xref: /freebsd/contrib/llvm-project/clang/lib/Sema/SemaChecking.cpp (revision e3f4a63af63bea70bc86b6c790b14aa5ee99fcd0) 
1 //===- SemaChecking.cpp - Extra Semantic Checking -------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 //  This file implements extra semantic analysis beyond what is enforced
10 //  by the C type system.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "CheckExprLifetime.h"
15 #include "clang/AST/APValue.h"
16 #include "clang/AST/ASTContext.h"
17 #include "clang/AST/ASTDiagnostic.h"
18 #include "clang/AST/Attr.h"
19 #include "clang/AST/AttrIterator.h"
20 #include "clang/AST/CharUnits.h"
21 #include "clang/AST/Decl.h"
22 #include "clang/AST/DeclBase.h"
23 #include "clang/AST/DeclCXX.h"
24 #include "clang/AST/DeclObjC.h"
25 #include "clang/AST/DeclarationName.h"
26 #include "clang/AST/EvaluatedExprVisitor.h"
27 #include "clang/AST/Expr.h"
28 #include "clang/AST/ExprCXX.h"
29 #include "clang/AST/ExprObjC.h"
30 #include "clang/AST/FormatString.h"
31 #include "clang/AST/IgnoreExpr.h"
32 #include "clang/AST/NSAPI.h"
33 #include "clang/AST/NonTrivialTypeVisitor.h"
34 #include "clang/AST/OperationKinds.h"
35 #include "clang/AST/RecordLayout.h"
36 #include "clang/AST/Stmt.h"
37 #include "clang/AST/TemplateBase.h"
38 #include "clang/AST/Type.h"
39 #include "clang/AST/TypeLoc.h"
40 #include "clang/AST/UnresolvedSet.h"
41 #include "clang/Basic/AddressSpaces.h"
42 #include "clang/Basic/Diagnostic.h"
43 #include "clang/Basic/IdentifierTable.h"
44 #include "clang/Basic/LLVM.h"
45 #include "clang/Basic/LangOptions.h"
46 #include "clang/Basic/OpenCLOptions.h"
47 #include "clang/Basic/OperatorKinds.h"
48 #include "clang/Basic/PartialDiagnostic.h"
49 #include "clang/Basic/SourceLocation.h"
50 #include "clang/Basic/SourceManager.h"
51 #include "clang/Basic/Specifiers.h"
52 #include "clang/Basic/SyncScope.h"
53 #include "clang/Basic/TargetInfo.h"
54 #include "clang/Basic/TypeTraits.h"
55 #include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering.
56 #include "clang/Sema/Initialization.h"
57 #include "clang/Sema/Lookup.h"
58 #include "clang/Sema/Ownership.h"
59 #include "clang/Sema/Scope.h"
60 #include "clang/Sema/ScopeInfo.h"
61 #include "clang/Sema/Sema.h"
62 #include "clang/Sema/SemaAMDGPU.h"
63 #include "clang/Sema/SemaARM.h"
64 #include "clang/Sema/SemaBPF.h"
65 #include "clang/Sema/SemaDirectX.h"
66 #include "clang/Sema/SemaHLSL.h"
67 #include "clang/Sema/SemaHexagon.h"
68 #include "clang/Sema/SemaLoongArch.h"
69 #include "clang/Sema/SemaMIPS.h"
70 #include "clang/Sema/SemaNVPTX.h"
71 #include "clang/Sema/SemaObjC.h"
72 #include "clang/Sema/SemaOpenCL.h"
73 #include "clang/Sema/SemaPPC.h"
74 #include "clang/Sema/SemaRISCV.h"
75 #include "clang/Sema/SemaSPIRV.h"
76 #include "clang/Sema/SemaSystemZ.h"
77 #include "clang/Sema/SemaWasm.h"
78 #include "clang/Sema/SemaX86.h"
79 #include "llvm/ADT/APFloat.h"
80 #include "llvm/ADT/APInt.h"
81 #include "llvm/ADT/APSInt.h"
82 #include "llvm/ADT/ArrayRef.h"
83 #include "llvm/ADT/DenseMap.h"
84 #include "llvm/ADT/FoldingSet.h"
85 #include "llvm/ADT/STLExtras.h"
86 #include "llvm/ADT/STLForwardCompat.h"
87 #include "llvm/ADT/SmallBitVector.h"
88 #include "llvm/ADT/SmallPtrSet.h"
89 #include "llvm/ADT/SmallString.h"
90 #include "llvm/ADT/SmallVector.h"
91 #include "llvm/ADT/StringExtras.h"
92 #include "llvm/ADT/StringRef.h"
93 #include "llvm/ADT/StringSet.h"
94 #include "llvm/ADT/StringSwitch.h"
95 #include "llvm/Support/AtomicOrdering.h"
96 #include "llvm/Support/Compiler.h"
97 #include "llvm/Support/ConvertUTF.h"
98 #include "llvm/Support/ErrorHandling.h"
99 #include "llvm/Support/Format.h"
100 #include "llvm/Support/Locale.h"
101 #include "llvm/Support/MathExtras.h"
102 #include "llvm/Support/SaveAndRestore.h"
103 #include "llvm/Support/raw_ostream.h"
104 #include "llvm/TargetParser/RISCVTargetParser.h"
105 #include "llvm/TargetParser/Triple.h"
106 #include <algorithm>
107 #include <cassert>
108 #include <cctype>
109 #include <cstddef>
110 #include <cstdint>
111 #include <functional>
112 #include <limits>
113 #include <optional>
114 #include <string>
115 #include <tuple>
116 #include <utility>
117 
118 using namespace clang;
119 using namespace sema;
120 
121 SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
122                                                     unsigned ByteNo) const {
123   return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts,
124                                Context.getTargetInfo());
125 }
126 
127 static constexpr unsigned short combineFAPK(Sema::FormatArgumentPassingKind A,
128                                             Sema::FormatArgumentPassingKind B) {
129   return (A << 8) | B;
130 }
131 
132 bool Sema::checkArgCountAtLeast(CallExpr *Call, unsigned MinArgCount) {
133   unsigned ArgCount = Call->getNumArgs();
134   if (ArgCount >= MinArgCount)
135     return false;
136 
137   return Diag(Call->getEndLoc(), diag::err_typecheck_call_too_few_args)
138          << 0 /*function call*/ << MinArgCount << ArgCount
139          << /*is non object*/ 0 << Call->getSourceRange();
140 }
141 
142 bool Sema::checkArgCountAtMost(CallExpr *Call, unsigned MaxArgCount) {
143   unsigned ArgCount = Call->getNumArgs();
144   if (ArgCount <= MaxArgCount)
145     return false;
146   return Diag(Call->getEndLoc(), diag::err_typecheck_call_too_many_args_at_most)
147          << 0 /*function call*/ << MaxArgCount << ArgCount
148          << /*is non object*/ 0 << Call->getSourceRange();
149 }
150 
151 bool Sema::checkArgCountRange(CallExpr *Call, unsigned MinArgCount,
152                               unsigned MaxArgCount) {
153   return checkArgCountAtLeast(Call, MinArgCount) ||
154          checkArgCountAtMost(Call, MaxArgCount);
155 }
156 
157 bool Sema::checkArgCount(CallExpr *Call, unsigned DesiredArgCount) {
158   unsigned ArgCount = Call->getNumArgs();
159   if (ArgCount == DesiredArgCount)
160     return false;
161 
162   if (checkArgCountAtLeast(Call, DesiredArgCount))
163     return true;
164   assert(ArgCount > DesiredArgCount && "should have diagnosed this");
165 
166   // Highlight all the excess arguments.
167   SourceRange Range(Call->getArg(DesiredArgCount)->getBeginLoc(),
168                     Call->getArg(ArgCount - 1)->getEndLoc());
169 
170   return Diag(Range.getBegin(), diag::err_typecheck_call_too_many_args)
171          << 0 /*function call*/ << DesiredArgCount << ArgCount
172          << /*is non object*/ 0 << Range;
173 }
174 
175 static bool checkBuiltinVerboseTrap(CallExpr *Call, Sema &S) {
176   bool HasError = false;
177 
178   for (unsigned I = 0; I < Call->getNumArgs(); ++I) {
179     Expr *Arg = Call->getArg(I);
180 
181     if (Arg->isValueDependent())
182       continue;
183 
184     std::optional<std::string> ArgString = Arg->tryEvaluateString(S.Context);
185     int DiagMsgKind = -1;
186     // Arguments must be pointers to constant strings and cannot use '$'.
187     if (!ArgString.has_value())
188       DiagMsgKind = 0;
189     else if (ArgString->find('$') != std::string::npos)
190       DiagMsgKind = 1;
191 
192     if (DiagMsgKind >= 0) {
193       S.Diag(Arg->getBeginLoc(), diag::err_builtin_verbose_trap_arg)
194           << DiagMsgKind << Arg->getSourceRange();
195       HasError = true;
196     }
197   }
198 
199   return !HasError;
200 }
201 
202 static bool convertArgumentToType(Sema &S, Expr *&Value, QualType Ty) {
203   if (Value->isTypeDependent())
204     return false;
205 
206   InitializedEntity Entity =
207       InitializedEntity::InitializeParameter(S.Context, Ty, false);
208   ExprResult Result =
209       S.PerformCopyInitialization(Entity, SourceLocation(), Value);
210   if (Result.isInvalid())
211     return true;
212   Value = Result.get();
213   return false;
214 }
215 
216 /// Check that the first argument to __builtin_annotation is an integer
217 /// and the second argument is a non-wide string literal.
218 static bool BuiltinAnnotation(Sema &S, CallExpr *TheCall) {
219   if (S.checkArgCount(TheCall, 2))
220     return true;
221 
222   // First argument should be an integer.
223   Expr *ValArg = TheCall->getArg(0);
224   QualType Ty = ValArg->getType();
225   if (!Ty->isIntegerType()) {
226     S.Diag(ValArg->getBeginLoc(), diag::err_builtin_annotation_first_arg)
227         << ValArg->getSourceRange();
228     return true;
229   }
230 
231   // Second argument should be a constant string.
232   Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts();
233   StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg);
234   if (!Literal || !Literal->isOrdinary()) {
235     S.Diag(StrArg->getBeginLoc(), diag::err_builtin_annotation_second_arg)
236         << StrArg->getSourceRange();
237     return true;
238   }
239 
240   TheCall->setType(Ty);
241   return false;
242 }
243 
244 static bool BuiltinMSVCAnnotation(Sema &S, CallExpr *TheCall) {
245   // We need at least one argument.
246   if (TheCall->getNumArgs() < 1) {
247     S.Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
248         << 0 << 1 << TheCall->getNumArgs() << /*is non object*/ 0
249         << TheCall->getCallee()->getSourceRange();
250     return true;
251   }
252 
253   // All arguments should be wide string literals.
254   for (Expr *Arg : TheCall->arguments()) {
255     auto *Literal = dyn_cast<StringLiteral>(Arg->IgnoreParenCasts());
256     if (!Literal || !Literal->isWide()) {
257       S.Diag(Arg->getBeginLoc(), diag::err_msvc_annotation_wide_str)
258           << Arg->getSourceRange();
259       return true;
260     }
261   }
262 
263   return false;
264 }
265 
266 /// Check that the argument to __builtin_addressof is a glvalue, and set the
267 /// result type to the corresponding pointer type.
268 static bool BuiltinAddressof(Sema &S, CallExpr *TheCall) {
269   if (S.checkArgCount(TheCall, 1))
270     return true;
271 
272   ExprResult Arg(TheCall->getArg(0));
273   QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getBeginLoc());
274   if (ResultType.isNull())
275     return true;
276 
277   TheCall->setArg(0, Arg.get());
278   TheCall->setType(ResultType);
279   return false;
280 }
281 
282 /// Check that the argument to __builtin_function_start is a function.
283 static bool BuiltinFunctionStart(Sema &S, CallExpr *TheCall) {
284   if (S.checkArgCount(TheCall, 1))
285     return true;
286 
287   ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
288   if (Arg.isInvalid())
289     return true;
290 
291   TheCall->setArg(0, Arg.get());
292   const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(
293       Arg.get()->getAsBuiltinConstantDeclRef(S.getASTContext()));
294 
295   if (!FD) {
296     S.Diag(TheCall->getBeginLoc(), diag::err_function_start_invalid_type)
297         << TheCall->getSourceRange();
298     return true;
299   }
300 
301   return !S.checkAddressOfFunctionIsAvailable(FD, /*Complain=*/true,
302                                               TheCall->getBeginLoc());
303 }
304 
305 /// Check the number of arguments and set the result type to
306 /// the argument type.
307 static bool BuiltinPreserveAI(Sema &S, CallExpr *TheCall) {
308   if (S.checkArgCount(TheCall, 1))
309     return true;
310 
311   TheCall->setType(TheCall->getArg(0)->getType());
312   return false;
313 }
314 
315 /// Check that the value argument for __builtin_is_aligned(value, alignment) and
316 /// __builtin_aligned_{up,down}(value, alignment) is an integer or a pointer
317 /// type (but not a function pointer) and that the alignment is a power-of-two.
318 static bool BuiltinAlignment(Sema &S, CallExpr *TheCall, unsigned ID) {
319   if (S.checkArgCount(TheCall, 2))
320     return true;
321 
322   clang::Expr *Source = TheCall->getArg(0);
323   bool IsBooleanAlignBuiltin = ID == Builtin::BI__builtin_is_aligned;
324 
325   auto IsValidIntegerType = [](QualType Ty) {
326     return Ty->isIntegerType() && !Ty->isEnumeralType() && !Ty->isBooleanType();
327   };
328   QualType SrcTy = Source->getType();
329   // We should also be able to use it with arrays (but not functions!).
330   if (SrcTy->canDecayToPointerType() && SrcTy->isArrayType()) {
331     SrcTy = S.Context.getDecayedType(SrcTy);
332   }
333   if ((!SrcTy->isPointerType() && !IsValidIntegerType(SrcTy)) ||
334       SrcTy->isFunctionPointerType()) {
335     // FIXME: this is not quite the right error message since we don't allow
336     // floating point types, or member pointers.
337     S.Diag(Source->getExprLoc(), diag::err_typecheck_expect_scalar_operand)
338         << SrcTy;
339     return true;
340   }
341 
342   clang::Expr *AlignOp = TheCall->getArg(1);
343   if (!IsValidIntegerType(AlignOp->getType())) {
344     S.Diag(AlignOp->getExprLoc(), diag::err_typecheck_expect_int)
345         << AlignOp->getType();
346     return true;
347   }
348   Expr::EvalResult AlignResult;
349   unsigned MaxAlignmentBits = S.Context.getIntWidth(SrcTy) - 1;
350   // We can't check validity of alignment if it is value dependent.
351   if (!AlignOp->isValueDependent() &&
352       AlignOp->EvaluateAsInt(AlignResult, S.Context,
353                              Expr::SE_AllowSideEffects)) {
354     llvm::APSInt AlignValue = AlignResult.Val.getInt();
355     llvm::APSInt MaxValue(
356         llvm::APInt::getOneBitSet(MaxAlignmentBits + 1, MaxAlignmentBits));
357     if (AlignValue < 1) {
358       S.Diag(AlignOp->getExprLoc(), diag::err_alignment_too_small) << 1;
359       return true;
360     }
361     if (llvm::APSInt::compareValues(AlignValue, MaxValue) > 0) {
362       S.Diag(AlignOp->getExprLoc(), diag::err_alignment_too_big)
363           << toString(MaxValue, 10);
364       return true;
365     }
366     if (!AlignValue.isPowerOf2()) {
367       S.Diag(AlignOp->getExprLoc(), diag::err_alignment_not_power_of_two);
368       return true;
369     }
370     if (AlignValue == 1) {
371       S.Diag(AlignOp->getExprLoc(), diag::warn_alignment_builtin_useless)
372           << IsBooleanAlignBuiltin;
373     }
374   }
375 
376   ExprResult SrcArg = S.PerformCopyInitialization(
377       InitializedEntity::InitializeParameter(S.Context, SrcTy, false),
378       SourceLocation(), Source);
379   if (SrcArg.isInvalid())
380     return true;
381   TheCall->setArg(0, SrcArg.get());
382   ExprResult AlignArg =
383       S.PerformCopyInitialization(InitializedEntity::InitializeParameter(
384                                       S.Context, AlignOp->getType(), false),
385                                   SourceLocation(), AlignOp);
386   if (AlignArg.isInvalid())
387     return true;
388   TheCall->setArg(1, AlignArg.get());
389   // For align_up/align_down, the return type is the same as the (potentially
390   // decayed) argument type including qualifiers. For is_aligned(), the result
391   // is always bool.
392   TheCall->setType(IsBooleanAlignBuiltin ? S.Context.BoolTy : SrcTy);
393   return false;
394 }
395 
396 static bool BuiltinOverflow(Sema &S, CallExpr *TheCall, unsigned BuiltinID) {
397   if (S.checkArgCount(TheCall, 3))
398     return true;
399 
400   std::pair<unsigned, const char *> Builtins[] = {
401     { Builtin::BI__builtin_add_overflow, "ckd_add" },
402     { Builtin::BI__builtin_sub_overflow, "ckd_sub" },
403     { Builtin::BI__builtin_mul_overflow, "ckd_mul" },
404   };
405 
406   bool CkdOperation = llvm::any_of(Builtins, [&](const std::pair<unsigned,
407     const char *> &P) {
408     return BuiltinID == P.first && TheCall->getExprLoc().isMacroID() &&
409          Lexer::getImmediateMacroName(TheCall->getExprLoc(),
410          S.getSourceManager(), S.getLangOpts()) == P.second;
411   });
412 
413   auto ValidCkdIntType = [](QualType QT) {
414     // A valid checked integer type is an integer type other than a plain char,
415     // bool, a bit-precise type, or an enumeration type.
416     if (const auto *BT = QT.getCanonicalType()->getAs<BuiltinType>())
417       return (BT->getKind() >= BuiltinType::Short &&
418            BT->getKind() <= BuiltinType::Int128) || (
419            BT->getKind() >= BuiltinType::UShort &&
420            BT->getKind() <= BuiltinType::UInt128) ||
421            BT->getKind() == BuiltinType::UChar ||
422            BT->getKind() == BuiltinType::SChar;
423     return false;
424   };
425 
426   // First two arguments should be integers.
427   for (unsigned I = 0; I < 2; ++I) {
428     ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(I));
429     if (Arg.isInvalid()) return true;
430     TheCall->setArg(I, Arg.get());
431 
432     QualType Ty = Arg.get()->getType();
433     bool IsValid = CkdOperation ? ValidCkdIntType(Ty) : Ty->isIntegerType();
434     if (!IsValid) {
435       S.Diag(Arg.get()->getBeginLoc(), diag::err_overflow_builtin_must_be_int)
436           << CkdOperation << Ty << Arg.get()->getSourceRange();
437       return true;
438     }
439   }
440 
441   // Third argument should be a pointer to a non-const integer.
442   // IRGen correctly handles volatile, restrict, and address spaces, and
443   // the other qualifiers aren't possible.
444   {
445     ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(2));
446     if (Arg.isInvalid()) return true;
447     TheCall->setArg(2, Arg.get());
448 
449     QualType Ty = Arg.get()->getType();
450     const auto *PtrTy = Ty->getAs<PointerType>();
451     if (!PtrTy ||
452         !PtrTy->getPointeeType()->isIntegerType() ||
453         (!ValidCkdIntType(PtrTy->getPointeeType()) && CkdOperation) ||
454         PtrTy->getPointeeType().isConstQualified()) {
455       S.Diag(Arg.get()->getBeginLoc(),
456              diag::err_overflow_builtin_must_be_ptr_int)
457         << CkdOperation << Ty << Arg.get()->getSourceRange();
458       return true;
459     }
460   }
461 
462   // Disallow signed bit-precise integer args larger than 128 bits to mul
463   // function until we improve backend support.
464   if (BuiltinID == Builtin::BI__builtin_mul_overflow) {
465     for (unsigned I = 0; I < 3; ++I) {
466       const auto Arg = TheCall->getArg(I);
467       // Third argument will be a pointer.
468       auto Ty = I < 2 ? Arg->getType() : Arg->getType()->getPointeeType();
469       if (Ty->isBitIntType() && Ty->isSignedIntegerType() &&
470           S.getASTContext().getIntWidth(Ty) > 128)
471         return S.Diag(Arg->getBeginLoc(),
472                       diag::err_overflow_builtin_bit_int_max_size)
473                << 128;
474     }
475   }
476 
477   return false;
478 }
479 
480 namespace {
481 struct BuiltinDumpStructGenerator {
482   Sema &S;
483   CallExpr *TheCall;
484   SourceLocation Loc = TheCall->getBeginLoc();
485   SmallVector<Expr *, 32> Actions;
486   DiagnosticErrorTrap ErrorTracker;
487   PrintingPolicy Policy;
488 
489   BuiltinDumpStructGenerator(Sema &S, CallExpr *TheCall)
490       : S(S), TheCall(TheCall), ErrorTracker(S.getDiagnostics()),
491         Policy(S.Context.getPrintingPolicy()) {
492     Policy.AnonymousTagLocations = false;
493   }
494 
495   Expr *makeOpaqueValueExpr(Expr *Inner) {
496     auto *OVE = new (S.Context)
497         OpaqueValueExpr(Loc, Inner->getType(), Inner->getValueKind(),
498                         Inner->getObjectKind(), Inner);
499     Actions.push_back(OVE);
500     return OVE;
501   }
502 
503   Expr *getStringLiteral(llvm::StringRef Str) {
504     Expr *Lit = S.Context.getPredefinedStringLiteralFromCache(Str);
505     // Wrap the literal in parentheses to attach a source location.
506     return new (S.Context) ParenExpr(Loc, Loc, Lit);
507   }
508 
509   bool callPrintFunction(llvm::StringRef Format,
510                          llvm::ArrayRef<Expr *> Exprs = {}) {
511     SmallVector<Expr *, 8> Args;
512     assert(TheCall->getNumArgs() >= 2);
513     Args.reserve((TheCall->getNumArgs() - 2) + /*Format*/ 1 + Exprs.size());
514     Args.assign(TheCall->arg_begin() + 2, TheCall->arg_end());
515     Args.push_back(getStringLiteral(Format));
516     llvm::append_range(Args, Exprs);
517 
518     // Register a note to explain why we're performing the call.
519     Sema::CodeSynthesisContext Ctx;
520     Ctx.Kind = Sema::CodeSynthesisContext::BuildingBuiltinDumpStructCall;
521     Ctx.PointOfInstantiation = Loc;
522     Ctx.CallArgs = Args.data();
523     Ctx.NumCallArgs = Args.size();
524     S.pushCodeSynthesisContext(Ctx);
525 
526     ExprResult RealCall =
527         S.BuildCallExpr(/*Scope=*/nullptr, TheCall->getArg(1),
528                         TheCall->getBeginLoc(), Args, TheCall->getRParenLoc());
529 
530     S.popCodeSynthesisContext();
531     if (!RealCall.isInvalid())
532       Actions.push_back(RealCall.get());
533     // Bail out if we've hit any errors, even if we managed to build the
534     // call. We don't want to produce more than one error.
535     return RealCall.isInvalid() || ErrorTracker.hasErrorOccurred();
536   }
537 
538   Expr *getIndentString(unsigned Depth) {
539     if (!Depth)
540       return nullptr;
541 
542     llvm::SmallString<32> Indent;
543     Indent.resize(Depth * Policy.Indentation, ' ');
544     return getStringLiteral(Indent);
545   }
546 
547   Expr *getTypeString(QualType T) {
548     return getStringLiteral(T.getAsString(Policy));
549   }
550 
551   bool appendFormatSpecifier(QualType T, llvm::SmallVectorImpl<char> &Str) {
552     llvm::raw_svector_ostream OS(Str);
553 
554     // Format 'bool', 'char', 'signed char', 'unsigned char' as numbers, rather
555     // than trying to print a single character.
556     if (auto *BT = T->getAs<BuiltinType>()) {
557       switch (BT->getKind()) {
558       case BuiltinType::Bool:
559         OS << "%d";
560         return true;
561       case BuiltinType::Char_U:
562       case BuiltinType::UChar:
563         OS << "%hhu";
564         return true;
565       case BuiltinType::Char_S:
566       case BuiltinType::SChar:
567         OS << "%hhd";
568         return true;
569       default:
570         break;
571       }
572     }
573 
574     analyze_printf::PrintfSpecifier Specifier;
575     if (Specifier.fixType(T, S.getLangOpts(), S.Context, /*IsObjCLiteral=*/false)) {
576       // We were able to guess how to format this.
577       if (Specifier.getConversionSpecifier().getKind() ==
578           analyze_printf::PrintfConversionSpecifier::sArg) {
579         // Wrap double-quotes around a '%s' specifier and limit its maximum
580         // length. Ideally we'd also somehow escape special characters in the
581         // contents but printf doesn't support that.
582         // FIXME: '%s' formatting is not safe in general.
583         OS << '"';
584         Specifier.setPrecision(analyze_printf::OptionalAmount(32u));
585         Specifier.toString(OS);
586         OS << '"';
587         // FIXME: It would be nice to include a '...' if the string doesn't fit
588         // in the length limit.
589       } else {
590         Specifier.toString(OS);
591       }
592       return true;
593     }
594 
595     if (T->isPointerType()) {
596       // Format all pointers with '%p'.
597       OS << "%p";
598       return true;
599     }
600 
601     return false;
602   }
603 
604   bool dumpUnnamedRecord(const RecordDecl *RD, Expr *E, unsigned Depth) {
605     Expr *IndentLit = getIndentString(Depth);
606     Expr *TypeLit = getTypeString(S.Context.getRecordType(RD));
607     if (IndentLit ? callPrintFunction("%s%s", {IndentLit, TypeLit})
608                   : callPrintFunction("%s", {TypeLit}))
609       return true;
610 
611     return dumpRecordValue(RD, E, IndentLit, Depth);
612   }
613 
614   // Dump a record value. E should be a pointer or lvalue referring to an RD.
615   bool dumpRecordValue(const RecordDecl *RD, Expr *E, Expr *RecordIndent,
616                        unsigned Depth) {
617     // FIXME: Decide what to do if RD is a union. At least we should probably
618     // turn off printing `const char*` members with `%s`, because that is very
619     // likely to crash if that's not the active member. Whatever we decide, we
620     // should document it.
621 
622     // Build an OpaqueValueExpr so we can refer to E more than once without
623     // triggering re-evaluation.
624     Expr *RecordArg = makeOpaqueValueExpr(E);
625     bool RecordArgIsPtr = RecordArg->getType()->isPointerType();
626 
627     if (callPrintFunction(" {\n"))
628       return true;
629 
630     // Dump each base class, regardless of whether they're aggregates.
631     if (const auto *CXXRD = dyn_cast<CXXRecordDecl>(RD)) {
632       for (const auto &Base : CXXRD->bases()) {
633         QualType BaseType =
634             RecordArgIsPtr ? S.Context.getPointerType(Base.getType())
635                            : S.Context.getLValueReferenceType(Base.getType());
636         ExprResult BasePtr = S.BuildCStyleCastExpr(
637             Loc, S.Context.getTrivialTypeSourceInfo(BaseType, Loc), Loc,
638             RecordArg);
639         if (BasePtr.isInvalid() ||
640             dumpUnnamedRecord(Base.getType()->getAsRecordDecl(), BasePtr.get(),
641                               Depth + 1))
642           return true;
643       }
644     }
645 
646     Expr *FieldIndentArg = getIndentString(Depth + 1);
647 
648     // Dump each field.
649     for (auto *D : RD->decls()) {
650       auto *IFD = dyn_cast<IndirectFieldDecl>(D);
651       auto *FD = IFD ? IFD->getAnonField() : dyn_cast<FieldDecl>(D);
652       if (!FD || FD->isUnnamedBitField() || FD->isAnonymousStructOrUnion())
653         continue;
654 
655       llvm::SmallString<20> Format = llvm::StringRef("%s%s %s ");
656       llvm::SmallVector<Expr *, 5> Args = {FieldIndentArg,
657                                            getTypeString(FD->getType()),
658                                            getStringLiteral(FD->getName())};
659 
660       if (FD->isBitField()) {
661         Format += ": %zu ";
662         QualType SizeT = S.Context.getSizeType();
663         llvm::APInt BitWidth(S.Context.getIntWidth(SizeT),
664                              FD->getBitWidthValue());
665         Args.push_back(IntegerLiteral::Create(S.Context, BitWidth, SizeT, Loc));
666       }
667 
668       Format += "=";
669 
670       ExprResult Field =
671           IFD ? S.BuildAnonymousStructUnionMemberReference(
672                     CXXScopeSpec(), Loc, IFD,
673                     DeclAccessPair::make(IFD, AS_public), RecordArg, Loc)
674               : S.BuildFieldReferenceExpr(
675                     RecordArg, RecordArgIsPtr, Loc, CXXScopeSpec(), FD,
676                     DeclAccessPair::make(FD, AS_public),
677                     DeclarationNameInfo(FD->getDeclName(), Loc));
678       if (Field.isInvalid())
679         return true;
680 
681       auto *InnerRD = FD->getType()->getAsRecordDecl();
682       auto *InnerCXXRD = dyn_cast_or_null<CXXRecordDecl>(InnerRD);
683       if (InnerRD && (!InnerCXXRD || InnerCXXRD->isAggregate())) {
684         // Recursively print the values of members of aggregate record type.
685         if (callPrintFunction(Format, Args) ||
686             dumpRecordValue(InnerRD, Field.get(), FieldIndentArg, Depth + 1))
687           return true;
688       } else {
689         Format += " ";
690         if (appendFormatSpecifier(FD->getType(), Format)) {
691           // We know how to print this field.
692           Args.push_back(Field.get());
693         } else {
694           // We don't know how to print this field. Print out its address
695           // with a format specifier that a smart tool will be able to
696           // recognize and treat specially.
697           Format += "*%p";
698           ExprResult FieldAddr =
699               S.BuildUnaryOp(nullptr, Loc, UO_AddrOf, Field.get());
700           if (FieldAddr.isInvalid())
701             return true;
702           Args.push_back(FieldAddr.get());
703         }
704         Format += "\n";
705         if (callPrintFunction(Format, Args))
706           return true;
707       }
708     }
709 
710     return RecordIndent ? callPrintFunction("%s}\n", RecordIndent)
711                         : callPrintFunction("}\n");
712   }
713 
714   Expr *buildWrapper() {
715     auto *Wrapper = PseudoObjectExpr::Create(S.Context, TheCall, Actions,
716                                              PseudoObjectExpr::NoResult);
717     TheCall->setType(Wrapper->getType());
718     TheCall->setValueKind(Wrapper->getValueKind());
719     return Wrapper;
720   }
721 };
722 } // namespace
723 
724 static ExprResult BuiltinDumpStruct(Sema &S, CallExpr *TheCall) {
725   if (S.checkArgCountAtLeast(TheCall, 2))
726     return ExprError();
727 
728   ExprResult PtrArgResult = S.DefaultLvalueConversion(TheCall->getArg(0));
729   if (PtrArgResult.isInvalid())
730     return ExprError();
731   TheCall->setArg(0, PtrArgResult.get());
732 
733   // First argument should be a pointer to a struct.
734   QualType PtrArgType = PtrArgResult.get()->getType();
735   if (!PtrArgType->isPointerType() ||
736       !PtrArgType->getPointeeType()->isRecordType()) {
737     S.Diag(PtrArgResult.get()->getBeginLoc(),
738            diag::err_expected_struct_pointer_argument)
739         << 1 << TheCall->getDirectCallee() << PtrArgType;
740     return ExprError();
741   }
742   QualType Pointee = PtrArgType->getPointeeType();
743   const RecordDecl *RD = Pointee->getAsRecordDecl();
744   // Try to instantiate the class template as appropriate; otherwise, access to
745   // its data() may lead to a crash.
746   if (S.RequireCompleteType(PtrArgResult.get()->getBeginLoc(), Pointee,
747                             diag::err_incomplete_type))
748     return ExprError();
749   // Second argument is a callable, but we can't fully validate it until we try
750   // calling it.
751   QualType FnArgType = TheCall->getArg(1)->getType();
752   if (!FnArgType->isFunctionType() && !FnArgType->isFunctionPointerType() &&
753       !FnArgType->isBlockPointerType() &&
754       !(S.getLangOpts().CPlusPlus && FnArgType->isRecordType())) {
755     auto *BT = FnArgType->getAs<BuiltinType>();
756     switch (BT ? BT->getKind() : BuiltinType::Void) {
757     case BuiltinType::Dependent:
758     case BuiltinType::Overload:
759     case BuiltinType::BoundMember:
760     case BuiltinType::PseudoObject:
761     case BuiltinType::UnknownAny:
762     case BuiltinType::BuiltinFn:
763       // This might be a callable.
764       break;
765 
766     default:
767       S.Diag(TheCall->getArg(1)->getBeginLoc(),
768              diag::err_expected_callable_argument)
769           << 2 << TheCall->getDirectCallee() << FnArgType;
770       return ExprError();
771     }
772   }
773 
774   BuiltinDumpStructGenerator Generator(S, TheCall);
775 
776   // Wrap parentheses around the given pointer. This is not necessary for
777   // correct code generation, but it means that when we pretty-print the call
778   // arguments in our diagnostics we will produce '(&s)->n' instead of the
779   // incorrect '&s->n'.
780   Expr *PtrArg = PtrArgResult.get();
781   PtrArg = new (S.Context)
782       ParenExpr(PtrArg->getBeginLoc(),
783                 S.getLocForEndOfToken(PtrArg->getEndLoc()), PtrArg);
784   if (Generator.dumpUnnamedRecord(RD, PtrArg, 0))
785     return ExprError();
786 
787   return Generator.buildWrapper();
788 }
789 
790 static bool BuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
791   if (S.checkArgCount(BuiltinCall, 2))
792     return true;
793 
794   SourceLocation BuiltinLoc = BuiltinCall->getBeginLoc();
795   Expr *Builtin = BuiltinCall->getCallee()->IgnoreImpCasts();
796   Expr *Call = BuiltinCall->getArg(0);
797   Expr *Chain = BuiltinCall->getArg(1);
798 
799   if (Call->getStmtClass() != Stmt::CallExprClass) {
800     S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_not_call)
801         << Call->getSourceRange();
802     return true;
803   }
804 
805   auto CE = cast<CallExpr>(Call);
806   if (CE->getCallee()->getType()->isBlockPointerType()) {
807     S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_block_call)
808         << Call->getSourceRange();
809     return true;
810   }
811 
812   const Decl *TargetDecl = CE->getCalleeDecl();
813   if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(TargetDecl))
814     if (FD->getBuiltinID()) {
815       S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_builtin_call)
816           << Call->getSourceRange();
817       return true;
818     }
819 
820   if (isa<CXXPseudoDestructorExpr>(CE->getCallee()->IgnoreParens())) {
821     S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_pdtor_call)
822         << Call->getSourceRange();
823     return true;
824   }
825 
826   ExprResult ChainResult = S.UsualUnaryConversions(Chain);
827   if (ChainResult.isInvalid())
828     return true;
829   if (!ChainResult.get()->getType()->isPointerType()) {
830     S.Diag(BuiltinLoc, diag::err_second_argument_to_cwsc_not_pointer)
831         << Chain->getSourceRange();
832     return true;
833   }
834 
835   QualType ReturnTy = CE->getCallReturnType(S.Context);
836   QualType ArgTys[2] = { ReturnTy, ChainResult.get()->getType() };
837   QualType BuiltinTy = S.Context.getFunctionType(
838       ReturnTy, ArgTys, FunctionProtoType::ExtProtoInfo());
839   QualType BuiltinPtrTy = S.Context.getPointerType(BuiltinTy);
840 
841   Builtin =
842       S.ImpCastExprToType(Builtin, BuiltinPtrTy, CK_BuiltinFnToFnPtr).get();
843 
844   BuiltinCall->setType(CE->getType());
845   BuiltinCall->setValueKind(CE->getValueKind());
846   BuiltinCall->setObjectKind(CE->getObjectKind());
847   BuiltinCall->setCallee(Builtin);
848   BuiltinCall->setArg(1, ChainResult.get());
849 
850   return false;
851 }
852 
853 namespace {
854 
855 class ScanfDiagnosticFormatHandler
856     : public analyze_format_string::FormatStringHandler {
857   // Accepts the argument index (relative to the first destination index) of the
858   // argument whose size we want.
859   using ComputeSizeFunction =
860       llvm::function_ref<std::optional<llvm::APSInt>(unsigned)>;
861 
862   // Accepts the argument index (relative to the first destination index), the
863   // destination size, and the source size).
864   using DiagnoseFunction =
865       llvm::function_ref<void(unsigned, unsigned, unsigned)>;
866 
867   ComputeSizeFunction ComputeSizeArgument;
868   DiagnoseFunction Diagnose;
869 
870 public:
871   ScanfDiagnosticFormatHandler(ComputeSizeFunction ComputeSizeArgument,
872                                DiagnoseFunction Diagnose)
873       : ComputeSizeArgument(ComputeSizeArgument), Diagnose(Diagnose) {}
874 
875   bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
876                             const char *StartSpecifier,
877                             unsigned specifierLen) override {
878     if (!FS.consumesDataArgument())
879       return true;
880 
881     unsigned NulByte = 0;
882     switch ((FS.getConversionSpecifier().getKind())) {
883     default:
884       return true;
885     case analyze_format_string::ConversionSpecifier::sArg:
886     case analyze_format_string::ConversionSpecifier::ScanListArg:
887       NulByte = 1;
888       break;
889     case analyze_format_string::ConversionSpecifier::cArg:
890       break;
891     }
892 
893     analyze_format_string::OptionalAmount FW = FS.getFieldWidth();
894     if (FW.getHowSpecified() !=
895         analyze_format_string::OptionalAmount::HowSpecified::Constant)
896       return true;
897 
898     unsigned SourceSize = FW.getConstantAmount() + NulByte;
899 
900     std::optional<llvm::APSInt> DestSizeAPS =
901         ComputeSizeArgument(FS.getArgIndex());
902     if (!DestSizeAPS)
903       return true;
904 
905     unsigned DestSize = DestSizeAPS->getZExtValue();
906 
907     if (DestSize < SourceSize)
908       Diagnose(FS.getArgIndex(), DestSize, SourceSize);
909 
910     return true;
911   }
912 };
913 
914 class EstimateSizeFormatHandler
915     : public analyze_format_string::FormatStringHandler {
916   size_t Size;
917   /// Whether the format string contains Linux kernel's format specifier
918   /// extension.
919   bool IsKernelCompatible = true;
920 
921 public:
922   EstimateSizeFormatHandler(StringRef Format)
923       : Size(std::min(Format.find(0), Format.size()) +
924              1 /* null byte always written by sprintf */) {}
925 
926   bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
927                              const char *, unsigned SpecifierLen,
928                              const TargetInfo &) override {
929 
930     const size_t FieldWidth = computeFieldWidth(FS);
931     const size_t Precision = computePrecision(FS);
932 
933     // The actual format.
934     switch (FS.getConversionSpecifier().getKind()) {
935     // Just a char.
936     case analyze_format_string::ConversionSpecifier::cArg:
937     case analyze_format_string::ConversionSpecifier::CArg:
938       Size += std::max(FieldWidth, (size_t)1);
939       break;
940     // Just an integer.
941     case analyze_format_string::ConversionSpecifier::dArg:
942     case analyze_format_string::ConversionSpecifier::DArg:
943     case analyze_format_string::ConversionSpecifier::iArg:
944     case analyze_format_string::ConversionSpecifier::oArg:
945     case analyze_format_string::ConversionSpecifier::OArg:
946     case analyze_format_string::ConversionSpecifier::uArg:
947     case analyze_format_string::ConversionSpecifier::UArg:
948     case analyze_format_string::ConversionSpecifier::xArg:
949     case analyze_format_string::ConversionSpecifier::XArg:
950       Size += std::max(FieldWidth, Precision);
951       break;
952 
953     // %g style conversion switches between %f or %e style dynamically.
954     // %g removes trailing zeros, and does not print decimal point if there are
955     // no digits that follow it. Thus %g can print a single digit.
956     // FIXME: If it is alternative form:
957     // For g and G conversions, trailing zeros are not removed from the result.
958     case analyze_format_string::ConversionSpecifier::gArg:
959     case analyze_format_string::ConversionSpecifier::GArg:
960       Size += 1;
961       break;
962 
963     // Floating point number in the form '[+]ddd.ddd'.
964     case analyze_format_string::ConversionSpecifier::fArg:
965     case analyze_format_string::ConversionSpecifier::FArg:
966       Size += std::max(FieldWidth, 1 /* integer part */ +
967                                        (Precision ? 1 + Precision
968                                                   : 0) /* period + decimal */);
969       break;
970 
971     // Floating point number in the form '[-]d.ddde[+-]dd'.
972     case analyze_format_string::ConversionSpecifier::eArg:
973     case analyze_format_string::ConversionSpecifier::EArg:
974       Size +=
975           std::max(FieldWidth,
976                    1 /* integer part */ +
977                        (Precision ? 1 + Precision : 0) /* period + decimal */ +
978                        1 /* e or E letter */ + 2 /* exponent */);
979       break;
980 
981     // Floating point number in the form '[-]0xh.hhhhp±dd'.
982     case analyze_format_string::ConversionSpecifier::aArg:
983     case analyze_format_string::ConversionSpecifier::AArg:
984       Size +=
985           std::max(FieldWidth,
986                    2 /* 0x */ + 1 /* integer part */ +
987                        (Precision ? 1 + Precision : 0) /* period + decimal */ +
988                        1 /* p or P letter */ + 1 /* + or - */ + 1 /* value */);
989       break;
990 
991     // Just a string.
992     case analyze_format_string::ConversionSpecifier::sArg:
993     case analyze_format_string::ConversionSpecifier::SArg:
994       Size += FieldWidth;
995       break;
996 
997     // Just a pointer in the form '0xddd'.
998     case analyze_format_string::ConversionSpecifier::pArg:
999       // Linux kernel has its own extesion for `%p` specifier.
1000       // Kernel Document:
1001       // https://docs.kernel.org/core-api/printk-formats.html#pointer-types
1002       IsKernelCompatible = false;
1003       Size += std::max(FieldWidth, 2 /* leading 0x */ + Precision);
1004       break;
1005 
1006     // A plain percent.
1007     case analyze_format_string::ConversionSpecifier::PercentArg:
1008       Size += 1;
1009       break;
1010 
1011     default:
1012       break;
1013     }
1014 
1015     // If field width is specified, the sign/space is already accounted for
1016     // within the field width, so no additional size is needed.
1017     if ((FS.hasPlusPrefix() || FS.hasSpacePrefix()) && FieldWidth == 0)
1018       Size += 1;
1019 
1020     if (FS.hasAlternativeForm()) {
1021       switch (FS.getConversionSpecifier().getKind()) {
1022       // For o conversion, it increases the precision, if and only if necessary,
1023       // to force the first digit of the result to be a zero
1024       // (if the value and precision are both 0, a single 0 is printed)
1025       case analyze_format_string::ConversionSpecifier::oArg:
1026       // For b conversion, a nonzero result has 0b prefixed to it.
1027       case analyze_format_string::ConversionSpecifier::bArg:
1028       // For x (or X) conversion, a nonzero result has 0x (or 0X) prefixed to
1029       // it.
1030       case analyze_format_string::ConversionSpecifier::xArg:
1031       case analyze_format_string::ConversionSpecifier::XArg:
1032         // Note: even when the prefix is added, if
1033         // (prefix_width <= FieldWidth - formatted_length) holds,
1034         // the prefix does not increase the format
1035         // size. e.g.(("%#3x", 0xf) is "0xf")
1036 
1037         // If the result is zero, o, b, x, X adds nothing.
1038         break;
1039       // For a, A, e, E, f, F, g, and G conversions,
1040       // the result of converting a floating-point number always contains a
1041       // decimal-point
1042       case analyze_format_string::ConversionSpecifier::aArg:
1043       case analyze_format_string::ConversionSpecifier::AArg:
1044       case analyze_format_string::ConversionSpecifier::eArg:
1045       case analyze_format_string::ConversionSpecifier::EArg:
1046       case analyze_format_string::ConversionSpecifier::fArg:
1047       case analyze_format_string::ConversionSpecifier::FArg:
1048       case analyze_format_string::ConversionSpecifier::gArg:
1049       case analyze_format_string::ConversionSpecifier::GArg:
1050         Size += (Precision ? 0 : 1);
1051         break;
1052       // For other conversions, the behavior is undefined.
1053       default:
1054         break;
1055       }
1056     }
1057     assert(SpecifierLen <= Size && "no underflow");
1058     Size -= SpecifierLen;
1059     return true;
1060   }
1061 
1062   size_t getSizeLowerBound() const { return Size; }
1063   bool isKernelCompatible() const { return IsKernelCompatible; }
1064 
1065 private:
1066   static size_t computeFieldWidth(const analyze_printf::PrintfSpecifier &FS) {
1067     const analyze_format_string::OptionalAmount &FW = FS.getFieldWidth();
1068     size_t FieldWidth = 0;
1069     if (FW.getHowSpecified() == analyze_format_string::OptionalAmount::Constant)
1070       FieldWidth = FW.getConstantAmount();
1071     return FieldWidth;
1072   }
1073 
1074   static size_t computePrecision(const analyze_printf::PrintfSpecifier &FS) {
1075     const analyze_format_string::OptionalAmount &FW = FS.getPrecision();
1076     size_t Precision = 0;
1077 
1078     // See man 3 printf for default precision value based on the specifier.
1079     switch (FW.getHowSpecified()) {
1080     case analyze_format_string::OptionalAmount::NotSpecified:
1081       switch (FS.getConversionSpecifier().getKind()) {
1082       default:
1083         break;
1084       case analyze_format_string::ConversionSpecifier::dArg: // %d
1085       case analyze_format_string::ConversionSpecifier::DArg: // %D
1086       case analyze_format_string::ConversionSpecifier::iArg: // %i
1087         Precision = 1;
1088         break;
1089       case analyze_format_string::ConversionSpecifier::oArg: // %d
1090       case analyze_format_string::ConversionSpecifier::OArg: // %D
1091       case analyze_format_string::ConversionSpecifier::uArg: // %d
1092       case analyze_format_string::ConversionSpecifier::UArg: // %D
1093       case analyze_format_string::ConversionSpecifier::xArg: // %d
1094       case analyze_format_string::ConversionSpecifier::XArg: // %D
1095         Precision = 1;
1096         break;
1097       case analyze_format_string::ConversionSpecifier::fArg: // %f
1098       case analyze_format_string::ConversionSpecifier::FArg: // %F
1099       case analyze_format_string::ConversionSpecifier::eArg: // %e
1100       case analyze_format_string::ConversionSpecifier::EArg: // %E
1101       case analyze_format_string::ConversionSpecifier::gArg: // %g
1102       case analyze_format_string::ConversionSpecifier::GArg: // %G
1103         Precision = 6;
1104         break;
1105       case analyze_format_string::ConversionSpecifier::pArg: // %d
1106         Precision = 1;
1107         break;
1108       }
1109       break;
1110     case analyze_format_string::OptionalAmount::Constant:
1111       Precision = FW.getConstantAmount();
1112       break;
1113     default:
1114       break;
1115     }
1116     return Precision;
1117   }
1118 };
1119 
1120 } // namespace
1121 
1122 static bool ProcessFormatStringLiteral(const Expr *FormatExpr,
1123                                        StringRef &FormatStrRef, size_t &StrLen,
1124                                        ASTContext &Context) {
1125   if (const auto *Format = dyn_cast<StringLiteral>(FormatExpr);
1126       Format && (Format->isOrdinary() || Format->isUTF8())) {
1127     FormatStrRef = Format->getString();
1128     const ConstantArrayType *T =
1129         Context.getAsConstantArrayType(Format->getType());
1130     assert(T && "String literal not of constant array type!");
1131     size_t TypeSize = T->getZExtSize();
1132     // In case there's a null byte somewhere.
1133     StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, FormatStrRef.find(0));
1134     return true;
1135   }
1136   return false;
1137 }
1138 
1139 void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
1140                                                CallExpr *TheCall) {
1141   if (TheCall->isValueDependent() || TheCall->isTypeDependent() ||
1142       isConstantEvaluatedContext())
1143     return;
1144 
1145   bool UseDABAttr = false;
1146   const FunctionDecl *UseDecl = FD;
1147 
1148   const auto *DABAttr = FD->getAttr<DiagnoseAsBuiltinAttr>();
1149   if (DABAttr) {
1150     UseDecl = DABAttr->getFunction();
1151     assert(UseDecl && "Missing FunctionDecl in DiagnoseAsBuiltin attribute!");
1152     UseDABAttr = true;
1153   }
1154 
1155   unsigned BuiltinID = UseDecl->getBuiltinID(/*ConsiderWrappers=*/true);
1156 
1157   if (!BuiltinID)
1158     return;
1159 
1160   const TargetInfo &TI = getASTContext().getTargetInfo();
1161   unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());
1162 
1163   auto TranslateIndex = [&](unsigned Index) -> std::optional<unsigned> {
1164     // If we refer to a diagnose_as_builtin attribute, we need to change the
1165     // argument index to refer to the arguments of the called function. Unless
1166     // the index is out of bounds, which presumably means it's a variadic
1167     // function.
1168     if (!UseDABAttr)
1169       return Index;
1170     unsigned DABIndices = DABAttr->argIndices_size();
1171     unsigned NewIndex = Index < DABIndices
1172                             ? DABAttr->argIndices_begin()[Index]
1173                             : Index - DABIndices + FD->getNumParams();
1174     if (NewIndex >= TheCall->getNumArgs())
1175       return std::nullopt;
1176     return NewIndex;
1177   };
1178 
1179   auto ComputeExplicitObjectSizeArgument =
1180       [&](unsigned Index) -> std::optional<llvm::APSInt> {
1181     std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1182     if (!IndexOptional)
1183       return std::nullopt;
1184     unsigned NewIndex = *IndexOptional;
1185     Expr::EvalResult Result;
1186     Expr *SizeArg = TheCall->getArg(NewIndex);
1187     if (!SizeArg->EvaluateAsInt(Result, getASTContext()))
1188       return std::nullopt;
1189     llvm::APSInt Integer = Result.Val.getInt();
1190     Integer.setIsUnsigned(true);
1191     return Integer;
1192   };
1193 
1194   auto ComputeSizeArgument =
1195       [&](unsigned Index) -> std::optional<llvm::APSInt> {
1196     // If the parameter has a pass_object_size attribute, then we should use its
1197     // (potentially) more strict checking mode. Otherwise, conservatively assume
1198     // type 0.
