3)
5565 return Diag(TheCall->getEndLoc(),
5566 diag::err_typecheck_call_too_many_args_at_most)
5567 << 0 /*function call*/ << 3 << NumArgs << /*is non object*/ 0
5568 << TheCall->getSourceRange();
5569
5570 // Argument 0 is checked for us and the remaining arguments must be
5571 // constant integers.
5572 for (unsigned i = 1; i != NumArgs; ++i)
5573 if (BuiltinConstantArgRange(TheCall, i, 0, i == 1 ? 1 : 3))
5574 return true;
5575
5576 return false;
5577 }
5578
BuiltinArithmeticFence(CallExpr * TheCall)5579 bool Sema::BuiltinArithmeticFence(CallExpr *TheCall) {
5580 if (!Context.getTargetInfo().checkArithmeticFenceSupported())
5581 return Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
5582 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5583 if (checkArgCount(TheCall, 1))
5584 return true;
5585 Expr *Arg = TheCall->getArg(0);
5586 if (Arg->isInstantiationDependent())
5587 return false;
5588
5589 QualType ArgTy = Arg->getType();
5590 if (!ArgTy->hasFloatingRepresentation())
5591 return Diag(TheCall->getEndLoc(), diag::err_typecheck_expect_flt_or_vector)
5592 << ArgTy;
5593 if (Arg->isLValue()) {
5594 ExprResult FirstArg = DefaultLvalueConversion(Arg);
5595 TheCall->setArg(0, FirstArg.get());
5596 }
5597 TheCall->setType(TheCall->getArg(0)->getType());
5598 return false;
5599 }
5600
BuiltinAssume(CallExpr * TheCall)5601 bool Sema::BuiltinAssume(CallExpr *TheCall) {
5602 Expr *Arg = TheCall->getArg(0);
5603 if (Arg->isInstantiationDependent()) return false;
5604
5605 if (Arg->HasSideEffects(Context))
5606 Diag(Arg->getBeginLoc(), diag::warn_assume_side_effects)
5607 << Arg->getSourceRange()
5608 << cast<FunctionDecl>(TheCall->getCalleeDecl())->getIdentifier();
5609
5610 return false;
5611 }
5612
BuiltinAllocaWithAlign(CallExpr * TheCall)5613 bool Sema::BuiltinAllocaWithAlign(CallExpr *TheCall) {
5614 // The alignment must be a constant integer.
5615 Expr *Arg = TheCall->getArg(1);
5616
5617 // We can't check the value of a dependent argument.
5618 if (!Arg->isTypeDependent() && !Arg->isValueDependent()) {
5619 if (const auto *UE =
5620 dyn_cast<UnaryExprOrTypeTraitExpr>(Arg->IgnoreParenImpCasts()))
5621 if (UE->getKind() == UETT_AlignOf ||
5622 UE->getKind() == UETT_PreferredAlignOf)
5623 Diag(TheCall->getBeginLoc(), diag::warn_alloca_align_alignof)
5624 << Arg->getSourceRange();
5625
5626 llvm::APSInt Result = Arg->EvaluateKnownConstInt(Context);
5627
5628 if (!Result.isPowerOf2())
5629 return Diag(TheCall->getBeginLoc(), diag::err_alignment_not_power_of_two)
5630 << Arg->getSourceRange();
5631
5632 if (Result < Context.getCharWidth())
5633 return Diag(TheCall->getBeginLoc(), diag::err_alignment_too_small)
5634 << (unsigned)Context.getCharWidth() << Arg->getSourceRange();
5635
5636 if (Result > std::numeric_limits<int32_t>::max())
5637 return Diag(TheCall->getBeginLoc(), diag::err_alignment_too_big)
5638 << std::numeric_limits<int32_t>::max() << Arg->getSourceRange();
5639 }
5640
5641 return false;
5642 }
5643
BuiltinAssumeAligned(CallExpr * TheCall)5644 bool Sema::BuiltinAssumeAligned(CallExpr *TheCall) {
5645 if (checkArgCountRange(TheCall, 2, 3))
5646 return true;
5647
5648 unsigned NumArgs = TheCall->getNumArgs();
5649 Expr *FirstArg = TheCall->getArg(0);
5650
5651 {
5652 ExprResult FirstArgResult =
5653 DefaultFunctionArrayLvalueConversion(FirstArg);
5654 if (!FirstArgResult.get()->getType()->isPointerType()) {
5655 Diag(TheCall->getBeginLoc(), diag::err_builtin_assume_aligned_invalid_arg)
5656 << TheCall->getSourceRange();
5657 return true;
5658 }
5659 TheCall->setArg(0, FirstArgResult.get());
5660 }
5661
5662 // The alignment must be a constant integer.
5663 Expr *SecondArg = TheCall->getArg(1);
5664
5665 // We can't check the value of a dependent argument.
5666 if (!SecondArg->isValueDependent()) {
5667 llvm::APSInt Result;
5668 if (BuiltinConstantArg(TheCall, 1, Result))
5669 return true;
5670
5671 if (!Result.isPowerOf2())
5672 return Diag(TheCall->getBeginLoc(), diag::err_alignment_not_power_of_two)
5673 << SecondArg->getSourceRange();
5674
5675 if (Result > Sema::MaximumAlignment)
5676 Diag(TheCall->getBeginLoc(), diag::warn_assume_aligned_too_great)
5677 << SecondArg->getSourceRange() << Sema::MaximumAlignment;
5678 }
5679
5680 if (NumArgs > 2) {
5681 Expr *ThirdArg = TheCall->getArg(2);
5682 if (convertArgumentToType(*this, ThirdArg, Context.getSizeType()))
5683 return true;
5684 TheCall->setArg(2, ThirdArg);
5685 }
5686
5687 return false;
5688 }
5689
BuiltinOSLogFormat(CallExpr * TheCall)5690 bool Sema::BuiltinOSLogFormat(CallExpr *TheCall) {
5691 unsigned BuiltinID =
5692 cast<FunctionDecl>(TheCall->getCalleeDecl())->getBuiltinID();
5693 bool IsSizeCall = BuiltinID == Builtin::BI__builtin_os_log_format_buffer_size;
5694
5695 unsigned NumArgs = TheCall->getNumArgs();
5696 unsigned NumRequiredArgs = IsSizeCall ? 1 : 2;
5697 if (NumArgs < NumRequiredArgs) {
5698 return Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args)
5699 << 0 /* function call */ << NumRequiredArgs << NumArgs
5700 << /*is non object*/ 0 << TheCall->getSourceRange();
5701 }
5702 if (NumArgs >= NumRequiredArgs + 0x100) {
5703 return Diag(TheCall->getEndLoc(),
5704 diag::err_typecheck_call_too_many_args_at_most)
5705 << 0 /* function call */ << (NumRequiredArgs + 0xff) << NumArgs
5706 << /*is non object*/ 0 << TheCall->getSourceRange();
5707 }
5708 unsigned i = 0;
5709
5710 // For formatting call, check buffer arg.
5711 if (!IsSizeCall) {
5712 ExprResult Arg(TheCall->getArg(i));
5713 InitializedEntity Entity = InitializedEntity::InitializeParameter(
5714 Context, Context.VoidPtrTy, false);
5715 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
5716 if (Arg.isInvalid())
5717 return true;
5718 TheCall->setArg(i, Arg.get());
5719 i++;
5720 }
5721
5722 // Check string literal arg.
5723 unsigned FormatIdx = i;
5724 {
5725 ExprResult Arg = CheckOSLogFormatStringArg(TheCall->getArg(i));
5726 if (Arg.isInvalid())
5727 return true;
5728 TheCall->setArg(i, Arg.get());
5729 i++;
5730 }
5731
5732 // Make sure variadic args are scalar.
5733 unsigned FirstDataArg = i;
5734 while (i < NumArgs) {
5735 ExprResult Arg = DefaultVariadicArgumentPromotion(
5736 TheCall->getArg(i), VariadicCallType::Function, nullptr);
5737 if (Arg.isInvalid())
5738 return true;
5739 CharUnits ArgSize = Context.getTypeSizeInChars(Arg.get()->getType());
5740 if (ArgSize.getQuantity() >= 0x100) {
5741 return Diag(Arg.get()->getEndLoc(), diag::err_os_log_argument_too_big)
5742 << i << (int)ArgSize.getQuantity() << 0xff
5743 << TheCall->getSourceRange();
5744 }
5745 TheCall->setArg(i, Arg.get());
5746 i++;
5747 }
5748
5749 // Check formatting specifiers. NOTE: We're only doing this for the non-size
5750 // call to avoid duplicate diagnostics.
5751 if (!IsSizeCall) {
5752 llvm::SmallBitVector CheckedVarArgs(NumArgs, false);
5753 ArrayRef<const Expr *> Args(TheCall->getArgs(), TheCall->getNumArgs());
5754 bool Success = CheckFormatArguments(
5755 Args, FAPK_Variadic, nullptr, FormatIdx, FirstDataArg,
5756 FormatStringType::OSLog, VariadicCallType::Function,
5757 TheCall->getBeginLoc(), SourceRange(), CheckedVarArgs);
5758 if (!Success)
5759 return true;
5760 }
5761
5762 if (IsSizeCall) {
5763 TheCall->setType(Context.getSizeType());
5764 } else {
5765 TheCall->setType(Context.VoidPtrTy);
5766 }
5767 return false;
5768 }
5769
BuiltinConstantArg(CallExpr * TheCall,int ArgNum,llvm::APSInt & Result)5770 bool Sema::BuiltinConstantArg(CallExpr *TheCall, int ArgNum,
5771 llvm::APSInt &Result) {
5772 Expr *Arg = TheCall->getArg(ArgNum);
5773 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
5774 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
5775
5776 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false;
5777
5778 std::optional<llvm::APSInt> R;
5779 if (!(R = Arg->getIntegerConstantExpr(Context)))
5780 return Diag(TheCall->getBeginLoc(), diag::err_constant_integer_arg_type)
5781 << FDecl->getDeclName() << Arg->getSourceRange();
5782 Result = *R;
5783 return false;
5784 }
5785
BuiltinConstantArgRange(CallExpr * TheCall,int ArgNum,int Low,int High,bool RangeIsError)5786 bool Sema::BuiltinConstantArgRange(CallExpr *TheCall, int ArgNum, int Low,
5787 int High, bool RangeIsError) {
5788 if (isConstantEvaluatedContext())
5789 return false;
5790 llvm::APSInt Result;
5791
5792 // We can't check the value of a dependent argument.
5793 Expr *Arg = TheCall->getArg(ArgNum);
5794 if (Arg->isTypeDependent() || Arg->isValueDependent())
5795 return false;
5796
5797 // Check constant-ness first.
5798 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5799 return true;
5800
5801 if (Result.getSExtValue() < Low || Result.getSExtValue() > High) {
5802 if (RangeIsError)
5803 return Diag(TheCall->getBeginLoc(), diag::err_argument_invalid_range)
5804 << toString(Result, 10) << Low << High << Arg->getSourceRange();
5805 else
5806 // Defer the warning until we know if the code will be emitted so that
5807 // dead code can ignore this.
5808 DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
5809 PDiag(diag::warn_argument_invalid_range)
5810 << toString(Result, 10) << Low << High
5811 << Arg->getSourceRange());
5812 }
5813
5814 return false;
5815 }
5816
BuiltinConstantArgMultiple(CallExpr * TheCall,int ArgNum,unsigned Num)5817 bool Sema::BuiltinConstantArgMultiple(CallExpr *TheCall, int ArgNum,
5818 unsigned Num) {
5819 llvm::APSInt Result;
5820
5821 // We can't check the value of a dependent argument.
5822 Expr *Arg = TheCall->getArg(ArgNum);
5823 if (Arg->isTypeDependent() || Arg->isValueDependent())
5824 return false;
5825
5826 // Check constant-ness first.
5827 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5828 return true;
5829
5830 if (Result.getSExtValue() % Num != 0)
5831 return Diag(TheCall->getBeginLoc(), diag::err_argument_not_multiple)
5832 << Num << Arg->getSourceRange();
5833
5834 return false;
5835 }
5836
BuiltinConstantArgPower2(CallExpr * TheCall,int ArgNum)5837 bool Sema::BuiltinConstantArgPower2(CallExpr *TheCall, int ArgNum) {
5838 llvm::APSInt Result;
5839
5840 // We can't check the value of a dependent argument.
5841 Expr *Arg = TheCall->getArg(ArgNum);
5842 if (Arg->isTypeDependent() || Arg->isValueDependent())
5843 return false;
5844
5845 // Check constant-ness first.
5846 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5847 return true;
5848
5849 // Bit-twiddling to test for a power of 2: for x > 0, x & (x-1) is zero if
5850 // and only if x is a power of 2.
5851 if (Result.isStrictlyPositive() && (Result & (Result - 1)) == 0)
5852 return false;
5853
5854 return Diag(TheCall->getBeginLoc(), diag::err_argument_not_power_of_2)
5855 << Arg->getSourceRange();
5856 }
5857
IsShiftedByte(llvm::APSInt Value)5858 static bool IsShiftedByte(llvm::APSInt Value) {
5859 if (Value.isNegative())
5860 return false;
5861
5862 // Check if it's a shifted byte, by shifting it down
5863 while (true) {
5864 // If the value fits in the bottom byte, the check passes.
5865 if (Value < 0x100)
5866 return true;
5867
5868 // Otherwise, if the value has _any_ bits in the bottom byte, the check
5869 // fails.
5870 if ((Value & 0xFF) != 0)
5871 return false;
5872
5873 // If the bottom 8 bits are all 0, but something above that is nonzero,
5874 // then shifting the value right by 8 bits won't affect whether it's a
5875 // shifted byte or not. So do that, and go round again.
5876 Value >>= 8;
5877 }
5878 }
5879
BuiltinConstantArgShiftedByte(CallExpr * TheCall,int ArgNum,unsigned ArgBits)5880 bool Sema::BuiltinConstantArgShiftedByte(CallExpr *TheCall, int ArgNum,
5881 unsigned ArgBits) {
5882 llvm::APSInt Result;
5883
5884 // We can't check the value of a dependent argument.
5885 Expr *Arg = TheCall->getArg(ArgNum);
5886 if (Arg->isTypeDependent() || Arg->isValueDependent())
5887 return false;
5888
5889 // Check constant-ness first.
5890 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5891 return true;
5892
5893 // Truncate to the given size.
5894 Result = Result.getLoBits(ArgBits);
5895 Result.setIsUnsigned(true);
5896
5897 if (IsShiftedByte(Result))
5898 return false;
5899
5900 return Diag(TheCall->getBeginLoc(), diag::err_argument_not_shifted_byte)
5901 << Arg->getSourceRange();
5902 }
5903
BuiltinConstantArgShiftedByteOrXXFF(CallExpr * TheCall,int ArgNum,unsigned ArgBits)5904 bool Sema::BuiltinConstantArgShiftedByteOrXXFF(CallExpr *TheCall, int ArgNum,
5905 unsigned ArgBits) {
5906 llvm::APSInt Result;
5907
5908 // We can't check the value of a dependent argument.
5909 Expr *Arg = TheCall->getArg(ArgNum);
5910 if (Arg->isTypeDependent() || Arg->isValueDependent())
5911 return false;
5912
5913 // Check constant-ness first.
5914 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5915 return true;
5916
5917 // Truncate to the given size.
5918 Result = Result.getLoBits(ArgBits);
5919 Result.setIsUnsigned(true);
5920
5921 // Check to see if it's in either of the required forms.
5922 if (IsShiftedByte(Result) ||
5923 (Result > 0 && Result < 0x10000 && (Result & 0xFF) == 0xFF))
5924 return false;
5925
5926 return Diag(TheCall->getBeginLoc(),
5927 diag::err_argument_not_shifted_byte_or_xxff)
5928 << Arg->getSourceRange();
5929 }
5930
BuiltinLongjmp(CallExpr * TheCall)5931 bool Sema::BuiltinLongjmp(CallExpr *TheCall) {
5932 if (!Context.getTargetInfo().hasSjLjLowering())
5933 return Diag(TheCall->getBeginLoc(), diag::err_builtin_longjmp_unsupported)
5934 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5935
5936 Expr *Arg = TheCall->getArg(1);
5937 llvm::APSInt Result;
5938
5939 // TODO: This is less than ideal. Overload this to take a value.
5940 if (BuiltinConstantArg(TheCall, 1, Result))
5941 return true;
5942
5943 if (Result != 1)
5944 return Diag(TheCall->getBeginLoc(), diag::err_builtin_longjmp_invalid_val)
5945 << SourceRange(Arg->getBeginLoc(), Arg->getEndLoc());
5946
5947 return false;
5948 }
5949
BuiltinSetjmp(CallExpr * TheCall)5950 bool Sema::BuiltinSetjmp(CallExpr *TheCall) {
5951 if (!Context.getTargetInfo().hasSjLjLowering())
5952 return Diag(TheCall->getBeginLoc(), diag::err_builtin_setjmp_unsupported)
5953 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5954 return false;
5955 }
5956
BuiltinCountedByRef(CallExpr * TheCall)5957 bool Sema::BuiltinCountedByRef(CallExpr *TheCall) {
5958 if (checkArgCount(TheCall, 1))
5959 return true;
5960
5961 ExprResult ArgRes = UsualUnaryConversions(TheCall->getArg(0));
5962 if (ArgRes.isInvalid())
5963 return true;
5964
5965 // For simplicity, we support only limited expressions for the argument.
5966 // Specifically a pointer to a flexible array member:'ptr->array'. This
5967 // allows us to reject arguments with complex casting, which really shouldn't
5968 // be a huge problem.
5969 const Expr *Arg = ArgRes.get()->IgnoreParenImpCasts();
5970 if (!isa<PointerType>(Arg->getType()) && !Arg->getType()->isArrayType())
5971 return Diag(Arg->getBeginLoc(),
5972 diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5973 << Arg->getSourceRange();
5974
5975 if (Arg->HasSideEffects(Context))
5976 return Diag(Arg->getBeginLoc(),
5977 diag::err_builtin_counted_by_ref_has_side_effects)
5978 << Arg->getSourceRange();
5979
5980 if (const auto *ME = dyn_cast<MemberExpr>(Arg)) {
5981 if (!ME->isFlexibleArrayMemberLike(
5982 Context, getLangOpts().getStrictFlexArraysLevel()))
5983 return Diag(Arg->getBeginLoc(),
5984 diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5985 << Arg->getSourceRange();
5986
5987 if (auto *CATy =
5988 ME->getMemberDecl()->getType()->getAs<CountAttributedType>();
5989 CATy && CATy->getKind() == CountAttributedType::CountedBy) {
5990 const auto *FAMDecl = cast<FieldDecl>(ME->getMemberDecl());
5991 if (const FieldDecl *CountFD = FAMDecl->findCountedByField()) {
5992 TheCall->setType(Context.getPointerType(CountFD->getType()));
5993 return false;
5994 }
5995 }
5996 } else {
5997 return Diag(Arg->getBeginLoc(),
5998 diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5999 << Arg->getSourceRange();
6000 }
6001
6002 TheCall->setType(Context.getPointerType(Context.VoidTy));
6003 return false;
6004 }
6005
6006 /// The result of __builtin_counted_by_ref cannot be assigned to a variable.
6007 /// It allows leaking and modification of bounds safety information.
CheckInvalidBuiltinCountedByRef(const Expr * E,BuiltinCountedByRefKind K)6008 bool Sema::CheckInvalidBuiltinCountedByRef(const Expr *E,
6009 BuiltinCountedByRefKind K) {
6010 const CallExpr *CE =
6011 E ? dyn_cast<CallExpr>(E->IgnoreParenImpCasts()) : nullptr;
6012 if (!CE || CE->getBuiltinCallee() != Builtin::BI__builtin_counted_by_ref)
6013 return false;
6014
6015 switch (K) {
6016 case BuiltinCountedByRefKind::Assignment:
6017 case BuiltinCountedByRefKind::Initializer:
6018 Diag(E->getExprLoc(),
6019 diag::err_builtin_counted_by_ref_cannot_leak_reference)
6020 << 0 << E->getSourceRange();
6021 break;
6022 case BuiltinCountedByRefKind::FunctionArg:
6023 Diag(E->getExprLoc(),
6024 diag::err_builtin_counted_by_ref_cannot_leak_reference)
6025 << 1 << E->getSourceRange();
6026 break;
6027 case BuiltinCountedByRefKind::ReturnArg:
6028 Diag(E->getExprLoc(),
6029 diag::err_builtin_counted_by_ref_cannot_leak_reference)
6030 << 2 << E->getSourceRange();
6031 break;
6032 case BuiltinCountedByRefKind::ArraySubscript:
6033 Diag(E->getExprLoc(), diag::err_builtin_counted_by_ref_invalid_use)
6034 << 0 << E->getSourceRange();
6035 break;
6036 case BuiltinCountedByRefKind::BinaryExpr:
6037 Diag(E->getExprLoc(), diag::err_builtin_counted_by_ref_invalid_use)
6038 << 1 << E->getSourceRange();
6039 break;
6040 }
6041
6042 return true;
6043 }
6044
6045 namespace {
6046
6047 class UncoveredArgHandler {
6048 enum { Unknown = -1, AllCovered = -2 };
6049
6050 signed FirstUncoveredArg = Unknown;
6051 SmallVector<const Expr *, 4> DiagnosticExprs;
6052
6053 public:
6054 UncoveredArgHandler() = default;
6055
hasUncoveredArg() const6056 bool hasUncoveredArg() const {
6057 return (FirstUncoveredArg >= 0);
6058 }
6059
getUncoveredArg() const6060 unsigned getUncoveredArg() const {
6061 assert(hasUncoveredArg() && "no uncovered argument");
6062 return FirstUncoveredArg;
6063 }
6064
setAllCovered()6065 void setAllCovered() {
6066 // A string has been found with all arguments covered, so clear out
6067 // the diagnostics.
6068 DiagnosticExprs.clear();
6069 FirstUncoveredArg = AllCovered;
6070 }
6071
Update(signed NewFirstUncoveredArg,const Expr * StrExpr)6072 void Update(signed NewFirstUncoveredArg, const Expr *StrExpr) {
6073 assert(NewFirstUncoveredArg >= 0 && "Outside range");
6074
6075 // Don't update if a previous string covers all arguments.
6076 if (FirstUncoveredArg == AllCovered)
6077 return;
6078
6079 // UncoveredArgHandler tracks the highest uncovered argument index
6080 // and with it all the strings that match this index.
6081 if (NewFirstUncoveredArg == FirstUncoveredArg)
6082 DiagnosticExprs.push_back(StrExpr);
6083 else if (NewFirstUncoveredArg > FirstUncoveredArg) {
6084 DiagnosticExprs.clear();
6085 DiagnosticExprs.push_back(StrExpr);
6086 FirstUncoveredArg = NewFirstUncoveredArg;
6087 }
6088 }
6089
6090 void Diagnose(Sema &S, bool IsFunctionCall, const Expr *ArgExpr);
6091 };
6092
6093 enum StringLiteralCheckType {
6094 SLCT_NotALiteral,
6095 SLCT_UncheckedLiteral,
6096 SLCT_CheckedLiteral
6097 };
6098
6099 } // namespace
6100
sumOffsets(llvm::APSInt & Offset,llvm::APSInt Addend,BinaryOperatorKind BinOpKind,bool AddendIsRight)6101 static void sumOffsets(llvm::APSInt &Offset, llvm::APSInt Addend,
6102 BinaryOperatorKind BinOpKind,
6103 bool AddendIsRight) {
6104 unsigned BitWidth = Offset.getBitWidth();
6105 unsigned AddendBitWidth = Addend.getBitWidth();
6106 // There might be negative interim results.
6107 if (Addend.isUnsigned()) {
6108 Addend = Addend.zext(++AddendBitWidth);
6109 Addend.setIsSigned(true);
6110 }
6111 // Adjust the bit width of the APSInts.
6112 if (AddendBitWidth > BitWidth) {
6113 Offset = Offset.sext(AddendBitWidth);
6114 BitWidth = AddendBitWidth;
6115 } else if (BitWidth > AddendBitWidth) {
6116 Addend = Addend.sext(BitWidth);
6117 }
6118
6119 bool Ov = false;
6120 llvm::APSInt ResOffset = Offset;
6121 if (BinOpKind == BO_Add)
6122 ResOffset = Offset.sadd_ov(Addend, Ov);
6123 else {
6124 assert(AddendIsRight && BinOpKind == BO_Sub &&
6125 "operator must be add or sub with addend on the right");
6126 ResOffset = Offset.ssub_ov(Addend, Ov);
6127 }
6128
6129 // We add an offset to a pointer here so we should support an offset as big as
6130 // possible.
6131 if (Ov) {
6132 assert(BitWidth <= std::numeric_limits<unsigned>::max() / 2 &&
6133 "index (intermediate) result too big");
6134 Offset = Offset.sext(2 * BitWidth);
6135 sumOffsets(Offset, Addend, BinOpKind, AddendIsRight);
6136 return;
6137 }
6138
6139 Offset = ResOffset;
6140 }
6141
6142 namespace {
6143
6144 // This is a wrapper class around StringLiteral to support offsetted string
6145 // literals as format strings. It takes the offset into account when returning
6146 // the string and its length or the source locations to display notes correctly.
6147 class FormatStringLiteral {
6148 const StringLiteral *FExpr;
6149 int64_t Offset;
6150
6151 public:
FormatStringLiteral(const StringLiteral * fexpr,int64_t Offset=0)6152 FormatStringLiteral(const StringLiteral *fexpr, int64_t Offset = 0)
6153 : FExpr(fexpr), Offset(Offset) {}
6154
getFormatString() const6155 const StringLiteral *getFormatString() const { return FExpr; }
6156
getString() const6157 StringRef getString() const { return FExpr->getString().drop_front(Offset); }
6158
getByteLength() const6159 unsigned getByteLength() const {
6160 return FExpr->getByteLength() - getCharByteWidth() * Offset;
6161 }
6162
getLength() const6163 unsigned getLength() const { return FExpr->getLength() - Offset; }
getCharByteWidth() const6164 unsigned getCharByteWidth() const { return FExpr->getCharByteWidth(); }
6165
getKind() const6166 StringLiteralKind getKind() const { return FExpr->getKind(); }
6167
getType() const6168 QualType getType() const { return FExpr->getType(); }
6169
isAscii() const6170 bool isAscii() const { return FExpr->isOrdinary(); }
isWide() const6171 bool isWide() const { return FExpr->isWide(); }
isUTF8() const6172 bool isUTF8() const { return FExpr->isUTF8(); }
isUTF16() const6173 bool isUTF16() const { return FExpr->isUTF16(); }
isUTF32() const6174 bool isUTF32() const { return FExpr->isUTF32(); }
isPascal() const6175 bool isPascal() const { return FExpr->isPascal(); }
6176
getLocationOfByte(unsigned ByteNo,const SourceManager & SM,const LangOptions & Features,const TargetInfo & Target,unsigned * StartToken=nullptr,unsigned * StartTokenByteOffset=nullptr) const6177 SourceLocation getLocationOfByte(
6178 unsigned ByteNo, const SourceManager &SM, const LangOptions &Features,
6179 const TargetInfo &Target, unsigned *StartToken = nullptr,
6180 unsigned *StartTokenByteOffset = nullptr) const {
6181 return FExpr->getLocationOfByte(ByteNo + Offset, SM, Features, Target,
6182 StartToken, StartTokenByteOffset);
6183 }
6184
getBeginLoc() const6185 SourceLocation getBeginLoc() const LLVM_READONLY {
6186 return FExpr->getBeginLoc().getLocWithOffset(Offset);
6187 }
6188
getEndLoc() const6189 SourceLocation getEndLoc() const LLVM_READONLY { return FExpr->getEndLoc(); }
6190 };
6191
6192 } // namespace
6193
6194 static void CheckFormatString(
6195 Sema &S, const FormatStringLiteral *FExpr,
6196 const StringLiteral *ReferenceFormatString, const Expr *OrigFormatExpr,
6197 ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
6198 unsigned format_idx, unsigned firstDataArg, FormatStringType Type,
6199 bool inFunctionCall, VariadicCallType CallType,
6200 llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
6201 bool IgnoreStringsWithoutSpecifiers);
6202
6203 static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
6204 const Expr *E);
6205
6206 // Determine if an expression is a string literal or constant string.
6207 // If this function returns false on the arguments to a function expecting a
6208 // format string, we will usually need to emit a warning.
6209 // True string literals are then checked by CheckFormatString.
checkFormatStringExpr(Sema & S,const StringLiteral * ReferenceFormatString,const Expr * E,ArrayRef<const Expr * > Args,Sema::FormatArgumentPassingKind APK,unsigned format_idx,unsigned firstDataArg,FormatStringType Type,VariadicCallType CallType,bool InFunctionCall,llvm::SmallBitVector & CheckedVarArgs,UncoveredArgHandler & UncoveredArg,llvm::APSInt Offset,bool IgnoreStringsWithoutSpecifiers=false)6210 static StringLiteralCheckType checkFormatStringExpr(
6211 Sema &S, const StringLiteral *ReferenceFormatString, const Expr *E,
6212 ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
6213 unsigned format_idx, unsigned firstDataArg, FormatStringType Type,
6214 VariadicCallType CallType, bool InFunctionCall,
6215 llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
6216 llvm::APSInt Offset, bool IgnoreStringsWithoutSpecifiers = false) {
6217 if (S.isConstantEvaluatedContext())
6218 return SLCT_NotALiteral;
6219 tryAgain:
6220 assert(Offset.isSigned() && "invalid offset");
6221
6222 if (E->isTypeDependent() || E->isValueDependent())
6223 return SLCT_NotALiteral;
6224
6225 E = E->IgnoreParenCasts();
6226
6227 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull))
6228 // Technically -Wformat-nonliteral does not warn about this case.
6229 // The behavior of printf and friends in this case is implementation
6230 // dependent. Ideally if the format string cannot be null then
6231 // it should have a 'nonnull' attribute in the function prototype.
6232 return SLCT_UncheckedLiteral;
6233
6234 switch (E->getStmtClass()) {
6235 case Stmt::InitListExprClass:
6236 // Handle expressions like {"foobar"}.
6237 if (const clang::Expr *SLE = maybeConstEvalStringLiteral(S.Context, E)) {
6238 return checkFormatStringExpr(
6239 S, ReferenceFormatString, SLE, Args, APK, format_idx, firstDataArg,
6240 Type, CallType, /*InFunctionCall*/ false, CheckedVarArgs,
6241 UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6242 }
6243 return SLCT_NotALiteral;
6244 case Stmt::BinaryConditionalOperatorClass:
6245 case Stmt::ConditionalOperatorClass: {
6246 // The expression is a literal if both sub-expressions were, and it was
6247 // completely checked only if both sub-expressions were checked.
6248 const AbstractConditionalOperator *C =
6249 cast<AbstractConditionalOperator>(E);
6250
6251 // Determine whether it is necessary to check both sub-expressions, for
6252 // example, because the condition expression is a constant that can be
6253 // evaluated at compile time.
6254 bool CheckLeft = true, CheckRight = true;
6255
6256 bool Cond;
6257 if (C->getCond()->EvaluateAsBooleanCondition(
6258 Cond, S.getASTContext(), S.isConstantEvaluatedContext())) {
6259 if (Cond)
6260 CheckRight = false;
6261 else
6262 CheckLeft = false;
6263 }
6264
6265 // We need to maintain the offsets for the right and the left hand side
6266 // separately to check if every possible indexed expression is a valid
6267 // string literal. They might have different offsets for different string
6268 // literals in the end.
6269 StringLiteralCheckType Left;
6270 if (!CheckLeft)
6271 Left = SLCT_UncheckedLiteral;
6272 else {
6273 Left = checkFormatStringExpr(
6274 S, ReferenceFormatString, C->getTrueExpr(), Args, APK, format_idx,
6275 firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
6276 UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6277 if (Left == SLCT_NotALiteral || !CheckRight) {
6278 return Left;
6279 }
6280 }
6281
6282 StringLiteralCheckType Right = checkFormatStringExpr(
6283 S, ReferenceFormatString, C->getFalseExpr(), Args, APK, format_idx,
6284 firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
6285 UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6286
6287 return (CheckLeft && Left < Right) ? Left : Right;
6288 }
6289
6290 case Stmt::ImplicitCastExprClass:
6291 E = cast<ImplicitCastExpr>(E)->getSubExpr();
6292 goto tryAgain;
6293
6294 case Stmt::OpaqueValueExprClass:
6295 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) {
6296 E = src;
6297 goto tryAgain;
6298 }
6299 return SLCT_NotALiteral;
6300
6301 case Stmt::PredefinedExprClass:
6302 // While __func__, etc., are technically not string literals, they
6303 // cannot contain format specifiers and thus are not a security
6304 // liability.
6305 return SLCT_UncheckedLiteral;
6306
6307 case Stmt::DeclRefExprClass: {
6308 const DeclRefExpr *DR = cast<DeclRefExpr>(E);
6309
6310 // As an exception, do not flag errors for variables binding to
6311 // const string literals.
6312 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
6313 bool isConstant = false;
6314 QualType T = DR->getType();
6315
6316 if (const ArrayType *AT = S.Context.getAsArrayType(T)) {
6317 isConstant = AT->getElementType().isConstant(S.Context);
6318 } else if (const PointerType *PT = T->getAs<PointerType>()) {
6319 isConstant = T.isConstant(S.Context) &&
6320 PT->getPointeeType().isConstant(S.Context);
6321 } else if (T->isObjCObjectPointerType()) {
6322 // In ObjC, there is usually no "const ObjectPointer" type,
6323 // so don't check if the pointee type is constant.
6324 isConstant = T.isConstant(S.Context);
6325 }
6326
6327 if (isConstant) {
6328 if (const Expr *Init = VD->getAnyInitializer()) {
6329 // Look through initializers like const char c[] = { "foo" }
6330 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) {
6331 if (InitList->isStringLiteralInit())
6332 Init = InitList->getInit(0)->IgnoreParenImpCasts();
6333 }
6334 return checkFormatStringExpr(
6335 S, ReferenceFormatString, Init, Args, APK, format_idx,
6336 firstDataArg, Type, CallType,
6337 /*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg, Offset);
6338 }
6339 }
6340
6341 // When the format argument is an argument of this function, and this
6342 // function also has the format attribute, there are several interactions
6343 // for which there shouldn't be a warning. For instance, when calling
6344 // v*printf from a function that has the printf format attribute, we
6345 // should not emit a warning about using `fmt`, even though it's not
6346 // constant, because the arguments have already been checked for the
6347 // caller of `logmessage`:
6348 //
6349 // __attribute__((format(printf, 1, 2)))
6350 // void logmessage(char const *fmt, ...) {
6351 // va_list ap;
6352 // va_start(ap, fmt);
6353 // vprintf(fmt, ap); /* do not emit a warning about "fmt" */
6354 // ...
6355 // }
6356 //
6357 // Another interaction that we need to support is using a format string
6358 // specified by the format_matches attribute:
6359 //
6360 // __attribute__((format_matches(printf, 1, "%s %d")))
6361 // void logmessage(char const *fmt, const char *a, int b) {
6362 // printf(fmt, a, b); /* do not emit a warning about "fmt" */
6363 // printf(fmt, 123.4); /* emit warnings that "%s %d" is incompatible */
6364 // ...
6365 // }
6366 //
6367 // Yet another interaction that we need to support is calling a variadic
6368 // format function from a format function that has fixed arguments. For
6369 // instance:
6370 //
6371 // __attribute__((format(printf, 1, 2)))
6372 // void logstring(char const *fmt, char const *str) {
6373 // printf(fmt, str); /* do not emit a warning about "fmt" */
6374 // }
6375 //
6376 // Same (and perhaps more relatably) for the variadic template case:
6377 //
6378 // template<typename... Args>
6379 // __attribute__((format(printf, 1, 2)))
6380 // void log(const char *fmt, Args&&... args) {
6381 // printf(fmt, forward<Args>(args)...);
6382 // /* do not emit a warning about "fmt" */
6383 // }
6384 //
6385 // Due to implementation difficulty, we only check the format, not the
6386 // format arguments, in all cases.
6387 //
6388 if (const auto *PV = dyn_cast<ParmVarDecl>(VD)) {
6389 if (const auto *D = dyn_cast<Decl>(PV->getDeclContext())) {
6390 for (const auto *PVFormatMatches :
6391 D->specific_attrs<FormatMatchesAttr>()) {
6392 Sema::FormatStringInfo CalleeFSI;
6393 if (!Sema::getFormatStringInfo(D, PVFormatMatches->getFormatIdx(),
6394 0, &CalleeFSI))
6395 continue;
6396 if (PV->getFunctionScopeIndex() == CalleeFSI.FormatIdx) {
6397 // If using the wrong type of format string, emit a diagnostic
6398 // here and stop checking to avoid irrelevant diagnostics.
6399 if (Type != S.GetFormatStringType(PVFormatMatches)) {
6400 S.Diag(Args[format_idx]->getBeginLoc(),
6401 diag::warn_format_string_type_incompatible)
6402 << PVFormatMatches->getType()->getName()
6403 << S.GetFormatStringTypeName(Type);
6404 if (!InFunctionCall) {
6405 S.Diag(PVFormatMatches->getFormatString()->getBeginLoc(),
6406 diag::note_format_string_defined);
6407 }
6408 return SLCT_UncheckedLiteral;
6409 }
6410 return checkFormatStringExpr(
6411 S, ReferenceFormatString, PVFormatMatches->getFormatString(),
6412 Args, APK, format_idx, firstDataArg, Type, CallType,
6413 /*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg,
6414 Offset, IgnoreStringsWithoutSpecifiers);
6415 }
6416 }
6417
6418 for (const auto *PVFormat : D->specific_attrs<FormatAttr>()) {
6419 Sema::FormatStringInfo CallerFSI;
6420 if (!Sema::getFormatStringInfo(D, PVFormat->getFormatIdx(),
6421 PVFormat->getFirstArg(), &CallerFSI))
6422 continue;
6423 if (PV->getFunctionScopeIndex() == CallerFSI.FormatIdx) {
6424 // We also check if the formats are compatible.
6425 // We can't pass a 'scanf' string to a 'printf' function.
6426 if (Type != S.GetFormatStringType(PVFormat)) {
6427 S.Diag(Args[format_idx]->getBeginLoc(),
6428 diag::warn_format_string_type_incompatible)
6429 << PVFormat->getType()->getName()
6430 << S.GetFormatStringTypeName(Type);
6431 if (!InFunctionCall) {
6432 S.Diag(E->getBeginLoc(), diag::note_format_string_defined);
6433 }
6434 return SLCT_UncheckedLiteral;
6435 }
6436 // Lastly, check that argument passing kinds transition in a
6437 // way that makes sense:
6438 // from a caller with FAPK_VAList, allow FAPK_VAList
6439 // from a caller with FAPK_Fixed, allow FAPK_Fixed
6440 // from a caller with FAPK_Fixed, allow FAPK_Variadic
6441 // from a caller with FAPK_Variadic, allow FAPK_VAList
6442 switch (combineFAPK(CallerFSI.ArgPassingKind, APK)) {
6443 case combineFAPK(Sema::FAPK_VAList, Sema::FAPK_VAList):
6444 case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Fixed):
6445 case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Variadic):
6446 case combineFAPK(Sema::FAPK_Variadic, Sema::FAPK_VAList):
6447 return SLCT_UncheckedLiteral;
6448 }
6449 }
6450 }
6451 }
6452 }
6453 }
6454
6455 return SLCT_NotALiteral;
6456 }
6457
6458 case Stmt::CallExprClass:
6459 case Stmt::CXXMemberCallExprClass: {
6460 const CallExpr *CE = cast<CallExpr>(E);
6461 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) {
6462 bool IsFirst = true;
6463 StringLiteralCheckType CommonResult;
6464 for (const auto *FA : ND->specific_attrs<FormatArgAttr>()) {
6465 const Expr *Arg = CE->getArg(FA->getFormatIdx().getASTIndex());
6466 StringLiteralCheckType Result = checkFormatStringExpr(
6467 S, ReferenceFormatString, Arg, Args, APK, format_idx, firstDataArg,
6468 Type, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg,
6469 Offset, IgnoreStringsWithoutSpecifiers);
6470 if (IsFirst) {
6471 CommonResult = Result;
6472 IsFirst = false;
6473 }
6474 }
6475 if (!IsFirst)
6476 return CommonResult;
6477
6478 if (const auto *FD = dyn_cast<FunctionDecl>(ND)) {
6479 unsigned BuiltinID = FD->getBuiltinID();
6480 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString ||
6481 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) {
6482 const Expr *Arg = CE->getArg(0);
6483 return checkFormatStringExpr(
6484 S, ReferenceFormatString, Arg, Args, APK, format_idx,
6485 firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
6486 UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6487 }
6488 }
6489 }
6490 if (const Expr *SLE = maybeConstEvalStringLiteral(S.Context, E))
6491 return checkFormatStringExpr(
6492 S, ReferenceFormatString, SLE, Args, APK, format_idx, firstDataArg,
6493 Type, CallType, /*InFunctionCall*/ false, CheckedVarArgs,
6494 UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6495 return SLCT_NotALiteral;
6496 }
6497 case Stmt::ObjCMessageExprClass: {
6498 const auto *ME = cast<ObjCMessageExpr>(E);
6499 if (const auto *MD = ME->getMethodDecl()) {
6500 if (const auto *FA = MD->getAttr<FormatArgAttr>()) {
6501 // As a special case heuristic, if we're using the method -[NSBundle
6502 // localizedStringForKey:value:table:], ignore any key strings that lack
6503 // format specifiers. The idea is that if the key doesn't have any
6504 // format specifiers then its probably just a key to map to the
6505 // localized strings. If it does have format specifiers though, then its
6506 // likely that the text of the key is the format string in the
6507 // programmer's language, and should be checked.
6508 const ObjCInterfaceDecl *IFace;
6509 if (MD->isInstanceMethod() && (IFace = MD->getClassInterface()) &&
6510 IFace->getIdentifier()->isStr("NSBundle") &&
6511 MD->getSelector().isKeywordSelector(
6512 {"localizedStringForKey", "value", "table"})) {
6513 IgnoreStringsWithoutSpecifiers = true;
6514 }
6515
6516 const Expr *Arg = ME->getArg(FA->getFormatIdx().getASTIndex());
6517 return checkFormatStringExpr(
6518 S, ReferenceFormatString, Arg, Args, APK, format_idx, firstDataArg,
6519 Type, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg,
6520 Offset, IgnoreStringsWithoutSpecifiers);
6521 }
6522 }
6523
6524 return SLCT_NotALiteral;
6525 }
6526 case Stmt::ObjCStringLiteralClass:
6527 case Stmt::StringLiteralClass: {
6528 const StringLiteral *StrE = nullptr;
6529
6530 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
6531 StrE = ObjCFExpr->getString();
6532 else
6533 StrE = cast<StringLiteral>(E);
6534
6535 if (StrE) {
6536 if (Offset.isNegative() || Offset > StrE->getLength()) {
6537 // TODO: It would be better to have an explicit warning for out of
6538 // bounds literals.
6539 return SLCT_NotALiteral;
6540 }
6541 FormatStringLiteral FStr(StrE, Offset.sextOrTrunc(64).getSExtValue());
6542 CheckFormatString(S, &FStr, ReferenceFormatString, E, Args, APK,
6543 format_idx, firstDataArg, Type, InFunctionCall,
6544 CallType, CheckedVarArgs, UncoveredArg,
6545 IgnoreStringsWithoutSpecifiers);
6546 return SLCT_CheckedLiteral;
6547 }
6548
6549 return SLCT_NotALiteral;
6550 }
6551 case Stmt::BinaryOperatorClass: {
6552 const BinaryOperator *BinOp = cast<BinaryOperator>(E);
6553
6554 // A string literal + an int offset is still a string literal.
6555 if (BinOp->isAdditiveOp()) {
6556 Expr::EvalResult LResult, RResult;
6557
6558 bool LIsInt = BinOp->getLHS()->EvaluateAsInt(
6559 LResult, S.Context, Expr::SE_NoSideEffects,
6560 S.isConstantEvaluatedContext());
6561 bool RIsInt = BinOp->getRHS()->EvaluateAsInt(
6562 RResult, S.Context, Expr::SE_NoSideEffects,
6563 S.isConstantEvaluatedContext());
6564
6565 if (LIsInt != RIsInt) {
6566 BinaryOperatorKind BinOpKind = BinOp->getOpcode();
6567
6568 if (LIsInt) {
6569 if (BinOpKind == BO_Add) {
6570 sumOffsets(Offset, LResult.Val.getInt(), BinOpKind, RIsInt);
6571 E = BinOp->getRHS();
6572 goto tryAgain;
6573 }
6574 } else {
6575 sumOffsets(Offset, RResult.Val.getInt(), BinOpKind, RIsInt);
6576 E = BinOp->getLHS();
6577 goto tryAgain;
6578 }
6579 }
6580 }
6581
6582 return SLCT_NotALiteral;
6583 }
6584 case Stmt::UnaryOperatorClass: {
6585 const UnaryOperator *UnaOp = cast<UnaryOperator>(E);
6586 auto ASE = dyn_cast<ArraySubscriptExpr>(UnaOp->getSubExpr());
6587 if (UnaOp->getOpcode() == UO_AddrOf && ASE) {
6588 Expr::EvalResult IndexResult;
6589 if (ASE->getRHS()->EvaluateAsInt(IndexResult, S.Context,
6590 Expr::SE_NoSideEffects,
6591 S.isConstantEvaluatedContext())) {
6592 sumOffsets(Offset, IndexResult.Val.getInt(), BO_Add,
6593 /*RHS is int*/ true);
6594 E = ASE->getBase();
6595 goto tryAgain;
6596 }
6597 }
6598
6599 return SLCT_NotALiteral;
6600 }
6601
6602 default:
6603 return SLCT_NotALiteral;
6604 }
6605 }
6606
6607 // If this expression can be evaluated at compile-time,
6608 // check if the result is a StringLiteral and return it
6609 // otherwise return nullptr
maybeConstEvalStringLiteral(ASTContext & Context,const Expr * E)6610 static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
6611 const Expr *E) {
6612 Expr::EvalResult Result;
6613 if (E->EvaluateAsRValue(Result, Context) && Result.Val.isLValue()) {
6614 const auto *LVE = Result.Val.getLValueBase().dyn_cast<const Expr *>();
6615 if (isa_and_nonnull<StringLiteral>(LVE))
6616 return LVE;
6617 }
6618 return nullptr;
6619 }
6620
GetFormatStringTypeName(FormatStringType FST)6621 StringRef Sema::GetFormatStringTypeName(FormatStringType FST) {
6622 switch (FST) {
6623 case FormatStringType::Scanf:
6624 return "scanf";
6625 case FormatStringType::Printf:
6626 return "printf";
6627 case FormatStringType::NSString:
6628 return "NSString";
6629 case FormatStringType::Strftime:
6630 return "strftime";
6631 case FormatStringType::Strfmon:
6632 return "strfmon";
6633 case FormatStringType::Kprintf:
6634 return "kprintf";
6635 case FormatStringType::FreeBSDKPrintf:
6636 return "freebsd_kprintf";
6637 case FormatStringType::OSLog:
6638 return "os_log";
6639 default:
6640 return "<unknown>";
6641 }
6642 }
6643
GetFormatStringType(StringRef Flavor)6644 FormatStringType Sema::GetFormatStringType(StringRef Flavor) {
6645 return llvm::StringSwitch<FormatStringType>(Flavor)
6646 .Case("scanf", FormatStringType::Scanf)
6647 .Cases("printf", "printf0", "syslog", FormatStringType::Printf)
6648 .Cases("NSString", "CFString", FormatStringType::NSString)
6649 .Case("strftime", FormatStringType::Strftime)
6650 .Case("strfmon", FormatStringType::Strfmon)
6651 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err",
6652 FormatStringType::Kprintf)
6653 .Case("freebsd_kprintf", FormatStringType::FreeBSDKPrintf)
6654 .Case("os_trace", FormatStringType::OSLog)
6655 .Case("os_log", FormatStringType::OSLog)
6656 .Default(FormatStringType::Unknown);
6657 }
6658
GetFormatStringType(const FormatAttr * Format)6659 FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) {
6660 return GetFormatStringType(Format->getType()->getName());
6661 }
6662
GetFormatStringType(const FormatMatchesAttr * Format)6663 FormatStringType Sema::GetFormatStringType(const FormatMatchesAttr *Format) {
6664 return GetFormatStringType(Format->getType()->getName());
6665 }
6666
CheckFormatArguments(const FormatAttr * Format,ArrayRef<const Expr * > Args,bool IsCXXMember,VariadicCallType CallType,SourceLocation Loc,SourceRange Range,llvm::SmallBitVector & CheckedVarArgs)6667 bool Sema::CheckFormatArguments(const FormatAttr *Format,
6668 ArrayRef<const Expr *> Args, bool IsCXXMember,
6669 VariadicCallType CallType, SourceLocation Loc,
6670 SourceRange Range,
6671 llvm::SmallBitVector &CheckedVarArgs) {
6672 FormatStringInfo FSI;
6673 if (getFormatStringInfo(Format->getFormatIdx(), Format->getFirstArg(),
6674 IsCXXMember,
6675 CallType != VariadicCallType::DoesNotApply, &FSI))
6676 return CheckFormatArguments(
6677 Args, FSI.ArgPassingKind, nullptr, FSI.FormatIdx, FSI.FirstDataArg,
6678 GetFormatStringType(Format), CallType, Loc, Range, CheckedVarArgs);
6679 return false;
6680 }
6681
CheckFormatString(const FormatMatchesAttr * Format,ArrayRef<const Expr * > Args,bool IsCXXMember,VariadicCallType CallType,SourceLocation Loc,SourceRange Range,llvm::SmallBitVector & CheckedVarArgs)6682 bool Sema::CheckFormatString(const FormatMatchesAttr *Format,
6683 ArrayRef<const Expr *> Args, bool IsCXXMember,
6684 VariadicCallType CallType, SourceLocation Loc,
6685 SourceRange Range,
6686 llvm::SmallBitVector &CheckedVarArgs) {
6687 FormatStringInfo FSI;
6688 if (getFormatStringInfo(Format->getFormatIdx(), 0, IsCXXMember, false,
6689 &FSI)) {
6690 FSI.ArgPassingKind = Sema::FAPK_Elsewhere;
6691 return CheckFormatArguments(Args, FSI.ArgPassingKind,
6692 Format->getFormatString(), FSI.FormatIdx,
6693 FSI.FirstDataArg, GetFormatStringType(Format),
6694 CallType, Loc, Range, CheckedVarArgs);
6695 }
6696 return false;
6697 }
6698
CheckFormatArguments(ArrayRef<const Expr * > Args,Sema::FormatArgumentPassingKind APK,const StringLiteral * ReferenceFormatString,unsigned format_idx,unsigned firstDataArg,FormatStringType Type,VariadicCallType CallType,SourceLocation Loc,SourceRange Range,llvm::SmallBitVector & CheckedVarArgs)6699 bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
6700 Sema::FormatArgumentPassingKind APK,
6701 const StringLiteral *ReferenceFormatString,
6702 unsigned format_idx, unsigned firstDataArg,
6703 FormatStringType Type,
6704 VariadicCallType CallType, SourceLocation Loc,
6705 SourceRange Range,
6706 llvm::SmallBitVector &CheckedVarArgs) {
6707 // CHECK: printf/scanf-like function is called with no format string.
6708 if (format_idx >= Args.size()) {
6709 Diag(Loc, diag::warn_missing_format_string) << Range;
6710 return false;
6711 }
6712
6713 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts();
6714
6715 // CHECK: format string is not a string literal.
6716 //
6717 // Dynamically generated format strings are difficult to
6718 // automatically vet at compile time. Requiring that format strings
6719 // are string literals: (1) permits the checking of format strings by
6720 // the compiler and thereby (2) can practically remove the source of
6721 // many format string exploits.
6722
6723 // Format string can be either ObjC string (e.g. @"%d") or
6724 // C string (e.g. "%d")
6725 // ObjC string uses the same format specifiers as C string, so we can use
6726 // the same format string checking logic for both ObjC and C strings.
6727 UncoveredArgHandler UncoveredArg;
6728 StringLiteralCheckType CT = checkFormatStringExpr(
6729 *this, ReferenceFormatString, OrigFormatExpr, Args, APK, format_idx,
6730 firstDataArg, Type, CallType,
6731 /*IsFunctionCall*/ true, CheckedVarArgs, UncoveredArg,
6732 /*no string offset*/ llvm::APSInt(64, false) = 0);
6733
6734 // Generate a diagnostic where an uncovered argument is detected.
6735 if (UncoveredArg.hasUncoveredArg()) {
6736 unsigned ArgIdx = UncoveredArg.getUncoveredArg() + firstDataArg;
6737 assert(ArgIdx < Args.size() && "ArgIdx outside bounds");
6738 UncoveredArg.Diagnose(*this, /*IsFunctionCall*/true, Args[ArgIdx]);
6739 }
6740
6741 if (CT != SLCT_NotALiteral)
6742 // Literal format string found, check done!
6743 return CT == SLCT_CheckedLiteral;
6744
6745 // Strftime is particular as it always uses a single 'time' argument,
6746 // so it is safe to pass a non-literal string.
6747 if (Type == FormatStringType::Strftime)
6748 return false;
6749
6750 // Do not emit diag when the string param is a macro expansion and the
6751 // format is either NSString or CFString. This is a hack to prevent
6752 // diag when using the NSLocalizedString and CFCopyLocalizedString macros
6753 // which are usually used in place of NS and CF string literals.
6754 SourceLocation FormatLoc = Args[format_idx]->getBeginLoc();
6755 if (Type == FormatStringType::NSString &&
6756 SourceMgr.isInSystemMacro(FormatLoc))
6757 return false;
6758
6759 // If there are no arguments specified, warn with -Wformat-security, otherwise
6760 // warn only with -Wformat-nonliteral.
6761 if (Args.size() == firstDataArg) {
6762 Diag(FormatLoc, diag::warn_format_nonliteral_noargs)
6763 << OrigFormatExpr->getSourceRange();
6764 switch (Type) {
6765 default:
6766 break;
6767 case FormatStringType::Kprintf:
6768 case FormatStringType::FreeBSDKPrintf:
6769 case FormatStringType::Printf:
6770 case FormatStringType::Syslog:
6771 Diag(FormatLoc, diag::note_format_security_fixit)
6772 << FixItHint::CreateInsertion(FormatLoc, "\"%s\", ");
6773 break;
6774 case FormatStringType::NSString:
6775 Diag(FormatLoc, diag::note_format_security_fixit)
6776 << FixItHint::CreateInsertion(FormatLoc, "@\"%@\", ");
6777 break;
6778 }
6779 } else {
6780 Diag(FormatLoc, diag::warn_format_nonliteral)
6781 << OrigFormatExpr->getSourceRange();
6782 }
6783 return false;
6784 }
6785
6786 namespace {
6787
6788 class CheckFormatHandler : public analyze_format_string::FormatStringHandler {
6789 protected:
6790 Sema &S;
6791 const FormatStringLiteral *FExpr;
6792 const Expr *OrigFormatExpr;
6793 const FormatStringType FSType;
6794 const unsigned FirstDataArg;
6795 const unsigned NumDataArgs;
6796 const char *Beg; // Start of format string.
6797 const Sema::FormatArgumentPassingKind ArgPassingKind;
6798 ArrayRef<const Expr *> Args;
6799 unsigned FormatIdx;
6800 llvm::SmallBitVector CoveredArgs;
6801 bool usesPositionalArgs = false;
6802 bool atFirstArg = true;
6803 bool inFunctionCall;
6804 VariadicCallType CallType;
6805 llvm::SmallBitVector &CheckedVarArgs;
6806 UncoveredArgHandler &UncoveredArg;
6807
6808 public:
CheckFormatHandler(Sema & s,const FormatStringLiteral * fexpr,const Expr * origFormatExpr,const FormatStringType type,unsigned firstDataArg,unsigned numDataArgs,const char * beg,Sema::FormatArgumentPassingKind APK,ArrayRef<const Expr * > Args,unsigned formatIdx,bool inFunctionCall,VariadicCallType callType,llvm::SmallBitVector & CheckedVarArgs,UncoveredArgHandler & UncoveredArg)6809 CheckFormatHandler(Sema &s, const FormatStringLiteral *fexpr,
6810 const Expr *origFormatExpr, const FormatStringType type,
6811 unsigned firstDataArg, unsigned numDataArgs,
6812 const char *beg, Sema::FormatArgumentPassingKind APK,
6813 ArrayRef<const Expr *> Args, unsigned formatIdx,
6814 bool inFunctionCall, VariadicCallType callType,
6815 llvm::SmallBitVector &CheckedVarArgs,
6816 UncoveredArgHandler &UncoveredArg)
6817 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), FSType(type),
6818 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), Beg(beg),
6819 ArgPassingKind(APK), Args(Args), FormatIdx(formatIdx),
6820 inFunctionCall(inFunctionCall), CallType(callType),
6821 CheckedVarArgs(CheckedVarArgs), UncoveredArg(UncoveredArg) {
6822 CoveredArgs.resize(numDataArgs);
6823 CoveredArgs.reset();
6824 }
6825
HasFormatArguments() const6826 bool HasFormatArguments() const {
6827 return ArgPassingKind == Sema::FAPK_Fixed ||
6828 ArgPassingKind == Sema::FAPK_Variadic;
6829 }
6830
6831 void DoneProcessing();
6832
6833 void HandleIncompleteSpecifier(const char *startSpecifier,
6834 unsigned specifierLen) override;
6835
6836 void HandleInvalidLengthModifier(
6837 const analyze_format_string::FormatSpecifier &FS,
6838 const analyze_format_string::ConversionSpecifier &CS,
6839 const char *startSpecifier, unsigned specifierLen,
6840 unsigned DiagID);
6841
6842 void HandleNonStandardLengthModifier(
6843 const analyze_format_string::FormatSpecifier &FS,
6844 const char *startSpecifier, unsigned specifierLen);
6845
6846 void HandleNonStandardConversionSpecifier(
6847 const analyze_format_string::ConversionSpecifier &CS,
6848 const char *startSpecifier, unsigned specifierLen);
6849
6850 void HandlePosition(const char *startPos, unsigned posLen) override;
6851
6852 void HandleInvalidPosition(const char *startSpecifier,
6853 unsigned specifierLen,
6854 analyze_format_string::PositionContext p) override;
6855
6856 void HandleZeroPosition(const char *startPos, unsigned posLen) override;
6857
6858 void HandleNullChar(const char *nullCharacter) override;
6859
6860 template <typename Range>
6861 static void
6862 EmitFormatDiagnostic(Sema &S, bool inFunctionCall, const Expr *ArgumentExpr,
6863 const PartialDiagnostic &PDiag, SourceLocation StringLoc,
6864 bool IsStringLocation, Range StringRange,
6865 ArrayRef<FixItHint> Fixit = {});
6866
6867 protected:
6868 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc,
6869 const char *startSpec,
6870 unsigned specifierLen,
6871 const char *csStart, unsigned csLen);
6872
6873 void HandlePositionalNonpositionalArgs(SourceLocation Loc,
6874 const char *startSpec,
6875 unsigned specifierLen);
6876
6877 SourceRange getFormatStringRange();
6878 CharSourceRange getSpecifierRange(const char *startSpecifier,
6879 unsigned specifierLen);
6880 SourceLocation getLocationOfByte(const char *x);
6881
6882 const Expr *getDataArg(unsigned i) const;
6883
6884 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS,
6885 const analyze_format_string::ConversionSpecifier &CS,
6886 const char *startSpecifier, unsigned specifierLen,
6887 unsigned argIndex);
6888
6889 template <typename Range>
6890 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc,
6891 bool IsStringLocation, Range StringRange,
6892 ArrayRef<FixItHint> Fixit = {});
6893 };
6894
6895 } // namespace
6896
getFormatStringRange()6897 SourceRange CheckFormatHandler::getFormatStringRange() {
6898 return OrigFormatExpr->getSourceRange();
6899 }
6900
6901 CharSourceRange CheckFormatHandler::
getSpecifierRange(const char * startSpecifier,unsigned specifierLen)6902 getSpecifierRange(const char *startSpecifier, unsigned specifierLen) {
6903 SourceLocation Start = getLocationOfByte(startSpecifier);
6904 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1);
6905
6906 // Advance the end SourceLocation by one due to half-open ranges.
6907 End = End.getLocWithOffset(1);
6908
6909 return CharSourceRange::getCharRange(Start, End);
6910 }
6911
getLocationOfByte(const char * x)6912 SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) {
6913 return FExpr->getLocationOfByte(x - Beg, S.getSourceManager(),
6914 S.getLangOpts(), S.Context.getTargetInfo());
6915 }
6916
HandleIncompleteSpecifier(const char * startSpecifier,unsigned specifierLen)6917 void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier,
6918 unsigned specifierLen){
6919 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier),
6920 getLocationOfByte(startSpecifier),
6921 /*IsStringLocation*/true,
6922 getSpecifierRange(startSpecifier, specifierLen));
6923 }
6924
HandleInvalidLengthModifier(const analyze_format_string::FormatSpecifier & FS,const analyze_format_string::ConversionSpecifier & CS,const char * startSpecifier,unsigned specifierLen,unsigned DiagID)6925 void CheckFormatHandler::HandleInvalidLengthModifier(
6926 const analyze_format_string::FormatSpecifier &FS,
6927 const analyze_format_string::ConversionSpecifier &CS,
6928 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) {
6929 using namespace analyze_format_string;
6930
6931 const LengthModifier &LM = FS.getLengthModifier();
6932 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
6933
6934 // See if we know how to fix this length modifier.
6935 std::optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
6936 if (FixedLM) {
6937 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
6938 getLocationOfByte(LM.getStart()),
6939 /*IsStringLocation*/true,
6940 getSpecifierRange(startSpecifier, specifierLen));
6941
6942 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
6943 << FixedLM->toString()
6944 << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
6945
6946 } else {
6947 FixItHint Hint;
6948 if (DiagID == diag::warn_format_nonsensical_length)
6949 Hint = FixItHint::CreateRemoval(LMRange);
6950
6951 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
6952 getLocationOfByte(LM.getStart()),
6953 /*IsStringLocation*/true,
6954 getSpecifierRange(startSpecifier, specifierLen),
6955 Hint);
6956 }
6957 }
6958
HandleNonStandardLengthModifier(const analyze_format_string::FormatSpecifier & FS,const char * startSpecifier,unsigned specifierLen)6959 void CheckFormatHandler::HandleNonStandardLengthModifier(
6960 const analyze_format_string::FormatSpecifier &FS,
6961 const char *startSpecifier, unsigned specifierLen) {
6962 using namespace analyze_format_string;
6963
6964 const LengthModifier &LM = FS.getLengthModifier();
6965 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
6966
6967 // See if we know how to fix this length modifier.
6968 std::optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
6969 if (FixedLM) {
6970 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6971 << LM.toString() << 0,
6972 getLocationOfByte(LM.getStart()),
6973 /*IsStringLocation*/true,
6974 getSpecifierRange(startSpecifier, specifierLen));
6975
6976 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
6977 << FixedLM->toString()
6978 << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
6979
6980 } else {
6981 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6982 << LM.toString() << 0,
6983 getLocationOfByte(LM.getStart()),
6984 /*IsStringLocation*/true,
6985 getSpecifierRange(startSpecifier, specifierLen));
6986 }
6987 }
6988
HandleNonStandardConversionSpecifier(const analyze_format_string::ConversionSpecifier & CS,const char * startSpecifier,unsigned specifierLen)6989 void CheckFormatHandler::HandleNonStandardConversionSpecifier(
6990 const analyze_format_string::ConversionSpecifier &CS,
6991 const char *startSpecifier, unsigned specifierLen) {
6992 using namespace analyze_format_string;
6993
6994 // See if we know how to fix this conversion specifier.
6995 std::optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier();
6996 if (FixedCS) {
6997 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6998 << CS.toString() << /*conversion specifier*/1,
6999 getLocationOfByte(CS.getStart()),
7000 /*IsStringLocation*/true,
7001 getSpecifierRange(startSpecifier, specifierLen));
7002
7003 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength());
7004 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier)
7005 << FixedCS->toString()
7006 << FixItHint::CreateReplacement(CSRange, FixedCS->toString());
7007 } else {
7008 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
7009 << CS.toString() << /*conversion specifier*/1,
7010 getLocationOfByte(CS.getStart()),
7011 /*IsStringLocation*/true,
7012 getSpecifierRange(startSpecifier, specifierLen));
7013 }
7014 }
7015
HandlePosition(const char * startPos,unsigned posLen)7016 void CheckFormatHandler::HandlePosition(const char *startPos,
7017 unsigned posLen) {
7018 if (!S.getDiagnostics().isIgnored(
7019 diag::warn_format_non_standard_positional_arg, SourceLocation()))
7020 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg),
7021 getLocationOfByte(startPos),
7022 /*IsStringLocation*/ true,
7023 getSpecifierRange(startPos, posLen));
7024 }
7025
HandleInvalidPosition(const char * startSpecifier,unsigned specifierLen,analyze_format_string::PositionContext p)7026 void CheckFormatHandler::HandleInvalidPosition(
7027 const char *startSpecifier, unsigned specifierLen,
7028 analyze_format_string::PositionContext p) {
7029 if (!S.getDiagnostics().isIgnored(
7030 diag::warn_format_invalid_positional_specifier, SourceLocation()))
7031 EmitFormatDiagnostic(
7032 S.PDiag(diag::warn_format_invalid_positional_specifier) << (unsigned)p,
7033 getLocationOfByte(startSpecifier), /*IsStringLocation*/ true,
7034 getSpecifierRange(startSpecifier, specifierLen));
7035 }
7036
HandleZeroPosition(const char * startPos,unsigned posLen)7037 void CheckFormatHandler::HandleZeroPosition(const char *startPos,
7038 unsigned posLen) {
7039 if (!S.getDiagnostics().isIgnored(diag::warn_format_zero_positional_specifier,
7040 SourceLocation()))
7041 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier),
7042 getLocationOfByte(startPos),
7043 /*IsStringLocation*/ true,
7044 getSpecifierRange(startPos, posLen));
7045 }
7046
HandleNullChar(const char * nullCharacter)7047 void CheckFormatHandler::HandleNullChar(const char *nullCharacter) {
7048 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) {
7049 // The presence of a null character is likely an error.
7050 EmitFormatDiagnostic(
7051 S.PDiag(diag::warn_printf_format_string_contains_null_char),
7052 getLocationOfByte(nullCharacter), /*IsStringLocation*/true,
7053 getFormatStringRange());
7054 }
7055 }
7056
7057 // Note that this may return NULL if there was an error parsing or building
7058 // one of the argument expressions.
getDataArg(unsigned i) const7059 const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
7060 return Args[FirstDataArg + i];
7061 }
7062
DoneProcessing()7063 void CheckFormatHandler::DoneProcessing() {
7064 // Does the number of data arguments exceed the number of
7065 // format conversions in the format string?
7066 if (HasFormatArguments()) {
7067 // Find any arguments that weren't covered.
7068 CoveredArgs.flip();
7069 signed notCoveredArg = CoveredArgs.find_first();
7070 if (notCoveredArg >= 0) {
7071 assert((unsigned)notCoveredArg < NumDataArgs);
7072 UncoveredArg.Update(notCoveredArg, OrigFormatExpr);
7073 } else {
7074 UncoveredArg.setAllCovered();
7075 }
7076 }
7077 }
7078
Diagnose(Sema & S,bool IsFunctionCall,const Expr * ArgExpr)7079 void UncoveredArgHandler::Diagnose(Sema &S, bool IsFunctionCall,
7080 const Expr *ArgExpr) {
7081 assert(hasUncoveredArg() && !DiagnosticExprs.empty() &&
7082 "Invalid state");
7083
7084 if (!ArgExpr)
7085 return;
7086
7087 SourceLocation Loc = ArgExpr->getBeginLoc();
7088
7089 if (S.getSourceManager().isInSystemMacro(Loc))
7090 return;
7091
7092 PartialDiagnostic PDiag = S.PDiag(diag::warn_printf_data_arg_not_used);
7093 for (auto E : DiagnosticExprs)
7094 PDiag << E->getSourceRange();
7095
7096 CheckFormatHandler::EmitFormatDiagnostic(
7097 S, IsFunctionCall, DiagnosticExprs[0],
7098 PDiag, Loc, /*IsStringLocation*/false,
7099 DiagnosticExprs[0]->getSourceRange());
7100 }
7101
7102 bool
HandleInvalidConversionSpecifier(unsigned argIndex,SourceLocation Loc,const char * startSpec,unsigned specifierLen,const char * csStart,unsigned csLen)7103 CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex,
7104 SourceLocation Loc,
7105 const char *startSpec,
7106 unsigned specifierLen,
7107 const char *csStart,
7108 unsigned csLen) {
7109 bool keepGoing = true;
7110 if (argIndex < NumDataArgs) {
7111 // Consider the argument coverered, even though the specifier doesn't
7112 // make sense.
7113 CoveredArgs.set(argIndex);
7114 }
7115 else {
7116 // If argIndex exceeds the number of data arguments we
7117 // don't issue a warning because that is just a cascade of warnings (and
7118 // they may have intended '%%' anyway). We don't want to continue processing
7119 // the format string after this point, however, as we will like just get
7120 // gibberish when trying to match arguments.
7121 keepGoing = false;
7122 }
7123
7124 StringRef Specifier(csStart, csLen);
7125
7126 // If the specifier in non-printable, it could be the first byte of a UTF-8
7127 // sequence. In that case, print the UTF-8 code point. If not, print the byte
7128 // hex value.
7129 std::string CodePointStr;
7130 if (!llvm::sys::locale::isPrint(*csStart)) {
7131 llvm::UTF32 CodePoint;
7132 const llvm::UTF8 **B = reinterpret_cast<const llvm::UTF8 **>(&csStart);
7133 const llvm::UTF8 *E =
7134 reinterpret_cast<const llvm::UTF8 *>(csStart + csLen);
7135 llvm::ConversionResult Result =
7136 llvm::convertUTF8Sequence(B, E, &CodePoint, llvm::strictConversion);
7137
7138 if (Result != llvm::conversionOK) {
7139 unsigned char FirstChar = *csStart;
7140 CodePoint = (llvm::UTF32)FirstChar;
7141 }
7142
7143 llvm::raw_string_ostream OS(CodePointStr);
7144 if (CodePoint < 256)
7145 OS << "\\x" << llvm::format("%02x", CodePoint);
7146 else if (CodePoint <= 0xFFFF)
7147 OS << "\\u" << llvm::format("%04x", CodePoint);
7148 else
7149 OS << "\\U" << llvm::format("%08x", CodePoint);
7150 Specifier = CodePointStr;
7151 }
7152
7153 EmitFormatDiagnostic(
7154 S.PDiag(diag::warn_format_invalid_conversion) << Specifier, Loc,
7155 /*IsStringLocation*/ true, getSpecifierRange(startSpec, specifierLen));
7156
7157 return keepGoing;
7158 }
7159
7160 void
HandlePositionalNonpositionalArgs(SourceLocation Loc,const char * startSpec,unsigned specifierLen)7161 CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc,
7162 const char *startSpec,
7163 unsigned specifierLen) {
7164 EmitFormatDiagnostic(
7165 S.PDiag(diag::warn_format_mix_positional_nonpositional_args),
7166 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen));
7167 }
7168
7169 bool
CheckNumArgs(const analyze_format_string::FormatSpecifier & FS,const analyze_format_string::ConversionSpecifier & CS,const char * startSpecifier,unsigned specifierLen,unsigned argIndex)7170 CheckFormatHandler::CheckNumArgs(
7171 const analyze_format_string::FormatSpecifier &FS,
7172 const analyze_format_string::ConversionSpecifier &CS,
7173 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) {
7174
7175 if (HasFormatArguments() && argIndex >= NumDataArgs) {
7176 PartialDiagnostic PDiag = FS.usesPositionalArg()
7177 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args)
7178 << (argIndex+1) << NumDataArgs)
7179 : S.PDiag(diag::warn_printf_insufficient_data_args);
7180 EmitFormatDiagnostic(
7181 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true,
7182 getSpecifierRange(startSpecifier, specifierLen));
7183
7184 // Since more arguments than conversion tokens are given, by extension
7185 // all arguments are covered, so mark this as so.
7186 UncoveredArg.setAllCovered();
7187 return false;
7188 }
7189 return true;
7190 }
7191
7192 template<typename Range>
EmitFormatDiagnostic(PartialDiagnostic PDiag,SourceLocation Loc,bool IsStringLocation,Range StringRange,ArrayRef<FixItHint> FixIt)7193 void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag,
7194 SourceLocation Loc,
7195 bool IsStringLocation,
7196 Range StringRange,
7197 ArrayRef<FixItHint> FixIt) {
7198 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag,
7199 Loc, IsStringLocation, StringRange, FixIt);
7200 }
7201
7202 /// If the format string is not within the function call, emit a note
7203 /// so that the function call and string are in diagnostic messages.
7204 ///
7205 /// \param InFunctionCall if true, the format string is within the function
7206 /// call and only one diagnostic message will be produced. Otherwise, an
7207 /// extra note will be emitted pointing to location of the format string.
7208 ///
7209 /// \param ArgumentExpr the expression that is passed as the format string
7210 /// argument in the function call. Used for getting locations when two
7211 /// diagnostics are emitted.
7212 ///
7213 /// \param PDiag the callee should already have provided any strings for the
7214 /// diagnostic message. This function only adds locations and fixits
7215 /// to diagnostics.
7216 ///
7217 /// \param Loc primary location for diagnostic. If two diagnostics are
7218 /// required, one will be at Loc and a new SourceLocation will be created for
7219 /// the other one.
7220 ///
7221 /// \param IsStringLocation if true, Loc points to the format string should be
7222 /// used for the note. Otherwise, Loc points to the argument list and will
7223 /// be used with PDiag.
7224 ///
7225 /// \param StringRange some or all of the string to highlight. This is
7226 /// templated so it can accept either a CharSourceRange or a SourceRange.
7227 ///
7228 /// \param FixIt optional fix it hint for the format string.
7229 template <typename Range>
EmitFormatDiagnostic(Sema & S,bool InFunctionCall,const Expr * ArgumentExpr,const PartialDiagnostic & PDiag,SourceLocation Loc,bool IsStringLocation,Range StringRange,ArrayRef<FixItHint> FixIt)7230 void CheckFormatHandler::EmitFormatDiagnostic(
7231 Sema &S, bool InFunctionCall, const Expr *ArgumentExpr,
7232 const PartialDiagnostic &PDiag, SourceLocation Loc, bool IsStringLocation,
7233 Range StringRange, ArrayRef<FixItHint> FixIt) {
7234 if (InFunctionCall) {
7235 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag);
7236 D << StringRange;
7237 D << FixIt;
7238 } else {
7239 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag)
7240 << ArgumentExpr->getSourceRange();
7241
7242 const Sema::SemaDiagnosticBuilder &Note =
7243 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(),
7244 diag::note_format_string_defined);
7245
7246 Note << StringRange;
7247 Note << FixIt;
7248 }
7249 }
7250
7251 //===--- CHECK: Printf format string checking -----------------------------===//
7252
7253 namespace {
7254
7255 class CheckPrintfHandler : public CheckFormatHandler {
7256 public:
CheckPrintfHandler(Sema & s,const FormatStringLiteral * fexpr,const Expr * origFormatExpr,const FormatStringType type,unsigned firstDataArg,unsigned numDataArgs,bool isObjC,const char * beg,Sema::FormatArgumentPassingKind APK,ArrayRef<const Expr * > Args,unsigned formatIdx,bool inFunctionCall,VariadicCallType CallType,llvm::SmallBitVector & CheckedVarArgs,UncoveredArgHandler & UncoveredArg)7257 CheckPrintfHandler(Sema &s, const FormatStringLiteral *fexpr,
7258 const Expr *origFormatExpr, const FormatStringType type,
7259 unsigned firstDataArg, unsigned numDataArgs, bool isObjC,
7260 const char *beg, Sema::FormatArgumentPassingKind APK,
7261 ArrayRef<const Expr *> Args, unsigned formatIdx,
7262 bool inFunctionCall, VariadicCallType CallType,
7263 llvm::SmallBitVector &CheckedVarArgs,
7264 UncoveredArgHandler &UncoveredArg)
7265 : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
7266 numDataArgs, beg, APK, Args, formatIdx,
7267 inFunctionCall, CallType, CheckedVarArgs,
7268 UncoveredArg) {}
7269
isObjCContext() const7270 bool isObjCContext() const { return FSType == FormatStringType::NSString; }
7271
7272 /// Returns true if '%@' specifiers are allowed in the format string.
allowsObjCArg() const7273 bool allowsObjCArg() const {
7274 return FSType == FormatStringType::NSString ||
7275 FSType == FormatStringType::OSLog ||
7276 FSType == FormatStringType::OSTrace;
7277 }
7278
7279 bool HandleInvalidPrintfConversionSpecifier(
7280 const analyze_printf::PrintfSpecifier &FS,
7281 const char *startSpecifier,
7282 unsigned specifierLen) override;
7283
7284 void handleInvalidMaskType(StringRef MaskType) override;
7285
7286 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
7287 const char *startSpecifier, unsigned specifierLen,
7288 const TargetInfo &Target) override;
7289 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
7290 const char *StartSpecifier,
7291 unsigned SpecifierLen,
7292 const Expr *E);
7293
7294 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k,
7295 const char *startSpecifier, unsigned specifierLen);
7296 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS,
7297 const analyze_printf::OptionalAmount &Amt,
7298 unsigned type,
7299 const char *startSpecifier, unsigned specifierLen);
7300 void HandleFlag(const analyze_printf::PrintfSpecifier &FS,
7301 const analyze_printf::OptionalFlag &flag,
7302 const char *startSpecifier, unsigned specifierLen);
7303 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS,
7304 const analyze_printf::OptionalFlag &ignoredFlag,
7305 const analyze_printf::OptionalFlag &flag,
7306 const char *startSpecifier, unsigned specifierLen);
7307 bool checkForCStrMembers(const analyze_printf::ArgType &AT,
7308 const Expr *E);
7309
7310 void HandleEmptyObjCModifierFlag(const char *startFlag,
7311 unsigned flagLen) override;
7312
7313 void HandleInvalidObjCModifierFlag(const char *startFlag,
7314 unsigned flagLen) override;
7315
7316 void
7317 HandleObjCFlagsWithNonObjCConversion(const char *flagsStart,
7318 const char *flagsEnd,
7319 const char *conversionPosition) override;
7320 };
7321
7322 /// Keeps around the information needed to verify that two specifiers are
7323 /// compatible.
7324 class EquatableFormatArgument {
7325 public:
7326 enum SpecifierSensitivity : unsigned {
7327 SS_None,
7328 SS_Private,
7329 SS_Public,
7330 SS_Sensitive
7331 };
7332
7333 enum FormatArgumentRole : unsigned {
7334 FAR_Data,
7335 FAR_FieldWidth,
7336 FAR_Precision,
7337 FAR_Auxiliary, // FreeBSD kernel %b and %D
7338 };
7339
7340 private:
7341 analyze_format_string::ArgType ArgType;
7342 analyze_format_string::LengthModifier::Kind LengthMod;
7343 StringRef SpecifierLetter;
7344 CharSourceRange Range;
7345 SourceLocation ElementLoc;
7346 FormatArgumentRole Role : 2;
7347 SpecifierSensitivity Sensitivity : 2; // only set for FAR_Data
7348 unsigned Position : 14;
7349 unsigned ModifierFor : 14; // not set for FAR_Data
7350
7351 void EmitDiagnostic(Sema &S, PartialDiagnostic PDiag, const Expr *FmtExpr,
7352 bool InFunctionCall) const;
7353
7354 public:
EquatableFormatArgument(CharSourceRange Range,SourceLocation ElementLoc,analyze_format_string::LengthModifier::Kind LengthMod,StringRef SpecifierLetter,analyze_format_string::ArgType ArgType,FormatArgumentRole Role,SpecifierSensitivity Sensitivity,unsigned Position,unsigned ModifierFor)7355 EquatableFormatArgument(CharSourceRange Range, SourceLocation ElementLoc,
7356 analyze_format_string::LengthModifier::Kind LengthMod,
7357 StringRef SpecifierLetter,
7358 analyze_format_string::ArgType ArgType,
7359 FormatArgumentRole Role,
7360 SpecifierSensitivity Sensitivity, unsigned Position,
7361 unsigned ModifierFor)
7362 : ArgType(ArgType), LengthMod(LengthMod),
7363 SpecifierLetter(SpecifierLetter), Range(Range), ElementLoc(ElementLoc),
7364 Role(Role), Sensitivity(Sensitivity), Position(Position),
7365 ModifierFor(ModifierFor) {}
7366
getPosition() const7367 unsigned getPosition() const { return Position; }
getSourceLocation() const7368 SourceLocation getSourceLocation() const { return ElementLoc; }
getSourceRange() const7369 CharSourceRange getSourceRange() const { return Range; }
getLengthModifier() const7370 analyze_format_string::LengthModifier getLengthModifier() const {
7371 return analyze_format_string::LengthModifier(nullptr, LengthMod);
7372 }
setModifierFor(unsigned V)7373 void setModifierFor(unsigned V) { ModifierFor = V; }
7374
buildFormatSpecifier() const7375 std::string buildFormatSpecifier() const {
7376 std::string result;
7377 llvm::raw_string_ostream(result)
7378 << getLengthModifier().toString() << SpecifierLetter;
7379 return result;
7380 }
7381
7382 bool VerifyCompatible(Sema &S, const EquatableFormatArgument &Other,
7383 const Expr *FmtExpr, bool InFunctionCall) const;
7384 };
7385
7386 /// Turns format strings into lists of EquatableSpecifier objects.
7387 class DecomposePrintfHandler : public CheckPrintfHandler {
7388 llvm::SmallVectorImpl<EquatableFormatArgument> &Specs;
7389 bool HadError;
7390
DecomposePrintfHandler(Sema & s,const FormatStringLiteral * fexpr,const Expr * origFormatExpr,const FormatStringType type,unsigned firstDataArg,unsigned numDataArgs,bool isObjC,const char * beg,Sema::FormatArgumentPassingKind APK,ArrayRef<const Expr * > Args,unsigned formatIdx,bool inFunctionCall,VariadicCallType CallType,llvm::SmallBitVector & CheckedVarArgs,UncoveredArgHandler & UncoveredArg,llvm::SmallVectorImpl<EquatableFormatArgument> & Specs)7391 DecomposePrintfHandler(Sema &s, const FormatStringLiteral *fexpr,
7392 const Expr *origFormatExpr,
7393 const FormatStringType type, unsigned firstDataArg,
7394 unsigned numDataArgs, bool isObjC, const char *beg,
7395 Sema::FormatArgumentPassingKind APK,
7396 ArrayRef<const Expr *> Args, unsigned formatIdx,
7397 bool inFunctionCall, VariadicCallType CallType,
7398 llvm::SmallBitVector &CheckedVarArgs,
7399 UncoveredArgHandler &UncoveredArg,
7400 llvm::SmallVectorImpl<EquatableFormatArgument> &Specs)
7401 : CheckPrintfHandler(s, fexpr, origFormatExpr, type, firstDataArg,
7402 numDataArgs, isObjC, beg, APK, Args, formatIdx,
7403 inFunctionCall, CallType, CheckedVarArgs,
7404 UncoveredArg),
7405 Specs(Specs), HadError(false) {}
7406
7407 public:
7408 static bool
7409 GetSpecifiers(Sema &S, const FormatStringLiteral *FSL, const Expr *FmtExpr,
7410 FormatStringType type, bool IsObjC, bool InFunctionCall,
7411 llvm::SmallVectorImpl<EquatableFormatArgument> &Args);
7412
7413 virtual bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
7414 const char *startSpecifier,
7415 unsigned specifierLen,
7416 const TargetInfo &Target) override;
7417 };
7418
7419 } // namespace
7420
HandleInvalidPrintfConversionSpecifier(const analyze_printf::PrintfSpecifier & FS,const char * startSpecifier,unsigned specifierLen)7421 bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier(
7422 const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
7423 unsigned specifierLen) {
7424 const analyze_printf::PrintfConversionSpecifier &CS =
7425 FS.getConversionSpecifier();
7426
7427 return HandleInvalidConversionSpecifier(FS.getArgIndex(),
7428 getLocationOfByte(CS.getStart()),
7429 startSpecifier, specifierLen,
7430 CS.getStart(), CS.getLength());
7431 }
7432
handleInvalidMaskType(StringRef MaskType)7433 void CheckPrintfHandler::handleInvalidMaskType(StringRef MaskType) {
7434 S.Diag(getLocationOfByte(MaskType.data()), diag::err_invalid_mask_type_size);
7435 }
7436
HandleAmount(const analyze_format_string::OptionalAmount & Amt,unsigned k,const char * startSpecifier,unsigned specifierLen)7437 bool CheckPrintfHandler::HandleAmount(
7438 const analyze_format_string::OptionalAmount &Amt, unsigned k,
7439 const char *startSpecifier, unsigned specifierLen) {
7440 if (Amt.hasDataArgument()) {
7441 if (HasFormatArguments()) {
7442 unsigned argIndex = Amt.getArgIndex();
7443 if (argIndex >= NumDataArgs) {
7444 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg)
7445 << k,
7446 getLocationOfByte(Amt.getStart()),
7447 /*IsStringLocation*/ true,
7448 getSpecifierRange(startSpecifier, specifierLen));
7449 // Don't do any more checking. We will just emit
7450 // spurious errors.
7451 return false;
7452 }
7453
7454 // Type check the data argument. It should be an 'int'.
7455 // Although not in conformance with C99, we also allow the argument to be
7456 // an 'unsigned int' as that is a reasonably safe case. GCC also
7457 // doesn't emit a warning for that case.
7458 CoveredArgs.set(argIndex);
7459 const Expr *Arg = getDataArg(argIndex);
7460 if (!Arg)
7461 return false;
7462
7463 QualType T = Arg->getType();
7464
7465 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context);
7466 assert(AT.isValid());
7467
7468 if (!AT.matchesType(S.Context, T)) {
7469 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type)
7470 << k << AT.getRepresentativeTypeName(S.Context)
7471 << T << Arg->getSourceRange(),
7472 getLocationOfByte(Amt.getStart()),
7473 /*IsStringLocation*/true,
7474 getSpecifierRange(startSpecifier, specifierLen));
7475 // Don't do any more checking. We will just emit
7476 // spurious errors.
7477 return false;
7478 }
7479 }
7480 }
7481 return true;
7482 }
7483
HandleInvalidAmount(const analyze_printf::PrintfSpecifier & FS,const analyze_printf::OptionalAmount & Amt,unsigned type,const char * startSpecifier,unsigned specifierLen)7484 void CheckPrintfHandler::HandleInvalidAmount(
7485 const analyze_printf::PrintfSpecifier &FS,
7486 const analyze_printf::OptionalAmount &Amt,
7487 unsigned type,
7488 const char *startSpecifier,
7489 unsigned specifierLen) {
7490 const analyze_printf::PrintfConversionSpecifier &CS =
7491 FS.getConversionSpecifier();
7492
7493 FixItHint fixit =
7494 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant
7495 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(),
7496 Amt.getConstantLength()))
7497 : FixItHint();
7498
7499 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount)
7500 << type << CS.toString(),
7501 getLocationOfByte(Amt.getStart()),
7502 /*IsStringLocation*/true,
7503 getSpecifierRange(startSpecifier, specifierLen),
7504 fixit);
7505 }
7506
HandleFlag(const analyze_printf::PrintfSpecifier & FS,const analyze_printf::OptionalFlag & flag,const char * startSpecifier,unsigned specifierLen)7507 void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS,
7508 const analyze_printf::OptionalFlag &flag,
7509 const char *startSpecifier,
7510 unsigned specifierLen) {
7511 // Warn about pointless flag with a fixit removal.
7512 const analyze_printf::PrintfConversionSpecifier &CS =
7513 FS.getConversionSpecifier();
7514 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag)
7515 << flag.toString() << CS.toString(),
7516 getLocationOfByte(flag.getPosition()),
7517 /*IsStringLocation*/true,
7518 getSpecifierRange(startSpecifier, specifierLen),
7519 FixItHint::CreateRemoval(
7520 getSpecifierRange(flag.getPosition(), 1)));
7521 }
7522
HandleIgnoredFlag(const analyze_printf::PrintfSpecifier & FS,const analyze_printf::OptionalFlag & ignoredFlag,const analyze_printf::OptionalFlag & flag,const char * startSpecifier,unsigned specifierLen)7523 void CheckPrintfHandler::HandleIgnoredFlag(
7524 const analyze_printf::PrintfSpecifier &FS,
7525 const analyze_printf::OptionalFlag &ignoredFlag,
7526 const analyze_printf::OptionalFlag &flag,
7527 const char *startSpecifier,
7528 unsigned specifierLen) {
7529 // Warn about ignored flag with a fixit removal.
7530 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag)
7531 << ignoredFlag.toString() << flag.toString(),
7532 getLocationOfByte(ignoredFlag.getPosition()),
7533 /*IsStringLocation*/true,
7534 getSpecifierRange(startSpecifier, specifierLen),
7535 FixItHint::CreateRemoval(
7536 getSpecifierRange(ignoredFlag.getPosition(), 1)));
7537 }
7538
HandleEmptyObjCModifierFlag(const char * startFlag,unsigned flagLen)7539 void CheckPrintfHandler::HandleEmptyObjCModifierFlag(const char *startFlag,
7540 unsigned flagLen) {
7541 // Warn about an empty flag.
7542 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_empty_objc_flag),
7543 getLocationOfByte(startFlag),
7544 /*IsStringLocation*/true,
7545 getSpecifierRange(startFlag, flagLen));
7546 }
7547
HandleInvalidObjCModifierFlag(const char * startFlag,unsigned flagLen)7548 void CheckPrintfHandler::HandleInvalidObjCModifierFlag(const char *startFlag,
7549 unsigned flagLen) {
7550 // Warn about an invalid flag.
7551 auto Range = getSpecifierRange(startFlag, flagLen);
7552 StringRef flag(startFlag, flagLen);
7553 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_invalid_objc_flag) << flag,
7554 getLocationOfByte(startFlag),
7555 /*IsStringLocation*/true,
7556 Range, FixItHint::CreateRemoval(Range));
7557 }
7558
HandleObjCFlagsWithNonObjCConversion(const char * flagsStart,const char * flagsEnd,const char * conversionPosition)7559 void CheckPrintfHandler::HandleObjCFlagsWithNonObjCConversion(
7560 const char *flagsStart, const char *flagsEnd, const char *conversionPosition) {
7561 // Warn about using '[...]' without a '@' conversion.
7562 auto Range = getSpecifierRange(flagsStart, flagsEnd - flagsStart + 1);
7563 auto diag = diag::warn_printf_ObjCflags_without_ObjCConversion;
7564 EmitFormatDiagnostic(S.PDiag(diag) << StringRef(conversionPosition, 1),
7565 getLocationOfByte(conversionPosition),
7566 /*IsStringLocation*/ true, Range,
7567 FixItHint::CreateRemoval(Range));
7568 }
7569
EmitDiagnostic(Sema & S,PartialDiagnostic PDiag,const Expr * FmtExpr,bool InFunctionCall) const7570 void EquatableFormatArgument::EmitDiagnostic(Sema &S, PartialDiagnostic PDiag,
7571 const Expr *FmtExpr,
7572 bool InFunctionCall) const {
7573 CheckFormatHandler::EmitFormatDiagnostic(S, InFunctionCall, FmtExpr, PDiag,
7574 ElementLoc, true, Range);
7575 }
7576
VerifyCompatible(Sema & S,const EquatableFormatArgument & Other,const Expr * FmtExpr,bool InFunctionCall) const7577 bool EquatableFormatArgument::VerifyCompatible(
7578 Sema &S, const EquatableFormatArgument &Other, const Expr *FmtExpr,
7579 bool InFunctionCall) const {
7580 using MK = analyze_format_string::ArgType::MatchKind;
7581 if (Role != Other.Role) {
7582 // diagnose and stop
7583 EmitDiagnostic(
7584 S, S.PDiag(diag::warn_format_cmp_role_mismatch) << Role << Other.Role,
7585 FmtExpr, InFunctionCall);
7586 S.Diag(Other.ElementLoc, diag::note_format_cmp_with) << 0 << Other.Range;
7587 return false;
7588 }
7589
7590 if (Role != FAR_Data) {
7591 if (ModifierFor != Other.ModifierFor) {
7592 // diagnose and stop
7593 EmitDiagnostic(S,
7594 S.PDiag(diag::warn_format_cmp_modifierfor_mismatch)
7595 << (ModifierFor + 1) << (Other.ModifierFor + 1),
7596 FmtExpr, InFunctionCall);
7597 S.Diag(Other.ElementLoc, diag::note_format_cmp_with) << 0 << Other.Range;
7598 return false;
7599 }
7600 return true;
7601 }
7602
7603 bool HadError = false;
7604 if (Sensitivity != Other.Sensitivity) {
7605 // diagnose and continue
7606 EmitDiagnostic(S,
7607 S.PDiag(diag::warn_format_cmp_sensitivity_mismatch)
7608 << Sensitivity << Other.Sensitivity,
7609 FmtExpr, InFunctionCall);
7610 HadError = S.Diag(Other.ElementLoc, diag::note_format_cmp_with)
7611 << 0 << Other.Range;
7612 }
7613
7614 switch (ArgType.matchesArgType(S.Context, Other.ArgType)) {
7615 case MK::Match:
7616 break;
7617
7618 case MK::MatchPromotion:
7619 // Per consensus reached at https://discourse.llvm.org/t/-/83076/12,
7620 // MatchPromotion is treated as a failure by format_matches.
7621 case MK::NoMatch:
7622 case MK::NoMatchTypeConfusion:
7623 case MK::NoMatchPromotionTypeConfusion:
7624 EmitDiagnostic(S,
7625 S.PDiag(diag::warn_format_cmp_specifier_mismatch)
7626 << buildFormatSpecifier()
7627 << Other.buildFormatSpecifier(),
7628 FmtExpr, InFunctionCall);
7629 HadError = S.Diag(Other.ElementLoc, diag::note_format_cmp_with)
7630 << 0 << Other.Range;
7631 break;
7632
7633 case MK::NoMatchPedantic:
7634 EmitDiagnostic(S,
7635 S.PDiag(diag::warn_format_cmp_specifier_mismatch_pedantic)
7636 << buildFormatSpecifier()
7637 << Other.buildFormatSpecifier(),
7638 FmtExpr, InFunctionCall);
7639 HadError = S.Diag(Other.ElementLoc, diag::note_format_cmp_with)
7640 << 0 << Other.Range;
7641 break;
7642
7643 case MK::NoMatchSignedness:
7644 if (!S.getDiagnostics().isIgnored(
7645 diag::warn_format_conversion_argument_type_mismatch_signedness,
7646 ElementLoc)) {
7647 EmitDiagnostic(S,
7648 S.PDiag(diag::warn_format_cmp_specifier_sign_mismatch)
7649 << buildFormatSpecifier()
7650 << Other.buildFormatSpecifier(),
7651 FmtExpr, InFunctionCall);
7652 HadError = S.Diag(Other.ElementLoc, diag::note_format_cmp_with)
7653 << 0 << Other.Range;
7654 }
7655 break;
7656 }
7657 return !HadError;
7658 }
7659
GetSpecifiers(Sema & S,const FormatStringLiteral * FSL,const Expr * FmtExpr,FormatStringType Type,bool IsObjC,bool InFunctionCall,llvm::SmallVectorImpl<EquatableFormatArgument> & Args)7660 bool DecomposePrintfHandler::GetSpecifiers(
7661 Sema &S, const FormatStringLiteral *FSL, const Expr *FmtExpr,
7662 FormatStringType Type, bool IsObjC, bool InFunctionCall,
7663 llvm::SmallVectorImpl<EquatableFormatArgument> &Args) {
7664 StringRef Data = FSL->getString();
7665 const char *Str = Data.data();
7666 llvm::SmallBitVector BV;
7667 UncoveredArgHandler UA;
7668 const Expr *PrintfArgs[] = {FSL->getFormatString()};
7669 DecomposePrintfHandler H(S, FSL, FSL->getFormatString(), Type, 0, 0, IsObjC,
7670 Str, Sema::FAPK_Elsewhere, PrintfArgs, 0,
7671 InFunctionCall, VariadicCallType::DoesNotApply, BV,
7672 UA, Args);
7673
7674 if (!analyze_format_string::ParsePrintfString(
7675 H, Str, Str + Data.size(), S.getLangOpts(), S.Context.getTargetInfo(),
7676 Type == FormatStringType::FreeBSDKPrintf))
7677 H.DoneProcessing();
7678 if (H.HadError)
7679 return false;
7680
7681 llvm::stable_sort(Args, [](const EquatableFormatArgument &A,
7682 const EquatableFormatArgument &B) {
7683 return A.getPosition() < B.getPosition();
7684 });
7685 return true;
7686 }
7687
HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier & FS,const char * startSpecifier,unsigned specifierLen,const TargetInfo & Target)7688 bool DecomposePrintfHandler::HandlePrintfSpecifier(
7689 const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
7690 unsigned specifierLen, const TargetInfo &Target) {
7691 if (!CheckPrintfHandler::HandlePrintfSpecifier(FS, startSpecifier,
7692 specifierLen, Target)) {
7693 HadError = true;
7694 return false;
7695 }
7696
7697 // Do not add any specifiers to the list for %%. This is possibly incorrect
7698 // if using a precision/width with a data argument, but that combination is
7699 // meaningless and we wouldn't know which format to attach the
7700 // precision/width to.
7701 const auto &CS = FS.getConversionSpecifier();
7702 if (CS.getKind() == analyze_format_string::ConversionSpecifier::PercentArg)
7703 return true;
7704
7705 // have to patch these to have the right ModifierFor if they are used
7706 const unsigned Unset = ~0;
7707 unsigned FieldWidthIndex = Unset;
7708 unsigned PrecisionIndex = Unset;
7709
7710 // field width?
7711 const auto &FieldWidth = FS.getFieldWidth();
7712 if (!FieldWidth.isInvalid() && FieldWidth.hasDataArgument()) {
7713 FieldWidthIndex = Specs.size();
7714 Specs.emplace_back(getSpecifierRange(startSpecifier, specifierLen),
7715 getLocationOfByte(FieldWidth.getStart()),
7716 analyze_format_string::LengthModifier::None, "*",
7717 FieldWidth.getArgType(S.Context),
7718 EquatableFormatArgument::FAR_FieldWidth,
7719 EquatableFormatArgument::SS_None,
7720 FieldWidth.usesPositionalArg()
7721 ? FieldWidth.getPositionalArgIndex() - 1
7722 : FieldWidthIndex,
7723 0);
7724 }
7725 // precision?
7726 const auto &Precision = FS.getPrecision();
7727 if (!Precision.isInvalid() && Precision.hasDataArgument()) {
7728 PrecisionIndex = Specs.size();
7729 Specs.emplace_back(
7730 getSpecifierRange(startSpecifier, specifierLen),
7731 getLocationOfByte(Precision.getStart()),
7732 analyze_format_string::LengthModifier::None, ".*",
7733 Precision.getArgType(S.Context), EquatableFormatArgument::FAR_Precision,
7734 EquatableFormatArgument::SS_None,
7735 Precision.usesPositionalArg() ? Precision.getPositionalArgIndex() - 1
7736 : PrecisionIndex,
7737 0);
7738 }
7739
7740 // this specifier
7741 unsigned SpecIndex =
7742 FS.usesPositionalArg() ? FS.getPositionalArgIndex() - 1 : Specs.size();
7743 if (FieldWidthIndex != Unset)
7744 Specs[FieldWidthIndex].setModifierFor(SpecIndex);
7745 if (PrecisionIndex != Unset)
7746 Specs[PrecisionIndex].setModifierFor(SpecIndex);
7747
7748 EquatableFormatArgument::SpecifierSensitivity Sensitivity;
7749 if (FS.isPrivate())
7750 Sensitivity = EquatableFormatArgument::SS_Private;
7751 else if (FS.isPublic())
7752 Sensitivity = EquatableFormatArgument::SS_Public;
7753 else if (FS.isSensitive())
7754 Sensitivity = EquatableFormatArgument::SS_Sensitive;
7755 else
7756 Sensitivity = EquatableFormatArgument::SS_None;
7757
7758 Specs.emplace_back(
7759 getSpecifierRange(startSpecifier, specifierLen),
7760 getLocationOfByte(CS.getStart()), FS.getLengthModifier().getKind(),
7761 CS.getCharacters(), FS.getArgType(S.Context, isObjCContext()),
7762 EquatableFormatArgument::FAR_Data, Sensitivity, SpecIndex, 0);
7763
7764 // auxiliary argument?
7765 if (CS.getKind() == analyze_format_string::ConversionSpecifier::FreeBSDbArg ||
7766 CS.getKind() == analyze_format_string::ConversionSpecifier::FreeBSDDArg) {
7767 Specs.emplace_back(getSpecifierRange(startSpecifier, specifierLen),
7768 getLocationOfByte(CS.getStart()),
7769 analyze_format_string::LengthModifier::None,
7770 CS.getCharacters(),
7771 analyze_format_string::ArgType::CStrTy,
7772 EquatableFormatArgument::FAR_Auxiliary, Sensitivity,
7773 SpecIndex + 1, SpecIndex);
7774 }
7775 return true;
7776 }
7777
7778 // Determines if the specified is a C++ class or struct containing
7779 // a member with the specified name and kind (e.g. a CXXMethodDecl named
7780 // "c_str()").
7781 template<typename MemberKind>
7782 static llvm::SmallPtrSet<MemberKind*, 1>
CXXRecordMembersNamed(StringRef Name,Sema & S,QualType Ty)7783 CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) {
7784 const RecordType *RT = Ty->getAs<RecordType>();
7785 llvm::SmallPtrSet<MemberKind*, 1> Results;
7786
7787 if (!RT)
7788 return Results;
7789 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl());
7790 if (!RD || !RD->getDefinition())
7791 return Results;
7792
7793 LookupResult R(S, &S.Context.Idents.get(Name), SourceLocation(),
7794 Sema::LookupMemberName);
7795 R.suppressDiagnostics();
7796
7797 // We just need to include all members of the right kind turned up by the
7798 // filter, at this point.
7799 if (S.LookupQualifiedName(R, RT->getDecl()))
7800 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) {
7801 NamedDecl *decl = (*I)->getUnderlyingDecl();
7802 if (MemberKind *FK = dyn_cast<MemberKind>(decl))
7803 Results.insert(FK);
7804 }
7805 return Results;
7806 }
7807
7808 /// Check if we could call '.c_str()' on an object.
7809 ///
7810 /// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't
7811 /// allow the call, or if it would be ambiguous).
hasCStrMethod(const Expr * E)7812 bool Sema::hasCStrMethod(const Expr *E) {
7813 using MethodSet = llvm::SmallPtrSet<CXXMethodDecl *, 1>;
7814
7815 MethodSet Results =
7816 CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType());
7817 for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
7818 MI != ME; ++MI)
7819 if ((*MI)->getMinRequiredArguments() == 0)
7820 return true;
7821 return false;
7822 }
7823
7824 // Check if a (w)string was passed when a (w)char* was needed, and offer a
7825 // better diagnostic if so. AT is assumed to be valid.
7826 // Returns true when a c_str() conversion method is found.
checkForCStrMembers(const analyze_printf::ArgType & AT,const Expr * E)7827 bool CheckPrintfHandler::checkForCStrMembers(
7828 const analyze_printf::ArgType &AT, const Expr *E) {
7829 using MethodSet = llvm::SmallPtrSet<CXXMethodDecl *, 1>;
7830
7831 MethodSet Results =
7832 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType());
7833
7834 for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
7835 MI != ME; ++MI) {
7836 const CXXMethodDecl *Method = *MI;
7837 if (Method->getMinRequiredArguments() == 0 &&
7838 AT.matchesType(S.Context, Method->getReturnType())) {
7839 // FIXME: Suggest parens if the expression needs them.
7840 SourceLocation EndLoc = S.getLocForEndOfToken(E->getEndLoc());
7841 S.Diag(E->getBeginLoc(), diag::note_printf_c_str)
7842 << "c_str()" << FixItHint::CreateInsertion(EndLoc, ".c_str()");
7843 return true;
7844 }
7845 }
7846
7847 return false;
7848 }
7849
HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier & FS,const char * startSpecifier,unsigned specifierLen,const TargetInfo & Target)7850 bool CheckPrintfHandler::HandlePrintfSpecifier(
7851 const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
7852 unsigned specifierLen, const TargetInfo &Target) {
7853 using namespace analyze_format_string;
7854 using namespace analyze_printf;
7855
7856 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier();
7857
7858 if (FS.consumesDataArgument()) {
7859 if (atFirstArg) {
7860 atFirstArg = false;
7861 usesPositionalArgs = FS.usesPositionalArg();
7862 }
7863 else if (usesPositionalArgs != FS.usesPositionalArg()) {
7864 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
7865 startSpecifier, specifierLen);
7866 return false;
7867 }
7868 }
7869
7870 // First check if the field width, precision, and conversion specifier
7871 // have matching data arguments.
7872 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0,
7873 startSpecifier, specifierLen)) {
7874 return false;
7875 }
7876
7877 if (!HandleAmount(FS.getPrecision(), /* precision */ 1,
7878 startSpecifier, specifierLen)) {
7879 return false;
7880 }
7881
7882 if (!CS.consumesDataArgument()) {
7883 // FIXME: Technically specifying a precision or field width here
7884 // makes no sense. Worth issuing a warning at some point.
7885 return true;
7886 }
7887
7888 // Consume the argument.
7889 unsigned argIndex = FS.getArgIndex();
7890 if (argIndex < NumDataArgs) {
7891 // The check to see if the argIndex is valid will come later.
7892 // We set the bit here because we may exit early from this
7893 // function if we encounter some other error.
7894 CoveredArgs.set(argIndex);
7895 }
7896
7897 // FreeBSD kernel extensions.
7898 if (CS.getKind() == ConversionSpecifier::FreeBSDbArg ||
7899 CS.getKind() == ConversionSpecifier::FreeBSDDArg) {
7900 // We need at least two arguments.
7901 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex + 1))
7902 return false;
7903
7904 if (HasFormatArguments()) {
7905 // Claim the second argument.
7906 CoveredArgs.set(argIndex + 1);
7907
7908 // Type check the first argument (int for %b, pointer for %D)
7909 const Expr *Ex = getDataArg(argIndex);
7910 const analyze_printf::ArgType &AT =
7911 (CS.getKind() == ConversionSpecifier::FreeBSDbArg)
7912 ? ArgType(S.Context.IntTy)
7913 : ArgType::CPointerTy;
7914 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType()))
7915 EmitFormatDiagnostic(
7916 S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
7917 << AT.getRepresentativeTypeName(S.Context) << Ex->getType()
7918 << false << Ex->getSourceRange(),
7919 Ex->getBeginLoc(), /*IsStringLocation*/ false,
7920 getSpecifierRange(startSpecifier, specifierLen));
7921
7922 // Type check the second argument (char * for both %b and %D)
7923 Ex = getDataArg(argIndex + 1);
7924 const analyze_printf::ArgType &AT2 = ArgType::CStrTy;
7925 if (AT2.isValid() && !AT2.matchesType(S.Context, Ex->getType()))
7926 EmitFormatDiagnostic(
7927 S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
7928 << AT2.getRepresentativeTypeName(S.Context) << Ex->getType()
7929 << false << Ex->getSourceRange(),
7930 Ex->getBeginLoc(), /*IsStringLocation*/ false,
7931 getSpecifierRange(startSpecifier, specifierLen));
7932 }
7933 return true;
7934 }
7935
7936 // Check for using an Objective-C specific conversion specifier
7937 // in a non-ObjC literal.
7938 if (!allowsObjCArg() && CS.isObjCArg()) {
7939 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7940 specifierLen);
7941 }
7942
7943 // %P can only be used with os_log.
7944 if (FSType != FormatStringType::OSLog &&
7945 CS.getKind() == ConversionSpecifier::PArg) {
7946 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7947 specifierLen);
7948 }
7949
7950 // %n is not allowed with os_log.
7951 if (FSType == FormatStringType::OSLog &&
7952 CS.getKind() == ConversionSpecifier::nArg) {
7953 EmitFormatDiagnostic(S.PDiag(diag::warn_os_log_format_narg),
7954 getLocationOfByte(CS.getStart()),
7955 /*IsStringLocation*/ false,
7956 getSpecifierRange(startSpecifier, specifierLen));
7957
7958 return true;
7959 }
7960
7961 // Only scalars are allowed for os_trace.
7962 if (FSType == FormatStringType::OSTrace &&
7963 (CS.getKind() == ConversionSpecifier::PArg ||
7964 CS.getKind() == ConversionSpecifier::sArg ||
7965 CS.getKind() == ConversionSpecifier::ObjCObjArg)) {
7966 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7967 specifierLen);
7968 }
7969
7970 // Check for use of public/private annotation outside of os_log().
7971 if (FSType != FormatStringType::OSLog) {
7972 if (FS.isPublic().isSet()) {
7973 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_annotation)
7974 << "public",
7975 getLocationOfByte(FS.isPublic().getPosition()),
7976 /*IsStringLocation*/ false,
7977 getSpecifierRange(startSpecifier, specifierLen));
7978 }
7979 if (FS.isPrivate().isSet()) {
7980 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_annotation)
7981 << "private",
7982 getLocationOfByte(FS.isPrivate().getPosition()),
7983 /*IsStringLocation*/ false,
7984 getSpecifierRange(startSpecifier, specifierLen));
7985 }
7986 }
7987
7988 const llvm::Triple &Triple = Target.getTriple();
7989 if (CS.getKind() == ConversionSpecifier::nArg &&
7990 (Triple.isAndroid() || Triple.isOSFuchsia())) {
7991 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_narg_not_supported),
7992 getLocationOfByte(CS.getStart()),
7993 /*IsStringLocation*/ false,
7994 getSpecifierRange(startSpecifier, specifierLen));
7995 }
7996
7997 // Check for invalid use of field width
7998 if (!FS.hasValidFieldWidth()) {
7999 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0,
8000 startSpecifier, specifierLen);
8001 }
8002
8003 // Check for invalid use of precision
8004 if (!FS.hasValidPrecision()) {
8005 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1,
8006 startSpecifier, specifierLen);
8007 }
8008
8009 // Precision is mandatory for %P specifier.
8010 if (CS.getKind() == ConversionSpecifier::PArg &&
8011 FS.getPrecision().getHowSpecified() == OptionalAmount::NotSpecified) {
8012 EmitFormatDiagnostic(S.PDiag(diag::warn_format_P_no_precision),
8013 getLocationOfByte(startSpecifier),
8014 /*IsStringLocation*/ false,
8015 getSpecifierRange(startSpecifier, specifierLen));
8016 }
8017
8018 // Check each flag does not conflict with any other component.
8019 if (!FS.hasValidThousandsGroupingPrefix())
8020 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen);
8021 if (!FS.hasValidLeadingZeros())
8022 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen);
8023 if (!FS.hasValidPlusPrefix())
8024 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen);
8025 if (!FS.hasValidSpacePrefix())
8026 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen);
8027 if (!FS.hasValidAlternativeForm())
8028 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen);
8029 if (!FS.hasValidLeftJustified())
8030 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen);
8031
8032 // Check that flags are not ignored by another flag
8033 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+'
8034 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(),
8035 startSpecifier, specifierLen);
8036 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-'
8037 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(),
8038 startSpecifier, specifierLen);
8039
8040 // Check the length modifier is valid with the given conversion specifier.
8041 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo(),
8042 S.getLangOpts()))
8043 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
8044 diag::warn_format_nonsensical_length);
8045 else if (!FS.hasStandardLengthModifier())
8046 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
8047 else if (!FS.hasStandardLengthConversionCombination())
8048 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
8049 diag::warn_format_non_standard_conversion_spec);
8050
8051 if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
8052 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
8053
8054 // The remaining checks depend on the data arguments.
8055 if (!HasFormatArguments())
8056 return true;
8057
8058 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
8059 return false;
8060
8061 const Expr *Arg = getDataArg(argIndex);
8062 if (!Arg)
8063 return true;
8064
8065 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg);
8066 }
8067
requiresParensToAddCast(const Expr * E)8068 static bool requiresParensToAddCast(const Expr *E) {
8069 // FIXME: We should have a general way to reason about operator
8070 // precedence and whether parens are actually needed here.
8071 // Take care of a few common cases where they aren't.
8072 const Expr *Inside = E->IgnoreImpCasts();
8073 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside))
8074 Inside = POE->getSyntacticForm()->IgnoreImpCasts();
8075
8076 switch (Inside->getStmtClass()) {
8077 case Stmt::ArraySubscriptExprClass:
8078 case Stmt::CallExprClass:
8079 case Stmt::CharacterLiteralClass:
8080 case Stmt::CXXBoolLiteralExprClass:
8081 case Stmt::DeclRefExprClass:
8082 case Stmt::FloatingLiteralClass:
8083 case Stmt::IntegerLiteralClass:
8084 case Stmt::MemberExprClass:
8085 case Stmt::ObjCArrayLiteralClass:
8086 case Stmt::ObjCBoolLiteralExprClass:
8087 case Stmt::ObjCBoxedExprClass:
8088 case Stmt::ObjCDictionaryLiteralClass:
8089 case Stmt::ObjCEncodeExprClass:
8090 case Stmt::ObjCIvarRefExprClass:
8091 case Stmt::ObjCMessageExprClass:
8092 case Stmt::ObjCPropertyRefExprClass:
8093 case Stmt::ObjCStringLiteralClass:
8094 case Stmt::ObjCSubscriptRefExprClass:
8095 case Stmt::ParenExprClass:
8096 case Stmt::StringLiteralClass:
8097 case Stmt::UnaryOperatorClass:
8098 return false;
8099 default:
8100 return true;
8101 }
8102 }
8103
8104 static std::pair<QualType, StringRef>
shouldNotPrintDirectly(const ASTContext & Context,QualType IntendedTy,const Expr * E)8105 shouldNotPrintDirectly(const ASTContext &Context,
8106 QualType IntendedTy,
8107 const Expr *E) {
8108 // Use a 'while' to peel off layers of typedefs.
8109 QualType TyTy = IntendedTy;
8110 while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) {
8111 StringRef Name = UserTy->getDecl()->getName();
8112 QualType CastTy = llvm::StringSwitch<QualType>(Name)
8113 .Case("CFIndex", Context.getNSIntegerType())
8114 .Case("NSInteger", Context.getNSIntegerType())
8115 .Case("NSUInteger", Context.getNSUIntegerType())
8116 .Case("SInt32", Context.IntTy)
8117 .Case("UInt32", Context.UnsignedIntTy)
8118 .Default(QualType());
8119
8120 if (!CastTy.isNull())
8121 return std::make_pair(CastTy, Name);
8122
8123 TyTy = UserTy->desugar();
8124 }
8125
8126 // Strip parens if necessary.
8127 if (const ParenExpr *PE = dyn_cast<ParenExpr>(E))
8128 return shouldNotPrintDirectly(Context,
8129 PE->getSubExpr()->getType(),
8130 PE->getSubExpr());
8131
8132 // If this is a conditional expression, then its result type is constructed
8133 // via usual arithmetic conversions and thus there might be no necessary
8134 // typedef sugar there. Recurse to operands to check for NSInteger &
8135 // Co. usage condition.
8136 if (const ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) {
8137 QualType TrueTy, FalseTy;
8138 StringRef TrueName, FalseName;
8139
8140 std::tie(TrueTy, TrueName) =
8141 shouldNotPrintDirectly(Context,
8142 CO->getTrueExpr()->getType(),
8143 CO->getTrueExpr());
8144 std::tie(FalseTy, FalseName) =
8145 shouldNotPrintDirectly(Context,
8146 CO->getFalseExpr()->getType(),
8147 CO->getFalseExpr());
8148
8149 if (TrueTy == FalseTy)
8150 return std::make_pair(TrueTy, TrueName);
8151 else if (TrueTy.isNull())
8152 return std::make_pair(FalseTy, FalseName);
8153 else if (FalseTy.isNull())
8154 return std::make_pair(TrueTy, TrueName);
8155 }
8156
8157 return std::make_pair(QualType(), StringRef());
8158 }
8159
8160 /// Return true if \p ICE is an implicit argument promotion of an arithmetic
8161 /// type. Bit-field 'promotions' from a higher ranked type to a lower ranked
8162 /// type do not count.
8163 static bool
isArithmeticArgumentPromotion(Sema & S,const ImplicitCastExpr * ICE)8164 isArithmeticArgumentPromotion(Sema &S, const ImplicitCastExpr *ICE) {
8165 QualType From = ICE->getSubExpr()->getType();
8166 QualType To = ICE->getType();
8167 // It's an integer promotion if the destination type is the promoted
8168 // source type.
8169 if (ICE->getCastKind() == CK_IntegralCast &&
8170 S.Context.isPromotableIntegerType(From) &&
8171 S.Context.getPromotedIntegerType(From) == To)
8172 return true;
8173 // Look through vector types, since we do default argument promotion for
8174 // those in OpenCL.
8175 if (const auto *VecTy = From->getAs<ExtVectorType>())
8176 From = VecTy->getElementType();
8177 if (const auto *VecTy = To->getAs<ExtVectorType>())
8178 To = VecTy->getElementType();
8179 // It's a floating promotion if the source type is a lower rank.
8180 return ICE->getCastKind() == CK_FloatingCast &&
8181 S.Context.getFloatingTypeOrder(From, To) < 0;
8182 }
8183
8184 static analyze_format_string::ArgType::MatchKind
handleFormatSignedness(analyze_format_string::ArgType::MatchKind Match,DiagnosticsEngine & Diags,SourceLocation Loc)8185 handleFormatSignedness(analyze_format_string::ArgType::MatchKind Match,
8186 DiagnosticsEngine &Diags, SourceLocation Loc) {
8187 if (Match == analyze_format_string::ArgType::NoMatchSignedness) {
8188 Match =
8189 Diags.isIgnored(
8190 diag::warn_format_conversion_argument_type_mismatch_signedness, Loc)
8191 ? analyze_format_string::ArgType::Match
8192 : analyze_format_string::ArgType::NoMatch;
8193 }
8194 return Match;
8195 }
8196
8197 bool
checkFormatExpr(const analyze_printf::PrintfSpecifier & FS,const char * StartSpecifier,unsigned SpecifierLen,const Expr * E)8198 CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
8199 const char *StartSpecifier,
8200 unsigned SpecifierLen,
8201 const Expr *E) {
8202 using namespace analyze_format_string;
8203 using namespace analyze_printf;
8204
8205 // Now type check the data expression that matches the
8206 // format specifier.