1199     int BOSType = 0;
1200     // This check can fail for variadic functions.
1201     if (Index < FD->getNumParams()) {
1202       if (const auto *POS =
1203               FD->getParamDecl(Index)->getAttr<PassObjectSizeAttr>())
1204         BOSType = POS->getType();
1205     }
1206 
1207     std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1208     if (!IndexOptional)
1209       return std::nullopt;
1210     unsigned NewIndex = *IndexOptional;
1211 
1212     if (NewIndex >= TheCall->getNumArgs())
1213       return std::nullopt;
1214 
1215     const Expr *ObjArg = TheCall->getArg(NewIndex);
1216     uint64_t Result;
1217     if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
1218       return std::nullopt;
1219 
1220     // Get the object size in the target's size_t width.
1221     return llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
1222   };
1223 
1224   auto ComputeStrLenArgument =
1225       [&](unsigned Index) -> std::optional<llvm::APSInt> {
1226     std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1227     if (!IndexOptional)
1228       return std::nullopt;
1229     unsigned NewIndex = *IndexOptional;
1230 
1231     const Expr *ObjArg = TheCall->getArg(NewIndex);
1232     uint64_t Result;
1233     if (!ObjArg->tryEvaluateStrLen(Result, getASTContext()))
1234       return std::nullopt;
1235     // Add 1 for null byte.
1236     return llvm::APSInt::getUnsigned(Result + 1).extOrTrunc(SizeTypeWidth);
1237   };
1238 
1239   std::optional<llvm::APSInt> SourceSize;
1240   std::optional<llvm::APSInt> DestinationSize;
1241   unsigned DiagID = 0;
1242   bool IsChkVariant = false;
1243 
1244   auto GetFunctionName = [&]() {
1245     std::string FunctionNameStr =
1246         getASTContext().BuiltinInfo.getName(BuiltinID);
1247     llvm::StringRef FunctionName = FunctionNameStr;
1248     // Skim off the details of whichever builtin was called to produce a better
1249     // diagnostic, as it's unlikely that the user wrote the __builtin
1250     // explicitly.
1251     if (IsChkVariant) {
1252       FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
1253       FunctionName = FunctionName.drop_back(std::strlen("_chk"));
1254     } else {
1255       FunctionName.consume_front("__builtin_");
1256     }
1257     return FunctionName.str();
1258   };
1259 
1260   switch (BuiltinID) {
1261   default:
1262     return;
1263   case Builtin::BI__builtin_stpcpy:
1264   case Builtin::BIstpcpy:
1265   case Builtin::BI__builtin_strcpy:
1266   case Builtin::BIstrcpy: {
1267     DiagID = diag::warn_fortify_strlen_overflow;
1268     SourceSize = ComputeStrLenArgument(1);
1269     DestinationSize = ComputeSizeArgument(0);
1270     break;
1271   }
1272 
1273   case Builtin::BI__builtin___stpcpy_chk:
1274   case Builtin::BI__builtin___strcpy_chk: {
1275     DiagID = diag::warn_fortify_strlen_overflow;
1276     SourceSize = ComputeStrLenArgument(1);
1277     DestinationSize = ComputeExplicitObjectSizeArgument(2);
1278     IsChkVariant = true;
1279     break;
1280   }
1281 
1282   case Builtin::BIscanf:
1283   case Builtin::BIfscanf:
1284   case Builtin::BIsscanf: {
1285     unsigned FormatIndex = 1;
1286     unsigned DataIndex = 2;
1287     if (BuiltinID == Builtin::BIscanf) {
1288       FormatIndex = 0;
1289       DataIndex = 1;
1290     }
1291 
1292     const auto *FormatExpr =
1293         TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
1294 
1295     StringRef FormatStrRef;
1296     size_t StrLen;
1297     if (!ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context))
1298       return;
1299 
1300     auto Diagnose = [&](unsigned ArgIndex, unsigned DestSize,
1301                         unsigned SourceSize) {
1302       DiagID = diag::warn_fortify_scanf_overflow;
1303       unsigned Index = ArgIndex + DataIndex;
1304       std::string FunctionName = GetFunctionName();
1305       DiagRuntimeBehavior(TheCall->getArg(Index)->getBeginLoc(), TheCall,
1306                           PDiag(DiagID) << FunctionName << (Index + 1)
1307                                         << DestSize << SourceSize);
1308     };
1309 
1310     auto ShiftedComputeSizeArgument = [&](unsigned Index) {
1311       return ComputeSizeArgument(Index + DataIndex);
1312     };
1313     ScanfDiagnosticFormatHandler H(ShiftedComputeSizeArgument, Diagnose);
1314     const char *FormatBytes = FormatStrRef.data();
1315     analyze_format_string::ParseScanfString(H, FormatBytes,
1316                                             FormatBytes + StrLen, getLangOpts(),
1317                                             Context.getTargetInfo());
1318 
1319     // Unlike the other cases, in this one we have already issued the diagnostic
1320     // here, so no need to continue (because unlike the other cases, here the
1321     // diagnostic refers to the argument number).
1322     return;
1323   }
1324 
1325   case Builtin::BIsprintf:
1326   case Builtin::BI__builtin___sprintf_chk: {
1327     size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3;
1328     auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
1329 
1330     StringRef FormatStrRef;
1331     size_t StrLen;
1332     if (ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context)) {
1333       EstimateSizeFormatHandler H(FormatStrRef);
1334       const char *FormatBytes = FormatStrRef.data();
1335       if (!analyze_format_string::ParsePrintfString(
1336               H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
1337               Context.getTargetInfo(), false)) {
1338         DiagID = H.isKernelCompatible()
1339                      ? diag::warn_format_overflow
1340                      : diag::warn_format_overflow_non_kprintf;
1341         SourceSize = llvm::APSInt::getUnsigned(H.getSizeLowerBound())
1342                          .extOrTrunc(SizeTypeWidth);
1343         if (BuiltinID == Builtin::BI__builtin___sprintf_chk) {
1344           DestinationSize = ComputeExplicitObjectSizeArgument(2);
1345           IsChkVariant = true;
1346         } else {
1347           DestinationSize = ComputeSizeArgument(0);
1348         }
1349         break;
1350       }
1351     }
1352     return;
1353   }
1354   case Builtin::BI__builtin___memcpy_chk:
1355   case Builtin::BI__builtin___memmove_chk:
1356   case Builtin::BI__builtin___memset_chk:
1357   case Builtin::BI__builtin___strlcat_chk:
1358   case Builtin::BI__builtin___strlcpy_chk:
1359   case Builtin::BI__builtin___strncat_chk:
1360   case Builtin::BI__builtin___strncpy_chk:
1361   case Builtin::BI__builtin___stpncpy_chk:
1362   case Builtin::BI__builtin___memccpy_chk:
1363   case Builtin::BI__builtin___mempcpy_chk: {
1364     DiagID = diag::warn_builtin_chk_overflow;
1365     SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 2);
1366     DestinationSize =
1367         ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1368     IsChkVariant = true;
1369     break;
1370   }
1371 
1372   case Builtin::BI__builtin___snprintf_chk:
1373   case Builtin::BI__builtin___vsnprintf_chk: {
1374     DiagID = diag::warn_builtin_chk_overflow;
1375     SourceSize = ComputeExplicitObjectSizeArgument(1);
1376     DestinationSize = ComputeExplicitObjectSizeArgument(3);
1377     IsChkVariant = true;
1378     break;
1379   }
1380 
1381   case Builtin::BIstrncat:
1382   case Builtin::BI__builtin_strncat:
1383   case Builtin::BIstrncpy:
1384   case Builtin::BI__builtin_strncpy:
1385   case Builtin::BIstpncpy:
1386   case Builtin::BI__builtin_stpncpy: {
1387     // Whether these functions overflow depends on the runtime strlen of the
1388     // string, not just the buffer size, so emitting the "always overflow"
1389     // diagnostic isn't quite right. We should still diagnose passing a buffer
1390     // size larger than the destination buffer though; this is a runtime abort
1391     // in _FORTIFY_SOURCE mode, and is quite suspicious otherwise.
1392     DiagID = diag::warn_fortify_source_size_mismatch;
1393     SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1394     DestinationSize = ComputeSizeArgument(0);
1395     break;
1396   }
1397 
1398   case Builtin::BImemcpy:
1399   case Builtin::BI__builtin_memcpy:
1400   case Builtin::BImemmove:
1401   case Builtin::BI__builtin_memmove:
1402   case Builtin::BImemset:
1403   case Builtin::BI__builtin_memset:
1404   case Builtin::BImempcpy:
1405   case Builtin::BI__builtin_mempcpy: {
1406     DiagID = diag::warn_fortify_source_overflow;
1407     SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1408     DestinationSize = ComputeSizeArgument(0);
1409     break;
1410   }
1411   case Builtin::BIsnprintf:
1412   case Builtin::BI__builtin_snprintf:
1413   case Builtin::BIvsnprintf:
1414   case Builtin::BI__builtin_vsnprintf: {
1415     DiagID = diag::warn_fortify_source_size_mismatch;
1416     SourceSize = ComputeExplicitObjectSizeArgument(1);
1417     const auto *FormatExpr = TheCall->getArg(2)->IgnoreParenImpCasts();
1418     StringRef FormatStrRef;
1419     size_t StrLen;
1420     if (SourceSize &&
1421         ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context)) {
1422       EstimateSizeFormatHandler H(FormatStrRef);
1423       const char *FormatBytes = FormatStrRef.data();
1424       if (!analyze_format_string::ParsePrintfString(
1425               H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
1426               Context.getTargetInfo(), /*isFreeBSDKPrintf=*/false)) {
1427         llvm::APSInt FormatSize =
1428             llvm::APSInt::getUnsigned(H.getSizeLowerBound())
1429                 .extOrTrunc(SizeTypeWidth);
1430         if (FormatSize > *SourceSize && *SourceSize != 0) {
1431           unsigned TruncationDiagID =
1432               H.isKernelCompatible() ? diag::warn_format_truncation
1433                                      : diag::warn_format_truncation_non_kprintf;
1434           SmallString<16> SpecifiedSizeStr;
1435           SmallString<16> FormatSizeStr;
1436           SourceSize->toString(SpecifiedSizeStr, /*Radix=*/10);
1437           FormatSize.toString(FormatSizeStr, /*Radix=*/10);
1438           DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
1439                               PDiag(TruncationDiagID)
1440                                   << GetFunctionName() << SpecifiedSizeStr
1441                                   << FormatSizeStr);
1442         }
1443       }
1444     }
1445     DestinationSize = ComputeSizeArgument(0);
1446   }
1447   }
1448 
1449   if (!SourceSize || !DestinationSize ||
1450       llvm::APSInt::compareValues(*SourceSize, *DestinationSize) <= 0)
1451     return;
1452 
1453   std::string FunctionName = GetFunctionName();
1454 
1455   SmallString<16> DestinationStr;
1456   SmallString<16> SourceStr;
1457   DestinationSize->toString(DestinationStr, /*Radix=*/10);
1458   SourceSize->toString(SourceStr, /*Radix=*/10);
1459   DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
1460                       PDiag(DiagID)
1461                           << FunctionName << DestinationStr << SourceStr);
1462 }
1463 
1464 static bool BuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,
1465                                  Scope::ScopeFlags NeededScopeFlags,
1466                                  unsigned DiagID) {
1467   // Scopes aren't available during instantiation. Fortunately, builtin
1468   // functions cannot be template args so they cannot be formed through template
1469   // instantiation. Therefore checking once during the parse is sufficient.
1470   if (SemaRef.inTemplateInstantiation())
1471     return false;
1472 
1473   Scope *S = SemaRef.getCurScope();
1474   while (S && !S->isSEHExceptScope())
1475     S = S->getParent();
1476   if (!S || !(S->getFlags() & NeededScopeFlags)) {
1477     auto *DRE = cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
1478     SemaRef.Diag(TheCall->getExprLoc(), DiagID)
1479         << DRE->getDecl()->getIdentifier();
1480     return true;
1481   }
1482 
1483   return false;
1484 }
1485 
1486 // In OpenCL, __builtin_alloca_* should return a pointer to address space
1487 // that corresponds to the stack address space i.e private address space.
1488 static void builtinAllocaAddrSpace(Sema &S, CallExpr *TheCall) {
1489   QualType RT = TheCall->getType();
1490   assert((RT->isPointerType() && !(RT->getPointeeType().hasAddressSpace())) &&
1491          "__builtin_alloca has invalid address space");
1492 
1493   RT = RT->getPointeeType();
1494   RT = S.Context.getAddrSpaceQualType(RT, LangAS::opencl_private);
1495   TheCall->setType(S.Context.getPointerType(RT));
1496 }
1497 
1498 namespace {
1499 enum PointerAuthOpKind {
1500   PAO_Strip,
1501   PAO_Sign,
1502   PAO_Auth,
1503   PAO_SignGeneric,
1504   PAO_Discriminator,
1505   PAO_BlendPointer,
1506   PAO_BlendInteger
1507 };
1508 }
1509 
1510 bool Sema::checkPointerAuthEnabled(SourceLocation Loc, SourceRange Range) {
1511   if (getLangOpts().PointerAuthIntrinsics)
1512     return false;
1513 
1514   Diag(Loc, diag::err_ptrauth_disabled) << Range;
1515   return true;
1516 }
1517 
1518 static bool checkPointerAuthEnabled(Sema &S, Expr *E) {
1519   return S.checkPointerAuthEnabled(E->getExprLoc(), E->getSourceRange());
1520 }
1521 
1522 static bool checkPointerAuthKey(Sema &S, Expr *&Arg) {
1523   // Convert it to type 'int'.
1524   if (convertArgumentToType(S, Arg, S.Context.IntTy))
1525     return true;
1526 
1527   // Value-dependent expressions are okay; wait for template instantiation.
1528   if (Arg->isValueDependent())
1529     return false;
1530 
1531   unsigned KeyValue;
1532   return S.checkConstantPointerAuthKey(Arg, KeyValue);
1533 }
1534 
1535 bool Sema::checkConstantPointerAuthKey(Expr *Arg, unsigned &Result) {
1536   // Attempt to constant-evaluate the expression.
1537   std::optional<llvm::APSInt> KeyValue = Arg->getIntegerConstantExpr(Context);
1538   if (!KeyValue) {
1539     Diag(Arg->getExprLoc(), diag::err_expr_not_ice)
1540         << 0 << Arg->getSourceRange();
1541     return true;
1542   }
1543 
1544   // Ask the target to validate the key parameter.
1545   if (!Context.getTargetInfo().validatePointerAuthKey(*KeyValue)) {
1546     llvm::SmallString<32> Value;
1547     {
1548       llvm::raw_svector_ostream Str(Value);
1549       Str << *KeyValue;
1550     }
1551 
1552     Diag(Arg->getExprLoc(), diag::err_ptrauth_invalid_key)
1553         << Value << Arg->getSourceRange();
1554     return true;
1555   }
1556 
1557   Result = KeyValue->getZExtValue();
1558   return false;
1559 }
1560 
1561 bool Sema::checkPointerAuthDiscriminatorArg(Expr *Arg,
1562                                             PointerAuthDiscArgKind Kind,
1563                                             unsigned &IntVal) {
1564   if (!Arg) {
1565     IntVal = 0;
1566     return true;
1567   }
1568 
1569   std::optional<llvm::APSInt> Result = Arg->getIntegerConstantExpr(Context);
1570   if (!Result) {
1571     Diag(Arg->getExprLoc(), diag::err_ptrauth_arg_not_ice);
1572     return false;
1573   }
1574 
1575   unsigned Max;
1576   bool IsAddrDiscArg = false;
1577 
1578   switch (Kind) {
1579   case PointerAuthDiscArgKind::Addr:
1580     Max = 1;
1581     IsAddrDiscArg = true;
1582     break;
1583   case PointerAuthDiscArgKind::Extra:
1584     Max = PointerAuthQualifier::MaxDiscriminator;
1585     break;
1586   };
1587 
1588   if (*Result < 0 || *Result > Max) {
1589     if (IsAddrDiscArg)
1590       Diag(Arg->getExprLoc(), diag::err_ptrauth_address_discrimination_invalid)
1591           << Result->getExtValue();
1592     else
1593       Diag(Arg->getExprLoc(), diag::err_ptrauth_extra_discriminator_invalid)
1594           << Result->getExtValue() << Max;
1595 
1596     return false;
1597   };
1598 
1599   IntVal = Result->getZExtValue();
1600   return true;
1601 }
1602 
1603 static std::pair<const ValueDecl *, CharUnits>
1604 findConstantBaseAndOffset(Sema &S, Expr *E) {
1605   // Must evaluate as a pointer.
1606   Expr::EvalResult Result;
1607   if (!E->EvaluateAsRValue(Result, S.Context) || !Result.Val.isLValue())
1608     return {nullptr, CharUnits()};
1609 
1610   const auto *BaseDecl =
1611       Result.Val.getLValueBase().dyn_cast<const ValueDecl *>();
1612   if (!BaseDecl)
1613     return {nullptr, CharUnits()};
1614 
1615   return {BaseDecl, Result.Val.getLValueOffset()};
1616 }
1617 
1618 static bool checkPointerAuthValue(Sema &S, Expr *&Arg, PointerAuthOpKind OpKind,
1619                                   bool RequireConstant = false) {
1620   if (Arg->hasPlaceholderType()) {
1621     ExprResult R = S.CheckPlaceholderExpr(Arg);
1622     if (R.isInvalid())
1623       return true;
1624     Arg = R.get();
1625   }
1626 
1627   auto AllowsPointer = [](PointerAuthOpKind OpKind) {
1628     return OpKind != PAO_BlendInteger;
1629   };
1630   auto AllowsInteger = [](PointerAuthOpKind OpKind) {
1631     return OpKind == PAO_Discriminator || OpKind == PAO_BlendInteger ||
1632            OpKind == PAO_SignGeneric;
1633   };
1634 
1635   // Require the value to have the right range of type.
1636   QualType ExpectedTy;
1637   if (AllowsPointer(OpKind) && Arg->getType()->isPointerType()) {
1638     ExpectedTy = Arg->getType().getUnqualifiedType();
1639   } else if (AllowsPointer(OpKind) && Arg->getType()->isNullPtrType()) {
1640     ExpectedTy = S.Context.VoidPtrTy;
1641   } else if (AllowsInteger(OpKind) &&
1642              Arg->getType()->isIntegralOrUnscopedEnumerationType()) {
1643     ExpectedTy = S.Context.getUIntPtrType();
1644 
1645   } else {
1646     // Diagnose the failures.
1647     S.Diag(Arg->getExprLoc(), diag::err_ptrauth_value_bad_type)
1648         << unsigned(OpKind == PAO_Discriminator  ? 1
1649                     : OpKind == PAO_BlendPointer ? 2
1650                     : OpKind == PAO_BlendInteger ? 3
1651                                                  : 0)
1652         << unsigned(AllowsInteger(OpKind) ? (AllowsPointer(OpKind) ? 2 : 1) : 0)
1653         << Arg->getType() << Arg->getSourceRange();
1654     return true;
1655   }
1656 
1657   // Convert to that type.  This should just be an lvalue-to-rvalue
1658   // conversion.
1659   if (convertArgumentToType(S, Arg, ExpectedTy))
1660     return true;
1661 
1662   if (!RequireConstant) {
1663     // Warn about null pointers for non-generic sign and auth operations.
1664     if ((OpKind == PAO_Sign || OpKind == PAO_Auth) &&
1665         Arg->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNull)) {
1666       S.Diag(Arg->getExprLoc(), OpKind == PAO_Sign
1667                                     ? diag::warn_ptrauth_sign_null_pointer
1668                                     : diag::warn_ptrauth_auth_null_pointer)
1669           << Arg->getSourceRange();
1670     }
1671 
1672     return false;
1673   }
1674 
1675   // Perform special checking on the arguments to ptrauth_sign_constant.
1676 
1677   // The main argument.
1678   if (OpKind == PAO_Sign) {
1679     // Require the value we're signing to have a special form.
1680     auto [BaseDecl, Offset] = findConstantBaseAndOffset(S, Arg);
1681     bool Invalid;
1682 
1683     // Must be rooted in a declaration reference.
1684     if (!BaseDecl)
1685       Invalid = true;
1686 
1687     // If it's a function declaration, we can't have an offset.
1688     else if (isa<FunctionDecl>(BaseDecl))
1689       Invalid = !Offset.isZero();
1690 
1691     // Otherwise we're fine.
1692     else
1693       Invalid = false;
1694 
1695     if (Invalid)
1696       S.Diag(Arg->getExprLoc(), diag::err_ptrauth_bad_constant_pointer);
1697     return Invalid;
1698   }
1699 
1700   // The discriminator argument.
1701   assert(OpKind == PAO_Discriminator);
1702 
1703   // Must be a pointer or integer or blend thereof.
1704   Expr *Pointer = nullptr;
1705   Expr *Integer = nullptr;
1706   if (auto *Call = dyn_cast<CallExpr>(Arg->IgnoreParens())) {
1707     if (Call->getBuiltinCallee() ==
1708         Builtin::BI__builtin_ptrauth_blend_discriminator) {
1709       Pointer = Call->getArg(0);
1710       Integer = Call->getArg(1);
1711     }
1712   }
1713   if (!Pointer && !Integer) {
1714     if (Arg->getType()->isPointerType())
1715       Pointer = Arg;
1716     else
1717       Integer = Arg;
1718   }
1719 
1720   // Check the pointer.
1721   bool Invalid = false;
1722   if (Pointer) {
1723     assert(Pointer->getType()->isPointerType());
1724 
1725     // TODO: if we're initializing a global, check that the address is
1726     // somehow related to what we're initializing.  This probably will
1727     // never really be feasible and we'll have to catch it at link-time.
1728     auto [BaseDecl, Offset] = findConstantBaseAndOffset(S, Pointer);
1729     if (!BaseDecl || !isa<VarDecl>(BaseDecl))
1730       Invalid = true;
1731   }
1732 
1733   // Check the integer.
1734   if (Integer) {
1735     assert(Integer->getType()->isIntegerType());
1736     if (!Integer->isEvaluatable(S.Context))
1737       Invalid = true;
1738   }
1739 
1740   if (Invalid)
1741     S.Diag(Arg->getExprLoc(), diag::err_ptrauth_bad_constant_discriminator);
1742   return Invalid;
1743 }
1744 
1745 static ExprResult PointerAuthStrip(Sema &S, CallExpr *Call) {
1746   if (S.checkArgCount(Call, 2))
1747     return ExprError();
1748   if (checkPointerAuthEnabled(S, Call))
1749     return ExprError();
1750   if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_Strip) ||
1751       checkPointerAuthKey(S, Call->getArgs()[1]))
1752     return ExprError();
1753 
1754   Call->setType(Call->getArgs()[0]->getType());
1755   return Call;
1756 }
1757 
1758 static ExprResult PointerAuthBlendDiscriminator(Sema &S, CallExpr *Call) {
1759   if (S.checkArgCount(Call, 2))
1760     return ExprError();
1761   if (checkPointerAuthEnabled(S, Call))
1762     return ExprError();
1763   if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_BlendPointer) ||
1764       checkPointerAuthValue(S, Call->getArgs()[1], PAO_BlendInteger))
1765     return ExprError();
1766 
1767   Call->setType(S.Context.getUIntPtrType());
1768   return Call;
1769 }
1770 
1771 static ExprResult PointerAuthSignGenericData(Sema &S, CallExpr *Call) {
1772   if (S.checkArgCount(Call, 2))
1773     return ExprError();
1774   if (checkPointerAuthEnabled(S, Call))
1775     return ExprError();
1776   if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_SignGeneric) ||
1777       checkPointerAuthValue(S, Call->getArgs()[1], PAO_Discriminator))
1778     return ExprError();
1779 
1780   Call->setType(S.Context.getUIntPtrType());
1781   return Call;
1782 }
1783 
1784 static ExprResult PointerAuthSignOrAuth(Sema &S, CallExpr *Call,
1785                                         PointerAuthOpKind OpKind,
1786                                         bool RequireConstant) {
1787   if (S.checkArgCount(Call, 3))
1788     return ExprError();
1789   if (checkPointerAuthEnabled(S, Call))
1790     return ExprError();
1791   if (checkPointerAuthValue(S, Call->getArgs()[0], OpKind, RequireConstant) ||
1792       checkPointerAuthKey(S, Call->getArgs()[1]) ||
1793       checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator,
1794                             RequireConstant))
1795     return ExprError();
1796 
1797   Call->setType(Call->getArgs()[0]->getType());
1798   return Call;
1799 }
1800 
1801 static ExprResult PointerAuthAuthAndResign(Sema &S, CallExpr *Call) {
1802   if (S.checkArgCount(Call, 5))
1803     return ExprError();
1804   if (checkPointerAuthEnabled(S, Call))
1805     return ExprError();
1806   if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_Auth) ||
1807       checkPointerAuthKey(S, Call->getArgs()[1]) ||
1808       checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator) ||
1809       checkPointerAuthKey(S, Call->getArgs()[3]) ||
1810       checkPointerAuthValue(S, Call->getArgs()[4], PAO_Discriminator))
1811     return ExprError();
1812 
1813   Call->setType(Call->getArgs()[0]->getType());
1814   return Call;
1815 }
1816 
1817 static ExprResult PointerAuthStringDiscriminator(Sema &S, CallExpr *Call) {
1818   if (checkPointerAuthEnabled(S, Call))
1819     return ExprError();
1820 
1821   // We've already performed normal call type-checking.
1822   const Expr *Arg = Call->getArg(0)->IgnoreParenImpCasts();
1823 
1824   // Operand must be an ordinary or UTF-8 string literal.
1825   const auto *Literal = dyn_cast<StringLiteral>(Arg);
1826   if (!Literal || Literal->getCharByteWidth() != 1) {
1827     S.Diag(Arg->getExprLoc(), diag::err_ptrauth_string_not_literal)
1828         << (Literal ? 1 : 0) << Arg->getSourceRange();
1829     return ExprError();
1830   }
1831 
1832   return Call;
1833 }
1834 
1835 static ExprResult GetVTablePointer(Sema &S, CallExpr *Call) {
1836   if (S.checkArgCount(Call, 1))
1837     return ExprError();
1838   Expr *FirstArg = Call->getArg(0);
1839   ExprResult FirstValue = S.DefaultFunctionArrayLvalueConversion(FirstArg);
1840   if (FirstValue.isInvalid())
1841     return ExprError();
1842   Call->setArg(0, FirstValue.get());
1843   QualType FirstArgType = FirstArg->getType();
1844   if (FirstArgType->canDecayToPointerType() && FirstArgType->isArrayType())
1845     FirstArgType = S.Context.getDecayedType(FirstArgType);
1846 
1847   const CXXRecordDecl *FirstArgRecord = FirstArgType->getPointeeCXXRecordDecl();
1848   if (!FirstArgRecord) {
1849     S.Diag(FirstArg->getBeginLoc(), diag::err_get_vtable_pointer_incorrect_type)
1850         << /*isPolymorphic=*/0 << FirstArgType;
1851     return ExprError();
1852   }
1853   if (S.RequireCompleteType(
1854           FirstArg->getBeginLoc(), FirstArgType->getPointeeType(),
1855           diag::err_get_vtable_pointer_requires_complete_type)) {
1856     return ExprError();
1857   }
1858 
1859   if (!FirstArgRecord->isPolymorphic()) {
1860     S.Diag(FirstArg->getBeginLoc(), diag::err_get_vtable_pointer_incorrect_type)
1861         << /*isPolymorphic=*/1 << FirstArgRecord;
1862     return ExprError();
1863   }
1864   QualType ReturnType = S.Context.getPointerType(S.Context.VoidTy.withConst());
1865   Call->setType(ReturnType);
1866   return Call;
1867 }
1868 
1869 static ExprResult BuiltinLaunder(Sema &S, CallExpr *TheCall) {
1870   if (S.checkArgCount(TheCall, 1))
1871     return ExprError();
1872 
1873   // Compute __builtin_launder's parameter type from the argument.
1874   // The parameter type is:
1875   //  * The type of the argument if it's not an array or function type,
1876   //  Otherwise,
1877   //  * The decayed argument type.
1878   QualType ParamTy = [&]() {
1879     QualType ArgTy = TheCall->getArg(0)->getType();
1880     if (const ArrayType *Ty = ArgTy->getAsArrayTypeUnsafe())
1881       return S.Context.getPointerType(Ty->getElementType());
1882     if (ArgTy->isFunctionType()) {
1883       return S.Context.getPointerType(ArgTy);
1884     }
1885     return ArgTy;
1886   }();
1887 
1888   TheCall->setType(ParamTy);
1889 
1890   auto DiagSelect = [&]() -> std::optional<unsigned> {
1891     if (!ParamTy->isPointerType())
1892       return 0;
1893     if (ParamTy->isFunctionPointerType())
1894       return 1;
1895     if (ParamTy->isVoidPointerType())
1896       return 2;
1897     return std::optional<unsigned>{};
1898   }();
1899   if (DiagSelect) {
1900     S.Diag(TheCall->getBeginLoc(), diag::err_builtin_launder_invalid_arg)
1901         << *DiagSelect << TheCall->getSourceRange();
1902     return ExprError();
1903   }
1904 
1905   // We either have an incomplete class type, or we have a class template
1906   // whose instantiation has not been forced. Example:
1907   //
1908   //   template <class T> struct Foo { T value; };
1909   //   Foo<int> *p = nullptr;
1910   //   auto *d = __builtin_launder(p);
1911   if (S.RequireCompleteType(TheCall->getBeginLoc(), ParamTy->getPointeeType(),
1912                             diag::err_incomplete_type))
1913     return ExprError();
1914 
1915   assert(ParamTy->getPointeeType()->isObjectType() &&
1916          "Unhandled non-object pointer case");
1917 
1918   InitializedEntity Entity =
1919       InitializedEntity::InitializeParameter(S.Context, ParamTy, false);
1920   ExprResult Arg =
1921       S.PerformCopyInitialization(Entity, SourceLocation(), TheCall->getArg(0));
1922   if (Arg.isInvalid())
1923     return ExprError();
1924   TheCall->setArg(0, Arg.get());
1925 
1926   return TheCall;
1927 }
1928 
1929 static ExprResult BuiltinIsWithinLifetime(Sema &S, CallExpr *TheCall) {
1930   if (S.checkArgCount(TheCall, 1))
1931     return ExprError();
1932 
1933   ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
1934   if (Arg.isInvalid())
1935     return ExprError();
1936   QualType ParamTy = Arg.get()->getType();
1937   TheCall->setArg(0, Arg.get());
1938   TheCall->setType(S.Context.BoolTy);
1939 
1940   // Only accept pointers to objects as arguments, which should have object
1941   // pointer or void pointer types.
1942   if (const auto *PT = ParamTy->getAs<PointerType>()) {
1943     // LWG4138: Function pointer types not allowed
1944     if (PT->getPointeeType()->isFunctionType()) {
1945       S.Diag(TheCall->getArg(0)->getExprLoc(),
1946              diag::err_builtin_is_within_lifetime_invalid_arg)
1947           << 1;
1948       return ExprError();
1949     }
1950     // Disallow VLAs too since those shouldn't be able to
1951     // be a template parameter for `std::is_within_lifetime`
1952     if (PT->getPointeeType()->isVariableArrayType()) {
1953       S.Diag(TheCall->getArg(0)->getExprLoc(), diag::err_vla_unsupported)
1954           << 1 << "__builtin_is_within_lifetime";
1955       return ExprError();
1956     }
1957   } else {
1958     S.Diag(TheCall->getArg(0)->getExprLoc(),
1959            diag::err_builtin_is_within_lifetime_invalid_arg)
1960         << 0;
1961     return ExprError();
1962   }
1963   return TheCall;
1964 }
1965 
1966 static ExprResult BuiltinTriviallyRelocate(Sema &S, CallExpr *TheCall) {
1967   if (S.checkArgCount(TheCall, 3))
1968     return ExprError();
1969 
1970   QualType Dest = TheCall->getArg(0)->getType();
1971   if (!Dest->isPointerType() || Dest.getCVRQualifiers() != 0) {
1972     S.Diag(TheCall->getArg(0)->getExprLoc(),
1973            diag::err_builtin_trivially_relocate_invalid_arg_type)
1974         << /*a pointer*/ 0;
1975     return ExprError();
1976   }
1977 
1978   QualType T = Dest->getPointeeType();
1979   if (S.RequireCompleteType(TheCall->getBeginLoc(), T,
1980                             diag::err_incomplete_type))
1981     return ExprError();
1982 
1983   if (T.isConstQualified() || !S.IsCXXTriviallyRelocatableType(T) ||
1984       T->isIncompleteArrayType()) {
1985     S.Diag(TheCall->getArg(0)->getExprLoc(),
1986            diag::err_builtin_trivially_relocate_invalid_arg_type)
1987         << (T.isConstQualified() ? /*non-const*/ 1 : /*relocatable*/ 2);
1988     return ExprError();
1989   }
1990 
1991   TheCall->setType(Dest);
1992 
1993   QualType Src = TheCall->getArg(1)->getType();
1994   if (Src.getCanonicalType() != Dest.getCanonicalType()) {
1995     S.Diag(TheCall->getArg(1)->getExprLoc(),
1996            diag::err_builtin_trivially_relocate_invalid_arg_type)
1997         << /*the same*/ 3;
1998     return ExprError();
1999   }
2000 
2001   Expr *SizeExpr = TheCall->getArg(2);
2002   ExprResult Size = S.DefaultLvalueConversion(SizeExpr);
2003   if (Size.isInvalid())
2004     return ExprError();
2005 
2006   Size = S.tryConvertExprToType(Size.get(), S.getASTContext().getSizeType());
2007   if (Size.isInvalid())
2008     return ExprError();
2009   SizeExpr = Size.get();
2010   TheCall->setArg(2, SizeExpr);
2011 
2012   return TheCall;
2013 }
2014 
2015 // Emit an error and return true if the current object format type is in the
2016 // list of unsupported types.
2017 static bool CheckBuiltinTargetNotInUnsupported(
2018     Sema &S, unsigned BuiltinID, CallExpr *TheCall,
2019     ArrayRef<llvm::Triple::ObjectFormatType> UnsupportedObjectFormatTypes) {
2020   llvm::Triple::ObjectFormatType CurObjFormat =
2021       S.getASTContext().getTargetInfo().getTriple().getObjectFormat();
2022   if (llvm::is_contained(UnsupportedObjectFormatTypes, CurObjFormat)) {
2023     S.Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
2024         << TheCall->getSourceRange();
2025     return true;
2026   }
2027   return false;
2028 }
2029 
2030 // Emit an error and return true if the current architecture is not in the list
2031 // of supported architectures.
2032 static bool
2033 CheckBuiltinTargetInSupported(Sema &S, CallExpr *TheCall,
2034                               ArrayRef<llvm::Triple::ArchType> SupportedArchs) {
2035   llvm::Triple::ArchType CurArch =
2036       S.getASTContext().getTargetInfo().getTriple().getArch();
2037   if (llvm::is_contained(SupportedArchs, CurArch))
2038     return false;
2039   S.Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
2040       << TheCall->getSourceRange();
2041   return true;
2042 }
2043 
2044 static void CheckNonNullArgument(Sema &S, const Expr *ArgExpr,
2045                                  SourceLocation CallSiteLoc);
2046 
2047 bool Sema::CheckTSBuiltinFunctionCall(const TargetInfo &TI, unsigned BuiltinID,
2048                                       CallExpr *TheCall) {
2049   switch (TI.getTriple().getArch()) {
2050   default:
2051     // Some builtins don't require additional checking, so just consider these
2052     // acceptable.
2053     return false;
2054   case llvm::Triple::arm:
2055   case llvm::Triple::armeb:
2056   case llvm::Triple::thumb:
2057   case llvm::Triple::thumbeb:
2058     return ARM().CheckARMBuiltinFunctionCall(TI, BuiltinID, TheCall);
2059   case llvm::Triple::aarch64:
2060   case llvm::Triple::aarch64_32:
2061   case llvm::Triple::aarch64_be:
2062     return ARM().CheckAArch64BuiltinFunctionCall(TI, BuiltinID, TheCall);
2063   case llvm::Triple::bpfeb:
2064   case llvm::Triple::bpfel:
2065     return BPF().CheckBPFBuiltinFunctionCall(BuiltinID, TheCall);
2066   case llvm::Triple::dxil:
2067     return DirectX().CheckDirectXBuiltinFunctionCall(BuiltinID, TheCall);
2068   case llvm::Triple::hexagon:
2069     return Hexagon().CheckHexagonBuiltinFunctionCall(BuiltinID, TheCall);
2070   case llvm::Triple::mips:
2071   case llvm::Triple::mipsel:
2072   case llvm::Triple::mips64:
2073   case llvm::Triple::mips64el:
2074     return MIPS().CheckMipsBuiltinFunctionCall(TI, BuiltinID, TheCall);
2075   case llvm::Triple::spirv:
2076   case llvm::Triple::spirv32:
2077   case llvm::Triple::spirv64:
2078     if (TI.getTriple().getOS() != llvm::Triple::OSType::AMDHSA)
2079       return SPIRV().CheckSPIRVBuiltinFunctionCall(TI, BuiltinID, TheCall);
2080     return false;
2081   case llvm::Triple::systemz:
2082     return SystemZ().CheckSystemZBuiltinFunctionCall(BuiltinID, TheCall);
2083   case llvm::Triple::x86:
2084   case llvm::Triple::x86_64:
2085     return X86().CheckBuiltinFunctionCall(TI, BuiltinID, TheCall);
2086   case llvm::Triple::ppc:
2087   case llvm::Triple::ppcle:
2088   case llvm::Triple::ppc64:
2089   case llvm::Triple::ppc64le:
2090     return PPC().CheckPPCBuiltinFunctionCall(TI, BuiltinID, TheCall);
2091   case llvm::Triple::amdgcn:
2092     return AMDGPU().CheckAMDGCNBuiltinFunctionCall(BuiltinID, TheCall);
2093   case llvm::Triple::riscv32:
2094   case llvm::Triple::riscv64:
2095     return RISCV().CheckBuiltinFunctionCall(TI, BuiltinID, TheCall);
2096   case llvm::Triple::loongarch32:
2097   case llvm::Triple::loongarch64:
2098     return LoongArch().CheckLoongArchBuiltinFunctionCall(TI, BuiltinID,
2099                                                          TheCall);
2100   case llvm::Triple::wasm32:
2101   case llvm::Triple::wasm64:
2102     return Wasm().CheckWebAssemblyBuiltinFunctionCall(TI, BuiltinID, TheCall);
2103   case llvm::Triple::nvptx:
2104   case llvm::Triple::nvptx64:
2105     return NVPTX().CheckNVPTXBuiltinFunctionCall(TI, BuiltinID, TheCall);
2106   }
2107 }
2108 
2109 // Check if \p Ty is a valid type for the elementwise math builtins. If it is
2110 // not a valid type, emit an error message and return true. Otherwise return
2111 // false.
2112 static bool
2113 checkMathBuiltinElementType(Sema &S, SourceLocation Loc, QualType ArgTy,
2114                             Sema::EltwiseBuiltinArgTyRestriction ArgTyRestr,
2115                             int ArgOrdinal) {
2116   QualType EltTy = ArgTy;
2117   if (auto *VecTy = EltTy->getAs<VectorType>())
2118     EltTy = VecTy->getElementType();
2119 
2120   switch (ArgTyRestr) {
2121   case Sema::EltwiseBuiltinArgTyRestriction::None:
2122     if (!ArgTy->getAs<VectorType>() &&
2123         !ConstantMatrixType::isValidElementType(ArgTy)) {
2124       return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
2125              << ArgOrdinal << /* vector */ 2 << /* integer */ 1 << /* fp */ 1
2126              << ArgTy;
2127     }
2128     break;
2129   case Sema::EltwiseBuiltinArgTyRestriction::FloatTy:
2130     if (!EltTy->isRealFloatingType()) {
2131       return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
2132              << ArgOrdinal << /* scalar or vector */ 5 << /* no int */ 0
2133              << /* floating-point */ 1 << ArgTy;
2134     }
2135     break;
2136   case Sema::EltwiseBuiltinArgTyRestriction::IntegerTy:
2137     if (!EltTy->isIntegerType()) {
2138       return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
2139              << ArgOrdinal << /* scalar or vector */ 5 << /* integer */ 1
2140              << /* no fp */ 0 << ArgTy;
2141     }
2142     break;
2143   case Sema::EltwiseBuiltinArgTyRestriction::SignedIntOrFloatTy:
2144     if (EltTy->isUnsignedIntegerType()) {
2145       return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
2146              << 1 << /* scalar or vector */ 5 << /* signed int */ 2
2147              << /* or fp */ 1 << ArgTy;
2148     }
2149     break;
2150   }
2151 
2152   return false;
2153 }
2154 
2155 /// BuiltinCpu{Supports|Is} - Handle __builtin_cpu_{supports|is}(char *).
2156 /// This checks that the target supports the builtin and that the string
2157 /// argument is constant and valid.
2158 static bool BuiltinCpu(Sema &S, const TargetInfo &TI, CallExpr *TheCall,
2159                        const TargetInfo *AuxTI, unsigned BuiltinID) {
2160   assert((BuiltinID == Builtin::BI__builtin_cpu_supports ||
2161           BuiltinID == Builtin::BI__builtin_cpu_is) &&
2162          "Expecting __builtin_cpu_...");
2163 
2164   bool IsCPUSupports = BuiltinID == Builtin::BI__builtin_cpu_supports;
2165   const TargetInfo *TheTI = &TI;
2166   auto SupportsBI = [=](const TargetInfo *TInfo) {
2167     return TInfo && ((IsCPUSupports && TInfo->supportsCpuSupports()) ||
2168                      (!IsCPUSupports && TInfo->supportsCpuIs()));
2169   };
2170   if (!SupportsBI(&TI) && SupportsBI(AuxTI))
2171     TheTI = AuxTI;
2172 
2173   if ((!IsCPUSupports && !TheTI->supportsCpuIs()) ||
2174       (IsCPUSupports && !TheTI->supportsCpuSupports()))
2175     return S.Diag(TheCall->getBeginLoc(),
2176                   TI.getTriple().isOSAIX()
2177                       ? diag::err_builtin_aix_os_unsupported
2178                       : diag::err_builtin_target_unsupported)
2179            << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
2180 
2181   Expr *Arg = TheCall->getArg(0)->IgnoreParenImpCasts();
2182   // Check if the argument is a string literal.
2183   if (!isa<StringLiteral>(Arg))
2184     return S.Diag(TheCall->getBeginLoc(), diag::err_expr_not_string_literal)
2185            << Arg->getSourceRange();
2186 
2187   // Check the contents of the string.
2188   StringRef Feature = cast<StringLiteral>(Arg)->getString();
2189   if (IsCPUSupports && !TheTI->validateCpuSupports(Feature)) {
2190     S.Diag(TheCall->getBeginLoc(), diag::warn_invalid_cpu_supports)
2191         << Arg->getSourceRange();
2192     return false;
2193   }
2194   if (!IsCPUSupports && !TheTI->validateCpuIs(Feature))
2195     return S.Diag(TheCall->getBeginLoc(), diag::err_invalid_cpu_is)
2196            << Arg->getSourceRange();
2197   return false;
2198 }
2199 
2200 /// Checks that __builtin_popcountg was called with a single argument, which is
2201 /// an unsigned integer.
2202 static bool BuiltinPopcountg(Sema &S, CallExpr *TheCall) {
2203   if (S.checkArgCount(TheCall, 1))
2204     return true;
2205 
2206   ExprResult ArgRes = S.DefaultLvalueConversion(TheCall->getArg(0));
2207   if (ArgRes.isInvalid())
2208     return true;
2209 
2210   Expr *Arg = ArgRes.get();
2211   TheCall->setArg(0, Arg);
2212 
2213   QualType ArgTy = Arg->getType();
2214 
2215   if (!ArgTy->isUnsignedIntegerType()) {
2216     S.Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2217         << 1 << /* scalar */ 1 << /* unsigned integer ty */ 3 << /* no fp */ 0
2218         << ArgTy;
2219     return true;
2220   }
2221   return false;
2222 }
2223 
2224 /// Checks that __builtin_{clzg,ctzg} was called with a first argument, which is
2225 /// an unsigned integer, and an optional second argument, which is promoted to
2226 /// an 'int'.
2227 static bool BuiltinCountZeroBitsGeneric(Sema &S, CallExpr *TheCall) {
2228   if (S.checkArgCountRange(TheCall, 1, 2))
2229     return true;
2230 
2231   ExprResult Arg0Res = S.DefaultLvalueConversion(TheCall->getArg(0));
2232   if (Arg0Res.isInvalid())
2233     return true;
2234 
2235   Expr *Arg0 = Arg0Res.get();
2236   TheCall->setArg(0, Arg0);
2237 
2238   QualType Arg0Ty = Arg0->getType();
2239 
2240   if (!Arg0Ty->isUnsignedIntegerType()) {
2241     S.Diag(Arg0->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2242         << 1 << /* scalar */ 1 << /* unsigned integer ty */ 3 << /* no fp */ 0
2243         << Arg0Ty;
2244     return true;
2245   }
2246 
2247   if (TheCall->getNumArgs() > 1) {
2248     ExprResult Arg1Res = S.UsualUnaryConversions(TheCall->getArg(1));
2249     if (Arg1Res.isInvalid())
2250       return true;
2251 
2252     Expr *Arg1 = Arg1Res.get();
2253     TheCall->setArg(1, Arg1);
2254 
2255     QualType Arg1Ty = Arg1->getType();
2256 
2257     if (!Arg1Ty->isSpecificBuiltinType(BuiltinType::Int)) {
2258       S.Diag(Arg1->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2259           << 2 << /* scalar */ 1 << /* 'int' ty */ 4 << /* no fp */ 0 << Arg1Ty;
2260       return true;
2261     }
2262   }
2263 
2264   return false;
2265 }
2266 
2267 static ExprResult BuiltinInvoke(Sema &S, CallExpr *TheCall) {
2268   SourceLocation Loc = TheCall->getBeginLoc();
2269   MutableArrayRef Args(TheCall->getArgs(), TheCall->getNumArgs());
2270   assert(llvm::none_of(Args, [](Expr *Arg) { return Arg->isTypeDependent(); }));
2271 
2272   if (Args.size() == 0) {
2273     S.Diag(TheCall->getBeginLoc(),
2274            diag::err_typecheck_call_too_few_args_at_least)
2275         << /*callee_type=*/0 << /*min_arg_count=*/1 << /*actual_arg_count=*/0
2276         << /*is_non_object=*/0 << TheCall->getSourceRange();
2277     return ExprError();
2278   }
2279 
2280   QualType FuncT = Args[0]->getType();
2281 
2282   if (const auto *MPT = FuncT->getAs<MemberPointerType>()) {
2283     if (Args.size() < 2) {
2284       S.Diag(TheCall->getBeginLoc(),
2285              diag::err_typecheck_call_too_few_args_at_least)
2286           << /*callee_type=*/0 << /*min_arg_count=*/2 << /*actual_arg_count=*/1
2287           << /*is_non_object=*/0 << TheCall->getSourceRange();
2288       return ExprError();
2289     }
2290 
2291     const Type *MemPtrClass = MPT->getQualifier()->getAsType();
2292     QualType ObjectT = Args[1]->getType();
2293 
2294     if (MPT->isMemberDataPointer() && S.checkArgCount(TheCall, 2))
2295       return ExprError();
2296 
2297     ExprResult ObjectArg = [&]() -> ExprResult {
2298       // (1.1): (t1.*f)(t2, ..., tN) when f is a pointer to a member function of
2299       // a class T and is_same_v<T, remove_cvref_t<decltype(t1)>> ||
2300       // is_base_of_v<T, remove_cvref_t<decltype(t1)>> is true;
2301       // (1.4): t1.*f when N=1 and f is a pointer to data member of a class T
2302       // and is_same_v<T, remove_cvref_t<decltype(t1)>> ||
2303       // is_base_of_v<T, remove_cvref_t<decltype(t1)>> is true;
2304       if (S.Context.hasSameType(QualType(MemPtrClass, 0),
2305                                 S.BuiltinRemoveCVRef(ObjectT, Loc)) ||
2306           S.BuiltinIsBaseOf(Args[1]->getBeginLoc(), QualType(MemPtrClass, 0),
2307                             S.BuiltinRemoveCVRef(ObjectT, Loc))) {
2308         return Args[1];
2309       }
2310 
2311       // (t1.get().*f)(t2, ..., tN) when f is a pointer to a member function of
2312       // a class T and remove_cvref_t<decltype(t1)> is a specialization of
2313       // reference_wrapper;
2314       if (const auto *RD = ObjectT->getAsCXXRecordDecl()) {
2315         if (RD->isInStdNamespace() &&
2316             RD->getDeclName().getAsString() == "reference_wrapper") {
2317           CXXScopeSpec SS;
2318           IdentifierInfo *GetName = &S.Context.Idents.get("get");
2319           UnqualifiedId GetID;
2320           GetID.setIdentifier(GetName, Loc);
2321 
2322           ExprResult MemExpr = S.ActOnMemberAccessExpr(
2323               S.getCurScope(), Args[1], Loc, tok::period, SS,
2324               /*TemplateKWLoc=*/SourceLocation(), GetID, nullptr);
2325 
2326           if (MemExpr.isInvalid())
2327             return ExprError();
2328 
2329           return S.ActOnCallExpr(S.getCurScope(), MemExpr.get(), Loc, {}, Loc);
2330         }
2331       }
2332 
2333       // ((*t1).*f)(t2, ..., tN) when f is a pointer to a member function of a
2334       // class T and t1 does not satisfy the previous two items;
2335 
2336       return S.ActOnUnaryOp(S.getCurScope(), Loc, tok::star, Args[1]);
2337     }();
2338 
2339     if (ObjectArg.isInvalid())
2340       return ExprError();
2341 
2342     ExprResult BinOp = S.ActOnBinOp(S.getCurScope(), TheCall->getBeginLoc(),
2343                                     tok::periodstar, ObjectArg.get(), Args[0]);
2344     if (BinOp.isInvalid())
2345       return ExprError();
2346 
2347     if (MPT->isMemberDataPointer())
2348       return BinOp;
2349 
2350     auto *MemCall = new (S.Context)
2351         ParenExpr(SourceLocation(), SourceLocation(), BinOp.get());
2352 
2353     return S.ActOnCallExpr(S.getCurScope(), MemCall, TheCall->getBeginLoc(),
2354                            Args.drop_front(2), TheCall->getRParenLoc());
2355   }
2356   return S.ActOnCallExpr(S.getCurScope(), Args.front(), TheCall->getBeginLoc(),
2357                          Args.drop_front(), TheCall->getRParenLoc());
2358 }
2359 
2360 ExprResult
2361 Sema::CheckBuiltinFunctionCall(FunctionDecl *FDecl, unsigned BuiltinID,
2362                                CallExpr *TheCall) {
2363   ExprResult TheCallResult(TheCall);
2364 
2365   // Find out if any arguments are required to be integer constant expressions.