8207 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, isObjCContext());
8208 if (!AT.isValid())
8209 return true;
8210
8211 QualType ExprTy = E->getType();
8212 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) {
8213 ExprTy = TET->getUnderlyingExpr()->getType();
8214 }
8215
8216 // When using the format attribute in C++, you can receive a function or an
8217 // array that will necessarily decay to a pointer when passed to the final
8218 // format consumer. Apply decay before type comparison.
8219 if (ExprTy->canDecayToPointerType())
8220 ExprTy = S.Context.getDecayedType(ExprTy);
8221
8222 // Diagnose attempts to print a boolean value as a character. Unlike other
8223 // -Wformat diagnostics, this is fine from a type perspective, but it still
8224 // doesn't make sense.
8225 if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::cArg &&
8226 E->isKnownToHaveBooleanValue()) {
8227 const CharSourceRange &CSR =
8228 getSpecifierRange(StartSpecifier, SpecifierLen);
8229 SmallString<4> FSString;
8230 llvm::raw_svector_ostream os(FSString);
8231 FS.toString(os);
8232 EmitFormatDiagnostic(S.PDiag(diag::warn_format_bool_as_character)
8233 << FSString,
8234 E->getExprLoc(), false, CSR);
8235 return true;
8236 }
8237
8238 // Diagnose attempts to use '%P' with ObjC object types, which will result in
8239 // dumping raw class data (like is-a pointer), not actual data.
8240 if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::PArg &&
8241 ExprTy->isObjCObjectPointerType()) {
8242 const CharSourceRange &CSR =
8243 getSpecifierRange(StartSpecifier, SpecifierLen);
8244 EmitFormatDiagnostic(S.PDiag(diag::warn_format_P_with_objc_pointer),
8245 E->getExprLoc(), false, CSR);
8246 return true;
8247 }
8248
8249 ArgType::MatchKind ImplicitMatch = ArgType::NoMatch;
8250 ArgType::MatchKind Match = AT.matchesType(S.Context, ExprTy);
8251 ArgType::MatchKind OrigMatch = Match;
8252
8253 Match = handleFormatSignedness(Match, S.getDiagnostics(), E->getExprLoc());
8254 if (Match == ArgType::Match)
8255 return true;
8256
8257 // NoMatchPromotionTypeConfusion should be only returned in ImplictCastExpr
8258 assert(Match != ArgType::NoMatchPromotionTypeConfusion);
8259
8260 // Look through argument promotions for our error message's reported type.
8261 // This includes the integral and floating promotions, but excludes array
8262 // and function pointer decay (seeing that an argument intended to be a
8263 // string has type 'char [6]' is probably more confusing than 'char *') and
8264 // certain bitfield promotions (bitfields can be 'demoted' to a lesser type).
8265 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
8266 if (isArithmeticArgumentPromotion(S, ICE)) {
8267 E = ICE->getSubExpr();
8268 ExprTy = E->getType();
8269
8270 // Check if we didn't match because of an implicit cast from a 'char'
8271 // or 'short' to an 'int'. This is done because printf is a varargs
8272 // function.
8273 if (ICE->getType() == S.Context.IntTy ||
8274 ICE->getType() == S.Context.UnsignedIntTy) {
8275 // All further checking is done on the subexpression
8276 ImplicitMatch = AT.matchesType(S.Context, ExprTy);
8277 if (OrigMatch == ArgType::NoMatchSignedness &&
8278 ImplicitMatch != ArgType::NoMatchSignedness)
8279 // If the original match was a signedness match this match on the
8280 // implicit cast type also need to be signedness match otherwise we
8281 // might introduce new unexpected warnings from -Wformat-signedness.
8282 return true;
8283 ImplicitMatch = handleFormatSignedness(
8284 ImplicitMatch, S.getDiagnostics(), E->getExprLoc());
8285 if (ImplicitMatch == ArgType::Match)
8286 return true;
8287 }
8288 }
8289 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) {
8290 // Special case for 'a', which has type 'int' in C.
8291 // Note, however, that we do /not/ want to treat multibyte constants like
8292 // 'MooV' as characters! This form is deprecated but still exists. In
8293 // addition, don't treat expressions as of type 'char' if one byte length
8294 // modifier is provided.
8295 if (ExprTy == S.Context.IntTy &&
8296 FS.getLengthModifier().getKind() != LengthModifier::AsChar)
8297 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) {
8298 ExprTy = S.Context.CharTy;
8299 // To improve check results, we consider a character literal in C
8300 // to be a 'char' rather than an 'int'. 'printf("%hd", 'a');' is
8301 // more likely a type confusion situation, so we will suggest to
8302 // use '%hhd' instead by discarding the MatchPromotion.
8303 if (Match == ArgType::MatchPromotion)
8304 Match = ArgType::NoMatch;
8305 }
8306 }
8307 if (Match == ArgType::MatchPromotion) {
8308 // WG14 N2562 only clarified promotions in *printf
8309 // For NSLog in ObjC, just preserve -Wformat behavior
8310 if (!S.getLangOpts().ObjC &&
8311 ImplicitMatch != ArgType::NoMatchPromotionTypeConfusion &&
8312 ImplicitMatch != ArgType::NoMatchTypeConfusion)
8313 return true;
8314 Match = ArgType::NoMatch;
8315 }
8316 if (ImplicitMatch == ArgType::NoMatchPedantic ||
8317 ImplicitMatch == ArgType::NoMatchTypeConfusion)
8318 Match = ImplicitMatch;
8319 assert(Match != ArgType::MatchPromotion);
8320
8321 // Look through unscoped enums to their underlying type.
8322 bool IsEnum = false;
8323 bool IsScopedEnum = false;
8324 QualType IntendedTy = ExprTy;
8325 if (auto EnumTy = ExprTy->getAs<EnumType>()) {
8326 IntendedTy = EnumTy->getDecl()->getIntegerType();
8327 if (EnumTy->isUnscopedEnumerationType()) {
8328 ExprTy = IntendedTy;
8329 // This controls whether we're talking about the underlying type or not,
8330 // which we only want to do when it's an unscoped enum.
8331 IsEnum = true;
8332 } else {
8333 IsScopedEnum = true;
8334 }
8335 }
8336
8337 // %C in an Objective-C context prints a unichar, not a wchar_t.
8338 // If the argument is an integer of some kind, believe the %C and suggest
8339 // a cast instead of changing the conversion specifier.
8340 if (isObjCContext() &&
8341 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) {
8342 if (ExprTy->isIntegralOrUnscopedEnumerationType() &&
8343 !ExprTy->isCharType()) {
8344 // 'unichar' is defined as a typedef of unsigned short, but we should
8345 // prefer using the typedef if it is visible.
8346 IntendedTy = S.Context.UnsignedShortTy;
8347
8348 // While we are here, check if the value is an IntegerLiteral that happens
8349 // to be within the valid range.
8350 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) {
8351 const llvm::APInt &V = IL->getValue();
8352 if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy))
8353 return true;
8354 }
8355
8356 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getBeginLoc(),
8357 Sema::LookupOrdinaryName);
8358 if (S.LookupName(Result, S.getCurScope())) {
8359 NamedDecl *ND = Result.getFoundDecl();
8360 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND))
8361 if (TD->getUnderlyingType() == IntendedTy)
8362 IntendedTy = S.Context.getTypedefType(TD);
8363 }
8364 }
8365 }
8366
8367 // Special-case some of Darwin's platform-independence types by suggesting
8368 // casts to primitive types that are known to be large enough.
8369 bool ShouldNotPrintDirectly = false; StringRef CastTyName;
8370 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) {
8371 QualType CastTy;
8372 std::tie(CastTy, CastTyName) = shouldNotPrintDirectly(S.Context, IntendedTy, E);
8373 if (!CastTy.isNull()) {
8374 // %zi/%zu and %td/%tu are OK to use for NSInteger/NSUInteger of type int
8375 // (long in ASTContext). Only complain to pedants or when they're the
8376 // underlying type of a scoped enum (which always needs a cast).
8377 if (!IsScopedEnum &&
8378 (CastTyName == "NSInteger" || CastTyName == "NSUInteger") &&
8379 (AT.isSizeT() || AT.isPtrdiffT()) &&
8380 AT.matchesType(S.Context, CastTy))
8381 Match = ArgType::NoMatchPedantic;
8382 IntendedTy = CastTy;
8383 ShouldNotPrintDirectly = true;
8384 }
8385 }
8386
8387 // We may be able to offer a FixItHint if it is a supported type.
8388 PrintfSpecifier fixedFS = FS;
8389 bool Success =
8390 fixedFS.fixType(IntendedTy, S.getLangOpts(), S.Context, isObjCContext());
8391
8392 if (Success) {
8393 // Get the fix string from the fixed format specifier
8394 SmallString<16> buf;
8395 llvm::raw_svector_ostream os(buf);
8396 fixedFS.toString(os);
8397
8398 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen);
8399
8400 if (IntendedTy == ExprTy && !ShouldNotPrintDirectly && !IsScopedEnum) {
8401 unsigned Diag;
8402 switch (Match) {
8403 case ArgType::Match:
8404 case ArgType::MatchPromotion:
8405 case ArgType::NoMatchPromotionTypeConfusion:
8406 case ArgType::NoMatchSignedness:
8407 llvm_unreachable("expected non-matching");
8408 case ArgType::NoMatchPedantic:
8409 Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
8410 break;
8411 case ArgType::NoMatchTypeConfusion:
8412 Diag = diag::warn_format_conversion_argument_type_mismatch_confusion;
8413 break;
8414 case ArgType::NoMatch:
8415 Diag = diag::warn_format_conversion_argument_type_mismatch;
8416 break;
8417 }
8418
8419 // In this case, the specifier is wrong and should be changed to match
8420 // the argument.
8421 EmitFormatDiagnostic(S.PDiag(Diag)
8422 << AT.getRepresentativeTypeName(S.Context)
8423 << IntendedTy << IsEnum << E->getSourceRange(),
8424 E->getBeginLoc(),
8425 /*IsStringLocation*/ false, SpecRange,
8426 FixItHint::CreateReplacement(SpecRange, os.str()));
8427 } else {
8428 // The canonical type for formatting this value is different from the
8429 // actual type of the expression. (This occurs, for example, with Darwin's
8430 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but
8431 // should be printed as 'long' for 64-bit compatibility.)
8432 // Rather than emitting a normal format/argument mismatch, we want to
8433 // add a cast to the recommended type (and correct the format string
8434 // if necessary). We should also do so for scoped enumerations.
8435 SmallString<16> CastBuf;
8436 llvm::raw_svector_ostream CastFix(CastBuf);
8437 CastFix << (S.LangOpts.CPlusPlus ? "static_cast<" : "(");
8438 IntendedTy.print(CastFix, S.Context.getPrintingPolicy());
8439 CastFix << (S.LangOpts.CPlusPlus ? ">" : ")");
8440
8441 SmallVector<FixItHint,4> Hints;
8442 ArgType::MatchKind IntendedMatch = AT.matchesType(S.Context, IntendedTy);
8443 IntendedMatch = handleFormatSignedness(IntendedMatch, S.getDiagnostics(),
8444 E->getExprLoc());
8445 if ((IntendedMatch != ArgType::Match) || ShouldNotPrintDirectly)
8446 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str()));
8447
8448 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) {
8449 // If there's already a cast present, just replace it.
8450 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc());
8451 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str()));
8452
8453 } else if (!requiresParensToAddCast(E) && !S.LangOpts.CPlusPlus) {
8454 // If the expression has high enough precedence,
8455 // just write the C-style cast.
8456 Hints.push_back(
8457 FixItHint::CreateInsertion(E->getBeginLoc(), CastFix.str()));
8458 } else {
8459 // Otherwise, add parens around the expression as well as the cast.
8460 CastFix << "(";
8461 Hints.push_back(
8462 FixItHint::CreateInsertion(E->getBeginLoc(), CastFix.str()));
8463
8464 // We don't use getLocForEndOfToken because it returns invalid source
8465 // locations for macro expansions (by design).
8466 SourceLocation EndLoc = S.SourceMgr.getSpellingLoc(E->getEndLoc());
8467 SourceLocation After = EndLoc.getLocWithOffset(
8468 Lexer::MeasureTokenLength(EndLoc, S.SourceMgr, S.LangOpts));
8469 Hints.push_back(FixItHint::CreateInsertion(After, ")"));
8470 }
8471
8472 if (ShouldNotPrintDirectly && !IsScopedEnum) {
8473 // The expression has a type that should not be printed directly.
8474 // We extract the name from the typedef because we don't want to show
8475 // the underlying type in the diagnostic.
8476 StringRef Name;
8477 if (const auto *TypedefTy = ExprTy->getAs<TypedefType>())
8478 Name = TypedefTy->getDecl()->getName();
8479 else
8480 Name = CastTyName;
8481 unsigned Diag = Match == ArgType::NoMatchPedantic
8482 ? diag::warn_format_argument_needs_cast_pedantic
8483 : diag::warn_format_argument_needs_cast;
8484 EmitFormatDiagnostic(S.PDiag(Diag) << Name << IntendedTy << IsEnum
8485 << E->getSourceRange(),
8486 E->getBeginLoc(), /*IsStringLocation=*/false,
8487 SpecRange, Hints);
8488 } else {
8489 // In this case, the expression could be printed using a different
8490 // specifier, but we've decided that the specifier is probably correct
8491 // and we should cast instead. Just use the normal warning message.
8492
8493 unsigned Diag =
8494 IsScopedEnum
8495 ? diag::warn_format_conversion_argument_type_mismatch_pedantic
8496 : diag::warn_format_conversion_argument_type_mismatch;
8497
8498 EmitFormatDiagnostic(
8499 S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
8500 << IsEnum << E->getSourceRange(),
8501 E->getBeginLoc(), /*IsStringLocation*/ false, SpecRange, Hints);
8502 }
8503 }
8504 } else {
8505 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier,
8506 SpecifierLen);
8507 // Since the warning for passing non-POD types to variadic functions
8508 // was deferred until now, we emit a warning for non-POD
8509 // arguments here.
8510 bool EmitTypeMismatch = false;
8511 switch (S.isValidVarArgType(ExprTy)) {
8512 case VarArgKind::Valid:
8513 case VarArgKind::ValidInCXX11: {
8514 unsigned Diag;
8515 switch (Match) {
8516 case ArgType::Match:
8517 case ArgType::MatchPromotion:
8518 case ArgType::NoMatchPromotionTypeConfusion:
8519 case ArgType::NoMatchSignedness:
8520 llvm_unreachable("expected non-matching");
8521 case ArgType::NoMatchPedantic:
8522 Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
8523 break;
8524 case ArgType::NoMatchTypeConfusion:
8525 Diag = diag::warn_format_conversion_argument_type_mismatch_confusion;
8526 break;
8527 case ArgType::NoMatch:
8528 Diag = diag::warn_format_conversion_argument_type_mismatch;
8529 break;
8530 }
8531
8532 EmitFormatDiagnostic(
8533 S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
8534 << IsEnum << CSR << E->getSourceRange(),
8535 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
8536 break;
8537 }
8538 case VarArgKind::Undefined:
8539 case VarArgKind::MSVCUndefined:
8540 if (CallType == VariadicCallType::DoesNotApply) {
8541 EmitTypeMismatch = true;
8542 } else {
8543 EmitFormatDiagnostic(
8544 S.PDiag(diag::warn_non_pod_vararg_with_format_string)
8545 << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
8546 << AT.getRepresentativeTypeName(S.Context) << CSR
8547 << E->getSourceRange(),
8548 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
8549 checkForCStrMembers(AT, E);
8550 }
8551 break;
8552
8553 case VarArgKind::Invalid:
8554 if (CallType == VariadicCallType::DoesNotApply)
8555 EmitTypeMismatch = true;
8556 else if (ExprTy->isObjCObjectType())
8557 EmitFormatDiagnostic(
8558 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format)
8559 << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
8560 << AT.getRepresentativeTypeName(S.Context) << CSR
8561 << E->getSourceRange(),
8562 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
8563 else
8564 // FIXME: If this is an initializer list, suggest removing the braces
8565 // or inserting a cast to the target type.
8566 S.Diag(E->getBeginLoc(), diag::err_cannot_pass_to_vararg_format)
8567 << isa<InitListExpr>(E) << ExprTy << CallType
8568 << AT.getRepresentativeTypeName(S.Context) << E->getSourceRange();
8569 break;
8570 }
8571
8572 if (EmitTypeMismatch) {
8573 // The function is not variadic, so we do not generate warnings about
8574 // being allowed to pass that object as a variadic argument. Instead,
8575 // since there are inherently no printf specifiers for types which cannot
8576 // be passed as variadic arguments, emit a plain old specifier mismatch
8577 // argument.
8578 EmitFormatDiagnostic(
8579 S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
8580 << AT.getRepresentativeTypeName(S.Context) << ExprTy << false
8581 << E->getSourceRange(),
8582 E->getBeginLoc(), false, CSR);
8583 }
8584
8585 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() &&
8586 "format string specifier index out of range");
8587 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true;
8588 }
8589
8590 return true;
8591 }
8592
8593 //===--- CHECK: Scanf format string checking ------------------------------===//
8594
8595 namespace {
8596
8597 class CheckScanfHandler : public CheckFormatHandler {
8598 public:
CheckScanfHandler(Sema & s,const FormatStringLiteral * fexpr,const Expr * origFormatExpr,FormatStringType type,unsigned firstDataArg,unsigned numDataArgs,const char * beg,Sema::FormatArgumentPassingKind APK,ArrayRef<const Expr * > Args,unsigned formatIdx,bool inFunctionCall,VariadicCallType CallType,llvm::SmallBitVector & CheckedVarArgs,UncoveredArgHandler & UncoveredArg)8599 CheckScanfHandler(Sema &s, const FormatStringLiteral *fexpr,
8600 const Expr *origFormatExpr, FormatStringType type,
8601 unsigned firstDataArg, unsigned numDataArgs,
8602 const char *beg, Sema::FormatArgumentPassingKind APK,
8603 ArrayRef<const Expr *> Args, unsigned formatIdx,
8604 bool inFunctionCall, VariadicCallType CallType,
8605 llvm::SmallBitVector &CheckedVarArgs,
8606 UncoveredArgHandler &UncoveredArg)
8607 : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
8608 numDataArgs, beg, APK, Args, formatIdx,
8609 inFunctionCall, CallType, CheckedVarArgs,
8610 UncoveredArg) {}
8611
8612 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
8613 const char *startSpecifier,
8614 unsigned specifierLen) override;
8615
8616 bool HandleInvalidScanfConversionSpecifier(
8617 const analyze_scanf::ScanfSpecifier &FS,
8618 const char *startSpecifier,
8619 unsigned specifierLen) override;
8620
8621 void HandleIncompleteScanList(const char *start, const char *end) override;
8622 };
8623
8624 } // namespace
8625
HandleIncompleteScanList(const char * start,const char * end)8626 void CheckScanfHandler::HandleIncompleteScanList(const char *start,
8627 const char *end) {
8628 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete),
8629 getLocationOfByte(end), /*IsStringLocation*/true,
8630 getSpecifierRange(start, end - start));
8631 }
8632
HandleInvalidScanfConversionSpecifier(const analyze_scanf::ScanfSpecifier & FS,const char * startSpecifier,unsigned specifierLen)8633 bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier(
8634 const analyze_scanf::ScanfSpecifier &FS,
8635 const char *startSpecifier,
8636 unsigned specifierLen) {
8637 const analyze_scanf::ScanfConversionSpecifier &CS =
8638 FS.getConversionSpecifier();
8639
8640 return HandleInvalidConversionSpecifier(FS.getArgIndex(),
8641 getLocationOfByte(CS.getStart()),
8642 startSpecifier, specifierLen,
8643 CS.getStart(), CS.getLength());
8644 }
8645
HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier & FS,const char * startSpecifier,unsigned specifierLen)8646 bool CheckScanfHandler::HandleScanfSpecifier(
8647 const analyze_scanf::ScanfSpecifier &FS,
8648 const char *startSpecifier,
8649 unsigned specifierLen) {
8650 using namespace analyze_scanf;
8651 using namespace analyze_format_string;
8652
8653 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier();
8654
8655 // Handle case where '%' and '*' don't consume an argument. These shouldn't
8656 // be used to decide if we are using positional arguments consistently.
8657 if (FS.consumesDataArgument()) {
8658 if (atFirstArg) {
8659 atFirstArg = false;
8660 usesPositionalArgs = FS.usesPositionalArg();
8661 }
8662 else if (usesPositionalArgs != FS.usesPositionalArg()) {
8663 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
8664 startSpecifier, specifierLen);
8665 return false;
8666 }
8667 }
8668
8669 // Check if the field with is non-zero.
8670 const OptionalAmount &Amt = FS.getFieldWidth();
8671 if (Amt.getHowSpecified() == OptionalAmount::Constant) {
8672 if (Amt.getConstantAmount() == 0) {
8673 const CharSourceRange &R = getSpecifierRange(Amt.getStart(),
8674 Amt.getConstantLength());
8675 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width),
8676 getLocationOfByte(Amt.getStart()),
8677 /*IsStringLocation*/true, R,
8678 FixItHint::CreateRemoval(R));
8679 }
8680 }
8681
8682 if (!FS.consumesDataArgument()) {
8683 // FIXME: Technically specifying a precision or field width here
8684 // makes no sense. Worth issuing a warning at some point.
8685 return true;
8686 }
8687
8688 // Consume the argument.
8689 unsigned argIndex = FS.getArgIndex();
8690 if (argIndex < NumDataArgs) {
8691 // The check to see if the argIndex is valid will come later.
8692 // We set the bit here because we may exit early from this
8693 // function if we encounter some other error.
8694 CoveredArgs.set(argIndex);
8695 }
8696
8697 // Check the length modifier is valid with the given conversion specifier.
8698 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo(),
8699 S.getLangOpts()))
8700 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
8701 diag::warn_format_nonsensical_length);
8702 else if (!FS.hasStandardLengthModifier())
8703 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
8704 else if (!FS.hasStandardLengthConversionCombination())
8705 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
8706 diag::warn_format_non_standard_conversion_spec);
8707
8708 if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
8709 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
8710
8711 // The remaining checks depend on the data arguments.
8712 if (!HasFormatArguments())
8713 return true;
8714
8715 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
8716 return false;
8717
8718 // Check that the argument type matches the format specifier.
8719 const Expr *Ex = getDataArg(argIndex);
8720 if (!Ex)
8721 return true;
8722
8723 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context);
8724
8725 if (!AT.isValid()) {
8726 return true;
8727 }
8728
8729 analyze_format_string::ArgType::MatchKind Match =
8730 AT.matchesType(S.Context, Ex->getType());
8731 Match = handleFormatSignedness(Match, S.getDiagnostics(), Ex->getExprLoc());
8732 bool Pedantic = Match == analyze_format_string::ArgType::NoMatchPedantic;
8733 if (Match == analyze_format_string::ArgType::Match)
8734 return true;
8735
8736 ScanfSpecifier fixedFS = FS;
8737 bool Success = fixedFS.fixType(Ex->getType(), Ex->IgnoreImpCasts()->getType(),
8738 S.getLangOpts(), S.Context);
8739
8740 unsigned Diag =
8741 Pedantic ? diag::warn_format_conversion_argument_type_mismatch_pedantic
8742 : diag::warn_format_conversion_argument_type_mismatch;
8743
8744 if (Success) {
8745 // Get the fix string from the fixed format specifier.
8746 SmallString<128> buf;
8747 llvm::raw_svector_ostream os(buf);
8748 fixedFS.toString(os);
8749
8750 EmitFormatDiagnostic(
8751 S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context)
8752 << Ex->getType() << false << Ex->getSourceRange(),
8753 Ex->getBeginLoc(),
8754 /*IsStringLocation*/ false,
8755 getSpecifierRange(startSpecifier, specifierLen),
8756 FixItHint::CreateReplacement(
8757 getSpecifierRange(startSpecifier, specifierLen), os.str()));
8758 } else {
8759 EmitFormatDiagnostic(S.PDiag(Diag)
8760 << AT.getRepresentativeTypeName(S.Context)
8761 << Ex->getType() << false << Ex->getSourceRange(),
8762 Ex->getBeginLoc(),
8763 /*IsStringLocation*/ false,
8764 getSpecifierRange(startSpecifier, specifierLen));
8765 }
8766
8767 return true;
8768 }
8769
CompareFormatSpecifiers(Sema & S,const StringLiteral * Ref,ArrayRef<EquatableFormatArgument> RefArgs,const StringLiteral * Fmt,ArrayRef<EquatableFormatArgument> FmtArgs,const Expr * FmtExpr,bool InFunctionCall)8770 static bool CompareFormatSpecifiers(Sema &S, const StringLiteral *Ref,
8771 ArrayRef<EquatableFormatArgument> RefArgs,
8772 const StringLiteral *Fmt,
8773 ArrayRef<EquatableFormatArgument> FmtArgs,
8774 const Expr *FmtExpr, bool InFunctionCall) {
8775 bool HadError = false;
8776 auto FmtIter = FmtArgs.begin(), FmtEnd = FmtArgs.end();
8777 auto RefIter = RefArgs.begin(), RefEnd = RefArgs.end();
8778 while (FmtIter < FmtEnd && RefIter < RefEnd) {
8779 // In positional-style format strings, the same specifier can appear
8780 // multiple times (like %2$i %2$d). Specifiers in both RefArgs and FmtArgs
8781 // are sorted by getPosition(), and we process each range of equal
8782 // getPosition() values as one group.
8783 // RefArgs are taken from a string literal that was given to
8784 // attribute(format_matches), and if we got this far, we have already
8785 // verified that if it has positional specifiers that appear in multiple
8786 // locations, then they are all mutually compatible. What's left for us to
8787 // do is verify that all specifiers with the same position in FmtArgs are
8788 // compatible with the RefArgs specifiers. We check each specifier from
8789 // FmtArgs against the first member of the RefArgs group.
8790 for (; FmtIter < FmtEnd; ++FmtIter) {
8791 // Clang does not diagnose missing format specifiers in positional-style
8792 // strings (TODO: which it probably should do, as it is UB to skip over a
8793 // format argument). Skip specifiers if needed.
8794 if (FmtIter->getPosition() < RefIter->getPosition())
8795 continue;
8796
8797 // Delimits a new getPosition() value.
8798 if (FmtIter->getPosition() > RefIter->getPosition())
8799 break;
8800
8801 HadError |=
8802 !FmtIter->VerifyCompatible(S, *RefIter, FmtExpr, InFunctionCall);
8803 }
8804
8805 // Jump RefIter to the start of the next group.
8806 RefIter = std::find_if(RefIter + 1, RefEnd, [=](const auto &Arg) {
8807 return Arg.getPosition() != RefIter->getPosition();
8808 });
8809 }
8810
8811 if (FmtIter < FmtEnd) {
8812 CheckFormatHandler::EmitFormatDiagnostic(
8813 S, InFunctionCall, FmtExpr,
8814 S.PDiag(diag::warn_format_cmp_specifier_arity) << 1,
8815 FmtExpr->getBeginLoc(), false, FmtIter->getSourceRange());
8816 HadError = S.Diag(Ref->getBeginLoc(), diag::note_format_cmp_with) << 1;
8817 } else if (RefIter < RefEnd) {
8818 CheckFormatHandler::EmitFormatDiagnostic(
8819 S, InFunctionCall, FmtExpr,
8820 S.PDiag(diag::warn_format_cmp_specifier_arity) << 0,
8821 FmtExpr->getBeginLoc(), false, Fmt->getSourceRange());
8822 HadError = S.Diag(Ref->getBeginLoc(), diag::note_format_cmp_with)
8823 << 1 << RefIter->getSourceRange();
8824 }
8825 return !HadError;
8826 }
8827
CheckFormatString(Sema & S,const FormatStringLiteral * FExpr,const StringLiteral * ReferenceFormatString,const Expr * OrigFormatExpr,ArrayRef<const Expr * > Args,Sema::FormatArgumentPassingKind APK,unsigned format_idx,unsigned firstDataArg,FormatStringType Type,bool inFunctionCall,VariadicCallType CallType,llvm::SmallBitVector & CheckedVarArgs,UncoveredArgHandler & UncoveredArg,bool IgnoreStringsWithoutSpecifiers)8828 static void CheckFormatString(
8829 Sema &S, const FormatStringLiteral *FExpr,
8830 const StringLiteral *ReferenceFormatString, const Expr *OrigFormatExpr,
8831 ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
8832 unsigned format_idx, unsigned firstDataArg, FormatStringType Type,
8833 bool inFunctionCall, VariadicCallType CallType,
8834 llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
8835 bool IgnoreStringsWithoutSpecifiers) {
8836 // CHECK: is the format string a wide literal?
8837 if (!FExpr->isAscii() && !FExpr->isUTF8()) {
8838 CheckFormatHandler::EmitFormatDiagnostic(
8839 S, inFunctionCall, Args[format_idx],
8840 S.PDiag(diag::warn_format_string_is_wide_literal), FExpr->getBeginLoc(),
8841 /*IsStringLocation*/ true, OrigFormatExpr->getSourceRange());
8842 return;
8843 }
8844
8845 // Str - The format string. NOTE: this is NOT null-terminated!
8846 StringRef StrRef = FExpr->getString();
8847 const char *Str = StrRef.data();
8848 // Account for cases where the string literal is truncated in a declaration.
8849 const ConstantArrayType *T =
8850 S.Context.getAsConstantArrayType(FExpr->getType());
8851 assert(T && "String literal not of constant array type!");
8852 size_t TypeSize = T->getZExtSize();
8853 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size());
8854 const unsigned numDataArgs = Args.size() - firstDataArg;
8855
8856 if (IgnoreStringsWithoutSpecifiers &&
8857 !analyze_format_string::parseFormatStringHasFormattingSpecifiers(
8858 Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo()))
8859 return;
8860
8861 // Emit a warning if the string literal is truncated and does not contain an
8862 // embedded null character.
8863 if (TypeSize <= StrRef.size() && !StrRef.substr(0, TypeSize).contains('\0')) {
8864 CheckFormatHandler::EmitFormatDiagnostic(
8865 S, inFunctionCall, Args[format_idx],
8866 S.PDiag(diag::warn_printf_format_string_not_null_terminated),
8867 FExpr->getBeginLoc(),
8868 /*IsStringLocation=*/true, OrigFormatExpr->getSourceRange());
8869 return;
8870 }
8871
8872 // CHECK: empty format string?
8873 if (StrLen == 0 && numDataArgs > 0) {
8874 CheckFormatHandler::EmitFormatDiagnostic(
8875 S, inFunctionCall, Args[format_idx],
8876 S.PDiag(diag::warn_empty_format_string), FExpr->getBeginLoc(),
8877 /*IsStringLocation*/ true, OrigFormatExpr->getSourceRange());
8878 return;
8879 }
8880
8881 if (Type == FormatStringType::Printf || Type == FormatStringType::NSString ||
8882 Type == FormatStringType::Kprintf ||
8883 Type == FormatStringType::FreeBSDKPrintf ||
8884 Type == FormatStringType::OSLog || Type == FormatStringType::OSTrace ||
8885 Type == FormatStringType::Syslog) {
8886 bool IsObjC =
8887 Type == FormatStringType::NSString || Type == FormatStringType::OSTrace;
8888 if (ReferenceFormatString == nullptr) {
8889 CheckPrintfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
8890 numDataArgs, IsObjC, Str, APK, Args, format_idx,
8891 inFunctionCall, CallType, CheckedVarArgs,
8892 UncoveredArg);
8893
8894 if (!analyze_format_string::ParsePrintfString(
8895 H, Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo(),
8896 Type == FormatStringType::Kprintf ||
8897 Type == FormatStringType::FreeBSDKPrintf))
8898 H.DoneProcessing();
8899 } else {
8900 S.CheckFormatStringsCompatible(
8901 Type, ReferenceFormatString, FExpr->getFormatString(),
8902 inFunctionCall ? nullptr : Args[format_idx]);
8903 }
8904 } else if (Type == FormatStringType::Scanf) {
8905 CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
8906 numDataArgs, Str, APK, Args, format_idx, inFunctionCall,
8907 CallType, CheckedVarArgs, UncoveredArg);
8908
8909 if (!analyze_format_string::ParseScanfString(
8910 H, Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo()))
8911 H.DoneProcessing();
8912 } // TODO: handle other formats
8913 }
8914
CheckFormatStringsCompatible(FormatStringType Type,const StringLiteral * AuthoritativeFormatString,const StringLiteral * TestedFormatString,const Expr * FunctionCallArg)8915 bool Sema::CheckFormatStringsCompatible(
8916 FormatStringType Type, const StringLiteral *AuthoritativeFormatString,
8917 const StringLiteral *TestedFormatString, const Expr *FunctionCallArg) {
8918 if (Type != FormatStringType::Printf && Type != FormatStringType::NSString &&
8919 Type != FormatStringType::Kprintf &&
8920 Type != FormatStringType::FreeBSDKPrintf &&
8921 Type != FormatStringType::OSLog && Type != FormatStringType::OSTrace &&
8922 Type != FormatStringType::Syslog)
8923 return true;
8924
8925 bool IsObjC =
8926 Type == FormatStringType::NSString || Type == FormatStringType::OSTrace;
8927 llvm::SmallVector<EquatableFormatArgument, 9> RefArgs, FmtArgs;
8928 FormatStringLiteral RefLit = AuthoritativeFormatString;
8929 FormatStringLiteral TestLit = TestedFormatString;
8930 const Expr *Arg;
8931 bool DiagAtStringLiteral;
8932 if (FunctionCallArg) {
8933 Arg = FunctionCallArg;
8934 DiagAtStringLiteral = false;
8935 } else {
8936 Arg = TestedFormatString;
8937 DiagAtStringLiteral = true;
8938 }
8939 if (DecomposePrintfHandler::GetSpecifiers(*this, &RefLit,
8940 AuthoritativeFormatString, Type,
8941 IsObjC, true, RefArgs) &&
8942 DecomposePrintfHandler::GetSpecifiers(*this, &TestLit, Arg, Type, IsObjC,
8943 DiagAtStringLiteral, FmtArgs)) {
8944 return CompareFormatSpecifiers(*this, AuthoritativeFormatString, RefArgs,
8945 TestedFormatString, FmtArgs, Arg,
8946 DiagAtStringLiteral);
8947 }
8948 return false;
8949 }
8950
ValidateFormatString(FormatStringType Type,const StringLiteral * Str)8951 bool Sema::ValidateFormatString(FormatStringType Type,
8952 const StringLiteral *Str) {
8953 if (Type != FormatStringType::Printf && Type != FormatStringType::NSString &&
8954 Type != FormatStringType::Kprintf &&
8955 Type != FormatStringType::FreeBSDKPrintf &&
8956 Type != FormatStringType::OSLog && Type != FormatStringType::OSTrace &&
8957 Type != FormatStringType::Syslog)
8958 return true;
8959
8960 FormatStringLiteral RefLit = Str;
8961 llvm::SmallVector<EquatableFormatArgument, 9> Args;
8962 bool IsObjC =
8963 Type == FormatStringType::NSString || Type == FormatStringType::OSTrace;
8964 if (!DecomposePrintfHandler::GetSpecifiers(*this, &RefLit, Str, Type, IsObjC,
8965 true, Args))
8966 return false;
8967
8968 // Group arguments by getPosition() value, and check that each member of the
8969 // group is compatible with the first member. This verifies that when
8970 // positional arguments are used multiple times (such as %2$i %2$d), all uses
8971 // are mutually compatible. As an optimization, don't test the first member
8972 // against itself.
8973 bool HadError = false;
8974 auto Iter = Args.begin();
8975 auto End = Args.end();
8976 while (Iter != End) {
8977 const auto &FirstInGroup = *Iter;
8978 for (++Iter;
8979 Iter != End && Iter->getPosition() == FirstInGroup.getPosition();
8980 ++Iter) {
8981 HadError |= !Iter->VerifyCompatible(*this, FirstInGroup, Str, true);
8982 }
8983 }
8984 return !HadError;
8985 }
8986
FormatStringHasSArg(const StringLiteral * FExpr)8987 bool Sema::FormatStringHasSArg(const StringLiteral *FExpr) {
8988 // Str - The format string. NOTE: this is NOT null-terminated!
8989 StringRef StrRef = FExpr->getString();
8990 const char *Str = StrRef.data();
8991 // Account for cases where the string literal is truncated in a declaration.
8992 const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType());
8993 assert(T && "String literal not of constant array type!");
8994 size_t TypeSize = T->getZExtSize();
8995 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size());
8996 return analyze_format_string::ParseFormatStringHasSArg(Str, Str + StrLen,
8997 getLangOpts(),
8998 Context.getTargetInfo());
8999 }
9000
9001 //===--- CHECK: Warn on use of wrong absolute value function. -------------===//
9002
9003 // Returns the related absolute value function that is larger, of 0 if one
9004 // does not exist.
getLargerAbsoluteValueFunction(unsigned AbsFunction)9005 static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) {
9006 switch (AbsFunction) {
9007 default:
9008 return 0;
9009
9010 case Builtin::BI__builtin_abs:
9011 return Builtin::BI__builtin_labs;
9012 case Builtin::BI__builtin_labs:
9013 return Builtin::BI__builtin_llabs;
9014 case Builtin::BI__builtin_llabs:
9015 return 0;
9016
9017 case Builtin::BI__builtin_fabsf:
9018 return Builtin::BI__builtin_fabs;
9019 case Builtin::BI__builtin_fabs:
9020 return Builtin::BI__builtin_fabsl;
9021 case Builtin::BI__builtin_fabsl:
9022 return 0;
9023
9024 case Builtin::BI__builtin_cabsf:
9025 return Builtin::BI__builtin_cabs;
9026 case Builtin::BI__builtin_cabs:
9027 return Builtin::BI__builtin_cabsl;
9028 case Builtin::BI__builtin_cabsl:
9029 return 0;
9030
9031 case Builtin::BIabs:
9032 return Builtin::BIlabs;
9033 case Builtin::BIlabs:
9034 return Builtin::BIllabs;
9035 case Builtin::BIllabs:
9036 return 0;
9037
9038 case Builtin::BIfabsf:
9039 return Builtin::BIfabs;
9040 case Builtin::BIfabs:
9041 return Builtin::BIfabsl;
9042 case Builtin::BIfabsl:
9043 return 0;
9044
9045 case Builtin::BIcabsf:
9046 return Builtin::BIcabs;
9047 case Builtin::BIcabs:
9048 return Builtin::BIcabsl;
9049 case Builtin::BIcabsl:
9050 return 0;
9051 }
9052 }
9053
9054 // Returns the argument type of the absolute value function.
getAbsoluteValueArgumentType(ASTContext & Context,unsigned AbsType)9055 static QualType getAbsoluteValueArgumentType(ASTContext &Context,
9056 unsigned AbsType) {
9057 if (AbsType == 0)
9058 return QualType();
9059
9060 ASTContext::GetBuiltinTypeError Error = ASTContext::GE_None;
9061 QualType BuiltinType = Context.GetBuiltinType(AbsType, Error);
9062 if (Error != ASTContext::GE_None)
9063 return QualType();
9064
9065 const FunctionProtoType *FT = BuiltinType->getAs<FunctionProtoType>();
9066 if (!FT)
9067 return QualType();
9068
9069 if (FT->getNumParams() != 1)
9070 return QualType();
9071
9072 return FT->getParamType(0);
9073 }
9074
9075 // Returns the best absolute value function, or zero, based on type and
9076 // current absolute value function.
getBestAbsFunction(ASTContext & Context,QualType ArgType,unsigned AbsFunctionKind)9077 static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType,
9078 unsigned AbsFunctionKind) {
9079 unsigned BestKind = 0;
9080 uint64_t ArgSize = Context.getTypeSize(ArgType);
9081 for (unsigned Kind = AbsFunctionKind; Kind != 0;
9082 Kind = getLargerAbsoluteValueFunction(Kind)) {
9083 QualType ParamType = getAbsoluteValueArgumentType(Context, Kind);
9084 if (Context.getTypeSize(ParamType) >= ArgSize) {
9085 if (BestKind == 0)
9086 BestKind = Kind;
9087 else if (Context.hasSameType(ParamType, ArgType)) {
9088 BestKind = Kind;
9089 break;
9090 }
9091 }
9092 }
9093 return BestKind;
9094 }
9095
9096 enum AbsoluteValueKind {
9097 AVK_Integer,
9098 AVK_Floating,
9099 AVK_Complex
9100 };
9101
getAbsoluteValueKind(QualType T)9102 static AbsoluteValueKind getAbsoluteValueKind(QualType T) {
9103 if (T->isIntegralOrEnumerationType())
9104 return AVK_Integer;
9105 if (T->isRealFloatingType())
9106 return AVK_Floating;
9107 if (T->isAnyComplexType())
9108 return AVK_Complex;
9109
9110 llvm_unreachable("Type not integer, floating, or complex");
9111 }
9112
9113 // Changes the absolute value function to a different type. Preserves whether
9114 // the function is a builtin.
changeAbsFunction(unsigned AbsKind,AbsoluteValueKind ValueKind)9115 static unsigned changeAbsFunction(unsigned AbsKind,
9116 AbsoluteValueKind ValueKind) {
9117 switch (ValueKind) {
9118 case AVK_Integer:
9119 switch (AbsKind) {
9120 default:
9121 return 0;
9122 case Builtin::BI__builtin_fabsf:
9123 case Builtin::BI__builtin_fabs:
9124 case Builtin::BI__builtin_fabsl:
9125 case Builtin::BI__builtin_cabsf:
9126 case Builtin::BI__builtin_cabs:
9127 case Builtin::BI__builtin_cabsl:
9128 return Builtin::BI__builtin_abs;
9129 case Builtin::BIfabsf:
9130 case Builtin::BIfabs:
9131 case Builtin::BIfabsl:
9132 case Builtin::BIcabsf:
9133 case Builtin::BIcabs:
9134 case Builtin::BIcabsl:
9135 return Builtin::BIabs;
9136 }
9137 case AVK_Floating:
9138 switch (AbsKind) {
9139 default:
9140 return 0;
9141 case Builtin::BI__builtin_abs:
9142 case Builtin::BI__builtin_labs:
9143 case Builtin::BI__builtin_llabs:
9144 case Builtin::BI__builtin_cabsf:
9145 case Builtin::BI__builtin_cabs:
9146 case Builtin::BI__builtin_cabsl:
9147 return Builtin::BI__builtin_fabsf;
9148 case Builtin::BIabs:
9149 case Builtin::BIlabs:
9150 case Builtin::BIllabs:
9151 case Builtin::BIcabsf:
9152 case Builtin::BIcabs:
9153 case Builtin::BIcabsl:
9154 return Builtin::BIfabsf;
9155 }
9156 case AVK_Complex:
9157 switch (AbsKind) {
9158 default:
9159 return 0;
9160 case Builtin::BI__builtin_abs:
9161 case Builtin::BI__builtin_labs:
9162 case Builtin::BI__builtin_llabs:
9163 case Builtin::BI__builtin_fabsf:
9164 case Builtin::BI__builtin_fabs:
9165 case Builtin::BI__builtin_fabsl:
9166 return Builtin::BI__builtin_cabsf;
9167 case Builtin::BIabs:
9168 case Builtin::BIlabs:
9169 case Builtin::BIllabs:
9170 case Builtin::BIfabsf:
9171 case Builtin::BIfabs:
9172 case Builtin::BIfabsl:
9173 return Builtin::BIcabsf;
9174 }
9175 }
9176 llvm_unreachable("Unable to convert function");
9177 }
9178
getAbsoluteValueFunctionKind(const FunctionDecl * FDecl)9179 static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) {
9180 const IdentifierInfo *FnInfo = FDecl->getIdentifier();
9181 if (!FnInfo)
9182 return 0;
9183
9184 switch (FDecl->getBuiltinID()) {
9185 default:
9186 return 0;
9187 case Builtin::BI__builtin_abs:
9188 case Builtin::BI__builtin_fabs:
9189 case Builtin::BI__builtin_fabsf:
9190 case Builtin::BI__builtin_fabsl:
9191 case Builtin::BI__builtin_labs:
9192 case Builtin::BI__builtin_llabs:
9193 case Builtin::BI__builtin_cabs:
9194 case Builtin::BI__builtin_cabsf:
9195 case Builtin::BI__builtin_cabsl:
9196 case Builtin::BIabs:
9197 case Builtin::BIlabs:
9198 case Builtin::BIllabs:
9199 case Builtin::BIfabs:
9200 case Builtin::BIfabsf:
9201 case Builtin::BIfabsl:
9202 case Builtin::BIcabs:
9203 case Builtin::BIcabsf:
9204 case Builtin::BIcabsl:
9205 return FDecl->getBuiltinID();
9206 }
9207 llvm_unreachable("Unknown Builtin type");
9208 }
9209
9210 // If the replacement is valid, emit a note with replacement function.
9211 // Additionally, suggest including the proper header if not already included.
emitReplacement(Sema & S,SourceLocation Loc,SourceRange Range,unsigned AbsKind,QualType ArgType)9212 static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range,
9213 unsigned AbsKind, QualType ArgType) {
9214 bool EmitHeaderHint = true;
9215 const char *HeaderName = nullptr;
9216 std::string FunctionName;
9217 if (S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType()) {
9218 FunctionName = "std::abs";
9219 if (ArgType->isIntegralOrEnumerationType()) {
9220 HeaderName = "cstdlib";
9221 } else if (ArgType->isRealFloatingType()) {
9222 HeaderName = "cmath";
9223 } else {
9224 llvm_unreachable("Invalid Type");
9225 }
9226
9227 // Lookup all std::abs
9228 if (NamespaceDecl *Std = S.getStdNamespace()) {
9229 LookupResult R(S, &S.Context.Idents.get("abs"), Loc, Sema::LookupAnyName);
9230 R.suppressDiagnostics();
9231 S.LookupQualifiedName(R, Std);
9232
9233 for (const auto *I : R) {
9234 const FunctionDecl *FDecl = nullptr;
9235 if (const UsingShadowDecl *UsingD = dyn_cast<UsingShadowDecl>(I)) {
9236 FDecl = dyn_cast<FunctionDecl>(UsingD->getTargetDecl());
9237 } else {
9238 FDecl = dyn_cast<FunctionDecl>(I);
9239 }
9240 if (!FDecl)
9241 continue;
9242
9243 // Found std::abs(), check that they are the right ones.
9244 if (FDecl->getNumParams() != 1)
9245 continue;
9246
9247 // Check that the parameter type can handle the argument.
9248 QualType ParamType = FDecl->getParamDecl(0)->getType();
9249 if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) &&
9250 S.Context.getTypeSize(ArgType) <=
9251 S.Context.getTypeSize(ParamType)) {
9252 // Found a function, don't need the header hint.
9253 EmitHeaderHint = false;
9254 break;
9255 }
9256 }
9257 }
9258 } else {
9259 FunctionName = S.Context.BuiltinInfo.getName(AbsKind);
9260 HeaderName = S.Context.BuiltinInfo.getHeaderName(AbsKind);
9261
9262 if (HeaderName) {
9263 DeclarationName DN(&S.Context.Idents.get(FunctionName));
9264 LookupResult R(S, DN, Loc, Sema::LookupAnyName);
9265 R.suppressDiagnostics();
9266 S.LookupName(R, S.getCurScope());
9267
9268 if (R.isSingleResult()) {
9269 FunctionDecl *FD = dyn_cast<FunctionDecl>(R.getFoundDecl());
9270 if (FD && FD->getBuiltinID() == AbsKind) {
9271 EmitHeaderHint = false;
9272 } else {
9273 return;
9274 }
9275 } else if (!R.empty()) {
9276 return;
9277 }
9278 }
9279 }
9280
9281 S.Diag(Loc, diag::note_replace_abs_function)
9282 << FunctionName << FixItHint::CreateReplacement(Range, FunctionName);
9283
9284 if (!HeaderName)
9285 return;
9286
9287 if (!EmitHeaderHint)
9288 return;
9289
9290 S.Diag(Loc, diag::note_include_header_or_declare) << HeaderName
9291 << FunctionName;
9292 }
9293
9294 template <std::size_t StrLen>
IsStdFunction(const FunctionDecl * FDecl,const char (& Str)[StrLen])9295 static bool IsStdFunction(const FunctionDecl *FDecl,
9296 const char (&Str)[StrLen]) {
9297 if (!FDecl)
9298 return false;
9299 if (!FDecl->getIdentifier() || !FDecl->getIdentifier()->isStr(Str))
9300 return false;
9301 if (!FDecl->isInStdNamespace())
9302 return false;
9303
9304 return true;
9305 }
9306
9307 enum class MathCheck { NaN, Inf };
IsInfOrNanFunction(StringRef calleeName,MathCheck Check)9308 static bool IsInfOrNanFunction(StringRef calleeName, MathCheck Check) {
9309 auto MatchesAny = [&](std::initializer_list<llvm::StringRef> names) {
9310 return llvm::is_contained(names, calleeName);
9311 };
9312
9313 switch (Check) {
9314 case MathCheck::NaN:
9315 return MatchesAny({"__builtin_nan", "__builtin_nanf", "__builtin_nanl",
9316 "__builtin_nanf16", "__builtin_nanf128"});
9317 case MathCheck::Inf:
9318 return MatchesAny({"__builtin_inf", "__builtin_inff", "__builtin_infl",
9319 "__builtin_inff16", "__builtin_inff128"});
9320 }
9321 llvm_unreachable("unknown MathCheck");
9322 }
9323
IsInfinityFunction(const FunctionDecl * FDecl)9324 static bool IsInfinityFunction(const FunctionDecl *FDecl) {
9325 if (FDecl->getName() != "infinity")
9326 return false;
9327
9328 if (const CXXMethodDecl *MDecl = dyn_cast<CXXMethodDecl>(FDecl)) {
9329 const CXXRecordDecl *RDecl = MDecl->getParent();
9330 if (RDecl->getName() != "numeric_limits")
9331 return false;
9332
9333 if (const NamespaceDecl *NSDecl =
9334 dyn_cast<NamespaceDecl>(RDecl->getDeclContext()))
9335 return NSDecl->isStdNamespace();
9336 }
9337
9338 return false;
9339 }
9340
CheckInfNaNFunction(const CallExpr * Call,const FunctionDecl * FDecl)9341 void Sema::CheckInfNaNFunction(const CallExpr *Call,
9342 const FunctionDecl *FDecl) {
9343 if (!FDecl->getIdentifier())
9344 return;
9345
9346 FPOptions FPO = Call->getFPFeaturesInEffect(getLangOpts());
9347 if (FPO.getNoHonorNaNs() &&
9348 (IsStdFunction(FDecl, "isnan") || IsStdFunction(FDecl, "isunordered") ||
9349 IsInfOrNanFunction(FDecl->getName(), MathCheck::NaN))) {
9350 Diag(Call->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
9351 << 1 << 0 << Call->getSourceRange();
9352 return;
9353 }
9354
9355 if (FPO.getNoHonorInfs() &&
9356 (IsStdFunction(FDecl, "isinf") || IsStdFunction(FDecl, "isfinite") ||
9357 IsInfinityFunction(FDecl) ||
9358 IsInfOrNanFunction(FDecl->getName(), MathCheck::Inf))) {
9359 Diag(Call->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
9360 << 0 << 0 << Call->getSourceRange();
9361 }
9362 }
9363
CheckAbsoluteValueFunction(const CallExpr * Call,const FunctionDecl * FDecl)9364 void Sema::CheckAbsoluteValueFunction(const CallExpr *Call,
9365 const FunctionDecl *FDecl) {
9366 if (Call->getNumArgs() != 1)
9367 return;
9368
9369 unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl);
9370 bool IsStdAbs = IsStdFunction(FDecl, "abs");
9371 if (AbsKind == 0 && !IsStdAbs)
9372 return;
9373
9374 QualType ArgType = Call->getArg(0)->IgnoreParenImpCasts()->getType();
9375 QualType ParamType = Call->getArg(0)->getType();
9376
9377 // Unsigned types cannot be negative. Suggest removing the absolute value
9378 // function call.
9379 if (ArgType->isUnsignedIntegerType()) {
9380 std::string FunctionName =
9381 IsStdAbs ? "std::abs" : Context.BuiltinInfo.getName(AbsKind);
9382 Diag(Call->getExprLoc(), diag::warn_unsigned_abs) << ArgType << ParamType;
9383 Diag(Call->getExprLoc(), diag::note_remove_abs)
9384 << FunctionName
9385 << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange());
9386 return;
9387 }
9388
9389 // Taking the absolute value of a pointer is very suspicious, they probably
9390 // wanted to index into an array, dereference a pointer, call a function, etc.
9391 if (ArgType->isPointerType() || ArgType->canDecayToPointerType()) {
9392 unsigned DiagType = 0;
9393 if (ArgType->isFunctionType())
9394 DiagType = 1;
9395 else if (ArgType->isArrayType())
9396 DiagType = 2;
9397
9398 Diag(Call->getExprLoc(), diag::warn_pointer_abs) << DiagType << ArgType;
9399 return;
9400 }
9401
9402 // std::abs has overloads which prevent most of the absolute value problems
9403 // from occurring.
9404 if (IsStdAbs)
9405 return;
9406
9407 AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType);
9408 AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType);
9409
9410 // The argument and parameter are the same kind. Check if they are the right
9411 // size.
9412 if (ArgValueKind == ParamValueKind) {
9413 if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType))
9414 return;
9415
9416 unsigned NewAbsKind = getBestAbsFunction(Context, ArgType, AbsKind);
9417 Diag(Call->getExprLoc(), diag::warn_abs_too_small)
9418 << FDecl << ArgType << ParamType;
9419
9420 if (NewAbsKind == 0)
9421 return;
9422
9423 emitReplacement(*this, Call->getExprLoc(),
9424 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
9425 return;
9426 }
9427
9428 // ArgValueKind != ParamValueKind
9429 // The wrong type of absolute value function was used. Attempt to find the
9430 // proper one.
9431 unsigned NewAbsKind = changeAbsFunction(AbsKind, ArgValueKind);
9432 NewAbsKind = getBestAbsFunction(Context, ArgType, NewAbsKind);
9433 if (NewAbsKind == 0)
9434 return;
9435
9436 Diag(Call->getExprLoc(), diag::warn_wrong_absolute_value_type)
9437 << FDecl << ParamValueKind << ArgValueKind;
9438
9439 emitReplacement(*this, Call->getExprLoc(),
9440 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
9441 }
9442
9443 //===--- CHECK: Warn on use of std::max and unsigned zero. r---------------===//
CheckMaxUnsignedZero(const CallExpr * Call,const FunctionDecl * FDecl)9444 void Sema::CheckMaxUnsignedZero(const CallExpr *Call,
9445 const FunctionDecl *FDecl) {
9446 if (!Call || !FDecl) return;
9447
9448 // Ignore template specializations and macros.
9449 if (inTemplateInstantiation()) return;
9450 if (Call->getExprLoc().isMacroID()) return;
9451
9452 // Only care about the one template argument, two function parameter std::max
9453 if (Call->getNumArgs() != 2) return;
9454 if (!IsStdFunction(FDecl, "max")) return;
9455 const auto * ArgList = FDecl->getTemplateSpecializationArgs();
9456 if (!ArgList) return;
9457 if (ArgList->size() != 1) return;
9458
9459 // Check that template type argument is unsigned integer.
9460 const auto& TA = ArgList->get(0);
9461 if (TA.getKind() != TemplateArgument::Type) return;
9462 QualType ArgType = TA.getAsType();
9463 if (!ArgType->isUnsignedIntegerType()) return;
9464
9465 // See if either argument is a literal zero.
9466 auto IsLiteralZeroArg = [](const Expr* E) -> bool {
9467 const auto *MTE = dyn_cast<MaterializeTemporaryExpr>(E);
9468 if (!MTE) return false;
9469 const auto *Num = dyn_cast<IntegerLiteral>(MTE->getSubExpr());
9470 if (!Num) return false;
9471 if (Num->getValue() != 0) return false;
9472 return true;
9473 };
9474
9475 const Expr *FirstArg = Call->getArg(0);
9476 const Expr *SecondArg = Call->getArg(1);
9477 const bool IsFirstArgZero = IsLiteralZeroArg(FirstArg);
9478 const bool IsSecondArgZero = IsLiteralZeroArg(SecondArg);
9479
9480 // Only warn when exactly one argument is zero.
9481 if (IsFirstArgZero == IsSecondArgZero) return;
9482
9483 SourceRange FirstRange = FirstArg->getSourceRange();
9484 SourceRange SecondRange = SecondArg->getSourceRange();
9485
9486 SourceRange ZeroRange = IsFirstArgZero ? FirstRange : SecondRange;
9487
9488 Diag(Call->getExprLoc(), diag::warn_max_unsigned_zero)
9489 << IsFirstArgZero << Call->getCallee()->getSourceRange() << ZeroRange;
9490
9491 // Deduce what parts to remove so that "std::max(0u, foo)" becomes "(foo)".
9492 SourceRange RemovalRange;
9493 if (IsFirstArgZero) {
9494 RemovalRange = SourceRange(FirstRange.getBegin(),
9495 SecondRange.getBegin().getLocWithOffset(-1));
9496 } else {
9497 RemovalRange = SourceRange(getLocForEndOfToken(FirstRange.getEnd()),
9498 SecondRange.getEnd());
9499 }
9500
9501 Diag(Call->getExprLoc(), diag::note_remove_max_call)
9502 << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange())
9503 << FixItHint::CreateRemoval(RemovalRange);
9504 }
9505
9506 //===--- CHECK: Standard memory functions ---------------------------------===//
9507
9508 /// Takes the expression passed to the size_t parameter of functions
9509 /// such as memcmp, strncat, etc and warns if it's a comparison.
9510 ///
9511 /// This is to catch typos like `if (memcmp(&a, &b, sizeof(a) > 0))`.
CheckMemorySizeofForComparison(Sema & S,const Expr * E,const IdentifierInfo * FnName,SourceLocation FnLoc,SourceLocation RParenLoc)9512 static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E,
9513 const IdentifierInfo *FnName,
9514 SourceLocation FnLoc,
9515 SourceLocation RParenLoc) {
9516 const auto *Size = dyn_cast<BinaryOperator>(E);
9517 if (!Size)
9518 return false;
9519
9520 // if E is binop and op is <=>, >, <, >=, <=, ==, &&, ||:
9521 if (!Size->isComparisonOp() && !Size->isLogicalOp())
9522 return false;
9523
9524 SourceRange SizeRange = Size->getSourceRange();
9525 S.Diag(Size->getOperatorLoc(), diag::warn_memsize_comparison)
9526 << SizeRange << FnName;
9527 S.Diag(FnLoc, diag::note_memsize_comparison_paren)
9528 << FnName
9529 << FixItHint::CreateInsertion(
9530 S.getLocForEndOfToken(Size->getLHS()->getEndLoc()), ")")
9531 << FixItHint::CreateRemoval(RParenLoc);
9532 S.Diag(SizeRange.getBegin(), diag::note_memsize_comparison_cast_silence)
9533 << FixItHint::CreateInsertion(SizeRange.getBegin(), "(size_t)(")
9534 << FixItHint::CreateInsertion(S.getLocForEndOfToken(SizeRange.getEnd()),
9535 ")");
9536
9537 return true;
9538 }
9539
9540 /// Determine whether the given type is or contains a dynamic class type
9541 /// (e.g., whether it has a vtable).
getContainedDynamicClass(QualType T,bool & IsContained)9542 static const CXXRecordDecl *getContainedDynamicClass(QualType T,
9543 bool &IsContained) {
9544 // Look through array types while ignoring qualifiers.
9545 const Type *Ty = T->getBaseElementTypeUnsafe();
9546 IsContained = false;
9547
9548 const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl();
9549 RD = RD ? RD->getDefinition() : nullptr;
9550 if (!RD || RD->isInvalidDecl())
9551 return nullptr;
9552
9553 if (RD->isDynamicClass())
9554 return RD;
9555
9556 // Check all the fields. If any bases were dynamic, the class is dynamic.
9557 // It's impossible for a class to transitively contain itself by value, so
9558 // infinite recursion is impossible.
9559 for (auto *FD : RD->fields()) {
9560 bool SubContained;
9561 if (const CXXRecordDecl *ContainedRD =
9562 getContainedDynamicClass(FD->getType(), SubContained)) {
9563 IsContained = true;
9564 return ContainedRD;
9565 }
9566 }
9567
9568 return nullptr;
9569 }
9570
getAsSizeOfExpr(const Expr * E)9571 static const UnaryExprOrTypeTraitExpr *getAsSizeOfExpr(const Expr *E) {
9572 if (const auto *Unary = dyn_cast<UnaryExprOrTypeTraitExpr>(E))
9573 if (Unary->getKind() == UETT_SizeOf)
9574 return Unary;
9575 return nullptr;
9576 }
9577
9578 /// If E is a sizeof expression, returns its argument expression,
9579 /// otherwise returns NULL.
getSizeOfExprArg(const Expr * E)9580 static const Expr *getSizeOfExprArg(const Expr *E) {
9581 if (const UnaryExprOrTypeTraitExpr *SizeOf = getAsSizeOfExpr(E))
9582 if (!SizeOf->isArgumentType())
9583 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts();
9584 return nullptr;
9585 }
9586
9587 /// If E is a sizeof expression, returns its argument type.
getSizeOfArgType(const Expr * E)9588 static QualType getSizeOfArgType(const Expr *E) {
9589 if (const UnaryExprOrTypeTraitExpr *SizeOf = getAsSizeOfExpr(E))
9590 return SizeOf->getTypeOfArgument();
9591 return QualType();
9592 }
9593
9594 namespace {
9595
9596 struct SearchNonTrivialToInitializeField
9597 : DefaultInitializedTypeVisitor<SearchNonTrivialToInitializeField> {
9598 using Super =
9599 DefaultInitializedTypeVisitor<SearchNonTrivialToInitializeField>;
9600
SearchNonTrivialToInitializeField__anon28c3fbb12611::SearchNonTrivialToInitializeField9601 SearchNonTrivialToInitializeField(const Expr *E, Sema &S) : E(E), S(S) {}
9602
visitWithKind__anon28c3fbb12611::SearchNonTrivialToInitializeField9603 void visitWithKind(QualType::PrimitiveDefaultInitializeKind PDIK, QualType FT,
9604 SourceLocation SL) {
9605 if (const auto *AT = asDerived().getContext().getAsArrayType(FT)) {
9606 asDerived().visitArray(PDIK, AT, SL);
9607 return;
9608 }
9609
9610 Super::visitWithKind(PDIK, FT, SL);
9611 }
9612
visitARCStrong__anon28c3fbb12611::SearchNonTrivialToInitializeField9613 void visitARCStrong(QualType FT, SourceLocation SL) {
9614 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 1);
9615 }
visitARCWeak__anon28c3fbb12611::SearchNonTrivialToInitializeField9616 void visitARCWeak(QualType FT, SourceLocation SL) {
9617 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 1);
9618 }
visitStruct__anon28c3fbb12611::SearchNonTrivialToInitializeField9619 void visitStruct(QualType FT, SourceLocation SL) {
9620 for (const FieldDecl *FD : FT->castAs<RecordType>()->getDecl()->fields())
9621 visit(FD->getType(), FD->getLocation());
9622 }
visitArray__anon28c3fbb12611::SearchNonTrivialToInitializeField9623 void visitArray(QualType::PrimitiveDefaultInitializeKind PDIK,
9624 const ArrayType *AT, SourceLocation SL) {
9625 visit(getContext().getBaseElementType(AT), SL);
9626 }
visitTrivial__anon28c3fbb12611::SearchNonTrivialToInitializeField9627 void visitTrivial(QualType FT, SourceLocation SL) {}
9628
diag__anon28c3fbb12611::SearchNonTrivialToInitializeField9629 static void diag(QualType RT, const Expr *E, Sema &S) {
9630 SearchNonTrivialToInitializeField(E, S).visitStruct(RT, SourceLocation());
9631 }
9632
getContext__anon28c3fbb12611::SearchNonTrivialToInitializeField9633 ASTContext &getContext() { return S.getASTContext(); }
9634
9635 const Expr *E;
9636 Sema &S;
9637 };
9638
9639 struct SearchNonTrivialToCopyField
9640 : CopiedTypeVisitor<SearchNonTrivialToCopyField, false> {
9641 using Super = CopiedTypeVisitor<SearchNonTrivialToCopyField, false>;
9642
SearchNonTrivialToCopyField__anon28c3fbb12611::SearchNonTrivialToCopyField9643 SearchNonTrivialToCopyField(const Expr *E, Sema &S) : E(E), S(S) {}
9644
visitWithKind__anon28c3fbb12611::SearchNonTrivialToCopyField9645 void visitWithKind(QualType::PrimitiveCopyKind PCK, QualType FT,
9646 SourceLocation SL) {
9647 if (const auto *AT = asDerived().getContext().getAsArrayType(FT)) {
9648 asDerived().visitArray(PCK, AT, SL);
9649 return;
9650 }
9651
9652 Super::visitWithKind(PCK, FT, SL);
9653 }
9654
visitARCStrong__anon28c3fbb12611::SearchNonTrivialToCopyField9655 void visitARCStrong(QualType FT, SourceLocation SL) {
9656 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
9657 }
visitARCWeak__anon28c3fbb12611::SearchNonTrivialToCopyField9658 void visitARCWeak(QualType FT, SourceLocation SL) {
9659 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
9660 }
visitPtrAuth__anon28c3fbb12611::SearchNonTrivialToCopyField9661 void visitPtrAuth(QualType FT, SourceLocation SL) {
9662 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
9663 }
visitStruct__anon28c3fbb12611::SearchNonTrivialToCopyField9664 void visitStruct(QualType FT, SourceLocation SL) {
9665 for (const FieldDecl *FD : FT->castAs<RecordType>()->getDecl()->fields())
9666 visit(FD->getType(), FD->getLocation());
9667 }
visitArray__anon28c3fbb12611::SearchNonTrivialToCopyField9668 void visitArray(QualType::PrimitiveCopyKind PCK, const ArrayType *AT,
9669 SourceLocation SL) {
9670 visit(getContext().getBaseElementType(AT), SL);
9671 }
preVisit__anon28c3fbb12611::SearchNonTrivialToCopyField9672 void preVisit(QualType::PrimitiveCopyKind PCK, QualType FT,
9673 SourceLocation SL) {}
visitTrivial__anon28c3fbb12611::SearchNonTrivialToCopyField9674 void visitTrivial(QualType FT, SourceLocation SL) {}
visitVolatileTrivial__anon28c3fbb12611::SearchNonTrivialToCopyField9675 void visitVolatileTrivial(QualType FT, SourceLocation SL) {}
9676
diag__anon28c3fbb12611::SearchNonTrivialToCopyField9677 static void diag(QualType RT, const Expr *E, Sema &S) {
9678 SearchNonTrivialToCopyField(E, S).visitStruct(RT, SourceLocation());
9679 }
9680
getContext__anon28c3fbb12611::SearchNonTrivialToCopyField9681 ASTContext &getContext() { return S.getASTContext(); }
9682
9683 const Expr *E;
9684 Sema &S;
9685 };
9686
9687 }
9688
9689 /// Detect if \c SizeofExpr is likely to calculate the sizeof an object.
doesExprLikelyComputeSize(const Expr * SizeofExpr)9690 static bool doesExprLikelyComputeSize(const Expr *SizeofExpr) {
9691 SizeofExpr = SizeofExpr->IgnoreParenImpCasts();
9692
9693 if (const auto *BO = dyn_cast<BinaryOperator>(SizeofExpr)) {
9694 if (BO->getOpcode() != BO_Mul && BO->getOpcode() != BO_Add)
9695 return false;
9696
9697 return doesExprLikelyComputeSize(BO->getLHS()) ||
9698 doesExprLikelyComputeSize(BO->getRHS());
9699 }
9700
9701 return getAsSizeOfExpr(SizeofExpr) != nullptr;
9702 }
9703
9704 /// Check if the ArgLoc originated from a macro passed to the call at CallLoc.
9705 ///
9706 /// \code
9707 /// #define MACRO 0
9708 /// foo(MACRO);
9709 /// foo(0);
9710 /// \endcode
9711 ///
9712 /// This should return true for the first call to foo, but not for the second
9713 /// (regardless of whether foo is a macro or function).
isArgumentExpandedFromMacro(SourceManager & SM,SourceLocation CallLoc,SourceLocation ArgLoc)9714 static bool isArgumentExpandedFromMacro(SourceManager &SM,
9715 SourceLocation CallLoc,
9716 SourceLocation ArgLoc) {
9717 if (!CallLoc.isMacroID())
9718 return SM.getFileID(CallLoc) != SM.getFileID(ArgLoc);
9719
9720 return SM.getFileID(SM.getImmediateMacroCallerLoc(CallLoc)) !=
9721 SM.getFileID(SM.getImmediateMacroCallerLoc(ArgLoc));
9722 }
9723
9724 /// Diagnose cases like 'memset(buf, sizeof(buf), 0)', which should have the
9725 /// last two arguments transposed.
CheckMemaccessSize(Sema & S,unsigned BId,const CallExpr * Call)9726 static void CheckMemaccessSize(Sema &S, unsigned BId, const CallExpr *Call) {
9727 if (BId != Builtin::BImemset && BId != Builtin::BIbzero)
9728 return;
9729
9730 const Expr *SizeArg =
9731 Call->getArg(BId == Builtin::BImemset ? 2 : 1)->IgnoreImpCasts();
9732
9733 auto isLiteralZero = [](const Expr *E) {
9734 return (isa<IntegerLiteral>(E) &&
9735 cast<IntegerLiteral>(E)->getValue() == 0) ||
9736 (isa<CharacterLiteral>(E) &&
9737 cast<CharacterLiteral>(E)->getValue() == 0);
9738 };
9739
9740 // If we're memsetting or bzeroing 0 bytes, then this is likely an error.
9741 SourceLocation CallLoc = Call->getRParenLoc();
9742 SourceManager &SM = S.getSourceManager();
9743 if (isLiteralZero(SizeArg) &&
9744 !isArgumentExpandedFromMacro(SM, CallLoc, SizeArg->getExprLoc())) {
9745
9746 SourceLocation DiagLoc = SizeArg->getExprLoc();
9747
9748 // Some platforms #define bzero to __builtin_memset. See if this is the
9749 // case, and if so, emit a better diagnostic.
9750 if (BId == Builtin::BIbzero ||
9751 (CallLoc.isMacroID() && Lexer::getImmediateMacroName(
9752 CallLoc, SM, S.getLangOpts()) == "bzero")) {
9753 S.Diag(DiagLoc, diag::warn_suspicious_bzero_size);
9754 S.Diag(DiagLoc, diag::note_suspicious_bzero_size_silence);
9755 } else if (!isLiteralZero(Call->getArg(1)->IgnoreImpCasts())) {
9756 S.Diag(DiagLoc, diag::warn_suspicious_sizeof_memset) << 0;
9757 S.Diag(DiagLoc, diag::note_suspicious_sizeof_memset_silence) << 0;
9758 }
9759 return;
9760 }
9761
9762 // If the second argument to a memset is a sizeof expression and the third
9763 // isn't, this is also likely an error. This should catch
9764 // 'memset(buf, sizeof(buf), 0xff)'.
9765 if (BId == Builtin::BImemset &&
9766 doesExprLikelyComputeSize(Call->getArg(1)) &&
9767 !doesExprLikelyComputeSize(Call->getArg(2))) {
9768 SourceLocation DiagLoc = Call->getArg(1)->getExprLoc();
9769 S.Diag(DiagLoc, diag::warn_suspicious_sizeof_memset) << 1;
9770 S.Diag(DiagLoc, diag::note_suspicious_sizeof_memset_silence) << 1;
9771 return;
9772 }
9773 }
9774
CheckMemaccessArguments(const CallExpr * Call,unsigned BId,IdentifierInfo * FnName)9775 void Sema::CheckMemaccessArguments(const CallExpr *Call,
9776 unsigned BId,
9777 IdentifierInfo *FnName) {
9778 assert(BId != 0);
9779
9780 // It is possible to have a non-standard definition of memset. Validate
9781 // we have enough arguments, and if not, abort further checking.
9782 unsigned ExpectedNumArgs =
9783 (BId == Builtin::BIstrndup || BId == Builtin::BIbzero ? 2 : 3);
9784 if (Call->getNumArgs() < ExpectedNumArgs)
9785 return;
9786
9787 unsigned LastArg = (BId == Builtin::BImemset || BId == Builtin::BIbzero ||
9788 BId == Builtin::BIstrndup ? 1 : 2);
9789 unsigned LenArg =
9790 (BId == Builtin::BIbzero || BId == Builtin::BIstrndup ? 1 : 2);
9791 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts();
9792
9793 if (CheckMemorySizeofForComparison(*this, LenExpr, FnName,
9794 Call->getBeginLoc(), Call->getRParenLoc()))
9795 return;
9796
9797 // Catch cases like 'memset(buf, sizeof(buf), 0)'.
9798 CheckMemaccessSize(*this, BId, Call);
9799
9800 // We have special checking when the length is a sizeof expression.
9801 QualType SizeOfArgTy = getSizeOfArgType(LenExpr);
9802 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr);
9803 llvm::FoldingSetNodeID SizeOfArgID;
9804
9805 // Although widely used, 'bzero' is not a standard function. Be more strict
9806 // with the argument types before allowing diagnostics and only allow the
9807 // form bzero(ptr, sizeof(...)).
9808 QualType FirstArgTy = Call->getArg(0)->IgnoreParenImpCasts()->getType();
9809 if (BId == Builtin::BIbzero && !FirstArgTy->getAs<PointerType>())
9810 return;
9811
9812 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) {
9813 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts();
9814 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange();
9815
9816 QualType DestTy = Dest->getType();
9817 QualType PointeeTy;
9818 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) {
9819 PointeeTy = DestPtrTy->getPointeeType();
9820
9821 // Never warn about void type pointers. This can be used to suppress
9822 // false positives.
9823 if (PointeeTy->isVoidType())
9824 continue;
9825
9826 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by
9827 // actually comparing the expressions for equality. Because computing the
9828 // expression IDs can be expensive, we only do this if the diagnostic is
9829 // enabled.
9830 if (SizeOfArg &&
9831 !Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess,
9832 SizeOfArg->getExprLoc())) {
9833 // We only compute IDs for expressions if the warning is enabled, and
9834 // cache the sizeof arg's ID.
9835 if (SizeOfArgID == llvm::FoldingSetNodeID())
9836 SizeOfArg->Profile(SizeOfArgID, Context, true);
9837 llvm::FoldingSetNodeID DestID;
9838 Dest->Profile(DestID, Context, true);
9839 if (DestID == SizeOfArgID) {
9840 // TODO: For strncpy() and friends, this could suggest sizeof(dst)
9841 // over sizeof(src) as well.
9842 unsigned ActionIdx = 0; // Default is to suggest dereferencing.
9843 StringRef ReadableName = FnName->getName();
9844
9845 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest))
9846 if (UnaryOp->getOpcode() == UO_AddrOf)
9847 ActionIdx = 1; // If its an address-of operator, just remove it.
9848 if (!PointeeTy->isIncompleteType() &&
9849 (Context.getTypeSize(PointeeTy) == Context.getCharWidth()))
9850 ActionIdx = 2; // If the pointee's size is sizeof(char),
9851 // suggest an explicit length.
9852
9853 // If the function is defined as a builtin macro, do not show macro
9854 // expansion.
9855 SourceLocation SL = SizeOfArg->getExprLoc();
9856 SourceRange DSR = Dest->getSourceRange();
9857 SourceRange SSR = SizeOfArg->getSourceRange();
9858 SourceManager &SM = getSourceManager();
9859
9860 if (SM.isMacroArgExpansion(SL)) {
9861 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts);
9862 SL = SM.getSpellingLoc(SL);
9863 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()),
9864 SM.getSpellingLoc(DSR.getEnd()));
9865 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()),
9866 SM.getSpellingLoc(SSR.getEnd()));
9867 }
9868
9869 DiagRuntimeBehavior(SL, SizeOfArg,
9870 PDiag(diag::warn_sizeof_pointer_expr_memaccess)
9871 << ReadableName
9872 << PointeeTy
9873 << DestTy
9874 << DSR
9875 << SSR);
9876 DiagRuntimeBehavior(SL, SizeOfArg,
9877 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note)
9878 << ActionIdx
9879 << SSR);
9880
9881 break;
9882 }
9883 }
9884
9885 // Also check for cases where the sizeof argument is the exact same
9886 // type as the memory argument, and where it points to a user-defined
9887 // record type.
9888 if (SizeOfArgTy != QualType()) {
9889 if (PointeeTy->isRecordType() &&
9890 Context.typesAreCompatible(SizeOfArgTy, DestTy)) {
9891 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest,
9892 PDiag(diag::warn_sizeof_pointer_type_memaccess)
9893 << FnName << SizeOfArgTy << ArgIdx
9894 << PointeeTy << Dest->getSourceRange()
9895 << LenExpr->getSourceRange());
9896 break;
9897 }
9898 }
9899 } else if (DestTy->isArrayType()) {
9900 PointeeTy = DestTy;
9901 }
9902
9903 if (PointeeTy == QualType())
9904 continue;
9905
9906 // Always complain about dynamic classes.
9907 bool IsContained;
9908 if (const CXXRecordDecl *ContainedRD =
9909 getContainedDynamicClass(PointeeTy, IsContained)) {
9910
9911 unsigned OperationType = 0;
9912 const bool IsCmp = BId == Builtin::BImemcmp || BId == Builtin::BIbcmp;
9913 // "overwritten" if we're warning about the destination for any call
9914 // but memcmp; otherwise a verb appropriate to the call.
9915 if (ArgIdx != 0 || IsCmp) {
9916 if (BId == Builtin::BImemcpy)
9917 OperationType = 1;
9918 else if(BId == Builtin::BImemmove)
9919 OperationType = 2;
9920 else if (IsCmp)
9921 OperationType = 3;
9922 }
9923
9924 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9925 PDiag(diag::warn_dyn_class_memaccess)
9926 << (IsCmp ? ArgIdx + 2 : ArgIdx) << FnName
9927 << IsContained << ContainedRD << OperationType
9928 << Call->getCallee()->getSourceRange());
9929 } else if (PointeeTy.hasNonTrivialObjCLifetime() &&
9930 BId != Builtin::BImemset)
9931 DiagRuntimeBehavior(
9932 Dest->getExprLoc(), Dest,
9933 PDiag(diag::warn_arc_object_memaccess)
9934 << ArgIdx << FnName << PointeeTy
9935 << Call->getCallee()->getSourceRange());
9936 else if (const auto *RT = PointeeTy->getAs<RecordType>()) {
9937
9938 // FIXME: Do not consider incomplete types even though they may be
9939 // completed later. GCC does not diagnose such code, but we may want to
9940 // consider diagnosing it in the future, perhaps under a different, but
9941 // related, diagnostic group.
9942 bool NonTriviallyCopyableCXXRecord =
9943 getLangOpts().CPlusPlus && !RT->isIncompleteType() &&
9944 !RT->desugar().isTriviallyCopyableType(Context);
9945
9946 if ((BId == Builtin::BImemset || BId == Builtin::BIbzero) &&
9947 RT->getDecl()->isNonTrivialToPrimitiveDefaultInitialize()) {
9948 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9949 PDiag(diag::warn_cstruct_memaccess)
9950 << ArgIdx << FnName << PointeeTy << 0);
9951 SearchNonTrivialToInitializeField::diag(PointeeTy, Dest, *this);
9952 } else if ((BId == Builtin::BImemset || BId == Builtin::BIbzero) &&
9953 NonTriviallyCopyableCXXRecord && ArgIdx == 0) {
9954 // FIXME: Limiting this warning to dest argument until we decide
9955 // whether it's valid for source argument too.
9956 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9957 PDiag(diag::warn_cxxstruct_memaccess)
9958 << FnName << PointeeTy);
9959 } else if ((BId == Builtin::BImemcpy || BId == Builtin::BImemmove) &&
9960 RT->getDecl()->isNonTrivialToPrimitiveCopy()) {
9961 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9962 PDiag(diag::warn_cstruct_memaccess)
9963 << ArgIdx << FnName << PointeeTy << 1);
9964 SearchNonTrivialToCopyField::diag(PointeeTy, Dest, *this);
9965 } else if ((BId == Builtin::BImemcpy || BId == Builtin::BImemmove) &&
9966 NonTriviallyCopyableCXXRecord && ArgIdx == 0) {
9967 // FIXME: Limiting this warning to dest argument until we decide
9968 // whether it's valid for source argument too.
9969 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9970 PDiag(diag::warn_cxxstruct_memaccess)
9971 << FnName << PointeeTy);
9972 } else {
9973 continue;
9974 }
9975 } else
9976 continue;
9977
9978 DiagRuntimeBehavior(
9979 Dest->getExprLoc(), Dest,
9980 PDiag(diag::note_bad_memaccess_silence)
9981 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)"));
9982 break;
9983 }
9984 }
9985
9986 // A little helper routine: ignore addition and subtraction of integer literals.
9987 // This intentionally does not ignore all integer constant expressions because
9988 // we don't want to remove sizeof().
ignoreLiteralAdditions(const Expr * Ex,ASTContext & Ctx)9989 static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) {
9990 Ex = Ex->IgnoreParenCasts();
9991
9992 while (true) {
9993 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex);
9994 if (!BO || !BO->isAdditiveOp())
9995 break;
9996
9997 const Expr *RHS = BO->getRHS()->IgnoreParenCasts();
9998 const Expr *LHS = BO->getLHS()->IgnoreParenCasts();
9999
10000 if (isa<IntegerLiteral>(RHS))
10001 Ex = LHS;
10002 else if (isa<IntegerLiteral>(LHS))
10003 Ex = RHS;
10004 else
10005 break;
10006 }
10007
10008 return Ex;
10009 }
10010
isConstantSizeArrayWithMoreThanOneElement(QualType Ty,ASTContext & Context)10011 static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty,
10012 ASTContext &Context) {
10013 // Only handle constant-sized or VLAs, but not flexible members.
10014 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) {
10015 // Only issue the FIXIT for arrays of size > 1.
10016 if (CAT->getZExtSize() <= 1)
10017 return false;
10018 } else if (!Ty->isVariableArrayType()) {
10019 return false;
10020 }
10021 return true;
10022 }
10023
CheckStrlcpycatArguments(const CallExpr * Call,IdentifierInfo * FnName)10024 void Sema::CheckStrlcpycatArguments(const CallExpr *Call,
10025 IdentifierInfo *FnName) {
10026
10027 // Don't crash if the user has the wrong number of arguments
10028 unsigned NumArgs = Call->getNumArgs();
10029 if ((NumArgs != 3) && (NumArgs != 4))
10030 return;
10031
10032 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context);
10033 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context);
10034 const Expr *CompareWithSrc = nullptr;
10035
10036 if (CheckMemorySizeofForComparison(*this, SizeArg, FnName,
10037 Call->getBeginLoc(), Call->getRParenLoc()))
10038 return;
10039
10040 // Look for 'strlcpy(dst, x, sizeof(x))'
10041 if (const Expr *Ex = getSizeOfExprArg(SizeArg))
10042 CompareWithSrc = Ex;
10043 else {
10044 // Look for 'strlcpy(dst, x, strlen(x))'
10045 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) {
10046 if (SizeCall->getBuiltinCallee() == Builtin::BIstrlen &&
10047 SizeCall->getNumArgs() == 1)
10048 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context);
10049 }
10050 }
10051
10052 if (!CompareWithSrc)
10053 return;
10054
10055 // Determine if the argument to sizeof/strlen is equal to the source
10056 // argument. In principle there's all kinds of things you could do
10057 // here, for instance creating an == expression and evaluating it with
10058 // EvaluateAsBooleanCondition, but this uses a more direct technique:
10059 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg);
10060 if (!SrcArgDRE)
10061 return;
10062
10063 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc);
10064 if (!CompareWithSrcDRE ||
10065 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl())
10066 return;
10067
10068 const Expr *OriginalSizeArg = Call->getArg(2);
10069 Diag(CompareWithSrcDRE->getBeginLoc(), diag::warn_strlcpycat_wrong_size)
10070 << OriginalSizeArg->getSourceRange() << FnName;
10071
10072 // Output a FIXIT hint if the destination is an array (rather than a
10073 // pointer to an array). This could be enhanced to handle some
10074 // pointers if we know the actual size, like if DstArg is 'array+2'
10075 // we could say 'sizeof(array)-2'.
10076 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts();
10077 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context))
10078 return;
10079
10080 SmallString<128> sizeString;
10081 llvm::raw_svector_ostream OS(sizeString);
10082 OS << "sizeof(";
10083 DstArg->printPretty(OS, nullptr, getPrintingPolicy());
10084 OS << ")";
10085
10086 Diag(OriginalSizeArg->getBeginLoc(), diag::note_strlcpycat_wrong_size)
10087 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(),
10088 OS.str());
10089 }
10090
10091 /// Check if two expressions refer to the same declaration.
referToTheSameDecl(const Expr * E1,const Expr * E2)10092 static bool referToTheSameDecl(const Expr *E1, const Expr *E2) {
10093 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1))
10094 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2))
10095 return D1->getDecl() == D2->getDecl();
10096 return false;
10097 }
10098
getStrlenExprArg(const Expr * E)10099 static const Expr *getStrlenExprArg(const Expr *E) {
10100 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
10101 const FunctionDecl *FD = CE->getDirectCallee();
10102 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen)
10103 return nullptr;
10104 return CE->getArg(0)->IgnoreParenCasts();
10105 }
10106 return nullptr;
10107 }
10108
CheckStrncatArguments(const CallExpr * CE,const IdentifierInfo * FnName)10109 void Sema::CheckStrncatArguments(const CallExpr *CE,
10110 const IdentifierInfo *FnName) {
10111 // Don't crash if the user has the wrong number of arguments.
10112 if (CE->getNumArgs() < 3)
10113 return;
10114 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts();
10115 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts();
10116 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts();
10117
10118 if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getBeginLoc(),
10119 CE->getRParenLoc()))
10120 return;
10121
10122 // Identify common expressions, which are wrongly used as the size argument
10123 // to strncat and may lead to buffer overflows.
10124 unsigned PatternType = 0;
10125 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) {
10126 // - sizeof(dst)
10127 if (referToTheSameDecl(SizeOfArg, DstArg))
10128 PatternType = 1;
10129 // - sizeof(src)
10130 else if (referToTheSameDecl(SizeOfArg, SrcArg))
10131 PatternType = 2;
10132 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) {
10133 if (BE->getOpcode() == BO_Sub) {
10134 const Expr *L = BE->getLHS()->IgnoreParenCasts();
10135 const Expr *R = BE->getRHS()->IgnoreParenCasts();
10136 // - sizeof(dst) - strlen(dst)
10137 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) &&
10138 referToTheSameDecl(DstArg, getStrlenExprArg(R)))
10139 PatternType = 1;
10140 // - sizeof(src) - (anything)
10141 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L)))
10142 PatternType = 2;
10143 }
10144 }
10145
10146 if (PatternType == 0)
10147 return;
10148
10149 // Generate the diagnostic.
10150 SourceLocation SL = LenArg->getBeginLoc();
10151 SourceRange SR = LenArg->getSourceRange();
10152 SourceManager &SM = getSourceManager();
10153
10154 // If the function is defined as a builtin macro, do not show macro expansion.
10155 if (SM.isMacroArgExpansion(SL)) {
10156 SL = SM.getSpellingLoc(SL);
10157 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()),
10158 SM.getSpellingLoc(SR.getEnd()));
10159 }
10160
10161 // Check if the destination is an array (rather than a pointer to an array).
10162 QualType DstTy = DstArg->getType();
10163 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy,
10164 Context);
10165 if (!isKnownSizeArray) {
10166 if (PatternType == 1)
10167 Diag(SL, diag::warn_strncat_wrong_size) << SR;
10168 else
10169 Diag(SL, diag::warn_strncat_src_size) << SR;
10170 return;
10171 }
10172
10173 if (PatternType == 1)
10174 Diag(SL, diag::warn_strncat_large_size) << SR;
10175 else
10176 Diag(SL, diag::warn_strncat_src_size) << SR;
10177
10178 SmallString<128> sizeString;
10179 llvm::raw_svector_ostream OS(sizeString);
10180 OS << "sizeof(";
10181 DstArg->printPretty(OS, nullptr, getPrintingPolicy());
10182 OS << ") - ";
10183 OS << "strlen(";
10184 DstArg->printPretty(OS, nullptr, getPrintingPolicy());
10185 OS << ") - 1";
10186
10187 Diag(SL, diag::note_strncat_wrong_size)
10188 << FixItHint::CreateReplacement(SR, OS.str());
10189 }
10190
10191 namespace {
CheckFreeArgumentsOnLvalue(Sema & S,const std::string & CalleeName,const UnaryOperator * UnaryExpr,const Decl * D)10192 void CheckFreeArgumentsOnLvalue(Sema &S, const std::string &CalleeName,
10193 const UnaryOperator *UnaryExpr, const Decl *D) {
10194 if (isa<FieldDecl, FunctionDecl, VarDecl>(D)) {
10195 S.Diag(UnaryExpr->getBeginLoc(), diag::warn_free_nonheap_object)
10196 << CalleeName << 0 /*object: */ << cast<NamedDecl>(D);
10197 return;
10198 }
10199 }
10200
CheckFreeArgumentsAddressof(Sema & S,const std::string & CalleeName,const UnaryOperator * UnaryExpr)10201 void CheckFreeArgumentsAddressof(Sema &S, const std::string &CalleeName,
10202 const UnaryOperator *UnaryExpr) {
10203 if (const auto *Lvalue = dyn_cast<DeclRefExpr>(UnaryExpr->getSubExpr())) {
10204 const Decl *D = Lvalue->getDecl();
10205 if (const auto *DD = dyn_cast<DeclaratorDecl>(D)) {
10206 if (!DD->getType()->isReferenceType())
10207 return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr, D);
10208 }
10209 }
10210
10211 if (const auto *Lvalue = dyn_cast<MemberExpr>(UnaryExpr->getSubExpr()))
10212 return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr,
10213 Lvalue->getMemberDecl());
10214 }
10215
CheckFreeArgumentsPlus(Sema & S,const std::string & CalleeName,const UnaryOperator * UnaryExpr)10216 void CheckFreeArgumentsPlus(Sema &S, const std::string &CalleeName,
10217 const UnaryOperator *UnaryExpr) {
10218 const auto *Lambda = dyn_cast<LambdaExpr>(
10219 UnaryExpr->getSubExpr()->IgnoreImplicitAsWritten()->IgnoreParens());
10220 if (!Lambda)
10221 return;
10222
10223 S.Diag(Lambda->getBeginLoc(), diag::warn_free_nonheap_object)
10224 << CalleeName << 2 /*object: lambda expression*/;
10225 }
10226
CheckFreeArgumentsStackArray(Sema & S,const std::string & CalleeName,const DeclRefExpr * Lvalue)10227 void CheckFreeArgumentsStackArray(Sema &S, const std::string &CalleeName,
10228 const DeclRefExpr *Lvalue) {
10229 const auto *Var = dyn_cast<VarDecl>(Lvalue->getDecl());
10230 if (Var == nullptr)
10231 return;
10232
10233 S.Diag(Lvalue->getBeginLoc(), diag::warn_free_nonheap_object)
10234 << CalleeName << 0 /*object: */ << Var;
10235 }
10236
CheckFreeArgumentsCast(Sema & S,const std::string & CalleeName,const CastExpr * Cast)10237 void CheckFreeArgumentsCast(Sema &S, const std::string &CalleeName,
10238 const CastExpr *Cast) {
10239 SmallString<128> SizeString;
10240 llvm::raw_svector_ostream OS(SizeString);
10241
10242 clang::CastKind Kind = Cast->getCastKind();
10243 if (Kind == clang::CK_BitCast &&
10244 !Cast->getSubExpr()->getType()->isFunctionPointerType())
10245 return;
10246 if (Kind == clang::CK_IntegralToPointer &&
10247 !isa<IntegerLiteral>(
10248 Cast->getSubExpr()->IgnoreParenImpCasts()->IgnoreParens()))
10249 return;
10250
10251 switch (Cast->getCastKind()) {
10252 case clang::CK_BitCast:
10253 case clang::CK_IntegralToPointer:
10254 case clang::CK_FunctionToPointerDecay:
10255 OS << '\'';
10256 Cast->printPretty(OS, nullptr, S.getPrintingPolicy());
10257 OS << '\'';
10258 break;
10259 default:
10260 return;
10261 }
10262
10263 S.Diag(Cast->getBeginLoc(), diag::warn_free_nonheap_object)
10264 << CalleeName << 0 /*object: */ << OS.str();
10265 }
10266 } // namespace
10267
CheckFreeArguments(const CallExpr * E)10268 void Sema::CheckFreeArguments(const CallExpr *E) {
10269 const std::string CalleeName =
10270 cast<FunctionDecl>(E->getCalleeDecl())->getQualifiedNameAsString();
10271
10272 { // Prefer something that doesn't involve a cast to make things simpler.
10273 const Expr *Arg = E->getArg(0)->IgnoreParenCasts();
10274 if (const auto *UnaryExpr = dyn_cast<UnaryOperator>(Arg))
10275 switch (UnaryExpr->getOpcode()) {
10276 case UnaryOperator::Opcode::UO_AddrOf:
10277 return CheckFreeArgumentsAddressof(*this, CalleeName, UnaryExpr);
10278 case UnaryOperator::Opcode::UO_Plus:
10279 return CheckFreeArgumentsPlus(*this, CalleeName, UnaryExpr);
10280 default:
10281 break;
10282 }
10283
10284 if (const auto *Lvalue = dyn_cast<DeclRefExpr>(Arg))
10285 if (Lvalue->getType()->isArrayType())
10286 return CheckFreeArgumentsStackArray(*this, CalleeName, Lvalue);
10287
10288 if (const auto *Label = dyn_cast<AddrLabelExpr>(Arg)) {
10289 Diag(Label->getBeginLoc(), diag::warn_free_nonheap_object)
10290 << CalleeName << 0 /*object: */ << Label->getLabel()->getIdentifier();
10291 return;
10292 }
10293
10294 if (isa<BlockExpr>(Arg)) {
10295 Diag(Arg->getBeginLoc(), diag::warn_free_nonheap_object)
10296 << CalleeName << 1 /*object: block*/;
10297 return;
10298 }
10299 }
10300 // Maybe the cast was important, check after the other cases.
10301 if (const auto *Cast = dyn_cast<CastExpr>(E->getArg(0)))
10302 return CheckFreeArgumentsCast(*this, CalleeName, Cast);
10303 }
10304
10305 void
CheckReturnValExpr(Expr * RetValExp,QualType lhsType,SourceLocation ReturnLoc,bool isObjCMethod,const AttrVec * Attrs,const FunctionDecl * FD)10306 Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType,
10307 SourceLocation ReturnLoc,
10308 bool isObjCMethod,
10309 const AttrVec *Attrs,
10310 const FunctionDecl *FD) {
10311 // Check if the return value is null but should not be.
10312 if (((Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs)) ||
10313 (!isObjCMethod && isNonNullType(lhsType))) &&
10314 CheckNonNullExpr(*this, RetValExp))
10315 Diag(ReturnLoc, diag::warn_null_ret)
10316 << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange();
10317
10318 // C++11 [basic.stc.dynamic.allocation]p4:
10319 // If an allocation function declared with a non-throwing
10320 // exception-specification fails to allocate storage, it shall return
10321 // a null pointer. Any other allocation function that fails to allocate
10322 // storage shall indicate failure only by throwing an exception [...]
10323 if (FD) {
10324 OverloadedOperatorKind Op = FD->getOverloadedOperator();
10325 if (Op == OO_New || Op == OO_Array_New) {
10326 const FunctionProtoType *Proto
10327 = FD->getType()->castAs<FunctionProtoType>();
10328 if (!Proto->isNothrow(/*ResultIfDependent*/true) &&
10329 CheckNonNullExpr(*this, RetValExp))
10330 Diag(ReturnLoc, diag::warn_operator_new_returns_null)
10331 << FD << getLangOpts().CPlusPlus11;
10332 }
10333 }
10334
10335 if (RetValExp && RetValExp->getType()->isWebAssemblyTableType()) {
10336 Diag(ReturnLoc, diag::err_wasm_table_art) << 1;
10337 }
10338
10339 // PPC MMA non-pointer types are not allowed as return type. Checking the type
10340 // here prevent the user from using a PPC MMA type as trailing return type.
10341 if (Context.getTargetInfo().getTriple().isPPC64())
10342 PPC().CheckPPCMMAType(RetValExp->getType(), ReturnLoc);
10343 }
10344
CheckFloatComparison(SourceLocation Loc,const Expr * LHS,const Expr * RHS,BinaryOperatorKind Opcode)10345 void Sema::CheckFloatComparison(SourceLocation Loc, const Expr *LHS,
10346 const Expr *RHS, BinaryOperatorKind Opcode) {
10347 if (!BinaryOperator::isEqualityOp(Opcode))
10348 return;
10349
10350 // Match and capture subexpressions such as "(float) X == 0.1".
10351 const FloatingLiteral *FPLiteral;
10352 const CastExpr *FPCast;
10353 auto getCastAndLiteral = [&FPLiteral, &FPCast](const Expr *L, const Expr *R) {
10354 FPLiteral = dyn_cast<FloatingLiteral>(L->IgnoreParens());
10355 FPCast = dyn_cast<CastExpr>(R->IgnoreParens());
10356 return FPLiteral && FPCast;
10357 };
10358
10359 if (getCastAndLiteral(LHS, RHS) || getCastAndLiteral(RHS, LHS)) {
10360 auto *SourceTy = FPCast->getSubExpr()->getType()->getAs<BuiltinType>();
10361 auto *TargetTy = FPLiteral->getType()->getAs<BuiltinType>();
10362 if (SourceTy && TargetTy && SourceTy->isFloatingPoint() &&
10363 TargetTy->isFloatingPoint()) {
10364 bool Lossy;
10365 llvm::APFloat TargetC = FPLiteral->getValue();
10366 TargetC.convert(Context.getFloatTypeSemantics(QualType(SourceTy, 0)),
10367 llvm::APFloat::rmNearestTiesToEven, &Lossy);
10368 if (Lossy) {
10369 // If the literal cannot be represented in the source type, then a
10370 // check for == is always false and check for != is always true.
10371 Diag(Loc, diag::warn_float_compare_literal)
10372 << (Opcode == BO_EQ) << QualType(SourceTy, 0)
10373 << LHS->getSourceRange() << RHS->getSourceRange();
10374 return;
10375 }
10376 }
10377 }
10378
10379 // Match a more general floating-point equality comparison (-Wfloat-equal).
10380 const Expr *LeftExprSansParen = LHS->IgnoreParenImpCasts();
10381 const Expr *RightExprSansParen = RHS->IgnoreParenImpCasts();
10382
10383 // Special case: check for x == x (which is OK).
10384 // Do not emit warnings for such cases.
10385 if (const auto *DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen))
10386 if (const auto *DRR = dyn_cast<DeclRefExpr>(RightExprSansParen))
10387 if (DRL->getDecl() == DRR->getDecl())
10388 return;
10389
10390 // Special case: check for comparisons against literals that can be exactly
10391 // represented by APFloat. In such cases, do not emit a warning. This
10392 // is a heuristic: often comparison against such literals are used to
10393 // detect if a value in a variable has not changed. This clearly can
10394 // lead to false negatives.
10395 if (const auto *FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) {
10396 if (FLL->isExact())
10397 return;
10398 } else if (const auto *FLR = dyn_cast<FloatingLiteral>(RightExprSansParen))
10399 if (FLR->isExact())
10400 return;
10401
10402 // Check for comparisons with builtin types.
10403 if (const auto *CL = dyn_cast<CallExpr>(LeftExprSansParen);
10404 CL && CL->getBuiltinCallee())
10405 return;
10406
10407 if (const auto *CR = dyn_cast<CallExpr>(RightExprSansParen);
10408 CR && CR->getBuiltinCallee())
10409 return;
10410
10411 // Emit the diagnostic.
10412 Diag(Loc, diag::warn_floatingpoint_eq)
10413 << LHS->getSourceRange() << RHS->getSourceRange();
10414 }
10415
10416 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===//
10417 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===//
10418
10419 namespace {
10420
10421 /// Structure recording the 'active' range of an integer-valued
10422 /// expression.
10423 struct IntRange {
10424 /// The number of bits active in the int. Note that this includes exactly one
10425 /// sign bit if !NonNegative.
10426 unsigned Width;
10427
10428 /// True if the int is known not to have negative values. If so, all leading
10429 /// bits before Width are known zero, otherwise they are known to be the
10430 /// same as the MSB within Width.
10431 bool NonNegative;
10432
IntRange__anon28c3fbb12a11::IntRange10433 IntRange(unsigned Width, bool NonNegative)
10434 : Width(Width), NonNegative(NonNegative) {}
10435
10436 /// Number of bits excluding the sign bit.
valueBits__anon28c3fbb12a11::IntRange10437 unsigned valueBits() const {
10438 return NonNegative ? Width : Width - 1;
10439 }
10440
10441 /// Returns the range of the bool type.
forBoolType__anon28c3fbb12a11::IntRange10442 static IntRange forBoolType() {
10443 return IntRange(1, true);
10444 }
10445
10446 /// Returns the range of an opaque value of the given integral type.
forValueOfType__anon28c3fbb12a11::IntRange10447 static IntRange forValueOfType(ASTContext &C, QualType T) {
10448 return forValueOfCanonicalType(C,
10449 T->getCanonicalTypeInternal().getTypePtr());
10450 }
10451
10452 /// Returns the range of an opaque value of a canonical integral type.
forValueOfCanonicalType__anon28c3fbb12a11::IntRange10453 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) {
10454 assert(T->isCanonicalUnqualified());
10455
10456 if (const auto *VT = dyn_cast<VectorType>(T))
10457 T = VT->getElementType().getTypePtr();
10458 if (const auto *CT = dyn_cast<ComplexType>(T))
10459 T = CT->getElementType().getTypePtr();
10460 if (const auto *AT = dyn_cast<AtomicType>(T))
10461 T = AT->getValueType().getTypePtr();
10462
10463 if (!C.getLangOpts().CPlusPlus) {
10464 // For enum types in C code, use the underlying datatype.
10465 if (const auto *ET = dyn_cast<EnumType>(T))
10466 T = ET->getDecl()->getIntegerType().getDesugaredType(C).getTypePtr();
10467 } else if (const auto *ET = dyn_cast<EnumType>(T)) {
10468 // For enum types in C++, use the known bit width of the enumerators.
10469 EnumDecl *Enum = ET->getDecl();
10470 // In C++11, enums can have a fixed underlying type. Use this type to
10471 // compute the range.
10472 if (Enum->isFixed()) {
10473 return IntRange(C.getIntWidth(QualType(T, 0)),
10474 !ET->isSignedIntegerOrEnumerationType());
10475 }
10476
10477 unsigned NumPositive = Enum->getNumPositiveBits();
10478 unsigned NumNegative = Enum->getNumNegativeBits();
10479
10480 if (NumNegative == 0)
10481 return IntRange(NumPositive, true/*NonNegative*/);
10482 else
10483 return IntRange(std::max(NumPositive + 1, NumNegative),
10484 false/*NonNegative*/);
10485 }
10486
10487 if (const auto *EIT = dyn_cast<BitIntType>(T))
10488 return IntRange(EIT->getNumBits(), EIT->isUnsigned());
10489
10490 const BuiltinType *BT = cast<BuiltinType>(T);
10491 assert(BT->isInteger());
10492
10493 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
10494 }
10495
10496 /// Returns the "target" range of a canonical integral type, i.e.
10497 /// the range of values expressible in the type.
10498 ///
10499 /// This matches forValueOfCanonicalType except that enums have the
10500 /// full range of their type, not the range of their enumerators.
forTargetOfCanonicalType__anon28c3fbb12a11::IntRange10501 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) {
10502 assert(T->isCanonicalUnqualified());
10503
10504 if (const VectorType *VT = dyn_cast<VectorType>(T))
10505 T = VT->getElementType().getTypePtr();
10506 if (const ComplexType *CT = dyn_cast<ComplexType>(T))
10507 T = CT->getElementType().getTypePtr();
10508 if (const AtomicType *AT = dyn_cast<AtomicType>(T))
10509 T = AT->getValueType().getTypePtr();
10510 if (const EnumType *ET = dyn_cast<EnumType>(T))
10511 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr();
10512
10513 if (const auto *EIT = dyn_cast<BitIntType>(T))
10514 return IntRange(EIT->getNumBits(), EIT->isUnsigned());
10515
10516 const BuiltinType *BT = cast<BuiltinType>(T);
10517 assert(BT->isInteger());
10518
10519 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
10520 }
10521
10522 /// Returns the supremum of two ranges: i.e. their conservative merge.
join__anon28c3fbb12a11::IntRange10523 static IntRange join(IntRange L, IntRange R) {
10524 bool Unsigned = L.NonNegative && R.NonNegative;
10525 return IntRange(std::max(L.valueBits(), R.valueBits()) + !Unsigned,
10526 L.NonNegative && R.NonNegative);
10527 }
10528
10529 /// Return the range of a bitwise-AND of the two ranges.
bit_and__anon28c3fbb12a11::IntRange10530 static IntRange bit_and(IntRange L, IntRange R) {
10531 unsigned Bits = std::max(L.Width, R.Width);
10532 bool NonNegative = false;
10533 if (L.NonNegative) {
10534 Bits = std::min(Bits, L.Width);
10535 NonNegative = true;
10536 }
10537 if (R.NonNegative) {
10538 Bits = std::min(Bits, R.Width);
10539 NonNegative = true;
10540 }
10541 return IntRange(Bits, NonNegative);
10542 }
10543
10544 /// Return the range of a sum of the two ranges.
sum__anon28c3fbb12a11::IntRange10545 static IntRange sum(IntRange L, IntRange R) {
10546 bool Unsigned = L.NonNegative && R.NonNegative;
10547 return IntRange(std::max(L.valueBits(), R.valueBits()) + 1 + !Unsigned,
10548 Unsigned);
10549 }
10550
10551 /// Return the range of a difference of the two ranges.
difference__anon28c3fbb12a11::IntRange10552 static IntRange difference(IntRange L, IntRange R) {
10553 // We need a 1-bit-wider range if:
10554 // 1) LHS can be negative: least value can be reduced.
10555 // 2) RHS can be negative: greatest value can be increased.
10556 bool CanWiden = !L.NonNegative || !R.NonNegative;
10557 bool Unsigned = L.NonNegative && R.Width == 0;
10558 return IntRange(std::max(L.valueBits(), R.valueBits()) + CanWiden +
10559 !Unsigned,
10560 Unsigned);
10561 }
10562
10563 /// Return the range of a product of the two ranges.
product__anon28c3fbb12a11::IntRange10564 static IntRange product(IntRange L, IntRange R) {
10565 // If both LHS and RHS can be negative, we can form
10566 // -2^L * -2^R = 2^(L + R)
10567 // which requires L + R + 1 value bits to represent.
10568 bool CanWiden = !L.NonNegative && !R.NonNegative;
10569 bool Unsigned = L.NonNegative && R.NonNegative;
10570 return IntRange(L.valueBits() + R.valueBits() + CanWiden + !Unsigned,
10571 Unsigned);
10572 }
10573
10574 /// Return the range of a remainder operation between the two ranges.
rem__anon28c3fbb12a11::IntRange10575 static IntRange rem(IntRange L, IntRange R) {
10576 // The result of a remainder can't be larger than the result of
10577 // either side. The sign of the result is the sign of the LHS.
10578 bool Unsigned = L.NonNegative;
10579 return IntRange(std::min(L.valueBits(), R.valueBits()) + !Unsigned,
10580 Unsigned);
10581 }
10582 };
10583
10584 } // namespace
10585
GetValueRange(llvm::APSInt & value,unsigned MaxWidth)10586 static IntRange GetValueRange(llvm::APSInt &value, unsigned MaxWidth) {
10587 if (value.isSigned() && value.isNegative())
10588 return IntRange(value.getSignificantBits(), false);
10589
10590 if (value.getBitWidth() > MaxWidth)
10591 value = value.trunc(MaxWidth);
10592
10593 // isNonNegative() just checks the sign bit without considering
10594 // signedness.
10595 return IntRange(value.getActiveBits(), true);
10596 }
10597
GetValueRange(APValue & result,QualType Ty,unsigned MaxWidth)10598 static IntRange GetValueRange(APValue &result, QualType Ty, unsigned MaxWidth) {
10599 if (result.isInt())
10600 return GetValueRange(result.getInt(), MaxWidth);
10601
10602 if (result.isVector()) {
10603 IntRange R = GetValueRange(result.getVectorElt(0), Ty, MaxWidth);
10604 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) {
10605 IntRange El = GetValueRange(result.getVectorElt(i), Ty, MaxWidth);
10606 R = IntRange::join(R, El);
10607 }
10608 return R;
10609 }
10610
10611 if (result.isComplexInt()) {
10612 IntRange R = GetValueRange(result.getComplexIntReal(), MaxWidth);
10613 IntRange I = GetValueRange(result.getComplexIntImag(), MaxWidth);
10614 return IntRange::join(R, I);
10615 }
10616
10617 // This can happen with lossless casts to intptr_t of "based" lvalues.
10618 // Assume it might use arbitrary bits.
10619 // FIXME: The only reason we need to pass the type in here is to get
10620 // the sign right on this one case. It would be nice if APValue
10621 // preserved this.
10622 assert(result.isLValue() || result.isAddrLabelDiff());
10623 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType());
10624 }
10625
GetExprType(const Expr * E)10626 static QualType GetExprType(const Expr *E) {
10627 QualType Ty = E->getType();
10628 if (const auto *AtomicRHS = Ty->getAs<AtomicType>())
10629 Ty = AtomicRHS->getValueType();
10630 return Ty;
10631 }
10632
10633 /// Attempts to estimate an approximate range for the given integer expression.
10634 /// Returns a range if successful, otherwise it returns \c std::nullopt if a
10635 /// reliable estimation cannot be determined.
10636 ///
10637 /// \param MaxWidth The width to which the value will be truncated.
10638 /// \param InConstantContext If \c true, interpret the expression within a
10639 /// constant context.
10640 /// \param Approximate If \c true, provide a likely range of values by assuming
10641 /// that arithmetic on narrower types remains within those types.
10642 /// If \c false, return a range that includes all possible values
10643 /// resulting from the expression.
10644 /// \returns A range of values that the expression might take, or
10645 /// std::nullopt if a reliable estimation cannot be determined.
TryGetExprRange(ASTContext & C,const Expr * E,unsigned MaxWidth,bool InConstantContext,bool Approximate)10646 static std::optional<IntRange> TryGetExprRange(ASTContext &C, const Expr *E,
10647 unsigned MaxWidth,
10648 bool InConstantContext,
10649 bool Approximate) {
10650 E = E->IgnoreParens();
10651
10652 // Try a full evaluation first.
10653 Expr::EvalResult result;
10654 if (E->EvaluateAsRValue(result, C, InConstantContext))
10655 return GetValueRange(result.Val, GetExprType(E), MaxWidth);
10656
10657 // I think we only want to look through implicit casts here; if the
10658 // user has an explicit widening cast, we should treat the value as
10659 // being of the new, wider type.
10660 if (const auto *CE = dyn_cast<ImplicitCastExpr>(E)) {
10661 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue)
10662 return TryGetExprRange(C, CE->getSubExpr(), MaxWidth, InConstantContext,
10663 Approximate);
10664
10665 IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE));
10666
10667 bool isIntegerCast = CE->getCastKind() == CK_IntegralCast ||
10668 CE->getCastKind() == CK_BooleanToSignedIntegral;
10669
10670 // Assume that non-integer casts can span the full range of the type.
10671 if (!isIntegerCast)
10672 return OutputTypeRange;
10673
10674 std::optional<IntRange> SubRange = TryGetExprRange(
10675 C, CE->getSubExpr(), std::min(MaxWidth, OutputTypeRange.Width),
10676 InConstantContext, Approximate);
10677 if (!SubRange)
10678 return std::nullopt;
10679
10680 // Bail out if the subexpr's range is as wide as the cast type.
10681 if (SubRange->Width >= OutputTypeRange.Width)
10682 return OutputTypeRange;
10683
10684 // Otherwise, we take the smaller width, and we're non-negative if
10685 // either the output type or the subexpr is.
10686 return IntRange(SubRange->Width,
10687 SubRange->NonNegative || OutputTypeRange.NonNegative);
10688 }
10689
10690 if (const auto *CO = dyn_cast<ConditionalOperator>(E)) {
10691 // If we can fold the condition, just take that operand.
10692 bool CondResult;
10693 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
10694 return TryGetExprRange(
10695 C, CondResult ? CO->getTrueExpr() : CO->getFalseExpr(), MaxWidth,
10696 InConstantContext, Approximate);
10697
10698 // Otherwise, conservatively merge.
10699 // TryGetExprRange requires an integer expression, but a throw expression
10700 // results in a void type.
10701 Expr *TrueExpr = CO->getTrueExpr();
10702 if (TrueExpr->getType()->isVoidType())
10703 return std::nullopt;
10704
10705 std::optional<IntRange> L =
10706 TryGetExprRange(C, TrueExpr, MaxWidth, InConstantContext, Approximate);
10707 if (!L)
10708 return std::nullopt;
10709
10710 Expr *FalseExpr = CO->getFalseExpr();
10711 if (FalseExpr->getType()->isVoidType())
10712 return std::nullopt;
10713
10714 std::optional<IntRange> R =
10715 TryGetExprRange(C, FalseExpr, MaxWidth, InConstantContext, Approximate);
10716 if (!R)
10717 return std::nullopt;
10718
10719 return IntRange::join(*L, *R);
10720 }
10721
10722 if (const auto *BO = dyn_cast<BinaryOperator>(E)) {
10723 IntRange (*Combine)(IntRange, IntRange) = IntRange::join;
10724
10725 switch (BO->getOpcode()) {
10726 case BO_Cmp:
10727 llvm_unreachable("builtin <=> should have class type");
10728
10729 // Boolean-valued operations are single-bit and positive.
10730 case BO_LAnd:
10731 case BO_LOr:
10732 case BO_LT:
10733 case BO_GT:
10734 case BO_LE:
10735 case BO_GE:
10736 case BO_EQ:
10737 case BO_NE:
10738 return IntRange::forBoolType();
10739
10740 // The type of the assignments is the type of the LHS, so the RHS
10741 // is not necessarily the same type.
10742 case BO_MulAssign:
10743 case BO_DivAssign:
10744 case BO_RemAssign:
10745 case BO_AddAssign:
10746 case BO_SubAssign:
10747 case BO_XorAssign:
10748 case BO_OrAssign:
10749 // TODO: bitfields?
10750 return IntRange::forValueOfType(C, GetExprType(E));
10751
10752 // Simple assignments just pass through the RHS, which will have
10753 // been coerced to the LHS type.
10754 case BO_Assign:
10755 // TODO: bitfields?
10756 return TryGetExprRange(C, BO->getRHS(), MaxWidth, InConstantContext,
10757 Approximate);
10758
10759 // Operations with opaque sources are black-listed.
10760 case BO_PtrMemD:
10761 case BO_PtrMemI:
10762 return IntRange::forValueOfType(C, GetExprType(E));
10763
10764 // Bitwise-and uses the *infinum* of the two source ranges.
10765 case BO_And:
10766 case BO_AndAssign:
10767 Combine = IntRange::bit_and;
10768 break;
10769
10770 // Left shift gets black-listed based on a judgement call.
10771 case BO_Shl:
10772 // ...except that we want to treat '1 << (blah)' as logically
10773 // positive. It's an important idiom.
10774 if (IntegerLiteral *I
10775 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) {
10776 if (I->getValue() == 1) {
10777 IntRange R = IntRange::forValueOfType(C, GetExprType(E));
10778 return IntRange(R.Width, /*NonNegative*/ true);
10779 }
10780 }
10781 [[fallthrough]];
10782
10783 case BO_ShlAssign:
10784 return IntRange::forValueOfType(C, GetExprType(E));
10785
10786 // Right shift by a constant can narrow its left argument.
10787 case BO_Shr:
10788 case BO_ShrAssign: {
10789 std::optional<IntRange> L = TryGetExprRange(
10790 C, BO->getLHS(), MaxWidth, InConstantContext, Approximate);
10791 if (!L)
10792 return std::nullopt;
10793
10794 // If the shift amount is a positive constant, drop the width by
10795 // that much.
10796 if (std::optional<llvm::APSInt> shift =
10797 BO->getRHS()->getIntegerConstantExpr(C)) {
10798 if (shift->isNonNegative()) {
10799 if (shift->uge(L->Width))
10800 L->Width = (L->NonNegative ? 0 : 1);
10801 else
10802 L->Width -= shift->getZExtValue();
10803 }
10804 }
10805
10806 return L;
10807 }
10808
10809 // Comma acts as its right operand.
10810 case BO_Comma:
10811 return TryGetExprRange(C, BO->getRHS(), MaxWidth, InConstantContext,
10812 Approximate);
10813
10814 case BO_Add:
10815 if (!Approximate)
10816 Combine = IntRange::sum;
10817 break;
10818
10819 case BO_Sub:
10820 if (BO->getLHS()->getType()->isPointerType())
10821 return IntRange::forValueOfType(C, GetExprType(E));
10822 if (!Approximate)
10823 Combine = IntRange::difference;
10824 break;
10825
10826 case BO_Mul:
10827 if (!Approximate)
10828 Combine = IntRange::product;
10829 break;
10830
10831 // The width of a division result is mostly determined by the size
10832 // of the LHS.
10833 case BO_Div: {
10834 // Don't 'pre-truncate' the operands.
10835 unsigned opWidth = C.getIntWidth(GetExprType(E));
10836 std::optional<IntRange> L = TryGetExprRange(
10837 C, BO->getLHS(), opWidth, InConstantContext, Approximate);
10838 if (!L)
10839 return std::nullopt;
10840
10841 // If the divisor is constant, use that.
10842 if (std::optional<llvm::APSInt> divisor =
10843 BO->getRHS()->getIntegerConstantExpr(C)) {
10844 unsigned log2 = divisor->logBase2(); // floor(log_2(divisor))
10845 if (log2 >= L->Width)
10846 L->Width = (L->NonNegative ? 0 : 1);
10847 else
10848 L->Width = std::min(L->Width - log2, MaxWidth);
10849 return L;
10850 }
10851
10852 // Otherwise, just use the LHS's width.