2366   unsigned ICEArguments = 0;
2367   ASTContext::GetBuiltinTypeError Error;
2368   Context.GetBuiltinType(BuiltinID, Error, &ICEArguments);
2369   if (Error != ASTContext::GE_None)
2370     ICEArguments = 0;  // Don't diagnose previously diagnosed errors.
2371 
2372   // If any arguments are required to be ICE's, check and diagnose.
2373   for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) {
2374     // Skip arguments not required to be ICE's.
2375     if ((ICEArguments & (1 << ArgNo)) == 0) continue;
2376 
2377     llvm::APSInt Result;
2378     // If we don't have enough arguments, continue so we can issue better
2379     // diagnostic in checkArgCount(...)
2380     if (ArgNo < TheCall->getNumArgs() &&
2381         BuiltinConstantArg(TheCall, ArgNo, Result))
2382       return true;
2383     ICEArguments &= ~(1 << ArgNo);
2384   }
2385 
2386   FPOptions FPO;
2387   switch (BuiltinID) {
2388   case Builtin::BI__builtin_cpu_supports:
2389   case Builtin::BI__builtin_cpu_is:
2390     if (BuiltinCpu(*this, Context.getTargetInfo(), TheCall,
2391                    Context.getAuxTargetInfo(), BuiltinID))
2392       return ExprError();
2393     break;
2394   case Builtin::BI__builtin_cpu_init:
2395     if (!Context.getTargetInfo().supportsCpuInit()) {
2396       Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
2397           << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
2398       return ExprError();
2399     }
2400     break;
2401   case Builtin::BI__builtin___CFStringMakeConstantString:
2402     // CFStringMakeConstantString is currently not implemented for GOFF (i.e.,
2403     // on z/OS) and for XCOFF (i.e., on AIX). Emit unsupported
2404     if (CheckBuiltinTargetNotInUnsupported(
2405             *this, BuiltinID, TheCall,
2406             {llvm::Triple::GOFF, llvm::Triple::XCOFF}))
2407       return ExprError();
2408     assert(TheCall->getNumArgs() == 1 &&
2409            "Wrong # arguments to builtin CFStringMakeConstantString");
2410     if (ObjC().CheckObjCString(TheCall->getArg(0)))
2411       return ExprError();
2412     break;
2413   case Builtin::BI__builtin_ms_va_start:
2414   case Builtin::BI__builtin_stdarg_start:
2415   case Builtin::BI__builtin_va_start:
2416   case Builtin::BI__builtin_c23_va_start:
2417     if (BuiltinVAStart(BuiltinID, TheCall))
2418       return ExprError();
2419     break;
2420   case Builtin::BI__va_start: {
2421     switch (Context.getTargetInfo().getTriple().getArch()) {
2422     case llvm::Triple::aarch64:
2423     case llvm::Triple::arm:
2424     case llvm::Triple::thumb:
2425       if (BuiltinVAStartARMMicrosoft(TheCall))
2426         return ExprError();
2427       break;
2428     default:
2429       if (BuiltinVAStart(BuiltinID, TheCall))
2430         return ExprError();
2431       break;
2432     }
2433     break;
2434   }
2435 
2436   // The acquire, release, and no fence variants are ARM and AArch64 only.
2437   case Builtin::BI_interlockedbittestandset_acq:
2438   case Builtin::BI_interlockedbittestandset_rel:
2439   case Builtin::BI_interlockedbittestandset_nf:
2440   case Builtin::BI_interlockedbittestandreset_acq:
2441   case Builtin::BI_interlockedbittestandreset_rel:
2442   case Builtin::BI_interlockedbittestandreset_nf:
2443     if (CheckBuiltinTargetInSupported(
2444             *this, TheCall,
2445             {llvm::Triple::arm, llvm::Triple::thumb, llvm::Triple::aarch64}))
2446       return ExprError();
2447     break;
2448 
2449   // The 64-bit bittest variants are x64, ARM, and AArch64 only.
2450   case Builtin::BI_bittest64:
2451   case Builtin::BI_bittestandcomplement64:
2452   case Builtin::BI_bittestandreset64:
2453   case Builtin::BI_bittestandset64:
2454   case Builtin::BI_interlockedbittestandreset64:
2455   case Builtin::BI_interlockedbittestandset64:
2456     if (CheckBuiltinTargetInSupported(
2457             *this, TheCall,
2458             {llvm::Triple::x86_64, llvm::Triple::arm, llvm::Triple::thumb,
2459              llvm::Triple::aarch64, llvm::Triple::amdgcn}))
2460       return ExprError();
2461     break;
2462 
2463   // The 64-bit acquire, release, and no fence variants are AArch64 only.
2464   case Builtin::BI_interlockedbittestandreset64_acq:
2465   case Builtin::BI_interlockedbittestandreset64_rel:
2466   case Builtin::BI_interlockedbittestandreset64_nf:
2467   case Builtin::BI_interlockedbittestandset64_acq:
2468   case Builtin::BI_interlockedbittestandset64_rel:
2469   case Builtin::BI_interlockedbittestandset64_nf:
2470     if (CheckBuiltinTargetInSupported(*this, TheCall, {llvm::Triple::aarch64}))
2471       return ExprError();
2472     break;
2473 
2474   case Builtin::BI__builtin_set_flt_rounds:
2475     if (CheckBuiltinTargetInSupported(
2476             *this, TheCall,
2477             {llvm::Triple::x86, llvm::Triple::x86_64, llvm::Triple::arm,
2478              llvm::Triple::thumb, llvm::Triple::aarch64, llvm::Triple::amdgcn,
2479              llvm::Triple::ppc, llvm::Triple::ppc64, llvm::Triple::ppcle,
2480              llvm::Triple::ppc64le}))
2481       return ExprError();
2482     break;
2483 
2484   case Builtin::BI__builtin_isgreater:
2485   case Builtin::BI__builtin_isgreaterequal:
2486   case Builtin::BI__builtin_isless:
2487   case Builtin::BI__builtin_islessequal:
2488   case Builtin::BI__builtin_islessgreater:
2489   case Builtin::BI__builtin_isunordered:
2490     if (BuiltinUnorderedCompare(TheCall, BuiltinID))
2491       return ExprError();
2492     break;
2493   case Builtin::BI__builtin_fpclassify:
2494     if (BuiltinFPClassification(TheCall, 6, BuiltinID))
2495       return ExprError();
2496     break;
2497   case Builtin::BI__builtin_isfpclass:
2498     if (BuiltinFPClassification(TheCall, 2, BuiltinID))
2499       return ExprError();
2500     break;
2501   case Builtin::BI__builtin_isfinite:
2502   case Builtin::BI__builtin_isinf:
2503   case Builtin::BI__builtin_isinf_sign:
2504   case Builtin::BI__builtin_isnan:
2505   case Builtin::BI__builtin_issignaling:
2506   case Builtin::BI__builtin_isnormal:
2507   case Builtin::BI__builtin_issubnormal:
2508   case Builtin::BI__builtin_iszero:
2509   case Builtin::BI__builtin_signbit:
2510   case Builtin::BI__builtin_signbitf:
2511   case Builtin::BI__builtin_signbitl:
2512     if (BuiltinFPClassification(TheCall, 1, BuiltinID))
2513       return ExprError();
2514     break;
2515   case Builtin::BI__builtin_shufflevector:
2516     return BuiltinShuffleVector(TheCall);
2517     // TheCall will be freed by the smart pointer here, but that's fine, since
2518     // BuiltinShuffleVector guts it, but then doesn't release it.
2519   case Builtin::BI__builtin_invoke:
2520     return BuiltinInvoke(*this, TheCall);
2521   case Builtin::BI__builtin_prefetch:
2522     if (BuiltinPrefetch(TheCall))
2523       return ExprError();
2524     break;
2525   case Builtin::BI__builtin_alloca_with_align:
2526   case Builtin::BI__builtin_alloca_with_align_uninitialized:
2527     if (BuiltinAllocaWithAlign(TheCall))
2528       return ExprError();
2529     [[fallthrough]];
2530   case Builtin::BI__builtin_alloca:
2531   case Builtin::BI__builtin_alloca_uninitialized:
2532     Diag(TheCall->getBeginLoc(), diag::warn_alloca)
2533         << TheCall->getDirectCallee();
2534     if (getLangOpts().OpenCL) {
2535       builtinAllocaAddrSpace(*this, TheCall);
2536     }
2537     break;
2538   case Builtin::BI__arithmetic_fence:
2539     if (BuiltinArithmeticFence(TheCall))
2540       return ExprError();
2541     break;
2542   case Builtin::BI__assume:
2543   case Builtin::BI__builtin_assume:
2544     if (BuiltinAssume(TheCall))
2545       return ExprError();
2546     break;
2547   case Builtin::BI__builtin_assume_aligned:
2548     if (BuiltinAssumeAligned(TheCall))
2549       return ExprError();
2550     break;
2551   case Builtin::BI__builtin_dynamic_object_size:
2552   case Builtin::BI__builtin_object_size:
2553     if (BuiltinConstantArgRange(TheCall, 1, 0, 3))
2554       return ExprError();
2555     break;
2556   case Builtin::BI__builtin_longjmp:
2557     if (BuiltinLongjmp(TheCall))
2558       return ExprError();
2559     break;
2560   case Builtin::BI__builtin_setjmp:
2561     if (BuiltinSetjmp(TheCall))
2562       return ExprError();
2563     break;
2564   case Builtin::BI__builtin_classify_type:
2565     if (checkArgCount(TheCall, 1))
2566       return true;
2567     TheCall->setType(Context.IntTy);
2568     break;
2569   case Builtin::BI__builtin_complex:
2570     if (BuiltinComplex(TheCall))
2571       return ExprError();
2572     break;
2573   case Builtin::BI__builtin_constant_p: {
2574     if (checkArgCount(TheCall, 1))
2575       return true;
2576     ExprResult Arg = DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
2577     if (Arg.isInvalid()) return true;
2578     TheCall->setArg(0, Arg.get());
2579     TheCall->setType(Context.IntTy);
2580     break;
2581   }
2582   case Builtin::BI__builtin_launder:
2583     return BuiltinLaunder(*this, TheCall);
2584   case Builtin::BI__builtin_is_within_lifetime:
2585     return BuiltinIsWithinLifetime(*this, TheCall);
2586   case Builtin::BI__builtin_trivially_relocate:
2587     return BuiltinTriviallyRelocate(*this, TheCall);
2588 
2589   case Builtin::BI__sync_fetch_and_add:
2590   case Builtin::BI__sync_fetch_and_add_1:
2591   case Builtin::BI__sync_fetch_and_add_2:
2592   case Builtin::BI__sync_fetch_and_add_4:
2593   case Builtin::BI__sync_fetch_and_add_8:
2594   case Builtin::BI__sync_fetch_and_add_16:
2595   case Builtin::BI__sync_fetch_and_sub:
2596   case Builtin::BI__sync_fetch_and_sub_1:
2597   case Builtin::BI__sync_fetch_and_sub_2:
2598   case Builtin::BI__sync_fetch_and_sub_4:
2599   case Builtin::BI__sync_fetch_and_sub_8:
2600   case Builtin::BI__sync_fetch_and_sub_16:
2601   case Builtin::BI__sync_fetch_and_or:
2602   case Builtin::BI__sync_fetch_and_or_1:
2603   case Builtin::BI__sync_fetch_and_or_2:
2604   case Builtin::BI__sync_fetch_and_or_4:
2605   case Builtin::BI__sync_fetch_and_or_8:
2606   case Builtin::BI__sync_fetch_and_or_16:
2607   case Builtin::BI__sync_fetch_and_and:
2608   case Builtin::BI__sync_fetch_and_and_1:
2609   case Builtin::BI__sync_fetch_and_and_2:
2610   case Builtin::BI__sync_fetch_and_and_4:
2611   case Builtin::BI__sync_fetch_and_and_8:
2612   case Builtin::BI__sync_fetch_and_and_16:
2613   case Builtin::BI__sync_fetch_and_xor:
2614   case Builtin::BI__sync_fetch_and_xor_1:
2615   case Builtin::BI__sync_fetch_and_xor_2:
2616   case Builtin::BI__sync_fetch_and_xor_4:
2617   case Builtin::BI__sync_fetch_and_xor_8:
2618   case Builtin::BI__sync_fetch_and_xor_16:
2619   case Builtin::BI__sync_fetch_and_nand:
2620   case Builtin::BI__sync_fetch_and_nand_1:
2621   case Builtin::BI__sync_fetch_and_nand_2:
2622   case Builtin::BI__sync_fetch_and_nand_4:
2623   case Builtin::BI__sync_fetch_and_nand_8:
2624   case Builtin::BI__sync_fetch_and_nand_16:
2625   case Builtin::BI__sync_add_and_fetch:
2626   case Builtin::BI__sync_add_and_fetch_1:
2627   case Builtin::BI__sync_add_and_fetch_2:
2628   case Builtin::BI__sync_add_and_fetch_4:
2629   case Builtin::BI__sync_add_and_fetch_8:
2630   case Builtin::BI__sync_add_and_fetch_16:
2631   case Builtin::BI__sync_sub_and_fetch:
2632   case Builtin::BI__sync_sub_and_fetch_1:
2633   case Builtin::BI__sync_sub_and_fetch_2:
2634   case Builtin::BI__sync_sub_and_fetch_4:
2635   case Builtin::BI__sync_sub_and_fetch_8:
2636   case Builtin::BI__sync_sub_and_fetch_16:
2637   case Builtin::BI__sync_and_and_fetch:
2638   case Builtin::BI__sync_and_and_fetch_1:
2639   case Builtin::BI__sync_and_and_fetch_2:
2640   case Builtin::BI__sync_and_and_fetch_4:
2641   case Builtin::BI__sync_and_and_fetch_8:
2642   case Builtin::BI__sync_and_and_fetch_16:
2643   case Builtin::BI__sync_or_and_fetch:
2644   case Builtin::BI__sync_or_and_fetch_1:
2645   case Builtin::BI__sync_or_and_fetch_2:
2646   case Builtin::BI__sync_or_and_fetch_4:
2647   case Builtin::BI__sync_or_and_fetch_8:
2648   case Builtin::BI__sync_or_and_fetch_16:
2649   case Builtin::BI__sync_xor_and_fetch:
2650   case Builtin::BI__sync_xor_and_fetch_1:
2651   case Builtin::BI__sync_xor_and_fetch_2:
2652   case Builtin::BI__sync_xor_and_fetch_4:
2653   case Builtin::BI__sync_xor_and_fetch_8:
2654   case Builtin::BI__sync_xor_and_fetch_16:
2655   case Builtin::BI__sync_nand_and_fetch:
2656   case Builtin::BI__sync_nand_and_fetch_1:
2657   case Builtin::BI__sync_nand_and_fetch_2:
2658   case Builtin::BI__sync_nand_and_fetch_4:
2659   case Builtin::BI__sync_nand_and_fetch_8:
2660   case Builtin::BI__sync_nand_and_fetch_16:
2661   case Builtin::BI__sync_val_compare_and_swap:
2662   case Builtin::BI__sync_val_compare_and_swap_1:
2663   case Builtin::BI__sync_val_compare_and_swap_2:
2664   case Builtin::BI__sync_val_compare_and_swap_4:
2665   case Builtin::BI__sync_val_compare_and_swap_8:
2666   case Builtin::BI__sync_val_compare_and_swap_16:
2667   case Builtin::BI__sync_bool_compare_and_swap:
2668   case Builtin::BI__sync_bool_compare_and_swap_1:
2669   case Builtin::BI__sync_bool_compare_and_swap_2:
2670   case Builtin::BI__sync_bool_compare_and_swap_4:
2671   case Builtin::BI__sync_bool_compare_and_swap_8:
2672   case Builtin::BI__sync_bool_compare_and_swap_16:
2673   case Builtin::BI__sync_lock_test_and_set:
2674   case Builtin::BI__sync_lock_test_and_set_1:
2675   case Builtin::BI__sync_lock_test_and_set_2:
2676   case Builtin::BI__sync_lock_test_and_set_4:
2677   case Builtin::BI__sync_lock_test_and_set_8:
2678   case Builtin::BI__sync_lock_test_and_set_16:
2679   case Builtin::BI__sync_lock_release:
2680   case Builtin::BI__sync_lock_release_1:
2681   case Builtin::BI__sync_lock_release_2:
2682   case Builtin::BI__sync_lock_release_4:
2683   case Builtin::BI__sync_lock_release_8:
2684   case Builtin::BI__sync_lock_release_16:
2685   case Builtin::BI__sync_swap:
2686   case Builtin::BI__sync_swap_1:
2687   case Builtin::BI__sync_swap_2:
2688   case Builtin::BI__sync_swap_4:
2689   case Builtin::BI__sync_swap_8:
2690   case Builtin::BI__sync_swap_16:
2691     return BuiltinAtomicOverloaded(TheCallResult);
2692   case Builtin::BI__sync_synchronize:
2693     Diag(TheCall->getBeginLoc(), diag::warn_atomic_implicit_seq_cst)
2694         << TheCall->getCallee()->getSourceRange();
2695     break;
2696   case Builtin::BI__builtin_nontemporal_load:
2697   case Builtin::BI__builtin_nontemporal_store:
2698     return BuiltinNontemporalOverloaded(TheCallResult);
2699   case Builtin::BI__builtin_memcpy_inline: {
2700     clang::Expr *SizeOp = TheCall->getArg(2);
2701     // We warn about copying to or from `nullptr` pointers when `size` is
2702     // greater than 0. When `size` is value dependent we cannot evaluate its
2703     // value so we bail out.
2704     if (SizeOp->isValueDependent())
2705       break;
2706     if (!SizeOp->EvaluateKnownConstInt(Context).isZero()) {
2707       CheckNonNullArgument(*this, TheCall->getArg(0), TheCall->getExprLoc());
2708       CheckNonNullArgument(*this, TheCall->getArg(1), TheCall->getExprLoc());
2709     }
2710     break;
2711   }
2712   case Builtin::BI__builtin_memset_inline: {
2713     clang::Expr *SizeOp = TheCall->getArg(2);
2714     // We warn about filling to `nullptr` pointers when `size` is greater than
2715     // 0. When `size` is value dependent we cannot evaluate its value so we bail
2716     // out.
2717     if (SizeOp->isValueDependent())
2718       break;
2719     if (!SizeOp->EvaluateKnownConstInt(Context).isZero())
2720       CheckNonNullArgument(*this, TheCall->getArg(0), TheCall->getExprLoc());
2721     break;
2722   }
2723 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS)                                        \
2724   case Builtin::BI##ID:                                                        \
2725     return AtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID);
2726 #include "clang/Basic/Builtins.inc"
2727   case Builtin::BI__annotation:
2728     if (BuiltinMSVCAnnotation(*this, TheCall))
2729       return ExprError();
2730     break;
2731   case Builtin::BI__builtin_annotation:
2732     if (BuiltinAnnotation(*this, TheCall))
2733       return ExprError();
2734     break;
2735   case Builtin::BI__builtin_addressof:
2736     if (BuiltinAddressof(*this, TheCall))
2737       return ExprError();
2738     break;
2739   case Builtin::BI__builtin_function_start:
2740     if (BuiltinFunctionStart(*this, TheCall))
2741       return ExprError();
2742     break;
2743   case Builtin::BI__builtin_is_aligned:
2744   case Builtin::BI__builtin_align_up:
2745   case Builtin::BI__builtin_align_down:
2746     if (BuiltinAlignment(*this, TheCall, BuiltinID))
2747       return ExprError();
2748     break;
2749   case Builtin::BI__builtin_add_overflow:
2750   case Builtin::BI__builtin_sub_overflow:
2751   case Builtin::BI__builtin_mul_overflow:
2752     if (BuiltinOverflow(*this, TheCall, BuiltinID))
2753       return ExprError();
2754     break;
2755   case Builtin::BI__builtin_operator_new:
2756   case Builtin::BI__builtin_operator_delete: {
2757     bool IsDelete = BuiltinID == Builtin::BI__builtin_operator_delete;
2758     ExprResult Res =
2759         BuiltinOperatorNewDeleteOverloaded(TheCallResult, IsDelete);
2760     return Res;
2761   }
2762   case Builtin::BI__builtin_dump_struct:
2763     return BuiltinDumpStruct(*this, TheCall);
2764   case Builtin::BI__builtin_expect_with_probability: {
2765     // We first want to ensure we are called with 3 arguments
2766     if (checkArgCount(TheCall, 3))
2767       return ExprError();
2768     // then check probability is constant float in range [0.0, 1.0]
2769     const Expr *ProbArg = TheCall->getArg(2);
2770     SmallVector<PartialDiagnosticAt, 8> Notes;
2771     Expr::EvalResult Eval;
2772     Eval.Diag = &Notes;
2773     if ((!ProbArg->EvaluateAsConstantExpr(Eval, Context)) ||
2774         !Eval.Val.isFloat()) {
2775       Diag(ProbArg->getBeginLoc(), diag::err_probability_not_constant_float)
2776           << ProbArg->getSourceRange();
2777       for (const PartialDiagnosticAt &PDiag : Notes)
2778         Diag(PDiag.first, PDiag.second);
2779       return ExprError();
2780     }
2781     llvm::APFloat Probability = Eval.Val.getFloat();
2782     bool LoseInfo = false;
2783     Probability.convert(llvm::APFloat::IEEEdouble(),
2784                         llvm::RoundingMode::Dynamic, &LoseInfo);
2785     if (!(Probability >= llvm::APFloat(0.0) &&
2786           Probability <= llvm::APFloat(1.0))) {
2787       Diag(ProbArg->getBeginLoc(), diag::err_probability_out_of_range)
2788           << ProbArg->getSourceRange();
2789       return ExprError();
2790     }
2791     break;
2792   }
2793   case Builtin::BI__builtin_preserve_access_index:
2794     if (BuiltinPreserveAI(*this, TheCall))
2795       return ExprError();
2796     break;
2797   case Builtin::BI__builtin_call_with_static_chain:
2798     if (BuiltinCallWithStaticChain(*this, TheCall))
2799       return ExprError();
2800     break;
2801   case Builtin::BI__exception_code:
2802   case Builtin::BI_exception_code:
2803     if (BuiltinSEHScopeCheck(*this, TheCall, Scope::SEHExceptScope,
2804                              diag::err_seh___except_block))
2805       return ExprError();
2806     break;
2807   case Builtin::BI__exception_info:
2808   case Builtin::BI_exception_info:
2809     if (BuiltinSEHScopeCheck(*this, TheCall, Scope::SEHFilterScope,
2810                              diag::err_seh___except_filter))
2811       return ExprError();
2812     break;
2813   case Builtin::BI__GetExceptionInfo:
2814     if (checkArgCount(TheCall, 1))
2815       return ExprError();
2816 
2817     if (CheckCXXThrowOperand(
2818             TheCall->getBeginLoc(),
2819             Context.getExceptionObjectType(FDecl->getParamDecl(0)->getType()),
2820             TheCall))
2821       return ExprError();
2822 
2823     TheCall->setType(Context.VoidPtrTy);
2824     break;
2825   case Builtin::BIaddressof:
2826   case Builtin::BI__addressof:
2827   case Builtin::BIforward:
2828   case Builtin::BIforward_like:
2829   case Builtin::BImove:
2830   case Builtin::BImove_if_noexcept:
2831   case Builtin::BIas_const: {
2832     // These are all expected to be of the form
2833     //   T &/&&/* f(U &/&&)
2834     // where T and U only differ in qualification.
2835     if (checkArgCount(TheCall, 1))
2836       return ExprError();
2837     QualType Param = FDecl->getParamDecl(0)->getType();
2838     QualType Result = FDecl->getReturnType();
2839     bool ReturnsPointer = BuiltinID == Builtin::BIaddressof ||
2840                           BuiltinID == Builtin::BI__addressof;
2841     if (!(Param->isReferenceType() &&
2842           (ReturnsPointer ? Result->isAnyPointerType()
2843                           : Result->isReferenceType()) &&
2844           Context.hasSameUnqualifiedType(Param->getPointeeType(),
2845                                          Result->getPointeeType()))) {
2846       Diag(TheCall->getBeginLoc(), diag::err_builtin_move_forward_unsupported)
2847           << FDecl;
2848       return ExprError();
2849     }
2850     break;
2851   }
2852   case Builtin::BI__builtin_ptrauth_strip:
2853     return PointerAuthStrip(*this, TheCall);
2854   case Builtin::BI__builtin_ptrauth_blend_discriminator:
2855     return PointerAuthBlendDiscriminator(*this, TheCall);
2856   case Builtin::BI__builtin_ptrauth_sign_constant:
2857     return PointerAuthSignOrAuth(*this, TheCall, PAO_Sign,
2858                                  /*RequireConstant=*/true);
2859   case Builtin::BI__builtin_ptrauth_sign_unauthenticated:
2860     return PointerAuthSignOrAuth(*this, TheCall, PAO_Sign,
2861                                  /*RequireConstant=*/false);
2862   case Builtin::BI__builtin_ptrauth_auth:
2863     return PointerAuthSignOrAuth(*this, TheCall, PAO_Auth,
2864                                  /*RequireConstant=*/false);
2865   case Builtin::BI__builtin_ptrauth_sign_generic_data:
2866     return PointerAuthSignGenericData(*this, TheCall);
2867   case Builtin::BI__builtin_ptrauth_auth_and_resign:
2868     return PointerAuthAuthAndResign(*this, TheCall);
2869   case Builtin::BI__builtin_ptrauth_string_discriminator:
2870     return PointerAuthStringDiscriminator(*this, TheCall);
2871 
2872   case Builtin::BI__builtin_get_vtable_pointer:
2873     return GetVTablePointer(*this, TheCall);
2874 
2875   // OpenCL v2.0, s6.13.16 - Pipe functions
2876   case Builtin::BIread_pipe:
2877   case Builtin::BIwrite_pipe:
2878     // Since those two functions are declared with var args, we need a semantic
2879     // check for the argument.
2880     if (OpenCL().checkBuiltinRWPipe(TheCall))
2881       return ExprError();
2882     break;
2883   case Builtin::BIreserve_read_pipe:
2884   case Builtin::BIreserve_write_pipe:
2885   case Builtin::BIwork_group_reserve_read_pipe:
2886   case Builtin::BIwork_group_reserve_write_pipe:
2887     if (OpenCL().checkBuiltinReserveRWPipe(TheCall))
2888       return ExprError();
2889     break;
2890   case Builtin::BIsub_group_reserve_read_pipe:
2891   case Builtin::BIsub_group_reserve_write_pipe:
2892     if (OpenCL().checkSubgroupExt(TheCall) ||
2893         OpenCL().checkBuiltinReserveRWPipe(TheCall))
2894       return ExprError();
2895     break;
2896   case Builtin::BIcommit_read_pipe:
2897   case Builtin::BIcommit_write_pipe:
2898   case Builtin::BIwork_group_commit_read_pipe:
2899   case Builtin::BIwork_group_commit_write_pipe:
2900     if (OpenCL().checkBuiltinCommitRWPipe(TheCall))
2901       return ExprError();
2902     break;
2903   case Builtin::BIsub_group_commit_read_pipe:
2904   case Builtin::BIsub_group_commit_write_pipe:
2905     if (OpenCL().checkSubgroupExt(TheCall) ||
2906         OpenCL().checkBuiltinCommitRWPipe(TheCall))
2907       return ExprError();
2908     break;
2909   case Builtin::BIget_pipe_num_packets:
2910   case Builtin::BIget_pipe_max_packets:
2911     if (OpenCL().checkBuiltinPipePackets(TheCall))
2912       return ExprError();
2913     break;
2914   case Builtin::BIto_global:
2915   case Builtin::BIto_local:
2916   case Builtin::BIto_private:
2917     if (OpenCL().checkBuiltinToAddr(BuiltinID, TheCall))
2918       return ExprError();
2919     break;
2920   // OpenCL v2.0, s6.13.17 - Enqueue kernel functions.
2921   case Builtin::BIenqueue_kernel:
2922     if (OpenCL().checkBuiltinEnqueueKernel(TheCall))
2923       return ExprError();
2924     break;
2925   case Builtin::BIget_kernel_work_group_size:
2926   case Builtin::BIget_kernel_preferred_work_group_size_multiple:
2927     if (OpenCL().checkBuiltinKernelWorkGroupSize(TheCall))
2928       return ExprError();
2929     break;
2930   case Builtin::BIget_kernel_max_sub_group_size_for_ndrange:
2931   case Builtin::BIget_kernel_sub_group_count_for_ndrange:
2932     if (OpenCL().checkBuiltinNDRangeAndBlock(TheCall))
2933       return ExprError();
2934     break;
2935   case Builtin::BI__builtin_os_log_format:
2936     Cleanup.setExprNeedsCleanups(true);
2937     [[fallthrough]];
2938   case Builtin::BI__builtin_os_log_format_buffer_size:
2939     if (BuiltinOSLogFormat(TheCall))
2940       return ExprError();
2941     break;
2942   case Builtin::BI__builtin_frame_address:
2943   case Builtin::BI__builtin_return_address: {
2944     if (BuiltinConstantArgRange(TheCall, 0, 0, 0xFFFF))
2945       return ExprError();
2946 
2947     // -Wframe-address warning if non-zero passed to builtin
2948     // return/frame address.
2949     Expr::EvalResult Result;
2950     if (!TheCall->getArg(0)->isValueDependent() &&
2951         TheCall->getArg(0)->EvaluateAsInt(Result, getASTContext()) &&
2952         Result.Val.getInt() != 0)
2953       Diag(TheCall->getBeginLoc(), diag::warn_frame_address)
2954           << ((BuiltinID == Builtin::BI__builtin_return_address)
2955                   ? "__builtin_return_address"
2956                   : "__builtin_frame_address")
2957           << TheCall->getSourceRange();
2958     break;
2959   }
2960 
2961   case Builtin::BI__builtin_nondeterministic_value: {
2962     if (BuiltinNonDeterministicValue(TheCall))
2963       return ExprError();
2964     break;
2965   }
2966 
2967   // __builtin_elementwise_abs restricts the element type to signed integers or
2968   // floating point types only.
2969   case Builtin::BI__builtin_elementwise_abs:
2970     if (PrepareBuiltinElementwiseMathOneArgCall(
2971             TheCall, EltwiseBuiltinArgTyRestriction::SignedIntOrFloatTy))
2972       return ExprError();
2973     break;
2974 
2975   // These builtins restrict the element type to floating point
2976   // types only.
2977   case Builtin::BI__builtin_elementwise_acos:
2978   case Builtin::BI__builtin_elementwise_asin:
2979   case Builtin::BI__builtin_elementwise_atan:
2980   case Builtin::BI__builtin_elementwise_ceil:
2981   case Builtin::BI__builtin_elementwise_cos:
2982   case Builtin::BI__builtin_elementwise_cosh:
2983   case Builtin::BI__builtin_elementwise_exp:
2984   case Builtin::BI__builtin_elementwise_exp2:
2985   case Builtin::BI__builtin_elementwise_exp10:
2986   case Builtin::BI__builtin_elementwise_floor:
2987   case Builtin::BI__builtin_elementwise_log:
2988   case Builtin::BI__builtin_elementwise_log2:
2989   case Builtin::BI__builtin_elementwise_log10:
2990   case Builtin::BI__builtin_elementwise_roundeven:
2991   case Builtin::BI__builtin_elementwise_round:
2992   case Builtin::BI__builtin_elementwise_rint:
2993   case Builtin::BI__builtin_elementwise_nearbyint:
2994   case Builtin::BI__builtin_elementwise_sin:
2995   case Builtin::BI__builtin_elementwise_sinh:
2996   case Builtin::BI__builtin_elementwise_sqrt:
2997   case Builtin::BI__builtin_elementwise_tan:
2998   case Builtin::BI__builtin_elementwise_tanh:
2999   case Builtin::BI__builtin_elementwise_trunc:
3000   case Builtin::BI__builtin_elementwise_canonicalize:
3001     if (PrepareBuiltinElementwiseMathOneArgCall(
3002             TheCall, EltwiseBuiltinArgTyRestriction::FloatTy))
3003       return ExprError();
3004     break;
3005   case Builtin::BI__builtin_elementwise_fma:
3006     if (BuiltinElementwiseTernaryMath(TheCall))
3007       return ExprError();
3008     break;
3009 
3010   // These builtins restrict the element type to floating point
3011   // types only, and take in two arguments.
3012   case Builtin::BI__builtin_elementwise_minnum:
3013   case Builtin::BI__builtin_elementwise_maxnum:
3014   case Builtin::BI__builtin_elementwise_minimum:
3015   case Builtin::BI__builtin_elementwise_maximum:
3016   case Builtin::BI__builtin_elementwise_atan2:
3017   case Builtin::BI__builtin_elementwise_fmod:
3018   case Builtin::BI__builtin_elementwise_pow:
3019     if (BuiltinElementwiseMath(TheCall,
3020                                EltwiseBuiltinArgTyRestriction::FloatTy))
3021       return ExprError();
3022     break;
3023   // These builtins restrict the element type to integer
3024   // types only.
3025   case Builtin::BI__builtin_elementwise_add_sat:
3026   case Builtin::BI__builtin_elementwise_sub_sat:
3027     if (BuiltinElementwiseMath(TheCall,
3028                                EltwiseBuiltinArgTyRestriction::IntegerTy))
3029       return ExprError();
3030     break;
3031   case Builtin::BI__builtin_elementwise_min:
3032   case Builtin::BI__builtin_elementwise_max:
3033     if (BuiltinElementwiseMath(TheCall))
3034       return ExprError();
3035     break;
3036   case Builtin::BI__builtin_elementwise_popcount:
3037   case Builtin::BI__builtin_elementwise_bitreverse:
3038     if (PrepareBuiltinElementwiseMathOneArgCall(
3039             TheCall, EltwiseBuiltinArgTyRestriction::IntegerTy))
3040       return ExprError();
3041     break;
3042   case Builtin::BI__builtin_elementwise_copysign: {
3043     if (checkArgCount(TheCall, 2))
3044       return ExprError();
3045 
3046     ExprResult Magnitude = UsualUnaryConversions(TheCall->getArg(0));
3047     ExprResult Sign = UsualUnaryConversions(TheCall->getArg(1));
3048     if (Magnitude.isInvalid() || Sign.isInvalid())
3049       return ExprError();
3050 
3051     QualType MagnitudeTy = Magnitude.get()->getType();
3052     QualType SignTy = Sign.get()->getType();
3053     if (checkMathBuiltinElementType(
3054             *this, TheCall->getArg(0)->getBeginLoc(), MagnitudeTy,
3055             EltwiseBuiltinArgTyRestriction::FloatTy, 1) ||
3056         checkMathBuiltinElementType(
3057             *this, TheCall->getArg(1)->getBeginLoc(), SignTy,
3058             EltwiseBuiltinArgTyRestriction::FloatTy, 2)) {
3059       return ExprError();
3060     }
3061 
3062     if (MagnitudeTy.getCanonicalType() != SignTy.getCanonicalType()) {
3063       return Diag(Sign.get()->getBeginLoc(),
3064                   diag::err_typecheck_call_different_arg_types)
3065              << MagnitudeTy << SignTy;
3066     }
3067 
3068     TheCall->setArg(0, Magnitude.get());
3069     TheCall->setArg(1, Sign.get());
3070     TheCall->setType(Magnitude.get()->getType());
3071     break;
3072   }
3073   case Builtin::BI__builtin_reduce_max:
3074   case Builtin::BI__builtin_reduce_min: {
3075     if (PrepareBuiltinReduceMathOneArgCall(TheCall))
3076       return ExprError();
3077 
3078     const Expr *Arg = TheCall->getArg(0);
3079     const auto *TyA = Arg->getType()->getAs<VectorType>();
3080 
3081     QualType ElTy;
3082     if (TyA)
3083       ElTy = TyA->getElementType();
3084     else if (Arg->getType()->isSizelessVectorType())
3085       ElTy = Arg->getType()->getSizelessVectorEltType(Context);
3086 
3087     if (ElTy.isNull()) {
3088       Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
3089           << 1 << /* vector ty */ 2 << /* no int */ 0 << /* no fp */ 0
3090           << Arg->getType();
3091       return ExprError();
3092     }
3093 
3094     TheCall->setType(ElTy);
3095     break;
3096   }
3097   case Builtin::BI__builtin_reduce_maximum:
3098   case Builtin::BI__builtin_reduce_minimum: {
3099     if (PrepareBuiltinReduceMathOneArgCall(TheCall))
3100       return ExprError();
3101 
3102     const Expr *Arg = TheCall->getArg(0);
3103     const auto *TyA = Arg->getType()->getAs<VectorType>();
3104 
3105     QualType ElTy;
3106     if (TyA)
3107       ElTy = TyA->getElementType();
3108     else if (Arg->getType()->isSizelessVectorType())
3109       ElTy = Arg->getType()->getSizelessVectorEltType(Context);
3110 
3111     if (ElTy.isNull() || !ElTy->isFloatingType()) {
3112       Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
3113           << 1 << /* vector of */ 4 << /* no int */ 0 << /* fp */ 1
3114           << Arg->getType();
3115       return ExprError();
3116     }
3117 
3118     TheCall->setType(ElTy);
3119     break;
3120   }
3121 
3122   // These builtins support vectors of integers only.
3123   // TODO: ADD/MUL should support floating-point types.
3124   case Builtin::BI__builtin_reduce_add:
3125   case Builtin::BI__builtin_reduce_mul:
3126   case Builtin::BI__builtin_reduce_xor:
3127   case Builtin::BI__builtin_reduce_or:
3128   case Builtin::BI__builtin_reduce_and: {
3129     if (PrepareBuiltinReduceMathOneArgCall(TheCall))
3130       return ExprError();
3131 
3132     const Expr *Arg = TheCall->getArg(0);
3133     const auto *TyA = Arg->getType()->getAs<VectorType>();
3134 
3135     QualType ElTy;
3136     if (TyA)
3137       ElTy = TyA->getElementType();
3138     else if (Arg->getType()->isSizelessVectorType())
3139       ElTy = Arg->getType()->getSizelessVectorEltType(Context);
3140 
3141     if (ElTy.isNull() || !ElTy->isIntegerType()) {
3142       Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
3143           << 1 << /* vector of */ 4 << /* int */ 1 << /* no fp */ 0
3144           << Arg->getType();
3145       return ExprError();
3146     }
3147 
3148     TheCall->setType(ElTy);
3149     break;
3150   }
3151 
3152   case Builtin::BI__builtin_matrix_transpose:
3153     return BuiltinMatrixTranspose(TheCall, TheCallResult);
3154 
3155   case Builtin::BI__builtin_matrix_column_major_load:
3156     return BuiltinMatrixColumnMajorLoad(TheCall, TheCallResult);
3157 
3158   case Builtin::BI__builtin_matrix_column_major_store:
3159     return BuiltinMatrixColumnMajorStore(TheCall, TheCallResult);
3160 
3161   case Builtin::BI__builtin_verbose_trap:
3162     if (!checkBuiltinVerboseTrap(TheCall, *this))
3163       return ExprError();
3164     break;
3165 
3166   case Builtin::BI__builtin_get_device_side_mangled_name: {
3167     auto Check = [](CallExpr *TheCall) {
3168       if (TheCall->getNumArgs() != 1)
3169         return false;
3170       auto *DRE = dyn_cast<DeclRefExpr>(TheCall->getArg(0)->IgnoreImpCasts());
3171       if (!DRE)
3172         return false;
3173       auto *D = DRE->getDecl();
3174       if (!isa<FunctionDecl>(D) && !isa<VarDecl>(D))
3175         return false;
3176       return D->hasAttr<CUDAGlobalAttr>() || D->hasAttr<CUDADeviceAttr>() ||
3177              D->hasAttr<CUDAConstantAttr>() || D->hasAttr<HIPManagedAttr>();
3178     };
3179     if (!Check(TheCall)) {
3180       Diag(TheCall->getBeginLoc(),
3181            diag::err_hip_invalid_args_builtin_mangled_name);
3182       return ExprError();
3183     }
3184     break;
3185   }
3186   case Builtin::BI__builtin_popcountg:
3187     if (BuiltinPopcountg(*this, TheCall))
3188       return ExprError();
3189     break;
3190   case Builtin::BI__builtin_clzg:
3191   case Builtin::BI__builtin_ctzg:
3192     if (BuiltinCountZeroBitsGeneric(*this, TheCall))
3193       return ExprError();
3194     break;
3195 
3196   case Builtin::BI__builtin_allow_runtime_check: {
3197     Expr *Arg = TheCall->getArg(0);
3198     // Check if the argument is a string literal.
3199     if (!isa<StringLiteral>(Arg->IgnoreParenImpCasts())) {
3200       Diag(TheCall->getBeginLoc(), diag::err_expr_not_string_literal)
3201           << Arg->getSourceRange();
3202       return ExprError();
3203     }
3204     break;
3205   }
3206   case Builtin::BI__builtin_counted_by_ref:
3207     if (BuiltinCountedByRef(TheCall))
3208       return ExprError();
3209     break;
3210   }
3211 
3212   if (getLangOpts().HLSL && HLSL().CheckBuiltinFunctionCall(BuiltinID, TheCall))
3213     return ExprError();
3214 
3215   // Since the target specific builtins for each arch overlap, only check those
3216   // of the arch we are compiling for.
3217   if (Context.BuiltinInfo.isTSBuiltin(BuiltinID)) {
3218     if (Context.BuiltinInfo.isAuxBuiltinID(BuiltinID)) {
3219       assert(Context.getAuxTargetInfo() &&
3220              "Aux Target Builtin, but not an aux target?");
3221 
3222       if (CheckTSBuiltinFunctionCall(
3223               *Context.getAuxTargetInfo(),
3224               Context.BuiltinInfo.getAuxBuiltinID(BuiltinID), TheCall))
3225         return ExprError();
3226     } else {
3227       if (CheckTSBuiltinFunctionCall(Context.getTargetInfo(), BuiltinID,
3228                                      TheCall))
3229         return ExprError();
3230     }
3231   }
3232 
3233   return TheCallResult;
3234 }
3235 
3236 bool Sema::ValueIsRunOfOnes(CallExpr *TheCall, unsigned ArgNum) {
3237   llvm::APSInt Result;
3238   // We can't check the value of a dependent argument.
3239   Expr *Arg = TheCall->getArg(ArgNum);
3240   if (Arg->isTypeDependent() || Arg->isValueDependent())
3241     return false;
3242 
3243   // Check constant-ness first.
3244   if (BuiltinConstantArg(TheCall, ArgNum, Result))
3245     return true;
3246 
3247   // Check contiguous run of 1s, 0xFF0000FF is also a run of 1s.
3248   if (Result.isShiftedMask() || (~Result).isShiftedMask())
3249     return false;
3250 
3251   return Diag(TheCall->getBeginLoc(),
3252               diag::err_argument_not_contiguous_bit_field)
3253          << ArgNum << Arg->getSourceRange();
3254 }
3255 
3256 bool Sema::getFormatStringInfo(const Decl *D, unsigned FormatIdx,
3257                                unsigned FirstArg, FormatStringInfo *FSI) {
3258   bool IsCXXMember = false;
3259   if (const auto *MD = dyn_cast<CXXMethodDecl>(D))
3260     IsCXXMember = MD->isInstance();
3261   bool IsVariadic = false;
3262   if (const FunctionType *FnTy = D->getFunctionType())
3263     IsVariadic = cast<FunctionProtoType>(FnTy)->isVariadic();
3264   else if (const auto *BD = dyn_cast<BlockDecl>(D))
3265     IsVariadic = BD->isVariadic();
3266   else if (const auto *OMD = dyn_cast<ObjCMethodDecl>(D))
3267     IsVariadic = OMD->isVariadic();
3268 
3269   return getFormatStringInfo(FormatIdx, FirstArg, IsCXXMember, IsVariadic, FSI);
3270 }
3271 
3272 bool Sema::getFormatStringInfo(unsigned FormatIdx, unsigned FirstArg,
3273                                bool IsCXXMember, bool IsVariadic,
3274                                FormatStringInfo *FSI) {
3275   if (FirstArg == 0)
3276     FSI->ArgPassingKind = FAPK_VAList;
3277   else if (IsVariadic)
3278     FSI->ArgPassingKind = FAPK_Variadic;
3279   else
3280     FSI->ArgPassingKind = FAPK_Fixed;
3281   FSI->FormatIdx = FormatIdx - 1;
3282   FSI->FirstDataArg = FSI->ArgPassingKind == FAPK_VAList ? 0 : FirstArg - 1;
3283 
3284   // The way the format attribute works in GCC, the implicit this argument
3285   // of member functions is counted. However, it doesn't appear in our own
3286   // lists, so decrement format_idx in that case.
3287   if (IsCXXMember) {
3288     if(FSI->FormatIdx == 0)
3289       return false;
3290     --FSI->FormatIdx;
3291     if (FSI->FirstDataArg != 0)
3292       --FSI->FirstDataArg;
3293   }
3294   return true;
3295 }
3296 
3297 /// Checks if a the given expression evaluates to null.
3298 ///
3299 /// Returns true if the value evaluates to null.
3300 static bool CheckNonNullExpr(Sema &S, const Expr *Expr) {
3301   // Treat (smart) pointers constructed from nullptr as null, whether we can
3302   // const-evaluate them or not.
3303   // This must happen first: the smart pointer expr might have _Nonnull type!
3304   if (isa<CXXNullPtrLiteralExpr>(
3305           IgnoreExprNodes(Expr, IgnoreImplicitAsWrittenSingleStep,
3306                           IgnoreElidableImplicitConstructorSingleStep)))
3307     return true;
3308 
3309   // If the expression has non-null type, it doesn't evaluate to null.
3310   if (auto nullability = Expr->IgnoreImplicit()->getType()->getNullability()) {
3311     if (*nullability == NullabilityKind::NonNull)
3312       return false;
3313   }
3314 
3315   // As a special case, transparent unions initialized with zero are
3316   // considered null for the purposes of the nonnull attribute.
3317   if (const RecordType *UT = Expr->getType()->getAsUnionType();
3318       UT && UT->getDecl()->hasAttr<TransparentUnionAttr>()) {
3319     if (const auto *CLE = dyn_cast<CompoundLiteralExpr>(Expr))
3320       if (const auto *ILE = dyn_cast<InitListExpr>(CLE->getInitializer()))
3321         Expr = ILE->getInit(0);
3322   }
3323 
3324   bool Result;
3325   return (!Expr->isValueDependent() &&
3326           Expr->EvaluateAsBooleanCondition(Result, S.Context) &&
3327           !Result);
3328 }
3329 
3330 static void CheckNonNullArgument(Sema &S,
3331                                  const Expr *ArgExpr,
3332                                  SourceLocation CallSiteLoc) {
3333   if (CheckNonNullExpr(S, ArgExpr))
3334     S.DiagRuntimeBehavior(CallSiteLoc, ArgExpr,
3335                           S.PDiag(diag::warn_null_arg)
3336                               << ArgExpr->getSourceRange());
3337 }
3338 
3339 /// Determine whether the given type has a non-null nullability annotation.
3340 static bool isNonNullType(QualType type) {
3341   if (auto nullability = type->getNullability())
3342     return *nullability == NullabilityKind::NonNull;
3343 
3344   return false;
3345 }
3346 
3347 static void CheckNonNullArguments(Sema &S,
3348                                   const NamedDecl *FDecl,
3349                                   const FunctionProtoType *Proto,
3350                                   ArrayRef<const Expr *> Args,
3351                                   SourceLocation CallSiteLoc) {
3352   assert((FDecl || Proto) && "Need a function declaration or prototype");
3353 
3354   // Already checked by constant evaluator.
3355   if (S.isConstantEvaluatedContext())
3356     return;
3357   // Check the attributes attached to the method/function itself.
3358   llvm::SmallBitVector NonNullArgs;
3359   if (FDecl) {
3360     // Handle the nonnull attribute on the function/method declaration itself.
3361     for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) {
3362       if (!NonNull->args_size()) {
3363         // Easy case: all pointer arguments are nonnull.
3364         for (const auto *Arg : Args)
3365           if (S.isValidPointerAttrType(Arg->getType()))
3366             CheckNonNullArgument(S, Arg, CallSiteLoc);
3367         return;
3368       }
3369 
3370       for (const ParamIdx &Idx : NonNull->args()) {
3371         unsigned IdxAST = Idx.getASTIndex();
3372         if (IdxAST >= Args.size())
3373           continue;
3374         if (NonNullArgs.empty())
3375           NonNullArgs.resize(Args.size());
3376         NonNullArgs.set(IdxAST);
3377       }
3378     }
3379   }
3380 
3381   if (FDecl && (isa<FunctionDecl>(FDecl) || isa<ObjCMethodDecl>(FDecl))) {
3382     // Handle the nonnull attribute on the parameters of the
3383     // function/method.