10853 // FIXME: This is wrong if the LHS could be its minimal value and the RHS
10854 // could be -1.
10855 std::optional<IntRange> R = TryGetExprRange(
10856 C, BO->getRHS(), opWidth, InConstantContext, Approximate);
10857 if (!R)
10858 return std::nullopt;
10859
10860 return IntRange(L->Width, L->NonNegative && R->NonNegative);
10861 }
10862
10863 case BO_Rem:
10864 Combine = IntRange::rem;
10865 break;
10866
10867 // The default behavior is okay for these.
10868 case BO_Xor:
10869 case BO_Or:
10870 break;
10871 }
10872
10873 // Combine the two ranges, but limit the result to the type in which we
10874 // performed the computation.
10875 QualType T = GetExprType(E);
10876 unsigned opWidth = C.getIntWidth(T);
10877 std::optional<IntRange> L = TryGetExprRange(C, BO->getLHS(), opWidth,
10878 InConstantContext, Approximate);
10879 if (!L)
10880 return std::nullopt;
10881
10882 std::optional<IntRange> R = TryGetExprRange(C, BO->getRHS(), opWidth,
10883 InConstantContext, Approximate);
10884 if (!R)
10885 return std::nullopt;
10886
10887 IntRange C = Combine(*L, *R);
10888 C.NonNegative |= T->isUnsignedIntegerOrEnumerationType();
10889 C.Width = std::min(C.Width, MaxWidth);
10890 return C;
10891 }
10892
10893 if (const auto *UO = dyn_cast<UnaryOperator>(E)) {
10894 switch (UO->getOpcode()) {
10895 // Boolean-valued operations are white-listed.
10896 case UO_LNot:
10897 return IntRange::forBoolType();
10898
10899 // Operations with opaque sources are black-listed.
10900 case UO_Deref:
10901 case UO_AddrOf: // should be impossible
10902 return IntRange::forValueOfType(C, GetExprType(E));
10903
10904 case UO_Minus: {
10905 if (E->getType()->isUnsignedIntegerType()) {
10906 return TryGetExprRange(C, UO->getSubExpr(), MaxWidth, InConstantContext,
10907 Approximate);
10908 }
10909
10910 std::optional<IntRange> SubRange = TryGetExprRange(
10911 C, UO->getSubExpr(), MaxWidth, InConstantContext, Approximate);
10912
10913 if (!SubRange)
10914 return std::nullopt;
10915
10916 // If the range was previously non-negative, we need an extra bit for the
10917 // sign bit. Otherwise, we need an extra bit because the negation of the
10918 // most-negative value is one bit wider than that value.
10919 return IntRange(std::min(SubRange->Width + 1, MaxWidth), false);
10920 }
10921
10922 case UO_Not: {
10923 if (E->getType()->isUnsignedIntegerType()) {
10924 return TryGetExprRange(C, UO->getSubExpr(), MaxWidth, InConstantContext,
10925 Approximate);
10926 }
10927
10928 std::optional<IntRange> SubRange = TryGetExprRange(
10929 C, UO->getSubExpr(), MaxWidth, InConstantContext, Approximate);
10930
10931 if (!SubRange)
10932 return std::nullopt;
10933
10934 // The width increments by 1 if the sub-expression cannot be negative
10935 // since it now can be.
10936 return IntRange(
10937 std::min(SubRange->Width + (int)SubRange->NonNegative, MaxWidth),
10938 false);
10939 }
10940
10941 default:
10942 return TryGetExprRange(C, UO->getSubExpr(), MaxWidth, InConstantContext,
10943 Approximate);
10944 }
10945 }
10946
10947 if (const auto *OVE = dyn_cast<OpaqueValueExpr>(E))
10948 return TryGetExprRange(C, OVE->getSourceExpr(), MaxWidth, InConstantContext,
10949 Approximate);
10950
10951 if (const auto *BitField = E->getSourceBitField())
10952 return IntRange(BitField->getBitWidthValue(),
10953 BitField->getType()->isUnsignedIntegerOrEnumerationType());
10954
10955 if (GetExprType(E)->isVoidType())
10956 return std::nullopt;
10957
10958 return IntRange::forValueOfType(C, GetExprType(E));
10959 }
10960
TryGetExprRange(ASTContext & C,const Expr * E,bool InConstantContext,bool Approximate)10961 static std::optional<IntRange> TryGetExprRange(ASTContext &C, const Expr *E,
10962 bool InConstantContext,
10963 bool Approximate) {
10964 return TryGetExprRange(C, E, C.getIntWidth(GetExprType(E)), InConstantContext,
10965 Approximate);
10966 }
10967
10968 /// Checks whether the given value, which currently has the given
10969 /// source semantics, has the same value when coerced through the
10970 /// target semantics.
IsSameFloatAfterCast(const llvm::APFloat & value,const llvm::fltSemantics & Src,const llvm::fltSemantics & Tgt)10971 static bool IsSameFloatAfterCast(const llvm::APFloat &value,
10972 const llvm::fltSemantics &Src,
10973 const llvm::fltSemantics &Tgt) {
10974 llvm::APFloat truncated = value;
10975
10976 bool ignored;
10977 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored);
10978 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored);
10979
10980 return truncated.bitwiseIsEqual(value);
10981 }
10982
10983 /// Checks whether the given value, which currently has the given
10984 /// source semantics, has the same value when coerced through the
10985 /// target semantics.
10986 ///
10987 /// The value might be a vector of floats (or a complex number).
IsSameFloatAfterCast(const APValue & value,const llvm::fltSemantics & Src,const llvm::fltSemantics & Tgt)10988 static bool IsSameFloatAfterCast(const APValue &value,
10989 const llvm::fltSemantics &Src,
10990 const llvm::fltSemantics &Tgt) {
10991 if (value.isFloat())
10992 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt);
10993
10994 if (value.isVector()) {
10995 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i)
10996 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt))
10997 return false;
10998 return true;
10999 }
11000
11001 assert(value.isComplexFloat());
11002 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) &&
11003 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt));
11004 }
11005
11006 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC,
11007 bool IsListInit = false);
11008
IsEnumConstOrFromMacro(Sema & S,const Expr * E)11009 static bool IsEnumConstOrFromMacro(Sema &S, const Expr *E) {
11010 // Suppress cases where we are comparing against an enum constant.
11011 if (const auto *DR = dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts()))
11012 if (isa<EnumConstantDecl>(DR->getDecl()))
11013 return true;
11014
11015 // Suppress cases where the value is expanded from a macro, unless that macro
11016 // is how a language represents a boolean literal. This is the case in both C
11017 // and Objective-C.
11018 SourceLocation BeginLoc = E->getBeginLoc();
11019 if (BeginLoc.isMacroID()) {
11020 StringRef MacroName = Lexer::getImmediateMacroName(
11021 BeginLoc, S.getSourceManager(), S.getLangOpts());
11022 return MacroName != "YES" && MacroName != "NO" &&
11023 MacroName != "true" && MacroName != "false";
11024 }
11025
11026 return false;
11027 }
11028
isKnownToHaveUnsignedValue(const Expr * E)11029 static bool isKnownToHaveUnsignedValue(const Expr *E) {
11030 return E->getType()->isIntegerType() &&
11031 (!E->getType()->isSignedIntegerType() ||
11032 !E->IgnoreParenImpCasts()->getType()->isSignedIntegerType());
11033 }
11034
11035 namespace {
11036 /// The promoted range of values of a type. In general this has the
11037 /// following structure:
11038 ///
11039 /// |-----------| . . . |-----------|
11040 /// ^ ^ ^ ^
11041 /// Min HoleMin HoleMax Max
11042 ///
11043 /// ... where there is only a hole if a signed type is promoted to unsigned
11044 /// (in which case Min and Max are the smallest and largest representable
11045 /// values).
11046 struct PromotedRange {
11047 // Min, or HoleMax if there is a hole.
11048 llvm::APSInt PromotedMin;
11049 // Max, or HoleMin if there is a hole.
11050 llvm::APSInt PromotedMax;
11051
PromotedRange__anon28c3fbb12b11::PromotedRange11052 PromotedRange(IntRange R, unsigned BitWidth, bool Unsigned) {
11053 if (R.Width == 0)
11054 PromotedMin = PromotedMax = llvm::APSInt(BitWidth, Unsigned);
11055 else if (R.Width >= BitWidth && !Unsigned) {
11056 // Promotion made the type *narrower*. This happens when promoting
11057 // a < 32-bit unsigned / <= 32-bit signed bit-field to 'signed int'.
11058 // Treat all values of 'signed int' as being in range for now.
11059 PromotedMin = llvm::APSInt::getMinValue(BitWidth, Unsigned);
11060 PromotedMax = llvm::APSInt::getMaxValue(BitWidth, Unsigned);
11061 } else {
11062 PromotedMin = llvm::APSInt::getMinValue(R.Width, R.NonNegative)
11063 .extOrTrunc(BitWidth);
11064 PromotedMin.setIsUnsigned(Unsigned);
11065
11066 PromotedMax = llvm::APSInt::getMaxValue(R.Width, R.NonNegative)
11067 .extOrTrunc(BitWidth);
11068 PromotedMax.setIsUnsigned(Unsigned);
11069 }
11070 }
11071
11072 // Determine whether this range is contiguous (has no hole).
isContiguous__anon28c3fbb12b11::PromotedRange11073 bool isContiguous() const { return PromotedMin <= PromotedMax; }
11074
11075 // Where a constant value is within the range.
11076 enum ComparisonResult {
11077 LT = 0x1,
11078 LE = 0x2,
11079 GT = 0x4,
11080 GE = 0x8,
11081 EQ = 0x10,
11082 NE = 0x20,
11083 InRangeFlag = 0x40,
11084
11085 Less = LE | LT | NE,
11086 Min = LE | InRangeFlag,
11087 InRange = InRangeFlag,
11088 Max = GE | InRangeFlag,
11089 Greater = GE | GT | NE,
11090
11091 OnlyValue = LE | GE | EQ | InRangeFlag,
11092 InHole = NE
11093 };
11094
compare__anon28c3fbb12b11::PromotedRange11095 ComparisonResult compare(const llvm::APSInt &Value) const {
11096 assert(Value.getBitWidth() == PromotedMin.getBitWidth() &&
11097 Value.isUnsigned() == PromotedMin.isUnsigned());
11098 if (!isContiguous()) {
11099 assert(Value.isUnsigned() && "discontiguous range for signed compare");
11100 if (Value.isMinValue()) return Min;
11101 if (Value.isMaxValue()) return Max;
11102 if (Value >= PromotedMin) return InRange;
11103 if (Value <= PromotedMax) return InRange;
11104 return InHole;
11105 }
11106
11107 switch (llvm::APSInt::compareValues(Value, PromotedMin)) {
11108 case -1: return Less;
11109 case 0: return PromotedMin == PromotedMax ? OnlyValue : Min;
11110 case 1:
11111 switch (llvm::APSInt::compareValues(Value, PromotedMax)) {
11112 case -1: return InRange;
11113 case 0: return Max;
11114 case 1: return Greater;
11115 }
11116 }
11117
11118 llvm_unreachable("impossible compare result");
11119 }
11120
11121 static std::optional<StringRef>
constantValue__anon28c3fbb12b11::PromotedRange11122 constantValue(BinaryOperatorKind Op, ComparisonResult R, bool ConstantOnRHS) {
11123 if (Op == BO_Cmp) {
11124 ComparisonResult LTFlag = LT, GTFlag = GT;
11125 if (ConstantOnRHS) std::swap(LTFlag, GTFlag);
11126
11127 if (R & EQ) return StringRef("'std::strong_ordering::equal'");
11128 if (R & LTFlag) return StringRef("'std::strong_ordering::less'");
11129 if (R & GTFlag) return StringRef("'std::strong_ordering::greater'");
11130 return std::nullopt;
11131 }
11132
11133 ComparisonResult TrueFlag, FalseFlag;
11134 if (Op == BO_EQ) {
11135 TrueFlag = EQ;
11136 FalseFlag = NE;
11137 } else if (Op == BO_NE) {
11138 TrueFlag = NE;
11139 FalseFlag = EQ;
11140 } else {
11141 if ((Op == BO_LT || Op == BO_GE) ^ ConstantOnRHS) {
11142 TrueFlag = LT;
11143 FalseFlag = GE;
11144 } else {
11145 TrueFlag = GT;
11146 FalseFlag = LE;
11147 }
11148 if (Op == BO_GE || Op == BO_LE)
11149 std::swap(TrueFlag, FalseFlag);
11150 }
11151 if (R & TrueFlag)
11152 return StringRef("true");
11153 if (R & FalseFlag)
11154 return StringRef("false");
11155 return std::nullopt;
11156 }
11157 };
11158 }
11159
HasEnumType(const Expr * E)11160 static bool HasEnumType(const Expr *E) {
11161 // Strip off implicit integral promotions.
11162 while (const auto *ICE = dyn_cast<ImplicitCastExpr>(E)) {
11163 if (ICE->getCastKind() != CK_IntegralCast &&
11164 ICE->getCastKind() != CK_NoOp)
11165 break;
11166 E = ICE->getSubExpr();
11167 }
11168
11169 return E->getType()->isEnumeralType();
11170 }
11171
classifyConstantValue(Expr * Constant)11172 static int classifyConstantValue(Expr *Constant) {
11173 // The values of this enumeration are used in the diagnostics
11174 // diag::warn_out_of_range_compare and diag::warn_tautological_bool_compare.
11175 enum ConstantValueKind {
11176 Miscellaneous = 0,
11177 LiteralTrue,
11178 LiteralFalse
11179 };
11180 if (auto *BL = dyn_cast<CXXBoolLiteralExpr>(Constant))
11181 return BL->getValue() ? ConstantValueKind::LiteralTrue
11182 : ConstantValueKind::LiteralFalse;
11183 return ConstantValueKind::Miscellaneous;
11184 }
11185
CheckTautologicalComparison(Sema & S,BinaryOperator * E,Expr * Constant,Expr * Other,const llvm::APSInt & Value,bool RhsConstant)11186 static bool CheckTautologicalComparison(Sema &S, BinaryOperator *E,
11187 Expr *Constant, Expr *Other,
11188 const llvm::APSInt &Value,
11189 bool RhsConstant) {
11190 if (S.inTemplateInstantiation())
11191 return false;
11192
11193 Expr *OriginalOther = Other;
11194
11195 Constant = Constant->IgnoreParenImpCasts();
11196 Other = Other->IgnoreParenImpCasts();
11197
11198 // Suppress warnings on tautological comparisons between values of the same
11199 // enumeration type. There are only two ways we could warn on this:
11200 // - If the constant is outside the range of representable values of
11201 // the enumeration. In such a case, we should warn about the cast
11202 // to enumeration type, not about the comparison.
11203 // - If the constant is the maximum / minimum in-range value. For an
11204 // enumeratin type, such comparisons can be meaningful and useful.
11205 if (Constant->getType()->isEnumeralType() &&
11206 S.Context.hasSameUnqualifiedType(Constant->getType(), Other->getType()))
11207 return false;
11208
11209 std::optional<IntRange> OtherValueRange = TryGetExprRange(
11210 S.Context, Other, S.isConstantEvaluatedContext(), /*Approximate=*/false);
11211 if (!OtherValueRange)
11212 return false;
11213
11214 QualType OtherT = Other->getType();
11215 if (const auto *AT = OtherT->getAs<AtomicType>())
11216 OtherT = AT->getValueType();
11217 IntRange OtherTypeRange = IntRange::forValueOfType(S.Context, OtherT);
11218
11219 // Special case for ObjC BOOL on targets where its a typedef for a signed char
11220 // (Namely, macOS). FIXME: IntRange::forValueOfType should do this.
11221 bool IsObjCSignedCharBool = S.getLangOpts().ObjC &&
11222 S.ObjC().NSAPIObj->isObjCBOOLType(OtherT) &&
11223 OtherT->isSpecificBuiltinType(BuiltinType::SChar);
11224
11225 // Whether we're treating Other as being a bool because of the form of
11226 // expression despite it having another type (typically 'int' in C).
11227 bool OtherIsBooleanDespiteType =
11228 !OtherT->isBooleanType() && Other->isKnownToHaveBooleanValue();
11229 if (OtherIsBooleanDespiteType || IsObjCSignedCharBool)
11230 OtherTypeRange = *OtherValueRange = IntRange::forBoolType();
11231
11232 // Check if all values in the range of possible values of this expression
11233 // lead to the same comparison outcome.
11234 PromotedRange OtherPromotedValueRange(*OtherValueRange, Value.getBitWidth(),
11235 Value.isUnsigned());
11236 auto Cmp = OtherPromotedValueRange.compare(Value);
11237 auto Result = PromotedRange::constantValue(E->getOpcode(), Cmp, RhsConstant);
11238 if (!Result)
11239 return false;
11240
11241 // Also consider the range determined by the type alone. This allows us to
11242 // classify the warning under the proper diagnostic group.
11243 bool TautologicalTypeCompare = false;
11244 {
11245 PromotedRange OtherPromotedTypeRange(OtherTypeRange, Value.getBitWidth(),
11246 Value.isUnsigned());
11247 auto TypeCmp = OtherPromotedTypeRange.compare(Value);
11248 if (auto TypeResult = PromotedRange::constantValue(E->getOpcode(), TypeCmp,
11249 RhsConstant)) {
11250 TautologicalTypeCompare = true;
11251 Cmp = TypeCmp;
11252 Result = TypeResult;
11253 }
11254 }
11255
11256 // Don't warn if the non-constant operand actually always evaluates to the
11257 // same value.
11258 if (!TautologicalTypeCompare && OtherValueRange->Width == 0)
11259 return false;
11260
11261 // Suppress the diagnostic for an in-range comparison if the constant comes
11262 // from a macro or enumerator. We don't want to diagnose
11263 //
11264 // some_long_value <= INT_MAX
11265 //
11266 // when sizeof(int) == sizeof(long).
11267 bool InRange = Cmp & PromotedRange::InRangeFlag;
11268 if (InRange && IsEnumConstOrFromMacro(S, Constant))
11269 return false;
11270
11271 // A comparison of an unsigned bit-field against 0 is really a type problem,
11272 // even though at the type level the bit-field might promote to 'signed int'.
11273 if (Other->refersToBitField() && InRange && Value == 0 &&
11274 Other->getType()->isUnsignedIntegerOrEnumerationType())
11275 TautologicalTypeCompare = true;
11276
11277 // If this is a comparison to an enum constant, include that
11278 // constant in the diagnostic.
11279 const EnumConstantDecl *ED = nullptr;
11280 if (const auto *DR = dyn_cast<DeclRefExpr>(Constant))
11281 ED = dyn_cast<EnumConstantDecl>(DR->getDecl());
11282
11283 // Should be enough for uint128 (39 decimal digits)
11284 SmallString<64> PrettySourceValue;
11285 llvm::raw_svector_ostream OS(PrettySourceValue);
11286 if (ED) {
11287 OS << '\'' << *ED << "' (" << Value << ")";
11288 } else if (auto *BL = dyn_cast<ObjCBoolLiteralExpr>(
11289 Constant->IgnoreParenImpCasts())) {
11290 OS << (BL->getValue() ? "YES" : "NO");
11291 } else {
11292 OS << Value;
11293 }
11294
11295 if (!TautologicalTypeCompare) {
11296 S.Diag(E->getOperatorLoc(), diag::warn_tautological_compare_value_range)
11297 << RhsConstant << OtherValueRange->Width << OtherValueRange->NonNegative
11298 << E->getOpcodeStr() << OS.str() << *Result
11299 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
11300 return true;
11301 }
11302
11303 if (IsObjCSignedCharBool) {
11304 S.DiagRuntimeBehavior(E->getOperatorLoc(), E,
11305 S.PDiag(diag::warn_tautological_compare_objc_bool)
11306 << OS.str() << *Result);
11307 return true;
11308 }
11309
11310 // FIXME: We use a somewhat different formatting for the in-range cases and
11311 // cases involving boolean values for historical reasons. We should pick a
11312 // consistent way of presenting these diagnostics.
11313 if (!InRange || Other->isKnownToHaveBooleanValue()) {
11314
11315 S.DiagRuntimeBehavior(
11316 E->getOperatorLoc(), E,
11317 S.PDiag(!InRange ? diag::warn_out_of_range_compare
11318 : diag::warn_tautological_bool_compare)
11319 << OS.str() << classifyConstantValue(Constant) << OtherT
11320 << OtherIsBooleanDespiteType << *Result
11321 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange());
11322 } else {
11323 bool IsCharTy = OtherT.withoutLocalFastQualifiers() == S.Context.CharTy;
11324 unsigned Diag =
11325 (isKnownToHaveUnsignedValue(OriginalOther) && Value == 0)
11326 ? (HasEnumType(OriginalOther)
11327 ? diag::warn_unsigned_enum_always_true_comparison
11328 : IsCharTy ? diag::warn_unsigned_char_always_true_comparison
11329 : diag::warn_unsigned_always_true_comparison)
11330 : diag::warn_tautological_constant_compare;
11331
11332 S.Diag(E->getOperatorLoc(), Diag)
11333 << RhsConstant << OtherT << E->getOpcodeStr() << OS.str() << *Result
11334 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
11335 }
11336
11337 return true;
11338 }
11339
11340 /// Analyze the operands of the given comparison. Implements the
11341 /// fallback case from AnalyzeComparison.
AnalyzeImpConvsInComparison(Sema & S,BinaryOperator * E)11342 static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) {
11343 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
11344 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
11345 }
11346
11347 /// Implements -Wsign-compare.
11348 ///
11349 /// \param E the binary operator to check for warnings
AnalyzeComparison(Sema & S,BinaryOperator * E)11350 static void AnalyzeComparison(Sema &S, BinaryOperator *E) {
11351 // The type the comparison is being performed in.
11352 QualType T = E->getLHS()->getType();
11353
11354 // Only analyze comparison operators where both sides have been converted to
11355 // the same type.
11356 if (!S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()))
11357 return AnalyzeImpConvsInComparison(S, E);
11358
11359 // Don't analyze value-dependent comparisons directly.
11360 if (E->isValueDependent())
11361 return AnalyzeImpConvsInComparison(S, E);
11362
11363 Expr *LHS = E->getLHS();
11364 Expr *RHS = E->getRHS();
11365
11366 if (T->isIntegralType(S.Context)) {
11367 std::optional<llvm::APSInt> RHSValue =
11368 RHS->getIntegerConstantExpr(S.Context);
11369 std::optional<llvm::APSInt> LHSValue =
11370 LHS->getIntegerConstantExpr(S.Context);
11371
11372 // We don't care about expressions whose result is a constant.
11373 if (RHSValue && LHSValue)
11374 return AnalyzeImpConvsInComparison(S, E);
11375
11376 // We only care about expressions where just one side is literal
11377 if ((bool)RHSValue ^ (bool)LHSValue) {
11378 // Is the constant on the RHS or LHS?
11379 const bool RhsConstant = (bool)RHSValue;
11380 Expr *Const = RhsConstant ? RHS : LHS;
11381 Expr *Other = RhsConstant ? LHS : RHS;
11382 const llvm::APSInt &Value = RhsConstant ? *RHSValue : *LHSValue;
11383
11384 // Check whether an integer constant comparison results in a value
11385 // of 'true' or 'false'.
11386 if (CheckTautologicalComparison(S, E, Const, Other, Value, RhsConstant))
11387 return AnalyzeImpConvsInComparison(S, E);
11388 }
11389 }
11390
11391 if (!T->hasUnsignedIntegerRepresentation()) {
11392 // We don't do anything special if this isn't an unsigned integral
11393 // comparison: we're only interested in integral comparisons, and
11394 // signed comparisons only happen in cases we don't care to warn about.
11395 return AnalyzeImpConvsInComparison(S, E);
11396 }
11397
11398 LHS = LHS->IgnoreParenImpCasts();
11399 RHS = RHS->IgnoreParenImpCasts();
11400
11401 if (!S.getLangOpts().CPlusPlus) {
11402 // Avoid warning about comparison of integers with different signs when
11403 // RHS/LHS has a `typeof(E)` type whose sign is different from the sign of
11404 // the type of `E`.
11405 if (const auto *TET = dyn_cast<TypeOfExprType>(LHS->getType()))
11406 LHS = TET->getUnderlyingExpr()->IgnoreParenImpCasts();
11407 if (const auto *TET = dyn_cast<TypeOfExprType>(RHS->getType()))
11408 RHS = TET->getUnderlyingExpr()->IgnoreParenImpCasts();
11409 }
11410
11411 // Check to see if one of the (unmodified) operands is of different
11412 // signedness.
11413 Expr *signedOperand, *unsignedOperand;
11414 if (LHS->getType()->hasSignedIntegerRepresentation()) {
11415 assert(!RHS->getType()->hasSignedIntegerRepresentation() &&
11416 "unsigned comparison between two signed integer expressions?");
11417 signedOperand = LHS;
11418 unsignedOperand = RHS;
11419 } else if (RHS->getType()->hasSignedIntegerRepresentation()) {
11420 signedOperand = RHS;
11421 unsignedOperand = LHS;
11422 } else {
11423 return AnalyzeImpConvsInComparison(S, E);
11424 }
11425
11426 // Otherwise, calculate the effective range of the signed operand.
11427 std::optional<IntRange> signedRange =
11428 TryGetExprRange(S.Context, signedOperand, S.isConstantEvaluatedContext(),
11429 /*Approximate=*/true);
11430 if (!signedRange)
11431 return;
11432
11433 // Go ahead and analyze implicit conversions in the operands. Note
11434 // that we skip the implicit conversions on both sides.
11435 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc());
11436 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc());
11437
11438 // If the signed range is non-negative, -Wsign-compare won't fire.
11439 if (signedRange->NonNegative)
11440 return;
11441
11442 // For (in)equality comparisons, if the unsigned operand is a
11443 // constant which cannot collide with a overflowed signed operand,
11444 // then reinterpreting the signed operand as unsigned will not
11445 // change the result of the comparison.
11446 if (E->isEqualityOp()) {
11447 unsigned comparisonWidth = S.Context.getIntWidth(T);
11448 std::optional<IntRange> unsignedRange = TryGetExprRange(
11449 S.Context, unsignedOperand, S.isConstantEvaluatedContext(),
11450 /*Approximate=*/true);
11451 if (!unsignedRange)
11452 return;
11453
11454 // We should never be unable to prove that the unsigned operand is
11455 // non-negative.
11456 assert(unsignedRange->NonNegative && "unsigned range includes negative?");
11457
11458 if (unsignedRange->Width < comparisonWidth)
11459 return;
11460 }
11461
11462 S.DiagRuntimeBehavior(E->getOperatorLoc(), E,
11463 S.PDiag(diag::warn_mixed_sign_comparison)
11464 << LHS->getType() << RHS->getType()
11465 << LHS->getSourceRange() << RHS->getSourceRange());
11466 }
11467
11468 /// Analyzes an attempt to assign the given value to a bitfield.
11469 ///
11470 /// Returns true if there was something fishy about the attempt.
AnalyzeBitFieldAssignment(Sema & S,FieldDecl * Bitfield,Expr * Init,SourceLocation InitLoc)11471 static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init,
11472 SourceLocation InitLoc) {
11473 assert(Bitfield->isBitField());
11474 if (Bitfield->isInvalidDecl())
11475 return false;
11476
11477 // White-list bool bitfields.
11478 QualType BitfieldType = Bitfield->getType();
11479 if (BitfieldType->isBooleanType())
11480 return false;
11481
11482 if (BitfieldType->isEnumeralType()) {
11483 EnumDecl *BitfieldEnumDecl = BitfieldType->castAs<EnumType>()->getDecl();
11484 // If the underlying enum type was not explicitly specified as an unsigned
11485 // type and the enum contain only positive values, MSVC++ will cause an
11486 // inconsistency by storing this as a signed type.
11487 if (S.getLangOpts().CPlusPlus11 &&
11488 !BitfieldEnumDecl->getIntegerTypeSourceInfo() &&
11489 BitfieldEnumDecl->getNumPositiveBits() > 0 &&
11490 BitfieldEnumDecl->getNumNegativeBits() == 0) {
11491 S.Diag(InitLoc, diag::warn_no_underlying_type_specified_for_enum_bitfield)
11492 << BitfieldEnumDecl;
11493 }
11494 }
11495
11496 // Ignore value- or type-dependent expressions.
11497 if (Bitfield->getBitWidth()->isValueDependent() ||
11498 Bitfield->getBitWidth()->isTypeDependent() ||
11499 Init->isValueDependent() ||
11500 Init->isTypeDependent())
11501 return false;
11502
11503 Expr *OriginalInit = Init->IgnoreParenImpCasts();
11504 unsigned FieldWidth = Bitfield->getBitWidthValue();
11505
11506 Expr::EvalResult Result;
11507 if (!OriginalInit->EvaluateAsInt(Result, S.Context,
11508 Expr::SE_AllowSideEffects)) {
11509 // The RHS is not constant. If the RHS has an enum type, make sure the
11510 // bitfield is wide enough to hold all the values of the enum without
11511 // truncation.
11512 const auto *EnumTy = OriginalInit->getType()->getAs<EnumType>();
11513 const PreferredTypeAttr *PTAttr = nullptr;
11514 if (!EnumTy) {
11515 PTAttr = Bitfield->getAttr<PreferredTypeAttr>();
11516 if (PTAttr)
11517 EnumTy = PTAttr->getType()->getAs<EnumType>();
11518 }
11519 if (EnumTy) {
11520 EnumDecl *ED = EnumTy->getDecl();
11521 bool SignedBitfield = BitfieldType->isSignedIntegerOrEnumerationType();
11522
11523 // Enum types are implicitly signed on Windows, so check if there are any
11524 // negative enumerators to see if the enum was intended to be signed or
11525 // not.
11526 bool SignedEnum = ED->getNumNegativeBits() > 0;
11527
11528 // Check for surprising sign changes when assigning enum values to a
11529 // bitfield of different signedness. If the bitfield is signed and we
11530 // have exactly the right number of bits to store this unsigned enum,
11531 // suggest changing the enum to an unsigned type. This typically happens
11532 // on Windows where unfixed enums always use an underlying type of 'int'.
11533 unsigned DiagID = 0;
11534 if (SignedEnum && !SignedBitfield) {
11535 DiagID =
11536 PTAttr == nullptr
11537 ? diag::warn_unsigned_bitfield_assigned_signed_enum
11538 : diag::
11539 warn_preferred_type_unsigned_bitfield_assigned_signed_enum;
11540 } else if (SignedBitfield && !SignedEnum &&
11541 ED->getNumPositiveBits() == FieldWidth) {
11542 DiagID =
11543 PTAttr == nullptr
11544 ? diag::warn_signed_bitfield_enum_conversion
11545 : diag::warn_preferred_type_signed_bitfield_enum_conversion;
11546 }
11547 if (DiagID) {
11548 S.Diag(InitLoc, DiagID) << Bitfield << ED;
11549 TypeSourceInfo *TSI = Bitfield->getTypeSourceInfo();
11550 SourceRange TypeRange =
11551 TSI ? TSI->getTypeLoc().getSourceRange() : SourceRange();
11552 S.Diag(Bitfield->getTypeSpecStartLoc(), diag::note_change_bitfield_sign)
11553 << SignedEnum << TypeRange;
11554 if (PTAttr)
11555 S.Diag(PTAttr->getLocation(), diag::note_bitfield_preferred_type)
11556 << ED;
11557 }
11558
11559 // Compute the required bitwidth. If the enum has negative values, we need
11560 // one more bit than the normal number of positive bits to represent the
11561 // sign bit.
11562 unsigned BitsNeeded = SignedEnum ? std::max(ED->getNumPositiveBits() + 1,
11563 ED->getNumNegativeBits())
11564 : ED->getNumPositiveBits();
11565
11566 // Check the bitwidth.
11567 if (BitsNeeded > FieldWidth) {
11568 Expr *WidthExpr = Bitfield->getBitWidth();
11569 auto DiagID =
11570 PTAttr == nullptr
11571 ? diag::warn_bitfield_too_small_for_enum
11572 : diag::warn_preferred_type_bitfield_too_small_for_enum;
11573 S.Diag(InitLoc, DiagID) << Bitfield << ED;
11574 S.Diag(WidthExpr->getExprLoc(), diag::note_widen_bitfield)
11575 << BitsNeeded << ED << WidthExpr->getSourceRange();
11576 if (PTAttr)
11577 S.Diag(PTAttr->getLocation(), diag::note_bitfield_preferred_type)
11578 << ED;
11579 }
11580 }
11581
11582 return false;
11583 }
11584
11585 llvm::APSInt Value = Result.Val.getInt();
11586
11587 unsigned OriginalWidth = Value.getBitWidth();
11588
11589 // In C, the macro 'true' from stdbool.h will evaluate to '1'; To reduce
11590 // false positives where the user is demonstrating they intend to use the
11591 // bit-field as a Boolean, check to see if the value is 1 and we're assigning
11592 // to a one-bit bit-field to see if the value came from a macro named 'true'.
11593 bool OneAssignedToOneBitBitfield = FieldWidth == 1 && Value == 1;
11594 if (OneAssignedToOneBitBitfield && !S.LangOpts.CPlusPlus) {
11595 SourceLocation MaybeMacroLoc = OriginalInit->getBeginLoc();
11596 if (S.SourceMgr.isInSystemMacro(MaybeMacroLoc) &&
11597 S.findMacroSpelling(MaybeMacroLoc, "true"))
11598 return false;
11599 }
11600
11601 if (!Value.isSigned() || Value.isNegative())
11602 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(OriginalInit))
11603 if (UO->getOpcode() == UO_Minus || UO->getOpcode() == UO_Not)
11604 OriginalWidth = Value.getSignificantBits();
11605
11606 if (OriginalWidth <= FieldWidth)
11607 return false;
11608
11609 // Compute the value which the bitfield will contain.
11610 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth);
11611 TruncatedValue.setIsSigned(BitfieldType->isSignedIntegerType());
11612
11613 // Check whether the stored value is equal to the original value.
11614 TruncatedValue = TruncatedValue.extend(OriginalWidth);
11615 if (llvm::APSInt::isSameValue(Value, TruncatedValue))
11616 return false;
11617
11618 std::string PrettyValue = toString(Value, 10);
11619 std::string PrettyTrunc = toString(TruncatedValue, 10);
11620
11621 S.Diag(InitLoc, OneAssignedToOneBitBitfield
11622 ? diag::warn_impcast_single_bit_bitield_precision_constant
11623 : diag::warn_impcast_bitfield_precision_constant)
11624 << PrettyValue << PrettyTrunc << OriginalInit->getType()
11625 << Init->getSourceRange();
11626
11627 return true;
11628 }
11629
11630 /// Analyze the given simple or compound assignment for warning-worthy
11631 /// operations.
AnalyzeAssignment(Sema & S,BinaryOperator * E)11632 static void AnalyzeAssignment(Sema &S, BinaryOperator *E) {
11633 // Just recurse on the LHS.
11634 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
11635
11636 // We want to recurse on the RHS as normal unless we're assigning to
11637 // a bitfield.
11638 if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) {
11639 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(),
11640 E->getOperatorLoc())) {
11641 // Recurse, ignoring any implicit conversions on the RHS.
11642 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(),
11643 E->getOperatorLoc());
11644 }
11645 }
11646
11647 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
11648
11649 // Diagnose implicitly sequentially-consistent atomic assignment.
11650 if (E->getLHS()->getType()->isAtomicType())
11651 S.Diag(E->getRHS()->getBeginLoc(), diag::warn_atomic_implicit_seq_cst);
11652 }
11653
11654 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
DiagnoseImpCast(Sema & S,const Expr * E,QualType SourceType,QualType T,SourceLocation CContext,unsigned diag,bool PruneControlFlow=false)11655 static void DiagnoseImpCast(Sema &S, const Expr *E, QualType SourceType,
11656 QualType T, SourceLocation CContext, unsigned diag,
11657 bool PruneControlFlow = false) {
11658 // For languages like HLSL and OpenCL, implicit conversion diagnostics listing
11659 // address space annotations isn't really useful. The warnings aren't because
11660 // you're converting a `private int` to `unsigned int`, it is because you're
11661 // conerting `int` to `unsigned int`.
11662 if (SourceType.hasAddressSpace())
11663 SourceType = S.getASTContext().removeAddrSpaceQualType(SourceType);
11664 if (T.hasAddressSpace())
11665 T = S.getASTContext().removeAddrSpaceQualType(T);
11666 if (PruneControlFlow) {
11667 S.DiagRuntimeBehavior(E->getExprLoc(), E,
11668 S.PDiag(diag)
11669 << SourceType << T << E->getSourceRange()
11670 << SourceRange(CContext));
11671 return;
11672 }
11673 S.Diag(E->getExprLoc(), diag)
11674 << SourceType << T << E->getSourceRange() << SourceRange(CContext);
11675 }
11676
11677 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
DiagnoseImpCast(Sema & S,const Expr * E,QualType T,SourceLocation CContext,unsigned diag,bool PruneControlFlow=false)11678 static void DiagnoseImpCast(Sema &S, const Expr *E, QualType T,
11679 SourceLocation CContext, unsigned diag,
11680 bool PruneControlFlow = false) {
11681 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, PruneControlFlow);
11682 }
11683
11684 /// Diagnose an implicit cast from a floating point value to an integer value.
DiagnoseFloatingImpCast(Sema & S,const Expr * E,QualType T,SourceLocation CContext)11685 static void DiagnoseFloatingImpCast(Sema &S, const Expr *E, QualType T,
11686 SourceLocation CContext) {
11687 bool IsBool = T->isSpecificBuiltinType(BuiltinType::Bool);
11688 bool PruneWarnings = S.inTemplateInstantiation();
11689
11690 const Expr *InnerE = E->IgnoreParenImpCasts();
11691 // We also want to warn on, e.g., "int i = -1.234"
11692 if (const auto *UOp = dyn_cast<UnaryOperator>(InnerE))
11693 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus)
11694 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts();
11695
11696 bool IsLiteral = isa<FloatingLiteral>(E) || isa<FloatingLiteral>(InnerE);
11697
11698 llvm::APFloat Value(0.0);
11699 bool IsConstant =
11700 E->EvaluateAsFloat(Value, S.Context, Expr::SE_AllowSideEffects);
11701 if (!IsConstant) {
11702 if (S.ObjC().isSignedCharBool(T)) {
11703 return S.ObjC().adornBoolConversionDiagWithTernaryFixit(
11704 E, S.Diag(CContext, diag::warn_impcast_float_to_objc_signed_char_bool)
11705 << E->getType());
11706 }
11707
11708 return DiagnoseImpCast(S, E, T, CContext,
11709 diag::warn_impcast_float_integer, PruneWarnings);
11710 }
11711
11712 bool isExact = false;
11713
11714 llvm::APSInt IntegerValue(S.Context.getIntWidth(T),
11715 T->hasUnsignedIntegerRepresentation());
11716 llvm::APFloat::opStatus Result = Value.convertToInteger(
11717 IntegerValue, llvm::APFloat::rmTowardZero, &isExact);
11718
11719 // FIXME: Force the precision of the source value down so we don't print
11720 // digits which are usually useless (we don't really care here if we
11721 // truncate a digit by accident in edge cases). Ideally, APFloat::toString
11722 // would automatically print the shortest representation, but it's a bit
11723 // tricky to implement.
11724 SmallString<16> PrettySourceValue;
11725 unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics());
11726 precision = (precision * 59 + 195) / 196;
11727 Value.toString(PrettySourceValue, precision);
11728
11729 if (S.ObjC().isSignedCharBool(T) && IntegerValue != 0 && IntegerValue != 1) {
11730 return S.ObjC().adornBoolConversionDiagWithTernaryFixit(
11731 E, S.Diag(CContext, diag::warn_impcast_constant_value_to_objc_bool)
11732 << PrettySourceValue);
11733 }
11734
11735 if (Result == llvm::APFloat::opOK && isExact) {
11736 if (IsLiteral) return;
11737 return DiagnoseImpCast(S, E, T, CContext, diag::warn_impcast_float_integer,
11738 PruneWarnings);
11739 }
11740
11741 // Conversion of a floating-point value to a non-bool integer where the
11742 // integral part cannot be represented by the integer type is undefined.
11743 if (!IsBool && Result == llvm::APFloat::opInvalidOp)
11744 return DiagnoseImpCast(
11745 S, E, T, CContext,
11746 IsLiteral ? diag::warn_impcast_literal_float_to_integer_out_of_range
11747 : diag::warn_impcast_float_to_integer_out_of_range,
11748 PruneWarnings);
11749
11750 unsigned DiagID = 0;
11751 if (IsLiteral) {
11752 // Warn on floating point literal to integer.
11753 DiagID = diag::warn_impcast_literal_float_to_integer;
11754 } else if (IntegerValue == 0) {
11755 if (Value.isZero()) { // Skip -0.0 to 0 conversion.
11756 return DiagnoseImpCast(S, E, T, CContext,
11757 diag::warn_impcast_float_integer, PruneWarnings);
11758 }
11759 // Warn on non-zero to zero conversion.
11760 DiagID = diag::warn_impcast_float_to_integer_zero;
11761 } else {
11762 if (IntegerValue.isUnsigned()) {
11763 if (!IntegerValue.isMaxValue()) {
11764 return DiagnoseImpCast(S, E, T, CContext,
11765 diag::warn_impcast_float_integer, PruneWarnings);
11766 }
11767 } else { // IntegerValue.isSigned()
11768 if (!IntegerValue.isMaxSignedValue() &&
11769 !IntegerValue.isMinSignedValue()) {
11770 return DiagnoseImpCast(S, E, T, CContext,
11771 diag::warn_impcast_float_integer, PruneWarnings);
11772 }
11773 }
11774 // Warn on evaluatable floating point expression to integer conversion.
11775 DiagID = diag::warn_impcast_float_to_integer;
11776 }
11777
11778 SmallString<16> PrettyTargetValue;
11779 if (IsBool)
11780 PrettyTargetValue = Value.isZero() ? "false" : "true";
11781 else
11782 IntegerValue.toString(PrettyTargetValue);
11783
11784 if (PruneWarnings) {
11785 S.DiagRuntimeBehavior(E->getExprLoc(), E,
11786 S.PDiag(DiagID)
11787 << E->getType() << T.getUnqualifiedType()
11788 << PrettySourceValue << PrettyTargetValue
11789 << E->getSourceRange() << SourceRange(CContext));
11790 } else {
11791 S.Diag(E->getExprLoc(), DiagID)
11792 << E->getType() << T.getUnqualifiedType() << PrettySourceValue
11793 << PrettyTargetValue << E->getSourceRange() << SourceRange(CContext);
11794 }
11795 }
11796
11797 /// Analyze the given compound assignment for the possible losing of
11798 /// floating-point precision.
AnalyzeCompoundAssignment(Sema & S,BinaryOperator * E)11799 static void AnalyzeCompoundAssignment(Sema &S, BinaryOperator *E) {
11800 assert(isa<CompoundAssignOperator>(E) &&
11801 "Must be compound assignment operation");
11802 // Recurse on the LHS and RHS in here
11803 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
11804 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
11805
11806 if (E->getLHS()->getType()->isAtomicType())
11807 S.Diag(E->getOperatorLoc(), diag::warn_atomic_implicit_seq_cst);
11808
11809 // Now check the outermost expression
11810 const auto *ResultBT = E->getLHS()->getType()->getAs<BuiltinType>();
11811 const auto *RBT = cast<CompoundAssignOperator>(E)
11812 ->getComputationResultType()
11813 ->getAs<BuiltinType>();
11814
11815 // The below checks assume source is floating point.
11816 if (!ResultBT || !RBT || !RBT->isFloatingPoint()) return;
11817
11818 // If source is floating point but target is an integer.
11819 if (ResultBT->isInteger())
11820 return DiagnoseImpCast(S, E, E->getRHS()->getType(), E->getLHS()->getType(),
11821 E->getExprLoc(), diag::warn_impcast_float_integer);
11822
11823 if (!ResultBT->isFloatingPoint())
11824 return;
11825
11826 // If both source and target are floating points, warn about losing precision.
11827 int Order = S.getASTContext().getFloatingTypeSemanticOrder(
11828 QualType(ResultBT, 0), QualType(RBT, 0));
11829 if (Order < 0 && !S.SourceMgr.isInSystemMacro(E->getOperatorLoc()))
11830 // warn about dropping FP rank.
11831 DiagnoseImpCast(S, E->getRHS(), E->getLHS()->getType(), E->getOperatorLoc(),
11832 diag::warn_impcast_float_result_precision);
11833 }
11834
PrettyPrintInRange(const llvm::APSInt & Value,IntRange Range)11835 static std::string PrettyPrintInRange(const llvm::APSInt &Value,
11836 IntRange Range) {
11837 if (!Range.Width) return "0";
11838
11839 llvm::APSInt ValueInRange = Value;
11840 ValueInRange.setIsSigned(!Range.NonNegative);
11841 ValueInRange = ValueInRange.trunc(Range.Width);
11842 return toString(ValueInRange, 10);
11843 }
11844
IsImplicitBoolFloatConversion(Sema & S,const Expr * Ex,bool ToBool)11845 static bool IsImplicitBoolFloatConversion(Sema &S, const Expr *Ex,
11846 bool ToBool) {
11847 if (!isa<ImplicitCastExpr>(Ex))
11848 return false;
11849
11850 const Expr *InnerE = Ex->IgnoreParenImpCasts();
11851 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr();
11852 const Type *Source =
11853 S.Context.getCanonicalType(InnerE->getType()).getTypePtr();
11854 if (Target->isDependentType())
11855 return false;
11856
11857 const auto *FloatCandidateBT =
11858 dyn_cast<BuiltinType>(ToBool ? Source : Target);
11859 const Type *BoolCandidateType = ToBool ? Target : Source;
11860
11861 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) &&
11862 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint()));
11863 }
11864
CheckImplicitArgumentConversions(Sema & S,const CallExpr * TheCall,SourceLocation CC)11865 static void CheckImplicitArgumentConversions(Sema &S, const CallExpr *TheCall,
11866 SourceLocation CC) {
11867 for (unsigned I = 0, N = TheCall->getNumArgs(); I < N; ++I) {
11868 const Expr *CurrA = TheCall->getArg(I);
11869 if (!IsImplicitBoolFloatConversion(S, CurrA, true))
11870 continue;
11871
11872 bool IsSwapped = ((I > 0) && IsImplicitBoolFloatConversion(
11873 S, TheCall->getArg(I - 1), false));
11874 IsSwapped |= ((I < (N - 1)) && IsImplicitBoolFloatConversion(
11875 S, TheCall->getArg(I + 1), false));
11876 if (IsSwapped) {
11877 // Warn on this floating-point to bool conversion.
11878 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(),
11879 CurrA->getType(), CC,
11880 diag::warn_impcast_floating_point_to_bool);
11881 }
11882 }
11883 }
11884
DiagnoseNullConversion(Sema & S,Expr * E,QualType T,SourceLocation CC)11885 static void DiagnoseNullConversion(Sema &S, Expr *E, QualType T,
11886 SourceLocation CC) {
11887 // Don't warn on functions which have return type nullptr_t.
11888 if (isa<CallExpr>(E))
11889 return;
11890
11891 // Check for NULL (GNUNull) or nullptr (CXX11_nullptr).
11892 const Expr *NewE = E->IgnoreParenImpCasts();
11893 bool IsGNUNullExpr = isa<GNUNullExpr>(NewE);
11894 bool HasNullPtrType = NewE->getType()->isNullPtrType();
11895 if (!IsGNUNullExpr && !HasNullPtrType)
11896 return;
11897
11898 // Return if target type is a safe conversion.
11899 if (T->isAnyPointerType() || T->isBlockPointerType() ||
11900 T->isMemberPointerType() || !T->isScalarType() || T->isNullPtrType())
11901 return;
11902
11903 if (S.Diags.isIgnored(diag::warn_impcast_null_pointer_to_integer,
11904 E->getExprLoc()))
11905 return;
11906
11907 SourceLocation Loc = E->getSourceRange().getBegin();
11908
11909 // Venture through the macro stacks to get to the source of macro arguments.
11910 // The new location is a better location than the complete location that was
11911 // passed in.
11912 Loc = S.SourceMgr.getTopMacroCallerLoc(Loc);
11913 CC = S.SourceMgr.getTopMacroCallerLoc(CC);
11914
11915 // __null is usually wrapped in a macro. Go up a macro if that is the case.
11916 if (IsGNUNullExpr && Loc.isMacroID()) {
11917 StringRef MacroName = Lexer::getImmediateMacroNameForDiagnostics(
11918 Loc, S.SourceMgr, S.getLangOpts());
11919 if (MacroName == "NULL")
11920 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).getBegin();
11921 }
11922
11923 // Only warn if the null and context location are in the same macro expansion.
11924 if (S.SourceMgr.getFileID(Loc) != S.SourceMgr.getFileID(CC))
11925 return;
11926
11927 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer)
11928 << HasNullPtrType << T << SourceRange(CC)
11929 << FixItHint::CreateReplacement(Loc,
11930 S.getFixItZeroLiteralForType(T, Loc));
11931 }
11932
11933 // Helper function to filter out cases for constant width constant conversion.
11934 // Don't warn on char array initialization or for non-decimal values.
isSameWidthConstantConversion(Sema & S,Expr * E,QualType T,SourceLocation CC)11935 static bool isSameWidthConstantConversion(Sema &S, Expr *E, QualType T,
11936 SourceLocation CC) {
11937 // If initializing from a constant, and the constant starts with '0',
11938 // then it is a binary, octal, or hexadecimal. Allow these constants
11939 // to fill all the bits, even if there is a sign change.
11940 if (auto *IntLit = dyn_cast<IntegerLiteral>(E->IgnoreParenImpCasts())) {
11941 const char FirstLiteralCharacter =
11942 S.getSourceManager().getCharacterData(IntLit->getBeginLoc())[0];
11943 if (FirstLiteralCharacter == '0')
11944 return false;
11945 }
11946
11947 // If the CC location points to a '{', and the type is char, then assume
11948 // assume it is an array initialization.
11949 if (CC.isValid() && T->isCharType()) {
11950 const char FirstContextCharacter =
11951 S.getSourceManager().getCharacterData(CC)[0];
11952 if (FirstContextCharacter == '{')
11953 return false;
11954 }
11955
11956 return true;
11957 }
11958
getIntegerLiteral(Expr * E)11959 static const IntegerLiteral *getIntegerLiteral(Expr *E) {
11960 const auto *IL = dyn_cast<IntegerLiteral>(E);
11961 if (!IL) {
11962 if (auto *UO = dyn_cast<UnaryOperator>(E)) {
11963 if (UO->getOpcode() == UO_Minus)
11964 return dyn_cast<IntegerLiteral>(UO->getSubExpr());
11965 }
11966 }
11967
11968 return IL;
11969 }
11970
DiagnoseIntInBoolContext(Sema & S,Expr * E)11971 static void DiagnoseIntInBoolContext(Sema &S, Expr *E) {
11972 E = E->IgnoreParenImpCasts();
11973 SourceLocation ExprLoc = E->getExprLoc();
11974
11975 if (const auto *BO = dyn_cast<BinaryOperator>(E)) {
11976 BinaryOperator::Opcode Opc = BO->getOpcode();
11977 Expr::EvalResult Result;
11978 // Do not diagnose unsigned shifts.
11979 if (Opc == BO_Shl) {
11980 const auto *LHS = getIntegerLiteral(BO->getLHS());
11981 const auto *RHS = getIntegerLiteral(BO->getRHS());
11982 if (LHS && LHS->getValue() == 0)
11983 S.Diag(ExprLoc, diag::warn_left_shift_always) << 0;
11984 else if (!E->isValueDependent() && LHS && RHS &&
11985 RHS->getValue().isNonNegative() &&
11986 E->EvaluateAsInt(Result, S.Context, Expr::SE_AllowSideEffects))
11987 S.Diag(ExprLoc, diag::warn_left_shift_always)
11988 << (Result.Val.getInt() != 0);
11989 else if (E->getType()->isSignedIntegerType())
11990 S.Diag(ExprLoc, diag::warn_left_shift_in_bool_context)
11991 << FixItHint::CreateInsertion(E->getBeginLoc(), "(")
11992 << FixItHint::CreateInsertion(S.getLocForEndOfToken(E->getEndLoc()),
11993 ") != 0");
11994 }
11995 }
11996
11997 if (const auto *CO = dyn_cast<ConditionalOperator>(E)) {
11998 const auto *LHS = getIntegerLiteral(CO->getTrueExpr());
11999 const auto *RHS = getIntegerLiteral(CO->getFalseExpr());
12000 if (!LHS || !RHS)
12001 return;
12002 if ((LHS->getValue() == 0 || LHS->getValue() == 1) &&
12003 (RHS->getValue() == 0 || RHS->getValue() == 1))
12004 // Do not diagnose common idioms.
12005 return;
12006 if (LHS->getValue() != 0 && RHS->getValue() != 0)
12007 S.Diag(ExprLoc, diag::warn_integer_constants_in_conditional_always_true);
12008 }
12009 }
12010
DiagnoseMixedUnicodeImplicitConversion(Sema & S,const Type * Source,const Type * Target,Expr * E,QualType T,SourceLocation CC)12011 static void DiagnoseMixedUnicodeImplicitConversion(Sema &S, const Type *Source,
12012 const Type *Target, Expr *E,
12013 QualType T,
12014 SourceLocation CC) {
12015 assert(Source->isUnicodeCharacterType() && Target->isUnicodeCharacterType() &&
12016 Source != Target);
12017
12018 // Lone surrogates have a distinct representation in UTF-32.
12019 // Converting between UTF-16 and UTF-32 codepoints seems very widespread,
12020 // so don't warn on such conversion.
12021 if (Source->isChar16Type() && Target->isChar32Type())
12022 return;
12023
12024 Expr::EvalResult Result;
12025 if (E->EvaluateAsInt(Result, S.getASTContext(), Expr::SE_AllowSideEffects,
12026 S.isConstantEvaluatedContext())) {
12027 llvm::APSInt Value(32);
12028 Value = Result.Val.getInt();
12029 bool IsASCII = Value <= 0x7F;
12030 bool IsBMP = Value <= 0xDFFF || (Value >= 0xE000 && Value <= 0xFFFF);
12031 bool ConversionPreservesSemantics =
12032 IsASCII || (!Source->isChar8Type() && !Target->isChar8Type() && IsBMP);
12033
12034 if (!ConversionPreservesSemantics) {
12035 auto IsSingleCodeUnitCP = [](const QualType &T,
12036 const llvm::APSInt &Value) {
12037 if (T->isChar8Type())
12038 return llvm::IsSingleCodeUnitUTF8Codepoint(Value.getExtValue());
12039 if (T->isChar16Type())
12040 return llvm::IsSingleCodeUnitUTF16Codepoint(Value.getExtValue());
12041 assert(T->isChar32Type());
12042 return llvm::IsSingleCodeUnitUTF32Codepoint(Value.getExtValue());
12043 };
12044
12045 S.Diag(CC, diag::warn_impcast_unicode_char_type_constant)
12046 << E->getType() << T
12047 << IsSingleCodeUnitCP(E->getType().getUnqualifiedType(), Value)
12048 << FormatUTFCodeUnitAsCodepoint(Value.getExtValue(), E->getType());
12049 }
12050 } else {
12051 bool LosesPrecision = S.getASTContext().getIntWidth(E->getType()) >
12052 S.getASTContext().getIntWidth(T);
12053 DiagnoseImpCast(S, E, T, CC,
12054 LosesPrecision ? diag::warn_impcast_unicode_precision
12055 : diag::warn_impcast_unicode_char_type);
12056 }
12057 }
12058
12059 enum CFIUncheckedCalleeChange {
12060 None,
12061 Adding,
12062 Discarding,
12063 };
12064
AdjustingCFIUncheckedCallee(QualType From,QualType To)12065 static CFIUncheckedCalleeChange AdjustingCFIUncheckedCallee(QualType From,
12066 QualType To) {
12067 QualType MaybePointee = From->getPointeeType();
12068 if (!MaybePointee.isNull() && MaybePointee->getAs<FunctionType>())
12069 From = MaybePointee;
12070 MaybePointee = To->getPointeeType();
12071 if (!MaybePointee.isNull() && MaybePointee->getAs<FunctionType>())
12072 To = MaybePointee;
12073
12074 if (const auto *FromFn = From->getAs<FunctionType>()) {
12075 if (const auto *ToFn = To->getAs<FunctionType>()) {
12076 if (FromFn->getCFIUncheckedCalleeAttr() &&
12077 !ToFn->getCFIUncheckedCalleeAttr())
12078 return Discarding;
12079 if (!FromFn->getCFIUncheckedCalleeAttr() &&
12080 ToFn->getCFIUncheckedCalleeAttr())
12081 return Adding;
12082 }
12083 }
12084 return None;
12085 }
12086
DiscardingCFIUncheckedCallee(QualType From,QualType To) const12087 bool Sema::DiscardingCFIUncheckedCallee(QualType From, QualType To) const {
12088 From = Context.getCanonicalType(From);
12089 To = Context.getCanonicalType(To);
12090 return ::AdjustingCFIUncheckedCallee(From, To) == Discarding;
12091 }
12092
AddingCFIUncheckedCallee(QualType From,QualType To) const12093 bool Sema::AddingCFIUncheckedCallee(QualType From, QualType To) const {
12094 From = Context.getCanonicalType(From);
12095 To = Context.getCanonicalType(To);
12096 return ::AdjustingCFIUncheckedCallee(From, To) == Adding;
12097 }
12098
CheckImplicitConversion(Expr * E,QualType T,SourceLocation CC,bool * ICContext,bool IsListInit)12099 void Sema::CheckImplicitConversion(Expr *E, QualType T, SourceLocation CC,
12100 bool *ICContext, bool IsListInit) {
12101 if (E->isTypeDependent() || E->isValueDependent()) return;
12102
12103 const Type *Source = Context.getCanonicalType(E->getType()).getTypePtr();
12104 const Type *Target = Context.getCanonicalType(T).getTypePtr();
12105 if (Source == Target) return;
12106 if (Target->isDependentType()) return;
12107
12108 // If the conversion context location is invalid don't complain. We also
12109 // don't want to emit a warning if the issue occurs from the expansion of
12110 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we
12111 // delay this check as long as possible. Once we detect we are in that
12112 // scenario, we just return.
12113 if (CC.isInvalid())
12114 return;
12115
12116 if (Source->isAtomicType())
12117 Diag(E->getExprLoc(), diag::warn_atomic_implicit_seq_cst);
12118
12119 // Diagnose implicit casts to bool.
12120 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {
12121 if (isa<StringLiteral>(E))
12122 // Warn on string literal to bool. Checks for string literals in logical
12123 // and expressions, for instance, assert(0 && "error here"), are
12124 // prevented by a check in AnalyzeImplicitConversions().
12125 return DiagnoseImpCast(*this, E, T, CC,
12126 diag::warn_impcast_string_literal_to_bool);
12127 if (isa<ObjCStringLiteral>(E) || isa<ObjCArrayLiteral>(E) ||
12128 isa<ObjCDictionaryLiteral>(E) || isa<ObjCBoxedExpr>(E)) {
12129 // This covers the literal expressions that evaluate to Objective-C
12130 // objects.
12131 return DiagnoseImpCast(*this, E, T, CC,
12132 diag::warn_impcast_objective_c_literal_to_bool);
12133 }
12134 if (Source->isPointerType() || Source->canDecayToPointerType()) {
12135 // Warn on pointer to bool conversion that is always true.