3384     ArrayRef<ParmVarDecl*> parms;
3385     if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl))
3386       parms = FD->parameters();
3387     else
3388       parms = cast<ObjCMethodDecl>(FDecl)->parameters();
3389 
3390     unsigned ParamIndex = 0;
3391     for (ArrayRef<ParmVarDecl*>::iterator I = parms.begin(), E = parms.end();
3392          I != E; ++I, ++ParamIndex) {
3393       const ParmVarDecl *PVD = *I;
3394       if (PVD->hasAttr<NonNullAttr>() || isNonNullType(PVD->getType())) {
3395         if (NonNullArgs.empty())
3396           NonNullArgs.resize(Args.size());
3397 
3398         NonNullArgs.set(ParamIndex);
3399       }
3400     }
3401   } else {
3402     // If we have a non-function, non-method declaration but no
3403     // function prototype, try to dig out the function prototype.
3404     if (!Proto) {
3405       if (const ValueDecl *VD = dyn_cast<ValueDecl>(FDecl)) {
3406         QualType type = VD->getType().getNonReferenceType();
3407         if (auto pointerType = type->getAs<PointerType>())
3408           type = pointerType->getPointeeType();
3409         else if (auto blockType = type->getAs<BlockPointerType>())
3410           type = blockType->getPointeeType();
3411         // FIXME: data member pointers?
3412 
3413         // Dig out the function prototype, if there is one.
3414         Proto = type->getAs<FunctionProtoType>();
3415       }
3416     }
3417 
3418     // Fill in non-null argument information from the nullability
3419     // information on the parameter types (if we have them).
3420     if (Proto) {
3421       unsigned Index = 0;
3422       for (auto paramType : Proto->getParamTypes()) {
3423         if (isNonNullType(paramType)) {
3424           if (NonNullArgs.empty())
3425             NonNullArgs.resize(Args.size());
3426 
3427           NonNullArgs.set(Index);
3428         }
3429 
3430         ++Index;
3431       }
3432     }
3433   }
3434 
3435   // Check for non-null arguments.
3436   for (unsigned ArgIndex = 0, ArgIndexEnd = NonNullArgs.size();
3437        ArgIndex != ArgIndexEnd; ++ArgIndex) {
3438     if (NonNullArgs[ArgIndex])
3439       CheckNonNullArgument(S, Args[ArgIndex], Args[ArgIndex]->getExprLoc());
3440   }
3441 }
3442 
3443 void Sema::CheckArgAlignment(SourceLocation Loc, NamedDecl *FDecl,
3444                              StringRef ParamName, QualType ArgTy,
3445                              QualType ParamTy) {
3446 
3447   // If a function accepts a pointer or reference type
3448   if (!ParamTy->isPointerType() && !ParamTy->isReferenceType())
3449     return;
3450 
3451   // If the parameter is a pointer type, get the pointee type for the
3452   // argument too. If the parameter is a reference type, don't try to get
3453   // the pointee type for the argument.
3454   if (ParamTy->isPointerType())
3455     ArgTy = ArgTy->getPointeeType();
3456 
3457   // Remove reference or pointer
3458   ParamTy = ParamTy->getPointeeType();
3459 
3460   // Find expected alignment, and the actual alignment of the passed object.
3461   // getTypeAlignInChars requires complete types
3462   if (ArgTy.isNull() || ParamTy->isDependentType() ||
3463       ParamTy->isIncompleteType() || ArgTy->isIncompleteType() ||
3464       ParamTy->isUndeducedType() || ArgTy->isUndeducedType())
3465     return;
3466 
3467   CharUnits ParamAlign = Context.getTypeAlignInChars(ParamTy);
3468   CharUnits ArgAlign = Context.getTypeAlignInChars(ArgTy);
3469 
3470   // If the argument is less aligned than the parameter, there is a
3471   // potential alignment issue.
3472   if (ArgAlign < ParamAlign)
3473     Diag(Loc, diag::warn_param_mismatched_alignment)
3474         << (int)ArgAlign.getQuantity() << (int)ParamAlign.getQuantity()
3475         << ParamName << (FDecl != nullptr) << FDecl;
3476 }
3477 
3478 void Sema::checkLifetimeCaptureBy(FunctionDecl *FD, bool IsMemberFunction,
3479                                   const Expr *ThisArg,
3480                                   ArrayRef<const Expr *> Args) {
3481   if (!FD || Args.empty())
3482     return;
3483   auto GetArgAt = [&](int Idx) -> const Expr * {
3484     if (Idx == LifetimeCaptureByAttr::Global ||
3485         Idx == LifetimeCaptureByAttr::Unknown)
3486       return nullptr;
3487     if (IsMemberFunction && Idx == 0)
3488       return ThisArg;
3489     return Args[Idx - IsMemberFunction];
3490   };
3491   auto HandleCaptureByAttr = [&](const LifetimeCaptureByAttr *Attr,
3492                                  unsigned ArgIdx) {
3493     if (!Attr)
3494       return;
3495 
3496     Expr *Captured = const_cast<Expr *>(GetArgAt(ArgIdx));
3497     for (int CapturingParamIdx : Attr->params()) {
3498       // lifetime_capture_by(this) case is handled in the lifetimebound expr
3499       // initialization codepath.
3500       if (CapturingParamIdx == LifetimeCaptureByAttr::This &&
3501           isa<CXXConstructorDecl>(FD))
3502         continue;
3503       Expr *Capturing = const_cast<Expr *>(GetArgAt(CapturingParamIdx));
3504       CapturingEntity CE{Capturing};
3505       // Ensure that 'Captured' outlives the 'Capturing' entity.
3506       checkCaptureByLifetime(*this, CE, Captured);
3507     }
3508   };
3509   for (unsigned I = 0; I < FD->getNumParams(); ++I)
3510     HandleCaptureByAttr(FD->getParamDecl(I)->getAttr<LifetimeCaptureByAttr>(),
3511                         I + IsMemberFunction);
3512   // Check when the implicit object param is captured.
3513   if (IsMemberFunction) {
3514     TypeSourceInfo *TSI = FD->getTypeSourceInfo();
3515     if (!TSI)
3516       return;
3517     AttributedTypeLoc ATL;
3518     for (TypeLoc TL = TSI->getTypeLoc();
3519          (ATL = TL.getAsAdjusted<AttributedTypeLoc>());
3520          TL = ATL.getModifiedLoc())
3521       HandleCaptureByAttr(ATL.getAttrAs<LifetimeCaptureByAttr>(), 0);
3522   }
3523 }
3524 
3525 void Sema::checkCall(NamedDecl *FDecl, const FunctionProtoType *Proto,
3526                      const Expr *ThisArg, ArrayRef<const Expr *> Args,
3527                      bool IsMemberFunction, SourceLocation Loc,
3528                      SourceRange Range, VariadicCallType CallType) {
3529   // FIXME: We should check as much as we can in the template definition.
3530   if (CurContext->isDependentContext())
3531     return;
3532 
3533   // Printf and scanf checking.
3534   llvm::SmallBitVector CheckedVarArgs;
3535   if (FDecl) {
3536     for (const auto *I : FDecl->specific_attrs<FormatMatchesAttr>()) {
3537       // Only create vector if there are format attributes.
3538       CheckedVarArgs.resize(Args.size());
3539       CheckFormatString(I, Args, IsMemberFunction, CallType, Loc, Range,
3540                         CheckedVarArgs);
3541     }
3542 
3543     for (const auto *I : FDecl->specific_attrs<FormatAttr>()) {
3544       CheckedVarArgs.resize(Args.size());
3545       CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range,
3546                            CheckedVarArgs);
3547     }
3548   }
3549 
3550   // Refuse POD arguments that weren't caught by the format string
3551   // checks above.
3552   auto *FD = dyn_cast_or_null<FunctionDecl>(FDecl);
3553   if (CallType != VariadicCallType::DoesNotApply &&
3554       (!FD || FD->getBuiltinID() != Builtin::BI__noop)) {
3555     unsigned NumParams = Proto ? Proto->getNumParams()
3556                          : isa_and_nonnull<FunctionDecl>(FDecl)
3557                              ? cast<FunctionDecl>(FDecl)->getNumParams()
3558                          : isa_and_nonnull<ObjCMethodDecl>(FDecl)
3559                              ? cast<ObjCMethodDecl>(FDecl)->param_size()
3560                              : 0;
3561 
3562     for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) {
3563       // Args[ArgIdx] can be null in malformed code.
3564       if (const Expr *Arg = Args[ArgIdx]) {
3565         if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx])
3566           checkVariadicArgument(Arg, CallType);
3567       }
3568     }
3569   }
3570   if (FD)
3571     checkLifetimeCaptureBy(FD, IsMemberFunction, ThisArg, Args);
3572   if (FDecl || Proto) {
3573     CheckNonNullArguments(*this, FDecl, Proto, Args, Loc);
3574 
3575     // Type safety checking.
3576     if (FDecl) {
3577       for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())
3578         CheckArgumentWithTypeTag(I, Args, Loc);
3579     }
3580   }
3581 
3582   // Check that passed arguments match the alignment of original arguments.
3583   // Try to get the missing prototype from the declaration.
3584   if (!Proto && FDecl) {
3585     const auto *FT = FDecl->getFunctionType();
3586     if (isa_and_nonnull<FunctionProtoType>(FT))
3587       Proto = cast<FunctionProtoType>(FDecl->getFunctionType());
3588   }
3589   if (Proto) {
3590     // For variadic functions, we may have more args than parameters.
3591     // For some K&R functions, we may have less args than parameters.
3592     const auto N = std::min<unsigned>(Proto->getNumParams(), Args.size());
3593     bool IsScalableRet = Proto->getReturnType()->isSizelessVectorType();
3594     bool IsScalableArg = false;
3595     for (unsigned ArgIdx = 0; ArgIdx < N; ++ArgIdx) {
3596       // Args[ArgIdx] can be null in malformed code.
3597       if (const Expr *Arg = Args[ArgIdx]) {
3598         if (Arg->containsErrors())
3599           continue;
3600 
3601         if (Context.getTargetInfo().getTriple().isOSAIX() && FDecl && Arg &&
3602             FDecl->hasLinkage() &&
3603             FDecl->getFormalLinkage() != Linkage::Internal &&
3604             CallType == VariadicCallType::DoesNotApply)
3605           PPC().checkAIXMemberAlignment((Arg->getExprLoc()), Arg);
3606 
3607         QualType ParamTy = Proto->getParamType(ArgIdx);
3608         if (ParamTy->isSizelessVectorType())
3609           IsScalableArg = true;
3610         QualType ArgTy = Arg->getType();
3611         CheckArgAlignment(Arg->getExprLoc(), FDecl, std::to_string(ArgIdx + 1),
3612                           ArgTy, ParamTy);
3613       }
3614     }
3615 
3616     // If the callee has an AArch64 SME attribute to indicate that it is an
3617     // __arm_streaming function, then the caller requires SME to be available.
3618     FunctionProtoType::ExtProtoInfo ExtInfo = Proto->getExtProtoInfo();
3619     if (ExtInfo.AArch64SMEAttributes & FunctionType::SME_PStateSMEnabledMask) {
3620       if (auto *CallerFD = dyn_cast<FunctionDecl>(CurContext)) {
3621         llvm::StringMap<bool> CallerFeatureMap;
3622         Context.getFunctionFeatureMap(CallerFeatureMap, CallerFD);
3623         if (!CallerFeatureMap.contains("sme"))
3624           Diag(Loc, diag::err_sme_call_in_non_sme_target);
3625       } else if (!Context.getTargetInfo().hasFeature("sme")) {
3626         Diag(Loc, diag::err_sme_call_in_non_sme_target);
3627       }
3628     }
3629 
3630     // If the call requires a streaming-mode change and has scalable vector
3631     // arguments or return values, then warn the user that the streaming and
3632     // non-streaming vector lengths may be different.
3633     const auto *CallerFD = dyn_cast<FunctionDecl>(CurContext);
3634     if (CallerFD && (!FD || !FD->getBuiltinID()) &&
3635         (IsScalableArg || IsScalableRet)) {
3636       bool IsCalleeStreaming =
3637           ExtInfo.AArch64SMEAttributes & FunctionType::SME_PStateSMEnabledMask;
3638       bool IsCalleeStreamingCompatible =
3639           ExtInfo.AArch64SMEAttributes &
3640           FunctionType::SME_PStateSMCompatibleMask;
3641       SemaARM::ArmStreamingType CallerFnType = getArmStreamingFnType(CallerFD);
3642       if (!IsCalleeStreamingCompatible &&
3643           (CallerFnType == SemaARM::ArmStreamingCompatible ||
3644            ((CallerFnType == SemaARM::ArmStreaming) ^ IsCalleeStreaming))) {
3645         if (IsScalableArg)
3646           Diag(Loc, diag::warn_sme_streaming_pass_return_vl_to_non_streaming)
3647               << /*IsArg=*/true;
3648         if (IsScalableRet)
3649           Diag(Loc, diag::warn_sme_streaming_pass_return_vl_to_non_streaming)
3650               << /*IsArg=*/false;
3651       }
3652     }
3653 
3654     FunctionType::ArmStateValue CalleeArmZAState =
3655         FunctionType::getArmZAState(ExtInfo.AArch64SMEAttributes);
3656     FunctionType::ArmStateValue CalleeArmZT0State =
3657         FunctionType::getArmZT0State(ExtInfo.AArch64SMEAttributes);
3658     if (CalleeArmZAState != FunctionType::ARM_None ||
3659         CalleeArmZT0State != FunctionType::ARM_None) {
3660       bool CallerHasZAState = false;
3661       bool CallerHasZT0State = false;
3662       if (CallerFD) {
3663         auto *Attr = CallerFD->getAttr<ArmNewAttr>();
3664         if (Attr && Attr->isNewZA())
3665           CallerHasZAState = true;
3666         if (Attr && Attr->isNewZT0())
3667           CallerHasZT0State = true;
3668         if (const auto *FPT = CallerFD->getType()->getAs<FunctionProtoType>()) {
3669           CallerHasZAState |=
3670               FunctionType::getArmZAState(
3671                   FPT->getExtProtoInfo().AArch64SMEAttributes) !=
3672               FunctionType::ARM_None;
3673           CallerHasZT0State |=
3674               FunctionType::getArmZT0State(
3675                   FPT->getExtProtoInfo().AArch64SMEAttributes) !=
3676               FunctionType::ARM_None;
3677         }
3678       }
3679 
3680       if (CalleeArmZAState != FunctionType::ARM_None && !CallerHasZAState)
3681         Diag(Loc, diag::err_sme_za_call_no_za_state);
3682 
3683       if (CalleeArmZT0State != FunctionType::ARM_None && !CallerHasZT0State)
3684         Diag(Loc, diag::err_sme_zt0_call_no_zt0_state);
3685 
3686       if (CallerHasZAState && CalleeArmZAState == FunctionType::ARM_None &&
3687           CalleeArmZT0State != FunctionType::ARM_None) {
3688         Diag(Loc, diag::err_sme_unimplemented_za_save_restore);
3689         Diag(Loc, diag::note_sme_use_preserves_za);
3690       }
3691     }
3692   }
3693 
3694   if (FDecl && FDecl->hasAttr<AllocAlignAttr>()) {
3695     auto *AA = FDecl->getAttr<AllocAlignAttr>();
3696     const Expr *Arg = Args[AA->getParamIndex().getASTIndex()];
3697     if (!Arg->isValueDependent()) {
3698       Expr::EvalResult Align;
3699       if (Arg->EvaluateAsInt(Align, Context)) {
3700         const llvm::APSInt &I = Align.Val.getInt();
3701         if (!I.isPowerOf2())
3702           Diag(Arg->getExprLoc(), diag::warn_alignment_not_power_of_two)
3703               << Arg->getSourceRange();
3704 
3705         if (I > Sema::MaximumAlignment)
3706           Diag(Arg->getExprLoc(), diag::warn_assume_aligned_too_great)
3707               << Arg->getSourceRange() << Sema::MaximumAlignment;
3708       }
3709     }
3710   }
3711 
3712   if (FD)
3713     diagnoseArgDependentDiagnoseIfAttrs(FD, ThisArg, Args, Loc);
3714 }
3715 
3716 void Sema::CheckConstrainedAuto(const AutoType *AutoT, SourceLocation Loc) {
3717   if (ConceptDecl *Decl = AutoT->getTypeConstraintConcept()) {
3718     DiagnoseUseOfDecl(Decl, Loc);
3719   }
3720 }
3721 
3722 void Sema::CheckConstructorCall(FunctionDecl *FDecl, QualType ThisType,
3723                                 ArrayRef<const Expr *> Args,
3724                                 const FunctionProtoType *Proto,
3725                                 SourceLocation Loc) {
3726   VariadicCallType CallType = Proto->isVariadic()
3727                                   ? VariadicCallType::Constructor
3728                                   : VariadicCallType::DoesNotApply;
3729 
3730   auto *Ctor = cast<CXXConstructorDecl>(FDecl);
3731   CheckArgAlignment(
3732       Loc, FDecl, "'this'", Context.getPointerType(ThisType),
3733       Context.getPointerType(Ctor->getFunctionObjectParameterType()));
3734 
3735   checkCall(FDecl, Proto, /*ThisArg=*/nullptr, Args, /*IsMemberFunction=*/true,
3736             Loc, SourceRange(), CallType);
3737 }
3738 
3739 bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall,
3740                              const FunctionProtoType *Proto) {
3741   bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) &&
3742                               isa<CXXMethodDecl>(FDecl);
3743   bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) ||
3744                           IsMemberOperatorCall;
3745   VariadicCallType CallType = getVariadicCallType(FDecl, Proto,
3746                                                   TheCall->getCallee());
3747   Expr** Args = TheCall->getArgs();
3748   unsigned NumArgs = TheCall->getNumArgs();
3749 
3750   Expr *ImplicitThis = nullptr;
3751   if (IsMemberOperatorCall && !FDecl->hasCXXExplicitFunctionObjectParameter()) {
3752     // If this is a call to a member operator, hide the first
3753     // argument from checkCall.
3754     // FIXME: Our choice of AST representation here is less than ideal.
3755     ImplicitThis = Args[0];
3756     ++Args;
3757     --NumArgs;
3758   } else if (IsMemberFunction && !FDecl->isStatic() &&
3759              !FDecl->hasCXXExplicitFunctionObjectParameter())
3760     ImplicitThis =
3761         cast<CXXMemberCallExpr>(TheCall)->getImplicitObjectArgument();
3762 
3763   if (ImplicitThis) {
3764     // ImplicitThis may or may not be a pointer, depending on whether . or -> is
3765     // used.
3766     QualType ThisType = ImplicitThis->getType();
3767     if (!ThisType->isPointerType()) {
3768       assert(!ThisType->isReferenceType());
3769       ThisType = Context.getPointerType(ThisType);
3770     }
3771 
3772     QualType ThisTypeFromDecl = Context.getPointerType(
3773         cast<CXXMethodDecl>(FDecl)->getFunctionObjectParameterType());
3774 
3775     CheckArgAlignment(TheCall->getRParenLoc(), FDecl, "'this'", ThisType,
3776                       ThisTypeFromDecl);
3777   }
3778 
3779   checkCall(FDecl, Proto, ImplicitThis, llvm::ArrayRef(Args, NumArgs),
3780             IsMemberFunction, TheCall->getRParenLoc(),
3781             TheCall->getCallee()->getSourceRange(), CallType);
3782 
3783   IdentifierInfo *FnInfo = FDecl->getIdentifier();
3784   // None of the checks below are needed for functions that don't have
3785   // simple names (e.g., C++ conversion functions).
3786   if (!FnInfo)
3787     return false;
3788 
3789   // Enforce TCB except for builtin calls, which are always allowed.
3790   if (FDecl->getBuiltinID() == 0)
3791     CheckTCBEnforcement(TheCall->getExprLoc(), FDecl);
3792 
3793   CheckAbsoluteValueFunction(TheCall, FDecl);
3794   CheckMaxUnsignedZero(TheCall, FDecl);
3795   CheckInfNaNFunction(TheCall, FDecl);
3796 
3797   if (getLangOpts().ObjC)
3798     ObjC().DiagnoseCStringFormatDirectiveInCFAPI(FDecl, Args, NumArgs);
3799 
3800   unsigned CMId = FDecl->getMemoryFunctionKind();
3801 
3802   // Handle memory setting and copying functions.
3803   switch (CMId) {
3804   case 0:
3805     return false;
3806   case Builtin::BIstrlcpy: // fallthrough
3807   case Builtin::BIstrlcat:
3808     CheckStrlcpycatArguments(TheCall, FnInfo);
3809     break;
3810   case Builtin::BIstrncat:
3811     CheckStrncatArguments(TheCall, FnInfo);
3812     break;
3813   case Builtin::BIfree:
3814     CheckFreeArguments(TheCall);
3815     break;
3816   default:
3817     CheckMemaccessArguments(TheCall, CMId, FnInfo);
3818   }
3819 
3820   return false;
3821 }
3822 
3823 bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall,
3824                             const FunctionProtoType *Proto) {
3825   QualType Ty;
3826   if (const auto *V = dyn_cast<VarDecl>(NDecl))
3827     Ty = V->getType().getNonReferenceType();
3828   else if (const auto *F = dyn_cast<FieldDecl>(NDecl))
3829     Ty = F->getType().getNonReferenceType();
3830   else
3831     return false;
3832 
3833   if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType() &&
3834       !Ty->isFunctionProtoType())
3835     return false;
3836 
3837   VariadicCallType CallType;
3838   if (!Proto || !Proto->isVariadic()) {
3839     CallType = VariadicCallType::DoesNotApply;
3840   } else if (Ty->isBlockPointerType()) {
3841     CallType = VariadicCallType::Block;
3842   } else { // Ty->isFunctionPointerType()
3843     CallType = VariadicCallType::Function;
3844   }
3845 
3846   checkCall(NDecl, Proto, /*ThisArg=*/nullptr,
3847             llvm::ArrayRef(TheCall->getArgs(), TheCall->getNumArgs()),
3848             /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
3849             TheCall->getCallee()->getSourceRange(), CallType);
3850 
3851   return false;
3852 }
3853 
3854 bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) {
3855   VariadicCallType CallType = getVariadicCallType(/*FDecl=*/nullptr, Proto,
3856                                                   TheCall->getCallee());
3857   checkCall(/*FDecl=*/nullptr, Proto, /*ThisArg=*/nullptr,
3858             llvm::ArrayRef(TheCall->getArgs(), TheCall->getNumArgs()),
3859             /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
3860             TheCall->getCallee()->getSourceRange(), CallType);
3861 
3862   return false;
3863 }
3864 
3865 static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) {
3866   if (!llvm::isValidAtomicOrderingCABI(Ordering))
3867     return false;
3868 
3869   auto OrderingCABI = (llvm::AtomicOrderingCABI)Ordering;
3870   switch (Op) {
3871   case AtomicExpr::AO__c11_atomic_init:
3872   case AtomicExpr::AO__opencl_atomic_init:
3873     llvm_unreachable("There is no ordering argument for an init");
3874 
3875   case AtomicExpr::AO__c11_atomic_load:
3876   case AtomicExpr::AO__opencl_atomic_load:
3877   case AtomicExpr::AO__hip_atomic_load:
3878   case AtomicExpr::AO__atomic_load_n:
3879   case AtomicExpr::AO__atomic_load:
3880   case AtomicExpr::AO__scoped_atomic_load_n:
3881   case AtomicExpr::AO__scoped_atomic_load:
3882     return OrderingCABI != llvm::AtomicOrderingCABI::release &&
3883            OrderingCABI != llvm::AtomicOrderingCABI::acq_rel;
3884 
3885   case AtomicExpr::AO__c11_atomic_store:
3886   case AtomicExpr::AO__opencl_atomic_store:
3887   case AtomicExpr::AO__hip_atomic_store:
3888   case AtomicExpr::AO__atomic_store:
3889   case AtomicExpr::AO__atomic_store_n:
3890   case AtomicExpr::AO__scoped_atomic_store:
3891   case AtomicExpr::AO__scoped_atomic_store_n:
3892   case AtomicExpr::AO__atomic_clear:
3893     return OrderingCABI != llvm::AtomicOrderingCABI::consume &&
3894            OrderingCABI != llvm::AtomicOrderingCABI::acquire &&
3895            OrderingCABI != llvm::AtomicOrderingCABI::acq_rel;
3896 
3897   default:
3898     return true;
3899   }
3900 }
3901 
3902 ExprResult Sema::AtomicOpsOverloaded(ExprResult TheCallResult,
3903                                      AtomicExpr::AtomicOp Op) {
3904   CallExpr *TheCall = cast<CallExpr>(TheCallResult.get());
3905   DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
3906   MultiExprArg Args{TheCall->getArgs(), TheCall->getNumArgs()};
3907   return BuildAtomicExpr({TheCall->getBeginLoc(), TheCall->getEndLoc()},
3908                          DRE->getSourceRange(), TheCall->getRParenLoc(), Args,
3909                          Op);
3910 }
3911 
3912 ExprResult Sema::BuildAtomicExpr(SourceRange CallRange, SourceRange ExprRange,
3913                                  SourceLocation RParenLoc, MultiExprArg Args,
3914                                  AtomicExpr::AtomicOp Op,
3915                                  AtomicArgumentOrder ArgOrder) {
3916   // All the non-OpenCL operations take one of the following forms.
3917   // The OpenCL operations take the __c11 forms with one extra argument for
3918   // synchronization scope.
3919   enum {
3920     // C    __c11_atomic_init(A *, C)
3921     Init,
3922 
3923     // C    __c11_atomic_load(A *, int)
3924     Load,
3925 
3926     // void __atomic_load(A *, CP, int)
3927     LoadCopy,
3928 
3929     // void __atomic_store(A *, CP, int)
3930     Copy,
3931 
3932     // C    __c11_atomic_add(A *, M, int)
3933     Arithmetic,
3934 
3935     // C    __atomic_exchange_n(A *, CP, int)
3936     Xchg,
3937 
3938     // void __atomic_exchange(A *, C *, CP, int)
3939     GNUXchg,
3940 
3941     // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int)
3942     C11CmpXchg,
3943 
3944     // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int)
3945     GNUCmpXchg,
3946 
3947     // bool __atomic_test_and_set(A *, int)
3948     TestAndSetByte,
3949 
3950     // void __atomic_clear(A *, int)
3951     ClearByte,
3952   } Form = Init;
3953 
3954   const unsigned NumForm = ClearByte + 1;
3955   const unsigned NumArgs[] = {2, 2, 3, 3, 3, 3, 4, 5, 6, 2, 2};
3956   const unsigned NumVals[] = {1, 0, 1, 1, 1, 1, 2, 2, 3, 0, 0};
3957   // where:
3958   //   C is an appropriate type,
3959   //   A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins,
3960   //   CP is C for __c11 builtins and GNU _n builtins and is C * otherwise,
3961   //   M is C if C is an integer, and ptrdiff_t if C is a pointer, and
3962   //   the int parameters are for orderings.
3963 
3964   static_assert(sizeof(NumArgs)/sizeof(NumArgs[0]) == NumForm
3965       && sizeof(NumVals)/sizeof(NumVals[0]) == NumForm,
3966       "need to update code for modified forms");
3967   static_assert(AtomicExpr::AO__atomic_add_fetch == 0 &&
3968                     AtomicExpr::AO__atomic_xor_fetch + 1 ==
3969                         AtomicExpr::AO__c11_atomic_compare_exchange_strong,
3970                 "need to update code for modified C11 atomics");
3971   bool IsOpenCL = Op >= AtomicExpr::AO__opencl_atomic_compare_exchange_strong &&
3972                   Op <= AtomicExpr::AO__opencl_atomic_store;
3973   bool IsHIP = Op >= AtomicExpr::AO__hip_atomic_compare_exchange_strong &&
3974                Op <= AtomicExpr::AO__hip_atomic_store;
3975   bool IsScoped = Op >= AtomicExpr::AO__scoped_atomic_add_fetch &&
3976                   Op <= AtomicExpr::AO__scoped_atomic_xor_fetch;
3977   bool IsC11 = (Op >= AtomicExpr::AO__c11_atomic_compare_exchange_strong &&
3978                 Op <= AtomicExpr::AO__c11_atomic_store) ||
3979                IsOpenCL;
3980   bool IsN = Op == AtomicExpr::AO__atomic_load_n ||
3981              Op == AtomicExpr::AO__atomic_store_n ||
3982              Op == AtomicExpr::AO__atomic_exchange_n ||
3983              Op == AtomicExpr::AO__atomic_compare_exchange_n ||
3984              Op == AtomicExpr::AO__scoped_atomic_load_n ||
3985              Op == AtomicExpr::AO__scoped_atomic_store_n ||
3986              Op == AtomicExpr::AO__scoped_atomic_exchange_n ||
3987              Op == AtomicExpr::AO__scoped_atomic_compare_exchange_n;
3988   // Bit mask for extra allowed value types other than integers for atomic
3989   // arithmetic operations. Add/sub allow pointer and floating point. Min/max
3990   // allow floating point.
3991   enum ArithOpExtraValueType {
3992     AOEVT_None = 0,
3993     AOEVT_Pointer = 1,
3994     AOEVT_FP = 2,
3995   };
3996   unsigned ArithAllows = AOEVT_None;
3997 
3998   switch (Op) {
3999   case AtomicExpr::AO__c11_atomic_init:
4000   case AtomicExpr::AO__opencl_atomic_init:
4001     Form = Init;
4002     break;
4003 
4004   case AtomicExpr::AO__c11_atomic_load:
4005   case AtomicExpr::AO__opencl_atomic_load:
4006   case AtomicExpr::AO__hip_atomic_load:
4007   case AtomicExpr::AO__atomic_load_n:
4008   case AtomicExpr::AO__scoped_atomic_load_n:
4009     Form = Load;
4010     break;
4011 
4012   case AtomicExpr::AO__atomic_load:
4013   case AtomicExpr::AO__scoped_atomic_load:
4014     Form = LoadCopy;
4015     break;
4016 
4017   case AtomicExpr::AO__c11_atomic_store:
4018   case AtomicExpr::AO__opencl_atomic_store:
4019   case AtomicExpr::AO__hip_atomic_store:
4020   case AtomicExpr::AO__atomic_store:
4021   case AtomicExpr::AO__atomic_store_n:
4022   case AtomicExpr::AO__scoped_atomic_store:
4023   case AtomicExpr::AO__scoped_atomic_store_n:
4024     Form = Copy;
4025     break;
4026   case AtomicExpr::AO__atomic_fetch_add:
4027   case AtomicExpr::AO__atomic_fetch_sub:
4028   case AtomicExpr::AO__atomic_add_fetch:
4029   case AtomicExpr::AO__atomic_sub_fetch:
4030   case AtomicExpr::AO__scoped_atomic_fetch_add:
4031   case AtomicExpr::AO__scoped_atomic_fetch_sub:
4032   case AtomicExpr::AO__scoped_atomic_add_fetch:
4033   case AtomicExpr::AO__scoped_atomic_sub_fetch:
4034   case AtomicExpr::AO__c11_atomic_fetch_add:
4035   case AtomicExpr::AO__c11_atomic_fetch_sub:
4036   case AtomicExpr::AO__opencl_atomic_fetch_add:
4037   case AtomicExpr::AO__opencl_atomic_fetch_sub:
4038   case AtomicExpr::AO__hip_atomic_fetch_add:
4039   case AtomicExpr::AO__hip_atomic_fetch_sub:
4040     ArithAllows = AOEVT_Pointer | AOEVT_FP;
4041     Form = Arithmetic;
4042     break;
4043   case AtomicExpr::AO__atomic_fetch_max:
4044   case AtomicExpr::AO__atomic_fetch_min:
4045   case AtomicExpr::AO__atomic_max_fetch:
4046   case AtomicExpr::AO__atomic_min_fetch:
4047   case AtomicExpr::AO__scoped_atomic_fetch_max:
4048   case AtomicExpr::AO__scoped_atomic_fetch_min:
4049   case AtomicExpr::AO__scoped_atomic_max_fetch:
4050   case AtomicExpr::AO__scoped_atomic_min_fetch:
4051   case AtomicExpr::AO__c11_atomic_fetch_max:
4052   case AtomicExpr::AO__c11_atomic_fetch_min:
4053   case AtomicExpr::AO__opencl_atomic_fetch_max:
4054   case AtomicExpr::AO__opencl_atomic_fetch_min:
4055   case AtomicExpr::AO__hip_atomic_fetch_max:
4056   case AtomicExpr::AO__hip_atomic_fetch_min:
4057     ArithAllows = AOEVT_FP;
4058     Form = Arithmetic;
4059     break;
4060   case AtomicExpr::AO__c11_atomic_fetch_and:
4061   case AtomicExpr::AO__c11_atomic_fetch_or:
4062   case AtomicExpr::AO__c11_atomic_fetch_xor:
4063   case AtomicExpr::AO__hip_atomic_fetch_and:
4064   case AtomicExpr::AO__hip_atomic_fetch_or:
4065   case AtomicExpr::AO__hip_atomic_fetch_xor:
4066   case AtomicExpr::AO__c11_atomic_fetch_nand:
4067   case AtomicExpr::AO__opencl_atomic_fetch_and:
4068   case AtomicExpr::AO__opencl_atomic_fetch_or:
4069   case AtomicExpr::AO__opencl_atomic_fetch_xor:
4070   case AtomicExpr::AO__atomic_fetch_and:
4071   case AtomicExpr::AO__atomic_fetch_or:
4072   case AtomicExpr::AO__atomic_fetch_xor:
4073   case AtomicExpr::AO__atomic_fetch_nand:
4074   case AtomicExpr::AO__atomic_and_fetch:
4075   case AtomicExpr::AO__atomic_or_fetch:
4076   case AtomicExpr::AO__atomic_xor_fetch:
4077   case AtomicExpr::AO__atomic_nand_fetch:
4078   case AtomicExpr::AO__scoped_atomic_fetch_and:
4079   case AtomicExpr::AO__scoped_atomic_fetch_or:
4080   case AtomicExpr::AO__scoped_atomic_fetch_xor:
4081   case AtomicExpr::AO__scoped_atomic_fetch_nand:
4082   case AtomicExpr::AO__scoped_atomic_and_fetch:
4083   case AtomicExpr::AO__scoped_atomic_or_fetch:
4084   case AtomicExpr::AO__scoped_atomic_xor_fetch:
4085   case AtomicExpr::AO__scoped_atomic_nand_fetch:
4086     Form = Arithmetic;
4087     break;
4088 
4089   case AtomicExpr::AO__c11_atomic_exchange:
4090   case AtomicExpr::AO__hip_atomic_exchange:
4091   case AtomicExpr::AO__opencl_atomic_exchange:
4092   case AtomicExpr::AO__atomic_exchange_n:
4093   case AtomicExpr::AO__scoped_atomic_exchange_n:
4094     Form = Xchg;
4095     break;
4096 
4097   case AtomicExpr::AO__atomic_exchange:
4098   case AtomicExpr::AO__scoped_atomic_exchange:
4099     Form = GNUXchg;
4100     break;
4101 
4102   case AtomicExpr::AO__c11_atomic_compare_exchange_strong:
4103   case AtomicExpr::AO__c11_atomic_compare_exchange_weak:
4104   case AtomicExpr::AO__hip_atomic_compare_exchange_strong:
4105   case AtomicExpr::AO__opencl_atomic_compare_exchange_strong:
4106   case AtomicExpr::AO__opencl_atomic_compare_exchange_weak:
4107   case AtomicExpr::AO__hip_atomic_compare_exchange_weak:
4108     Form = C11CmpXchg;
4109     break;
4110 
4111   case AtomicExpr::AO__atomic_compare_exchange:
4112   case AtomicExpr::AO__atomic_compare_exchange_n:
4113   case AtomicExpr::AO__scoped_atomic_compare_exchange:
4114   case AtomicExpr::AO__scoped_atomic_compare_exchange_n:
4115     Form = GNUCmpXchg;
4116     break;
4117 
4118   case AtomicExpr::AO__atomic_test_and_set:
4119     Form = TestAndSetByte;
4120     break;
4121 
4122   case AtomicExpr::AO__atomic_clear:
4123     Form = ClearByte;
4124     break;
4125   }
4126 
4127   unsigned AdjustedNumArgs = NumArgs[Form];
4128   if ((IsOpenCL || IsHIP || IsScoped) &&
4129       Op != AtomicExpr::AO__opencl_atomic_init)
4130     ++AdjustedNumArgs;
4131   // Check we have the right number of arguments.
4132   if (Args.size() < AdjustedNumArgs) {
4133     Diag(CallRange.getEnd(), diag::err_typecheck_call_too_few_args)
4134         << 0 << AdjustedNumArgs << static_cast<unsigned>(Args.size())
4135         << /*is non object*/ 0 << ExprRange;
4136     return ExprError();
4137   } else if (Args.size() > AdjustedNumArgs) {
4138     Diag(Args[AdjustedNumArgs]->getBeginLoc(),
4139          diag::err_typecheck_call_too_many_args)
4140         << 0 << AdjustedNumArgs << static_cast<unsigned>(Args.size())
4141         << /*is non object*/ 0 << ExprRange;
4142     return ExprError();
4143   }
4144 
4145   // Inspect the first argument of the atomic operation.
4146   Expr *Ptr = Args[0];
4147   ExprResult ConvertedPtr = DefaultFunctionArrayLvalueConversion(Ptr);
4148   if (ConvertedPtr.isInvalid())
4149     return ExprError();
4150 
4151   Ptr = ConvertedPtr.get();
4152   const PointerType *pointerType = Ptr->getType()->getAs<PointerType>();
4153   if (!pointerType) {
4154     Diag(ExprRange.getBegin(), diag::err_atomic_builtin_must_be_pointer)
4155         << Ptr->getType() << 0 << Ptr->getSourceRange();
4156     return ExprError();
4157   }
4158 
4159   // For a __c11 builtin, this should be a pointer to an _Atomic type.
4160   QualType AtomTy = pointerType->getPointeeType(); // 'A'
4161   QualType ValType = AtomTy; // 'C'
4162   if (IsC11) {
4163     if (!AtomTy->isAtomicType()) {
4164       Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_atomic)
4165           << Ptr->getType() << Ptr->getSourceRange();
4166       return ExprError();
4167     }
4168     if ((Form != Load && Form != LoadCopy && AtomTy.isConstQualified()) ||
4169         AtomTy.getAddressSpace() == LangAS::opencl_constant) {
4170       Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_non_const_atomic)
4171           << (AtomTy.isConstQualified() ? 0 : 1) << Ptr->getType()
4172           << Ptr->getSourceRange();
4173       return ExprError();
4174     }
4175     ValType = AtomTy->castAs<AtomicType>()->getValueType();
4176   } else if (Form != Load && Form != LoadCopy) {
4177     if (ValType.isConstQualified()) {
4178       Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_non_const_pointer)
4179           << Ptr->getType() << Ptr->getSourceRange();
4180       return ExprError();
4181     }
4182   }
4183 
4184   if (Form != TestAndSetByte && Form != ClearByte) {
4185     // Pointer to object of size zero is not allowed.
4186     if (RequireCompleteType(Ptr->getBeginLoc(), AtomTy,
4187                             diag::err_incomplete_type))
4188       return ExprError();
4189 
4190     if (Context.getTypeInfoInChars(AtomTy).Width.isZero()) {
4191       Diag(ExprRange.getBegin(), diag::err_atomic_builtin_must_be_pointer)
4192           << Ptr->getType() << 1 << Ptr->getSourceRange();
4193       return ExprError();
4194     }
4195   } else {
4196     // The __atomic_clear and __atomic_test_and_set intrinsics accept any
4197     // non-const pointer type, including void* and pointers to incomplete
4198     // structs, but only access the first byte.
4199     AtomTy = Context.CharTy;
4200     AtomTy = AtomTy.withCVRQualifiers(
4201         pointerType->getPointeeType().getCVRQualifiers());
4202     QualType PointerQT = Context.getPointerType(AtomTy);
4203     pointerType = PointerQT->getAs<PointerType>();
4204     Ptr = ImpCastExprToType(Ptr, PointerQT, CK_BitCast).get();
4205     ValType = AtomTy;
4206   }
4207 
4208   PointerAuthQualifier PointerAuth = AtomTy.getPointerAuth();
4209   if (PointerAuth && PointerAuth.isAddressDiscriminated()) {
4210     Diag(ExprRange.getBegin(),
4211          diag::err_atomic_op_needs_non_address_discriminated_pointer)
4212         << 0 << Ptr->getType() << Ptr->getSourceRange();
4213     return ExprError();
4214   }
4215 
4216   // For an arithmetic operation, the implied arithmetic must be well-formed.
4217   if (Form == Arithmetic) {
4218     // GCC does not enforce these rules for GNU atomics, but we do to help catch
4219     // trivial type errors.
4220     auto IsAllowedValueType = [&](QualType ValType,
4221                                   unsigned AllowedType) -> bool {
4222       if (ValType->isIntegerType())
4223         return true;
4224       if (ValType->isPointerType())
4225         return AllowedType & AOEVT_Pointer;
4226       if (!(ValType->isFloatingType() && (AllowedType & AOEVT_FP)))
4227         return false;
4228       // LLVM Parser does not allow atomicrmw with x86_fp80 type.
4229       if (ValType->isSpecificBuiltinType(BuiltinType::LongDouble) &&
4230           &Context.getTargetInfo().getLongDoubleFormat() ==
4231               &llvm::APFloat::x87DoubleExtended())
4232         return false;
4233       return true;
4234     };
4235     if (!IsAllowedValueType(ValType, ArithAllows)) {
4236       auto DID = ArithAllows & AOEVT_FP
4237                      ? (ArithAllows & AOEVT_Pointer
4238                             ? diag::err_atomic_op_needs_atomic_int_ptr_or_fp
4239                             : diag::err_atomic_op_needs_atomic_int_or_fp)
4240                      : diag::err_atomic_op_needs_atomic_int;
4241       Diag(ExprRange.getBegin(), DID)
4242           << IsC11 << Ptr->getType() << Ptr->getSourceRange();
4243       return ExprError();
4244     }
4245     if (IsC11 && ValType->isPointerType() &&
4246         RequireCompleteType(Ptr->getBeginLoc(), ValType->getPointeeType(),
4247                             diag::err_incomplete_type)) {
4248       return ExprError();
4249     }
4250   } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) {
4251     // For __atomic_*_n operations, the value type must be a scalar integral or
4252     // pointer type which is 1, 2, 4, 8 or 16 bytes in length.
4253     Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_atomic_int_or_ptr)
4254         << IsC11 << Ptr->getType() << Ptr->getSourceRange();
4255     return ExprError();
4256   }
4257 
4258   if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) &&
4259       !AtomTy->isScalarType()) {
4260     // For GNU atomics, require a trivially-copyable type. This is not part of
4261     // the GNU atomics specification but we enforce it for consistency with
4262     // other atomics which generally all require a trivially-copyable type. This
4263     // is because atomics just copy bits.
4264     Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_trivial_copy)
4265         << Ptr->getType() << Ptr->getSourceRange();
4266     return ExprError();
4267   }
4268 
4269   switch (ValType.getObjCLifetime()) {
4270   case Qualifiers::OCL_None:
4271   case Qualifiers::OCL_ExplicitNone:
4272     // okay
4273     break;
4274 
4275   case Qualifiers::OCL_Weak:
4276   case Qualifiers::OCL_Strong:
4277   case Qualifiers::OCL_Autoreleasing:
4278     // FIXME: Can this happen? By this point, ValType should be known
4279     // to be trivially copyable.
4280     Diag(ExprRange.getBegin(), diag::err_arc_atomic_ownership)
4281         << ValType << Ptr->getSourceRange();
4282     return ExprError();
4283   }
4284 
4285   // All atomic operations have an overload which takes a pointer to a volatile
4286   // 'A'.  We shouldn't let the volatile-ness of the pointee-type inject itself
4287   // into the result or the other operands. Similarly atomic_load takes a
4288   // pointer to a const 'A'.
4289   ValType.removeLocalVolatile();
4290   ValType.removeLocalConst();
4291   QualType ResultType = ValType;
4292   if (Form == Copy || Form == LoadCopy || Form == GNUXchg || Form == Init ||
4293       Form == ClearByte)
4294     ResultType = Context.VoidTy;
4295   else if (Form == C11CmpXchg || Form == GNUCmpXchg || Form == TestAndSetByte)
4296     ResultType = Context.BoolTy;
4297 
4298   // The type of a parameter passed 'by value'. In the GNU atomics, such
4299   // arguments are actually passed as pointers.
4300   QualType ByValType = ValType; // 'CP'
4301   bool IsPassedByAddress = false;
4302   if (!IsC11 && !IsHIP && !IsN) {
4303     ByValType = Ptr->getType();
4304     IsPassedByAddress = true;
4305   }
4306 
4307   SmallVector<Expr *, 5> APIOrderedArgs;
4308   if (ArgOrder == Sema::AtomicArgumentOrder::AST) {
4309     APIOrderedArgs.push_back(Args[0]);
4310     switch (Form) {
4311     case Init:
4312     case Load:
4313       APIOrderedArgs.push_back(Args[1]); // Val1/Order
4314       break;
4315     case LoadCopy:
4316     case Copy:
4317     case Arithmetic:
4318     case Xchg:
4319       APIOrderedArgs.push_back(Args[2]); // Val1
4320       APIOrderedArgs.push_back(Args[1]); // Order
4321       break;
4322     case GNUXchg:
4323       APIOrderedArgs.push_back(Args[2]); // Val1
4324       APIOrderedArgs.push_back(Args[3]); // Val2
4325       APIOrderedArgs.push_back(Args[1]); // Order
4326       break;
4327     case C11CmpXchg:
4328       APIOrderedArgs.push_back(Args[2]); // Val1
4329       APIOrderedArgs.push_back(Args[4]); // Val2
4330       APIOrderedArgs.push_back(Args[1]); // Order
4331       APIOrderedArgs.push_back(Args[3]); // OrderFail
4332       break;
4333     case GNUCmpXchg:
4334       APIOrderedArgs.push_back(Args[2]); // Val1
4335       APIOrderedArgs.push_back(Args[4]); // Val2
4336       APIOrderedArgs.push_back(Args[5]); // Weak
4337       APIOrderedArgs.push_back(Args[1]); // Order
4338       APIOrderedArgs.push_back(Args[3]); // OrderFail
4339       break;
4340     case TestAndSetByte:
4341     case ClearByte:
4342       APIOrderedArgs.push_back(Args[1]); // Order
4343       break;
4344     }
4345   } else
4346     APIOrderedArgs.append(Args.begin(), Args.end());
4347 
4348   // The first argument's non-CV pointer type is used to deduce the type of
4349   // subsequent arguments, except for:
4350   //  - weak flag (always converted to bool)
4351   //  - memory order (always converted to int)
4352   //  - scope  (always converted to int)
4353   for (unsigned i = 0; i != APIOrderedArgs.size(); ++i) {
4354     QualType Ty;
4355     if (i < NumVals[Form] + 1) {
4356       switch (i) {
4357       case 0:
4358         // The first argument is always a pointer. It has a fixed type.
4359         // It is always dereferenced, a nullptr is undefined.
4360         CheckNonNullArgument(*this, APIOrderedArgs[i], ExprRange.getBegin());
4361         // Nothing else to do: we already know all we want about this pointer.
4362         continue;
4363       case 1:
4364         // The second argument is the non-atomic operand. For arithmetic, this
4365         // is always passed by value, and for a compare_exchange it is always
4366         // passed by address. For the rest, GNU uses by-address and C11 uses
4367         // by-value.
4368         assert(Form != Load);
4369         if (Form == Arithmetic && ValType->isPointerType())
4370           Ty = Context.getPointerDiffType();
4371         else if (Form == Init || Form == Arithmetic)
4372           Ty = ValType;
4373         else if (Form == Copy || Form == Xchg) {
4374           if (IsPassedByAddress) {
4375             // The value pointer is always dereferenced, a nullptr is undefined.
4376             CheckNonNullArgument(*this, APIOrderedArgs[i],
4377                                  ExprRange.getBegin());
4378           }
4379           Ty = ByValType;
4380         } else {
4381           Expr *ValArg = APIOrderedArgs[i];
4382           // The value pointer is always dereferenced, a nullptr is undefined.
4383           CheckNonNullArgument(*this, ValArg, ExprRange.getBegin());
4384           LangAS AS = LangAS::Default;
4385           // Keep address space of non-atomic pointer type.
4386           if (const PointerType *PtrTy =
4387                   ValArg->getType()->getAs<PointerType>()) {
4388             AS = PtrTy->getPointeeType().getAddressSpace();
4389           }
4390           Ty = Context.getPointerType(
4391               Context.getAddrSpaceQualType(ValType.getUnqualifiedType(), AS));
4392         }
4393         break;
4394       case 2:
4395         // The third argument to compare_exchange / GNU exchange is the desired
4396         // value, either by-value (for the C11 and *_n variant) or as a pointer.
4397         if (IsPassedByAddress)
4398           CheckNonNullArgument(*this, APIOrderedArgs[i], ExprRange.getBegin());
4399         Ty = ByValType;
4400         break;
4401       case 3:
4402         // The fourth argument to GNU compare_exchange is a 'weak' flag.
4403         Ty = Context.BoolTy;
4404         break;
4405       }
4406     } else {
4407       // The order(s) and scope are always converted to int.
4408       Ty = Context.IntTy;
4409     }
4410 
4411     InitializedEntity Entity =
4412         InitializedEntity::InitializeParameter(Context, Ty, false);
4413     ExprResult Arg = APIOrderedArgs[i];
4414     Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
4415     if (Arg.isInvalid())
4416       return true;
4417     APIOrderedArgs[i] = Arg.get();
4418   }
4419 
4420   // Permute the arguments into a 'consistent' order.
4421   SmallVector<Expr*, 5> SubExprs;
4422   SubExprs.push_back(Ptr);
4423   switch (Form) {
4424   case Init:
4425     // Note, AtomicExpr::getVal1() has a special case for this atomic.
4426     SubExprs.push_back(APIOrderedArgs[1]); // Val1
4427     break;
4428   case Load:
4429   case TestAndSetByte:
4430   case ClearByte:
4431     SubExprs.push_back(APIOrderedArgs[1]); // Order
4432     break;
4433   case LoadCopy:
4434   case Copy:
4435   case Arithmetic:
4436   case Xchg:
4437     SubExprs.push_back(APIOrderedArgs[2]); // Order
4438     SubExprs.push_back(APIOrderedArgs[1]); // Val1
4439     break;
4440   case GNUXchg:
4441     // Note, AtomicExpr::getVal2() has a special case for this atomic.
4442     SubExprs.push_back(APIOrderedArgs[3]); // Order
4443     SubExprs.push_back(APIOrderedArgs[1]); // Val1
4444     SubExprs.push_back(APIOrderedArgs[2]); // Val2
4445     break;
4446   case C11CmpXchg:
4447     SubExprs.push_back(APIOrderedArgs[3]); // Order
4448     SubExprs.push_back(APIOrderedArgs[1]); // Val1
4449     SubExprs.push_back(APIOrderedArgs[4]); // OrderFail
4450     SubExprs.push_back(APIOrderedArgs[2]); // Val2
4451     break;
4452   case GNUCmpXchg:
4453     SubExprs.push_back(APIOrderedArgs[4]); // Order
4454     SubExprs.push_back(APIOrderedArgs[1]); // Val1
4455     SubExprs.push_back(APIOrderedArgs[5]); // OrderFail
4456     SubExprs.push_back(APIOrderedArgs[2]); // Val2
4457     SubExprs.push_back(APIOrderedArgs[3]); // Weak
4458     break;
4459   }
4460 
4461   // If the memory orders are constants, check they are valid.
4462   if (SubExprs.size() >= 2 && Form != Init) {
4463     std::optional<llvm::APSInt> Success =
4464         SubExprs[1]->getIntegerConstantExpr(Context);
4465     if (Success && !isValidOrderingForOp(Success->getSExtValue(), Op)) {
4466       Diag(SubExprs[1]->getBeginLoc(),
4467            diag::warn_atomic_op_has_invalid_memory_order)
4468           << /*success=*/(Form == C11CmpXchg || Form == GNUCmpXchg)
4469           << SubExprs[1]->getSourceRange();
4470     }
4471     if (SubExprs.size() >= 5) {
4472       if (std::optional<llvm::APSInt> Failure =
4473               SubExprs[3]->getIntegerConstantExpr(Context)) {
4474         if (!llvm::is_contained(
4475                 {llvm::AtomicOrderingCABI::relaxed,
4476                  llvm::AtomicOrderingCABI::consume,
4477                  llvm::AtomicOrderingCABI::acquire,
4478                  llvm::AtomicOrderingCABI::seq_cst},
4479                 (llvm::AtomicOrderingCABI)Failure->getSExtValue())) {
4480           Diag(SubExprs[3]->getBeginLoc(),
4481                diag::warn_atomic_op_has_invalid_memory_order)
4482               << /*failure=*/2 << SubExprs[3]->getSourceRange();
4483         }
4484       }
4485     }
4486   }
4487 
4488   if (auto ScopeModel = AtomicExpr::getScopeModel(Op)) {
4489     auto *Scope = Args[Args.size() - 1];
4490     if (std::optional<llvm::APSInt> Result =
4491             Scope->getIntegerConstantExpr(Context)) {
4492       if (!ScopeModel->isValid(Result->getZExtValue()))
4493         Diag(Scope->getBeginLoc(), diag::err_atomic_op_has_invalid_sync_scope)
4494             << Scope->getSourceRange();
4495     }
4496     SubExprs.push_back(Scope);
4497   }
4498 
4499   AtomicExpr *AE = new (Context)
4500       AtomicExpr(ExprRange.getBegin(), SubExprs, ResultType, Op, RParenLoc);
4501 
4502   if ((Op == AtomicExpr::AO__c11_atomic_load ||
4503        Op == AtomicExpr::AO__c11_atomic_store ||
4504        Op == AtomicExpr::AO__opencl_atomic_load ||
4505        Op == AtomicExpr::AO__hip_atomic_load ||
4506        Op == AtomicExpr::AO__opencl_atomic_store ||
4507        Op == AtomicExpr::AO__hip_atomic_store) &&
4508       Context.AtomicUsesUnsupportedLibcall(AE))
4509     Diag(AE->getBeginLoc(), diag::err_atomic_load_store_uses_lib)
4510         << ((Op == AtomicExpr::AO__c11_atomic_load ||
4511              Op == AtomicExpr::AO__opencl_atomic_load ||
4512              Op == AtomicExpr::AO__hip_atomic_load)
4513                 ? 0
4514                 : 1);
4515 
4516   if (ValType->isBitIntType()) {
4517     Diag(Ptr->getExprLoc(), diag::err_atomic_builtin_bit_int_prohibit);
4518     return ExprError();
4519   }
4520 
4521   return AE;
4522 }
4523 
4524 /// checkBuiltinArgument - Given a call to a builtin function, perform
4525 /// normal type-checking on the given argument, updating the call in
4526 /// place.  This is useful when a builtin function requires custom
4527 /// type-checking for some of its arguments but not necessarily all of
4528 /// them.
4529 ///
4530 /// Returns true on error.
4531 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) {
4532   FunctionDecl *Fn = E->getDirectCallee();
4533   assert(Fn && "builtin call without direct callee!");
4534 
4535   ParmVarDecl *Param = Fn->getParamDecl(ArgIndex);
4536   InitializedEntity Entity =
4537     InitializedEntity::InitializeParameter(S.Context, Param);
4538 
4539   ExprResult Arg = E->getArg(ArgIndex);
4540   Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg);
4541   if (Arg.isInvalid())
4542     return true;
4543 
4544   E->setArg(ArgIndex, Arg.get());
4545   return false;
4546 }
4547 
4548 ExprResult Sema::BuiltinAtomicOverloaded(ExprResult TheCallResult) {
4549   CallExpr *TheCall = static_cast<CallExpr *>(TheCallResult.get());
4550   Expr *Callee = TheCall->getCallee();
4551   DeclRefExpr *DRE = cast<DeclRefExpr>(Callee->IgnoreParenCasts());
4552   FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
4553 
4554   // Ensure that we have at least one argument to do type inference from.
4555   if (TheCall->getNumArgs() < 1) {
4556     Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
4557         << 0 << 1 << TheCall->getNumArgs() << /*is non object*/ 0
4558         << Callee->getSourceRange();
4559     return ExprError();
4560   }
4561 
4562   // Inspect the first argument of the atomic builtin.  This should always be
4563   // a pointer type, whose element is an integral scalar or pointer type.
4564   // Because it is a pointer type, we don't have to worry about any implicit
4565   // casts here.
4566   // FIXME: We don't allow floating point scalars as input.
4567   Expr *FirstArg = TheCall->getArg(0);
4568   ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg);
4569   if (FirstArgResult.isInvalid())
4570     return ExprError();
4571   FirstArg = FirstArgResult.get();
4572   TheCall->setArg(0, FirstArg);
4573 
4574   const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>();
4575   if (!pointerType) {
4576     Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_must_be_pointer)
4577         << FirstArg->getType() << 0 << FirstArg->getSourceRange();
4578     return ExprError();
4579   }
4580 
4581   QualType ValType = pointerType->getPointeeType();
4582   if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
4583       !ValType->isBlockPointerType()) {
4584     Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_must_be_pointer_intptr)
4585         << FirstArg->getType() << 0 << FirstArg->getSourceRange();
4586     return ExprError();
4587   }
4588   PointerAuthQualifier PointerAuth = ValType.getPointerAuth();
4589   if (PointerAuth && PointerAuth.isAddressDiscriminated()) {
4590     Diag(FirstArg->getBeginLoc(),
4591          diag::err_atomic_op_needs_non_address_discriminated_pointer)
4592         << 1 << ValType << FirstArg->getSourceRange();
4593     return ExprError();
4594   }
4595 
4596   if (ValType.isConstQualified()) {
4597     Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_cannot_be_const)
4598         << FirstArg->getType() << FirstArg->getSourceRange();
4599     return ExprError();
4600   }
4601 
4602   switch (ValType.getObjCLifetime()) {
4603   case Qualifiers::OCL_None:
4604   case Qualifiers::OCL_ExplicitNone:
4605     // okay
4606     break;
4607 
4608   case Qualifiers::OCL_Weak:
4609   case Qualifiers::OCL_Strong:
4610   case Qualifiers::OCL_Autoreleasing:
4611     Diag(DRE->getBeginLoc(), diag::err_arc_atomic_ownership)
4612         << ValType << FirstArg->getSourceRange();
4613     return ExprError();
4614   }
4615 
4616   // Strip any qualifiers off ValType.
4617   ValType = ValType.getUnqualifiedType();
4618 
4619   // The majority of builtins return a value, but a few have special return
4620   // types, so allow them to override appropriately below.
4621   QualType ResultType = ValType;
4622 
4623   // We need to figure out which concrete builtin this maps onto.  For example,
4624   // __sync_fetch_and_add with a 2 byte object turns into
4625   // __sync_fetch_and_add_2.
4626 #define BUILTIN_ROW(x) \
4627   { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \
4628     Builtin::BI##x##_8, Builtin::BI##x##_16 }
4629 
4630   static const unsigned BuiltinIndices[][5] = {
4631     BUILTIN_ROW(__sync_fetch_and_add),
4632     BUILTIN_ROW(__sync_fetch_and_sub),
4633     BUILTIN_ROW(__sync_fetch_and_or),
4634     BUILTIN_ROW(__sync_fetch_and_and),
4635     BUILTIN_ROW(__sync_fetch_and_xor),
4636     BUILTIN_ROW(__sync_fetch_and_nand),
4637 
4638     BUILTIN_ROW(__sync_add_and_fetch),
4639     BUILTIN_ROW(__sync_sub_and_fetch),
4640     BUILTIN_ROW(__sync_and_and_fetch),
4641     BUILTIN_ROW(__sync_or_and_fetch),
4642     BUILTIN_ROW(__sync_xor_and_fetch),
4643     BUILTIN_ROW(__sync_nand_and_fetch),
4644 
4645     BUILTIN_ROW(__sync_val_compare_and_swap),
4646     BUILTIN_ROW(__sync_bool_compare_and_swap),
4647     BUILTIN_ROW(__sync_lock_test_and_set),
4648     BUILTIN_ROW(__sync_lock_release),
4649     BUILTIN_ROW(__sync_swap)
4650   };
4651 #undef BUILTIN_ROW
4652 
4653   // Determine the index of the size.
4654   unsigned SizeIndex;
4655   switch (Context.getTypeSizeInChars(ValType).getQuantity()) {
4656   case 1: SizeIndex = 0; break;
4657   case 2: SizeIndex = 1; break;
4658   case 4: SizeIndex = 2; break;
4659   case 8: SizeIndex = 3; break;
4660   case 16: SizeIndex = 4; break;
4661   default:
4662     Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_pointer_size)
4663         << FirstArg->getType() << FirstArg->getSourceRange();
4664     return ExprError();
4665   }
4666 
4667   // Each of these builtins has one pointer argument, followed by some number of
4668   // values (0, 1 or 2) followed by a potentially empty varags list of stuff
4669   // that we ignore.  Find out which row of BuiltinIndices to read from as well
4670   // as the number of fixed args.
4671   unsigned BuiltinID = FDecl->getBuiltinID();
4672   unsigned BuiltinIndex, NumFixed = 1;
4673   bool WarnAboutSemanticsChange = false;
4674   switch (BuiltinID) {
4675   default: llvm_unreachable("Unknown overloaded atomic builtin!");
4676   case Builtin::BI__sync_fetch_and_add:
4677   case Builtin::BI__sync_fetch_and_add_1:
4678   case Builtin::BI__sync_fetch_and_add_2:
4679   case Builtin::BI__sync_fetch_and_add_4:
4680   case Builtin::BI__sync_fetch_and_add_8:
4681   case Builtin::BI__sync_fetch_and_add_16:
4682     BuiltinIndex = 0;
4683     break;
4684 
4685   case Builtin::BI__sync_fetch_and_sub:
4686   case Builtin::BI__sync_fetch_and_sub_1:
4687   case Builtin::BI__sync_fetch_and_sub_2:
4688   case Builtin::BI__sync_fetch_and_sub_4:
4689   case Builtin::BI__sync_fetch_and_sub_8:
4690   case Builtin::BI__sync_fetch_and_sub_16:
4691     BuiltinIndex = 1;
4692     break;
4693 
4694   case Builtin::BI__sync_fetch_and_or:
4695   case Builtin::BI__sync_fetch_and_or_1:
4696   case Builtin::BI__sync_fetch_and_or_2:
4697   case Builtin::BI__sync_fetch_and_or_4:
4698   case Builtin::BI__sync_fetch_and_or_8:
4699   case Builtin::BI__sync_fetch_and_or_16:
4700     BuiltinIndex = 2;
4701     break;
4702 
4703   case Builtin::BI__sync_fetch_and_and:
4704   case Builtin::BI__sync_fetch_and_and_1:
4705   case Builtin::BI__sync_fetch_and_and_2:
4706   case Builtin::BI__sync_fetch_and_and_4:
4707   case Builtin::BI__sync_fetch_and_and_8:
4708   case Builtin::BI__sync_fetch_and_and_16:
4709     BuiltinIndex = 3;
4710     break;
4711 
4712   case Builtin::BI__sync_fetch_and_xor:
4713   case Builtin::BI__sync_fetch_and_xor_1:
4714   case Builtin::BI__sync_fetch_and_xor_2:
4715   case Builtin::BI__sync_fetch_and_xor_4:
4716   case Builtin::BI__sync_fetch_and_xor_8:
4717   case Builtin::BI__sync_fetch_and_xor_16:
4718     BuiltinIndex = 4;
4719     break;
4720 
4721   case Builtin::BI__sync_fetch_and_nand:
4722   case Builtin::BI__sync_fetch_and_nand_1:
4723   case Builtin::BI__sync_fetch_and_nand_2:
4724   case Builtin::BI__sync_fetch_and_nand_4:
4725   case Builtin::BI__sync_fetch_and_nand_8:
4726   case Builtin::BI__sync_fetch_and_nand_16:
4727     BuiltinIndex = 5;
4728     WarnAboutSemanticsChange = true;
4729     break;
4730 
4731   case Builtin::BI__sync_add_and_fetch:
4732   case Builtin::BI__sync_add_and_fetch_1:
4733   case Builtin::BI__sync_add_and_fetch_2:
4734   case Builtin::BI__sync_add_and_fetch_4:
4735   case Builtin::BI__sync_add_and_fetch_8:
4736   case Builtin::BI__sync_add_and_fetch_16:
4737     BuiltinIndex = 6;
4738     break;
4739 
4740   case Builtin::BI__sync_sub_and_fetch:
4741   case Builtin::BI__sync_sub_and_fetch_1:
4742   case Builtin::BI__sync_sub_and_fetch_2:
4743   case Builtin::BI__sync_sub_and_fetch_4:
4744   case Builtin::BI__sync_sub_and_fetch_8:
4745   case Builtin::BI__sync_sub_and_fetch_16:
4746     BuiltinIndex = 7;
4747     break;
4748 
4749   case Builtin::BI__sync_and_and_fetch:
4750   case Builtin::BI__sync_and_and_fetch_1:
4751   case Builtin::BI__sync_and_and_fetch_2:
4752   case Builtin::BI__sync_and_and_fetch_4:
4753   case Builtin::BI__sync_and_and_fetch_8:
4754   case Builtin::BI__sync_and_and_fetch_16:
4755     BuiltinIndex = 8;
4756     break;
4757 
4758   case Builtin::BI__sync_or_and_fetch:
4759   case Builtin::BI__sync_or_and_fetch_1:
4760   case Builtin::BI__sync_or_and_fetch_2:
4761   case Builtin::BI__sync_or_and_fetch_4:
4762   case Builtin::BI__sync_or_and_fetch_8:
4763   case Builtin::BI__sync_or_and_fetch_16:
4764     BuiltinIndex = 9;
4765     break;
4766 
4767   case Builtin::BI__sync_xor_and_fetch:
4768   case Builtin::BI__sync_xor_and_fetch_1:
4769   case Builtin::BI__sync_xor_and_fetch_2:
4770   case Builtin::BI__sync_xor_and_fetch_4:
4771   case Builtin::BI__sync_xor_and_fetch_8:
4772   case Builtin::BI__sync_xor_and_fetch_16:
4773     BuiltinIndex = 10;
4774     break;
4775 
4776   case Builtin::BI__sync_nand_and_fetch:
4777   case Builtin::BI__sync_nand_and_fetch_1:
4778   case Builtin::BI__sync_nand_and_fetch_2:
4779   case Builtin::BI__sync_nand_and_fetch_4:
4780   case Builtin::BI__sync_nand_and_fetch_8:
4781   case Builtin::BI__sync_nand_and_fetch_16:
4782     BuiltinIndex = 11;
4783     WarnAboutSemanticsChange = true;
4784     break;
4785 
4786   case Builtin::BI__sync_val_compare_and_swap:
4787   case Builtin::BI__sync_val_compare_and_swap_1:
4788   case Builtin::BI__sync_val_compare_and_swap_2:
4789   case Builtin::BI__sync_val_compare_and_swap_4:
4790   case Builtin::BI__sync_val_compare_and_swap_8:
4791   case Builtin::BI__sync_val_compare_and_swap_16:
4792     BuiltinIndex = 12;
4793     NumFixed = 2;
4794     break;
4795 
4796   case Builtin::BI__sync_bool_compare_and_swap:
4797   case Builtin::BI__sync_bool_compare_and_swap_1:
4798   case Builtin::BI__sync_bool_compare_and_swap_2:
4799   case Builtin::BI__sync_bool_compare_and_swap_4:
4800   case Builtin::BI__sync_bool_compare_and_swap_8:
4801   case Builtin::BI__sync_bool_compare_and_swap_16:
4802     BuiltinIndex = 13;
4803     NumFixed = 2;
4804     ResultType = Context.BoolTy;
4805     break;
4806 
4807   case Builtin::BI__sync_lock_test_and_set:
4808   case Builtin::BI__sync_lock_test_and_set_1:
4809   case Builtin::BI__sync_lock_test_and_set_2:
4810   case Builtin::BI__sync_lock_test_and_set_4:
4811   case Builtin::BI__sync_lock_test_and_set_8:
4812   case Builtin::BI__sync_lock_test_and_set_16:
4813     BuiltinIndex = 14;
4814     break;
4815 
4816   case Builtin::BI__sync_lock_release:
4817   case Builtin::BI__sync_lock_release_1:
4818   case Builtin::BI__sync_lock_release_2:
4819   case Builtin::BI__sync_lock_release_4:
4820   case Builtin::BI__sync_lock_release_8:
4821   case Builtin::BI__sync_lock_release_16:
4822     BuiltinIndex = 15;
4823     NumFixed = 0;
4824     ResultType = Context.VoidTy;
4825     break;
4826 
4827   case Builtin::BI__sync_swap:
4828   case Builtin::BI__sync_swap_1:
4829   case Builtin::BI__sync_swap_2:
4830   case Builtin::BI__sync_swap_4:
4831   case Builtin::BI__sync_swap_8:
4832   case Builtin::BI__sync_swap_16:
4833     BuiltinIndex = 16;
4834     break;
4835   }
4836 
4837   // Now that we know how many fixed arguments we expect, first check that we
4838   // have at least that many.
4839   if (TheCall->getNumArgs() < 1+NumFixed) {
4840     Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
4841         << 0 << 1 + NumFixed << TheCall->getNumArgs() << /*is non object*/ 0
4842         << Callee->getSourceRange();
4843     return ExprError();
4844   }
4845 
4846   Diag(TheCall->getEndLoc(), diag::warn_atomic_implicit_seq_cst)
4847       << Callee->getSourceRange();
4848 
4849   if (WarnAboutSemanticsChange) {
4850     Diag(TheCall->getEndLoc(), diag::warn_sync_fetch_and_nand_semantics_change)
4851         << Callee->getSourceRange();
4852   }
4853 
4854   // Get the decl for the concrete builtin from this, we can tell what the
4855   // concrete integer type we should convert to is.
4856   unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex];
4857   std::string NewBuiltinName = Context.BuiltinInfo.getName(NewBuiltinID);
4858   FunctionDecl *NewBuiltinDecl;
4859   if (NewBuiltinID == BuiltinID)
4860     NewBuiltinDecl = FDecl;
4861   else {
4862     // Perform builtin lookup to avoid redeclaring it.
4863     DeclarationName DN(&Context.Idents.get(NewBuiltinName));
4864     LookupResult Res(*this, DN, DRE->getBeginLoc(), LookupOrdinaryName);
4865     LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true);
4866     assert(Res.getFoundDecl());
4867     NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl());
4868     if (!NewBuiltinDecl)
4869       return ExprError();
4870   }
4871 
4872   // The first argument --- the pointer --- has a fixed type; we
4873   // deduce the types of the rest of the arguments accordingly.  Walk
4874   // the remaining arguments, converting them to the deduced value type.
4875   for (unsigned i = 0; i != NumFixed; ++i) {
4876     ExprResult Arg = TheCall->getArg(i+1);
4877 
4878     // GCC does an implicit conversion to the pointer or integer ValType.  This
4879     // can fail in some cases (1i -> int**), check for this error case now.
4880     // Initialize the argument.
4881     InitializedEntity Entity = InitializedEntity::InitializeParameter(Context,
4882                                                    ValType, /*consume*/ false);
4883     Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
4884     if (Arg.isInvalid())
4885       return ExprError();
4886 
4887     // Okay, we have something that *can* be converted to the right type.  Check
4888     // to see if there is a potentially weird extension going on here.  This can
4889     // happen when you do an atomic operation on something like an char* and
4890     // pass in 42.  The 42 gets converted to char.  This is even more strange
4891     // for things like 45.123 -> char, etc.
4892     // FIXME: Do this check.
4893     TheCall->setArg(i+1, Arg.get());
4894   }
4895 
4896   // Create a new DeclRefExpr to refer to the new decl.
4897   DeclRefExpr *NewDRE = DeclRefExpr::Create(
4898       Context, DRE->getQualifierLoc(), SourceLocation(), NewBuiltinDecl,
4899       /*enclosing*/ false, DRE->getLocation(), Context.BuiltinFnTy,
4900       DRE->getValueKind(), nullptr, nullptr, DRE->isNonOdrUse());
4901 
4902   // Set the callee in the CallExpr.
4903   // FIXME: This loses syntactic information.
4904   QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType());
4905   ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy,
4906                                               CK_BuiltinFnToFnPtr);
4907   TheCall->setCallee(PromotedCall.get());
4908 
4909   // Change the result type of the call to match the original value type. This
4910   // is arbitrary, but the codegen for these builtins ins design to handle it
4911   // gracefully.
4912   TheCall->setType(ResultType);
4913 
4914   // Prohibit problematic uses of bit-precise integer types with atomic
4915   // builtins. The arguments would have already been converted to the first
4916   // argument's type, so only need to check the first argument.
4917   const auto *BitIntValType = ValType->getAs<BitIntType>();
4918   if (BitIntValType && !llvm::isPowerOf2_64(BitIntValType->getNumBits())) {
4919     Diag(FirstArg->getExprLoc(), diag::err_atomic_builtin_ext_int_size);
4920     return ExprError();
4921   }
4922 
4923   return TheCallResult;
4924 }
4925 
4926 ExprResult Sema::BuiltinNontemporalOverloaded(ExprResult TheCallResult) {
4927   CallExpr *TheCall = (CallExpr *)TheCallResult.get();
4928   DeclRefExpr *DRE =
4929       cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
4930   FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
4931   unsigned BuiltinID = FDecl->getBuiltinID();
4932   assert((BuiltinID == Builtin::BI__builtin_nontemporal_store ||
4933           BuiltinID == Builtin::BI__builtin_nontemporal_load) &&
4934          "Unexpected nontemporal load/store builtin!");
4935   bool isStore = BuiltinID == Builtin::BI__builtin_nontemporal_store;
4936   unsigned numArgs = isStore ? 2 : 1;
4937 
4938   // Ensure that we have the proper number of arguments.
4939   if (checkArgCount(TheCall, numArgs))
4940     return ExprError();
4941 
4942   // Inspect the last argument of the nontemporal builtin.  This should always
4943   // be a pointer type, from which we imply the type of the memory access.
4944   // Because it is a pointer type, we don't have to worry about any implicit
4945   // casts here.
4946   Expr *PointerArg = TheCall->getArg(numArgs - 1);
4947   ExprResult PointerArgResult =
4948       DefaultFunctionArrayLvalueConversion(PointerArg);
4949 
4950   if (PointerArgResult.isInvalid())
4951     return ExprError();
4952   PointerArg = PointerArgResult.get();
4953   TheCall->setArg(numArgs - 1, PointerArg);
4954 
4955   const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>();
4956   if (!pointerType) {
4957     Diag(DRE->getBeginLoc(), diag::err_nontemporal_builtin_must_be_pointer)
4958         << PointerArg->getType() << PointerArg->getSourceRange();
4959     return ExprError();
4960   }
4961 
4962   QualType ValType = pointerType->getPointeeType();
4963 
4964   // Strip any qualifiers off ValType.
4965   ValType = ValType.getUnqualifiedType();
4966   if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
4967       !ValType->isBlockPointerType() && !ValType->isFloatingType() &&
4968       !ValType->isVectorType()) {
4969     Diag(DRE->getBeginLoc(),
4970          diag::err_nontemporal_builtin_must_be_pointer_intfltptr_or_vector)
4971         << PointerArg->getType() << PointerArg->getSourceRange();
4972     return ExprError();
4973   }
4974 
4975   if (!isStore) {
4976     TheCall->setType(ValType);
4977     return TheCallResult;
4978   }
4979 
4980   ExprResult ValArg = TheCall->getArg(0);
4981   InitializedEntity Entity = InitializedEntity::InitializeParameter(
4982       Context, ValType, /*consume*/ false);
4983   ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg);
4984   if (ValArg.isInvalid())
4985     return ExprError();
4986 
4987   TheCall->setArg(0, ValArg.get());
4988   TheCall->setType(Context.VoidTy);
4989   return TheCallResult;
4990 }
4991 
4992 /// CheckObjCString - Checks that the format string argument to the os_log()
4993 /// and os_trace() functions is correct, and converts it to const char *.
4994 ExprResult Sema::CheckOSLogFormatStringArg(Expr *Arg) {
4995   Arg = Arg->IgnoreParenCasts();
4996   auto *Literal = dyn_cast<StringLiteral>(Arg);
4997   if (!Literal) {
4998     if (auto *ObjcLiteral = dyn_cast<ObjCStringLiteral>(Arg)) {
4999       Literal = ObjcLiteral->getString();
5000     }
5001   }
5002 
5003   if (!Literal || (!Literal->isOrdinary() && !Literal->isUTF8())) {
5004     return ExprError(
5005         Diag(Arg->getBeginLoc(), diag::err_os_log_format_not_string_constant)
5006         << Arg->getSourceRange());
5007   }
5008 
5009   ExprResult Result(Literal);
5010   QualType ResultTy = Context.getPointerType(Context.CharTy.withConst());
5011   InitializedEntity Entity =
5012       InitializedEntity::InitializeParameter(Context, ResultTy, false);
5013   Result = PerformCopyInitialization(Entity, SourceLocation(), Result);
5014   return Result;
5015 }
5016 
5017 /// Check that the user is calling the appropriate va_start builtin for the
5018 /// target and calling convention.
5019 static bool checkVAStartABI(Sema &S, unsigned BuiltinID, Expr *Fn) {
5020   const llvm::Triple &TT = S.Context.getTargetInfo().getTriple();
5021   bool IsX64 = TT.getArch() == llvm::Triple::x86_64;
5022   bool IsAArch64 = (TT.getArch() == llvm::Triple::aarch64 ||
5023                     TT.getArch() == llvm::Triple::aarch64_32);
5024   bool IsWindowsOrUEFI = TT.isOSWindows() || TT.isUEFI();
5025   bool IsMSVAStart = BuiltinID == Builtin::BI__builtin_ms_va_start;
5026   if (IsX64 || IsAArch64) {
5027     CallingConv CC = CC_C;
5028     if (const FunctionDecl *FD = S.getCurFunctionDecl())
5029       CC = FD->getType()->castAs<FunctionType>()->getCallConv();
5030     if (IsMSVAStart) {
5031       // Don't allow this in System V ABI functions.
5032       if (CC == CC_X86_64SysV || (!IsWindowsOrUEFI && CC != CC_Win64))
5033         return S.Diag(Fn->getBeginLoc(),
5034                       diag::err_ms_va_start_used_in_sysv_function);
5035     } else {
5036       // On x86-64/AArch64 Unix, don't allow this in Win64 ABI functions.
5037       // On x64 Windows, don't allow this in System V ABI functions.
5038       // (Yes, that means there's no corresponding way to support variadic
5039       // System V ABI functions on Windows.)
5040       if ((IsWindowsOrUEFI && CC == CC_X86_64SysV) ||
5041           (!IsWindowsOrUEFI && CC == CC_Win64))
5042         return S.Diag(Fn->getBeginLoc(),
5043                       diag::err_va_start_used_in_wrong_abi_function)
5044                << !IsWindowsOrUEFI;
5045     }
5046     return false;
5047   }
5048 
5049   if (IsMSVAStart)
5050     return S.Diag(Fn->getBeginLoc(), diag::err_builtin_x64_aarch64_only);
5051   return false;
5052 }
5053 
5054 static bool checkVAStartIsInVariadicFunction(Sema &S, Expr *Fn,
5055                                              ParmVarDecl **LastParam = nullptr) {
5056   // Determine whether the current function, block, or obj-c method is variadic
5057   // and get its parameter list.
5058   bool IsVariadic = false;
5059   ArrayRef<ParmVarDecl *> Params;
5060   DeclContext *Caller = S.CurContext;
5061   if (auto *Block = dyn_cast<BlockDecl>(Caller)) {
5062     IsVariadic = Block->isVariadic();
5063     Params = Block->parameters();
5064   } else if (auto *FD = dyn_cast<FunctionDecl>(Caller)) {
5065     IsVariadic = FD->isVariadic();
5066     Params = FD->parameters();
5067   } else if (auto *MD = dyn_cast<ObjCMethodDecl>(Caller)) {
5068     IsVariadic = MD->isVariadic();
5069     // FIXME: This isn't correct for methods (results in bogus warning).
5070     Params = MD->parameters();
5071   } else if (isa<CapturedDecl>(Caller)) {
5072     // We don't support va_start in a CapturedDecl.
5073     S.Diag(Fn->getBeginLoc(), diag::err_va_start_captured_stmt);
5074     return true;
5075   } else {
5076     // This must be some other declcontext that parses exprs.
5077     S.Diag(Fn->getBeginLoc(), diag::err_va_start_outside_function);
5078     return true;
5079   }
5080 
5081   if (!IsVariadic) {
5082     S.Diag(Fn->getBeginLoc(), diag::err_va_start_fixed_function);
5083     return true;
5084   }
5085 
5086   if (LastParam)
5087     *LastParam = Params.empty() ? nullptr : Params.back();
5088 
5089   return false;
5090 }
5091 
5092 bool Sema::BuiltinVAStart(unsigned BuiltinID, CallExpr *TheCall) {
5093   Expr *Fn = TheCall->getCallee();
5094   if (checkVAStartABI(*this, BuiltinID, Fn))
5095     return true;
5096 
5097   if (BuiltinID == Builtin::BI__builtin_c23_va_start) {
5098     // This builtin requires one argument (the va_list), allows two arguments,
5099     // but diagnoses more than two arguments. e.g.,
5100     //   __builtin_c23_va_start(); // error
5101     //   __builtin_c23_va_start(list); // ok
5102     //   __builtin_c23_va_start(list, param); // ok
5103     //   __builtin_c23_va_start(list, anything, anything); // error
5104     // This differs from the GCC behavior in that they accept the last case
5105     // with a warning, but it doesn't seem like a useful behavior to allow.
5106     if (checkArgCountRange(TheCall, 1, 2))
5107       return true;
5108   } else {
5109     // In C23 mode, va_start only needs one argument. However, the builtin still
5110     // requires two arguments (which matches the behavior of the GCC builtin),
5111     // <stdarg.h> passes `0` as the second argument in C23 mode.
5112     if (checkArgCount(TheCall, 2))
5113       return true;
5114   }
5115 
5116   // Type-check the first argument normally.
5117   if (checkBuiltinArgument(*this, TheCall, 0))
5118     return true;
5119 
5120   // Check that the current function is variadic, and get its last parameter.
5121   ParmVarDecl *LastParam;
5122   if (checkVAStartIsInVariadicFunction(*this, Fn, &LastParam))
5123     return true;
5124 
5125   // Verify that the second argument to the builtin is the last non-variadic
5126   // argument of the current function or method. In C23 mode, if the call is
5127   // not to __builtin_c23_va_start, and the second argument is an integer
5128   // constant expression with value 0, then we don't bother with this check.
5129   // For __builtin_c23_va_start, we only perform the check for the second
5130   // argument being the last argument to the current function if there is a
5131   // second argument present.
5132   if (BuiltinID == Builtin::BI__builtin_c23_va_start &&
5133       TheCall->getNumArgs() < 2) {
5134     Diag(TheCall->getExprLoc(), diag::warn_c17_compat_va_start_one_arg);
5135     return false;
5136   }
5137 
5138   const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts();
5139   if (std::optional<llvm::APSInt> Val =
5140           TheCall->getArg(1)->getIntegerConstantExpr(Context);
5141       Val && LangOpts.C23 && *Val == 0 &&
5142       BuiltinID != Builtin::BI__builtin_c23_va_start) {
5143     Diag(TheCall->getExprLoc(), diag::warn_c17_compat_va_start_one_arg);
5144     return false;
5145   }
5146 
5147   // These are valid if SecondArgIsLastNonVariadicArgument is false after the
5148   // next block.
5149   QualType Type;
5150   SourceLocation ParamLoc;
5151   bool IsCRegister = false;
5152   bool SecondArgIsLastNonVariadicArgument = false;
5153   if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) {
5154     if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) {
5155       SecondArgIsLastNonVariadicArgument = PV == LastParam;
5156 
5157       Type = PV->getType();
5158       ParamLoc = PV->getLocation();
5159       IsCRegister =
5160           PV->getStorageClass() == SC_Register && !getLangOpts().CPlusPlus;
5161     }
5162   }
5163 
5164   if (!SecondArgIsLastNonVariadicArgument)
5165     Diag(TheCall->getArg(1)->getBeginLoc(),
5166          diag::warn_second_arg_of_va_start_not_last_non_variadic_param);
5167   else if (IsCRegister || Type->isReferenceType() ||
5168            Type->isSpecificBuiltinType(BuiltinType::Float) || [=] {
5169              // Promotable integers are UB, but enumerations need a bit of
5170              // extra checking to see what their promotable type actually is.
5171              if (!Context.isPromotableIntegerType(Type))
5172                return false;
5173              if (!Type->isEnumeralType())
5174                return true;
5175              const EnumDecl *ED = Type->castAs<EnumType>()->getDecl();
5176              return !(ED &&
5177                       Context.typesAreCompatible(ED->getPromotionType(), Type));
5178            }()) {
5179     unsigned Reason = 0;
5180     if (Type->isReferenceType())  Reason = 1;
5181     else if (IsCRegister)         Reason = 2;
5182     Diag(Arg->getBeginLoc(), diag::warn_va_start_type_is_undefined) << Reason;
5183     Diag(ParamLoc, diag::note_parameter_type) << Type;
5184   }
5185 
5186   return false;
5187 }
5188 
5189 bool Sema::BuiltinVAStartARMMicrosoft(CallExpr *Call) {
5190   auto IsSuitablyTypedFormatArgument = [this](const Expr *Arg) -> bool {
5191     const LangOptions &LO = getLangOpts();
5192 
5193     if (LO.CPlusPlus)
5194       return Arg->getType()
5195                  .getCanonicalType()
5196                  .getTypePtr()
5197                  ->getPointeeType()
5198                  .withoutLocalFastQualifiers() == Context.CharTy;
5199 
5200     // In C, allow aliasing through `char *`, this is required for AArch64 at
5201     // least.
5202     return true;
5203   };
5204 
5205   // void __va_start(va_list *ap, const char *named_addr, size_t slot_size,
5206   //                 const char *named_addr);
5207 
5208   Expr *Func = Call->getCallee();
5209 
5210   if (Call->getNumArgs() < 3)
5211     return Diag(Call->getEndLoc(),
5212                 diag::err_typecheck_call_too_few_args_at_least)
5213            << 0 /*function call*/ << 3 << Call->getNumArgs()
5214            << /*is non object*/ 0;
5215 
5216   // Type-check the first argument normally.
5217   if (checkBuiltinArgument(*this, Call, 0))
5218     return true;
5219 
5220   // Check that the current function is variadic.
5221   if (checkVAStartIsInVariadicFunction(*this, Func))
5222     return true;
5223 
5224   // __va_start on Windows does not validate the parameter qualifiers
5225 
5226   const Expr *Arg1 = Call->getArg(1)->IgnoreParens();
5227   const Type *Arg1Ty = Arg1->getType().getCanonicalType().getTypePtr();
5228 
5229   const Expr *Arg2 = Call->getArg(2)->IgnoreParens();
5230   const Type *Arg2Ty = Arg2->getType().getCanonicalType().getTypePtr();
5231 
5232   const QualType &ConstCharPtrTy =
5233       Context.getPointerType(Context.CharTy.withConst());
5234   if (!Arg1Ty->isPointerType() || !IsSuitablyTypedFormatArgument(Arg1))
5235     Diag(Arg1->getBeginLoc(), diag::err_typecheck_convert_incompatible)
5236         << Arg1->getType() << ConstCharPtrTy << 1 /* different class */
5237         << 0                                      /* qualifier difference */
5238         << 3                                      /* parameter mismatch */
5239         << 2 << Arg1->getType() << ConstCharPtrTy;
5240 
5241   const QualType SizeTy = Context.getSizeType();
5242   if (Arg2Ty->getCanonicalTypeInternal().withoutLocalFastQualifiers() != SizeTy)
5243     Diag(Arg2->getBeginLoc(), diag::err_typecheck_convert_incompatible)
5244         << Arg2->getType() << SizeTy << 1 /* different class */
5245         << 0                              /* qualifier difference */
5246         << 3                              /* parameter mismatch */
5247         << 3 << Arg2->getType() << SizeTy;
5248 
5249   return false;
5250 }
5251 
5252 bool Sema::BuiltinUnorderedCompare(CallExpr *TheCall, unsigned BuiltinID) {
5253   if (checkArgCount(TheCall, 2))
5254     return true;
5255 
5256   if (BuiltinID == Builtin::BI__builtin_isunordered &&
5257       TheCall->getFPFeaturesInEffect(getLangOpts()).getNoHonorNaNs())
5258     Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
5259         << 1 << 0 << TheCall->getSourceRange();
5260 
5261   ExprResult OrigArg0 = TheCall->getArg(0);
5262   ExprResult OrigArg1 = TheCall->getArg(1);
5263 
5264   // Do standard promotions between the two arguments, returning their common
5265   // type.
5266   QualType Res = UsualArithmeticConversions(
5267       OrigArg0, OrigArg1, TheCall->getExprLoc(), ArithConvKind::Comparison);
5268   if (OrigArg0.isInvalid() || OrigArg1.isInvalid())
5269     return true;
5270 
5271   // Make sure any conversions are pushed back into the call; this is
5272   // type safe since unordered compare builtins are declared as "_Bool
5273   // foo(...)".
5274   TheCall->setArg(0, OrigArg0.get());
5275   TheCall->setArg(1, OrigArg1.get());
5276 
5277   if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent())
5278     return false;
5279 
5280   // If the common type isn't a real floating type, then the arguments were
5281   // invalid for this operation.
5282   if (Res.isNull() || !Res->isRealFloatingType())
5283     return Diag(OrigArg0.get()->getBeginLoc(),
5284                 diag::err_typecheck_call_invalid_ordered_compare)
5285            << OrigArg0.get()->getType() << OrigArg1.get()->getType()
5286            << SourceRange(OrigArg0.get()->getBeginLoc(),
5287                           OrigArg1.get()->getEndLoc());
5288 
5289   return false;
5290 }
5291 
5292 bool Sema::BuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs,
5293                                    unsigned BuiltinID) {
5294   if (checkArgCount(TheCall, NumArgs))
5295     return true;
5296 
5297   FPOptions FPO = TheCall->getFPFeaturesInEffect(getLangOpts());
5298   if (FPO.getNoHonorInfs() && (BuiltinID == Builtin::BI__builtin_isfinite ||
5299                                BuiltinID == Builtin::BI__builtin_isinf ||
5300                                BuiltinID == Builtin::BI__builtin_isinf_sign))
5301     Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
5302         << 0 << 0 << TheCall->getSourceRange();
5303 
5304   if (FPO.getNoHonorNaNs() && (BuiltinID == Builtin::BI__builtin_isnan ||
5305                                BuiltinID == Builtin::BI__builtin_isunordered))
5306     Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
5307         << 1 << 0 << TheCall->getSourceRange();
5308 
5309   bool IsFPClass = NumArgs == 2;
5310 
5311   // Find out position of floating-point argument.
5312   unsigned FPArgNo = IsFPClass ? 0 : NumArgs - 1;
5313 
5314   // We can count on all parameters preceding the floating-point just being int.
5315   // Try all of those.
5316   for (unsigned i = 0; i < FPArgNo; ++i) {
5317     Expr *Arg = TheCall->getArg(i);
5318 
5319     if (Arg->isTypeDependent())
5320       return false;
5321 
5322     ExprResult Res = PerformImplicitConversion(Arg, Context.IntTy,
5323                                                AssignmentAction::Passing);
5324 
5325     if (Res.isInvalid())
5326       return true;
5327     TheCall->setArg(i, Res.get());
5328   }
5329 
5330   Expr *OrigArg = TheCall->getArg(FPArgNo);
5331 
5332   if (OrigArg->isTypeDependent())
5333     return false;
5334 
5335   // Usual Unary Conversions will convert half to float, which we want for
5336   // machines that use fp16 conversion intrinsics. Else, we wnat to leave the
5337   // type how it is, but do normal L->Rvalue conversions.
5338   if (Context.getTargetInfo().useFP16ConversionIntrinsics()) {
5339     ExprResult Res = UsualUnaryConversions(OrigArg);
5340 
5341     if (!Res.isUsable())
5342       return true;
5343     OrigArg = Res.get();
5344   } else {
5345     ExprResult Res = DefaultFunctionArrayLvalueConversion(OrigArg);
5346 
5347     if (!Res.isUsable())
5348       return true;
5349     OrigArg = Res.get();
5350   }
5351   TheCall->setArg(FPArgNo, OrigArg);
5352 
5353   QualType VectorResultTy;
5354   QualType ElementTy = OrigArg->getType();
5355   // TODO: When all classification function are implemented with is_fpclass,
5356   // vector argument can be supported in all of them.
5357   if (ElementTy->isVectorType() && IsFPClass) {
5358     VectorResultTy = GetSignedVectorType(ElementTy);
5359     ElementTy = ElementTy->castAs<VectorType>()->getElementType();
5360   }
5361 
5362   // This operation requires a non-_Complex floating-point number.
5363   if (!ElementTy->isRealFloatingType())
5364     return Diag(OrigArg->getBeginLoc(),
5365                 diag::err_typecheck_call_invalid_unary_fp)
5366            << OrigArg->getType() << OrigArg->getSourceRange();
5367 
5368   // __builtin_isfpclass has integer parameter that specify test mask. It is
5369   // passed in (...), so it should be analyzed completely here.
5370   if (IsFPClass)
5371     if (BuiltinConstantArgRange(TheCall, 1, 0, llvm::fcAllFlags))
5372       return true;
5373 
5374   // TODO: enable this code to all classification functions.
5375   if (IsFPClass) {
5376     QualType ResultTy;
5377     if (!VectorResultTy.isNull())
5378       ResultTy = VectorResultTy;
5379     else
5380       ResultTy = Context.IntTy;
5381     TheCall->setType(ResultTy);
5382   }
5383 
5384   return false;
5385 }
5386 
5387 bool Sema::BuiltinComplex(CallExpr *TheCall) {
5388   if (checkArgCount(TheCall, 2))
5389     return true;
5390 
5391   bool Dependent = false;
5392   for (unsigned I = 0; I != 2; ++I) {
5393     Expr *Arg = TheCall->getArg(I);
5394     QualType T = Arg->getType();
5395     if (T->isDependentType()) {
5396       Dependent = true;
5397       continue;
5398     }
5399 
5400     // Despite supporting _Complex int, GCC requires a real floating point type
5401     // for the operands of __builtin_complex.
5402     if (!T->isRealFloatingType()) {
5403       return Diag(Arg->getBeginLoc(), diag::err_typecheck_call_requires_real_fp)
5404              << Arg->getType() << Arg->getSourceRange();
5405     }
5406 
5407     ExprResult Converted = DefaultLvalueConversion(Arg);
5408     if (Converted.isInvalid())
5409       return true;
5410     TheCall->setArg(I, Converted.get());
5411   }
5412 
5413   if (Dependent) {
5414     TheCall->setType(Context.DependentTy);
5415     return false;
5416   }
5417 
5418   Expr *Real = TheCall->getArg(0);
5419   Expr *Imag = TheCall->getArg(1);
5420   if (!Context.hasSameType(Real->getType(), Imag->getType())) {
5421     return Diag(Real->getBeginLoc(),
5422                 diag::err_typecheck_call_different_arg_types)
5423            << Real->getType() << Imag->getType()
5424            << Real->getSourceRange() << Imag->getSourceRange();
5425   }
5426 
5427   // We don't allow _Complex _Float16 nor _Complex __fp16 as type specifiers;
5428   // don't allow this builtin to form those types either.
5429   // FIXME: Should we allow these types?
5430   if (Real->getType()->isFloat16Type())
5431     return Diag(TheCall->getBeginLoc(), diag::err_invalid_complex_spec)
5432            << "_Float16";
5433   if (Real->getType()->isHalfType())
5434     return Diag(TheCall->getBeginLoc(), diag::err_invalid_complex_spec)
5435            << "half";
5436 
5437   TheCall->setType(Context.getComplexType(Real->getType()));
5438   return false;
5439 }
5440 
5441 /// BuiltinShuffleVector - Handle __builtin_shufflevector.
5442 // This is declared to take (...), so we have to check everything.
5443 ExprResult Sema::BuiltinShuffleVector(CallExpr *TheCall) {
5444   if (TheCall->getNumArgs() < 2)
5445     return ExprError(Diag(TheCall->getEndLoc(),
5446                           diag::err_typecheck_call_too_few_args_at_least)
5447                      << 0 /*function call*/ << 2 << TheCall->getNumArgs()
5448                      << /*is non object*/ 0 << TheCall->getSourceRange());
5449 
5450   // Determine which of the following types of shufflevector we're checking:
5451   // 1) unary, vector mask: (lhs, mask)
5452   // 2) binary, scalar mask: (lhs, rhs, index, ..., index)
5453   QualType resType = TheCall->getArg(0)->getType();
5454   unsigned numElements = 0;
5455 
5456   if (!TheCall->getArg(0)->isTypeDependent() &&
5457       !TheCall->getArg(1)->isTypeDependent()) {
5458     QualType LHSType = TheCall->getArg(0)->getType();
5459     QualType RHSType = TheCall->getArg(1)->getType();
5460 
5461     if (!LHSType->isVectorType() || !RHSType->isVectorType())
5462       return ExprError(
5463           Diag(TheCall->getBeginLoc(), diag::err_vec_builtin_non_vector)
5464           << TheCall->getDirectCallee() << /*isMorethantwoArgs*/ false
5465           << SourceRange(TheCall->getArg(0)->getBeginLoc(),
5466                          TheCall->getArg(1)->getEndLoc()));
5467 
5468     numElements = LHSType->castAs<VectorType>()->getNumElements();
5469     unsigned numResElements = TheCall->getNumArgs() - 2;
5470 
5471     // Check to see if we have a call with 2 vector arguments, the unary shuffle
5472     // with mask.  If so, verify that RHS is an integer vector type with the
5473     // same number of elts as lhs.
5474     if (TheCall->getNumArgs() == 2) {
5475       if (!RHSType->hasIntegerRepresentation() ||
5476           RHSType->castAs<VectorType>()->getNumElements() != numElements)
5477         return ExprError(Diag(TheCall->getBeginLoc(),
5478                               diag::err_vec_builtin_incompatible_vector)
5479                          << TheCall->getDirectCallee()
5480                          << /*isMorethantwoArgs*/ false
5481                          << SourceRange(TheCall->getArg(1)->getBeginLoc(),
5482                                         TheCall->getArg(1)->getEndLoc()));
5483     } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) {
5484       return ExprError(Diag(TheCall->getBeginLoc(),
5485                             diag::err_vec_builtin_incompatible_vector)
5486                        << TheCall->getDirectCallee()
5487                        << /*isMorethantwoArgs*/ false
5488                        << SourceRange(TheCall->getArg(0)->getBeginLoc(),
5489                                       TheCall->getArg(1)->getEndLoc()));
5490     } else if (numElements != numResElements) {
5491       QualType eltType = LHSType->castAs<VectorType>()->getElementType();
5492       resType =
5493           Context.getVectorType(eltType, numResElements, VectorKind::Generic);
5494     }
5495   }
5496 
5497   for (unsigned i = 2; i < TheCall->getNumArgs(); i++) {
5498     Expr *Arg = TheCall->getArg(i);
5499     if (Arg->isTypeDependent() || Arg->isValueDependent())
5500       continue;
5501 
5502     std::optional<llvm::APSInt> Result;
5503     if (!(Result = Arg->getIntegerConstantExpr(Context)))
5504       return ExprError(Diag(TheCall->getBeginLoc(),
5505                             diag::err_shufflevector_nonconstant_argument)
5506                        << Arg->getSourceRange());
5507 
5508     // Allow -1 which will be translated to undef in the IR.