12136 DiagnoseAlwaysNonNullPointer(E, Expr::NPCK_NotNull, /*IsEqual*/ false,
12137 SourceRange(CC));
12138 }
12139 }
12140
12141 // If the we're converting a constant to an ObjC BOOL on a platform where BOOL
12142 // is a typedef for signed char (macOS), then that constant value has to be 1
12143 // or 0.
12144 if (ObjC().isSignedCharBool(T) && Source->isIntegralType(Context)) {
12145 Expr::EvalResult Result;
12146 if (E->EvaluateAsInt(Result, getASTContext(), Expr::SE_AllowSideEffects)) {
12147 if (Result.Val.getInt() != 1 && Result.Val.getInt() != 0) {
12148 ObjC().adornBoolConversionDiagWithTernaryFixit(
12149 E, Diag(CC, diag::warn_impcast_constant_value_to_objc_bool)
12150 << toString(Result.Val.getInt(), 10));
12151 }
12152 return;
12153 }
12154 }
12155
12156 // Check implicit casts from Objective-C collection literals to specialized
12157 // collection types, e.g., NSArray<NSString *> *.
12158 if (auto *ArrayLiteral = dyn_cast<ObjCArrayLiteral>(E))
12159 ObjC().checkArrayLiteral(QualType(Target, 0), ArrayLiteral);
12160 else if (auto *DictionaryLiteral = dyn_cast<ObjCDictionaryLiteral>(E))
12161 ObjC().checkDictionaryLiteral(QualType(Target, 0), DictionaryLiteral);
12162
12163 // Strip vector types.
12164 if (isa<VectorType>(Source)) {
12165 if (Target->isSveVLSBuiltinType() &&
12166 (ARM().areCompatibleSveTypes(QualType(Target, 0),
12167 QualType(Source, 0)) ||
12168 ARM().areLaxCompatibleSveTypes(QualType(Target, 0),
12169 QualType(Source, 0))))
12170 return;
12171
12172 if (Target->isRVVVLSBuiltinType() &&
12173 (Context.areCompatibleRVVTypes(QualType(Target, 0),
12174 QualType(Source, 0)) ||
12175 Context.areLaxCompatibleRVVTypes(QualType(Target, 0),
12176 QualType(Source, 0))))
12177 return;
12178
12179 if (!isa<VectorType>(Target)) {
12180 if (SourceMgr.isInSystemMacro(CC))
12181 return;
12182 return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_vector_scalar);
12183 } else if (getLangOpts().HLSL &&
12184 Target->castAs<VectorType>()->getNumElements() <
12185 Source->castAs<VectorType>()->getNumElements()) {
12186 // Diagnose vector truncation but don't return. We may also want to
12187 // diagnose an element conversion.
12188 DiagnoseImpCast(*this, E, T, CC,
12189 diag::warn_hlsl_impcast_vector_truncation);
12190 }
12191
12192 // If the vector cast is cast between two vectors of the same size, it is
12193 // a bitcast, not a conversion, except under HLSL where it is a conversion.
12194 if (!getLangOpts().HLSL &&
12195 Context.getTypeSize(Source) == Context.getTypeSize(Target))
12196 return;
12197
12198 Source = cast<VectorType>(Source)->getElementType().getTypePtr();
12199 Target = cast<VectorType>(Target)->getElementType().getTypePtr();
12200 }
12201 if (auto VecTy = dyn_cast<VectorType>(Target))
12202 Target = VecTy->getElementType().getTypePtr();
12203
12204 // Strip complex types.
12205 if (isa<ComplexType>(Source)) {
12206 if (!isa<ComplexType>(Target)) {
12207 if (SourceMgr.isInSystemMacro(CC) || Target->isBooleanType())
12208 return;
12209
12210 return DiagnoseImpCast(*this, E, T, CC,
12211 getLangOpts().CPlusPlus
12212 ? diag::err_impcast_complex_scalar
12213 : diag::warn_impcast_complex_scalar);
12214 }
12215
12216 Source = cast<ComplexType>(Source)->getElementType().getTypePtr();
12217 Target = cast<ComplexType>(Target)->getElementType().getTypePtr();
12218 }
12219
12220 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source);
12221 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target);
12222
12223 // Strip SVE vector types
12224 if (SourceBT && SourceBT->isSveVLSBuiltinType()) {
12225 // Need the original target type for vector type checks
12226 const Type *OriginalTarget = Context.getCanonicalType(T).getTypePtr();
12227 // Handle conversion from scalable to fixed when msve-vector-bits is
12228 // specified
12229 if (ARM().areCompatibleSveTypes(QualType(OriginalTarget, 0),
12230 QualType(Source, 0)) ||
12231 ARM().areLaxCompatibleSveTypes(QualType(OriginalTarget, 0),
12232 QualType(Source, 0)))
12233 return;
12234
12235 // If the vector cast is cast between two vectors of the same size, it is
12236 // a bitcast, not a conversion.
12237 if (Context.getTypeSize(Source) == Context.getTypeSize(Target))
12238 return;
12239
12240 Source = SourceBT->getSveEltType(Context).getTypePtr();
12241 }
12242
12243 if (TargetBT && TargetBT->isSveVLSBuiltinType())
12244 Target = TargetBT->getSveEltType(Context).getTypePtr();
12245
12246 // If the source is floating point...
12247 if (SourceBT && SourceBT->isFloatingPoint()) {
12248 // ...and the target is floating point...
12249 if (TargetBT && TargetBT->isFloatingPoint()) {
12250 // ...then warn if we're dropping FP rank.
12251
12252 int Order = getASTContext().getFloatingTypeSemanticOrder(
12253 QualType(SourceBT, 0), QualType(TargetBT, 0));
12254 if (Order > 0) {
12255 // Don't warn about float constants that are precisely
12256 // representable in the target type.
12257 Expr::EvalResult result;
12258 if (E->EvaluateAsRValue(result, Context)) {
12259 // Value might be a float, a float vector, or a float complex.
12260 if (IsSameFloatAfterCast(
12261 result.Val,
12262 Context.getFloatTypeSemantics(QualType(TargetBT, 0)),
12263 Context.getFloatTypeSemantics(QualType(SourceBT, 0))))
12264 return;
12265 }
12266
12267 if (SourceMgr.isInSystemMacro(CC))
12268 return;
12269
12270 DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_float_precision);
12271 }
12272 // ... or possibly if we're increasing rank, too
12273 else if (Order < 0) {
12274 if (SourceMgr.isInSystemMacro(CC))
12275 return;
12276
12277 DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_double_promotion);
12278 }
12279 return;
12280 }
12281
12282 // If the target is integral, always warn.
12283 if (TargetBT && TargetBT->isInteger()) {
12284 if (SourceMgr.isInSystemMacro(CC))
12285 return;
12286
12287 DiagnoseFloatingImpCast(*this, E, T, CC);
12288 }
12289
12290 // Detect the case where a call result is converted from floating-point to
12291 // to bool, and the final argument to the call is converted from bool, to
12292 // discover this typo:
12293 //
12294 // bool b = fabs(x < 1.0); // should be "bool b = fabs(x) < 1.0;"
12295 //
12296 // FIXME: This is an incredibly special case; is there some more general
12297 // way to detect this class of misplaced-parentheses bug?
12298 if (Target->isBooleanType() && isa<CallExpr>(E)) {
12299 // Check last argument of function call to see if it is an
12300 // implicit cast from a type matching the type the result
12301 // is being cast to.
12302 CallExpr *CEx = cast<CallExpr>(E);
12303 if (unsigned NumArgs = CEx->getNumArgs()) {
12304 Expr *LastA = CEx->getArg(NumArgs - 1);
12305 Expr *InnerE = LastA->IgnoreParenImpCasts();
12306 if (isa<ImplicitCastExpr>(LastA) &&
12307 InnerE->getType()->isBooleanType()) {
12308 // Warn on this floating-point to bool conversion
12309 DiagnoseImpCast(*this, E, T, CC,
12310 diag::warn_impcast_floating_point_to_bool);
12311 }
12312 }
12313 }
12314 return;
12315 }
12316
12317 // Valid casts involving fixed point types should be accounted for here.
12318 if (Source->isFixedPointType()) {
12319 if (Target->isUnsaturatedFixedPointType()) {
12320 Expr::EvalResult Result;
12321 if (E->EvaluateAsFixedPoint(Result, Context, Expr::SE_AllowSideEffects,
12322 isConstantEvaluatedContext())) {
12323 llvm::APFixedPoint Value = Result.Val.getFixedPoint();
12324 llvm::APFixedPoint MaxVal = Context.getFixedPointMax(T);
12325 llvm::APFixedPoint MinVal = Context.getFixedPointMin(T);
12326 if (Value > MaxVal || Value < MinVal) {
12327 DiagRuntimeBehavior(E->getExprLoc(), E,
12328 PDiag(diag::warn_impcast_fixed_point_range)
12329 << Value.toString() << T
12330 << E->getSourceRange()
12331 << clang::SourceRange(CC));
12332 return;
12333 }
12334 }
12335 } else if (Target->isIntegerType()) {
12336 Expr::EvalResult Result;
12337 if (!isConstantEvaluatedContext() &&
12338 E->EvaluateAsFixedPoint(Result, Context, Expr::SE_AllowSideEffects)) {
12339 llvm::APFixedPoint FXResult = Result.Val.getFixedPoint();
12340
12341 bool Overflowed;
12342 llvm::APSInt IntResult = FXResult.convertToInt(
12343 Context.getIntWidth(T), Target->isSignedIntegerOrEnumerationType(),
12344 &Overflowed);
12345
12346 if (Overflowed) {
12347 DiagRuntimeBehavior(E->getExprLoc(), E,
12348 PDiag(diag::warn_impcast_fixed_point_range)
12349 << FXResult.toString() << T
12350 << E->getSourceRange()
12351 << clang::SourceRange(CC));
12352 return;
12353 }
12354 }
12355 }
12356 } else if (Target->isUnsaturatedFixedPointType()) {
12357 if (Source->isIntegerType()) {
12358 Expr::EvalResult Result;
12359 if (!isConstantEvaluatedContext() &&
12360 E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects)) {
12361 llvm::APSInt Value = Result.Val.getInt();
12362
12363 bool Overflowed;
12364 llvm::APFixedPoint IntResult = llvm::APFixedPoint::getFromIntValue(
12365 Value, Context.getFixedPointSemantics(T), &Overflowed);
12366
12367 if (Overflowed) {
12368 DiagRuntimeBehavior(E->getExprLoc(), E,
12369 PDiag(diag::warn_impcast_fixed_point_range)
12370 << toString(Value, /*Radix=*/10) << T
12371 << E->getSourceRange()
12372 << clang::SourceRange(CC));
12373 return;
12374 }
12375 }
12376 }
12377 }
12378
12379 // If we are casting an integer type to a floating point type without
12380 // initialization-list syntax, we might lose accuracy if the floating
12381 // point type has a narrower significand than the integer type.
12382 if (SourceBT && TargetBT && SourceBT->isIntegerType() &&
12383 TargetBT->isFloatingType() && !IsListInit) {
12384 // Determine the number of precision bits in the source integer type.
12385 std::optional<IntRange> SourceRange =
12386 TryGetExprRange(Context, E, isConstantEvaluatedContext(),
12387 /*Approximate=*/true);
12388 if (!SourceRange)
12389 return;
12390 unsigned int SourcePrecision = SourceRange->Width;
12391
12392 // Determine the number of precision bits in the
12393 // target floating point type.
12394 unsigned int TargetPrecision = llvm::APFloatBase::semanticsPrecision(
12395 Context.getFloatTypeSemantics(QualType(TargetBT, 0)));
12396
12397 if (SourcePrecision > 0 && TargetPrecision > 0 &&
12398 SourcePrecision > TargetPrecision) {
12399
12400 if (std::optional<llvm::APSInt> SourceInt =
12401 E->getIntegerConstantExpr(Context)) {
12402 // If the source integer is a constant, convert it to the target
12403 // floating point type. Issue a warning if the value changes
12404 // during the whole conversion.
12405 llvm::APFloat TargetFloatValue(
12406 Context.getFloatTypeSemantics(QualType(TargetBT, 0)));
12407 llvm::APFloat::opStatus ConversionStatus =
12408 TargetFloatValue.convertFromAPInt(
12409 *SourceInt, SourceBT->isSignedInteger(),
12410 llvm::APFloat::rmNearestTiesToEven);
12411
12412 if (ConversionStatus != llvm::APFloat::opOK) {
12413 SmallString<32> PrettySourceValue;
12414 SourceInt->toString(PrettySourceValue, 10);
12415 SmallString<32> PrettyTargetValue;
12416 TargetFloatValue.toString(PrettyTargetValue, TargetPrecision);
12417
12418 DiagRuntimeBehavior(
12419 E->getExprLoc(), E,
12420 PDiag(diag::warn_impcast_integer_float_precision_constant)
12421 << PrettySourceValue << PrettyTargetValue << E->getType() << T
12422 << E->getSourceRange() << clang::SourceRange(CC));
12423 }
12424 } else {
12425 // Otherwise, the implicit conversion may lose precision.
12426 DiagnoseImpCast(*this, E, T, CC,
12427 diag::warn_impcast_integer_float_precision);
12428 }
12429 }
12430 }
12431
12432 DiagnoseNullConversion(*this, E, T, CC);
12433
12434 DiscardMisalignedMemberAddress(Target, E);
12435
12436 if (Source->isUnicodeCharacterType() && Target->isUnicodeCharacterType()) {
12437 DiagnoseMixedUnicodeImplicitConversion(*this, Source, Target, E, T, CC);
12438 return;
12439 }
12440
12441 if (Target->isBooleanType())
12442 DiagnoseIntInBoolContext(*this, E);
12443
12444 if (DiscardingCFIUncheckedCallee(QualType(Source, 0), QualType(Target, 0))) {
12445 Diag(CC, diag::warn_cast_discards_cfi_unchecked_callee)
12446 << QualType(Source, 0) << QualType(Target, 0);
12447 }
12448
12449 if (!Source->isIntegerType() || !Target->isIntegerType())
12450 return;
12451
12452 // TODO: remove this early return once the false positives for constant->bool
12453 // in templates, macros, etc, are reduced or removed.
12454 if (Target->isSpecificBuiltinType(BuiltinType::Bool))
12455 return;
12456
12457 if (ObjC().isSignedCharBool(T) && !Source->isCharType() &&
12458 !E->isKnownToHaveBooleanValue(/*Semantic=*/false)) {
12459 return ObjC().adornBoolConversionDiagWithTernaryFixit(
12460 E, Diag(CC, diag::warn_impcast_int_to_objc_signed_char_bool)
12461 << E->getType());
12462 }
12463 std::optional<IntRange> LikelySourceRange = TryGetExprRange(
12464 Context, E, isConstantEvaluatedContext(), /*Approximate=*/true);
12465 if (!LikelySourceRange)
12466 return;
12467
12468 IntRange SourceTypeRange =
12469 IntRange::forTargetOfCanonicalType(Context, Source);
12470 IntRange TargetRange = IntRange::forTargetOfCanonicalType(Context, Target);
12471
12472 if (LikelySourceRange->Width > TargetRange.Width) {
12473 // If the source is a constant, use a default-on diagnostic.
12474 // TODO: this should happen for bitfield stores, too.
12475 Expr::EvalResult Result;
12476 if (E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects,
12477 isConstantEvaluatedContext())) {
12478 llvm::APSInt Value(32);
12479 Value = Result.Val.getInt();
12480
12481 if (SourceMgr.isInSystemMacro(CC))
12482 return;
12483
12484 std::string PrettySourceValue = toString(Value, 10);
12485 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);
12486
12487 DiagRuntimeBehavior(E->getExprLoc(), E,
12488 PDiag(diag::warn_impcast_integer_precision_constant)
12489 << PrettySourceValue << PrettyTargetValue
12490 << E->getType() << T << E->getSourceRange()
12491 << SourceRange(CC));
12492 return;
12493 }
12494
12495 // People want to build with -Wshorten-64-to-32 and not -Wconversion.
12496 if (SourceMgr.isInSystemMacro(CC))
12497 return;
12498
12499 if (const auto *UO = dyn_cast<UnaryOperator>(E)) {
12500 if (UO->getOpcode() == UO_Minus)
12501 return DiagnoseImpCast(
12502 *this, E, T, CC, diag::warn_impcast_integer_precision_on_negation);
12503 }
12504
12505 if (TargetRange.Width == 32 && Context.getIntWidth(E->getType()) == 64)
12506 return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_integer_64_32,
12507 /* pruneControlFlow */ true);
12508 return DiagnoseImpCast(*this, E, T, CC,
12509 diag::warn_impcast_integer_precision);
12510 }
12511
12512 if (TargetRange.Width > SourceTypeRange.Width) {
12513 if (auto *UO = dyn_cast<UnaryOperator>(E))
12514 if (UO->getOpcode() == UO_Minus)
12515 if (Source->isUnsignedIntegerType()) {
12516 if (Target->isUnsignedIntegerType())
12517 return DiagnoseImpCast(*this, E, T, CC,
12518 diag::warn_impcast_high_order_zero_bits);
12519 if (Target->isSignedIntegerType())
12520 return DiagnoseImpCast(*this, E, T, CC,
12521 diag::warn_impcast_nonnegative_result);
12522 }
12523 }
12524
12525 if (TargetRange.Width == LikelySourceRange->Width &&
12526 !TargetRange.NonNegative && LikelySourceRange->NonNegative &&
12527 Source->isSignedIntegerType()) {
12528 // Warn when doing a signed to signed conversion, warn if the positive
12529 // source value is exactly the width of the target type, which will
12530 // cause a negative value to be stored.
12531
12532 Expr::EvalResult Result;
12533 if (E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects) &&
12534 !SourceMgr.isInSystemMacro(CC)) {
12535 llvm::APSInt Value = Result.Val.getInt();
12536 if (isSameWidthConstantConversion(*this, E, T, CC)) {
12537 std::string PrettySourceValue = toString(Value, 10);
12538 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);
12539
12540 Diag(E->getExprLoc(),
12541 PDiag(diag::warn_impcast_integer_precision_constant)
12542 << PrettySourceValue << PrettyTargetValue << E->getType() << T
12543 << E->getSourceRange() << SourceRange(CC));
12544 return;
12545 }
12546 }
12547
12548 // Fall through for non-constants to give a sign conversion warning.
12549 }
12550
12551 if ((!isa<EnumType>(Target) || !isa<EnumType>(Source)) &&
12552 ((TargetRange.NonNegative && !LikelySourceRange->NonNegative) ||
12553 (!TargetRange.NonNegative && LikelySourceRange->NonNegative &&
12554 LikelySourceRange->Width == TargetRange.Width))) {
12555 if (SourceMgr.isInSystemMacro(CC))
12556 return;
12557
12558 if (SourceBT && SourceBT->isInteger() && TargetBT &&
12559 TargetBT->isInteger() &&
12560 Source->isSignedIntegerType() == Target->isSignedIntegerType()) {
12561 return;
12562 }
12563
12564 unsigned DiagID = diag::warn_impcast_integer_sign;
12565
12566 // Traditionally, gcc has warned about this under -Wsign-compare.
12567 // We also want to warn about it in -Wconversion.
12568 // So if -Wconversion is off, use a completely identical diagnostic
12569 // in the sign-compare group.
12570 // The conditional-checking code will
12571 if (ICContext) {
12572 DiagID = diag::warn_impcast_integer_sign_conditional;
12573 *ICContext = true;
12574 }
12575
12576 DiagnoseImpCast(*this, E, T, CC, DiagID);
12577 }
12578
12579 // If we're implicitly converting from an integer into an enumeration, that
12580 // is valid in C but invalid in C++.
12581 QualType SourceType = E->getEnumCoercedType(Context);
12582 const BuiltinType *CoercedSourceBT = SourceType->getAs<BuiltinType>();
12583 if (CoercedSourceBT && CoercedSourceBT->isInteger() && isa<EnumType>(Target))
12584 return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_int_to_enum);
12585
12586 // Diagnose conversions between different enumeration types.
12587 // In C, we pretend that the type of an EnumConstantDecl is its enumeration
12588 // type, to give us better diagnostics.
12589 Source = Context.getCanonicalType(SourceType).getTypePtr();
12590
12591 if (const EnumType *SourceEnum = Source->getAs<EnumType>())
12592 if (const EnumType *TargetEnum = Target->getAs<EnumType>())
12593 if (SourceEnum->getDecl()->hasNameForLinkage() &&
12594 TargetEnum->getDecl()->hasNameForLinkage() &&
12595 SourceEnum != TargetEnum) {
12596 if (SourceMgr.isInSystemMacro(CC))
12597 return;
12598
12599 return DiagnoseImpCast(*this, E, SourceType, T, CC,
12600 diag::warn_impcast_different_enum_types);
12601 }
12602 }
12603
12604 static void CheckConditionalOperator(Sema &S, AbstractConditionalOperator *E,
12605 SourceLocation CC, QualType T);
12606
CheckConditionalOperand(Sema & S,Expr * E,QualType T,SourceLocation CC,bool & ICContext)12607 static void CheckConditionalOperand(Sema &S, Expr *E, QualType T,
12608 SourceLocation CC, bool &ICContext) {
12609 E = E->IgnoreParenImpCasts();
12610 // Diagnose incomplete type for second or third operand in C.
12611 if (!S.getLangOpts().CPlusPlus && E->getType()->isRecordType())
12612 S.RequireCompleteExprType(E, diag::err_incomplete_type);
12613
12614 if (auto *CO = dyn_cast<AbstractConditionalOperator>(E))
12615 return CheckConditionalOperator(S, CO, CC, T);
12616
12617 AnalyzeImplicitConversions(S, E, CC);
12618 if (E->getType() != T)
12619 return S.CheckImplicitConversion(E, T, CC, &ICContext);
12620 }
12621
CheckConditionalOperator(Sema & S,AbstractConditionalOperator * E,SourceLocation CC,QualType T)12622 static void CheckConditionalOperator(Sema &S, AbstractConditionalOperator *E,
12623 SourceLocation CC, QualType T) {
12624 AnalyzeImplicitConversions(S, E->getCond(), E->getQuestionLoc());
12625
12626 Expr *TrueExpr = E->getTrueExpr();
12627 if (auto *BCO = dyn_cast<BinaryConditionalOperator>(E))
12628 TrueExpr = BCO->getCommon();
12629
12630 bool Suspicious = false;
12631 CheckConditionalOperand(S, TrueExpr, T, CC, Suspicious);
12632 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious);
12633
12634 if (T->isBooleanType())
12635 DiagnoseIntInBoolContext(S, E);
12636
12637 // If -Wconversion would have warned about either of the candidates
12638 // for a signedness conversion to the context type...
12639 if (!Suspicious) return;
12640
12641 // ...but it's currently ignored...
12642 if (!S.Diags.isIgnored(diag::warn_impcast_integer_sign_conditional, CC))
12643 return;
12644
12645 // ...then check whether it would have warned about either of the
12646 // candidates for a signedness conversion to the condition type.
12647 if (E->getType() == T) return;
12648
12649 Suspicious = false;
12650 S.CheckImplicitConversion(TrueExpr->IgnoreParenImpCasts(), E->getType(), CC,
12651 &Suspicious);
12652 if (!Suspicious)
12653 S.CheckImplicitConversion(E->getFalseExpr()->IgnoreParenImpCasts(),
12654 E->getType(), CC, &Suspicious);
12655 }
12656
12657 /// Check conversion of given expression to boolean.
12658 /// Input argument E is a logical expression.
CheckBoolLikeConversion(Sema & S,Expr * E,SourceLocation CC)12659 static void CheckBoolLikeConversion(Sema &S, Expr *E, SourceLocation CC) {
12660 // Run the bool-like conversion checks only for C since there bools are
12661 // still not used as the return type from "boolean" operators or as the input
12662 // type for conditional operators.
12663 if (S.getLangOpts().CPlusPlus)
12664 return;
12665 if (E->IgnoreParenImpCasts()->getType()->isAtomicType())
12666 return;
12667 S.CheckImplicitConversion(E->IgnoreParenImpCasts(), S.Context.BoolTy, CC);
12668 }
12669
12670 namespace {
12671 struct AnalyzeImplicitConversionsWorkItem {
12672 Expr *E;
12673 SourceLocation CC;
12674 bool IsListInit;
12675 };
12676 }
12677
CheckCommaOperand(Sema & S,Expr * E,QualType T,SourceLocation CC,bool ExtraCheckForImplicitConversion,llvm::SmallVectorImpl<AnalyzeImplicitConversionsWorkItem> & WorkList)12678 static void CheckCommaOperand(
12679 Sema &S, Expr *E, QualType T, SourceLocation CC,
12680 bool ExtraCheckForImplicitConversion,
12681 llvm::SmallVectorImpl<AnalyzeImplicitConversionsWorkItem> &WorkList) {
12682 E = E->IgnoreParenImpCasts();
12683 WorkList.push_back({E, CC, false});
12684
12685 if (ExtraCheckForImplicitConversion && E->getType() != T)
12686 S.CheckImplicitConversion(E, T, CC);
12687 }
12688
12689 /// Data recursive variant of AnalyzeImplicitConversions. Subexpressions
12690 /// that should be visited are added to WorkList.
AnalyzeImplicitConversions(Sema & S,AnalyzeImplicitConversionsWorkItem Item,llvm::SmallVectorImpl<AnalyzeImplicitConversionsWorkItem> & WorkList)12691 static void AnalyzeImplicitConversions(
12692 Sema &S, AnalyzeImplicitConversionsWorkItem Item,
12693 llvm::SmallVectorImpl<AnalyzeImplicitConversionsWorkItem> &WorkList) {
12694 Expr *OrigE = Item.E;
12695 SourceLocation CC = Item.CC;
12696
12697 QualType T = OrigE->getType();
12698 Expr *E = OrigE->IgnoreParenImpCasts();
12699
12700 // Propagate whether we are in a C++ list initialization expression.
12701 // If so, we do not issue warnings for implicit int-float conversion
12702 // precision loss, because C++11 narrowing already handles it.
12703 //
12704 // HLSL's initialization lists are special, so they shouldn't observe the C++
12705 // behavior here.
12706 bool IsListInit =
12707 Item.IsListInit || (isa<InitListExpr>(OrigE) &&
12708 S.getLangOpts().CPlusPlus && !S.getLangOpts().HLSL);
12709
12710 if (E->isTypeDependent() || E->isValueDependent())
12711 return;
12712
12713 Expr *SourceExpr = E;
12714 // Examine, but don't traverse into the source expression of an
12715 // OpaqueValueExpr, since it may have multiple parents and we don't want to
12716 // emit duplicate diagnostics. Its fine to examine the form or attempt to
12717 // evaluate it in the context of checking the specific conversion to T though.
12718 if (auto *OVE = dyn_cast<OpaqueValueExpr>(E))
12719 if (auto *Src = OVE->getSourceExpr())
12720 SourceExpr = Src;
12721
12722 if (const auto *UO = dyn_cast<UnaryOperator>(SourceExpr))
12723 if (UO->getOpcode() == UO_Not &&
12724 UO->getSubExpr()->isKnownToHaveBooleanValue())
12725 S.Diag(UO->getBeginLoc(), diag::warn_bitwise_negation_bool)
12726 << OrigE->getSourceRange() << T->isBooleanType()
12727 << FixItHint::CreateReplacement(UO->getBeginLoc(), "!");
12728
12729 if (auto *BO = dyn_cast<BinaryOperator>(SourceExpr)) {
12730 if ((BO->getOpcode() == BO_And || BO->getOpcode() == BO_Or) &&
12731 BO->getLHS()->isKnownToHaveBooleanValue() &&
12732 BO->getRHS()->isKnownToHaveBooleanValue() &&
12733 BO->getLHS()->HasSideEffects(S.Context) &&
12734 BO->getRHS()->HasSideEffects(S.Context)) {
12735 SourceManager &SM = S.getSourceManager();
12736 const LangOptions &LO = S.getLangOpts();
12737 SourceLocation BLoc = BO->getOperatorLoc();
12738 SourceLocation ELoc = Lexer::getLocForEndOfToken(BLoc, 0, SM, LO);
12739 StringRef SR = clang::Lexer::getSourceText(
12740 clang::CharSourceRange::getTokenRange(BLoc, ELoc), SM, LO);
12741 // To reduce false positives, only issue the diagnostic if the operator
12742 // is explicitly spelled as a punctuator. This suppresses the diagnostic
12743 // when using 'bitand' or 'bitor' either as keywords in C++ or as macros
12744 // in C, along with other macro spellings the user might invent.
12745 if (SR.str() == "&" || SR.str() == "|") {
12746
12747 S.Diag(BO->getBeginLoc(), diag::warn_bitwise_instead_of_logical)
12748 << (BO->getOpcode() == BO_And ? "&" : "|")
12749 << OrigE->getSourceRange()
12750 << FixItHint::CreateReplacement(
12751 BO->getOperatorLoc(),
12752 (BO->getOpcode() == BO_And ? "&&" : "||"));
12753 S.Diag(BO->getBeginLoc(), diag::note_cast_operand_to_int);
12754 }
12755 } else if (BO->isCommaOp() && !S.getLangOpts().CPlusPlus) {
12756 /// Analyze the given comma operator. The basic idea behind the analysis
12757 /// is to analyze the left and right operands slightly differently. The
12758 /// left operand needs to check whether the operand itself has an implicit
12759 /// conversion, but not whether the left operand induces an implicit
12760 /// conversion for the entire comma expression itself. This is similar to
12761 /// how CheckConditionalOperand behaves; it's as-if the correct operand
12762 /// were directly used for the implicit conversion check.
12763 CheckCommaOperand(S, BO->getLHS(), T, BO->getOperatorLoc(),
12764 /*ExtraCheckForImplicitConversion=*/false, WorkList);
12765 CheckCommaOperand(S, BO->getRHS(), T, BO->getOperatorLoc(),
12766 /*ExtraCheckForImplicitConversion=*/true, WorkList);
12767 return;
12768 }
12769 }
12770
12771 // For conditional operators, we analyze the arguments as if they
12772 // were being fed directly into the output.
12773 if (auto *CO = dyn_cast<AbstractConditionalOperator>(SourceExpr)) {
12774 CheckConditionalOperator(S, CO, CC, T);
12775 return;
12776 }
12777
12778 // Check implicit argument conversions for function calls.
12779 if (const auto *Call = dyn_cast<CallExpr>(SourceExpr))
12780 CheckImplicitArgumentConversions(S, Call, CC);
12781
12782 // Go ahead and check any implicit conversions we might have skipped.
12783 // The non-canonical typecheck is just an optimization;
12784 // CheckImplicitConversion will filter out dead implicit conversions.
12785 if (SourceExpr->getType() != T)
12786 S.CheckImplicitConversion(SourceExpr, T, CC, nullptr, IsListInit);
12787
12788 // Now continue drilling into this expression.
12789
12790 if (PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E)) {
12791 // The bound subexpressions in a PseudoObjectExpr are not reachable
12792 // as transitive children.
12793 // FIXME: Use a more uniform representation for this.
12794 for (auto *SE : POE->semantics())
12795 if (auto *OVE = dyn_cast<OpaqueValueExpr>(SE))
12796 WorkList.push_back({OVE->getSourceExpr(), CC, IsListInit});
12797 }
12798
12799 // Skip past explicit casts.
12800 if (auto *CE = dyn_cast<ExplicitCastExpr>(E)) {
12801 E = CE->getSubExpr()->IgnoreParenImpCasts();
12802 if (!CE->getType()->isVoidType() && E->getType()->isAtomicType())
12803 S.Diag(E->getBeginLoc(), diag::warn_atomic_implicit_seq_cst);
12804 WorkList.push_back({E, CC, IsListInit});
12805 return;
12806 }
12807
12808 if (auto *OutArgE = dyn_cast<HLSLOutArgExpr>(E)) {
12809 WorkList.push_back({OutArgE->getArgLValue(), CC, IsListInit});
12810 // The base expression is only used to initialize the parameter for
12811 // arguments to `inout` parameters, so we only traverse down the base
12812 // expression for `inout` cases.
12813 if (OutArgE->isInOut())
12814 WorkList.push_back(
12815 {OutArgE->getCastedTemporary()->getSourceExpr(), CC, IsListInit});
12816 WorkList.push_back({OutArgE->getWritebackCast(), CC, IsListInit});
12817 return;
12818 }
12819
12820 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
12821 // Do a somewhat different check with comparison operators.
12822 if (BO->isComparisonOp())
12823 return AnalyzeComparison(S, BO);
12824
12825 // And with simple assignments.
12826 if (BO->getOpcode() == BO_Assign)
12827 return AnalyzeAssignment(S, BO);
12828 // And with compound assignments.
12829 if (BO->isAssignmentOp())
12830 return AnalyzeCompoundAssignment(S, BO);
12831 }
12832
12833 // These break the otherwise-useful invariant below. Fortunately,
12834 // we don't really need to recurse into them, because any internal
12835 // expressions should have been analyzed already when they were
12836 // built into statements.
12837 if (isa<StmtExpr>(E)) return;
12838
12839 // Don't descend into unevaluated contexts.
12840 if (isa<UnaryExprOrTypeTraitExpr>(E)) return;
12841
12842 // Now just recurse over the expression's children.
12843 CC = E->getExprLoc();
12844 BinaryOperator *BO = dyn_cast<BinaryOperator>(E);
12845 bool IsLogicalAndOperator = BO && BO->getOpcode() == BO_LAnd;
12846 for (Stmt *SubStmt : E->children()) {
12847 Expr *ChildExpr = dyn_cast_or_null<Expr>(SubStmt);
12848 if (!ChildExpr)
12849 continue;
12850
12851 if (auto *CSE = dyn_cast<CoroutineSuspendExpr>(E))
12852 if (ChildExpr == CSE->getOperand())
12853 // Do not recurse over a CoroutineSuspendExpr's operand.
12854 // The operand is also a subexpression of getCommonExpr(), and
12855 // recursing into it directly would produce duplicate diagnostics.
12856 continue;
12857
12858 if (IsLogicalAndOperator &&
12859 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts()))
12860 // Ignore checking string literals that are in logical and operators.
12861 // This is a common pattern for asserts.
12862 continue;
12863 WorkList.push_back({ChildExpr, CC, IsListInit});
12864 }
12865
12866 if (BO && BO->isLogicalOp()) {
12867 Expr *SubExpr = BO->getLHS()->IgnoreParenImpCasts();
12868 if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr))
12869 ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc());
12870
12871 SubExpr = BO->getRHS()->IgnoreParenImpCasts();
12872 if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr))
12873 ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc());
12874 }
12875
12876 if (const UnaryOperator *U = dyn_cast<UnaryOperator>(E)) {
12877 if (U->getOpcode() == UO_LNot) {
12878 ::CheckBoolLikeConversion(S, U->getSubExpr(), CC);
12879 } else if (U->getOpcode() != UO_AddrOf) {
12880 if (U->getSubExpr()->getType()->isAtomicType())
12881 S.Diag(U->getSubExpr()->getBeginLoc(),
12882 diag::warn_atomic_implicit_seq_cst);
12883 }
12884 }
12885 }
12886
12887 /// AnalyzeImplicitConversions - Find and report any interesting
12888 /// implicit conversions in the given expression. There are a couple
12889 /// of competing diagnostics here, -Wconversion and -Wsign-compare.
AnalyzeImplicitConversions(Sema & S,Expr * OrigE,SourceLocation CC,bool IsListInit)12890 static void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC,
12891 bool IsListInit/*= false*/) {
12892 llvm::SmallVector<AnalyzeImplicitConversionsWorkItem, 16> WorkList;
12893 WorkList.push_back({OrigE, CC, IsListInit});
12894 while (!WorkList.empty())
12895 AnalyzeImplicitConversions(S, WorkList.pop_back_val(), WorkList);
12896 }
12897
12898 // Helper function for Sema::DiagnoseAlwaysNonNullPointer.
12899 // Returns true when emitting a warning about taking the address of a reference.
CheckForReference(Sema & SemaRef,const Expr * E,const PartialDiagnostic & PD)12900 static bool CheckForReference(Sema &SemaRef, const Expr *E,
12901 const PartialDiagnostic &PD) {
12902 E = E->IgnoreParenImpCasts();
12903
12904 const FunctionDecl *FD = nullptr;
12905
12906 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
12907 if (!DRE->getDecl()->getType()->isReferenceType())
12908 return false;
12909 } else if (const MemberExpr *M = dyn_cast<MemberExpr>(E)) {
12910 if (!M->getMemberDecl()->getType()->isReferenceType())
12911 return false;
12912 } else if (const CallExpr *Call = dyn_cast<CallExpr>(E)) {
12913 if (!Call->getCallReturnType(SemaRef.Context)->isReferenceType())
12914 return false;
12915 FD = Call->getDirectCallee();
12916 } else {
12917 return false;
12918 }
12919
12920 SemaRef.Diag(E->getExprLoc(), PD);
12921
12922 // If possible, point to location of function.
12923 if (FD) {
12924 SemaRef.Diag(FD->getLocation(), diag::note_reference_is_return_value) << FD;
12925 }
12926
12927 return true;
12928 }
12929
12930 // Returns true if the SourceLocation is expanded from any macro body.
12931 // Returns false if the SourceLocation is invalid, is from not in a macro
12932 // expansion, or is from expanded from a top-level macro argument.
IsInAnyMacroBody(const SourceManager & SM,SourceLocation Loc)12933 static bool IsInAnyMacroBody(const SourceManager &SM, SourceLocation Loc) {
12934 if (Loc.isInvalid())
12935 return false;
12936
12937 while (Loc.isMacroID()) {
12938 if (SM.isMacroBodyExpansion(Loc))
12939 return true;
12940 Loc = SM.getImmediateMacroCallerLoc(Loc);
12941 }
12942
12943 return false;
12944 }
12945
DiagnoseAlwaysNonNullPointer(Expr * E,Expr::NullPointerConstantKind NullKind,bool IsEqual,SourceRange Range)12946 void Sema::DiagnoseAlwaysNonNullPointer(Expr *E,
12947 Expr::NullPointerConstantKind NullKind,
12948 bool IsEqual, SourceRange Range) {
12949 if (!E)
12950 return;
12951
12952 // Don't warn inside macros.
12953 if (E->getExprLoc().isMacroID()) {
12954 const SourceManager &SM = getSourceManager();
12955 if (IsInAnyMacroBody(SM, E->getExprLoc()) ||
12956 IsInAnyMacroBody(SM, Range.getBegin()))
12957 return;
12958 }
12959 E = E->IgnoreImpCasts();
12960
12961 const bool IsCompare = NullKind != Expr::NPCK_NotNull;
12962
12963 if (isa<CXXThisExpr>(E)) {
12964 unsigned DiagID = IsCompare ? diag::warn_this_null_compare
12965 : diag::warn_this_bool_conversion;
12966 Diag(E->getExprLoc(), DiagID) << E->getSourceRange() << Range << IsEqual;
12967 return;
12968 }
12969
12970 bool IsAddressOf = false;
12971
12972 if (auto *UO = dyn_cast<UnaryOperator>(E->IgnoreParens())) {
12973 if (UO->getOpcode() != UO_AddrOf)
12974 return;
12975 IsAddressOf = true;
12976 E = UO->getSubExpr();
12977 }
12978
12979 if (IsAddressOf) {
12980 unsigned DiagID = IsCompare
12981 ? diag::warn_address_of_reference_null_compare
12982 : diag::warn_address_of_reference_bool_conversion;
12983 PartialDiagnostic PD = PDiag(DiagID) << E->getSourceRange() << Range
12984 << IsEqual;
12985 if (CheckForReference(*this, E, PD)) {
12986 return;
12987 }
12988 }
12989
12990 auto ComplainAboutNonnullParamOrCall = [&](const Attr *NonnullAttr) {
12991 bool IsParam = isa<NonNullAttr>(NonnullAttr);
12992 std::string Str;
12993 llvm::raw_string_ostream S(Str);
12994 E->printPretty(S, nullptr, getPrintingPolicy());
12995 unsigned DiagID = IsCompare ? diag::warn_nonnull_expr_compare
12996 : diag::warn_cast_nonnull_to_bool;
12997 Diag(E->getExprLoc(), DiagID) << IsParam << S.str()
12998 << E->getSourceRange() << Range << IsEqual;
12999 Diag(NonnullAttr->getLocation(), diag::note_declared_nonnull) << IsParam;
13000 };
13001
13002 // If we have a CallExpr that is tagged with returns_nonnull, we can complain.
13003 if (auto *Call = dyn_cast<CallExpr>(E->IgnoreParenImpCasts())) {
13004 if (auto *Callee = Call->getDirectCallee()) {
13005 if (const Attr *A = Callee->getAttr<ReturnsNonNullAttr>()) {
13006 ComplainAboutNonnullParamOrCall(A);
13007 return;
13008 }
13009 }
13010 }
13011
13012 // Complain if we are converting a lambda expression to a boolean value
13013 // outside of instantiation.
13014 if (!inTemplateInstantiation()) {
13015 if (const auto *MCallExpr = dyn_cast<CXXMemberCallExpr>(E)) {
13016 if (const auto *MRecordDecl = MCallExpr->getRecordDecl();
13017 MRecordDecl && MRecordDecl->isLambda()) {
13018 Diag(E->getExprLoc(), diag::warn_impcast_pointer_to_bool)
13019 << /*LambdaPointerConversionOperatorType=*/3
13020 << MRecordDecl->getSourceRange() << Range << IsEqual;
13021 return;
13022 }
13023 }
13024 }
13025
13026 // Expect to find a single Decl. Skip anything more complicated.
13027 ValueDecl *D = nullptr;
13028 if (DeclRefExpr *R = dyn_cast<DeclRefExpr>(E)) {
13029 D = R->getDecl();
13030 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) {
13031 D = M->getMemberDecl();
13032 }
13033
13034 // Weak Decls can be null.
13035 if (!D || D->isWeak())
13036 return;
13037
13038 // Check for parameter decl with nonnull attribute
13039 if (const auto* PV = dyn_cast<ParmVarDecl>(D)) {
13040 if (getCurFunction() &&
13041 !getCurFunction()->ModifiedNonNullParams.count(PV)) {
13042 if (const Attr *A = PV->getAttr<NonNullAttr>()) {
13043 ComplainAboutNonnullParamOrCall(A);
13044 return;
13045 }
13046
13047 if (const auto *FD = dyn_cast<FunctionDecl>(PV->getDeclContext())) {
13048 // Skip function template not specialized yet.
13049 if (FD->getTemplatedKind() == FunctionDecl::TK_FunctionTemplate)
13050 return;
13051 auto ParamIter = llvm::find(FD->parameters(), PV);
13052 assert(ParamIter != FD->param_end());
13053 unsigned ParamNo = std::distance(FD->param_begin(), ParamIter);
13054
13055 for (const auto *NonNull : FD->specific_attrs<NonNullAttr>()) {
13056 if (!NonNull->args_size()) {
13057 ComplainAboutNonnullParamOrCall(NonNull);
13058 return;
13059 }
13060
13061 for (const ParamIdx &ArgNo : NonNull->args()) {
13062 if (ArgNo.getASTIndex() == ParamNo) {
13063 ComplainAboutNonnullParamOrCall(NonNull);
13064 return;
13065 }
13066 }
13067 }
13068 }
13069 }
13070 }
13071
13072 QualType T = D->getType();
13073 const bool IsArray = T->isArrayType();
13074 const bool IsFunction = T->isFunctionType();
13075
13076 // Address of function is used to silence the function warning.
13077 if (IsAddressOf && IsFunction) {
13078 return;
13079 }
13080
13081 // Found nothing.
13082 if (!IsAddressOf && !IsFunction && !IsArray)
13083 return;
13084
13085 // Pretty print the expression for the diagnostic.
13086 std::string Str;
13087 llvm::raw_string_ostream S(Str);
13088 E->printPretty(S, nullptr, getPrintingPolicy());
13089
13090 unsigned DiagID = IsCompare ? diag::warn_null_pointer_compare
13091 : diag::warn_impcast_pointer_to_bool;
13092 enum {
13093 AddressOf,
13094 FunctionPointer,
13095 ArrayPointer
13096 } DiagType;
13097 if (IsAddressOf)
13098 DiagType = AddressOf;
13099 else if (IsFunction)
13100 DiagType = FunctionPointer;
13101 else if (IsArray)
13102 DiagType = ArrayPointer;
13103 else
13104 llvm_unreachable("Could not determine diagnostic.");
13105 Diag(E->getExprLoc(), DiagID) << DiagType << S.str() << E->getSourceRange()
13106 << Range << IsEqual;
13107
13108 if (!IsFunction)
13109 return;
13110
13111 // Suggest '&' to silence the function warning.
13112 Diag(E->getExprLoc(), diag::note_function_warning_silence)
13113 << FixItHint::CreateInsertion(E->getBeginLoc(), "&");
13114
13115 // Check to see if '()' fixit should be emitted.
13116 QualType ReturnType;
13117 UnresolvedSet<4> NonTemplateOverloads;
13118 tryExprAsCall(*E, ReturnType, NonTemplateOverloads);
13119 if (ReturnType.isNull())
13120 return;
13121
13122 if (IsCompare) {
13123 // There are two cases here. If there is null constant, the only suggest
13124 // for a pointer return type. If the null is 0, then suggest if the return
13125 // type is a pointer or an integer type.
13126 if (!ReturnType->isPointerType()) {
13127 if (NullKind == Expr::NPCK_ZeroExpression ||
13128 NullKind == Expr::NPCK_ZeroLiteral) {
13129 if (!ReturnType->isIntegerType())
13130 return;
13131 } else {
13132 return;
13133 }
13134 }
13135 } else { // !IsCompare
13136 // For function to bool, only suggest if the function pointer has bool
13137 // return type.
13138 if (!ReturnType->isSpecificBuiltinType(BuiltinType::Bool))
13139 return;
13140 }
13141 Diag(E->getExprLoc(), diag::note_function_to_function_call)
13142 << FixItHint::CreateInsertion(getLocForEndOfToken(E->getEndLoc()), "()");
13143 }
13144
CheckImplicitConversions(Expr * E,SourceLocation CC)13145 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) {
13146 // Don't diagnose in unevaluated contexts.
13147 if (isUnevaluatedContext())
13148 return;
13149
13150 // Don't diagnose for value- or type-dependent expressions.
13151 if (E->isTypeDependent() || E->isValueDependent())
13152 return;
13153
13154 // Check for array bounds violations in cases where the check isn't triggered
13155 // elsewhere for other Expr types (like BinaryOperators), e.g. when an
13156 // ArraySubscriptExpr is on the RHS of a variable initialization.
13157 CheckArrayAccess(E);
13158
13159 // This is not the right CC for (e.g.) a variable initialization.
13160 AnalyzeImplicitConversions(*this, E, CC);
13161 }
13162
CheckBoolLikeConversion(Expr * E,SourceLocation CC)13163 void Sema::CheckBoolLikeConversion(Expr *E, SourceLocation CC) {
13164 ::CheckBoolLikeConversion(*this, E, CC);
13165 }
13166
CheckForIntOverflow(const Expr * E)13167 void Sema::CheckForIntOverflow (const Expr *E) {
13168 // Use a work list to deal with nested struct initializers.
13169 SmallVector<const Expr *, 2> Exprs(1, E);
13170
13171 do {
13172 const Expr *OriginalE = Exprs.pop_back_val();
13173 const Expr *E = OriginalE->IgnoreParenCasts();
13174
13175 if (isa<BinaryOperator, UnaryOperator>(E)) {
13176 E->EvaluateForOverflow(Context);
13177 continue;
13178 }
13179
13180 if (const auto *InitList = dyn_cast<InitListExpr>(OriginalE))
13181 Exprs.append(InitList->inits().begin(), InitList->inits().end());
13182 else if (isa<ObjCBoxedExpr>(OriginalE))
13183 E->EvaluateForOverflow(Context);
13184 else if (const auto *Call = dyn_cast<CallExpr>(E))
13185 Exprs.append(Call->arg_begin(), Call->arg_end());
13186 else if (const auto *Message = dyn_cast<ObjCMessageExpr>(E))
13187 Exprs.append(Message->arg_begin(), Message->arg_end());
13188 else if (const auto *Construct = dyn_cast<CXXConstructExpr>(E))
13189 Exprs.append(Construct->arg_begin(), Construct->arg_end());
13190 else if (const auto *Temporary = dyn_cast<CXXBindTemporaryExpr>(E))
13191 Exprs.push_back(Temporary->getSubExpr());
13192 else if (const auto *Array = dyn_cast<ArraySubscriptExpr>(E))
13193 Exprs.push_back(Array->getIdx());
13194 else if (const auto *Compound = dyn_cast<CompoundLiteralExpr>(E))
13195 Exprs.push_back(Compound->getInitializer());
13196 else if (const auto *New = dyn_cast<CXXNewExpr>(E);
13197 New && New->isArray()) {
13198 if (auto ArraySize = New->getArraySize())
13199 Exprs.push_back(*ArraySize);
13200 } else if (const auto *MTE = dyn_cast<MaterializeTemporaryExpr>(OriginalE))
13201 Exprs.push_back(MTE->getSubExpr());
13202 } while (!Exprs.empty());
13203 }
13204
13205 namespace {
13206
13207 /// Visitor for expressions which looks for unsequenced operations on the
13208 /// same object.
13209 class SequenceChecker : public ConstEvaluatedExprVisitor<SequenceChecker> {
13210 using Base = ConstEvaluatedExprVisitor<SequenceChecker>;
13211
13212 /// A tree of sequenced regions within an expression. Two regions are
13213 /// unsequenced if one is an ancestor or a descendent of the other. When we
13214 /// finish processing an expression with sequencing, such as a comma
13215 /// expression, we fold its tree nodes into its parent, since they are
13216 /// unsequenced with respect to nodes we will visit later.
13217 class SequenceTree {
13218 struct Value {
Value__anon28c3fbb13011::SequenceChecker::SequenceTree::Value13219 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {}
13220 unsigned Parent : 31;
13221 LLVM_PREFERRED_TYPE(bool)
13222 unsigned Merged : 1;
13223 };
13224 SmallVector<Value, 8> Values;
13225
13226 public:
13227 /// A region within an expression which may be sequenced with respect
13228 /// to some other region.
13229 class Seq {
13230 friend class SequenceTree;
13231
13232 unsigned Index;
13233
Seq(unsigned N)13234 explicit Seq(unsigned N) : Index(N) {}
13235
13236 public:
Seq()13237 Seq() : Index(0) {}
13238 };
13239
SequenceTree()13240 SequenceTree() { Values.push_back(Value(0)); }
root() const13241 Seq root() const { return Seq(0); }
13242
13243 /// Create a new sequence of operations, which is an unsequenced
13244 /// subset of \p Parent. This sequence of operations is sequenced with
13245 /// respect to other children of \p Parent.
allocate(Seq Parent)13246 Seq allocate(Seq Parent) {
13247 Values.push_back(Value(Parent.Index));
13248 return Seq(Values.size() - 1);
13249 }
13250
13251 /// Merge a sequence of operations into its parent.
merge(Seq S)13252 void merge(Seq S) {
13253 Values[S.Index].Merged = true;
13254 }
13255
13256 /// Determine whether two operations are unsequenced. This operation
13257 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old
13258 /// should have been merged into its parent as appropriate.
isUnsequenced(Seq Cur,Seq Old)13259 bool isUnsequenced(Seq Cur, Seq Old) {
13260 unsigned C = representative(Cur.Index);
13261 unsigned Target = representative(Old.Index);
13262 while (C >= Target) {
13263 if (C == Target)
13264 return true;
13265 C = Values[C].Parent;
13266 }
13267 return false;
13268 }
13269
13270 private:
13271 /// Pick a representative for a sequence.
representative(unsigned K)13272 unsigned representative(unsigned K) {
13273 if (Values[K].Merged)
13274 // Perform path compression as we go.
13275 return Values[K].Parent = representative(Values[K].Parent);
13276 return K;
13277 }
13278 };
13279
13280 /// An object for which we can track unsequenced uses.
13281 using Object = const NamedDecl *;
13282
13283 /// Different flavors of object usage which we track. We only track the
13284 /// least-sequenced usage of each kind.
13285 enum UsageKind {
13286 /// A read of an object. Multiple unsequenced reads are OK.
13287 UK_Use,
13288
13289 /// A modification of an object which is sequenced before the value
13290 /// computation of the expression, such as ++n in C++.
13291 UK_ModAsValue,
13292
13293 /// A modification of an object which is not sequenced before the value
13294 /// computation of the expression, such as n++.
13295 UK_ModAsSideEffect,
13296
13297 UK_Count = UK_ModAsSideEffect + 1
13298 };
13299
13300 /// Bundle together a sequencing region and the expression corresponding
13301 /// to a specific usage. One Usage is stored for each usage kind in UsageInfo.
13302 struct Usage {
13303 const Expr *UsageExpr = nullptr;
13304 SequenceTree::Seq Seq;
13305
13306 Usage() = default;
13307 };
13308
13309 struct UsageInfo {
13310 Usage Uses[UK_Count];
13311
13312 /// Have we issued a diagnostic for this object already?
13313 bool Diagnosed = false;
13314
13315 UsageInfo();
13316 };
13317 using UsageInfoMap = llvm::SmallDenseMap<Object, UsageInfo, 16>;
13318
13319 Sema &SemaRef;
13320
13321 /// Sequenced regions within the expression.
13322 SequenceTree Tree;
13323
13324 /// Declaration modifications and references which we have seen.
13325 UsageInfoMap UsageMap;
13326
13327 /// The region we are currently within.
13328 SequenceTree::Seq Region;
13329
13330 /// Filled in with declarations which were modified as a side-effect
13331 /// (that is, post-increment operations).
13332 SmallVectorImpl<std::pair<Object, Usage>> *ModAsSideEffect = nullptr;
13333
13334 /// Expressions to check later. We defer checking these to reduce
13335 /// stack usage.
13336 SmallVectorImpl<const Expr *> &WorkList;
13337
13338 /// RAII object wrapping the visitation of a sequenced subexpression of an
13339 /// expression. At the end of this process, the side-effects of the evaluation
13340 /// become sequenced with respect to the value computation of the result, so
13341 /// we downgrade any UK_ModAsSideEffect within the evaluation to
13342 /// UK_ModAsValue.
13343 struct SequencedSubexpression {
SequencedSubexpression__anon28c3fbb13011::SequenceChecker::SequencedSubexpression13344 SequencedSubexpression(SequenceChecker &Self)
13345 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) {
13346 Self.ModAsSideEffect = &ModAsSideEffect;
13347 }
13348
~SequencedSubexpression__anon28c3fbb13011::SequenceChecker::SequencedSubexpression13349 ~SequencedSubexpression() {
13350 for (const std::pair<Object, Usage> &M : llvm::reverse(ModAsSideEffect)) {
13351 // Add a new usage with usage kind UK_ModAsValue, and then restore
13352 // the previous usage with UK_ModAsSideEffect (thus clearing it if
13353 // the previous one was empty).
13354 UsageInfo &UI = Self.UsageMap[M.first];
13355 auto &SideEffectUsage = UI.Uses[UK_ModAsSideEffect];
13356 Self.addUsage(M.first, UI, SideEffectUsage.UsageExpr, UK_ModAsValue);
13357 SideEffectUsage = M.second;
13358 }
13359 Self.ModAsSideEffect = OldModAsSideEffect;
13360 }
13361
13362 SequenceChecker &Self;
13363 SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect;
13364 SmallVectorImpl<std::pair<Object, Usage>> *OldModAsSideEffect;
13365 };
13366
13367 /// RAII object wrapping the visitation of a subexpression which we might
13368 /// choose to evaluate as a constant. If any subexpression is evaluated and
13369 /// found to be non-constant, this allows us to suppress the evaluation of
13370 /// the outer expression.
13371 class EvaluationTracker {
13372 public:
EvaluationTracker(SequenceChecker & Self)13373 EvaluationTracker(SequenceChecker &Self)
13374 : Self(Self), Prev(Self.EvalTracker) {
13375 Self.EvalTracker = this;
13376 }
13377
~EvaluationTracker()13378 ~EvaluationTracker() {
13379 Self.EvalTracker = Prev;
13380 if (Prev)
13381 Prev->EvalOK &= EvalOK;
13382 }
13383
evaluate(const Expr * E,bool & Result)13384 bool evaluate(const Expr *E, bool &Result) {
13385 if (!EvalOK || E->isValueDependent())
13386 return false;
13387 EvalOK = E->EvaluateAsBooleanCondition(
13388 Result, Self.SemaRef.Context,
13389 Self.SemaRef.isConstantEvaluatedContext());
13390 return EvalOK;
13391 }
13392
13393 private:
13394 SequenceChecker &Self;
13395 EvaluationTracker *Prev;
13396 bool EvalOK = true;
13397 } *EvalTracker = nullptr;
13398
13399 /// Find the object which is produced by the specified expression,
13400 /// if any.
getObject(const Expr * E,bool Mod) const13401 Object getObject(const Expr *E, bool Mod) const {
13402 E = E->IgnoreParenCasts();
13403 if (const UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) {
13404 if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec))
13405 return getObject(UO->getSubExpr(), Mod);
13406 } else if (const BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
13407 if (BO->getOpcode() == BO_Comma)
13408 return getObject(BO->getRHS(), Mod);
13409 if (Mod && BO->isAssignmentOp())
13410 return getObject(BO->getLHS(), Mod);
13411 } else if (const MemberExpr *ME = dyn_cast<MemberExpr>(E)) {
13412 // FIXME: Check for more interesting cases, like "x.n = ++x.n".
13413 if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts()))
13414 return ME->getMemberDecl();
13415 } else if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E))
13416 // FIXME: If this is a reference, map through to its value.
13417 return DRE->getDecl();
13418 return nullptr;
13419 }
13420
13421 /// Note that an object \p O was modified or used by an expression
13422 /// \p UsageExpr with usage kind \p UK. \p UI is the \p UsageInfo for
13423 /// the object \p O as obtained via the \p UsageMap.
addUsage(Object O,UsageInfo & UI,const Expr * UsageExpr,UsageKind UK)13424 void addUsage(Object O, UsageInfo &UI, const Expr *UsageExpr, UsageKind UK) {
13425 // Get the old usage for the given object and usage kind.
13426 Usage &U = UI.Uses[UK];
13427 if (!U.UsageExpr || !Tree.isUnsequenced(Region, U.Seq)) {
13428 // If we have a modification as side effect and are in a sequenced
13429 // subexpression, save the old Usage so that we can restore it later
13430 // in SequencedSubexpression::~SequencedSubexpression.
13431 if (UK == UK_ModAsSideEffect && ModAsSideEffect)
13432 ModAsSideEffect->push_back(std::make_pair(O, U));
13433 // Then record the new usage with the current sequencing region.
13434 U.UsageExpr = UsageExpr;
13435 U.Seq = Region;
13436 }
13437 }
13438
13439 /// Check whether a modification or use of an object \p O in an expression
13440 /// \p UsageExpr conflicts with a prior usage of kind \p OtherKind. \p UI is
13441 /// the \p UsageInfo for the object \p O as obtained via the \p UsageMap.