5509     if (Result->isSigned() && Result->isAllOnes())
5510       ;
5511     else if (Result->getActiveBits() > 64 ||
5512              Result->getZExtValue() >= numElements * 2)
5513       return ExprError(Diag(TheCall->getBeginLoc(),
5514                             diag::err_shufflevector_argument_too_large)
5515                        << Arg->getSourceRange());
5516 
5517     TheCall->setArg(i, ConstantExpr::Create(Context, Arg, APValue(*Result)));
5518   }
5519 
5520   SmallVector<Expr *> exprs;
5521   for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) {
5522     exprs.push_back(TheCall->getArg(i));
5523     TheCall->setArg(i, nullptr);
5524   }
5525 
5526   return new (Context) ShuffleVectorExpr(Context, exprs, resType,
5527                                          TheCall->getCallee()->getBeginLoc(),
5528                                          TheCall->getRParenLoc());
5529 }
5530 
5531 ExprResult Sema::ConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo,
5532                                    SourceLocation BuiltinLoc,
5533                                    SourceLocation RParenLoc) {
5534   ExprValueKind VK = VK_PRValue;
5535   ExprObjectKind OK = OK_Ordinary;
5536   QualType DstTy = TInfo->getType();
5537   QualType SrcTy = E->getType();
5538 
5539   if (!SrcTy->isVectorType() && !SrcTy->isDependentType())
5540     return ExprError(Diag(BuiltinLoc,
5541                           diag::err_convertvector_non_vector)
5542                      << E->getSourceRange());
5543   if (!DstTy->isVectorType() && !DstTy->isDependentType())
5544     return ExprError(Diag(BuiltinLoc, diag::err_builtin_non_vector_type)
5545                      << "second"
5546                      << "__builtin_convertvector");
5547 
5548   if (!SrcTy->isDependentType() && !DstTy->isDependentType()) {
5549     unsigned SrcElts = SrcTy->castAs<VectorType>()->getNumElements();
5550     unsigned DstElts = DstTy->castAs<VectorType>()->getNumElements();
5551     if (SrcElts != DstElts)
5552       return ExprError(Diag(BuiltinLoc,
5553                             diag::err_convertvector_incompatible_vector)
5554                        << E->getSourceRange());
5555   }
5556 
5557   return ConvertVectorExpr::Create(Context, E, TInfo, DstTy, VK, OK, BuiltinLoc,
5558                                    RParenLoc, CurFPFeatureOverrides());
5559 }
5560 
5561 bool Sema::BuiltinPrefetch(CallExpr *TheCall) {
5562   unsigned NumArgs = TheCall->getNumArgs();
5563 
5564   if (NumArgs > 3)
5565     return Diag(TheCall->getEndLoc(),
5566                 diag::err_typecheck_call_too_many_args_at_most)
5567            << 0 /*function call*/ << 3 << NumArgs << /*is non object*/ 0
5568            << TheCall->getSourceRange();
5569 
5570   // Argument 0 is checked for us and the remaining arguments must be
5571   // constant integers.
5572   for (unsigned i = 1; i != NumArgs; ++i)
5573     if (BuiltinConstantArgRange(TheCall, i, 0, i == 1 ? 1 : 3))
5574       return true;
5575 
5576   return false;
5577 }
5578 
5579 bool Sema::BuiltinArithmeticFence(CallExpr *TheCall) {
5580   if (!Context.getTargetInfo().checkArithmeticFenceSupported())
5581     return Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
5582            << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5583   if (checkArgCount(TheCall, 1))
5584     return true;
5585   Expr *Arg = TheCall->getArg(0);
5586   if (Arg->isInstantiationDependent())
5587     return false;
5588 
5589   QualType ArgTy = Arg->getType();
5590   if (!ArgTy->hasFloatingRepresentation())
5591     return Diag(TheCall->getEndLoc(), diag::err_typecheck_expect_flt_or_vector)
5592            << ArgTy;
5593   if (Arg->isLValue()) {
5594     ExprResult FirstArg = DefaultLvalueConversion(Arg);
5595     TheCall->setArg(0, FirstArg.get());
5596   }
5597   TheCall->setType(TheCall->getArg(0)->getType());
5598   return false;
5599 }
5600 
5601 bool Sema::BuiltinAssume(CallExpr *TheCall) {
5602   Expr *Arg = TheCall->getArg(0);
5603   if (Arg->isInstantiationDependent()) return false;
5604 
5605   if (Arg->HasSideEffects(Context))
5606     Diag(Arg->getBeginLoc(), diag::warn_assume_side_effects)
5607         << Arg->getSourceRange()
5608         << cast<FunctionDecl>(TheCall->getCalleeDecl())->getIdentifier();
5609 
5610   return false;
5611 }
5612 
5613 bool Sema::BuiltinAllocaWithAlign(CallExpr *TheCall) {
5614   // The alignment must be a constant integer.
5615   Expr *Arg = TheCall->getArg(1);
5616 
5617   // We can't check the value of a dependent argument.
5618   if (!Arg->isTypeDependent() && !Arg->isValueDependent()) {
5619     if (const auto *UE =
5620             dyn_cast<UnaryExprOrTypeTraitExpr>(Arg->IgnoreParenImpCasts()))
5621       if (UE->getKind() == UETT_AlignOf ||
5622           UE->getKind() == UETT_PreferredAlignOf)
5623         Diag(TheCall->getBeginLoc(), diag::warn_alloca_align_alignof)
5624             << Arg->getSourceRange();
5625 
5626     llvm::APSInt Result = Arg->EvaluateKnownConstInt(Context);
5627 
5628     if (!Result.isPowerOf2())
5629       return Diag(TheCall->getBeginLoc(), diag::err_alignment_not_power_of_two)
5630              << Arg->getSourceRange();
5631 
5632     if (Result < Context.getCharWidth())
5633       return Diag(TheCall->getBeginLoc(), diag::err_alignment_too_small)
5634              << (unsigned)Context.getCharWidth() << Arg->getSourceRange();
5635 
5636     if (Result > std::numeric_limits<int32_t>::max())
5637       return Diag(TheCall->getBeginLoc(), diag::err_alignment_too_big)
5638              << std::numeric_limits<int32_t>::max() << Arg->getSourceRange();
5639   }
5640 
5641   return false;
5642 }
5643 
5644 bool Sema::BuiltinAssumeAligned(CallExpr *TheCall) {
5645   if (checkArgCountRange(TheCall, 2, 3))
5646     return true;
5647 
5648   unsigned NumArgs = TheCall->getNumArgs();
5649   Expr *FirstArg = TheCall->getArg(0);
5650 
5651   {
5652     ExprResult FirstArgResult =
5653         DefaultFunctionArrayLvalueConversion(FirstArg);
5654     if (!FirstArgResult.get()->getType()->isPointerType()) {
5655       Diag(TheCall->getBeginLoc(), diag::err_builtin_assume_aligned_invalid_arg)
5656           << TheCall->getSourceRange();
5657       return true;
5658     }
5659     TheCall->setArg(0, FirstArgResult.get());
5660   }
5661 
5662   // The alignment must be a constant integer.
5663   Expr *SecondArg = TheCall->getArg(1);
5664 
5665   // We can't check the value of a dependent argument.
5666   if (!SecondArg->isValueDependent()) {
5667     llvm::APSInt Result;
5668     if (BuiltinConstantArg(TheCall, 1, Result))
5669       return true;
5670 
5671     if (!Result.isPowerOf2())
5672       return Diag(TheCall->getBeginLoc(), diag::err_alignment_not_power_of_two)
5673              << SecondArg->getSourceRange();
5674 
5675     if (Result > Sema::MaximumAlignment)
5676       Diag(TheCall->getBeginLoc(), diag::warn_assume_aligned_too_great)
5677           << SecondArg->getSourceRange() << Sema::MaximumAlignment;
5678   }
5679 
5680   if (NumArgs > 2) {
5681     Expr *ThirdArg = TheCall->getArg(2);
5682     if (convertArgumentToType(*this, ThirdArg, Context.getSizeType()))
5683       return true;
5684     TheCall->setArg(2, ThirdArg);
5685   }
5686 
5687   return false;
5688 }
5689 
5690 bool Sema::BuiltinOSLogFormat(CallExpr *TheCall) {
5691   unsigned BuiltinID =
5692       cast<FunctionDecl>(TheCall->getCalleeDecl())->getBuiltinID();
5693   bool IsSizeCall = BuiltinID == Builtin::BI__builtin_os_log_format_buffer_size;
5694 
5695   unsigned NumArgs = TheCall->getNumArgs();
5696   unsigned NumRequiredArgs = IsSizeCall ? 1 : 2;
5697   if (NumArgs < NumRequiredArgs) {
5698     return Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args)
5699            << 0 /* function call */ << NumRequiredArgs << NumArgs
5700            << /*is non object*/ 0 << TheCall->getSourceRange();
5701   }
5702   if (NumArgs >= NumRequiredArgs + 0x100) {
5703     return Diag(TheCall->getEndLoc(),
5704                 diag::err_typecheck_call_too_many_args_at_most)
5705            << 0 /* function call */ << (NumRequiredArgs + 0xff) << NumArgs
5706            << /*is non object*/ 0 << TheCall->getSourceRange();
5707   }
5708   unsigned i = 0;
5709 
5710   // For formatting call, check buffer arg.
5711   if (!IsSizeCall) {
5712     ExprResult Arg(TheCall->getArg(i));
5713     InitializedEntity Entity = InitializedEntity::InitializeParameter(
5714         Context, Context.VoidPtrTy, false);
5715     Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
5716     if (Arg.isInvalid())
5717       return true;
5718     TheCall->setArg(i, Arg.get());
5719     i++;
5720   }
5721 
5722   // Check string literal arg.
5723   unsigned FormatIdx = i;
5724   {
5725     ExprResult Arg = CheckOSLogFormatStringArg(TheCall->getArg(i));
5726     if (Arg.isInvalid())
5727       return true;
5728     TheCall->setArg(i, Arg.get());
5729     i++;
5730   }
5731 
5732   // Make sure variadic args are scalar.
5733   unsigned FirstDataArg = i;
5734   while (i < NumArgs) {
5735     ExprResult Arg = DefaultVariadicArgumentPromotion(
5736         TheCall->getArg(i), VariadicCallType::Function, nullptr);
5737     if (Arg.isInvalid())
5738       return true;
5739     CharUnits ArgSize = Context.getTypeSizeInChars(Arg.get()->getType());
5740     if (ArgSize.getQuantity() >= 0x100) {
5741       return Diag(Arg.get()->getEndLoc(), diag::err_os_log_argument_too_big)
5742              << i << (int)ArgSize.getQuantity() << 0xff
5743              << TheCall->getSourceRange();
5744     }
5745     TheCall->setArg(i, Arg.get());
5746     i++;
5747   }
5748 
5749   // Check formatting specifiers. NOTE: We're only doing this for the non-size
5750   // call to avoid duplicate diagnostics.
5751   if (!IsSizeCall) {
5752     llvm::SmallBitVector CheckedVarArgs(NumArgs, false);
5753     ArrayRef<const Expr *> Args(TheCall->getArgs(), TheCall->getNumArgs());
5754     bool Success = CheckFormatArguments(
5755         Args, FAPK_Variadic, nullptr, FormatIdx, FirstDataArg,
5756         FormatStringType::OSLog, VariadicCallType::Function,
5757         TheCall->getBeginLoc(), SourceRange(), CheckedVarArgs);
5758     if (!Success)
5759       return true;
5760   }
5761 
5762   if (IsSizeCall) {
5763     TheCall->setType(Context.getSizeType());
5764   } else {
5765     TheCall->setType(Context.VoidPtrTy);
5766   }
5767   return false;
5768 }
5769 
5770 bool Sema::BuiltinConstantArg(CallExpr *TheCall, int ArgNum,
5771                               llvm::APSInt &Result) {
5772   Expr *Arg = TheCall->getArg(ArgNum);
5773   DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
5774   FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
5775 
5776   if (Arg->isTypeDependent() || Arg->isValueDependent()) return false;
5777 
5778   std::optional<llvm::APSInt> R;
5779   if (!(R = Arg->getIntegerConstantExpr(Context)))
5780     return Diag(TheCall->getBeginLoc(), diag::err_constant_integer_arg_type)
5781            << FDecl->getDeclName() << Arg->getSourceRange();
5782   Result = *R;
5783   return false;
5784 }
5785 
5786 bool Sema::BuiltinConstantArgRange(CallExpr *TheCall, int ArgNum, int Low,
5787                                    int High, bool RangeIsError) {
5788   if (isConstantEvaluatedContext())
5789     return false;
5790   llvm::APSInt Result;
5791 
5792   // We can't check the value of a dependent argument.
5793   Expr *Arg = TheCall->getArg(ArgNum);
5794   if (Arg->isTypeDependent() || Arg->isValueDependent())
5795     return false;
5796 
5797   // Check constant-ness first.
5798   if (BuiltinConstantArg(TheCall, ArgNum, Result))
5799     return true;
5800 
5801   if (Result.getSExtValue() < Low || Result.getSExtValue() > High) {
5802     if (RangeIsError)
5803       return Diag(TheCall->getBeginLoc(), diag::err_argument_invalid_range)
5804              << toString(Result, 10) << Low << High << Arg->getSourceRange();
5805     else
5806       // Defer the warning until we know if the code will be emitted so that
5807       // dead code can ignore this.
5808       DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
5809                           PDiag(diag::warn_argument_invalid_range)
5810                               << toString(Result, 10) << Low << High
5811                               << Arg->getSourceRange());
5812   }
5813 
5814   return false;
5815 }
5816 
5817 bool Sema::BuiltinConstantArgMultiple(CallExpr *TheCall, int ArgNum,
5818                                       unsigned Num) {
5819   llvm::APSInt Result;
5820 
5821   // We can't check the value of a dependent argument.
5822   Expr *Arg = TheCall->getArg(ArgNum);
5823   if (Arg->isTypeDependent() || Arg->isValueDependent())
5824     return false;
5825 
5826   // Check constant-ness first.
5827   if (BuiltinConstantArg(TheCall, ArgNum, Result))
5828     return true;
5829 
5830   if (Result.getSExtValue() % Num != 0)
5831     return Diag(TheCall->getBeginLoc(), diag::err_argument_not_multiple)
5832            << Num << Arg->getSourceRange();
5833 
5834   return false;
5835 }
5836 
5837 bool Sema::BuiltinConstantArgPower2(CallExpr *TheCall, int ArgNum) {
5838   llvm::APSInt Result;
5839 
5840   // We can't check the value of a dependent argument.
5841   Expr *Arg = TheCall->getArg(ArgNum);
5842   if (Arg->isTypeDependent() || Arg->isValueDependent())
5843     return false;
5844 
5845   // Check constant-ness first.
5846   if (BuiltinConstantArg(TheCall, ArgNum, Result))
5847     return true;
5848 
5849   // Bit-twiddling to test for a power of 2: for x > 0, x & (x-1) is zero if
5850   // and only if x is a power of 2.
5851   if (Result.isStrictlyPositive() && (Result & (Result - 1)) == 0)
5852     return false;
5853 
5854   return Diag(TheCall->getBeginLoc(), diag::err_argument_not_power_of_2)
5855          << Arg->getSourceRange();
5856 }
5857 
5858 static bool IsShiftedByte(llvm::APSInt Value) {
5859   if (Value.isNegative())
5860     return false;
5861 
5862   // Check if it's a shifted byte, by shifting it down
5863   while (true) {
5864     // If the value fits in the bottom byte, the check passes.
5865     if (Value < 0x100)
5866       return true;
5867 
5868     // Otherwise, if the value has _any_ bits in the bottom byte, the check
5869     // fails.
5870     if ((Value & 0xFF) != 0)
5871       return false;
5872 
5873     // If the bottom 8 bits are all 0, but something above that is nonzero,
5874     // then shifting the value right by 8 bits won't affect whether it's a
5875     // shifted byte or not. So do that, and go round again.
5876     Value >>= 8;
5877   }
5878 }
5879 
5880 bool Sema::BuiltinConstantArgShiftedByte(CallExpr *TheCall, int ArgNum,
5881                                          unsigned ArgBits) {
5882   llvm::APSInt Result;
5883 
5884   // We can't check the value of a dependent argument.
5885   Expr *Arg = TheCall->getArg(ArgNum);
5886   if (Arg->isTypeDependent() || Arg->isValueDependent())
5887     return false;
5888 
5889   // Check constant-ness first.
5890   if (BuiltinConstantArg(TheCall, ArgNum, Result))
5891     return true;
5892 
5893   // Truncate to the given size.
5894   Result = Result.getLoBits(ArgBits);
5895   Result.setIsUnsigned(true);
5896 
5897   if (IsShiftedByte(Result))
5898     return false;
5899 
5900   return Diag(TheCall->getBeginLoc(), diag::err_argument_not_shifted_byte)
5901          << Arg->getSourceRange();
5902 }
5903 
5904 bool Sema::BuiltinConstantArgShiftedByteOrXXFF(CallExpr *TheCall, int ArgNum,
5905                                                unsigned ArgBits) {
5906   llvm::APSInt Result;
5907 
5908   // We can't check the value of a dependent argument.
5909   Expr *Arg = TheCall->getArg(ArgNum);
5910   if (Arg->isTypeDependent() || Arg->isValueDependent())
5911     return false;
5912 
5913   // Check constant-ness first.
5914   if (BuiltinConstantArg(TheCall, ArgNum, Result))
5915     return true;
5916 
5917   // Truncate to the given size.
5918   Result = Result.getLoBits(ArgBits);
5919   Result.setIsUnsigned(true);
5920 
5921   // Check to see if it's in either of the required forms.
5922   if (IsShiftedByte(Result) ||
5923       (Result > 0 && Result < 0x10000 && (Result & 0xFF) == 0xFF))
5924     return false;
5925 
5926   return Diag(TheCall->getBeginLoc(),
5927               diag::err_argument_not_shifted_byte_or_xxff)
5928          << Arg->getSourceRange();
5929 }
5930 
5931 bool Sema::BuiltinLongjmp(CallExpr *TheCall) {
5932   if (!Context.getTargetInfo().hasSjLjLowering())
5933     return Diag(TheCall->getBeginLoc(), diag::err_builtin_longjmp_unsupported)
5934            << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5935 
5936   Expr *Arg = TheCall->getArg(1);
5937   llvm::APSInt Result;
5938 
5939   // TODO: This is less than ideal. Overload this to take a value.
5940   if (BuiltinConstantArg(TheCall, 1, Result))
5941     return true;
5942 
5943   if (Result != 1)
5944     return Diag(TheCall->getBeginLoc(), diag::err_builtin_longjmp_invalid_val)
5945            << SourceRange(Arg->getBeginLoc(), Arg->getEndLoc());
5946 
5947   return false;
5948 }
5949 
5950 bool Sema::BuiltinSetjmp(CallExpr *TheCall) {
5951   if (!Context.getTargetInfo().hasSjLjLowering())
5952     return Diag(TheCall->getBeginLoc(), diag::err_builtin_setjmp_unsupported)
5953            << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5954   return false;
5955 }
5956 
5957 bool Sema::BuiltinCountedByRef(CallExpr *TheCall) {
5958   if (checkArgCount(TheCall, 1))
5959     return true;
5960 
5961   ExprResult ArgRes = UsualUnaryConversions(TheCall->getArg(0));
5962   if (ArgRes.isInvalid())
5963     return true;
5964 
5965   // For simplicity, we support only limited expressions for the argument.
5966   // Specifically a pointer to a flexible array member:'ptr->array'. This
5967   // allows us to reject arguments with complex casting, which really shouldn't
5968   // be a huge problem.
5969   const Expr *Arg = ArgRes.get()->IgnoreParenImpCasts();
5970   if (!isa<PointerType>(Arg->getType()) && !Arg->getType()->isArrayType())
5971     return Diag(Arg->getBeginLoc(),
5972                 diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5973            << Arg->getSourceRange();
5974 
5975   if (Arg->HasSideEffects(Context))
5976     return Diag(Arg->getBeginLoc(),
5977                 diag::err_builtin_counted_by_ref_has_side_effects)
5978            << Arg->getSourceRange();
5979 
5980   if (const auto *ME = dyn_cast<MemberExpr>(Arg)) {
5981     if (!ME->isFlexibleArrayMemberLike(
5982             Context, getLangOpts().getStrictFlexArraysLevel()))
5983       return Diag(Arg->getBeginLoc(),
5984                   diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5985              << Arg->getSourceRange();
5986 
5987     if (auto *CATy =
5988             ME->getMemberDecl()->getType()->getAs<CountAttributedType>();
5989         CATy && CATy->getKind() == CountAttributedType::CountedBy) {
5990       const auto *FAMDecl = cast<FieldDecl>(ME->getMemberDecl());
5991       if (const FieldDecl *CountFD = FAMDecl->findCountedByField()) {
5992         TheCall->setType(Context.getPointerType(CountFD->getType()));
5993         return false;
5994       }
5995     }
5996   } else {
5997     return Diag(Arg->getBeginLoc(),
5998                 diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5999            << Arg->getSourceRange();
6000   }
6001 
6002   TheCall->setType(Context.getPointerType(Context.VoidTy));
6003   return false;
6004 }
6005 
6006 /// The result of __builtin_counted_by_ref cannot be assigned to a variable.
6007 /// It allows leaking and modification of bounds safety information.
6008 bool Sema::CheckInvalidBuiltinCountedByRef(const Expr *E,
6009                                            BuiltinCountedByRefKind K) {
6010   const CallExpr *CE =
6011       E ? dyn_cast<CallExpr>(E->IgnoreParenImpCasts()) : nullptr;
6012   if (!CE || CE->getBuiltinCallee() != Builtin::BI__builtin_counted_by_ref)
6013     return false;
6014 
6015   switch (K) {
6016   case BuiltinCountedByRefKind::Assignment:
6017   case BuiltinCountedByRefKind::Initializer:
6018     Diag(E->getExprLoc(),
6019          diag::err_builtin_counted_by_ref_cannot_leak_reference)
6020         << 0 << E->getSourceRange();
6021     break;
6022   case BuiltinCountedByRefKind::FunctionArg:
6023     Diag(E->getExprLoc(),
6024          diag::err_builtin_counted_by_ref_cannot_leak_reference)
6025         << 1 << E->getSourceRange();
6026     break;
6027   case BuiltinCountedByRefKind::ReturnArg:
6028     Diag(E->getExprLoc(),
6029          diag::err_builtin_counted_by_ref_cannot_leak_reference)
6030         << 2 << E->getSourceRange();
6031     break;
6032   case BuiltinCountedByRefKind::ArraySubscript:
6033     Diag(E->getExprLoc(), diag::err_builtin_counted_by_ref_invalid_use)
6034         << 0 << E->getSourceRange();
6035     break;
6036   case BuiltinCountedByRefKind::BinaryExpr:
6037     Diag(E->getExprLoc(), diag::err_builtin_counted_by_ref_invalid_use)
6038         << 1 << E->getSourceRange();
6039     break;
6040   }
6041 
6042   return true;
6043 }
6044 
6045 namespace {
6046 
6047 class UncoveredArgHandler {
6048   enum { Unknown = -1, AllCovered = -2 };
6049 
6050   signed FirstUncoveredArg = Unknown;
6051   SmallVector<const Expr *, 4> DiagnosticExprs;
6052 
6053 public:
6054   UncoveredArgHandler() = default;
6055 
6056   bool hasUncoveredArg() const {
6057     return (FirstUncoveredArg >= 0);
6058   }
6059 
6060   unsigned getUncoveredArg() const {
6061     assert(hasUncoveredArg() && "no uncovered argument");
6062     return FirstUncoveredArg;
6063   }
6064 
6065   void setAllCovered() {
6066     // A string has been found with all arguments covered, so clear out
6067     // the diagnostics.
6068     DiagnosticExprs.clear();
6069     FirstUncoveredArg = AllCovered;
6070   }
6071 
6072   void Update(signed NewFirstUncoveredArg, const Expr *StrExpr) {
6073     assert(NewFirstUncoveredArg >= 0 && "Outside range");
6074 
6075     // Don't update if a previous string covers all arguments.
6076     if (FirstUncoveredArg == AllCovered)
6077       return;
6078 
6079     // UncoveredArgHandler tracks the highest uncovered argument index
6080     // and with it all the strings that match this index.
6081     if (NewFirstUncoveredArg == FirstUncoveredArg)
6082       DiagnosticExprs.push_back(StrExpr);
6083     else if (NewFirstUncoveredArg > FirstUncoveredArg) {
6084       DiagnosticExprs.clear();
6085       DiagnosticExprs.push_back(StrExpr);
6086       FirstUncoveredArg = NewFirstUncoveredArg;
6087     }
6088   }
6089 
6090   void Diagnose(Sema &S, bool IsFunctionCall, const Expr *ArgExpr);
6091 };
6092 
6093 enum StringLiteralCheckType {
6094   SLCT_NotALiteral,
6095   SLCT_UncheckedLiteral,
6096   SLCT_CheckedLiteral
6097 };
6098 
6099 } // namespace
6100 
6101 static void sumOffsets(llvm::APSInt &Offset, llvm::APSInt Addend,
6102                                      BinaryOperatorKind BinOpKind,
6103                                      bool AddendIsRight) {
6104   unsigned BitWidth = Offset.getBitWidth();
6105   unsigned AddendBitWidth = Addend.getBitWidth();
6106   // There might be negative interim results.
6107   if (Addend.isUnsigned()) {
6108     Addend = Addend.zext(++AddendBitWidth);
6109     Addend.setIsSigned(true);
6110   }
6111   // Adjust the bit width of the APSInts.
6112   if (AddendBitWidth > BitWidth) {
6113     Offset = Offset.sext(AddendBitWidth);
6114     BitWidth = AddendBitWidth;
6115   } else if (BitWidth > AddendBitWidth) {
6116     Addend = Addend.sext(BitWidth);
6117   }
6118 
6119   bool Ov = false;
6120   llvm::APSInt ResOffset = Offset;
6121   if (BinOpKind == BO_Add)
6122     ResOffset = Offset.sadd_ov(Addend, Ov);
6123   else {
6124     assert(AddendIsRight && BinOpKind == BO_Sub &&
6125            "operator must be add or sub with addend on the right");
6126     ResOffset = Offset.ssub_ov(Addend, Ov);
6127   }
6128 
6129   // We add an offset to a pointer here so we should support an offset as big as
6130   // possible.
6131   if (Ov) {
6132     assert(BitWidth <= std::numeric_limits<unsigned>::max() / 2 &&
6133            "index (intermediate) result too big");
6134     Offset = Offset.sext(2 * BitWidth);
6135     sumOffsets(Offset, Addend, BinOpKind, AddendIsRight);
6136     return;
6137   }
6138 
6139   Offset = ResOffset;
6140 }
6141 
6142 namespace {
6143 
6144 // This is a wrapper class around StringLiteral to support offsetted string
6145 // literals as format strings. It takes the offset into account when returning
6146 // the string and its length or the source locations to display notes correctly.
6147 class FormatStringLiteral {
6148   const StringLiteral *FExpr;
6149   int64_t Offset;
6150 
6151 public:
6152   FormatStringLiteral(const StringLiteral *fexpr, int64_t Offset = 0)
6153       : FExpr(fexpr), Offset(Offset) {}
6154 
6155   const StringLiteral *getFormatString() const { return FExpr; }
6156 
6157   StringRef getString() const { return FExpr->getString().drop_front(Offset); }
6158 
6159   unsigned getByteLength() const {
6160     return FExpr->getByteLength() - getCharByteWidth() * Offset;
6161   }
6162 
6163   unsigned getLength() const { return FExpr->getLength() - Offset; }
6164   unsigned getCharByteWidth() const { return FExpr->getCharByteWidth(); }
6165 
6166   StringLiteralKind getKind() const { return FExpr->getKind(); }
6167 
6168   QualType getType() const { return FExpr->getType(); }
6169 
6170   bool isAscii() const { return FExpr->isOrdinary(); }
6171   bool isWide() const { return FExpr->isWide(); }
6172   bool isUTF8() const { return FExpr->isUTF8(); }
6173   bool isUTF16() const { return FExpr->isUTF16(); }
6174   bool isUTF32() const { return FExpr->isUTF32(); }
6175   bool isPascal() const { return FExpr->isPascal(); }
6176 
6177   SourceLocation getLocationOfByte(
6178       unsigned ByteNo, const SourceManager &SM, const LangOptions &Features,
6179       const TargetInfo &Target, unsigned *StartToken = nullptr,
6180       unsigned *StartTokenByteOffset = nullptr) const {
6181     return FExpr->getLocationOfByte(ByteNo + Offset, SM, Features, Target,
6182                                     StartToken, StartTokenByteOffset);
6183   }
6184 
6185   SourceLocation getBeginLoc() const LLVM_READONLY {
6186     return FExpr->getBeginLoc().getLocWithOffset(Offset);
6187   }
6188 
6189   SourceLocation getEndLoc() const LLVM_READONLY { return FExpr->getEndLoc(); }
6190 };
6191 
6192 } // namespace
6193 
6194 static void CheckFormatString(
6195     Sema &S, const FormatStringLiteral *FExpr,
6196     const StringLiteral *ReferenceFormatString, const Expr *OrigFormatExpr,
6197     ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
6198     unsigned format_idx, unsigned firstDataArg, FormatStringType Type,
6199     bool inFunctionCall, VariadicCallType CallType,
6200     llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
6201     bool IgnoreStringsWithoutSpecifiers);
6202 
6203 static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
6204                                                const Expr *E);
6205 
6206 // Determine if an expression is a string literal or constant string.
6207 // If this function returns false on the arguments to a function expecting a
6208 // format string, we will usually need to emit a warning.
6209 // True string literals are then checked by CheckFormatString.
6210 static StringLiteralCheckType checkFormatStringExpr(
6211     Sema &S, const StringLiteral *ReferenceFormatString, const Expr *E,
6212     ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
6213     unsigned format_idx, unsigned firstDataArg, FormatStringType Type,
6214     VariadicCallType CallType, bool InFunctionCall,
6215     llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
6216     llvm::APSInt Offset, bool IgnoreStringsWithoutSpecifiers = false) {
6217   if (S.isConstantEvaluatedContext())
6218     return SLCT_NotALiteral;
6219 tryAgain:
6220   assert(Offset.isSigned() && "invalid offset");
6221 
6222   if (E->isTypeDependent() || E->isValueDependent())
6223     return SLCT_NotALiteral;
6224 
6225   E = E->IgnoreParenCasts();
6226 
6227   if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull))
6228     // Technically -Wformat-nonliteral does not warn about this case.
6229     // The behavior of printf and friends in this case is implementation
6230     // dependent.  Ideally if the format string cannot be null then
6231     // it should have a 'nonnull' attribute in the function prototype.
6232     return SLCT_UncheckedLiteral;
6233 
6234   switch (E->getStmtClass()) {
6235   case Stmt::InitListExprClass:
6236     // Handle expressions like {"foobar"}.
6237     if (const clang::Expr *SLE = maybeConstEvalStringLiteral(S.Context, E)) {
6238       return checkFormatStringExpr(
6239           S, ReferenceFormatString, SLE, Args, APK, format_idx, firstDataArg,
6240           Type, CallType, /*InFunctionCall*/ false, CheckedVarArgs,
6241           UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6242     }
6243     return SLCT_NotALiteral;
6244   case Stmt::BinaryConditionalOperatorClass:
6245   case Stmt::ConditionalOperatorClass: {
6246     // The expression is a literal if both sub-expressions were, and it was
6247     // completely checked only if both sub-expressions were checked.
6248     const AbstractConditionalOperator *C =
6249         cast<AbstractConditionalOperator>(E);
6250 
6251     // Determine whether it is necessary to check both sub-expressions, for
6252     // example, because the condition expression is a constant that can be
6253     // evaluated at compile time.
6254     bool CheckLeft = true, CheckRight = true;
6255 
6256     bool Cond;
6257     if (C->getCond()->EvaluateAsBooleanCondition(
6258             Cond, S.getASTContext(), S.isConstantEvaluatedContext())) {
6259       if (Cond)
6260         CheckRight = false;
6261       else
6262         CheckLeft = false;
6263     }
6264 
6265     // We need to maintain the offsets for the right and the left hand side
6266     // separately to check if every possible indexed expression is a valid
6267     // string literal. They might have different offsets for different string
6268     // literals in the end.
6269     StringLiteralCheckType Left;
6270     if (!CheckLeft)
6271       Left = SLCT_UncheckedLiteral;
6272     else {
6273       Left = checkFormatStringExpr(
6274           S, ReferenceFormatString, C->getTrueExpr(), Args, APK, format_idx,
6275           firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
6276           UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6277       if (Left == SLCT_NotALiteral || !CheckRight) {
6278         return Left;
6279       }
6280     }
6281 
6282     StringLiteralCheckType Right = checkFormatStringExpr(
6283         S, ReferenceFormatString, C->getFalseExpr(), Args, APK, format_idx,
6284         firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
6285         UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6286 
6287     return (CheckLeft && Left < Right) ? Left : Right;
6288   }
6289 
6290   case Stmt::ImplicitCastExprClass:
6291     E = cast<ImplicitCastExpr>(E)->getSubExpr();
6292     goto tryAgain;
6293 
6294   case Stmt::OpaqueValueExprClass:
6295     if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) {
6296       E = src;
6297       goto tryAgain;
6298     }
6299     return SLCT_NotALiteral;
6300 
6301   case Stmt::PredefinedExprClass:
6302     // While __func__, etc., are technically not string literals, they
6303     // cannot contain format specifiers and thus are not a security
6304     // liability.
6305     return SLCT_UncheckedLiteral;
6306 
6307   case Stmt::DeclRefExprClass: {
6308     const DeclRefExpr *DR = cast<DeclRefExpr>(E);
6309 
6310     // As an exception, do not flag errors for variables binding to
6311     // const string literals.
6312     if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
6313       bool isConstant = false;
6314       QualType T = DR->getType();
6315 
6316       if (const ArrayType *AT = S.Context.getAsArrayType(T)) {
6317         isConstant = AT->getElementType().isConstant(S.Context);
6318       } else if (const PointerType *PT = T->getAs<PointerType>()) {
6319         isConstant = T.isConstant(S.Context) &&
6320                      PT->getPointeeType().isConstant(S.Context);
6321       } else if (T->isObjCObjectPointerType()) {
6322         // In ObjC, there is usually no "const ObjectPointer" type,
6323         // so don't check if the pointee type is constant.
6324         isConstant = T.isConstant(S.Context);
6325       }
6326 
6327       if (isConstant) {
6328         if (const Expr *Init = VD->getAnyInitializer()) {
6329           // Look through initializers like const char c[] = { "foo" }
6330           if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) {
6331             if (InitList->isStringLiteralInit())
6332               Init = InitList->getInit(0)->IgnoreParenImpCasts();
6333           }
6334           return checkFormatStringExpr(
6335               S, ReferenceFormatString, Init, Args, APK, format_idx,
6336               firstDataArg, Type, CallType,
6337               /*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg, Offset);
6338         }
6339       }
6340 
6341       // When the format argument is an argument of this function, and this
6342       // function also has the format attribute, there are several interactions
6343       // for which there shouldn't be a warning. For instance, when calling
6344       // v*printf from a function that has the printf format attribute, we
6345       // should not emit a warning about using `fmt`, even though it's not
6346       // constant, because the arguments have already been checked for the
6347       // caller of `logmessage`:
6348       //
6349       //  __attribute__((format(printf, 1, 2)))
6350       //  void logmessage(char const *fmt, ...) {
6351       //    va_list ap;
6352       //    va_start(ap, fmt);
6353       //    vprintf(fmt, ap);  /* do not emit a warning about "fmt" */
6354       //    ...
6355       // }
6356       //
6357       // Another interaction that we need to support is using a format string
6358       // specified by the format_matches attribute:
6359       //
6360       //  __attribute__((format_matches(printf, 1, "%s %d")))
6361       //  void logmessage(char const *fmt, const char *a, int b) {
6362       //    printf(fmt, a, b); /* do not emit a warning about "fmt" */
6363       //    printf(fmt, 123.4); /* emit warnings that "%s %d" is incompatible */
6364       //    ...
6365       // }
6366       //
6367       // Yet another interaction that we need to support is calling a variadic
6368       // format function from a format function that has fixed arguments. For
6369       // instance:
6370       //
6371       //  __attribute__((format(printf, 1, 2)))
6372       //  void logstring(char const *fmt, char const *str) {
6373       //    printf(fmt, str);  /* do not emit a warning about "fmt" */
6374       //  }
6375       //
6376       // Same (and perhaps more relatably) for the variadic template case:
6377       //
6378       //  template<typename... Args>
6379       //  __attribute__((format(printf, 1, 2)))
6380       //  void log(const char *fmt, Args&&... args) {
6381       //    printf(fmt, forward<Args>(args)...);
6382       //           /* do not emit a warning about "fmt" */
6383       //  }
6384       //
6385       // Due to implementation difficulty, we only check the format, not the
6386       // format arguments, in all cases.
6387       //
6388       if (const auto *PV = dyn_cast<ParmVarDecl>(VD)) {
6389         if (const auto *D = dyn_cast<Decl>(PV->getDeclContext())) {
6390           for (const auto *PVFormatMatches :
6391                D->specific_attrs<FormatMatchesAttr>()) {
6392             Sema::FormatStringInfo CalleeFSI;
6393             if (!Sema::getFormatStringInfo(D, PVFormatMatches->getFormatIdx(),
6394                                            0, &CalleeFSI))
6395               continue;
6396             if (PV->getFunctionScopeIndex() == CalleeFSI.FormatIdx) {
6397               // If using the wrong type of format string, emit a diagnostic
6398               // here and stop checking to avoid irrelevant diagnostics.
6399               if (Type != S.GetFormatStringType(PVFormatMatches)) {
6400                 S.Diag(Args[format_idx]->getBeginLoc(),
6401                        diag::warn_format_string_type_incompatible)
6402                     << PVFormatMatches->getType()->getName()
6403                     << S.GetFormatStringTypeName(Type);
6404                 if (!InFunctionCall) {
6405                   S.Diag(PVFormatMatches->getFormatString()->getBeginLoc(),
6406                          diag::note_format_string_defined);
6407                 }
6408                 return SLCT_UncheckedLiteral;
6409               }
6410               return checkFormatStringExpr(
6411                   S, ReferenceFormatString, PVFormatMatches->getFormatString(),
6412                   Args, APK, format_idx, firstDataArg, Type, CallType,
6413                   /*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg,
6414                   Offset, IgnoreStringsWithoutSpecifiers);
6415             }
6416           }
6417 
6418           for (const auto *PVFormat : D->specific_attrs<FormatAttr>()) {
6419             Sema::FormatStringInfo CallerFSI;
6420             if (!Sema::getFormatStringInfo(D, PVFormat->getFormatIdx(),
6421                                            PVFormat->getFirstArg(), &CallerFSI))
6422               continue;
6423             if (PV->getFunctionScopeIndex() == CallerFSI.FormatIdx) {
6424               // We also check if the formats are compatible.
6425               // We can't pass a 'scanf' string to a 'printf' function.
6426               if (Type != S.GetFormatStringType(PVFormat)) {
6427                 S.Diag(Args[format_idx]->getBeginLoc(),
6428                        diag::warn_format_string_type_incompatible)
6429                     << PVFormat->getType()->getName()
6430                     << S.GetFormatStringTypeName(Type);
6431                 if (!InFunctionCall) {
6432                   S.Diag(E->getBeginLoc(), diag::note_format_string_defined);
6433                 }
6434                 return SLCT_UncheckedLiteral;
6435               }
6436               // Lastly, check that argument passing kinds transition in a
6437               // way that makes sense:
6438               // from a caller with FAPK_VAList, allow FAPK_VAList
6439               // from a caller with FAPK_Fixed, allow FAPK_Fixed
6440               // from a caller with FAPK_Fixed, allow FAPK_Variadic
6441               // from a caller with FAPK_Variadic, allow FAPK_VAList
6442               switch (combineFAPK(CallerFSI.ArgPassingKind, APK)) {
6443               case combineFAPK(Sema::FAPK_VAList, Sema::FAPK_VAList):
6444               case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Fixed):
6445               case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Variadic):
6446               case combineFAPK(Sema::FAPK_Variadic, Sema::FAPK_VAList):
6447                 return SLCT_UncheckedLiteral;
6448               }
6449             }
6450           }
6451         }
6452       }
6453     }
6454 
6455     return SLCT_NotALiteral;
6456   }
6457 
6458   case Stmt::CallExprClass:
6459   case Stmt::CXXMemberCallExprClass: {
6460     const CallExpr *CE = cast<CallExpr>(E);
6461     if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) {
6462       bool IsFirst = true;
6463       StringLiteralCheckType CommonResult;
6464       for (const auto *FA : ND->specific_attrs<FormatArgAttr>()) {
6465         const Expr *Arg = CE->getArg(FA->getFormatIdx().getASTIndex());
6466         StringLiteralCheckType Result = checkFormatStringExpr(
6467             S, ReferenceFormatString, Arg, Args, APK, format_idx, firstDataArg,
6468             Type, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg,
6469             Offset, IgnoreStringsWithoutSpecifiers);
6470         if (IsFirst) {
6471           CommonResult = Result;
6472           IsFirst = false;
6473         }
6474       }
6475       if (!IsFirst)
6476         return CommonResult;
6477 
6478       if (const auto *FD = dyn_cast<FunctionDecl>(ND)) {
6479         unsigned BuiltinID = FD->getBuiltinID();
6480         if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString ||
6481             BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) {
6482           const Expr *Arg = CE->getArg(0);
6483           return checkFormatStringExpr(
6484               S, ReferenceFormatString, Arg, Args, APK, format_idx,
6485               firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
6486               UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6487         }
6488       }
6489     }
6490     if (const Expr *SLE = maybeConstEvalStringLiteral(S.Context, E))
6491       return checkFormatStringExpr(
6492           S, ReferenceFormatString, SLE, Args, APK, format_idx, firstDataArg,
6493           Type, CallType, /*InFunctionCall*/ false, CheckedVarArgs,
6494           UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
6495     return SLCT_NotALiteral;
6496   }
6497   case Stmt::ObjCMessageExprClass: {
6498     const auto *ME = cast<ObjCMessageExpr>(E);
6499     if (const auto *MD = ME->getMethodDecl()) {
6500       if (const auto *FA = MD->getAttr<FormatArgAttr>()) {
6501         // As a special case heuristic, if we're using the method -[NSBundle
6502         // localizedStringForKey:value:table:], ignore any key strings that lack
6503         // format specifiers. The idea is that if the key doesn't have any
6504         // format specifiers then its probably just a key to map to the
6505         // localized strings. If it does have format specifiers though, then its
6506         // likely that the text of the key is the format string in the
6507         // programmer's language, and should be checked.
6508         const ObjCInterfaceDecl *IFace;
6509         if (MD->isInstanceMethod() && (IFace = MD->getClassInterface()) &&
6510             IFace->getIdentifier()->isStr("NSBundle") &&
6511             MD->getSelector().isKeywordSelector(
6512                 {"localizedStringForKey", "value", "table"})) {
6513           IgnoreStringsWithoutSpecifiers = true;
6514         }
6515 
6516         const Expr *Arg = ME->getArg(FA->getFormatIdx().getASTIndex());
6517         return checkFormatStringExpr(
6518             S, ReferenceFormatString, Arg, Args, APK, format_idx, firstDataArg,
6519             Type, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg,
6520             Offset, IgnoreStringsWithoutSpecifiers);
6521       }
6522     }
6523 
6524     return SLCT_NotALiteral;
6525   }
6526   case Stmt::ObjCStringLiteralClass:
6527   case Stmt::StringLiteralClass: {
6528     const StringLiteral *StrE = nullptr;
6529 
6530     if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
6531       StrE = ObjCFExpr->getString();
6532     else
6533       StrE = cast<StringLiteral>(E);
6534 
6535     if (StrE) {
6536       if (Offset.isNegative() || Offset > StrE->getLength()) {
6537         // TODO: It would be better to have an explicit warning for out of
6538         // bounds literals.
6539         return SLCT_NotALiteral;
6540       }
6541       FormatStringLiteral FStr(StrE, Offset.sextOrTrunc(64).getSExtValue());
6542       CheckFormatString(S, &FStr, ReferenceFormatString, E, Args, APK,
6543                         format_idx, firstDataArg, Type, InFunctionCall,
6544                         CallType, CheckedVarArgs, UncoveredArg,
6545                         IgnoreStringsWithoutSpecifiers);
6546       return SLCT_CheckedLiteral;
6547     }
6548 
6549     return SLCT_NotALiteral;
6550   }
6551   case Stmt::BinaryOperatorClass: {
6552     const BinaryOperator *BinOp = cast<BinaryOperator>(E);
6553 
6554     // A string literal + an int offset is still a string literal.
6555     if (BinOp->isAdditiveOp()) {
6556       Expr::EvalResult LResult, RResult;
6557 
6558       bool LIsInt = BinOp->getLHS()->EvaluateAsInt(
6559           LResult, S.Context, Expr::SE_NoSideEffects,
6560           S.isConstantEvaluatedContext());
6561       bool RIsInt = BinOp->getRHS()->EvaluateAsInt(
6562           RResult, S.Context, Expr::SE_NoSideEffects,
6563           S.isConstantEvaluatedContext());
6564 
6565       if (LIsInt != RIsInt) {
6566         BinaryOperatorKind BinOpKind = BinOp->getOpcode();
6567 
6568         if (LIsInt) {
6569           if (BinOpKind == BO_Add) {
6570             sumOffsets(Offset, LResult.Val.getInt(), BinOpKind, RIsInt);
6571             E = BinOp->getRHS();
6572             goto tryAgain;
6573           }
6574         } else {
6575           sumOffsets(Offset, RResult.Val.getInt(), BinOpKind, RIsInt);
6576           E = BinOp->getLHS();
6577           goto tryAgain;
6578         }
6579       }
6580     }
6581 
6582     return SLCT_NotALiteral;
6583   }
6584   case Stmt::UnaryOperatorClass: {
6585     const UnaryOperator *UnaOp = cast<UnaryOperator>(E);
6586     auto ASE = dyn_cast<ArraySubscriptExpr>(UnaOp->getSubExpr());
6587     if (UnaOp->getOpcode() == UO_AddrOf && ASE) {
6588       Expr::EvalResult IndexResult;
6589       if (ASE->getRHS()->EvaluateAsInt(IndexResult, S.Context,
6590                                        Expr::SE_NoSideEffects,
6591                                        S.isConstantEvaluatedContext())) {
6592         sumOffsets(Offset, IndexResult.Val.getInt(), BO_Add,
6593                    /*RHS is int*/ true);
6594         E = ASE->getBase();
6595         goto tryAgain;
6596       }
6597     }
6598 
6599     return SLCT_NotALiteral;
6600   }
6601 
6602   default:
6603     return SLCT_NotALiteral;
6604   }
6605 }
6606 
6607 // If this expression can be evaluated at compile-time,
6608 // check if the result is a StringLiteral and return it
6609 // otherwise return nullptr
6610 static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
6611                                                const Expr *E) {
6612   Expr::EvalResult Result;
6613   if (E->EvaluateAsRValue(Result, Context) && Result.Val.isLValue()) {
6614     const auto *LVE = Result.Val.getLValueBase().dyn_cast<const Expr *>();
6615     if (isa_and_nonnull<StringLiteral>(LVE))
6616       return LVE;
6617   }
6618   return nullptr;
6619 }
6620 
6621 StringRef Sema::GetFormatStringTypeName(FormatStringType FST) {
6622   switch (FST) {
6623   case FormatStringType::Scanf:
6624     return "scanf";
6625   case FormatStringType::Printf:
6626     return "printf";
6627   case FormatStringType::NSString:
6628     return "NSString";
6629   case FormatStringType::Strftime:
6630     return "strftime";
6631   case FormatStringType::Strfmon:
6632     return "strfmon";
6633   case FormatStringType::Kprintf:
6634     return "kprintf";
6635   case FormatStringType::FreeBSDKPrintf:
6636     return "freebsd_kprintf";
6637   case FormatStringType::OSLog:
6638     return "os_log";
6639   default:
6640     return "<unknown>";
6641   }
6642 }
6643 
6644 FormatStringType Sema::GetFormatStringType(StringRef Flavor) {
6645   return llvm::StringSwitch<FormatStringType>(Flavor)
6646       .Case("scanf", FormatStringType::Scanf)
6647       .Cases("printf", "printf0", "syslog", FormatStringType::Printf)
6648       .Cases("NSString", "CFString", FormatStringType::NSString)
6649       .Case("strftime", FormatStringType::Strftime)
6650       .Case("strfmon", FormatStringType::Strfmon)
6651       .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err",
6652              FormatStringType::Kprintf)
6653       .Case("freebsd_kprintf", FormatStringType::FreeBSDKPrintf)
6654       .Case("os_trace", FormatStringType::OSLog)
6655       .Case("os_log", FormatStringType::OSLog)
6656       .Default(FormatStringType::Unknown);
6657 }
6658 
6659 FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) {
6660   return GetFormatStringType(Format->getType()->getName());
6661 }
6662 
6663 FormatStringType Sema::GetFormatStringType(const FormatMatchesAttr *Format) {
6664   return GetFormatStringType(Format->getType()->getName());
6665 }
6666 
6667 bool Sema::CheckFormatArguments(const FormatAttr *Format,
6668                                 ArrayRef<const Expr *> Args, bool IsCXXMember,
6669                                 VariadicCallType CallType, SourceLocation Loc,
6670                                 SourceRange Range,
6671                                 llvm::SmallBitVector &CheckedVarArgs) {
6672   FormatStringInfo FSI;
6673   if (getFormatStringInfo(Format->getFormatIdx(), Format->getFirstArg(),
6674                           IsCXXMember,
6675                           CallType != VariadicCallType::DoesNotApply, &FSI))
6676     return CheckFormatArguments(
6677         Args, FSI.ArgPassingKind, nullptr, FSI.FormatIdx, FSI.FirstDataArg,
6678         GetFormatStringType(Format), CallType, Loc, Range, CheckedVarArgs);
6679   return false;
6680 }
6681 
6682 bool Sema::CheckFormatString(const FormatMatchesAttr *Format,
6683                              ArrayRef<const Expr *> Args, bool IsCXXMember,
6684                              VariadicCallType CallType, SourceLocation Loc,
6685                              SourceRange Range,
6686                              llvm::SmallBitVector &CheckedVarArgs) {
6687   FormatStringInfo FSI;
6688   if (getFormatStringInfo(Format->getFormatIdx(), 0, IsCXXMember, false,
6689                           &FSI)) {
6690     FSI.ArgPassingKind = Sema::FAPK_Elsewhere;
6691     return CheckFormatArguments(Args, FSI.ArgPassingKind,
6692                                 Format->getFormatString(), FSI.FormatIdx,
6693                                 FSI.FirstDataArg, GetFormatStringType(Format),
6694                                 CallType, Loc, Range, CheckedVarArgs);
6695   }
6696   return false;
6697 }
6698 
6699 bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
6700                                 Sema::FormatArgumentPassingKind APK,
6701                                 const StringLiteral *ReferenceFormatString,
6702                                 unsigned format_idx, unsigned firstDataArg,
6703                                 FormatStringType Type,
6704                                 VariadicCallType CallType, SourceLocation Loc,
6705                                 SourceRange Range,
6706                                 llvm::SmallBitVector &CheckedVarArgs) {
6707   // CHECK: printf/scanf-like function is called with no format string.
6708   if (format_idx >= Args.size()) {
6709     Diag(Loc, diag::warn_missing_format_string) << Range;
6710     return false;
6711   }
6712 
6713   const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts();
6714 
6715   // CHECK: format string is not a string literal.
6716   //
6717   // Dynamically generated format strings are difficult to
6718   // automatically vet at compile time.  Requiring that format strings
6719   // are string literals: (1) permits the checking of format strings by
6720   // the compiler and thereby (2) can practically remove the source of
6721   // many format string exploits.
6722 
6723   // Format string can be either ObjC string (e.g. @"%d") or
6724   // C string (e.g. "%d")
6725   // ObjC string uses the same format specifiers as C string, so we can use
6726   // the same format string checking logic for both ObjC and C strings.
6727   UncoveredArgHandler UncoveredArg;
6728   StringLiteralCheckType CT = checkFormatStringExpr(
6729       *this, ReferenceFormatString, OrigFormatExpr, Args, APK, format_idx,
6730       firstDataArg, Type, CallType,
6731       /*IsFunctionCall*/ true, CheckedVarArgs, UncoveredArg,
6732       /*no string offset*/ llvm::APSInt(64, false) = 0);
6733 
6734   // Generate a diagnostic where an uncovered argument is detected.
6735   if (UncoveredArg.hasUncoveredArg()) {
6736     unsigned ArgIdx = UncoveredArg.getUncoveredArg() + firstDataArg;
6737     assert(ArgIdx < Args.size() && "ArgIdx outside bounds");
6738     UncoveredArg.Diagnose(*this, /*IsFunctionCall*/true, Args[ArgIdx]);
6739   }
6740 
6741   if (CT != SLCT_NotALiteral)
6742     // Literal format string found, check done!
6743     return CT == SLCT_CheckedLiteral;
6744 
6745   // Strftime is particular as it always uses a single 'time' argument,
6746   // so it is safe to pass a non-literal string.
6747   if (Type == FormatStringType::Strftime)
6748     return false;
6749 
6750   // Do not emit diag when the string param is a macro expansion and the
6751   // format is either NSString or CFString. This is a hack to prevent
6752   // diag when using the NSLocalizedString and CFCopyLocalizedString macros
6753   // which are usually used in place of NS and CF string literals.
6754   SourceLocation FormatLoc = Args[format_idx]->getBeginLoc();
6755   if (Type == FormatStringType::NSString &&
6756       SourceMgr.isInSystemMacro(FormatLoc))
6757     return false;
6758 
6759   // If there are no arguments specified, warn with -Wformat-security, otherwise
6760   // warn only with -Wformat-nonliteral.
6761   if (Args.size() == firstDataArg) {
6762     Diag(FormatLoc, diag::warn_format_nonliteral_noargs)
6763       << OrigFormatExpr->getSourceRange();
6764     switch (Type) {
6765     default:
6766       break;
6767     case FormatStringType::Kprintf:
6768     case FormatStringType::FreeBSDKPrintf:
6769     case FormatStringType::Printf:
6770     case FormatStringType::Syslog:
6771       Diag(FormatLoc, diag::note_format_security_fixit)
6772         << FixItHint::CreateInsertion(FormatLoc, "\"%s\", ");
6773       break;
6774     case FormatStringType::NSString:
6775       Diag(FormatLoc, diag::note_format_security_fixit)
6776         << FixItHint::CreateInsertion(FormatLoc, "@\"%@\", ");
6777       break;
6778     }
6779   } else {
6780     Diag(FormatLoc, diag::warn_format_nonliteral)
6781       << OrigFormatExpr->getSourceRange();
6782   }
6783   return false;
6784 }
6785 
6786 namespace {
6787 
6788 class CheckFormatHandler : public analyze_format_string::FormatStringHandler {
6789 protected:
6790   Sema &S;
6791   const FormatStringLiteral *FExpr;
6792   const Expr *OrigFormatExpr;
6793   const FormatStringType FSType;
6794   const unsigned FirstDataArg;
6795   const unsigned NumDataArgs;
6796   const char *Beg; // Start of format string.
6797   const Sema::FormatArgumentPassingKind ArgPassingKind;
6798   ArrayRef<const Expr *> Args;
6799   unsigned FormatIdx;
6800   llvm::SmallBitVector CoveredArgs;
6801   bool usesPositionalArgs = false;
6802   bool atFirstArg = true;
6803   bool inFunctionCall;
6804   VariadicCallType CallType;
6805   llvm::SmallBitVector &CheckedVarArgs;
6806   UncoveredArgHandler &UncoveredArg;
6807 
6808 public:
6809   CheckFormatHandler(Sema &s, const FormatStringLiteral *fexpr,
6810                      const Expr *origFormatExpr, const FormatStringType type,
6811                      unsigned firstDataArg, unsigned numDataArgs,
6812                      const char *beg, Sema::FormatArgumentPassingKind APK,
6813                      ArrayRef<const Expr *> Args, unsigned formatIdx,
6814                      bool inFunctionCall, VariadicCallType callType,
6815                      llvm::SmallBitVector &CheckedVarArgs,
6816                      UncoveredArgHandler &UncoveredArg)
6817       : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), FSType(type),
6818         FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), Beg(beg),
6819         ArgPassingKind(APK), Args(Args), FormatIdx(formatIdx),
6820         inFunctionCall(inFunctionCall), CallType(callType),
6821         CheckedVarArgs(CheckedVarArgs), UncoveredArg(UncoveredArg) {
6822     CoveredArgs.resize(numDataArgs);
6823     CoveredArgs.reset();
6824   }
6825 
6826   bool HasFormatArguments() const {
6827     return ArgPassingKind == Sema::FAPK_Fixed ||
6828            ArgPassingKind == Sema::FAPK_Variadic;
6829   }
6830 
6831   void DoneProcessing();
6832 
6833   void HandleIncompleteSpecifier(const char *startSpecifier,
6834                                  unsigned specifierLen) override;
6835 
6836   void HandleInvalidLengthModifier(
6837                            const analyze_format_string::FormatSpecifier &FS,
6838                            const analyze_format_string::ConversionSpecifier &CS,
6839                            const char *startSpecifier, unsigned specifierLen,
6840                            unsigned DiagID);
6841 
6842   void HandleNonStandardLengthModifier(
6843                     const analyze_format_string::FormatSpecifier &FS,
6844                     const char *startSpecifier, unsigned specifierLen);
6845 
6846   void HandleNonStandardConversionSpecifier(
6847                     const analyze_format_string::ConversionSpecifier &CS,
6848                     const char *startSpecifier, unsigned specifierLen);
6849 
6850   void HandlePosition(const char *startPos, unsigned posLen) override;
6851 
6852   void HandleInvalidPosition(const char *startSpecifier,
6853                              unsigned specifierLen,
6854                              analyze_format_string::PositionContext p) override;
6855 
6856   void HandleZeroPosition(const char *startPos, unsigned posLen) override;
6857 
6858   void HandleNullChar(const char *nullCharacter) override;
6859 
6860   template <typename Range>
6861   static void
6862   EmitFormatDiagnostic(Sema &S, bool inFunctionCall, const Expr *ArgumentExpr,
6863                        const PartialDiagnostic &PDiag, SourceLocation StringLoc,
6864                        bool IsStringLocation, Range StringRange,
6865                        ArrayRef<FixItHint> Fixit = {});
6866 
6867 protected:
6868   bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc,
6869                                         const char *startSpec,
6870                                         unsigned specifierLen,
6871                                         const char *csStart, unsigned csLen);
6872 
6873   void HandlePositionalNonpositionalArgs(SourceLocation Loc,
6874                                          const char *startSpec,
6875                                          unsigned specifierLen);
6876 
6877   SourceRange getFormatStringRange();
6878   CharSourceRange getSpecifierRange(const char *startSpecifier,
6879                                     unsigned specifierLen);
6880   SourceLocation getLocationOfByte(const char *x);
6881 
6882   const Expr *getDataArg(unsigned i) const;
6883 
6884   bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS,
6885                     const analyze_format_string::ConversionSpecifier &CS,
6886                     const char *startSpecifier, unsigned specifierLen,
6887                     unsigned argIndex);
6888 
6889   template <typename Range>
6890   void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc,
6891                             bool IsStringLocation, Range StringRange,
6892                             ArrayRef<FixItHint> Fixit = {});
6893 };
6894 
6895 } // namespace
6896 
6897 SourceRange CheckFormatHandler::getFormatStringRange() {
6898   return OrigFormatExpr->getSourceRange();
6899 }
6900 
6901 CharSourceRange CheckFormatHandler::
6902 getSpecifierRange(const char *startSpecifier, unsigned specifierLen) {
6903   SourceLocation Start = getLocationOfByte(startSpecifier);
6904   SourceLocation End   = getLocationOfByte(startSpecifier + specifierLen - 1);
6905 
6906   // Advance the end SourceLocation by one due to half-open ranges.
6907   End = End.getLocWithOffset(1);
6908 
6909   return CharSourceRange::getCharRange(Start, End);
6910 }
6911 
6912 SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) {
6913   return FExpr->getLocationOfByte(x - Beg, S.getSourceManager(),
6914                                   S.getLangOpts(), S.Context.getTargetInfo());
6915 }
6916 
6917 void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier,
6918                                                    unsigned specifierLen){
6919   EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier),
6920                        getLocationOfByte(startSpecifier),
6921                        /*IsStringLocation*/true,
6922                        getSpecifierRange(startSpecifier, specifierLen));
6923 }
6924 
6925 void CheckFormatHandler::HandleInvalidLengthModifier(
6926     const analyze_format_string::FormatSpecifier &FS,
6927     const analyze_format_string::ConversionSpecifier &CS,
6928     const char *startSpecifier, unsigned specifierLen, unsigned DiagID) {
6929   using namespace analyze_format_string;
6930 
6931   const LengthModifier &LM = FS.getLengthModifier();
6932   CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
6933 
6934   // See if we know how to fix this length modifier.
6935   std::optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
6936   if (FixedLM) {
6937     EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
6938                          getLocationOfByte(LM.getStart()),
6939                          /*IsStringLocation*/true,
6940                          getSpecifierRange(startSpecifier, specifierLen));
6941 
6942     S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
6943       << FixedLM->toString()
6944       << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
6945 
6946   } else {
6947     FixItHint Hint;
6948     if (DiagID == diag::warn_format_nonsensical_length)
6949       Hint = FixItHint::CreateRemoval(LMRange);
6950 
6951     EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
6952                          getLocationOfByte(LM.getStart()),
6953                          /*IsStringLocation*/true,
6954                          getSpecifierRange(startSpecifier, specifierLen),
6955                          Hint);
6956   }
6957 }
6958 
6959 void CheckFormatHandler::HandleNonStandardLengthModifier(
6960     const analyze_format_string::FormatSpecifier &FS,
6961     const char *startSpecifier, unsigned specifierLen) {
6962   using namespace analyze_format_string;
6963 
6964   const LengthModifier &LM = FS.getLengthModifier();
6965   CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
6966 
6967   // See if we know how to fix this length modifier.
6968   std::optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
6969   if (FixedLM) {
6970     EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6971                            << LM.toString() << 0,
6972                          getLocationOfByte(LM.getStart()),
6973                          /*IsStringLocation*/true,
6974                          getSpecifierRange(startSpecifier, specifierLen));
6975 
6976     S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
6977       << FixedLM->toString()
6978       << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
6979 
6980   } else {
6981     EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6982                            << LM.toString() << 0,
6983                          getLocationOfByte(LM.getStart()),
6984                          /*IsStringLocation*/true,
6985                          getSpecifierRange(startSpecifier, specifierLen));
6986   }
6987 }
6988 
6989 void CheckFormatHandler::HandleNonStandardConversionSpecifier(
6990     const analyze_format_string::ConversionSpecifier &CS,
6991     const char *startSpecifier, unsigned specifierLen) {
6992   using namespace analyze_format_string;
6993 
6994   // See if we know how to fix this conversion specifier.
6995   std::optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier();
6996   if (FixedCS) {
6997     EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6998                           << CS.toString() << /*conversion specifier*/1,
6999                          getLocationOfByte(CS.getStart()),
7000                          /*IsStringLocation*/true,
7001                          getSpecifierRange(startSpecifier, specifierLen));
7002 
7003     CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength());
7004     S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier)
7005       << FixedCS->toString()
7006       << FixItHint::CreateReplacement(CSRange, FixedCS->toString());
7007   } else {
7008     EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
7009                           << CS.toString() << /*conversion specifier*/1,
7010                          getLocationOfByte(CS.getStart()),
7011                          /*IsStringLocation*/true,
7012                          getSpecifierRange(startSpecifier, specifierLen));
7013   }
7014 }
7015 
7016 void CheckFormatHandler::HandlePosition(const char *startPos,
7017                                         unsigned posLen) {
7018   if (!S.getDiagnostics().isIgnored(
7019           diag::warn_format_non_standard_positional_arg, SourceLocation()))
7020     EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg),
7021                          getLocationOfByte(startPos),
7022                          /*IsStringLocation*/ true,
7023                          getSpecifierRange(startPos, posLen));
7024 }
7025 
7026 void CheckFormatHandler::HandleInvalidPosition(
7027     const char *startSpecifier, unsigned specifierLen,
7028     analyze_format_string::PositionContext p) {
7029   if (!S.getDiagnostics().isIgnored(
7030           diag::warn_format_invalid_positional_specifier, SourceLocation()))
7031     EmitFormatDiagnostic(
7032         S.PDiag(diag::warn_format_invalid_positional_specifier) << (unsigned)p,
7033         getLocationOfByte(startSpecifier), /*IsStringLocation*/ true,
7034         getSpecifierRange(startSpecifier, specifierLen));
7035 }
7036 
7037 void CheckFormatHandler::HandleZeroPosition(const char *startPos,
7038                                             unsigned posLen) {
7039   if (!S.getDiagnostics().isIgnored(diag::warn_format_zero_positional_specifier,
7040                                     SourceLocation()))
7041     EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier),
7042                          getLocationOfByte(startPos),
7043                          /*IsStringLocation*/ true,
7044                          getSpecifierRange(startPos, posLen));
7045 }
7046 
7047 void CheckFormatHandler::HandleNullChar(const char *nullCharacter) {
7048   if (!isa<ObjCStringLiteral>(OrigFormatExpr)) {
7049     // The presence of a null character is likely an error.
7050     EmitFormatDiagnostic(
7051       S.PDiag(diag::warn_printf_format_string_contains_null_char),
7052       getLocationOfByte(nullCharacter), /*IsStringLocation*/true,
7053       getFormatStringRange());
7054   }
7055 }
7056 
7057 // Note that this may return NULL if there was an error parsing or building
7058 // one of the argument expressions.
7059 const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
7060   return Args[FirstDataArg + i];
7061 }
7062 
7063 void CheckFormatHandler::DoneProcessing() {
7064   // Does the number of data arguments exceed the number of
7065   // format conversions in the format string?
7066   if (HasFormatArguments()) {
7067     // Find any arguments that weren't covered.
7068     CoveredArgs.flip();
7069     signed notCoveredArg = CoveredArgs.find_first();
7070     if (notCoveredArg >= 0) {
7071       assert((unsigned)notCoveredArg < NumDataArgs);
7072       UncoveredArg.Update(notCoveredArg, OrigFormatExpr);
7073     } else {
7074       UncoveredArg.setAllCovered();
7075     }
7076   }
7077 }
7078 
7079 void UncoveredArgHandler::Diagnose(Sema &S, bool IsFunctionCall,
7080                                    const Expr *ArgExpr) {
7081   assert(hasUncoveredArg() && !DiagnosticExprs.empty() &&
7082          "Invalid state");
7083 
7084   if (!ArgExpr)
7085     return;
7086 
7087   SourceLocation Loc = ArgExpr->getBeginLoc();
7088 
7089   if (S.getSourceManager().isInSystemMacro(Loc))
7090     return;
7091 
7092   PartialDiagnostic PDiag = S.PDiag(diag::warn_printf_data_arg_not_used);
7093   for (auto E : DiagnosticExprs)
7094     PDiag << E->getSourceRange();
7095 
7096   CheckFormatHandler::EmitFormatDiagnostic(
7097                                   S, IsFunctionCall, DiagnosticExprs[0],
7098                                   PDiag, Loc, /*IsStringLocation*/false,
7099                                   DiagnosticExprs[0]->getSourceRange());
7100 }
7101 
7102 bool
7103 CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex,
7104                                                      SourceLocation Loc,
7105                                                      const char *startSpec,
7106                                                      unsigned specifierLen,
7107                                                      const char *csStart,
7108                                                      unsigned csLen) {
7109   bool keepGoing = true;
7110   if (argIndex < NumDataArgs) {
7111     // Consider the argument coverered, even though the specifier doesn't
7112     // make sense.
7113     CoveredArgs.set(argIndex);
7114   }
7115   else {
7116     // If argIndex exceeds the number of data arguments we
7117     // don't issue a warning because that is just a cascade of warnings (and
7118     // they may have intended '%%' anyway). We don't want to continue processing
7119     // the format string after this point, however, as we will like just get
7120     // gibberish when trying to match arguments.
7121     keepGoing = false;
7122   }
7123 
7124   StringRef Specifier(csStart, csLen);
7125 
7126   // If the specifier in non-printable, it could be the first byte of a UTF-8
7127   // sequence. In that case, print the UTF-8 code point. If not, print the byte
7128   // hex value.
7129   std::string CodePointStr;
7130   if (!llvm::sys::locale::isPrint(*csStart)) {
7131     llvm::UTF32 CodePoint;
7132     const llvm::UTF8 **B = reinterpret_cast<const llvm::UTF8 **>(&csStart);
7133     const llvm::UTF8 *E =
7134         reinterpret_cast<const llvm::UTF8 *>(csStart + csLen);
7135     llvm::ConversionResult Result =
7136         llvm::convertUTF8Sequence(B, E, &CodePoint, llvm::strictConversion);
7137 
7138     if (Result != llvm::conversionOK) {
7139       unsigned char FirstChar = *csStart;
7140       CodePoint = (llvm::UTF32)FirstChar;
7141     }
7142 
7143     llvm::raw_string_ostream OS(CodePointStr);
7144     if (CodePoint < 256)
7145       OS << "\\x" << llvm::format("%02x", CodePoint);
7146     else if (CodePoint <= 0xFFFF)
7147       OS << "\\u" << llvm::format("%04x", CodePoint);
7148     else
7149       OS << "\\U" << llvm::format("%08x", CodePoint);
7150     Specifier = CodePointStr;
7151   }
7152 
7153   EmitFormatDiagnostic(
7154       S.PDiag(diag::warn_format_invalid_conversion) << Specifier, Loc,
7155       /*IsStringLocation*/ true, getSpecifierRange(startSpec, specifierLen));
7156 
7157   return keepGoing;
7158 }
7159 
7160 void
7161 CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc,
7162                                                       const char *startSpec,
7163                                                       unsigned specifierLen) {
7164   EmitFormatDiagnostic(
7165     S.PDiag(diag::warn_format_mix_positional_nonpositional_args),
7166     Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen));
7167 }
7168 
7169 bool
7170 CheckFormatHandler::CheckNumArgs(
7171   const analyze_format_string::FormatSpecifier &FS,
7172   const analyze_format_string::ConversionSpecifier &CS,
7173   const char *startSpecifier, unsigned specifierLen, unsigned argIndex) {
7174 
7175   if (HasFormatArguments() && argIndex >= NumDataArgs) {
7176     PartialDiagnostic PDiag = FS.usesPositionalArg()
7177       ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args)
7178            << (argIndex+1) << NumDataArgs)
7179       : S.PDiag(diag::warn_printf_insufficient_data_args);
7180     EmitFormatDiagnostic(
7181       PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true,
7182       getSpecifierRange(startSpecifier, specifierLen));
7183 
7184     // Since more arguments than conversion tokens are given, by extension
7185     // all arguments are covered, so mark this as so.
7186     UncoveredArg.setAllCovered();
7187     return false;
7188   }
7189   return true;
7190 }
7191 
7192 template<typename Range>
7193 void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag,
7194                                               SourceLocation Loc,
7195                                               bool IsStringLocation,
7196                                               Range StringRange,
7197                                               ArrayRef<FixItHint> FixIt) {
7198   EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag,
7199                        Loc, IsStringLocation, StringRange, FixIt);
7200 }
7201 
7202 /// If the format string is not within the function call, emit a note
7203 /// so that the function call and string are in diagnostic messages.
7204 ///
7205 /// \param InFunctionCall if true, the format string is within the function
7206 /// call and only one diagnostic message will be produced.  Otherwise, an
7207 /// extra note will be emitted pointing to location of the format string.
7208 ///
7209 /// \param ArgumentExpr the expression that is passed as the format string
7210 /// argument in the function call.  Used for getting locations when two
7211 /// diagnostics are emitted.
7212 ///
7213 /// \param PDiag the callee should already have provided any strings for the
7214 /// diagnostic message.  This function only adds locations and fixits
7215 /// to diagnostics.
7216 ///
7217 /// \param Loc primary location for diagnostic.  If two diagnostics are
7218 /// required, one will be at Loc and a new SourceLocation will be created for
7219 /// the other one.
7220 ///
7221 /// \param IsStringLocation if true, Loc points to the format string should be
7222 /// used for the note.  Otherwise, Loc points to the argument list and will
7223 /// be used with PDiag.
7224 ///
7225 /// \param StringRange some or all of the string to highlight.  This is
7226 /// templated so it can accept either a CharSourceRange or a SourceRange.
7227 ///
7228 /// \param FixIt optional fix it hint for the format string.
7229 template <typename Range>
7230 void CheckFormatHandler::EmitFormatDiagnostic(
7231     Sema &S, bool InFunctionCall, const Expr *ArgumentExpr,
7232     const PartialDiagnostic &PDiag, SourceLocation Loc, bool IsStringLocation,
7233     Range StringRange, ArrayRef<FixItHint> FixIt) {
7234   if (InFunctionCall) {
7235     const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag);
7236     D << StringRange;
7237     D << FixIt;
7238   } else {
7239     S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag)
7240       << ArgumentExpr->getSourceRange();
7241 
7242     const Sema::SemaDiagnosticBuilder &Note =
7243       S.Diag(IsStringLocation ? Loc : StringRange.getBegin(),
7244              diag::note_format_string_defined);
7245 
7246     Note << StringRange;
7247     Note << FixIt;
7248   }
7249 }
7250 
7251 //===--- CHECK: Printf format string checking -----------------------------===//
7252 
7253 namespace {
7254 
7255 class CheckPrintfHandler : public CheckFormatHandler {
7256 public:
7257   CheckPrintfHandler(Sema &s, const FormatStringLiteral *fexpr,
7258                      const Expr *origFormatExpr, const FormatStringType type,
7259                      unsigned firstDataArg, unsigned numDataArgs, bool isObjC,
7260                      const char *beg, Sema::FormatArgumentPassingKind APK,
7261                      ArrayRef<const Expr *> Args, unsigned formatIdx,
7262                      bool inFunctionCall, VariadicCallType CallType,
7263                      llvm::SmallBitVector &CheckedVarArgs,
7264                      UncoveredArgHandler &UncoveredArg)
7265       : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
7266                            numDataArgs, beg, APK, Args, formatIdx,
7267                            inFunctionCall, CallType, CheckedVarArgs,
7268                            UncoveredArg) {}
7269 
7270   bool isObjCContext() const { return FSType == FormatStringType::NSString; }
7271 
7272   /// Returns true if '%@' specifiers are allowed in the format string.
7273   bool allowsObjCArg() const {
7274     return FSType == FormatStringType::NSString ||
7275            FSType == FormatStringType::OSLog ||
7276            FSType == FormatStringType::OSTrace;
7277   }
7278 
7279   bool HandleInvalidPrintfConversionSpecifier(
7280                                       const analyze_printf::PrintfSpecifier &FS,
7281                                       const char *startSpecifier,
7282                                       unsigned specifierLen) override;
7283 
7284   void handleInvalidMaskType(StringRef MaskType) override;
7285 
7286   bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
7287                              const char *startSpecifier, unsigned specifierLen,
7288                              const TargetInfo &Target) override;
7289   bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
7290                        const char *StartSpecifier,
7291                        unsigned SpecifierLen,
7292                        const Expr *E);
7293 
7294   bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k,
7295                     const char *startSpecifier, unsigned specifierLen);
7296   void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS,
7297                            const analyze_printf::OptionalAmount &Amt,
7298                            unsigned type,
7299                            const char *startSpecifier, unsigned specifierLen);
7300   void HandleFlag(const analyze_printf::PrintfSpecifier &FS,
7301                   const analyze_printf::OptionalFlag &flag,
7302                   const char *startSpecifier, unsigned specifierLen);
7303   void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS,
7304                          const analyze_printf::OptionalFlag &ignoredFlag,
7305                          const analyze_printf::OptionalFlag &flag,
7306                          const char *startSpecifier, unsigned specifierLen);
7307   bool checkForCStrMembers(const analyze_printf::ArgType &AT,
7308                            const Expr *E);
7309 
7310   void HandleEmptyObjCModifierFlag(const char *startFlag,
7311                                    unsigned flagLen) override;
7312 
7313   void HandleInvalidObjCModifierFlag(const char *startFlag,
7314                                             unsigned flagLen) override;
7315 
7316   void
7317   HandleObjCFlagsWithNonObjCConversion(const char *flagsStart,
7318                                        const char *flagsEnd,
7319                                        const char *conversionPosition) override;
7320 };
7321 
7322 /// Keeps around the information needed to verify that two specifiers are
7323 /// compatible.
7324 class EquatableFormatArgument {
7325 public:
7326   enum SpecifierSensitivity : unsigned {
7327     SS_None,
7328     SS_Private,
7329     SS_Public,
7330     SS_Sensitive
7331   };
7332 
7333   enum FormatArgumentRole : unsigned {
7334     FAR_Data,
7335     FAR_FieldWidth,
7336     FAR_Precision,
7337     FAR_Auxiliary, // FreeBSD kernel %b and %D
7338   };
7339 
7340 private:
7341   analyze_format_string::ArgType ArgType;
7342   analyze_format_string::LengthModifier::Kind LengthMod;
7343   StringRef SpecifierLetter;
7344   CharSourceRange Range;
7345   SourceLocation ElementLoc;
7346   FormatArgumentRole Role : 2;
7347   SpecifierSensitivity Sensitivity : 2; // only set for FAR_Data
7348   unsigned Position : 14;
7349   unsigned ModifierFor : 14; // not set for FAR_Data
7350 
7351   void EmitDiagnostic(Sema &S, PartialDiagnostic PDiag, const Expr *FmtExpr,
7352                       bool InFunctionCall) const;
7353 
7354 public:
7355   EquatableFormatArgument(CharSourceRange Range, SourceLocation ElementLoc,
7356                           analyze_format_string::LengthModifier::Kind LengthMod,
7357                           StringRef SpecifierLetter,
7358                           analyze_format_string::ArgType ArgType,
7359                           FormatArgumentRole Role,
7360                           SpecifierSensitivity Sensitivity, unsigned Position,
7361                           unsigned ModifierFor)
7362       : ArgType(ArgType), LengthMod(LengthMod),
7363         SpecifierLetter(SpecifierLetter), Range(Range), ElementLoc(ElementLoc),
7364         Role(Role), Sensitivity(Sensitivity), Position(Position),
7365         ModifierFor(ModifierFor) {}
7366 
7367   unsigned getPosition() const { return Position; }
7368   SourceLocation getSourceLocation() const { return ElementLoc; }
7369   CharSourceRange getSourceRange() const { return Range; }
7370   analyze_format_string::LengthModifier getLengthModifier() const {
7371     return analyze_format_string::LengthModifier(nullptr, LengthMod);
7372   }
7373   void setModifierFor(unsigned V) { ModifierFor = V; }
7374 
7375   std::string buildFormatSpecifier() const {
7376     std::string result;
7377     llvm::raw_string_ostream(result)
7378         << getLengthModifier().toString() << SpecifierLetter;
7379     return result;
7380   }
7381 
7382   bool VerifyCompatible(Sema &S, const EquatableFormatArgument &Other,
7383                         const Expr *FmtExpr, bool InFunctionCall) const;
7384 };
7385 
7386 /// Turns format strings into lists of EquatableSpecifier objects.
7387 class DecomposePrintfHandler : public CheckPrintfHandler {
7388   llvm::SmallVectorImpl<EquatableFormatArgument> &Specs;
7389   bool HadError;
7390 
7391   DecomposePrintfHandler(Sema &s, const FormatStringLiteral *fexpr,
7392                          const Expr *origFormatExpr,
7393                          const FormatStringType type, unsigned firstDataArg,
7394                          unsigned numDataArgs, bool isObjC, const char *beg,
7395                          Sema::FormatArgumentPassingKind APK,
7396                          ArrayRef<const Expr *> Args, unsigned formatIdx,
7397                          bool inFunctionCall, VariadicCallType CallType,
7398                          llvm::SmallBitVector &CheckedVarArgs,
7399                          UncoveredArgHandler &UncoveredArg,
7400                          llvm::SmallVectorImpl<EquatableFormatArgument> &Specs)
7401       : CheckPrintfHandler(s, fexpr, origFormatExpr, type, firstDataArg,
7402                            numDataArgs, isObjC, beg, APK, Args, formatIdx,
7403                            inFunctionCall, CallType, CheckedVarArgs,
7404                            UncoveredArg),
7405         Specs(Specs), HadError(false) {}
7406 
7407 public:
7408   static bool
7409   GetSpecifiers(Sema &S, const FormatStringLiteral *FSL, const Expr *FmtExpr,
7410                 FormatStringType type, bool IsObjC, bool InFunctionCall,
7411                 llvm::SmallVectorImpl<EquatableFormatArgument> &Args);
7412 
7413   virtual bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
7414                                      const char *startSpecifier,
7415                                      unsigned specifierLen,
7416                                      const TargetInfo &Target) override;
7417 };
7418 
7419 } // namespace
7420 
7421 bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier(
7422     const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
7423     unsigned specifierLen) {
7424   const analyze_printf::PrintfConversionSpecifier &CS =
7425     FS.getConversionSpecifier();
7426 
7427   return HandleInvalidConversionSpecifier(FS.getArgIndex(),
7428                                           getLocationOfByte(CS.getStart()),
7429                                           startSpecifier, specifierLen,
7430                                           CS.getStart(), CS.getLength());
7431 }
7432 
7433 void CheckPrintfHandler::handleInvalidMaskType(StringRef MaskType) {
7434   S.Diag(getLocationOfByte(MaskType.data()), diag::err_invalid_mask_type_size);
7435 }
7436 
7437 bool CheckPrintfHandler::HandleAmount(
7438     const analyze_format_string::OptionalAmount &Amt, unsigned k,
7439     const char *startSpecifier, unsigned specifierLen) {
7440   if (Amt.hasDataArgument()) {
7441     if (HasFormatArguments()) {
7442       unsigned argIndex = Amt.getArgIndex();
7443       if (argIndex >= NumDataArgs) {
7444         EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg)
7445                                  << k,
7446                              getLocationOfByte(Amt.getStart()),
7447                              /*IsStringLocation*/ true,
7448                              getSpecifierRange(startSpecifier, specifierLen));
7449         // Don't do any more checking.  We will just emit
7450         // spurious errors.
7451         return false;
7452       }
7453 
7454       // Type check the data argument.  It should be an 'int'.
7455       // Although not in conformance with C99, we also allow the argument to be
7456       // an 'unsigned int' as that is a reasonably safe case.  GCC also
7457       // doesn't emit a warning for that case.
7458       CoveredArgs.set(argIndex);
7459       const Expr *Arg = getDataArg(argIndex);
7460       if (!Arg)
7461         return false;
7462 
7463       QualType T = Arg->getType();
7464 
7465       const analyze_printf::ArgType &AT = Amt.getArgType(S.Context);
7466       assert(AT.isValid());
7467 
7468       if (!AT.matchesType(S.Context, T)) {
7469         EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type)
7470                                << k << AT.getRepresentativeTypeName(S.Context)
7471                                << T << Arg->getSourceRange(),
7472                              getLocationOfByte(Amt.getStart()),
7473                              /*IsStringLocation*/true,
7474                              getSpecifierRange(startSpecifier, specifierLen));
7475         // Don't do any more checking.  We will just emit
7476         // spurious errors.
7477         return false;
7478       }
7479     }
7480   }
7481   return true;
7482 }
7483 
7484 void CheckPrintfHandler::HandleInvalidAmount(
7485                                       const analyze_printf::PrintfSpecifier &FS,
7486                                       const analyze_printf::OptionalAmount &Amt,
7487                                       unsigned type,
7488                                       const char *startSpecifier,
7489                                       unsigned specifierLen) {
7490   const analyze_printf::PrintfConversionSpecifier &CS =
7491     FS.getConversionSpecifier();
7492 
7493   FixItHint fixit =
7494     Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant
7495       ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(),
7496                                  Amt.getConstantLength()))
7497       : FixItHint();
7498 
7499   EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount)
7500                          << type << CS.toString(),
7501                        getLocationOfByte(Amt.getStart()),
7502                        /*IsStringLocation*/true,
7503                        getSpecifierRange(startSpecifier, specifierLen),
7504                        fixit);
7505 }
7506 
7507 void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS,
7508                                     const analyze_printf::OptionalFlag &flag,
7509                                     const char *startSpecifier,
7510                                     unsigned specifierLen) {
7511   // Warn about pointless flag with a fixit removal.
7512   const analyze_printf::PrintfConversionSpecifier &CS =
7513     FS.getConversionSpecifier();
7514   EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag)
7515                          << flag.toString() << CS.toString(),
7516                        getLocationOfByte(flag.getPosition()),
7517                        /*IsStringLocation*/true,
7518                        getSpecifierRange(startSpecifier, specifierLen),
7519                        FixItHint::CreateRemoval(
7520                          getSpecifierRange(flag.getPosition(), 1)));
7521 }
7522 
7523 void CheckPrintfHandler::HandleIgnoredFlag(
7524                                 const analyze_printf::PrintfSpecifier &FS,
7525                                 const analyze_printf::OptionalFlag &ignoredFlag,
7526                                 const analyze_printf::OptionalFlag &flag,
7527                                 const char *startSpecifier,
7528                                 unsigned specifierLen) {
7529   // Warn about ignored flag with a fixit removal.
7530   EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag)
7531                          << ignoredFlag.toString() << flag.toString(),
7532                        getLocationOfByte(ignoredFlag.getPosition()),
7533                        /*IsStringLocation*/true,
7534                        getSpecifierRange(startSpecifier, specifierLen),
7535                        FixItHint::CreateRemoval(
7536                          getSpecifierRange(ignoredFlag.getPosition(), 1)));
7537 }
7538 
7539 void CheckPrintfHandler::HandleEmptyObjCModifierFlag(const char *startFlag,
7540                                                      unsigned flagLen) {
7541   // Warn about an empty flag.
7542   EmitFormatDiagnostic(S.PDiag(diag::warn_printf_empty_objc_flag),
7543                        getLocationOfByte(startFlag),
7544                        /*IsStringLocation*/true,
7545                        getSpecifierRange(startFlag, flagLen));
7546 }
7547 
7548 void CheckPrintfHandler::HandleInvalidObjCModifierFlag(const char *startFlag,
7549                                                        unsigned flagLen) {
7550   // Warn about an invalid flag.
7551   auto Range = getSpecifierRange(startFlag, flagLen);
7552   StringRef flag(startFlag, flagLen);
7553   EmitFormatDiagnostic(S.PDiag(diag::warn_printf_invalid_objc_flag) << flag,
7554                       getLocationOfByte(startFlag),
7555                       /*IsStringLocation*/true,
7556                       Range, FixItHint::CreateRemoval(Range));
7557 }
7558 
7559 void CheckPrintfHandler::HandleObjCFlagsWithNonObjCConversion(
7560     const char *flagsStart, const char *flagsEnd, const char *conversionPosition) {
7561     // Warn about using '[...]' without a '@' conversion.
7562     auto Range = getSpecifierRange(flagsStart, flagsEnd - flagsStart + 1);
7563     auto diag = diag::warn_printf_ObjCflags_without_ObjCConversion;
7564     EmitFormatDiagnostic(S.PDiag(diag) << StringRef(conversionPosition, 1),
7565                          getLocationOfByte(conversionPosition),
7566                          /*IsStringLocation*/ true, Range,
7567                          FixItHint::CreateRemoval(Range));
7568 }
7569 
7570 void EquatableFormatArgument::EmitDiagnostic(Sema &S, PartialDiagnostic PDiag,
7571                                              const Expr *FmtExpr,
7572                                              bool InFunctionCall) const {
7573   CheckFormatHandler::EmitFormatDiagnostic(S, InFunctionCall, FmtExpr, PDiag,
7574                                            ElementLoc, true, Range);
7575 }
7576 
7577 bool EquatableFormatArgument::VerifyCompatible(
7578     Sema &S, const EquatableFormatArgument &Other, const Expr *FmtExpr,
7579     bool InFunctionCall) const {
7580   using MK = analyze_format_string::ArgType::MatchKind;
7581   if (Role != Other.Role) {
7582     // diagnose and stop
7583     EmitDiagnostic(
7584         S, S.PDiag(diag::warn_format_cmp_role_mismatch) << Role << Other.Role,
7585         FmtExpr, InFunctionCall);
7586     S.Diag(Other.ElementLoc, diag::note_format_cmp_with) << 0 << Other.Range;
7587     return false;
7588   }
7589 
7590   if (Role != FAR_Data) {
7591     if (ModifierFor != Other.ModifierFor) {
7592       // diagnose and stop
7593       EmitDiagnostic(S,
7594                      S.PDiag(diag::warn_format_cmp_modifierfor_mismatch)
7595                          << (ModifierFor + 1) << (Other.ModifierFor + 1),
7596                      FmtExpr, InFunctionCall);
7597       S.Diag(Other.ElementLoc, diag::note_format_cmp_with) << 0 << Other.Range;
7598       return false;
7599     }
7600     return true;
7601   }
7602 
7603   bool HadError = false;
7604   if (Sensitivity != Other.Sensitivity) {
7605     // diagnose and continue
7606     EmitDiagnostic(S,
7607                    S.PDiag(diag::warn_format_cmp_sensitivity_mismatch)
7608                        << Sensitivity << Other.Sensitivity,
7609                    FmtExpr, InFunctionCall);
7610     HadError = S.Diag(Other.ElementLoc, diag::note_format_cmp_with)
7611                << 0 << Other.Range;
7612   }
7613 
7614   switch (ArgType.matchesArgType(S.Context, Other.ArgType)) {
7615   case MK::Match:
7616     break;
7617 
7618   case MK::MatchPromotion:
7619     // Per consensus reached at https://discourse.llvm.org/t/-/83076/12,
7620     // MatchPromotion is treated as a failure by format_matches.
7621   case MK::NoMatch:
7622   case MK::NoMatchTypeConfusion:
7623   case MK::NoMatchPromotionTypeConfusion:
7624     EmitDiagnostic(S,
7625                    S.PDiag(diag::warn_format_cmp_specifier_mismatch)
7626                        << buildFormatSpecifier()
7627                        << Other.buildFormatSpecifier(),
7628                    FmtExpr, InFunctionCall);
7629     HadError = S.Diag(Other.ElementLoc, diag::note_format_cmp_with)
7630                << 0 << Other.Range;
7631     break;
7632 
7633   case MK::NoMatchPedantic:
7634     EmitDiagnostic(S,
7635                    S.PDiag(diag::warn_format_cmp_specifier_mismatch_pedantic)
7636                        << buildFormatSpecifier()
7637                        << Other.buildFormatSpecifier(),
7638                    FmtExpr, InFunctionCall);
7639     HadError = S.Diag(Other.ElementLoc, diag::note_format_cmp_with)
7640                << 0 << Other.Range;
7641     break;
7642 
7643   case MK::NoMatchSignedness:
7644     if (!S.getDiagnostics().isIgnored(
7645             diag::warn_format_conversion_argument_type_mismatch_signedness,
7646             ElementLoc)) {
7647       EmitDiagnostic(S,
7648                      S.PDiag(diag::warn_format_cmp_specifier_sign_mismatch)
7649                          << buildFormatSpecifier()
7650                          << Other.buildFormatSpecifier(),
7651                      FmtExpr, InFunctionCall);
7652       HadError = S.Diag(Other.ElementLoc, diag::note_format_cmp_with)
7653                  << 0 << Other.Range;
7654     }
7655     break;
7656   }
7657   return !HadError;
7658 }
7659 
7660 bool DecomposePrintfHandler::GetSpecifiers(
7661     Sema &S, const FormatStringLiteral *FSL, const Expr *FmtExpr,
7662     FormatStringType Type, bool IsObjC, bool InFunctionCall,
7663     llvm::SmallVectorImpl<EquatableFormatArgument> &Args) {
7664   StringRef Data = FSL->getString();
7665   const char *Str = Data.data();
7666   llvm::SmallBitVector BV;
7667   UncoveredArgHandler UA;
7668   const Expr *PrintfArgs[] = {FSL->getFormatString()};
7669   DecomposePrintfHandler H(S, FSL, FSL->getFormatString(), Type, 0, 0, IsObjC,
7670                            Str, Sema::FAPK_Elsewhere, PrintfArgs, 0,
7671                            InFunctionCall, VariadicCallType::DoesNotApply, BV,
7672                            UA, Args);
7673 
7674   if (!analyze_format_string::ParsePrintfString(
7675           H, Str, Str + Data.size(), S.getLangOpts(), S.Context.getTargetInfo(),
7676           Type == FormatStringType::FreeBSDKPrintf))
7677     H.DoneProcessing();
7678   if (H.HadError)
7679     return false;
7680 
7681   llvm::stable_sort(Args, [](const EquatableFormatArgument &A,
7682                              const EquatableFormatArgument &B) {
7683     return A.getPosition() < B.getPosition();
7684   });
7685   return true;
7686 }
7687 
7688 bool DecomposePrintfHandler::HandlePrintfSpecifier(
7689     const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
7690     unsigned specifierLen, const TargetInfo &Target) {
7691   if (!CheckPrintfHandler::HandlePrintfSpecifier(FS, startSpecifier,
7692                                                  specifierLen, Target)) {
7693     HadError = true;
7694     return false;
7695   }
7696 
7697   // Do not add any specifiers to the list for %%. This is possibly incorrect
7698   // if using a precision/width with a data argument, but that combination is
7699   // meaningless and we wouldn't know which format to attach the
7700   // precision/width to.
7701   const auto &CS = FS.getConversionSpecifier();
7702   if (CS.getKind() == analyze_format_string::ConversionSpecifier::PercentArg)
7703     return true;
7704 
7705   // have to patch these to have the right ModifierFor if they are used
7706   const unsigned Unset = ~0;
7707   unsigned FieldWidthIndex = Unset;
7708   unsigned PrecisionIndex = Unset;
7709 
7710   // field width?
7711   const auto &FieldWidth = FS.getFieldWidth();
7712   if (!FieldWidth.isInvalid() && FieldWidth.hasDataArgument()) {
7713     FieldWidthIndex = Specs.size();
7714     Specs.emplace_back(getSpecifierRange(startSpecifier, specifierLen),
7715                        getLocationOfByte(FieldWidth.getStart()),
7716                        analyze_format_string::LengthModifier::None, "*",
7717                        FieldWidth.getArgType(S.Context),
7718                        EquatableFormatArgument::FAR_FieldWidth,
7719                        EquatableFormatArgument::SS_None,
7720                        FieldWidth.usesPositionalArg()
7721                            ? FieldWidth.getPositionalArgIndex() - 1
7722                            : FieldWidthIndex,
7723                        0);
7724   }
7725   // precision?
7726   const auto &Precision = FS.getPrecision();
7727   if (!Precision.isInvalid() && Precision.hasDataArgument()) {
7728     PrecisionIndex = Specs.size();
7729     Specs.emplace_back(
7730         getSpecifierRange(startSpecifier, specifierLen),
7731         getLocationOfByte(Precision.getStart()),
7732         analyze_format_string::LengthModifier::None, ".*",
7733         Precision.getArgType(S.Context), EquatableFormatArgument::FAR_Precision,
7734         EquatableFormatArgument::SS_None,
7735         Precision.usesPositionalArg() ? Precision.getPositionalArgIndex() - 1
7736                                       : PrecisionIndex,
7737         0);
7738   }
7739 
7740   // this specifier
7741   unsigned SpecIndex =
7742       FS.usesPositionalArg() ? FS.getPositionalArgIndex() - 1 : Specs.size();
7743   if (FieldWidthIndex != Unset)
7744     Specs[FieldWidthIndex].setModifierFor(SpecIndex);
7745   if (PrecisionIndex != Unset)
7746     Specs[PrecisionIndex].setModifierFor(SpecIndex);
7747 
7748   EquatableFormatArgument::SpecifierSensitivity Sensitivity;
7749   if (FS.isPrivate())
7750     Sensitivity = EquatableFormatArgument::SS_Private;
7751   else if (FS.isPublic())
7752     Sensitivity = EquatableFormatArgument::SS_Public;
7753   else if (FS.isSensitive())
7754     Sensitivity = EquatableFormatArgument::SS_Sensitive;
7755   else
7756     Sensitivity = EquatableFormatArgument::SS_None;
7757 
7758   Specs.emplace_back(
7759       getSpecifierRange(startSpecifier, specifierLen),
7760       getLocationOfByte(CS.getStart()), FS.getLengthModifier().getKind(),
7761       CS.getCharacters(), FS.getArgType(S.Context, isObjCContext()),
7762       EquatableFormatArgument::FAR_Data, Sensitivity, SpecIndex, 0);
7763 
7764   // auxiliary argument?
7765   if (CS.getKind() == analyze_format_string::ConversionSpecifier::FreeBSDbArg ||
7766       CS.getKind() == analyze_format_string::ConversionSpecifier::FreeBSDDArg) {
7767     Specs.emplace_back(getSpecifierRange(startSpecifier, specifierLen),
7768                        getLocationOfByte(CS.getStart()),
7769                        analyze_format_string::LengthModifier::None,
7770                        CS.getCharacters(),
7771                        analyze_format_string::ArgType::CStrTy,
7772                        EquatableFormatArgument::FAR_Auxiliary, Sensitivity,
7773                        SpecIndex + 1, SpecIndex);
7774   }
7775   return true;
7776 }
7777 
7778 // Determines if the specified is a C++ class or struct containing
7779 // a member with the specified name and kind (e.g. a CXXMethodDecl named
7780 // "c_str()").
7781 template<typename MemberKind>
7782 static llvm::SmallPtrSet<MemberKind*, 1>
7783 CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) {
7784   const RecordType *RT = Ty->getAs<RecordType>();
7785   llvm::SmallPtrSet<MemberKind*, 1> Results;
7786 
7787   if (!RT)
7788     return Results;
7789   const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl());
7790   if (!RD || !RD->getDefinition())
7791     return Results;
7792 
7793   LookupResult R(S, &S.Context.Idents.get(Name), SourceLocation(),
7794                  Sema::LookupMemberName);
7795   R.suppressDiagnostics();
7796 
7797   // We just need to include all members of the right kind turned up by the
7798   // filter, at this point.
7799   if (S.LookupQualifiedName(R, RT->getDecl()))
7800     for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) {
7801       NamedDecl *decl = (*I)->getUnderlyingDecl();
7802       if (MemberKind *FK = dyn_cast<MemberKind>(decl))
7803         Results.insert(FK);
7804     }
7805   return Results;
7806 }
7807 
7808 /// Check if we could call '.c_str()' on an object.
7809 ///
7810 /// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't
7811 /// allow the call, or if it would be ambiguous).
7812 bool Sema::hasCStrMethod(const Expr *E) {
7813   using MethodSet = llvm::SmallPtrSet<CXXMethodDecl *, 1>;
7814 
7815   MethodSet Results =
7816       CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType());
7817   for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
7818        MI != ME; ++MI)
7819     if ((*MI)->getMinRequiredArguments() == 0)
7820       return true;
7821   return false;
7822 }
7823 
7824 // Check if a (w)string was passed when a (w)char* was needed, and offer a
7825 // better diagnostic if so. AT is assumed to be valid.