13442 /// \p IsModMod is true when we are checking for a mod-mod unsequenced
13443 /// usage and false we are checking for a mod-use unsequenced usage.
checkUsage(Object O,UsageInfo & UI,const Expr * UsageExpr,UsageKind OtherKind,bool IsModMod)13444 void checkUsage(Object O, UsageInfo &UI, const Expr *UsageExpr,
13445 UsageKind OtherKind, bool IsModMod) {
13446 if (UI.Diagnosed)
13447 return;
13448
13449 const Usage &U = UI.Uses[OtherKind];
13450 if (!U.UsageExpr || !Tree.isUnsequenced(Region, U.Seq))
13451 return;
13452
13453 const Expr *Mod = U.UsageExpr;
13454 const Expr *ModOrUse = UsageExpr;
13455 if (OtherKind == UK_Use)
13456 std::swap(Mod, ModOrUse);
13457
13458 SemaRef.DiagRuntimeBehavior(
13459 Mod->getExprLoc(), {Mod, ModOrUse},
13460 SemaRef.PDiag(IsModMod ? diag::warn_unsequenced_mod_mod
13461 : diag::warn_unsequenced_mod_use)
13462 << O << SourceRange(ModOrUse->getExprLoc()));
13463 UI.Diagnosed = true;
13464 }
13465
13466 // A note on note{Pre, Post}{Use, Mod}:
13467 //
13468 // (It helps to follow the algorithm with an expression such as
13469 // "((++k)++, k) = k" or "k = (k++, k++)". Both contain unsequenced
13470 // operations before C++17 and both are well-defined in C++17).
13471 //
13472 // When visiting a node which uses/modify an object we first call notePreUse
13473 // or notePreMod before visiting its sub-expression(s). At this point the
13474 // children of the current node have not yet been visited and so the eventual
13475 // uses/modifications resulting from the children of the current node have not
13476 // been recorded yet.
13477 //
13478 // We then visit the children of the current node. After that notePostUse or
13479 // notePostMod is called. These will 1) detect an unsequenced modification
13480 // as side effect (as in "k++ + k") and 2) add a new usage with the
13481 // appropriate usage kind.
13482 //
13483 // We also have to be careful that some operation sequences modification as
13484 // side effect as well (for example: || or ,). To account for this we wrap
13485 // the visitation of such a sub-expression (for example: the LHS of || or ,)
13486 // with SequencedSubexpression. SequencedSubexpression is an RAII object
13487 // which record usages which are modifications as side effect, and then
13488 // downgrade them (or more accurately restore the previous usage which was a
13489 // modification as side effect) when exiting the scope of the sequenced
13490 // subexpression.
13491
notePreUse(Object O,const Expr * UseExpr)13492 void notePreUse(Object O, const Expr *UseExpr) {
13493 UsageInfo &UI = UsageMap[O];
13494 // Uses conflict with other modifications.
13495 checkUsage(O, UI, UseExpr, /*OtherKind=*/UK_ModAsValue, /*IsModMod=*/false);
13496 }
13497
notePostUse(Object O,const Expr * UseExpr)13498 void notePostUse(Object O, const Expr *UseExpr) {
13499 UsageInfo &UI = UsageMap[O];
13500 checkUsage(O, UI, UseExpr, /*OtherKind=*/UK_ModAsSideEffect,
13501 /*IsModMod=*/false);
13502 addUsage(O, UI, UseExpr, /*UsageKind=*/UK_Use);
13503 }
13504
notePreMod(Object O,const Expr * ModExpr)13505 void notePreMod(Object O, const Expr *ModExpr) {
13506 UsageInfo &UI = UsageMap[O];
13507 // Modifications conflict with other modifications and with uses.
13508 checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_ModAsValue, /*IsModMod=*/true);
13509 checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_Use, /*IsModMod=*/false);
13510 }
13511
notePostMod(Object O,const Expr * ModExpr,UsageKind UK)13512 void notePostMod(Object O, const Expr *ModExpr, UsageKind UK) {
13513 UsageInfo &UI = UsageMap[O];
13514 checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_ModAsSideEffect,
13515 /*IsModMod=*/true);
13516 addUsage(O, UI, ModExpr, /*UsageKind=*/UK);
13517 }
13518
13519 public:
SequenceChecker(Sema & S,const Expr * E,SmallVectorImpl<const Expr * > & WorkList)13520 SequenceChecker(Sema &S, const Expr *E,
13521 SmallVectorImpl<const Expr *> &WorkList)
13522 : Base(S.Context), SemaRef(S), Region(Tree.root()), WorkList(WorkList) {
13523 Visit(E);
13524 // Silence a -Wunused-private-field since WorkList is now unused.
13525 // TODO: Evaluate if it can be used, and if not remove it.
13526 (void)this->WorkList;
13527 }
13528
VisitStmt(const Stmt * S)13529 void VisitStmt(const Stmt *S) {
13530 // Skip all statements which aren't expressions for now.
13531 }
13532
VisitExpr(const Expr * E)13533 void VisitExpr(const Expr *E) {
13534 // By default, just recurse to evaluated subexpressions.
13535 Base::VisitStmt(E);
13536 }
13537
VisitCoroutineSuspendExpr(const CoroutineSuspendExpr * CSE)13538 void VisitCoroutineSuspendExpr(const CoroutineSuspendExpr *CSE) {
13539 for (auto *Sub : CSE->children()) {
13540 const Expr *ChildExpr = dyn_cast_or_null<Expr>(Sub);
13541 if (!ChildExpr)
13542 continue;
13543
13544 if (ChildExpr == CSE->getOperand())
13545 // Do not recurse over a CoroutineSuspendExpr's operand.
13546 // The operand is also a subexpression of getCommonExpr(), and
13547 // recursing into it directly could confuse object management
13548 // for the sake of sequence tracking.
13549 continue;
13550
13551 Visit(Sub);
13552 }
13553 }
13554
VisitCastExpr(const CastExpr * E)13555 void VisitCastExpr(const CastExpr *E) {
13556 Object O = Object();
13557 if (E->getCastKind() == CK_LValueToRValue)
13558 O = getObject(E->getSubExpr(), false);
13559
13560 if (O)
13561 notePreUse(O, E);
13562 VisitExpr(E);
13563 if (O)
13564 notePostUse(O, E);
13565 }
13566
VisitSequencedExpressions(const Expr * SequencedBefore,const Expr * SequencedAfter)13567 void VisitSequencedExpressions(const Expr *SequencedBefore,
13568 const Expr *SequencedAfter) {
13569 SequenceTree::Seq BeforeRegion = Tree.allocate(Region);
13570 SequenceTree::Seq AfterRegion = Tree.allocate(Region);
13571 SequenceTree::Seq OldRegion = Region;
13572
13573 {
13574 SequencedSubexpression SeqBefore(*this);
13575 Region = BeforeRegion;
13576 Visit(SequencedBefore);
13577 }
13578
13579 Region = AfterRegion;
13580 Visit(SequencedAfter);
13581
13582 Region = OldRegion;
13583
13584 Tree.merge(BeforeRegion);
13585 Tree.merge(AfterRegion);
13586 }
13587
VisitArraySubscriptExpr(const ArraySubscriptExpr * ASE)13588 void VisitArraySubscriptExpr(const ArraySubscriptExpr *ASE) {
13589 // C++17 [expr.sub]p1:
13590 // The expression E1[E2] is identical (by definition) to *((E1)+(E2)). The
13591 // expression E1 is sequenced before the expression E2.
13592 if (SemaRef.getLangOpts().CPlusPlus17)
13593 VisitSequencedExpressions(ASE->getLHS(), ASE->getRHS());
13594 else {
13595 Visit(ASE->getLHS());
13596 Visit(ASE->getRHS());
13597 }
13598 }
13599
VisitBinPtrMemD(const BinaryOperator * BO)13600 void VisitBinPtrMemD(const BinaryOperator *BO) { VisitBinPtrMem(BO); }
VisitBinPtrMemI(const BinaryOperator * BO)13601 void VisitBinPtrMemI(const BinaryOperator *BO) { VisitBinPtrMem(BO); }
VisitBinPtrMem(const BinaryOperator * BO)13602 void VisitBinPtrMem(const BinaryOperator *BO) {
13603 // C++17 [expr.mptr.oper]p4:
13604 // Abbreviating pm-expression.*cast-expression as E1.*E2, [...]
13605 // the expression E1 is sequenced before the expression E2.
13606 if (SemaRef.getLangOpts().CPlusPlus17)
13607 VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
13608 else {
13609 Visit(BO->getLHS());
13610 Visit(BO->getRHS());
13611 }
13612 }
13613
VisitBinShl(const BinaryOperator * BO)13614 void VisitBinShl(const BinaryOperator *BO) { VisitBinShlShr(BO); }
VisitBinShr(const BinaryOperator * BO)13615 void VisitBinShr(const BinaryOperator *BO) { VisitBinShlShr(BO); }
VisitBinShlShr(const BinaryOperator * BO)13616 void VisitBinShlShr(const BinaryOperator *BO) {
13617 // C++17 [expr.shift]p4:
13618 // The expression E1 is sequenced before the expression E2.
13619 if (SemaRef.getLangOpts().CPlusPlus17)
13620 VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
13621 else {
13622 Visit(BO->getLHS());
13623 Visit(BO->getRHS());
13624 }
13625 }
13626
VisitBinComma(const BinaryOperator * BO)13627 void VisitBinComma(const BinaryOperator *BO) {
13628 // C++11 [expr.comma]p1:
13629 // Every value computation and side effect associated with the left
13630 // expression is sequenced before every value computation and side
13631 // effect associated with the right expression.
13632 VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
13633 }
13634
VisitBinAssign(const BinaryOperator * BO)13635 void VisitBinAssign(const BinaryOperator *BO) {
13636 SequenceTree::Seq RHSRegion;
13637 SequenceTree::Seq LHSRegion;
13638 if (SemaRef.getLangOpts().CPlusPlus17) {
13639 RHSRegion = Tree.allocate(Region);
13640 LHSRegion = Tree.allocate(Region);
13641 } else {
13642 RHSRegion = Region;
13643 LHSRegion = Region;
13644 }
13645 SequenceTree::Seq OldRegion = Region;
13646
13647 // C++11 [expr.ass]p1:
13648 // [...] the assignment is sequenced after the value computation
13649 // of the right and left operands, [...]
13650 //
13651 // so check it before inspecting the operands and update the
13652 // map afterwards.
13653 Object O = getObject(BO->getLHS(), /*Mod=*/true);
13654 if (O)
13655 notePreMod(O, BO);
13656
13657 if (SemaRef.getLangOpts().CPlusPlus17) {
13658 // C++17 [expr.ass]p1:
13659 // [...] The right operand is sequenced before the left operand. [...]
13660 {
13661 SequencedSubexpression SeqBefore(*this);
13662 Region = RHSRegion;
13663 Visit(BO->getRHS());
13664 }
13665
13666 Region = LHSRegion;
13667 Visit(BO->getLHS());
13668
13669 if (O && isa<CompoundAssignOperator>(BO))
13670 notePostUse(O, BO);
13671
13672 } else {
13673 // C++11 does not specify any sequencing between the LHS and RHS.
13674 Region = LHSRegion;
13675 Visit(BO->getLHS());
13676
13677 if (O && isa<CompoundAssignOperator>(BO))
13678 notePostUse(O, BO);
13679
13680 Region = RHSRegion;
13681 Visit(BO->getRHS());
13682 }
13683
13684 // C++11 [expr.ass]p1:
13685 // the assignment is sequenced [...] before the value computation of the
13686 // assignment expression.
13687 // C11 6.5.16/3 has no such rule.
13688 Region = OldRegion;
13689 if (O)
13690 notePostMod(O, BO,
13691 SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue
13692 : UK_ModAsSideEffect);
13693 if (SemaRef.getLangOpts().CPlusPlus17) {
13694 Tree.merge(RHSRegion);
13695 Tree.merge(LHSRegion);
13696 }
13697 }
13698
VisitCompoundAssignOperator(const CompoundAssignOperator * CAO)13699 void VisitCompoundAssignOperator(const CompoundAssignOperator *CAO) {
13700 VisitBinAssign(CAO);
13701 }
13702
VisitUnaryPreInc(const UnaryOperator * UO)13703 void VisitUnaryPreInc(const UnaryOperator *UO) { VisitUnaryPreIncDec(UO); }
VisitUnaryPreDec(const UnaryOperator * UO)13704 void VisitUnaryPreDec(const UnaryOperator *UO) { VisitUnaryPreIncDec(UO); }
VisitUnaryPreIncDec(const UnaryOperator * UO)13705 void VisitUnaryPreIncDec(const UnaryOperator *UO) {
13706 Object O = getObject(UO->getSubExpr(), true);
13707 if (!O)
13708 return VisitExpr(UO);
13709
13710 notePreMod(O, UO);
13711 Visit(UO->getSubExpr());
13712 // C++11 [expr.pre.incr]p1:
13713 // the expression ++x is equivalent to x+=1
13714 notePostMod(O, UO,
13715 SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue
13716 : UK_ModAsSideEffect);
13717 }
13718
VisitUnaryPostInc(const UnaryOperator * UO)13719 void VisitUnaryPostInc(const UnaryOperator *UO) { VisitUnaryPostIncDec(UO); }
VisitUnaryPostDec(const UnaryOperator * UO)13720 void VisitUnaryPostDec(const UnaryOperator *UO) { VisitUnaryPostIncDec(UO); }
VisitUnaryPostIncDec(const UnaryOperator * UO)13721 void VisitUnaryPostIncDec(const UnaryOperator *UO) {
13722 Object O = getObject(UO->getSubExpr(), true);
13723 if (!O)
13724 return VisitExpr(UO);
13725
13726 notePreMod(O, UO);
13727 Visit(UO->getSubExpr());
13728 notePostMod(O, UO, UK_ModAsSideEffect);
13729 }
13730
VisitBinLOr(const BinaryOperator * BO)13731 void VisitBinLOr(const BinaryOperator *BO) {
13732 // C++11 [expr.log.or]p2:
13733 // If the second expression is evaluated, every value computation and
13734 // side effect associated with the first expression is sequenced before
13735 // every value computation and side effect associated with the
13736 // second expression.
13737 SequenceTree::Seq LHSRegion = Tree.allocate(Region);
13738 SequenceTree::Seq RHSRegion = Tree.allocate(Region);
13739 SequenceTree::Seq OldRegion = Region;
13740
13741 EvaluationTracker Eval(*this);
13742 {
13743 SequencedSubexpression Sequenced(*this);
13744 Region = LHSRegion;
13745 Visit(BO->getLHS());
13746 }
13747
13748 // C++11 [expr.log.or]p1:
13749 // [...] the second operand is not evaluated if the first operand
13750 // evaluates to true.
13751 bool EvalResult = false;
13752 bool EvalOK = Eval.evaluate(BO->getLHS(), EvalResult);
13753 bool ShouldVisitRHS = !EvalOK || !EvalResult;
13754 if (ShouldVisitRHS) {
13755 Region = RHSRegion;
13756 Visit(BO->getRHS());
13757 }
13758
13759 Region = OldRegion;
13760 Tree.merge(LHSRegion);
13761 Tree.merge(RHSRegion);
13762 }
13763
VisitBinLAnd(const BinaryOperator * BO)13764 void VisitBinLAnd(const BinaryOperator *BO) {
13765 // C++11 [expr.log.and]p2:
13766 // If the second expression is evaluated, every value computation and
13767 // side effect associated with the first expression is sequenced before
13768 // every value computation and side effect associated with the
13769 // second expression.
13770 SequenceTree::Seq LHSRegion = Tree.allocate(Region);
13771 SequenceTree::Seq RHSRegion = Tree.allocate(Region);
13772 SequenceTree::Seq OldRegion = Region;
13773
13774 EvaluationTracker Eval(*this);
13775 {
13776 SequencedSubexpression Sequenced(*this);
13777 Region = LHSRegion;
13778 Visit(BO->getLHS());
13779 }
13780
13781 // C++11 [expr.log.and]p1:
13782 // [...] the second operand is not evaluated if the first operand is false.
13783 bool EvalResult = false;
13784 bool EvalOK = Eval.evaluate(BO->getLHS(), EvalResult);
13785 bool ShouldVisitRHS = !EvalOK || EvalResult;
13786 if (ShouldVisitRHS) {
13787 Region = RHSRegion;
13788 Visit(BO->getRHS());
13789 }
13790
13791 Region = OldRegion;
13792 Tree.merge(LHSRegion);
13793 Tree.merge(RHSRegion);
13794 }
13795
VisitAbstractConditionalOperator(const AbstractConditionalOperator * CO)13796 void VisitAbstractConditionalOperator(const AbstractConditionalOperator *CO) {
13797 // C++11 [expr.cond]p1:
13798 // [...] Every value computation and side effect associated with the first
13799 // expression is sequenced before every value computation and side effect
13800 // associated with the second or third expression.
13801 SequenceTree::Seq ConditionRegion = Tree.allocate(Region);
13802
13803 // No sequencing is specified between the true and false expression.
13804 // However since exactly one of both is going to be evaluated we can
13805 // consider them to be sequenced. This is needed to avoid warning on
13806 // something like "x ? y+= 1 : y += 2;" in the case where we will visit
13807 // both the true and false expressions because we can't evaluate x.
13808 // This will still allow us to detect an expression like (pre C++17)
13809 // "(x ? y += 1 : y += 2) = y".
13810 //
13811 // We don't wrap the visitation of the true and false expression with
13812 // SequencedSubexpression because we don't want to downgrade modifications
13813 // as side effect in the true and false expressions after the visition
13814 // is done. (for example in the expression "(x ? y++ : y++) + y" we should
13815 // not warn between the two "y++", but we should warn between the "y++"
13816 // and the "y".
13817 SequenceTree::Seq TrueRegion = Tree.allocate(Region);
13818 SequenceTree::Seq FalseRegion = Tree.allocate(Region);
13819 SequenceTree::Seq OldRegion = Region;
13820
13821 EvaluationTracker Eval(*this);
13822 {
13823 SequencedSubexpression Sequenced(*this);
13824 Region = ConditionRegion;
13825 Visit(CO->getCond());
13826 }
13827
13828 // C++11 [expr.cond]p1:
13829 // [...] The first expression is contextually converted to bool (Clause 4).
13830 // It is evaluated and if it is true, the result of the conditional
13831 // expression is the value of the second expression, otherwise that of the
13832 // third expression. Only one of the second and third expressions is
13833 // evaluated. [...]
13834 bool EvalResult = false;
13835 bool EvalOK = Eval.evaluate(CO->getCond(), EvalResult);
13836 bool ShouldVisitTrueExpr = !EvalOK || EvalResult;
13837 bool ShouldVisitFalseExpr = !EvalOK || !EvalResult;
13838 if (ShouldVisitTrueExpr) {
13839 Region = TrueRegion;
13840 Visit(CO->getTrueExpr());
13841 }
13842 if (ShouldVisitFalseExpr) {
13843 Region = FalseRegion;
13844 Visit(CO->getFalseExpr());
13845 }
13846
13847 Region = OldRegion;
13848 Tree.merge(ConditionRegion);
13849 Tree.merge(TrueRegion);
13850 Tree.merge(FalseRegion);
13851 }
13852
VisitCallExpr(const CallExpr * CE)13853 void VisitCallExpr(const CallExpr *CE) {
13854 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions.
13855
13856 if (CE->isUnevaluatedBuiltinCall(Context))
13857 return;
13858
13859 // C++11 [intro.execution]p15:
13860 // When calling a function [...], every value computation and side effect
13861 // associated with any argument expression, or with the postfix expression
13862 // designating the called function, is sequenced before execution of every
13863 // expression or statement in the body of the function [and thus before
13864 // the value computation of its result].
13865 SequencedSubexpression Sequenced(*this);
13866 SemaRef.runWithSufficientStackSpace(CE->getExprLoc(), [&] {
13867 // C++17 [expr.call]p5
13868 // The postfix-expression is sequenced before each expression in the
13869 // expression-list and any default argument. [...]
13870 SequenceTree::Seq CalleeRegion;
13871 SequenceTree::Seq OtherRegion;
13872 if (SemaRef.getLangOpts().CPlusPlus17) {
13873 CalleeRegion = Tree.allocate(Region);
13874 OtherRegion = Tree.allocate(Region);
13875 } else {
13876 CalleeRegion = Region;
13877 OtherRegion = Region;
13878 }
13879 SequenceTree::Seq OldRegion = Region;
13880
13881 // Visit the callee expression first.
13882 Region = CalleeRegion;
13883 if (SemaRef.getLangOpts().CPlusPlus17) {
13884 SequencedSubexpression Sequenced(*this);
13885 Visit(CE->getCallee());
13886 } else {
13887 Visit(CE->getCallee());
13888 }
13889
13890 // Then visit the argument expressions.
13891 Region = OtherRegion;
13892 for (const Expr *Argument : CE->arguments())
13893 Visit(Argument);
13894
13895 Region = OldRegion;
13896 if (SemaRef.getLangOpts().CPlusPlus17) {
13897 Tree.merge(CalleeRegion);
13898 Tree.merge(OtherRegion);
13899 }
13900 });
13901 }
13902
VisitCXXOperatorCallExpr(const CXXOperatorCallExpr * CXXOCE)13903 void VisitCXXOperatorCallExpr(const CXXOperatorCallExpr *CXXOCE) {
13904 // C++17 [over.match.oper]p2:
13905 // [...] the operator notation is first transformed to the equivalent
13906 // function-call notation as summarized in Table 12 (where @ denotes one
13907 // of the operators covered in the specified subclause). However, the
13908 // operands are sequenced in the order prescribed for the built-in
13909 // operator (Clause 8).
13910 //
13911 // From the above only overloaded binary operators and overloaded call
13912 // operators have sequencing rules in C++17 that we need to handle
13913 // separately.
13914 if (!SemaRef.getLangOpts().CPlusPlus17 ||
13915 (CXXOCE->getNumArgs() != 2 && CXXOCE->getOperator() != OO_Call))
13916 return VisitCallExpr(CXXOCE);
13917
13918 enum {
13919 NoSequencing,
13920 LHSBeforeRHS,
13921 RHSBeforeLHS,
13922 LHSBeforeRest
13923 } SequencingKind;
13924 switch (CXXOCE->getOperator()) {
13925 case OO_Equal:
13926 case OO_PlusEqual:
13927 case OO_MinusEqual:
13928 case OO_StarEqual:
13929 case OO_SlashEqual:
13930 case OO_PercentEqual:
13931 case OO_CaretEqual:
13932 case OO_AmpEqual:
13933 case OO_PipeEqual:
13934 case OO_LessLessEqual:
13935 case OO_GreaterGreaterEqual:
13936 SequencingKind = RHSBeforeLHS;
13937 break;
13938
13939 case OO_LessLess:
13940 case OO_GreaterGreater:
13941 case OO_AmpAmp:
13942 case OO_PipePipe:
13943 case OO_Comma:
13944 case OO_ArrowStar:
13945 case OO_Subscript:
13946 SequencingKind = LHSBeforeRHS;
13947 break;
13948
13949 case OO_Call:
13950 SequencingKind = LHSBeforeRest;
13951 break;
13952
13953 default:
13954 SequencingKind = NoSequencing;
13955 break;
13956 }
13957
13958 if (SequencingKind == NoSequencing)
13959 return VisitCallExpr(CXXOCE);
13960
13961 // This is a call, so all subexpressions are sequenced before the result.
13962 SequencedSubexpression Sequenced(*this);
13963
13964 SemaRef.runWithSufficientStackSpace(CXXOCE->getExprLoc(), [&] {
13965 assert(SemaRef.getLangOpts().CPlusPlus17 &&
13966 "Should only get there with C++17 and above!");
13967 assert((CXXOCE->getNumArgs() == 2 || CXXOCE->getOperator() == OO_Call) &&
13968 "Should only get there with an overloaded binary operator"
13969 " or an overloaded call operator!");
13970
13971 if (SequencingKind == LHSBeforeRest) {
13972 assert(CXXOCE->getOperator() == OO_Call &&
13973 "We should only have an overloaded call operator here!");
13974
13975 // This is very similar to VisitCallExpr, except that we only have the
13976 // C++17 case. The postfix-expression is the first argument of the
13977 // CXXOperatorCallExpr. The expressions in the expression-list, if any,
13978 // are in the following arguments.
13979 //
13980 // Note that we intentionally do not visit the callee expression since
13981 // it is just a decayed reference to a function.
13982 SequenceTree::Seq PostfixExprRegion = Tree.allocate(Region);
13983 SequenceTree::Seq ArgsRegion = Tree.allocate(Region);
13984 SequenceTree::Seq OldRegion = Region;
13985
13986 assert(CXXOCE->getNumArgs() >= 1 &&
13987 "An overloaded call operator must have at least one argument"
13988 " for the postfix-expression!");
13989 const Expr *PostfixExpr = CXXOCE->getArgs()[0];
13990 llvm::ArrayRef<const Expr *> Args(CXXOCE->getArgs() + 1,
13991 CXXOCE->getNumArgs() - 1);
13992
13993 // Visit the postfix-expression first.
13994 {
13995 Region = PostfixExprRegion;
13996 SequencedSubexpression Sequenced(*this);
13997 Visit(PostfixExpr);
13998 }
13999
14000 // Then visit the argument expressions.
14001 Region = ArgsRegion;
14002 for (const Expr *Arg : Args)
14003 Visit(Arg);
14004
14005 Region = OldRegion;
14006 Tree.merge(PostfixExprRegion);
14007 Tree.merge(ArgsRegion);
14008 } else {
14009 assert(CXXOCE->getNumArgs() == 2 &&
14010 "Should only have two arguments here!");
14011 assert((SequencingKind == LHSBeforeRHS ||
14012 SequencingKind == RHSBeforeLHS) &&
14013 "Unexpected sequencing kind!");
14014
14015 // We do not visit the callee expression since it is just a decayed
14016 // reference to a function.
14017 const Expr *E1 = CXXOCE->getArg(0);
14018 const Expr *E2 = CXXOCE->getArg(1);
14019 if (SequencingKind == RHSBeforeLHS)
14020 std::swap(E1, E2);
14021
14022 return VisitSequencedExpressions(E1, E2);
14023 }
14024 });
14025 }
14026
VisitCXXConstructExpr(const CXXConstructExpr * CCE)14027 void VisitCXXConstructExpr(const CXXConstructExpr *CCE) {
14028 // This is a call, so all subexpressions are sequenced before the result.
14029 SequencedSubexpression Sequenced(*this);
14030
14031 if (!CCE->isListInitialization())
14032 return VisitExpr(CCE);
14033
14034 // In C++11, list initializations are sequenced.
14035 SequenceExpressionsInOrder(
14036 llvm::ArrayRef(CCE->getArgs(), CCE->getNumArgs()));
14037 }
14038
VisitInitListExpr(const InitListExpr * ILE)14039 void VisitInitListExpr(const InitListExpr *ILE) {
14040 if (!SemaRef.getLangOpts().CPlusPlus11)
14041 return VisitExpr(ILE);
14042
14043 // In C++11, list initializations are sequenced.
14044 SequenceExpressionsInOrder(ILE->inits());
14045 }
14046
VisitCXXParenListInitExpr(const CXXParenListInitExpr * PLIE)14047 void VisitCXXParenListInitExpr(const CXXParenListInitExpr *PLIE) {
14048 // C++20 parenthesized list initializations are sequenced. See C++20
14049 // [decl.init.general]p16.5 and [decl.init.general]p16.6.2.2.
14050 SequenceExpressionsInOrder(PLIE->getInitExprs());
14051 }
14052
14053 private:
SequenceExpressionsInOrder(ArrayRef<const Expr * > ExpressionList)14054 void SequenceExpressionsInOrder(ArrayRef<const Expr *> ExpressionList) {
14055 SmallVector<SequenceTree::Seq, 32> Elts;
14056 SequenceTree::Seq Parent = Region;
14057 for (const Expr *E : ExpressionList) {
14058 if (!E)
14059 continue;
14060 Region = Tree.allocate(Parent);
14061 Elts.push_back(Region);
14062 Visit(E);
14063 }
14064
14065 // Forget that the initializers are sequenced.
14066 Region = Parent;
14067 for (unsigned I = 0; I < Elts.size(); ++I)
14068 Tree.merge(Elts[I]);
14069 }
14070 };
14071
14072 SequenceChecker::UsageInfo::UsageInfo() = default;
14073
14074 } // namespace
14075
CheckUnsequencedOperations(const Expr * E)14076 void Sema::CheckUnsequencedOperations(const Expr *E) {
14077 SmallVector<const Expr *, 8> WorkList;
14078 WorkList.push_back(E);
14079 while (!WorkList.empty()) {
14080 const Expr *Item = WorkList.pop_back_val();
14081 SequenceChecker(*this, Item, WorkList);
14082 }
14083 }
14084
CheckCompletedExpr(Expr * E,SourceLocation CheckLoc,bool IsConstexpr)14085 void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc,
14086 bool IsConstexpr) {
14087 llvm::SaveAndRestore ConstantContext(isConstantEvaluatedOverride,
14088 IsConstexpr || isa<ConstantExpr>(E));
14089 CheckImplicitConversions(E, CheckLoc);
14090 if (!E->isInstantiationDependent())
14091 CheckUnsequencedOperations(E);
14092 if (!IsConstexpr && !E->isValueDependent())
14093 CheckForIntOverflow(E);
14094 DiagnoseMisalignedMembers();
14095 }
14096
CheckBitFieldInitialization(SourceLocation InitLoc,FieldDecl * BitField,Expr * Init)14097 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc,
14098 FieldDecl *BitField,
14099 Expr *Init) {
14100 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc);
14101 }
14102
diagnoseArrayStarInParamType(Sema & S,QualType PType,SourceLocation Loc)14103 static void diagnoseArrayStarInParamType(Sema &S, QualType PType,
14104 SourceLocation Loc) {
14105 if (!PType->isVariablyModifiedType())
14106 return;
14107 if (const auto *PointerTy = dyn_cast<PointerType>(PType)) {
14108 diagnoseArrayStarInParamType(S, PointerTy->getPointeeType(), Loc);
14109 return;
14110 }
14111 if (const auto *ReferenceTy = dyn_cast<ReferenceType>(PType)) {
14112 diagnoseArrayStarInParamType(S, ReferenceTy->getPointeeType(), Loc);
14113 return;
14114 }
14115 if (const auto *ParenTy = dyn_cast<ParenType>(PType)) {
14116 diagnoseArrayStarInParamType(S, ParenTy->getInnerType(), Loc);
14117 return;
14118 }
14119
14120 const ArrayType *AT = S.Context.getAsArrayType(PType);
14121 if (!AT)
14122 return;
14123
14124 if (AT->getSizeModifier() != ArraySizeModifier::Star) {
14125 diagnoseArrayStarInParamType(S, AT->getElementType(), Loc);
14126 return;
14127 }
14128
14129 S.Diag(Loc, diag::err_array_star_in_function_definition);
14130 }
14131
CheckParmsForFunctionDef(ArrayRef<ParmVarDecl * > Parameters,bool CheckParameterNames)14132 bool Sema::CheckParmsForFunctionDef(ArrayRef<ParmVarDecl *> Parameters,
14133 bool CheckParameterNames) {
14134 bool HasInvalidParm = false;
14135 for (ParmVarDecl *Param : Parameters) {
14136 assert(Param && "null in a parameter list");
14137 // C99 6.7.5.3p4: the parameters in a parameter type list in a
14138 // function declarator that is part of a function definition of
14139 // that function shall not have incomplete type.
14140 //
14141 // C++23 [dcl.fct.def.general]/p2
14142 // The type of a parameter [...] for a function definition
14143 // shall not be a (possibly cv-qualified) class type that is incomplete
14144 // or abstract within the function body unless the function is deleted.
14145 if (!Param->isInvalidDecl() &&
14146 (RequireCompleteType(Param->getLocation(), Param->getType(),
14147 diag::err_typecheck_decl_incomplete_type) ||
14148 RequireNonAbstractType(Param->getBeginLoc(), Param->getOriginalType(),
14149 diag::err_abstract_type_in_decl,
14150 AbstractParamType))) {
14151 Param->setInvalidDecl();
14152 HasInvalidParm = true;
14153 }
14154
14155 // C99 6.9.1p5: If the declarator includes a parameter type list, the
14156 // declaration of each parameter shall include an identifier.
14157 if (CheckParameterNames && Param->getIdentifier() == nullptr &&
14158 !Param->isImplicit() && !getLangOpts().CPlusPlus) {
14159 // Diagnose this as an extension in C17 and earlier.
14160 if (!getLangOpts().C23)
14161 Diag(Param->getLocation(), diag::ext_parameter_name_omitted_c23);
14162 }
14163
14164 // C99 6.7.5.3p12:
14165 // If the function declarator is not part of a definition of that
14166 // function, parameters may have incomplete type and may use the [*]
14167 // notation in their sequences of declarator specifiers to specify
14168 // variable length array types.
14169 QualType PType = Param->getOriginalType();
14170 // FIXME: This diagnostic should point the '[*]' if source-location
14171 // information is added for it.
14172 diagnoseArrayStarInParamType(*this, PType, Param->getLocation());
14173
14174 // If the parameter is a c++ class type and it has to be destructed in the
14175 // callee function, declare the destructor so that it can be called by the
14176 // callee function. Do not perform any direct access check on the dtor here.
14177 if (!Param->isInvalidDecl()) {
14178 if (CXXRecordDecl *ClassDecl = Param->getType()->getAsCXXRecordDecl()) {
14179 if (!ClassDecl->isInvalidDecl() &&
14180 !ClassDecl->hasIrrelevantDestructor() &&
14181 !ClassDecl->isDependentContext() &&
14182 ClassDecl->isParamDestroyedInCallee()) {
14183 CXXDestructorDecl *Destructor = LookupDestructor(ClassDecl);
14184 MarkFunctionReferenced(Param->getLocation(), Destructor);
14185 DiagnoseUseOfDecl(Destructor, Param->getLocation());
14186 }
14187 }
14188 }
14189
14190 // Parameters with the pass_object_size attribute only need to be marked
14191 // constant at function definitions. Because we lack information about
14192 // whether we're on a declaration or definition when we're instantiating the
14193 // attribute, we need to check for constness here.
14194 if (const auto *Attr = Param->getAttr<PassObjectSizeAttr>())
14195 if (!Param->getType().isConstQualified())
14196 Diag(Param->getLocation(), diag::err_attribute_pointers_only)
14197 << Attr->getSpelling() << 1;
14198
14199 // Check for parameter names shadowing fields from the class.
14200 if (LangOpts.CPlusPlus && !Param->isInvalidDecl()) {
14201 // The owning context for the parameter should be the function, but we
14202 // want to see if this function's declaration context is a record.
14203 DeclContext *DC = Param->getDeclContext();
14204 if (DC && DC->isFunctionOrMethod()) {
14205 if (auto *RD = dyn_cast<CXXRecordDecl>(DC->getParent()))
14206 CheckShadowInheritedFields(Param->getLocation(), Param->getDeclName(),
14207 RD, /*DeclIsField*/ false);
14208 }
14209 }
14210
14211 if (!Param->isInvalidDecl() &&
14212 Param->getOriginalType()->isWebAssemblyTableType()) {
14213 Param->setInvalidDecl();
14214 HasInvalidParm = true;
14215 Diag(Param->getLocation(), diag::err_wasm_table_as_function_parameter);
14216 }
14217 }
14218
14219 return HasInvalidParm;
14220 }
14221
14222 std::optional<std::pair<
14223 CharUnits, CharUnits>> static getBaseAlignmentAndOffsetFromPtr(const Expr
14224 *E,
14225 ASTContext
14226 &Ctx);
14227
14228 /// Compute the alignment and offset of the base class object given the
14229 /// derived-to-base cast expression and the alignment and offset of the derived
14230 /// class object.
14231 static std::pair<CharUnits, CharUnits>
getDerivedToBaseAlignmentAndOffset(const CastExpr * CE,QualType DerivedType,CharUnits BaseAlignment,CharUnits Offset,ASTContext & Ctx)14232 getDerivedToBaseAlignmentAndOffset(const CastExpr *CE, QualType DerivedType,
14233 CharUnits BaseAlignment, CharUnits Offset,
14234 ASTContext &Ctx) {
14235 for (auto PathI = CE->path_begin(), PathE = CE->path_end(); PathI != PathE;
14236 ++PathI) {
14237 const CXXBaseSpecifier *Base = *PathI;
14238 const CXXRecordDecl *BaseDecl = Base->getType()->getAsCXXRecordDecl();
14239 if (Base->isVirtual()) {
14240 // The complete object may have a lower alignment than the non-virtual
14241 // alignment of the base, in which case the base may be misaligned. Choose
14242 // the smaller of the non-virtual alignment and BaseAlignment, which is a
14243 // conservative lower bound of the complete object alignment.
14244 CharUnits NonVirtualAlignment =
14245 Ctx.getASTRecordLayout(BaseDecl).getNonVirtualAlignment();
14246 BaseAlignment = std::min(BaseAlignment, NonVirtualAlignment);
14247 Offset = CharUnits::Zero();
14248 } else {
14249 const ASTRecordLayout &RL =
14250 Ctx.getASTRecordLayout(DerivedType->getAsCXXRecordDecl());
14251 Offset += RL.getBaseClassOffset(BaseDecl);
14252 }
14253 DerivedType = Base->getType();
14254 }
14255
14256 return std::make_pair(BaseAlignment, Offset);
14257 }
14258
14259 /// Compute the alignment and offset of a binary additive operator.
14260 static std::optional<std::pair<CharUnits, CharUnits>>
getAlignmentAndOffsetFromBinAddOrSub(const Expr * PtrE,const Expr * IntE,bool IsSub,ASTContext & Ctx)14261 getAlignmentAndOffsetFromBinAddOrSub(const Expr *PtrE, const Expr *IntE,
14262 bool IsSub, ASTContext &Ctx) {
14263 QualType PointeeType = PtrE->getType()->getPointeeType();
14264
14265 if (!PointeeType->isConstantSizeType())
14266 return std::nullopt;
14267
14268 auto P = getBaseAlignmentAndOffsetFromPtr(PtrE, Ctx);
14269
14270 if (!P)
14271 return std::nullopt;
14272
14273 CharUnits EltSize = Ctx.getTypeSizeInChars(PointeeType);
14274 if (std::optional<llvm::APSInt> IdxRes = IntE->getIntegerConstantExpr(Ctx)) {
14275 CharUnits Offset = EltSize * IdxRes->getExtValue();
14276 if (IsSub)
14277 Offset = -Offset;
14278 return std::make_pair(P->first, P->second + Offset);
14279 }
14280
14281 // If the integer expression isn't a constant expression, compute the lower
14282 // bound of the alignment using the alignment and offset of the pointer
14283 // expression and the element size.
14284 return std::make_pair(
14285 P->first.alignmentAtOffset(P->second).alignmentAtOffset(EltSize),
14286 CharUnits::Zero());
14287 }
14288
14289 /// This helper function takes an lvalue expression and returns the alignment of
14290 /// a VarDecl and a constant offset from the VarDecl.
14291 std::optional<std::pair<
14292 CharUnits,
getBaseAlignmentAndOffsetFromLValue(const Expr * E,ASTContext & Ctx)14293 CharUnits>> static getBaseAlignmentAndOffsetFromLValue(const Expr *E,
14294 ASTContext &Ctx) {
14295 E = E->IgnoreParens();
14296 switch (E->getStmtClass()) {
14297 default:
14298 break;
14299 case Stmt::CStyleCastExprClass:
14300 case Stmt::CXXStaticCastExprClass:
14301 case Stmt::ImplicitCastExprClass: {
14302 auto *CE = cast<CastExpr>(E);
14303 const Expr *From = CE->getSubExpr();
14304 switch (CE->getCastKind()) {
14305 default:
14306 break;
14307 case CK_NoOp:
14308 return getBaseAlignmentAndOffsetFromLValue(From, Ctx);
14309 case CK_UncheckedDerivedToBase:
14310 case CK_DerivedToBase: {
14311 auto P = getBaseAlignmentAndOffsetFromLValue(From, Ctx);
14312 if (!P)
14313 break;
14314 return getDerivedToBaseAlignmentAndOffset(CE, From->getType(), P->first,
14315 P->second, Ctx);
14316 }
14317 }
14318 break;
14319 }
14320 case Stmt::ArraySubscriptExprClass: {
14321 auto *ASE = cast<ArraySubscriptExpr>(E);
14322 return getAlignmentAndOffsetFromBinAddOrSub(ASE->getBase(), ASE->getIdx(),
14323 false, Ctx);
14324 }
14325 case Stmt::DeclRefExprClass: {
14326 if (auto *VD = dyn_cast<VarDecl>(cast<DeclRefExpr>(E)->getDecl())) {
14327 // FIXME: If VD is captured by copy or is an escaping __block variable,
14328 // use the alignment of VD's type.
14329 if (!VD->getType()->isReferenceType()) {
14330 // Dependent alignment cannot be resolved -> bail out.
14331 if (VD->hasDependentAlignment())
14332 break;
14333 return std::make_pair(Ctx.getDeclAlign(VD), CharUnits::Zero());
14334 }
14335 if (VD->hasInit())
14336 return getBaseAlignmentAndOffsetFromLValue(VD->getInit(), Ctx);
14337 }
14338 break;
14339 }
14340 case Stmt::MemberExprClass: {
14341 auto *ME = cast<MemberExpr>(E);
14342 auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl());
14343 if (!FD || FD->getType()->isReferenceType() ||
14344 FD->getParent()->isInvalidDecl())
14345 break;
14346 std::optional<std::pair<CharUnits, CharUnits>> P;
14347 if (ME->isArrow())
14348 P = getBaseAlignmentAndOffsetFromPtr(ME->getBase(), Ctx);
14349 else
14350 P = getBaseAlignmentAndOffsetFromLValue(ME->getBase(), Ctx);
14351 if (!P)
14352 break;
14353 const ASTRecordLayout &Layout = Ctx.getASTRecordLayout(FD->getParent());
14354 uint64_t Offset = Layout.getFieldOffset(FD->getFieldIndex());
14355 return std::make_pair(P->first,
14356 P->second + CharUnits::fromQuantity(Offset));
14357 }
14358 case Stmt::UnaryOperatorClass: {
14359 auto *UO = cast<UnaryOperator>(E);
14360 switch (UO->getOpcode()) {
14361 default:
14362 break;
14363 case UO_Deref:
14364 return getBaseAlignmentAndOffsetFromPtr(UO->getSubExpr(), Ctx);
14365 }
14366 break;
14367 }
14368 case Stmt::BinaryOperatorClass: {
14369 auto *BO = cast<BinaryOperator>(E);
14370 auto Opcode = BO->getOpcode();
14371 switch (Opcode) {
14372 default:
14373 break;
14374 case BO_Comma:
14375 return getBaseAlignmentAndOffsetFromLValue(BO->getRHS(), Ctx);
14376 }
14377 break;
14378 }
14379 }
14380 return std::nullopt;
14381 }
14382
14383 /// This helper function takes a pointer expression and returns the alignment of
14384 /// a VarDecl and a constant offset from the VarDecl.
14385 std::optional<std::pair<
getBaseAlignmentAndOffsetFromPtr(const Expr * E,ASTContext & Ctx)14386 CharUnits, CharUnits>> static getBaseAlignmentAndOffsetFromPtr(const Expr
14387 *E,
14388 ASTContext
14389 &Ctx) {
14390 E = E->IgnoreParens();
14391 switch (E->getStmtClass()) {
14392 default:
14393 break;
14394 case Stmt::CStyleCastExprClass:
14395 case Stmt::CXXStaticCastExprClass:
14396 case Stmt::ImplicitCastExprClass: {
14397 auto *CE = cast<CastExpr>(E);
14398 const Expr *From = CE->getSubExpr();
14399 switch (CE->getCastKind()) {
14400 default:
14401 break;
14402 case CK_NoOp:
14403 return getBaseAlignmentAndOffsetFromPtr(From, Ctx);
14404 case CK_ArrayToPointerDecay:
14405 return getBaseAlignmentAndOffsetFromLValue(From, Ctx);
14406 case CK_UncheckedDerivedToBase:
14407 case CK_DerivedToBase: {
14408 auto P = getBaseAlignmentAndOffsetFromPtr(From, Ctx);
14409 if (!P)
14410 break;
14411 return getDerivedToBaseAlignmentAndOffset(
14412 CE, From->getType()->getPointeeType(), P->first, P->second, Ctx);
14413 }
14414 }
14415 break;
14416 }
14417 case Stmt::CXXThisExprClass: {
14418 auto *RD = E->getType()->getPointeeType()->getAsCXXRecordDecl();
14419 CharUnits Alignment = Ctx.getASTRecordLayout(RD).getNonVirtualAlignment();
14420 return std::make_pair(Alignment, CharUnits::Zero());
14421 }
14422 case Stmt::UnaryOperatorClass: {
14423 auto *UO = cast<UnaryOperator>(E);
14424 if (UO->getOpcode() == UO_AddrOf)
14425 return getBaseAlignmentAndOffsetFromLValue(UO->getSubExpr(), Ctx);
14426 break;
14427 }
14428 case Stmt::BinaryOperatorClass: {
14429 auto *BO = cast<BinaryOperator>(E);
14430 auto Opcode = BO->getOpcode();
14431 switch (Opcode) {
14432 default:
14433 break;
14434 case BO_Add:
14435 case BO_Sub: {
14436 const Expr *LHS = BO->getLHS(), *RHS = BO->getRHS();
14437 if (Opcode == BO_Add && !RHS->getType()->isIntegralOrEnumerationType())
14438 std::swap(LHS, RHS);
14439 return getAlignmentAndOffsetFromBinAddOrSub(LHS, RHS, Opcode == BO_Sub,
14440 Ctx);
14441 }
14442 case BO_Comma:
14443 return getBaseAlignmentAndOffsetFromPtr(BO->getRHS(), Ctx);
14444 }
14445 break;
14446 }
14447 }
14448 return std::nullopt;
14449 }
14450
getPresumedAlignmentOfPointer(const Expr * E,Sema & S)14451 static CharUnits getPresumedAlignmentOfPointer(const Expr *E, Sema &S) {
14452 // See if we can compute the alignment of a VarDecl and an offset from it.
14453 std::optional<std::pair<CharUnits, CharUnits>> P =
14454 getBaseAlignmentAndOffsetFromPtr(E, S.Context);
14455
14456 if (P)
14457 return P->first.alignmentAtOffset(P->second);
14458
14459 // If that failed, return the type's alignment.
14460 return S.Context.getTypeAlignInChars(E->getType()->getPointeeType());
14461 }
14462
CheckCastAlign(Expr * Op,QualType T,SourceRange TRange)14463 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) {
14464 // This is actually a lot of work to potentially be doing on every
14465 // cast; don't do it if we're ignoring -Wcast_align (as is the default).
14466 if (getDiagnostics().isIgnored(diag::warn_cast_align, TRange.getBegin()))
14467 return;
14468
14469 // Ignore dependent types.
14470 if (T->isDependentType() || Op->getType()->isDependentType())
14471 return;
14472
14473 // Require that the destination be a pointer type.
14474 const PointerType *DestPtr = T->getAs<PointerType>();
14475 if (!DestPtr) return;
14476
14477 // If the destination has alignment 1, we're done.
14478 QualType DestPointee = DestPtr->getPointeeType();
14479 if (DestPointee->isIncompleteType()) return;
14480 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee);
14481 if (DestAlign.isOne()) return;
14482
14483 // Require that the source be a pointer type.
14484 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>();
14485 if (!SrcPtr) return;
14486 QualType SrcPointee = SrcPtr->getPointeeType();
14487
14488 // Explicitly allow casts from cv void*. We already implicitly
14489 // allowed casts to cv void*, since they have alignment 1.
14490 // Also allow casts involving incomplete types, which implicitly
14491 // includes 'void'.
14492 if (SrcPointee->isIncompleteType()) return;
14493
14494 CharUnits SrcAlign = getPresumedAlignmentOfPointer(Op, *this);
14495
14496 if (SrcAlign >= DestAlign) return;
14497
14498 Diag(TRange.getBegin(), diag::warn_cast_align)
14499 << Op->getType() << T
14500 << static_cast<unsigned>(SrcAlign.getQuantity())
14501 << static_cast<unsigned>(DestAlign.getQuantity())
14502 << TRange << Op->getSourceRange();
14503 }
14504
CheckArrayAccess(const Expr * BaseExpr,const Expr * IndexExpr,const ArraySubscriptExpr * ASE,bool AllowOnePastEnd,bool IndexNegated)14505 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
14506 const ArraySubscriptExpr *ASE,
14507 bool AllowOnePastEnd, bool IndexNegated) {
14508 // Already diagnosed by the constant evaluator.
14509 if (isConstantEvaluatedContext())
14510 return;
14511
14512 IndexExpr = IndexExpr->IgnoreParenImpCasts();
14513 if (IndexExpr->isValueDependent())
14514 return;
14515
14516 const Type *EffectiveType =
14517 BaseExpr->getType()->getPointeeOrArrayElementType();
14518 BaseExpr = BaseExpr->IgnoreParenCasts();
14519 const ConstantArrayType *ArrayTy =
14520 Context.getAsConstantArrayType(BaseExpr->getType());
14521
14522 LangOptions::StrictFlexArraysLevelKind
14523 StrictFlexArraysLevel = getLangOpts().getStrictFlexArraysLevel();
14524
14525 const Type *BaseType =
14526 ArrayTy == nullptr ? nullptr : ArrayTy->getElementType().getTypePtr();
14527 bool IsUnboundedArray =
14528 BaseType == nullptr || BaseExpr->isFlexibleArrayMemberLike(
14529 Context, StrictFlexArraysLevel,
14530 /*IgnoreTemplateOrMacroSubstitution=*/true);
14531 if (EffectiveType->isDependentType() ||
14532 (!IsUnboundedArray && BaseType->isDependentType()))
14533 return;
14534
14535 Expr::EvalResult Result;
14536 if (!IndexExpr->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects))
14537 return;
14538
14539 llvm::APSInt index = Result.Val.getInt();
14540 if (IndexNegated) {
14541 index.setIsUnsigned(false);
14542 index = -index;
14543 }
14544
14545 if (IsUnboundedArray) {
14546 if (EffectiveType->isFunctionType())
14547 return;
14548 if (index.isUnsigned() || !index.isNegative()) {
14549 const auto &ASTC = getASTContext();
14550 unsigned AddrBits = ASTC.getTargetInfo().getPointerWidth(
14551 EffectiveType->getCanonicalTypeInternal().getAddressSpace());
14552 if (index.getBitWidth() < AddrBits)
14553 index = index.zext(AddrBits);
14554 std::optional<CharUnits> ElemCharUnits =
14555 ASTC.getTypeSizeInCharsIfKnown(EffectiveType);
14556 // PR50741 - If EffectiveType has unknown size (e.g., if it's a void
14557 // pointer) bounds-checking isn't meaningful.
14558 if (!ElemCharUnits || ElemCharUnits->isZero())
14559 return;
14560 llvm::APInt ElemBytes(index.getBitWidth(), ElemCharUnits->getQuantity());
14561 // If index has more active bits than address space, we already know
14562 // we have a bounds violation to warn about. Otherwise, compute
14563 // address of (index + 1)th element, and warn about bounds violation
14564 // only if that address exceeds address space.
14565 if (index.getActiveBits() <= AddrBits) {
14566 bool Overflow;
14567 llvm::APInt Product(index);
14568 Product += 1;
14569 Product = Product.umul_ov(ElemBytes, Overflow);
14570 if (!Overflow && Product.getActiveBits() <= AddrBits)
14571 return;
14572 }
14573
14574 // Need to compute max possible elements in address space, since that
14575 // is included in diag message.
14576 llvm::APInt MaxElems = llvm::APInt::getMaxValue(AddrBits);
14577 MaxElems = MaxElems.zext(std::max(AddrBits + 1, ElemBytes.getBitWidth()));
14578 MaxElems += 1;
14579 ElemBytes = ElemBytes.zextOrTrunc(MaxElems.getBitWidth());
14580 MaxElems = MaxElems.udiv(ElemBytes);
14581
14582 unsigned DiagID =
14583 ASE ? diag::warn_array_index_exceeds_max_addressable_bounds
14584 : diag::warn_ptr_arith_exceeds_max_addressable_bounds;
14585
14586 // Diag message shows element size in bits and in "bytes" (platform-
14587 // dependent CharUnits)
14588 DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
14589 PDiag(DiagID)
14590 << toString(index, 10, true) << AddrBits
14591 << (unsigned)ASTC.toBits(*ElemCharUnits)
14592 << toString(ElemBytes, 10, false)
14593 << toString(MaxElems, 10, false)
14594 << (unsigned)MaxElems.getLimitedValue(~0U)
14595 << IndexExpr->getSourceRange());
14596
14597 const NamedDecl *ND = nullptr;
14598 // Try harder to find a NamedDecl to point at in the note.
14599 while (const auto *ASE = dyn_cast<ArraySubscriptExpr>(BaseExpr))
14600 BaseExpr = ASE->getBase()->IgnoreParenCasts();
14601 if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
14602 ND = DRE->getDecl();
14603 if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
14604 ND = ME->getMemberDecl();
14605
14606 if (ND)
14607 DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
14608 PDiag(diag::note_array_declared_here) << ND);
14609 }
14610 return;
14611 }
14612
14613 if (index.isUnsigned() || !index.isNegative()) {
14614 // It is possible that the type of the base expression after
14615 // IgnoreParenCasts is incomplete, even though the type of the base
14616 // expression before IgnoreParenCasts is complete (see PR39746 for an
14617 // example). In this case we have no information about whether the array
14618 // access exceeds the array bounds. However we can still diagnose an array
14619 // access which precedes the array bounds.
14620 if (BaseType->isIncompleteType())
14621 return;
14622
14623 llvm::APInt size = ArrayTy->getSize();
14624
14625 if (BaseType != EffectiveType) {
14626 // Make sure we're comparing apples to apples when comparing index to
14627 // size.
14628 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType);
14629 uint64_t array_typesize = Context.getTypeSize(BaseType);
14630
14631 // Handle ptrarith_typesize being zero, such as when casting to void*.
14632 // Use the size in bits (what "getTypeSize()" returns) rather than bytes.
14633 if (!ptrarith_typesize)
14634 ptrarith_typesize = Context.getCharWidth();
14635
14636 if (ptrarith_typesize != array_typesize) {
14637 // There's a cast to a different size type involved.
14638 uint64_t ratio = array_typesize / ptrarith_typesize;
14639
14640 // TODO: Be smarter about handling cases where array_typesize is not a
14641 // multiple of ptrarith_typesize.
14642 if (ptrarith_typesize * ratio == array_typesize)
14643 size *= llvm::APInt(size.getBitWidth(), ratio);
14644 }
14645 }
14646
14647 if (size.getBitWidth() > index.getBitWidth())
14648 index = index.zext(size.getBitWidth());
14649 else if (size.getBitWidth() < index.getBitWidth())
14650 size = size.zext(index.getBitWidth());
14651
14652 // For array subscripting the index must be less than size, but for pointer
14653 // arithmetic also allow the index (offset) to be equal to size since
14654 // computing the next address after the end of the array is legal and
14655 // commonly done e.g. in C++ iterators and range-based for loops.
14656 if (AllowOnePastEnd ? index.ule(size) : index.ult(size))
14657 return;
14658
14659 // Suppress the warning if the subscript expression (as identified by the
14660 // ']' location) and the index expression are both from macro expansions
14661 // within a system header.
14662 if (ASE) {
14663 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc(
14664 ASE->getRBracketLoc());
14665 if (SourceMgr.isInSystemHeader(RBracketLoc)) {
14666 SourceLocation IndexLoc =
14667 SourceMgr.getSpellingLoc(IndexExpr->getBeginLoc());
14668 if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc))
14669 return;
14670 }
14671 }
14672
14673 unsigned DiagID = ASE ? diag::warn_array_index_exceeds_bounds
14674 : diag::warn_ptr_arith_exceeds_bounds;
14675 unsigned CastMsg = (!ASE || BaseType == EffectiveType) ? 0 : 1;
14676 QualType CastMsgTy = ASE ? ASE->getLHS()->getType() : QualType();
14677
14678 DiagRuntimeBehavior(
14679 BaseExpr->getBeginLoc(), BaseExpr,
14680 PDiag(DiagID) << toString(index, 10, true) << ArrayTy->desugar()
14681 << CastMsg << CastMsgTy << IndexExpr->getSourceRange());
14682 } else {
14683 unsigned DiagID = diag::warn_array_index_precedes_bounds;
14684 if (!ASE) {
14685 DiagID = diag::warn_ptr_arith_precedes_bounds;
14686 if (index.isNegative()) index = -index;
14687 }
14688
14689 DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
14690 PDiag(DiagID) << toString(index, 10, true)
14691 << IndexExpr->getSourceRange());
14692 }
14693
14694 const NamedDecl *ND = nullptr;
14695 // Try harder to find a NamedDecl to point at in the note.
14696 while (const auto *ASE = dyn_cast<ArraySubscriptExpr>(BaseExpr))
14697 BaseExpr = ASE->getBase()->IgnoreParenCasts();
14698 if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
14699 ND = DRE->getDecl();
14700 if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
14701 ND = ME->getMemberDecl();
14702
14703 if (ND)
14704 DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
14705 PDiag(diag::note_array_declared_here) << ND);
14706 }
14707
CheckArrayAccess(const Expr * expr)14708 void Sema::CheckArrayAccess(const Expr *expr) {
14709 int AllowOnePastEnd = 0;
14710 while (expr) {
14711 expr = expr->IgnoreParenImpCasts();
14712 switch (expr->getStmtClass()) {
14713 case Stmt::ArraySubscriptExprClass: {
14714 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr);
14715 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE,
14716 AllowOnePastEnd > 0);
14717 expr = ASE->getBase();
14718 break;
14719 }
14720 case Stmt::MemberExprClass: {
14721 expr = cast<MemberExpr>(expr)->getBase();
14722 break;
14723 }
14724 case Stmt::ArraySectionExprClass: {
14725 const ArraySectionExpr *ASE = cast<ArraySectionExpr>(expr);
14726 // FIXME: We should probably be checking all of the elements to the
14727 // 'length' here as well.
14728 if (ASE->getLowerBound())
14729 CheckArrayAccess(ASE->getBase(), ASE->getLowerBound(),
14730 /*ASE=*/nullptr, AllowOnePastEnd > 0);
14731 return;
14732 }
14733 case Stmt::UnaryOperatorClass: {
14734 // Only unwrap the * and & unary operators
14735 const UnaryOperator *UO = cast<UnaryOperator>(expr);
14736 expr = UO->getSubExpr();
14737 switch (UO->getOpcode()) {
14738 case UO_AddrOf:
14739 AllowOnePastEnd++;
14740 break;
14741 case UO_Deref:
14742 AllowOnePastEnd--;
14743 break;
14744 default:
14745 return;
14746 }
14747 break;
14748 }
14749 case Stmt::ConditionalOperatorClass: {
14750 const ConditionalOperator *cond = cast<ConditionalOperator>(expr);
14751 if (const Expr *lhs = cond->getLHS())
14752 CheckArrayAccess(lhs);
14753 if (const Expr *rhs = cond->getRHS())
14754 CheckArrayAccess(rhs);
14755 return;
14756 }
14757 case Stmt::CXXOperatorCallExprClass: {
14758 const auto *OCE = cast<CXXOperatorCallExpr>(expr);
14759 for (const auto *Arg : OCE->arguments())
14760 CheckArrayAccess(Arg);
14761 return;
14762 }
14763 default:
14764 return;
14765 }
14766 }
14767 }
14768
checkUnsafeAssignLiteral(Sema & S,SourceLocation Loc,Expr * RHS,bool isProperty)14769 static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc,
14770 Expr *RHS, bool isProperty) {
14771 // Check if RHS is an Objective-C object literal, which also can get
14772 // immediately zapped in a weak reference. Note that we explicitly
14773 // allow ObjCStringLiterals, since those are designed to never really die.
14774 RHS = RHS->IgnoreParenImpCasts();
14775
14776 // This enum needs to match with the 'select' in
14777 // warn_objc_arc_literal_assign (off-by-1).
14778 SemaObjC::ObjCLiteralKind Kind = S.ObjC().CheckLiteralKind(RHS);
14779 if (Kind == SemaObjC::LK_String || Kind == SemaObjC::LK_None)
14780 return false;
14781
14782 S.Diag(Loc, diag::warn_arc_literal_assign)
14783 << (unsigned) Kind
14784 << (isProperty ? 0 : 1)
14785 << RHS->getSourceRange();
14786
14787 return true;
14788 }
14789
checkUnsafeAssignObject(Sema & S,SourceLocation Loc,Qualifiers::ObjCLifetime LT,Expr * RHS,bool isProperty)14790 static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc,
14791 Qualifiers::ObjCLifetime LT,
14792 Expr *RHS, bool isProperty) {
14793 // Strip off any implicit cast added to get to the one ARC-specific.
14794 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) {
14795 if (cast->getCastKind() == CK_ARCConsumeObject) {
14796 S.Diag(Loc, diag::warn_arc_retained_assign)
14797 << (LT == Qualifiers::OCL_ExplicitNone)
14798 << (isProperty ? 0 : 1)
14799 << RHS->getSourceRange();
14800 return true;
14801 }
14802 RHS = cast->getSubExpr();
14803 }
14804
14805 if (LT == Qualifiers::OCL_Weak &&
14806 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty))
14807 return true;
14808
14809 return false;
14810 }
14811
checkUnsafeAssigns(SourceLocation Loc,QualType LHS,Expr * RHS)14812 bool Sema::checkUnsafeAssigns(SourceLocation Loc,
14813 QualType LHS, Expr *RHS) {
14814 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime();
14815
14816 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone)
14817 return false;
14818
14819 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false))
14820 return true;
14821
14822 return false;
14823 }
14824
checkUnsafeExprAssigns(SourceLocation Loc,Expr * LHS,Expr * RHS)14825 void Sema::checkUnsafeExprAssigns(SourceLocation Loc,
14826 Expr *LHS, Expr *RHS) {
14827 QualType LHSType;
14828 // PropertyRef on LHS type need be directly obtained from
14829 // its declaration as it has a PseudoType.
14830 ObjCPropertyRefExpr *PRE
14831 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens());
14832 if (PRE && !PRE->isImplicitProperty()) {
14833 const ObjCPropertyDecl *PD = PRE->getExplicitProperty();
14834 if (PD)
14835 LHSType = PD->getType();
14836 }
14837
14838 if (LHSType.isNull())
14839 LHSType = LHS->getType();
14840
14841 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime();
14842
14843 if (LT == Qualifiers::OCL_Weak) {
14844 if (!Diags.isIgnored(diag::warn_arc_repeated_use_of_weak, Loc))
14845 getCurFunction()->markSafeWeakUse(LHS);
14846 }
14847
14848 if (checkUnsafeAssigns(Loc, LHSType, RHS))
14849 return;
14850
14851 // FIXME. Check for other life times.
14852 if (LT != Qualifiers::OCL_None)
14853 return;
14854
14855 if (PRE) {
14856 if (PRE->isImplicitProperty())
14857 return;
14858 const ObjCPropertyDecl *PD = PRE->getExplicitProperty();
14859 if (!PD)
14860 return;
14861
14862 unsigned Attributes = PD->getPropertyAttributes();
14863 if (Attributes & ObjCPropertyAttribute::kind_assign) {
14864 // when 'assign' attribute was not explicitly specified
14865 // by user, ignore it and rely on property type itself
14866 // for lifetime info.
14867 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten();
14868 if (!(AsWrittenAttr & ObjCPropertyAttribute::kind_assign) &&
14869 LHSType->isObjCRetainableType())
14870 return;
14871
14872 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) {
14873 if (cast->getCastKind() == CK_ARCConsumeObject) {
14874 Diag(Loc, diag::warn_arc_retained_property_assign)
14875 << RHS->getSourceRange();
14876 return;
14877 }
14878 RHS = cast->getSubExpr();
14879 }
14880 } else if (Attributes & ObjCPropertyAttribute::kind_weak) {
14881 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true))
14882 return;
14883 }
14884 }
14885 }
14886
14887 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===//
14888
ShouldDiagnoseEmptyStmtBody(const SourceManager & SourceMgr,SourceLocation StmtLoc,const NullStmt * Body)14889 static bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr,
14890 SourceLocation StmtLoc,
14891 const NullStmt *Body) {
14892 // Do not warn if the body is a macro that expands to nothing, e.g:
14893 //
14894 // #define CALL(x)
14895 // if (condition)
14896 // CALL(0);
14897 if (Body->hasLeadingEmptyMacro())
14898 return false;
14899
14900 // Get line numbers of statement and body.
14901 bool StmtLineInvalid;
14902 unsigned StmtLine = SourceMgr.getPresumedLineNumber(StmtLoc,
14903 &StmtLineInvalid);
14904 if (StmtLineInvalid)
14905 return false;
14906
14907 bool BodyLineInvalid;
14908 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(),
14909 &BodyLineInvalid);
14910 if (BodyLineInvalid)
14911 return false;
14912
14913 // Warn if null statement and body are on the same line.
14914 if (StmtLine != BodyLine)
14915 return false;
14916
14917 return true;
14918 }
14919
DiagnoseEmptyStmtBody(SourceLocation StmtLoc,const Stmt * Body,unsigned DiagID)14920 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc,
14921 const Stmt *Body,
14922 unsigned DiagID) {
14923 // Since this is a syntactic check, don't emit diagnostic for template
14924 // instantiations, this just adds noise.
14925 if (CurrentInstantiationScope)
14926 return;
14927
14928 // The body should be a null statement.
14929 const NullStmt *NBody = dyn_cast<NullStmt>(Body);
14930 if (!NBody)
14931 return;
14932
14933 // Do the usual checks.
14934 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody))
14935 return;
14936
14937 Diag(NBody->getSemiLoc(), DiagID);
14938 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line);
14939 }
14940
DiagnoseEmptyLoopBody(const Stmt * S,const Stmt * PossibleBody)14941 void Sema::DiagnoseEmptyLoopBody(const Stmt *S,
14942 const Stmt *PossibleBody) {
14943 assert(!CurrentInstantiationScope); // Ensured by caller
14944
14945 SourceLocation StmtLoc;
14946 const Stmt *Body;
14947 unsigned DiagID;
14948 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) {
14949 StmtLoc = FS->getRParenLoc();
14950 Body = FS->getBody();
14951 DiagID = diag::warn_empty_for_body;
14952 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) {
14953 StmtLoc = WS->getRParenLoc();
14954 Body = WS->getBody();
14955 DiagID = diag::warn_empty_while_body;
14956 } else
14957 return; // Neither `for' nor `while'.
14958
14959 // The body should be a null statement.
14960 const NullStmt *NBody = dyn_cast<NullStmt>(Body);
14961 if (!NBody)
14962 return;
14963
14964 // Skip expensive checks if diagnostic is disabled.
14965 if (Diags.isIgnored(DiagID, NBody->getSemiLoc()))
14966 return;
14967
14968 // Do the usual checks.
14969 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody))
14970 return;
14971
14972 // `for(...);' and `while(...);' are popular idioms, so in order to keep
14973 // noise level low, emit diagnostics only if for/while is followed by a
14974 // CompoundStmt, e.g.:
14975 // for (int i = 0; i < n; i++);
14976 // {
14977 // a(i);
14978 // }
14979 // or if for/while is followed by a statement with more indentation
14980 // than for/while itself:
14981 // for (int i = 0; i < n; i++);
14982 // a(i);
14983 bool ProbableTypo = isa<CompoundStmt>(PossibleBody);
14984 if (!ProbableTypo) {
14985 bool BodyColInvalid;
14986 unsigned BodyCol = SourceMgr.getPresumedColumnNumber(
14987 PossibleBody->getBeginLoc(), &BodyColInvalid);
14988 if (BodyColInvalid)
14989 return;
14990
14991 bool StmtColInvalid;
14992 unsigned StmtCol =
14993 SourceMgr.getPresumedColumnNumber(S->getBeginLoc(), &StmtColInvalid);
14994 if (StmtColInvalid)
14995 return;
14996
14997 if (BodyCol > StmtCol)
14998 ProbableTypo = true;
14999 }
15000
15001 if (ProbableTypo) {
15002 Diag(NBody->getSemiLoc(), DiagID);
15003 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line);
15004 }
15005 }
15006
15007 //===--- CHECK: Warn on self move with std::move. -------------------------===//
15008
DiagnoseSelfMove(const Expr * LHSExpr,const Expr * RHSExpr,SourceLocation OpLoc)15009 void Sema::DiagnoseSelfMove(const Expr *LHSExpr, const Expr *RHSExpr,
15010 SourceLocation OpLoc) {
15011 if (Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess, OpLoc))
15012 return;
15013
15014 if (inTemplateInstantiation())
15015 return;
15016
15017 // Strip parens and casts away.
15018 LHSExpr = LHSExpr->IgnoreParenImpCasts();
15019 RHSExpr = RHSExpr->IgnoreParenImpCasts();
15020
15021 // Check for a call to std::move or for a static_cast<T&&>(..) to an xvalue
15022 // which we can treat as an inlined std::move
15023 if (const auto *CE = dyn_cast<CallExpr>(RHSExpr);
15024 CE && CE->getNumArgs() == 1 && CE->isCallToStdMove())
15025 RHSExpr = CE->getArg(0);
15026 else if (const auto *CXXSCE = dyn_cast<CXXStaticCastExpr>(RHSExpr);
15027 CXXSCE && CXXSCE->isXValue())
15028 RHSExpr = CXXSCE->getSubExpr();
15029 else
15030 return;
15031
15032 const DeclRefExpr *LHSDeclRef = dyn_cast<DeclRefExpr>(LHSExpr);
15033 const DeclRefExpr *RHSDeclRef = dyn_cast<DeclRefExpr>(RHSExpr);
15034
15035 // Two DeclRefExpr's, check that the decls are the same.
15036 if (LHSDeclRef && RHSDeclRef) {
15037 if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl())
15038 return;
15039 if (LHSDeclRef->getDecl()->getCanonicalDecl() !=
15040 RHSDeclRef->getDecl()->getCanonicalDecl())
15041 return;
15042
15043 auto D = Diag(OpLoc, diag::warn_self_move)
15044 << LHSExpr->getType() << LHSExpr->getSourceRange()
15045 << RHSExpr->getSourceRange();
15046 if (const FieldDecl *F =
15047 getSelfAssignmentClassMemberCandidate(RHSDeclRef->getDecl()))
15048 D << 1 << F
15049 << FixItHint::CreateInsertion(LHSDeclRef->getBeginLoc(), "this->");
15050 else
15051 D << 0;
15052 return;
15053 }
15054
15055 // Member variables require a different approach to check for self moves.
15056 // MemberExpr's are the same if every nested MemberExpr refers to the same
15057 // Decl and that the base Expr's are DeclRefExpr's with the same Decl or
15058 // the base Expr's are CXXThisExpr's.
15059 const Expr *LHSBase = LHSExpr;
15060 const Expr *RHSBase = RHSExpr;
15061 const MemberExpr *LHSME = dyn_cast<MemberExpr>(LHSExpr);
15062 const MemberExpr *RHSME = dyn_cast<MemberExpr>(RHSExpr);
15063 if (!LHSME || !RHSME)
15064 return;
15065
15066 while (LHSME && RHSME) {
15067 if (LHSME->getMemberDecl()->getCanonicalDecl() !=
15068 RHSME->getMemberDecl()->getCanonicalDecl())
15069 return;
15070
15071 LHSBase = LHSME->getBase();
15072 RHSBase = RHSME->getBase();
15073 LHSME = dyn_cast<MemberExpr>(LHSBase);
15074 RHSME = dyn_cast<MemberExpr>(RHSBase);
15075 }
15076
15077 LHSDeclRef = dyn_cast<DeclRefExpr>(LHSBase);
15078 RHSDeclRef = dyn_cast<DeclRefExpr>(RHSBase);
15079 if (LHSDeclRef && RHSDeclRef) {
15080 if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl())
15081 return;
15082 if (LHSDeclRef->getDecl()->getCanonicalDecl() !=
15083 RHSDeclRef->getDecl()->getCanonicalDecl())
15084 return;
15085
15086 Diag(OpLoc, diag::warn_self_move)
15087 << LHSExpr->getType() << 0 << LHSExpr->getSourceRange()
15088 << RHSExpr->getSourceRange();
15089 return;
15090 }
15091
15092 if (isa<CXXThisExpr>(LHSBase) && isa<CXXThisExpr>(RHSBase))
15093 Diag(OpLoc, diag::warn_self_move)
15094 << LHSExpr->getType() << 0 << LHSExpr->getSourceRange()
15095 << RHSExpr->getSourceRange();
15096 }
15097
15098 //===--- Layout compatibility ----------------------------------------------//
15099
15100 static bool isLayoutCompatible(const ASTContext &C, QualType T1, QualType T2);
15101
15102 /// Check if two enumeration types are layout-compatible.
isLayoutCompatible(const ASTContext & C,const EnumDecl * ED1,const EnumDecl * ED2)15103 static bool isLayoutCompatible(const ASTContext &C, const EnumDecl *ED1,
15104 const EnumDecl *ED2) {
15105 // C++11 [dcl.enum] p8:
15106 // Two enumeration types are layout-compatible if they have the same
15107 // underlying type.
15108 return ED1->isComplete() && ED2->isComplete() &&
15109 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType());
15110 }
15111
15112 /// Check if two fields are layout-compatible.
15113 /// Can be used on union members, which are exempt from alignment requirement
15114 /// of common initial sequence.
isLayoutCompatible(const ASTContext & C,const FieldDecl * Field1,const FieldDecl * Field2,bool AreUnionMembers=false)15115 static bool isLayoutCompatible(const ASTContext &C, const FieldDecl *Field1,
15116 const FieldDecl *Field2,
15117 bool AreUnionMembers = false) {
15118 [[maybe_unused]] const Type *Field1Parent =
15119 Field1->getParent()->getTypeForDecl();
15120 [[maybe_unused]] const Type *Field2Parent =
15121 Field2->getParent()->getTypeForDecl();
15122 assert(((Field1Parent->isStructureOrClassType() &&
15123 Field2Parent->isStructureOrClassType()) ||
15124 (Field1Parent->isUnionType() && Field2Parent->isUnionType())) &&
15125 "Can't evaluate layout compatibility between a struct field and a "
15126 "union field.");
15127 assert(((!AreUnionMembers && Field1Parent->isStructureOrClassType()) ||
15128 (AreUnionMembers && Field1Parent->isUnionType())) &&
15129 "AreUnionMembers should be 'true' for union fields (only).");
15130
15131 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType()))
15132 return false;
15133
15134 if (Field1->isBitField() != Field2->isBitField())
15135 return false;
15136
15137 if (Field1->isBitField()) {
15138 // Make sure that the bit-fields are the same length.
15139 unsigned Bits1 = Field1->getBitWidthValue();
15140 unsigned Bits2 = Field2->getBitWidthValue();
15141
15142 if (Bits1 != Bits2)
15143 return false;
15144 }
15145
15146 if (Field1->hasAttr<clang::NoUniqueAddressAttr>() ||
15147 Field2->hasAttr<clang::NoUniqueAddressAttr>())
15148 return false;
15149
15150 if (!AreUnionMembers &&
15151 Field1->getMaxAlignment() != Field2->getMaxAlignment())
15152 return false;
15153
15154 return true;
15155 }
15156
15157 /// Check if two standard-layout structs are layout-compatible.
15158 /// (C++11 [class.mem] p17)
isLayoutCompatibleStruct(const ASTContext & C,const RecordDecl * RD1,const RecordDecl * RD2)15159 static bool isLayoutCompatibleStruct(const ASTContext &C, const RecordDecl *RD1,
15160 const RecordDecl *RD2) {
15161 // Get to the class where the fields are declared
15162 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1))
15163 RD1 = D1CXX->getStandardLayoutBaseWithFields();
15164
15165 if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2))
15166 RD2 = D2CXX->getStandardLayoutBaseWithFields();
15167
15168 // Check the fields.
15169 return llvm::equal(RD1->fields(), RD2->fields(),
15170 [&C](const FieldDecl *F1, const FieldDecl *F2) -> bool {
15171 return isLayoutCompatible(C, F1, F2);
15172 });
15173 }
15174
15175 /// Check if two standard-layout unions are layout-compatible.
15176 /// (C++11 [class.mem] p18)
isLayoutCompatibleUnion(const ASTContext & C,const RecordDecl * RD1,const RecordDecl * RD2)15177 static bool isLayoutCompatibleUnion(const ASTContext &C, const RecordDecl *RD1,
15178 const RecordDecl *RD2) {
15179 llvm::SmallPtrSet<const FieldDecl *, 8> UnmatchedFields(llvm::from_range,
15180 RD2->fields());
15181
15182 for (auto *Field1 : RD1->fields()) {
15183 auto I = UnmatchedFields.begin();
15184 auto E = UnmatchedFields.end();
15185
15186 for ( ; I != E; ++I) {
15187 if (isLayoutCompatible(C, Field1, *I, /*IsUnionMember=*/true)) {
15188 bool Result = UnmatchedFields.erase(*I);
15189 (void) Result;
15190 assert(Result);
15191 break;
15192 }
15193 }
15194 if (I == E)
15195 return false;
15196 }
15197
15198 return UnmatchedFields.empty();
15199 }
15200
isLayoutCompatible(const ASTContext & C,const RecordDecl * RD1,const RecordDecl * RD2)15201 static bool isLayoutCompatible(const ASTContext &C, const RecordDecl *RD1,
15202 const RecordDecl *RD2) {
15203 if (RD1->isUnion() != RD2->isUnion())
15204 return false;
15205
15206 if (RD1->isUnion())
15207 return isLayoutCompatibleUnion(C, RD1, RD2);
15208 else
15209 return isLayoutCompatibleStruct(C, RD1, RD2);
15210 }
15211
15212 /// Check if two types are layout-compatible in C++11 sense.
isLayoutCompatible(const ASTContext & C,QualType T1,QualType T2)15213 static bool isLayoutCompatible(const ASTContext &C, QualType T1, QualType T2) {
15214 if (T1.isNull() || T2.isNull())
15215 return false;
15216
15217 // C++20 [basic.types] p11:
15218 // Two types cv1 T1 and cv2 T2 are layout-compatible types
15219 // if T1 and T2 are the same type, layout-compatible enumerations (9.7.1),
15220 // or layout-compatible standard-layout class types (11.4).
15221 T1 = T1.getCanonicalType().getUnqualifiedType();
15222 T2 = T2.getCanonicalType().getUnqualifiedType();
15223
15224 if (C.hasSameType(T1, T2))
15225 return true;
15226
15227 const Type::TypeClass TC1 = T1->getTypeClass();
15228 const Type::TypeClass TC2 = T2->getTypeClass();
15229
15230 if (TC1 != TC2)
15231 return false;
15232
15233 if (TC1 == Type::Enum) {
15234 return isLayoutCompatible(C,
15235 cast<EnumType>(T1)->getDecl(),
15236 cast<EnumType>(T2)->getDecl());
15237 } else if (TC1 == Type::Record) {
15238 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType())
15239 return false;
15240
15241 return isLayoutCompatible(C,
15242 cast<RecordType>(T1)->getDecl(),
15243 cast<RecordType>(T2)->getDecl());
15244 }
15245
15246 return false;
15247 }
15248
IsLayoutCompatible(QualType T1,QualType T2) const15249 bool Sema::IsLayoutCompatible(QualType T1, QualType T2) const {
15250 return isLayoutCompatible(getASTContext(), T1, T2);
15251 }
15252
15253 //===-------------- Pointer interconvertibility ----------------------------//
15254
IsPointerInterconvertibleBaseOf(const TypeSourceInfo * Base,const TypeSourceInfo * Derived)15255 bool Sema::IsPointerInterconvertibleBaseOf(const TypeSourceInfo *Base,
15256 const TypeSourceInfo *Derived) {
15257 QualType BaseT = Base->getType()->getCanonicalTypeUnqualified();
15258 QualType DerivedT = Derived->getType()->getCanonicalTypeUnqualified();
15259
15260 if (BaseT->isStructureOrClassType() && DerivedT->isStructureOrClassType() &&
15261 getASTContext().hasSameType(BaseT, DerivedT))
15262 return true;
15263
15264 if (!IsDerivedFrom(Derived->getTypeLoc().getBeginLoc(), DerivedT, BaseT))
15265 return false;
15266
15267 // Per [basic.compound]/4.3, containing object has to be standard-layout.
15268 if (DerivedT->getAsCXXRecordDecl()->isStandardLayout())
15269 return true;
15270
15271 return false;
15272 }
15273
15274 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----//
15275
15276 /// Given a type tag expression find the type tag itself.
15277 ///
15278 /// \param TypeExpr Type tag expression, as it appears in user's code.
15279 ///
15280 /// \param VD Declaration of an identifier that appears in a type tag.
15281 ///
15282 /// \param MagicValue Type tag magic value.
15283 ///
15284 /// \param isConstantEvaluated whether the evalaution should be performed in
15285
15286 /// constant context.
FindTypeTagExpr(const Expr * TypeExpr,const ASTContext & Ctx,const ValueDecl ** VD,uint64_t * MagicValue,bool isConstantEvaluated)15287 static bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx,
15288 const ValueDecl **VD, uint64_t *MagicValue,
15289 bool isConstantEvaluated) {
15290 while(true) {
15291 if (!TypeExpr)
15292 return false;
15293
15294 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts();
15295
15296 switch (TypeExpr->getStmtClass()) {
15297 case Stmt::UnaryOperatorClass: {
15298 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr);
15299 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) {
15300 TypeExpr = UO->getSubExpr();
15301 continue;
15302 }
15303 return false;
15304 }
15305
15306 case Stmt::DeclRefExprClass: {
15307 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr);
15308 *VD = DRE->getDecl();
15309 return true;
15310 }
15311
15312 case Stmt::IntegerLiteralClass: {
15313 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr);
15314 llvm::APInt MagicValueAPInt = IL->getValue();
15315 if (MagicValueAPInt.getActiveBits() <= 64) {
15316 *MagicValue = MagicValueAPInt.getZExtValue();
15317 return true;
15318 } else
15319 return false;
15320 }
15321
15322 case Stmt::BinaryConditionalOperatorClass:
15323 case Stmt::ConditionalOperatorClass: {
15324 const AbstractConditionalOperator *ACO =
15325 cast<AbstractConditionalOperator>(TypeExpr);
15326 bool Result;
15327 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx,
15328 isConstantEvaluated)) {
15329 if (Result)
15330 TypeExpr = ACO->getTrueExpr();
15331 else
15332 TypeExpr = ACO->getFalseExpr();
15333 continue;
15334 }
15335 return false;
15336 }
15337
15338 case Stmt::BinaryOperatorClass: {
15339 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr);
15340 if (BO->getOpcode() == BO_Comma) {
15341 TypeExpr = BO->getRHS();
15342 continue;
15343 }
15344 return false;
15345 }
15346
15347 default:
15348 return false;
15349 }
15350 }
15351 }
15352
15353 /// Retrieve the C type corresponding to type tag TypeExpr.
15354 ///
15355 /// \param TypeExpr Expression that specifies a type tag.
15356 ///
15357 /// \param MagicValues Registered magic values.
15358 ///
15359 /// \param FoundWrongKind Set to true if a type tag was found, but of a wrong
15360 /// kind.
15361 ///
15362 /// \param TypeInfo Information about the corresponding C type.
15363 ///
15364 /// \param isConstantEvaluated whether the evalaution should be performed in
15365 /// constant context.
15366 ///
15367 /// \returns true if the corresponding C type was found.
GetMatchingCType(const IdentifierInfo * ArgumentKind,const Expr * TypeExpr,const ASTContext & Ctx,const llvm::DenseMap<Sema::TypeTagMagicValue,Sema::TypeTagData> * MagicValues,bool & FoundWrongKind,Sema::TypeTagData & TypeInfo,bool isConstantEvaluated)15368 static bool GetMatchingCType(
15369 const IdentifierInfo *ArgumentKind, const Expr *TypeExpr,
15370 const ASTContext &Ctx,
15371 const llvm::DenseMap<Sema::TypeTagMagicValue, Sema::TypeTagData>
15372 *MagicValues,
15373 bool &FoundWrongKind, Sema::TypeTagData &TypeInfo,
15374 bool isConstantEvaluated) {
15375 FoundWrongKind = false;
15376
15377 // Variable declaration that has type_tag_for_datatype attribute.
15378 const ValueDecl *VD = nullptr;
15379
15380 uint64_t MagicValue;
15381
15382 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue, isConstantEvaluated))
15383 return false;
15384
15385 if (VD) {
15386 if (TypeTagForDatatypeAttr *I = VD->getAttr<TypeTagForDatatypeAttr>()) {
15387 if (I->getArgumentKind() != ArgumentKind) {
15388 FoundWrongKind = true;
15389 return false;
15390 }
15391 TypeInfo.Type = I->getMatchingCType();
15392 TypeInfo.LayoutCompatible = I->getLayoutCompatible();
15393 TypeInfo.MustBeNull = I->getMustBeNull();
15394 return true;
15395 }
15396 return false;
15397 }
15398
15399 if (!MagicValues)
15400 return false;
15401
15402 llvm::DenseMap<Sema::TypeTagMagicValue,
15403 Sema::TypeTagData>::const_iterator I =
15404 MagicValues->find(std::make_pair(ArgumentKind, MagicValue));
15405 if (I == MagicValues->end())
15406 return false;
15407
15408 TypeInfo = I->second;
15409 return true;
15410 }
15411
RegisterTypeTagForDatatype(const IdentifierInfo * ArgumentKind,uint64_t MagicValue,QualType Type,bool LayoutCompatible,bool MustBeNull)15412 void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind,
15413 uint64_t MagicValue, QualType Type,
15414 bool LayoutCompatible,
15415 bool MustBeNull) {
15416 if (!TypeTagForDatatypeMagicValues)
15417 TypeTagForDatatypeMagicValues.reset(
15418 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>);
15419
15420 TypeTagMagicValue Magic(ArgumentKind, MagicValue);
15421 (*TypeTagForDatatypeMagicValues)[Magic] =
15422 TypeTagData(Type, LayoutCompatible, MustBeNull);
15423 }
15424
IsSameCharType(QualType T1,QualType T2)15425 static bool IsSameCharType(QualType T1, QualType T2) {
15426 const BuiltinType *BT1 = T1->getAs<BuiltinType>();
15427 if (!BT1)
15428 return false;
15429
15430 const BuiltinType *BT2 = T2->getAs<BuiltinType>();
15431 if (!BT2)
15432 return false;
15433
15434 BuiltinType::Kind T1Kind = BT1->getKind();
15435 BuiltinType::Kind T2Kind = BT2->getKind();
15436
15437 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) ||
15438 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) ||
15439 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) ||
15440 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar);
15441 }
15442
CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr * Attr,const ArrayRef<const Expr * > ExprArgs,SourceLocation CallSiteLoc)15443 void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
15444 const ArrayRef<const Expr *> ExprArgs,
15445 SourceLocation CallSiteLoc) {
15446 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind();
15447 bool IsPointerAttr = Attr->getIsPointer();
15448
15449 // Retrieve the argument representing the 'type_tag'.
15450 unsigned TypeTagIdxAST = Attr->getTypeTagIdx().getASTIndex();
15451 if (TypeTagIdxAST >= ExprArgs.size()) {
15452 Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
15453 << 0 << Attr->getTypeTagIdx().getSourceIndex();
15454 return;
15455 }
15456 const Expr *TypeTagExpr = ExprArgs[TypeTagIdxAST];
15457 bool FoundWrongKind;
15458 TypeTagData TypeInfo;
15459 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context,
15460 TypeTagForDatatypeMagicValues.get(), FoundWrongKind,
15461 TypeInfo, isConstantEvaluatedContext())) {
15462 if (FoundWrongKind)
15463 Diag(TypeTagExpr->getExprLoc(),
15464 diag::warn_type_tag_for_datatype_wrong_kind)
15465 << TypeTagExpr->getSourceRange();
15466 return;
15467 }
15468
15469 // Retrieve the argument representing the 'arg_idx'.
15470 unsigned ArgumentIdxAST = Attr->getArgumentIdx().getASTIndex();
15471 if (ArgumentIdxAST >= ExprArgs.size()) {
15472 Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
15473 << 1 << Attr->getArgumentIdx().getSourceIndex();
15474 return;
15475 }
15476 const Expr *ArgumentExpr = ExprArgs[ArgumentIdxAST];
15477 if (IsPointerAttr) {
15478 // Skip implicit cast of pointer to `void *' (as a function argument).
15479 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr))
15480 if (ICE->getType()->isVoidPointerType() &&
15481 ICE->getCastKind() == CK_BitCast)
15482 ArgumentExpr = ICE->getSubExpr();
15483 }
15484 QualType ArgumentType = ArgumentExpr->getType();
15485
15486 // Passing a `void*' pointer shouldn't trigger a warning.
15487 if (IsPointerAttr && ArgumentType->isVoidPointerType())
15488 return;
15489
15490 if (TypeInfo.MustBeNull) {
15491 // Type tag with matching void type requires a null pointer.
15492 if (!ArgumentExpr->isNullPointerConstant(Context,
15493 Expr::NPC_ValueDependentIsNotNull)) {
15494 Diag(ArgumentExpr->getExprLoc(),
15495 diag::warn_type_safety_null_pointer_required)
15496 << ArgumentKind->getName()
15497 << ArgumentExpr->getSourceRange()
15498 << TypeTagExpr->getSourceRange();
15499 }
15500 return;
15501 }
15502
15503 QualType RequiredType = TypeInfo.Type;
15504 if (IsPointerAttr)
15505 RequiredType = Context.getPointerType(RequiredType);
15506
15507 bool mismatch = false;
15508 if (!TypeInfo.LayoutCompatible) {
15509 mismatch = !Context.hasSameType(ArgumentType, RequiredType);
15510
15511 // C++11 [basic.fundamental] p1:
15512 // Plain char, signed char, and unsigned char are three distinct types.
15513 //
15514 // But we treat plain `char' as equivalent to `signed char' or `unsigned
15515 // char' depending on the current char signedness mode.
15516 if (mismatch)
15517 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(),
15518 RequiredType->getPointeeType())) ||
15519 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType)))
15520 mismatch = false;
15521 } else
15522 if (IsPointerAttr)
15523 mismatch = !isLayoutCompatible(Context,
15524 ArgumentType->getPointeeType(),
15525 RequiredType->getPointeeType());
15526 else
15527 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType);
15528
15529 if (mismatch)
15530 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch)
15531 << ArgumentType << ArgumentKind
15532 << TypeInfo.LayoutCompatible << RequiredType
15533 << ArgumentExpr->getSourceRange()
15534 << TypeTagExpr->getSourceRange();
15535 }
15536
AddPotentialMisalignedMembers(Expr * E,RecordDecl * RD,ValueDecl * MD,CharUnits Alignment)15537 void Sema::AddPotentialMisalignedMembers(Expr *E, RecordDecl *RD, ValueDecl *MD,
15538 CharUnits Alignment) {
15539 MisalignedMembers.emplace_back(E, RD, MD, Alignment);
15540 }
15541
DiagnoseMisalignedMembers()15542 void Sema::DiagnoseMisalignedMembers() {
15543 for (MisalignedMember &m : MisalignedMembers) {
15544 const NamedDecl *ND = m.RD;
15545 if (ND->getName().empty()) {
15546 if (const TypedefNameDecl *TD = m.RD->getTypedefNameForAnonDecl())
15547 ND = TD;
15548 }
15549 Diag(m.E->getBeginLoc(), diag::warn_taking_address_of_packed_member)
15550 << m.MD << ND << m.E->getSourceRange();
15551 }
15552 MisalignedMembers.clear();
15553 }
15554
DiscardMisalignedMemberAddress(const Type * T,Expr * E)15555 void Sema::DiscardMisalignedMemberAddress(const Type *T, Expr *E) {
15556 E = E->IgnoreParens();
15557 if (!T->isPointerType() && !T->isIntegerType() && !T->isDependentType())
15558 return;
15559 if (isa<UnaryOperator>(E) &&
15560 cast<UnaryOperator>(E)->getOpcode() == UO_AddrOf) {
15561 auto *Op = cast<UnaryOperator>(E)->getSubExpr()->IgnoreParens();
15562 if (isa<MemberExpr>(Op)) {
15563 auto *MA = llvm::find(MisalignedMembers, MisalignedMember(Op));
15564 if (MA != MisalignedMembers.end() &&
15565 (T->isDependentType() || T->isIntegerType() ||
15566 (T->isPointerType() && (T->getPointeeType()->isIncompleteType() ||
15567 Context.getTypeAlignInChars(
15568 T->getPointeeType()) <= MA->Alignment))))
15569 MisalignedMembers.erase(MA);
15570 }
15571 }
15572 }
15573
RefersToMemberWithReducedAlignment(Expr * E,llvm::function_ref<void (Expr *,RecordDecl *,FieldDecl *,CharUnits)> Action)15574 void Sema::RefersToMemberWithReducedAlignment(
15575 Expr *E,
15576 llvm::function_ref<void(Expr *, RecordDecl *, FieldDecl *, CharUnits)>
15577 Action) {
15578 const auto *ME = dyn_cast<MemberExpr>(E);
15579 if (!ME)
15580 return;
15581
15582 // No need to check expressions with an __unaligned-qualified type.
15583 if (E->getType().getQualifiers().hasUnaligned())
15584 return;
15585
15586 // For a chain of MemberExpr like "a.b.c.d" this list
15587 // will keep FieldDecl's like [d, c, b].
15588 SmallVector<FieldDecl *, 4> ReverseMemberChain;
15589 const MemberExpr *TopME = nullptr;
15590 bool AnyIsPacked = false;
15591 do {
15592 QualType BaseType = ME->getBase()->getType();
15593 if (BaseType->isDependentType())
15594 return;
15595 if (ME->isArrow())
15596 BaseType = BaseType->getPointeeType();
15597 RecordDecl *RD = BaseType->castAs<RecordType>()->getDecl();
15598 if (RD->isInvalidDecl())
15599 return;
15600
15601 ValueDecl *MD = ME->getMemberDecl();
15602 auto *FD = dyn_cast<FieldDecl>(MD);
15603 // We do not care about non-data members.
15604 if (!FD || FD->isInvalidDecl())
15605 return;
15606
15607 AnyIsPacked =
15608 AnyIsPacked || (RD->hasAttr<PackedAttr>() || MD->hasAttr<PackedAttr>());
15609 ReverseMemberChain.push_back(FD);
15610
15611 TopME = ME;
15612 ME = dyn_cast<MemberExpr>(ME->getBase()->IgnoreParens());
15613 } while (ME);
15614 assert(TopME && "We did not compute a topmost MemberExpr!");
15615
15616 // Not the scope of this diagnostic.
15617 if (!AnyIsPacked)
15618 return;
15619
15620 const Expr *TopBase = TopME->getBase()->IgnoreParenImpCasts();
15621 const auto *DRE = dyn_cast<DeclRefExpr>(TopBase);
15622 // TODO: The innermost base of the member expression may be too complicated.
15623 // For now, just disregard these cases. This is left for future
15624 // improvement.
15625 if (!DRE && !isa<CXXThisExpr>(TopBase))
15626 return;
15627
15628 // Alignment expected by the whole expression.
15629 CharUnits ExpectedAlignment = Context.getTypeAlignInChars(E->getType());
15630
15631 // No need to do anything else with this case.
15632 if (ExpectedAlignment.isOne())
15633 return;
15634
15635 // Synthesize offset of the whole access.
15636 CharUnits Offset;
15637 for (const FieldDecl *FD : llvm::reverse(ReverseMemberChain))
15638 Offset += Context.toCharUnitsFromBits(Context.getFieldOffset(FD));
15639
15640 // Compute the CompleteObjectAlignment as the alignment of the whole chain.
15641 CharUnits CompleteObjectAlignment = Context.getTypeAlignInChars(
15642 ReverseMemberChain.back()->getParent()->getTypeForDecl());
15643
15644 // The base expression of the innermost MemberExpr may give
15645 // stronger guarantees than the class containing the member.
15646 if (DRE && !TopME->isArrow()) {
15647 const ValueDecl *VD = DRE->getDecl();
15648 if (!VD->getType()->isReferenceType())
15649 CompleteObjectAlignment =
15650 std::max(CompleteObjectAlignment, Context.getDeclAlign(VD));
15651 }
15652
15653 // Check if the synthesized offset fulfills the alignment.
15654 if (Offset % ExpectedAlignment != 0 ||
15655 // It may fulfill the offset it but the effective alignment may still be
15656 // lower than the expected expression alignment.
15657 CompleteObjectAlignment < ExpectedAlignment) {
15658 // If this happens, we want to determine a sensible culprit of this.
15659 // Intuitively, watching the chain of member expressions from right to
15660 // left, we start with the required alignment (as required by the field
15661 // type) but some packed attribute in that chain has reduced the alignment.
15662 // It may happen that another packed structure increases it again. But if
15663 // we are here such increase has not been enough. So pointing the first
15664 // FieldDecl that either is packed or else its RecordDecl is,
15665 // seems reasonable.
15666 FieldDecl *FD = nullptr;
15667 CharUnits Alignment;
15668 for (FieldDecl *FDI : ReverseMemberChain) {
15669 if (FDI->hasAttr<PackedAttr>() ||
15670 FDI->getParent()->hasAttr<PackedAttr>()) {
15671 FD = FDI;
15672 Alignment = std::min(
15673 Context.getTypeAlignInChars(FD->getType()),
15674 Context.getTypeAlignInChars(FD->getParent()->getTypeForDecl()));
15675 break;
15676 }
15677 }
15678 assert(FD && "We did not find a packed FieldDecl!");
15679 Action(E, FD->getParent(), FD, Alignment);
15680 }
15681 }
15682
CheckAddressOfPackedMember(Expr * rhs)15683 void Sema::CheckAddressOfPackedMember(Expr *rhs) {
15684 using namespace std::placeholders;
15685
15686 RefersToMemberWithReducedAlignment(
15687 rhs, std::bind(&Sema::AddPotentialMisalignedMembers, std::ref(*this), _1,
15688 _2, _3, _4));
15689 }
15690
15691 // Performs a similar job to Sema::UsualUnaryConversions, but without any
15692 // implicit promotion of integral/enumeration types.
BuiltinVectorMathConversions(Sema & S,Expr * E)15693 static ExprResult BuiltinVectorMathConversions(Sema &S, Expr *E) {
15694 // First, convert to an r-value.
15695 ExprResult Res = S.DefaultFunctionArrayLvalueConversion(E);
15696 if (Res.isInvalid())
15697 return ExprError();
15698
15699 // Promote floating-point types.
15700 return S.UsualUnaryFPConversions(Res.get());
15701 }
15702
PrepareBuiltinElementwiseMathOneArgCall(CallExpr * TheCall,EltwiseBuiltinArgTyRestriction ArgTyRestr)15703 bool Sema::PrepareBuiltinElementwiseMathOneArgCall(
15704 CallExpr *TheCall, EltwiseBuiltinArgTyRestriction ArgTyRestr) {
15705 if (checkArgCount(TheCall, 1))
15706 return true;
15707
15708 ExprResult A = BuiltinVectorMathConversions(*this, TheCall->getArg(0));
15709 if (A.isInvalid())
15710 return true;
15711
15712 TheCall->setArg(0, A.get());
15713 QualType TyA = A.get()->getType();
15714
15715 if (checkMathBuiltinElementType(*this, A.get()->getBeginLoc(), TyA,
15716 ArgTyRestr, 1))
15717 return true;
15718
15719 TheCall->setType(TyA);
15720 return false;
15721 }
15722
BuiltinElementwiseMath(CallExpr * TheCall,EltwiseBuiltinArgTyRestriction ArgTyRestr)15723 bool Sema::BuiltinElementwiseMath(CallExpr *TheCall,
15724 EltwiseBuiltinArgTyRestriction ArgTyRestr) {
15725 if (auto Res = BuiltinVectorMath(TheCall, ArgTyRestr); Res.has_value()) {
15726 TheCall->setType(*Res);
15727 return false;
15728 }
15729 return true;
15730 }
15731
BuiltinVectorToScalarMath(CallExpr * TheCall)15732 bool Sema::BuiltinVectorToScalarMath(CallExpr *TheCall) {
15733 std::optional<QualType> Res = BuiltinVectorMath(TheCall);
15734 if (!Res)
15735 return true;
15736
15737 if (auto *VecTy0 = (*Res)->getAs<VectorType>())
15738 TheCall->setType(VecTy0->getElementType());
15739 else
15740 TheCall->setType(*Res);
15741
15742 return false;
15743 }
15744
checkBuiltinVectorMathMixedEnums(Sema & S,Expr * LHS,Expr * RHS,SourceLocation Loc)15745 static bool checkBuiltinVectorMathMixedEnums(Sema &S, Expr *LHS, Expr *RHS,
15746 SourceLocation Loc) {
15747 QualType L = LHS->getEnumCoercedType(S.Context),
15748 R = RHS->getEnumCoercedType(S.Context);
15749 if (L->isUnscopedEnumerationType() && R->isUnscopedEnumerationType() &&
15750 !S.Context.hasSameUnqualifiedType(L, R)) {
15751 return S.Diag(Loc, diag::err_conv_mixed_enum_types)
15752 << LHS->getSourceRange() << RHS->getSourceRange()
15753 << /*Arithmetic Between*/ 0 << L << R;
15754 }
15755 return false;
15756 }
15757
15758 std::optional<QualType>
BuiltinVectorMath(CallExpr * TheCall,EltwiseBuiltinArgTyRestriction ArgTyRestr)15759 Sema::BuiltinVectorMath(CallExpr *TheCall,
15760 EltwiseBuiltinArgTyRestriction ArgTyRestr) {
15761 if (checkArgCount(TheCall, 2))
15762 return std::nullopt;
15763
15764 if (checkBuiltinVectorMathMixedEnums(
15765 *this, TheCall->getArg(0), TheCall->getArg(1), TheCall->getExprLoc()))
15766 return std::nullopt;
15767
15768 Expr *Args[2];
15769 for (int I = 0; I < 2; ++I) {
15770 ExprResult Converted =
15771 BuiltinVectorMathConversions(*this, TheCall->getArg(I));
15772 if (Converted.isInvalid())
15773 return std::nullopt;
15774 Args[I] = Converted.get();
15775 }
15776
15777 SourceLocation LocA = Args[0]->getBeginLoc();
15778 QualType TyA = Args[0]->getType();
15779 QualType TyB = Args[1]->getType();
15780
15781 if (checkMathBuiltinElementType(*this, LocA, TyA, ArgTyRestr, 1))
15782 return std::nullopt;
15783
15784 if (!Context.hasSameUnqualifiedType(TyA, TyB)) {
15785 Diag(LocA, diag::err_typecheck_call_different_arg_types) << TyA << TyB;
15786 return std::nullopt;
15787 }
15788
15789 TheCall->setArg(0, Args[0]);
15790 TheCall->setArg(1, Args[1]);
15791 return TyA;
15792 }
15793
BuiltinElementwiseTernaryMath(CallExpr * TheCall,EltwiseBuiltinArgTyRestriction ArgTyRestr)15794 bool Sema::BuiltinElementwiseTernaryMath(
15795 CallExpr *TheCall, EltwiseBuiltinArgTyRestriction ArgTyRestr) {
15796 if (checkArgCount(TheCall, 3))
15797 return true;
15798
15799 SourceLocation Loc = TheCall->getExprLoc();
15800 if (checkBuiltinVectorMathMixedEnums(*this, TheCall->getArg(0),
15801 TheCall->getArg(1), Loc) ||
15802 checkBuiltinVectorMathMixedEnums(*this, TheCall->getArg(1),
15803 TheCall->getArg(2), Loc))
15804 return true;
15805
15806 Expr *Args[3];
15807 for (int I = 0; I < 3; ++I) {
15808 ExprResult Converted =
15809 BuiltinVectorMathConversions(*this, TheCall->getArg(I));
15810 if (Converted.isInvalid())
15811 return true;
15812 Args[I] = Converted.get();
15813 }
15814
15815 int ArgOrdinal = 1;
15816 for (Expr *Arg : Args) {
15817 if (checkMathBuiltinElementType(*this, Arg->getBeginLoc(), Arg->getType(),
15818 ArgTyRestr, ArgOrdinal++))
15819 return true;
15820 }
15821
15822 for (int I = 1; I < 3; ++I) {
15823 if (Args[0]->getType().getCanonicalType() !=
15824 Args[I]->getType().getCanonicalType()) {
15825 return Diag(Args[0]->getBeginLoc(),
15826 diag::err_typecheck_call_different_arg_types)
15827 << Args[0]->getType() << Args[I]->getType();
15828 }
15829
15830 TheCall->setArg(I, Args[I]);
15831 }
15832
15833 TheCall->setType(Args[0]->getType());
15834 return false;
15835 }
15836
PrepareBuiltinReduceMathOneArgCall(CallExpr * TheCall)15837 bool Sema::PrepareBuiltinReduceMathOneArgCall(CallExpr *TheCall) {
15838 if (checkArgCount(TheCall, 1))
15839 return true;
15840
15841 ExprResult A = UsualUnaryConversions(TheCall->getArg(0));
15842 if (A.isInvalid())
15843 return true;
15844
15845 TheCall->setArg(0, A.get());
15846 return false;
15847 }
15848
BuiltinNonDeterministicValue(CallExpr * TheCall)15849 bool Sema::BuiltinNonDeterministicValue(CallExpr *TheCall) {
15850 if (checkArgCount(TheCall, 1))
15851 return true;
15852
15853 ExprResult Arg = TheCall->getArg(0);
15854 QualType TyArg = Arg.get()->getType();
15855
15856 if (!TyArg->isBuiltinType() && !TyArg->isVectorType())
15857 return Diag(TheCall->getArg(0)->getBeginLoc(),
15858 diag::err_builtin_invalid_arg_type)
15859 << 1 << /* vector */ 2 << /* integer */ 1 << /* fp */ 1 << TyArg;
15860
15861 TheCall->setType(TyArg);
15862 return false;
15863 }
15864
BuiltinMatrixTranspose(CallExpr * TheCall,ExprResult CallResult)15865 ExprResult Sema::BuiltinMatrixTranspose(CallExpr *TheCall,
15866 ExprResult CallResult) {
15867 if (checkArgCount(TheCall, 1))
15868 return ExprError();
15869
15870 ExprResult MatrixArg = DefaultLvalueConversion(TheCall->getArg(0));
15871 if (MatrixArg.isInvalid())
15872 return MatrixArg;
15873 Expr *Matrix = MatrixArg.get();
15874
15875 auto *MType = Matrix->getType()->getAs<ConstantMatrixType>();
15876 if (!MType) {
15877 Diag(Matrix->getBeginLoc(), diag::err_builtin_invalid_arg_type)
15878 << 1 << /* matrix */ 3 << /* no int */ 0 << /* no fp */ 0
15879 << Matrix->getType();
15880 return ExprError();
15881 }
15882
15883 // Create returned matrix type by swapping rows and columns of the argument
15884 // matrix type.
15885 QualType ResultType = Context.getConstantMatrixType(
15886 MType->getElementType(), MType->getNumColumns(), MType->getNumRows());
15887
15888 // Change the return type to the type of the returned matrix.
15889 TheCall->setType(ResultType);
15890
15891 // Update call argument to use the possibly converted matrix argument.
15892 TheCall->setArg(0, Matrix);
15893 return CallResult;
15894 }
15895
15896 // Get and verify the matrix dimensions.
15897 static std::optional<unsigned>
getAndVerifyMatrixDimension(Expr * Expr,StringRef Name,Sema & S)15898 getAndVerifyMatrixDimension(Expr *Expr, StringRef Name, Sema &S) {
15899 SourceLocation ErrorPos;
15900 std::optional<llvm::APSInt> Value =
15901 Expr->getIntegerConstantExpr(S.Context, &ErrorPos);
15902 if (!Value) {
15903 S.Diag(Expr->getBeginLoc(), diag::err_builtin_matrix_scalar_unsigned_arg)
15904 << Name;
15905 return {};
15906 }
15907 uint64_t Dim = Value->getZExtValue();
15908 if (!ConstantMatrixType::isDimensionValid(Dim)) {
15909 S.Diag(Expr->getBeginLoc(), diag::err_builtin_matrix_invalid_dimension)
15910 << Name << ConstantMatrixType::getMaxElementsPerDimension();
15911 return {};
15912 }
15913 return Dim;
15914 }
15915
BuiltinMatrixColumnMajorLoad(CallExpr * TheCall,ExprResult CallResult)15916 ExprResult Sema::BuiltinMatrixColumnMajorLoad(CallExpr *TheCall,
15917 ExprResult CallResult) {
15918 if (!getLangOpts().MatrixTypes) {
15919 Diag(TheCall->getBeginLoc(), diag::err_builtin_matrix_disabled);
15920 return ExprError();
15921 }
15922
15923 if (checkArgCount(TheCall, 4))
15924 return ExprError();
15925
15926 unsigned PtrArgIdx = 0;
15927 Expr *PtrExpr = TheCall->getArg(PtrArgIdx);
15928 Expr *RowsExpr = TheCall->getArg(1);
15929 Expr *ColumnsExpr = TheCall->getArg(2);
15930 Expr *StrideExpr = TheCall->getArg(3);
15931
15932 bool ArgError = false;
15933
15934 // Check pointer argument.
15935 {
15936 ExprResult PtrConv = DefaultFunctionArrayLvalueConversion(PtrExpr);
15937 if (PtrConv.isInvalid())
15938 return PtrConv;
15939 PtrExpr = PtrConv.get();
15940 TheCall->setArg(0, PtrExpr);
15941 if (PtrExpr->isTypeDependent()) {
15942 TheCall->setType(Context.DependentTy);
15943 return TheCall;
15944 }
15945 }
15946
15947 auto *PtrTy = PtrExpr->getType()->getAs<PointerType>();
15948 QualType ElementTy;
15949 if (!PtrTy) {
15950 Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
15951 << PtrArgIdx + 1 << 0 << /* pointer to element ty */ 5 << /* no fp */ 0
15952 << PtrExpr->getType();
15953 ArgError = true;
15954 } else {
15955 ElementTy = PtrTy->getPointeeType().getUnqualifiedType();
15956
15957 if (!ConstantMatrixType::isValidElementType(ElementTy)) {
15958 Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
15959 << PtrArgIdx + 1 << 0 << /* pointer to element ty */ 5
15960 << /* no fp */ 0 << PtrExpr->getType();
15961 ArgError = true;
15962 }
15963 }
15964
15965 // Apply default Lvalue conversions and convert the expression to size_t.
15966 auto ApplyArgumentConversions = [this](Expr *E) {
15967 ExprResult Conv = DefaultLvalueConversion(E);
15968 if (Conv.isInvalid())
15969 return Conv;
15970
15971 return tryConvertExprToType(Conv.get(), Context.getSizeType());
15972 };
15973
15974 // Apply conversion to row and column expressions.
15975 ExprResult RowsConv = ApplyArgumentConversions(RowsExpr);
15976 if (!RowsConv.isInvalid()) {
15977 RowsExpr = RowsConv.get();
15978 TheCall->setArg(1, RowsExpr);
15979 } else
15980 RowsExpr = nullptr;
15981
15982 ExprResult ColumnsConv = ApplyArgumentConversions(ColumnsExpr);
15983 if (!ColumnsConv.isInvalid()) {
15984 ColumnsExpr = ColumnsConv.get();
15985 TheCall->setArg(2, ColumnsExpr);
15986 } else
15987 ColumnsExpr = nullptr;
15988
15989 // If any part of the result matrix type is still pending, just use
15990 // Context.DependentTy, until all parts are resolved.
15991 if ((RowsExpr && RowsExpr->isTypeDependent()) ||
15992 (ColumnsExpr && ColumnsExpr->isTypeDependent())) {
15993 TheCall->setType(Context.DependentTy);
15994 return CallResult;
15995 }
15996
15997 // Check row and column dimensions.
15998 std::optional<unsigned> MaybeRows;
15999 if (RowsExpr)
16000 MaybeRows = getAndVerifyMatrixDimension(RowsExpr, "row", *this);
16001
16002 std::optional<unsigned> MaybeColumns;
16003 if (ColumnsExpr)
16004 MaybeColumns = getAndVerifyMatrixDimension(ColumnsExpr, "column", *this);
16005
16006 // Check stride argument.
16007 ExprResult StrideConv = ApplyArgumentConversions(StrideExpr);
16008 if (StrideConv.isInvalid())
16009 return ExprError();
16010 StrideExpr = StrideConv.get();
16011 TheCall->setArg(3, StrideExpr);
16012
16013 if (MaybeRows) {
16014 if (std::optional<llvm::APSInt> Value =
16015 StrideExpr->getIntegerConstantExpr(Context)) {
16016 uint64_t Stride = Value->getZExtValue();
16017 if (Stride < *MaybeRows) {
16018 Diag(StrideExpr->getBeginLoc(),
16019 diag::err_builtin_matrix_stride_too_small);
16020 ArgError = true;
16021 }
16022 }
16023 }
16024
16025 if (ArgError || !MaybeRows || !MaybeColumns)
16026 return ExprError();
16027
16028 TheCall->setType(
16029 Context.getConstantMatrixType(ElementTy, *MaybeRows, *MaybeColumns));
16030 return CallResult;
16031 }
16032
BuiltinMatrixColumnMajorStore(CallExpr * TheCall,ExprResult CallResult)16033 ExprResult Sema::BuiltinMatrixColumnMajorStore(CallExpr *TheCall,
16034 ExprResult CallResult) {
16035 if (checkArgCount(TheCall, 3))
16036 return ExprError();
16037
16038 unsigned PtrArgIdx = 1;
16039 Expr *MatrixExpr = TheCall->getArg(0);
16040 Expr *PtrExpr = TheCall->getArg(PtrArgIdx);
16041 Expr *StrideExpr = TheCall->getArg(2);
16042
16043 bool ArgError = false;
16044
16045 {
16046 ExprResult MatrixConv = DefaultLvalueConversion(MatrixExpr);
16047 if (MatrixConv.isInvalid())
16048 return MatrixConv;
16049 MatrixExpr = MatrixConv.get();
16050 TheCall->setArg(0, MatrixExpr);
16051 }
16052 if (MatrixExpr->isTypeDependent()) {
16053 TheCall->setType(Context.DependentTy);
16054 return TheCall;
16055 }
16056
16057 auto *MatrixTy = MatrixExpr->getType()->getAs<ConstantMatrixType>();
16058 if (!MatrixTy) {
16059 Diag(MatrixExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
16060 << 1 << /* matrix ty */ 3 << 0 << 0 << MatrixExpr->getType();
16061 ArgError = true;
16062 }
16063
16064 {
16065 ExprResult PtrConv = DefaultFunctionArrayLvalueConversion(PtrExpr);
16066 if (PtrConv.isInvalid())
16067 return PtrConv;
16068 PtrExpr = PtrConv.get();
16069 TheCall->setArg(1, PtrExpr);
16070 if (PtrExpr->isTypeDependent()) {
16071 TheCall->setType(Context.DependentTy);
16072 return TheCall;
16073 }
16074 }
16075
16076 // Check pointer argument.
16077 auto *PtrTy = PtrExpr->getType()->getAs<PointerType>();
16078 if (!PtrTy) {
16079 Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
16080 << PtrArgIdx + 1 << 0 << /* pointer to element ty */ 5 << 0
16081 << PtrExpr->getType();
16082 ArgError = true;
16083 } else {
16084 QualType ElementTy = PtrTy->getPointeeType();
16085 if (ElementTy.isConstQualified()) {
16086 Diag(PtrExpr->getBeginLoc(), diag::err_builtin_matrix_store_to_const);
16087 ArgError = true;
16088 }
16089 ElementTy = ElementTy.getUnqualifiedType().getCanonicalType();
16090 if (MatrixTy &&
16091 !Context.hasSameType(ElementTy, MatrixTy->getElementType())) {
16092 Diag(PtrExpr->getBeginLoc(),
16093 diag::err_builtin_matrix_pointer_arg_mismatch)
16094 << ElementTy << MatrixTy->getElementType();
16095 ArgError = true;
16096 }
16097 }
16098
16099 // Apply default Lvalue conversions and convert the stride expression to
16100 // size_t.
16101 {
16102 ExprResult StrideConv = DefaultLvalueConversion(StrideExpr);
16103 if (StrideConv.isInvalid())
16104 return StrideConv;
16105
16106 StrideConv = tryConvertExprToType(StrideConv.get(), Context.getSizeType());
16107 if (StrideConv.isInvalid())
16108 return StrideConv;
16109 StrideExpr = StrideConv.get();
16110 TheCall->setArg(2, StrideExpr);
16111 }
16112
16113 // Check stride argument.
16114 if (MatrixTy) {
16115 if (std::optional<llvm::APSInt> Value =
16116 StrideExpr->getIntegerConstantExpr(Context)) {
16117 uint64_t Stride = Value->getZExtValue();
16118 if (Stride < MatrixTy->getNumRows()) {
16119 Diag(StrideExpr->getBeginLoc(),
16120 diag::err_builtin_matrix_stride_too_small);
16121 ArgError = true;
16122 }
16123 }
16124 }
16125
16126 if (ArgError)
16127 return ExprError();
16128
16129 return CallResult;
16130 }
16131
CheckTCBEnforcement(const SourceLocation CallExprLoc,const NamedDecl * Callee)16132 void Sema::CheckTCBEnforcement(const SourceLocation CallExprLoc,
16133 const NamedDecl *Callee) {
16134 // This warning does not make sense in code that has no runtime behavior.
16135 if (isUnevaluatedContext())
16136 return;
16137
16138 const NamedDecl *Caller = getCurFunctionOrMethodDecl();
16139
16140 if (!Caller || !Caller->hasAttr<EnforceTCBAttr>())
16141 return;
16142
16143 // Search through the enforce_tcb and enforce_tcb_leaf attributes to find
16144 // all TCBs the callee is a part of.
16145 llvm::StringSet<> CalleeTCBs;
16146 for (const auto *A : Callee->specific_attrs<EnforceTCBAttr>())
16147 CalleeTCBs.insert(A->getTCBName());
16148 for (const auto *A : Callee->specific_attrs<EnforceTCBLeafAttr>())
16149 CalleeTCBs.insert(A->getTCBName());
16150
16151 // Go through the TCBs the caller is a part of and emit warnings if Caller
16152 // is in a TCB that the Callee is not.
16153 for (const auto *A : Caller->specific_attrs<EnforceTCBAttr>()) {
16154 StringRef CallerTCB = A->getTCBName();
16155 if (CalleeTCBs.count(CallerTCB) == 0) {
16156 this->Diag(CallExprLoc, diag::warn_tcb_enforcement_violation)
16157 << Callee << CallerTCB;
16158 }
16159 }
16160 }
16161