7826 // Returns true when a c_str() conversion method is found.
7827 bool CheckPrintfHandler::checkForCStrMembers(
7828     const analyze_printf::ArgType &AT, const Expr *E) {
7829   using MethodSet = llvm::SmallPtrSet<CXXMethodDecl *, 1>;
7830 
7831   MethodSet Results =
7832       CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType());
7833 
7834   for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
7835        MI != ME; ++MI) {
7836     const CXXMethodDecl *Method = *MI;
7837     if (Method->getMinRequiredArguments() == 0 &&
7838         AT.matchesType(S.Context, Method->getReturnType())) {
7839       // FIXME: Suggest parens if the expression needs them.
7840       SourceLocation EndLoc = S.getLocForEndOfToken(E->getEndLoc());
7841       S.Diag(E->getBeginLoc(), diag::note_printf_c_str)
7842           << "c_str()" << FixItHint::CreateInsertion(EndLoc, ".c_str()");
7843       return true;
7844     }
7845   }
7846 
7847   return false;
7848 }
7849 
7850 bool CheckPrintfHandler::HandlePrintfSpecifier(
7851     const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
7852     unsigned specifierLen, const TargetInfo &Target) {
7853   using namespace analyze_format_string;
7854   using namespace analyze_printf;
7855 
7856   const PrintfConversionSpecifier &CS = FS.getConversionSpecifier();
7857 
7858   if (FS.consumesDataArgument()) {
7859     if (atFirstArg) {
7860         atFirstArg = false;
7861         usesPositionalArgs = FS.usesPositionalArg();
7862     }
7863     else if (usesPositionalArgs != FS.usesPositionalArg()) {
7864       HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
7865                                         startSpecifier, specifierLen);
7866       return false;
7867     }
7868   }
7869 
7870   // First check if the field width, precision, and conversion specifier
7871   // have matching data arguments.
7872   if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0,
7873                     startSpecifier, specifierLen)) {
7874     return false;
7875   }
7876 
7877   if (!HandleAmount(FS.getPrecision(), /* precision */ 1,
7878                     startSpecifier, specifierLen)) {
7879     return false;
7880   }
7881 
7882   if (!CS.consumesDataArgument()) {
7883     // FIXME: Technically specifying a precision or field width here
7884     // makes no sense.  Worth issuing a warning at some point.
7885     return true;
7886   }
7887 
7888   // Consume the argument.
7889   unsigned argIndex = FS.getArgIndex();
7890   if (argIndex < NumDataArgs) {
7891     // The check to see if the argIndex is valid will come later.
7892     // We set the bit here because we may exit early from this
7893     // function if we encounter some other error.
7894     CoveredArgs.set(argIndex);
7895   }
7896 
7897   // FreeBSD kernel extensions.
7898   if (CS.getKind() == ConversionSpecifier::FreeBSDbArg ||
7899       CS.getKind() == ConversionSpecifier::FreeBSDDArg) {
7900     // We need at least two arguments.
7901     if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex + 1))
7902       return false;
7903 
7904     if (HasFormatArguments()) {
7905       // Claim the second argument.
7906       CoveredArgs.set(argIndex + 1);
7907 
7908       // Type check the first argument (int for %b, pointer for %D)
7909       const Expr *Ex = getDataArg(argIndex);
7910       const analyze_printf::ArgType &AT =
7911           (CS.getKind() == ConversionSpecifier::FreeBSDbArg)
7912               ? ArgType(S.Context.IntTy)
7913               : ArgType::CPointerTy;
7914       if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType()))
7915         EmitFormatDiagnostic(
7916             S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
7917                 << AT.getRepresentativeTypeName(S.Context) << Ex->getType()
7918                 << false << Ex->getSourceRange(),
7919             Ex->getBeginLoc(), /*IsStringLocation*/ false,
7920             getSpecifierRange(startSpecifier, specifierLen));
7921 
7922       // Type check the second argument (char * for both %b and %D)
7923       Ex = getDataArg(argIndex + 1);
7924       const analyze_printf::ArgType &AT2 = ArgType::CStrTy;
7925       if (AT2.isValid() && !AT2.matchesType(S.Context, Ex->getType()))
7926         EmitFormatDiagnostic(
7927             S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
7928                 << AT2.getRepresentativeTypeName(S.Context) << Ex->getType()
7929                 << false << Ex->getSourceRange(),
7930             Ex->getBeginLoc(), /*IsStringLocation*/ false,
7931             getSpecifierRange(startSpecifier, specifierLen));
7932     }
7933     return true;
7934   }
7935 
7936   // Check for using an Objective-C specific conversion specifier
7937   // in a non-ObjC literal.
7938   if (!allowsObjCArg() && CS.isObjCArg()) {
7939     return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7940                                                   specifierLen);
7941   }
7942 
7943   // %P can only be used with os_log.
7944   if (FSType != FormatStringType::OSLog &&
7945       CS.getKind() == ConversionSpecifier::PArg) {
7946     return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7947                                                   specifierLen);
7948   }
7949 
7950   // %n is not allowed with os_log.
7951   if (FSType == FormatStringType::OSLog &&
7952       CS.getKind() == ConversionSpecifier::nArg) {
7953     EmitFormatDiagnostic(S.PDiag(diag::warn_os_log_format_narg),
7954                          getLocationOfByte(CS.getStart()),
7955                          /*IsStringLocation*/ false,
7956                          getSpecifierRange(startSpecifier, specifierLen));
7957 
7958     return true;
7959   }
7960 
7961   // Only scalars are allowed for os_trace.
7962   if (FSType == FormatStringType::OSTrace &&
7963       (CS.getKind() == ConversionSpecifier::PArg ||
7964        CS.getKind() == ConversionSpecifier::sArg ||
7965        CS.getKind() == ConversionSpecifier::ObjCObjArg)) {
7966     return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7967                                                   specifierLen);
7968   }
7969 
7970   // Check for use of public/private annotation outside of os_log().
7971   if (FSType != FormatStringType::OSLog) {
7972     if (FS.isPublic().isSet()) {
7973       EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_annotation)
7974                                << "public",
7975                            getLocationOfByte(FS.isPublic().getPosition()),
7976                            /*IsStringLocation*/ false,
7977                            getSpecifierRange(startSpecifier, specifierLen));
7978     }
7979     if (FS.isPrivate().isSet()) {
7980       EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_annotation)
7981                                << "private",
7982                            getLocationOfByte(FS.isPrivate().getPosition()),
7983                            /*IsStringLocation*/ false,
7984                            getSpecifierRange(startSpecifier, specifierLen));
7985     }
7986   }
7987 
7988   const llvm::Triple &Triple = Target.getTriple();
7989   if (CS.getKind() == ConversionSpecifier::nArg &&
7990       (Triple.isAndroid() || Triple.isOSFuchsia())) {
7991     EmitFormatDiagnostic(S.PDiag(diag::warn_printf_narg_not_supported),
7992                          getLocationOfByte(CS.getStart()),
7993                          /*IsStringLocation*/ false,
7994                          getSpecifierRange(startSpecifier, specifierLen));
7995   }
7996 
7997   // Check for invalid use of field width
7998   if (!FS.hasValidFieldWidth()) {
7999     HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0,
8000         startSpecifier, specifierLen);
8001   }
8002 
8003   // Check for invalid use of precision
8004   if (!FS.hasValidPrecision()) {
8005     HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1,
8006         startSpecifier, specifierLen);
8007   }
8008 
8009   // Precision is mandatory for %P specifier.
8010   if (CS.getKind() == ConversionSpecifier::PArg &&
8011       FS.getPrecision().getHowSpecified() == OptionalAmount::NotSpecified) {
8012     EmitFormatDiagnostic(S.PDiag(diag::warn_format_P_no_precision),
8013                          getLocationOfByte(startSpecifier),
8014                          /*IsStringLocation*/ false,
8015                          getSpecifierRange(startSpecifier, specifierLen));
8016   }
8017 
8018   // Check each flag does not conflict with any other component.
8019   if (!FS.hasValidThousandsGroupingPrefix())
8020     HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen);
8021   if (!FS.hasValidLeadingZeros())
8022     HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen);
8023   if (!FS.hasValidPlusPrefix())
8024     HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen);
8025   if (!FS.hasValidSpacePrefix())
8026     HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen);
8027   if (!FS.hasValidAlternativeForm())
8028     HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen);
8029   if (!FS.hasValidLeftJustified())
8030     HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen);
8031 
8032   // Check that flags are not ignored by another flag
8033   if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+'
8034     HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(),
8035         startSpecifier, specifierLen);
8036   if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-'
8037     HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(),
8038             startSpecifier, specifierLen);
8039 
8040   // Check the length modifier is valid with the given conversion specifier.
8041   if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo(),
8042                                  S.getLangOpts()))
8043     HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
8044                                 diag::warn_format_nonsensical_length);
8045   else if (!FS.hasStandardLengthModifier())
8046     HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
8047   else if (!FS.hasStandardLengthConversionCombination())
8048     HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
8049                                 diag::warn_format_non_standard_conversion_spec);
8050 
8051   if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
8052     HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
8053 
8054   // The remaining checks depend on the data arguments.
8055   if (!HasFormatArguments())
8056     return true;
8057 
8058   if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
8059     return false;
8060 
8061   const Expr *Arg = getDataArg(argIndex);
8062   if (!Arg)
8063     return true;
8064 
8065   return checkFormatExpr(FS, startSpecifier, specifierLen, Arg);
8066 }
8067 
8068 static bool requiresParensToAddCast(const Expr *E) {
8069   // FIXME: We should have a general way to reason about operator
8070   // precedence and whether parens are actually needed here.
8071   // Take care of a few common cases where they aren't.
8072   const Expr *Inside = E->IgnoreImpCasts();
8073   if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside))
8074     Inside = POE->getSyntacticForm()->IgnoreImpCasts();
8075 
8076   switch (Inside->getStmtClass()) {
8077   case Stmt::ArraySubscriptExprClass:
8078   case Stmt::CallExprClass:
8079   case Stmt::CharacterLiteralClass:
8080   case Stmt::CXXBoolLiteralExprClass:
8081   case Stmt::DeclRefExprClass:
8082   case Stmt::FloatingLiteralClass:
8083   case Stmt::IntegerLiteralClass:
8084   case Stmt::MemberExprClass:
8085   case Stmt::ObjCArrayLiteralClass:
8086   case Stmt::ObjCBoolLiteralExprClass:
8087   case Stmt::ObjCBoxedExprClass:
8088   case Stmt::ObjCDictionaryLiteralClass:
8089   case Stmt::ObjCEncodeExprClass:
8090   case Stmt::ObjCIvarRefExprClass:
8091   case Stmt::ObjCMessageExprClass:
8092   case Stmt::ObjCPropertyRefExprClass:
8093   case Stmt::ObjCStringLiteralClass:
8094   case Stmt::ObjCSubscriptRefExprClass:
8095   case Stmt::ParenExprClass:
8096   case Stmt::StringLiteralClass:
8097   case Stmt::UnaryOperatorClass:
8098     return false;
8099   default:
8100     return true;
8101   }
8102 }
8103 
8104 static std::pair<QualType, StringRef>
8105 shouldNotPrintDirectly(const ASTContext &Context,
8106                        QualType IntendedTy,
8107                        const Expr *E) {
8108   // Use a 'while' to peel off layers of typedefs.
8109   QualType TyTy = IntendedTy;
8110   while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) {
8111     StringRef Name = UserTy->getDecl()->getName();
8112     QualType CastTy = llvm::StringSwitch<QualType>(Name)
8113       .Case("CFIndex", Context.getNSIntegerType())
8114       .Case("NSInteger", Context.getNSIntegerType())
8115       .Case("NSUInteger", Context.getNSUIntegerType())
8116       .Case("SInt32", Context.IntTy)
8117       .Case("UInt32", Context.UnsignedIntTy)
8118       .Default(QualType());
8119 
8120     if (!CastTy.isNull())
8121       return std::make_pair(CastTy, Name);
8122 
8123     TyTy = UserTy->desugar();
8124   }
8125 
8126   // Strip parens if necessary.
8127   if (const ParenExpr *PE = dyn_cast<ParenExpr>(E))
8128     return shouldNotPrintDirectly(Context,
8129                                   PE->getSubExpr()->getType(),
8130                                   PE->getSubExpr());
8131 
8132   // If this is a conditional expression, then its result type is constructed
8133   // via usual arithmetic conversions and thus there might be no necessary
8134   // typedef sugar there.  Recurse to operands to check for NSInteger &
8135   // Co. usage condition.
8136   if (const ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) {
8137     QualType TrueTy, FalseTy;
8138     StringRef TrueName, FalseName;
8139 
8140     std::tie(TrueTy, TrueName) =
8141       shouldNotPrintDirectly(Context,
8142                              CO->getTrueExpr()->getType(),
8143                              CO->getTrueExpr());
8144     std::tie(FalseTy, FalseName) =
8145       shouldNotPrintDirectly(Context,
8146                              CO->getFalseExpr()->getType(),
8147                              CO->getFalseExpr());
8148 
8149     if (TrueTy == FalseTy)
8150       return std::make_pair(TrueTy, TrueName);
8151     else if (TrueTy.isNull())
8152       return std::make_pair(FalseTy, FalseName);
8153     else if (FalseTy.isNull())
8154       return std::make_pair(TrueTy, TrueName);
8155   }
8156 
8157   return std::make_pair(QualType(), StringRef());
8158 }
8159 
8160 /// Return true if \p ICE is an implicit argument promotion of an arithmetic
8161 /// type. Bit-field 'promotions' from a higher ranked type to a lower ranked
8162 /// type do not count.
8163 static bool
8164 isArithmeticArgumentPromotion(Sema &S, const ImplicitCastExpr *ICE) {
8165   QualType From = ICE->getSubExpr()->getType();
8166   QualType To = ICE->getType();
8167   // It's an integer promotion if the destination type is the promoted
8168   // source type.
8169   if (ICE->getCastKind() == CK_IntegralCast &&
8170       S.Context.isPromotableIntegerType(From) &&
8171       S.Context.getPromotedIntegerType(From) == To)
8172     return true;
8173   // Look through vector types, since we do default argument promotion for
8174   // those in OpenCL.
8175   if (const auto *VecTy = From->getAs<ExtVectorType>())
8176     From = VecTy->getElementType();
8177   if (const auto *VecTy = To->getAs<ExtVectorType>())
8178     To = VecTy->getElementType();
8179   // It's a floating promotion if the source type is a lower rank.
8180   return ICE->getCastKind() == CK_FloatingCast &&
8181          S.Context.getFloatingTypeOrder(From, To) < 0;
8182 }
8183 
8184 static analyze_format_string::ArgType::MatchKind
8185 handleFormatSignedness(analyze_format_string::ArgType::MatchKind Match,
8186                        DiagnosticsEngine &Diags, SourceLocation Loc) {
8187   if (Match == analyze_format_string::ArgType::NoMatchSignedness) {
8188     Match =
8189         Diags.isIgnored(
8190             diag::warn_format_conversion_argument_type_mismatch_signedness, Loc)
8191             ? analyze_format_string::ArgType::Match
8192             : analyze_format_string::ArgType::NoMatch;
8193   }
8194   return Match;
8195 }
8196 
8197 bool
8198 CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
8199                                     const char *StartSpecifier,
8200                                     unsigned SpecifierLen,
8201                                     const Expr *E) {
8202   using namespace analyze_format_string;
8203   using namespace analyze_printf;
8204 
8205   // Now type check the data expression that matches the
8206   // format specifier.
8207   const analyze_printf::ArgType &AT = FS.getArgType(S.Context, isObjCContext());
8208   if (!AT.isValid())
8209     return true;
8210 
8211   QualType ExprTy = E->getType();
8212   while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) {
8213     ExprTy = TET->getUnderlyingExpr()->getType();
8214   }
8215 
8216   // When using the format attribute in C++, you can receive a function or an
8217   // array that will necessarily decay to a pointer when passed to the final
8218   // format consumer. Apply decay before type comparison.
8219   if (ExprTy->canDecayToPointerType())
8220     ExprTy = S.Context.getDecayedType(ExprTy);
8221 
8222   // Diagnose attempts to print a boolean value as a character. Unlike other
8223   // -Wformat diagnostics, this is fine from a type perspective, but it still
8224   // doesn't make sense.
8225   if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::cArg &&
8226       E->isKnownToHaveBooleanValue()) {
8227     const CharSourceRange &CSR =
8228         getSpecifierRange(StartSpecifier, SpecifierLen);
8229     SmallString<4> FSString;
8230     llvm::raw_svector_ostream os(FSString);
8231     FS.toString(os);
8232     EmitFormatDiagnostic(S.PDiag(diag::warn_format_bool_as_character)
8233                              << FSString,
8234                          E->getExprLoc(), false, CSR);
8235     return true;
8236   }
8237 
8238   // Diagnose attempts to use '%P' with ObjC object types, which will result in
8239   // dumping raw class data (like is-a pointer), not actual data.
8240   if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::PArg &&
8241       ExprTy->isObjCObjectPointerType()) {
8242     const CharSourceRange &CSR =
8243         getSpecifierRange(StartSpecifier, SpecifierLen);
8244     EmitFormatDiagnostic(S.PDiag(diag::warn_format_P_with_objc_pointer),
8245                          E->getExprLoc(), false, CSR);
8246     return true;
8247   }
8248 
8249   ArgType::MatchKind ImplicitMatch = ArgType::NoMatch;
8250   ArgType::MatchKind Match = AT.matchesType(S.Context, ExprTy);
8251   ArgType::MatchKind OrigMatch = Match;
8252 
8253   Match = handleFormatSignedness(Match, S.getDiagnostics(), E->getExprLoc());
8254   if (Match == ArgType::Match)
8255     return true;
8256 
8257   // NoMatchPromotionTypeConfusion should be only returned in ImplictCastExpr
8258   assert(Match != ArgType::NoMatchPromotionTypeConfusion);
8259 
8260   // Look through argument promotions for our error message's reported type.
8261   // This includes the integral and floating promotions, but excludes array
8262   // and function pointer decay (seeing that an argument intended to be a
8263   // string has type 'char [6]' is probably more confusing than 'char *') and
8264   // certain bitfield promotions (bitfields can be 'demoted' to a lesser type).
8265   if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
8266     if (isArithmeticArgumentPromotion(S, ICE)) {
8267       E = ICE->getSubExpr();
8268       ExprTy = E->getType();
8269 
8270       // Check if we didn't match because of an implicit cast from a 'char'
8271       // or 'short' to an 'int'.  This is done because printf is a varargs
8272       // function.
8273       if (ICE->getType() == S.Context.IntTy ||
8274           ICE->getType() == S.Context.UnsignedIntTy) {
8275         // All further checking is done on the subexpression
8276         ImplicitMatch = AT.matchesType(S.Context, ExprTy);
8277         if (OrigMatch == ArgType::NoMatchSignedness &&
8278             ImplicitMatch != ArgType::NoMatchSignedness)
8279           // If the original match was a signedness match this match on the
8280           // implicit cast type also need to be signedness match otherwise we
8281           // might introduce new unexpected warnings from -Wformat-signedness.
8282           return true;
8283         ImplicitMatch = handleFormatSignedness(
8284             ImplicitMatch, S.getDiagnostics(), E->getExprLoc());
8285         if (ImplicitMatch == ArgType::Match)
8286           return true;
8287       }
8288     }
8289   } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) {
8290     // Special case for 'a', which has type 'int' in C.
8291     // Note, however, that we do /not/ want to treat multibyte constants like
8292     // 'MooV' as characters! This form is deprecated but still exists. In
8293     // addition, don't treat expressions as of type 'char' if one byte length
8294     // modifier is provided.
8295     if (ExprTy == S.Context.IntTy &&
8296         FS.getLengthModifier().getKind() != LengthModifier::AsChar)
8297       if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) {
8298         ExprTy = S.Context.CharTy;
8299         // To improve check results, we consider a character literal in C
8300         // to be a 'char' rather than an 'int'. 'printf("%hd", 'a');' is
8301         // more likely a type confusion situation, so we will suggest to
8302         // use '%hhd' instead by discarding the MatchPromotion.
8303         if (Match == ArgType::MatchPromotion)
8304           Match = ArgType::NoMatch;
8305       }
8306   }
8307   if (Match == ArgType::MatchPromotion) {
8308     // WG14 N2562 only clarified promotions in *printf
8309     // For NSLog in ObjC, just preserve -Wformat behavior
8310     if (!S.getLangOpts().ObjC &&
8311         ImplicitMatch != ArgType::NoMatchPromotionTypeConfusion &&
8312         ImplicitMatch != ArgType::NoMatchTypeConfusion)
8313       return true;
8314     Match = ArgType::NoMatch;
8315   }
8316   if (ImplicitMatch == ArgType::NoMatchPedantic ||
8317       ImplicitMatch == ArgType::NoMatchTypeConfusion)
8318     Match = ImplicitMatch;
8319   assert(Match != ArgType::MatchPromotion);
8320 
8321   // Look through unscoped enums to their underlying type.
8322   bool IsEnum = false;
8323   bool IsScopedEnum = false;
8324   QualType IntendedTy = ExprTy;
8325   if (auto EnumTy = ExprTy->getAs<EnumType>()) {
8326     IntendedTy = EnumTy->getDecl()->getIntegerType();
8327     if (EnumTy->isUnscopedEnumerationType()) {
8328       ExprTy = IntendedTy;
8329       // This controls whether we're talking about the underlying type or not,
8330       // which we only want to do when it's an unscoped enum.
8331       IsEnum = true;
8332     } else {
8333       IsScopedEnum = true;
8334     }
8335   }
8336 
8337   // %C in an Objective-C context prints a unichar, not a wchar_t.
8338   // If the argument is an integer of some kind, believe the %C and suggest
8339   // a cast instead of changing the conversion specifier.
8340   if (isObjCContext() &&
8341       FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) {
8342     if (ExprTy->isIntegralOrUnscopedEnumerationType() &&
8343         !ExprTy->isCharType()) {
8344       // 'unichar' is defined as a typedef of unsigned short, but we should
8345       // prefer using the typedef if it is visible.
8346       IntendedTy = S.Context.UnsignedShortTy;
8347 
8348       // While we are here, check if the value is an IntegerLiteral that happens
8349       // to be within the valid range.
8350       if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) {
8351         const llvm::APInt &V = IL->getValue();
8352         if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy))
8353           return true;
8354       }
8355 
8356       LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getBeginLoc(),
8357                           Sema::LookupOrdinaryName);
8358       if (S.LookupName(Result, S.getCurScope())) {
8359         NamedDecl *ND = Result.getFoundDecl();
8360         if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND))
8361           if (TD->getUnderlyingType() == IntendedTy)
8362             IntendedTy = S.Context.getTypedefType(TD);
8363       }
8364     }
8365   }
8366 
8367   // Special-case some of Darwin's platform-independence types by suggesting
8368   // casts to primitive types that are known to be large enough.
8369   bool ShouldNotPrintDirectly = false; StringRef CastTyName;
8370   if (S.Context.getTargetInfo().getTriple().isOSDarwin()) {
8371     QualType CastTy;
8372     std::tie(CastTy, CastTyName) = shouldNotPrintDirectly(S.Context, IntendedTy, E);
8373     if (!CastTy.isNull()) {
8374       // %zi/%zu and %td/%tu are OK to use for NSInteger/NSUInteger of type int
8375       // (long in ASTContext). Only complain to pedants or when they're the
8376       // underlying type of a scoped enum (which always needs a cast).
8377       if (!IsScopedEnum &&
8378           (CastTyName == "NSInteger" || CastTyName == "NSUInteger") &&
8379           (AT.isSizeT() || AT.isPtrdiffT()) &&
8380           AT.matchesType(S.Context, CastTy))
8381         Match = ArgType::NoMatchPedantic;
8382       IntendedTy = CastTy;
8383       ShouldNotPrintDirectly = true;
8384     }
8385   }
8386 
8387   // We may be able to offer a FixItHint if it is a supported type.
8388   PrintfSpecifier fixedFS = FS;
8389   bool Success =
8390       fixedFS.fixType(IntendedTy, S.getLangOpts(), S.Context, isObjCContext());
8391 
8392   if (Success) {
8393     // Get the fix string from the fixed format specifier
8394     SmallString<16> buf;
8395     llvm::raw_svector_ostream os(buf);
8396     fixedFS.toString(os);
8397 
8398     CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen);
8399 
8400     if (IntendedTy == ExprTy && !ShouldNotPrintDirectly && !IsScopedEnum) {
8401       unsigned Diag;
8402       switch (Match) {
8403       case ArgType::Match:
8404       case ArgType::MatchPromotion:
8405       case ArgType::NoMatchPromotionTypeConfusion:
8406       case ArgType::NoMatchSignedness:
8407         llvm_unreachable("expected non-matching");
8408       case ArgType::NoMatchPedantic:
8409         Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
8410         break;
8411       case ArgType::NoMatchTypeConfusion:
8412         Diag = diag::warn_format_conversion_argument_type_mismatch_confusion;
8413         break;
8414       case ArgType::NoMatch:
8415         Diag = diag::warn_format_conversion_argument_type_mismatch;
8416         break;
8417       }
8418 
8419       // In this case, the specifier is wrong and should be changed to match
8420       // the argument.
8421       EmitFormatDiagnostic(S.PDiag(Diag)
8422                                << AT.getRepresentativeTypeName(S.Context)
8423                                << IntendedTy << IsEnum << E->getSourceRange(),
8424                            E->getBeginLoc(),
8425                            /*IsStringLocation*/ false, SpecRange,
8426                            FixItHint::CreateReplacement(SpecRange, os.str()));
8427     } else {
8428       // The canonical type for formatting this value is different from the
8429       // actual type of the expression. (This occurs, for example, with Darwin's
8430       // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but
8431       // should be printed as 'long' for 64-bit compatibility.)
8432       // Rather than emitting a normal format/argument mismatch, we want to
8433       // add a cast to the recommended type (and correct the format string
8434       // if necessary). We should also do so for scoped enumerations.
8435       SmallString<16> CastBuf;
8436       llvm::raw_svector_ostream CastFix(CastBuf);
8437       CastFix << (S.LangOpts.CPlusPlus ? "static_cast<" : "(");
8438       IntendedTy.print(CastFix, S.Context.getPrintingPolicy());
8439       CastFix << (S.LangOpts.CPlusPlus ? ">" : ")");
8440 
8441       SmallVector<FixItHint,4> Hints;
8442       ArgType::MatchKind IntendedMatch = AT.matchesType(S.Context, IntendedTy);
8443       IntendedMatch = handleFormatSignedness(IntendedMatch, S.getDiagnostics(),
8444                                              E->getExprLoc());
8445       if ((IntendedMatch != ArgType::Match) || ShouldNotPrintDirectly)
8446         Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str()));
8447 
8448       if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) {
8449         // If there's already a cast present, just replace it.
8450         SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc());
8451         Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str()));
8452 
8453       } else if (!requiresParensToAddCast(E) && !S.LangOpts.CPlusPlus) {
8454         // If the expression has high enough precedence,
8455         // just write the C-style cast.
8456         Hints.push_back(
8457             FixItHint::CreateInsertion(E->getBeginLoc(), CastFix.str()));
8458       } else {
8459         // Otherwise, add parens around the expression as well as the cast.
8460         CastFix << "(";
8461         Hints.push_back(
8462             FixItHint::CreateInsertion(E->getBeginLoc(), CastFix.str()));
8463 
8464         // We don't use getLocForEndOfToken because it returns invalid source
8465         // locations for macro expansions (by design).
8466         SourceLocation EndLoc = S.SourceMgr.getSpellingLoc(E->getEndLoc());
8467         SourceLocation After = EndLoc.getLocWithOffset(
8468             Lexer::MeasureTokenLength(EndLoc, S.SourceMgr, S.LangOpts));
8469         Hints.push_back(FixItHint::CreateInsertion(After, ")"));
8470       }
8471 
8472       if (ShouldNotPrintDirectly && !IsScopedEnum) {
8473         // The expression has a type that should not be printed directly.
8474         // We extract the name from the typedef because we don't want to show
8475         // the underlying type in the diagnostic.
8476         StringRef Name;
8477         if (const auto *TypedefTy = ExprTy->getAs<TypedefType>())
8478           Name = TypedefTy->getDecl()->getName();
8479         else
8480           Name = CastTyName;
8481         unsigned Diag = Match == ArgType::NoMatchPedantic
8482                             ? diag::warn_format_argument_needs_cast_pedantic
8483                             : diag::warn_format_argument_needs_cast;
8484         EmitFormatDiagnostic(S.PDiag(Diag) << Name << IntendedTy << IsEnum
8485                                            << E->getSourceRange(),
8486                              E->getBeginLoc(), /*IsStringLocation=*/false,
8487                              SpecRange, Hints);
8488       } else {
8489         // In this case, the expression could be printed using a different
8490         // specifier, but we've decided that the specifier is probably correct
8491         // and we should cast instead. Just use the normal warning message.
8492 
8493         unsigned Diag =
8494             IsScopedEnum
8495                 ? diag::warn_format_conversion_argument_type_mismatch_pedantic
8496                 : diag::warn_format_conversion_argument_type_mismatch;
8497 
8498         EmitFormatDiagnostic(
8499             S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
8500                           << IsEnum << E->getSourceRange(),
8501             E->getBeginLoc(), /*IsStringLocation*/ false, SpecRange, Hints);
8502       }
8503     }
8504   } else {
8505     const CharSourceRange &CSR = getSpecifierRange(StartSpecifier,
8506                                                    SpecifierLen);
8507     // Since the warning for passing non-POD types to variadic functions
8508     // was deferred until now, we emit a warning for non-POD
8509     // arguments here.
8510     bool EmitTypeMismatch = false;
8511     switch (S.isValidVarArgType(ExprTy)) {
8512     case VarArgKind::Valid:
8513     case VarArgKind::ValidInCXX11: {
8514       unsigned Diag;
8515       switch (Match) {
8516       case ArgType::Match:
8517       case ArgType::MatchPromotion:
8518       case ArgType::NoMatchPromotionTypeConfusion:
8519       case ArgType::NoMatchSignedness:
8520         llvm_unreachable("expected non-matching");
8521       case ArgType::NoMatchPedantic:
8522         Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
8523         break;
8524       case ArgType::NoMatchTypeConfusion:
8525         Diag = diag::warn_format_conversion_argument_type_mismatch_confusion;
8526         break;
8527       case ArgType::NoMatch:
8528         Diag = diag::warn_format_conversion_argument_type_mismatch;
8529         break;
8530       }
8531 
8532       EmitFormatDiagnostic(
8533           S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
8534                         << IsEnum << CSR << E->getSourceRange(),
8535           E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
8536       break;
8537     }
8538     case VarArgKind::Undefined:
8539     case VarArgKind::MSVCUndefined:
8540       if (CallType == VariadicCallType::DoesNotApply) {
8541         EmitTypeMismatch = true;
8542       } else {
8543         EmitFormatDiagnostic(
8544             S.PDiag(diag::warn_non_pod_vararg_with_format_string)
8545                 << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
8546                 << AT.getRepresentativeTypeName(S.Context) << CSR
8547                 << E->getSourceRange(),
8548             E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
8549         checkForCStrMembers(AT, E);
8550       }
8551       break;
8552 
8553     case VarArgKind::Invalid:
8554       if (CallType == VariadicCallType::DoesNotApply)
8555         EmitTypeMismatch = true;
8556       else if (ExprTy->isObjCObjectType())
8557         EmitFormatDiagnostic(
8558             S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format)
8559                 << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
8560                 << AT.getRepresentativeTypeName(S.Context) << CSR
8561                 << E->getSourceRange(),
8562             E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
8563       else
8564         // FIXME: If this is an initializer list, suggest removing the braces
8565         // or inserting a cast to the target type.
8566         S.Diag(E->getBeginLoc(), diag::err_cannot_pass_to_vararg_format)
8567             << isa<InitListExpr>(E) << ExprTy << CallType
8568             << AT.getRepresentativeTypeName(S.Context) << E->getSourceRange();
8569       break;
8570     }
8571 
8572     if (EmitTypeMismatch) {
8573       // The function is not variadic, so we do not generate warnings about
8574       // being allowed to pass that object as a variadic argument. Instead,
8575       // since there are inherently no printf specifiers for types which cannot
8576       // be passed as variadic arguments, emit a plain old specifier mismatch
8577       // argument.
8578       EmitFormatDiagnostic(
8579           S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
8580               << AT.getRepresentativeTypeName(S.Context) << ExprTy << false
8581               << E->getSourceRange(),
8582           E->getBeginLoc(), false, CSR);
8583     }
8584 
8585     assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() &&
8586            "format string specifier index out of range");
8587     CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true;
8588   }
8589 
8590   return true;
8591 }
8592 
8593 //===--- CHECK: Scanf format string checking ------------------------------===//
8594 
8595 namespace {
8596 
8597 class CheckScanfHandler : public CheckFormatHandler {
8598 public:
8599   CheckScanfHandler(Sema &s, const FormatStringLiteral *fexpr,
8600                     const Expr *origFormatExpr, FormatStringType type,
8601                     unsigned firstDataArg, unsigned numDataArgs,
8602                     const char *beg, Sema::FormatArgumentPassingKind APK,
8603                     ArrayRef<const Expr *> Args, unsigned formatIdx,
8604                     bool inFunctionCall, VariadicCallType CallType,
8605                     llvm::SmallBitVector &CheckedVarArgs,
8606                     UncoveredArgHandler &UncoveredArg)
8607       : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
8608                            numDataArgs, beg, APK, Args, formatIdx,
8609                            inFunctionCall, CallType, CheckedVarArgs,
8610                            UncoveredArg) {}
8611 
8612   bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
8613                             const char *startSpecifier,
8614                             unsigned specifierLen) override;
8615 
8616   bool HandleInvalidScanfConversionSpecifier(
8617           const analyze_scanf::ScanfSpecifier &FS,
8618           const char *startSpecifier,
8619           unsigned specifierLen) override;
8620 
8621   void HandleIncompleteScanList(const char *start, const char *end) override;
8622 };
8623 
8624 } // namespace
8625 
8626 void CheckScanfHandler::HandleIncompleteScanList(const char *start,
8627                                                  const char *end) {
8628   EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete),
8629                        getLocationOfByte(end), /*IsStringLocation*/true,
8630                        getSpecifierRange(start, end - start));
8631 }
8632 
8633 bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier(
8634                                         const analyze_scanf::ScanfSpecifier &FS,
8635                                         const char *startSpecifier,
8636                                         unsigned specifierLen) {
8637   const analyze_scanf::ScanfConversionSpecifier &CS =
8638     FS.getConversionSpecifier();
8639 
8640   return HandleInvalidConversionSpecifier(FS.getArgIndex(),
8641                                           getLocationOfByte(CS.getStart()),
8642                                           startSpecifier, specifierLen,
8643                                           CS.getStart(), CS.getLength());
8644 }
8645 
8646 bool CheckScanfHandler::HandleScanfSpecifier(
8647                                        const analyze_scanf::ScanfSpecifier &FS,
8648                                        const char *startSpecifier,
8649                                        unsigned specifierLen) {
8650   using namespace analyze_scanf;
8651   using namespace analyze_format_string;
8652 
8653   const ScanfConversionSpecifier &CS = FS.getConversionSpecifier();
8654 
8655   // Handle case where '%' and '*' don't consume an argument.  These shouldn't
8656   // be used to decide if we are using positional arguments consistently.
8657   if (FS.consumesDataArgument()) {
8658     if (atFirstArg) {
8659       atFirstArg = false;
8660       usesPositionalArgs = FS.usesPositionalArg();
8661     }
8662     else if (usesPositionalArgs != FS.usesPositionalArg()) {
8663       HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
8664                                         startSpecifier, specifierLen);
8665       return false;
8666     }
8667   }
8668 
8669   // Check if the field with is non-zero.
8670   const OptionalAmount &Amt = FS.getFieldWidth();
8671   if (Amt.getHowSpecified() == OptionalAmount::Constant) {
8672     if (Amt.getConstantAmount() == 0) {
8673       const CharSourceRange &R = getSpecifierRange(Amt.getStart(),
8674                                                    Amt.getConstantLength());
8675       EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width),
8676                            getLocationOfByte(Amt.getStart()),
8677                            /*IsStringLocation*/true, R,
8678                            FixItHint::CreateRemoval(R));
8679     }
8680   }
8681 
8682   if (!FS.consumesDataArgument()) {
8683     // FIXME: Technically specifying a precision or field width here
8684     // makes no sense.  Worth issuing a warning at some point.
8685     return true;
8686   }
8687 
8688   // Consume the argument.
8689   unsigned argIndex = FS.getArgIndex();
8690   if (argIndex < NumDataArgs) {
8691       // The check to see if the argIndex is valid will come later.
8692       // We set the bit here because we may exit early from this
8693       // function if we encounter some other error.
8694     CoveredArgs.set(argIndex);
8695   }
8696 
8697   // Check the length modifier is valid with the given conversion specifier.
8698   if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo(),
8699                                  S.getLangOpts()))
8700     HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
8701                                 diag::warn_format_nonsensical_length);
8702   else if (!FS.hasStandardLengthModifier())
8703     HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
8704   else if (!FS.hasStandardLengthConversionCombination())
8705     HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
8706                                 diag::warn_format_non_standard_conversion_spec);
8707 
8708   if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
8709     HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
8710 
8711   // The remaining checks depend on the data arguments.
8712   if (!HasFormatArguments())
8713     return true;
8714 
8715   if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
8716     return false;
8717 
8718   // Check that the argument type matches the format specifier.
8719   const Expr *Ex = getDataArg(argIndex);
8720   if (!Ex)
8721     return true;
8722 
8723   const analyze_format_string::ArgType &AT = FS.getArgType(S.Context);
8724 
8725   if (!AT.isValid()) {
8726     return true;
8727   }
8728 
8729   analyze_format_string::ArgType::MatchKind Match =
8730       AT.matchesType(S.Context, Ex->getType());
8731   Match = handleFormatSignedness(Match, S.getDiagnostics(), Ex->getExprLoc());
8732   bool Pedantic = Match == analyze_format_string::ArgType::NoMatchPedantic;
8733   if (Match == analyze_format_string::ArgType::Match)
8734     return true;
8735 
8736   ScanfSpecifier fixedFS = FS;
8737   bool Success = fixedFS.fixType(Ex->getType(), Ex->IgnoreImpCasts()->getType(),
8738                                  S.getLangOpts(), S.Context);
8739 
8740   unsigned Diag =
8741       Pedantic ? diag::warn_format_conversion_argument_type_mismatch_pedantic
8742                : diag::warn_format_conversion_argument_type_mismatch;
8743 
8744   if (Success) {
8745     // Get the fix string from the fixed format specifier.
8746     SmallString<128> buf;
8747     llvm::raw_svector_ostream os(buf);
8748     fixedFS.toString(os);
8749 
8750     EmitFormatDiagnostic(
8751         S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context)
8752                       << Ex->getType() << false << Ex->getSourceRange(),
8753         Ex->getBeginLoc(),
8754         /*IsStringLocation*/ false,
8755         getSpecifierRange(startSpecifier, specifierLen),
8756         FixItHint::CreateReplacement(
8757             getSpecifierRange(startSpecifier, specifierLen), os.str()));
8758   } else {
8759     EmitFormatDiagnostic(S.PDiag(Diag)
8760                              << AT.getRepresentativeTypeName(S.Context)
8761                              << Ex->getType() << false << Ex->getSourceRange(),
8762                          Ex->getBeginLoc(),
8763                          /*IsStringLocation*/ false,
8764                          getSpecifierRange(startSpecifier, specifierLen));
8765   }
8766 
8767   return true;
8768 }
8769 
8770 static bool CompareFormatSpecifiers(Sema &S, const StringLiteral *Ref,
8771                                     ArrayRef<EquatableFormatArgument> RefArgs,
8772                                     const StringLiteral *Fmt,
8773                                     ArrayRef<EquatableFormatArgument> FmtArgs,
8774                                     const Expr *FmtExpr, bool InFunctionCall) {
8775   bool HadError = false;
8776   auto FmtIter = FmtArgs.begin(), FmtEnd = FmtArgs.end();
8777   auto RefIter = RefArgs.begin(), RefEnd = RefArgs.end();
8778   while (FmtIter < FmtEnd && RefIter < RefEnd) {
8779     // In positional-style format strings, the same specifier can appear
8780     // multiple times (like %2$i %2$d). Specifiers in both RefArgs and FmtArgs
8781     // are sorted by getPosition(), and we process each range of equal
8782     // getPosition() values as one group.
8783     // RefArgs are taken from a string literal that was given to
8784     // attribute(format_matches), and if we got this far, we have already
8785     // verified that if it has positional specifiers that appear in multiple
8786     // locations, then they are all mutually compatible. What's left for us to
8787     // do is verify that all specifiers with the same position in FmtArgs are
8788     // compatible with the RefArgs specifiers. We check each specifier from
8789     // FmtArgs against the first member of the RefArgs group.
8790     for (; FmtIter < FmtEnd; ++FmtIter) {
8791       // Clang does not diagnose missing format specifiers in positional-style
8792       // strings (TODO: which it probably should do, as it is UB to skip over a
8793       // format argument). Skip specifiers if needed.
8794       if (FmtIter->getPosition() < RefIter->getPosition())
8795         continue;
8796 
8797       // Delimits a new getPosition() value.
8798       if (FmtIter->getPosition() > RefIter->getPosition())
8799         break;
8800 
8801       HadError |=
8802           !FmtIter->VerifyCompatible(S, *RefIter, FmtExpr, InFunctionCall);
8803     }
8804 
8805     // Jump RefIter to the start of the next group.
8806     RefIter = std::find_if(RefIter + 1, RefEnd, [=](const auto &Arg) {
8807       return Arg.getPosition() != RefIter->getPosition();
8808     });
8809   }
8810 
8811   if (FmtIter < FmtEnd) {
8812     CheckFormatHandler::EmitFormatDiagnostic(
8813         S, InFunctionCall, FmtExpr,
8814         S.PDiag(diag::warn_format_cmp_specifier_arity) << 1,
8815         FmtExpr->getBeginLoc(), false, FmtIter->getSourceRange());
8816     HadError = S.Diag(Ref->getBeginLoc(), diag::note_format_cmp_with) << 1;
8817   } else if (RefIter < RefEnd) {
8818     CheckFormatHandler::EmitFormatDiagnostic(
8819         S, InFunctionCall, FmtExpr,
8820         S.PDiag(diag::warn_format_cmp_specifier_arity) << 0,
8821         FmtExpr->getBeginLoc(), false, Fmt->getSourceRange());
8822     HadError = S.Diag(Ref->getBeginLoc(), diag::note_format_cmp_with)
8823                << 1 << RefIter->getSourceRange();
8824   }
8825   return !HadError;
8826 }
8827 
8828 static void CheckFormatString(
8829     Sema &S, const FormatStringLiteral *FExpr,
8830     const StringLiteral *ReferenceFormatString, const Expr *OrigFormatExpr,
8831     ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
8832     unsigned format_idx, unsigned firstDataArg, FormatStringType Type,
8833     bool inFunctionCall, VariadicCallType CallType,
8834     llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
8835     bool IgnoreStringsWithoutSpecifiers) {
8836   // CHECK: is the format string a wide literal?
8837   if (!FExpr->isAscii() && !FExpr->isUTF8()) {
8838     CheckFormatHandler::EmitFormatDiagnostic(
8839         S, inFunctionCall, Args[format_idx],
8840         S.PDiag(diag::warn_format_string_is_wide_literal), FExpr->getBeginLoc(),
8841         /*IsStringLocation*/ true, OrigFormatExpr->getSourceRange());
8842     return;
8843   }
8844 
8845   // Str - The format string.  NOTE: this is NOT null-terminated!
8846   StringRef StrRef = FExpr->getString();
8847   const char *Str = StrRef.data();
8848   // Account for cases where the string literal is truncated in a declaration.
8849   const ConstantArrayType *T =
8850     S.Context.getAsConstantArrayType(FExpr->getType());
8851   assert(T && "String literal not of constant array type!");
8852   size_t TypeSize = T->getZExtSize();
8853   size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size());
8854   const unsigned numDataArgs = Args.size() - firstDataArg;
8855 
8856   if (IgnoreStringsWithoutSpecifiers &&
8857       !analyze_format_string::parseFormatStringHasFormattingSpecifiers(
8858           Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo()))
8859     return;
8860 
8861   // Emit a warning if the string literal is truncated and does not contain an
8862   // embedded null character.
8863   if (TypeSize <= StrRef.size() && !StrRef.substr(0, TypeSize).contains('\0')) {
8864     CheckFormatHandler::EmitFormatDiagnostic(
8865         S, inFunctionCall, Args[format_idx],
8866         S.PDiag(diag::warn_printf_format_string_not_null_terminated),
8867         FExpr->getBeginLoc(),
8868         /*IsStringLocation=*/true, OrigFormatExpr->getSourceRange());
8869     return;
8870   }
8871 
8872   // CHECK: empty format string?
8873   if (StrLen == 0 && numDataArgs > 0) {
8874     CheckFormatHandler::EmitFormatDiagnostic(
8875         S, inFunctionCall, Args[format_idx],
8876         S.PDiag(diag::warn_empty_format_string), FExpr->getBeginLoc(),
8877         /*IsStringLocation*/ true, OrigFormatExpr->getSourceRange());
8878     return;
8879   }
8880 
8881   if (Type == FormatStringType::Printf || Type == FormatStringType::NSString ||
8882       Type == FormatStringType::Kprintf ||
8883       Type == FormatStringType::FreeBSDKPrintf ||
8884       Type == FormatStringType::OSLog || Type == FormatStringType::OSTrace ||
8885       Type == FormatStringType::Syslog) {
8886     bool IsObjC =
8887         Type == FormatStringType::NSString || Type == FormatStringType::OSTrace;
8888     if (ReferenceFormatString == nullptr) {
8889       CheckPrintfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
8890                            numDataArgs, IsObjC, Str, APK, Args, format_idx,
8891                            inFunctionCall, CallType, CheckedVarArgs,
8892                            UncoveredArg);
8893 
8894       if (!analyze_format_string::ParsePrintfString(
8895               H, Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo(),
8896               Type == FormatStringType::Kprintf ||
8897                   Type == FormatStringType::FreeBSDKPrintf))
8898         H.DoneProcessing();
8899     } else {
8900       S.CheckFormatStringsCompatible(
8901           Type, ReferenceFormatString, FExpr->getFormatString(),
8902           inFunctionCall ? nullptr : Args[format_idx]);
8903     }
8904   } else if (Type == FormatStringType::Scanf) {
8905     CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
8906                         numDataArgs, Str, APK, Args, format_idx, inFunctionCall,
8907                         CallType, CheckedVarArgs, UncoveredArg);
8908 
8909     if (!analyze_format_string::ParseScanfString(
8910             H, Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo()))
8911       H.DoneProcessing();
8912   } // TODO: handle other formats
8913 }
8914 
8915 bool Sema::CheckFormatStringsCompatible(
8916     FormatStringType Type, const StringLiteral *AuthoritativeFormatString,
8917     const StringLiteral *TestedFormatString, const Expr *FunctionCallArg) {
8918   if (Type != FormatStringType::Printf && Type != FormatStringType::NSString &&
8919       Type != FormatStringType::Kprintf &&
8920       Type != FormatStringType::FreeBSDKPrintf &&
8921       Type != FormatStringType::OSLog && Type != FormatStringType::OSTrace &&
8922       Type != FormatStringType::Syslog)
8923     return true;
8924 
8925   bool IsObjC =
8926       Type == FormatStringType::NSString || Type == FormatStringType::OSTrace;
8927   llvm::SmallVector<EquatableFormatArgument, 9> RefArgs, FmtArgs;
8928   FormatStringLiteral RefLit = AuthoritativeFormatString;
8929   FormatStringLiteral TestLit = TestedFormatString;
8930   const Expr *Arg;
8931   bool DiagAtStringLiteral;
8932   if (FunctionCallArg) {
8933     Arg = FunctionCallArg;
8934     DiagAtStringLiteral = false;
8935   } else {
8936     Arg = TestedFormatString;
8937     DiagAtStringLiteral = true;
8938   }
8939   if (DecomposePrintfHandler::GetSpecifiers(*this, &RefLit,
8940                                             AuthoritativeFormatString, Type,
8941                                             IsObjC, true, RefArgs) &&
8942       DecomposePrintfHandler::GetSpecifiers(*this, &TestLit, Arg, Type, IsObjC,
8943                                             DiagAtStringLiteral, FmtArgs)) {
8944     return CompareFormatSpecifiers(*this, AuthoritativeFormatString, RefArgs,
8945                                    TestedFormatString, FmtArgs, Arg,
8946                                    DiagAtStringLiteral);
8947   }
8948   return false;
8949 }
8950 
8951 bool Sema::ValidateFormatString(FormatStringType Type,
8952                                 const StringLiteral *Str) {
8953   if (Type != FormatStringType::Printf && Type != FormatStringType::NSString &&
8954       Type != FormatStringType::Kprintf &&
8955       Type != FormatStringType::FreeBSDKPrintf &&
8956       Type != FormatStringType::OSLog && Type != FormatStringType::OSTrace &&
8957       Type != FormatStringType::Syslog)
8958     return true;
8959 
8960   FormatStringLiteral RefLit = Str;
8961   llvm::SmallVector<EquatableFormatArgument, 9> Args;
8962   bool IsObjC =
8963       Type == FormatStringType::NSString || Type == FormatStringType::OSTrace;
8964   if (!DecomposePrintfHandler::GetSpecifiers(*this, &RefLit, Str, Type, IsObjC,
8965                                              true, Args))
8966     return false;
8967 
8968   // Group arguments by getPosition() value, and check that each member of the
8969   // group is compatible with the first member. This verifies that when
8970   // positional arguments are used multiple times (such as %2$i %2$d), all uses
8971   // are mutually compatible. As an optimization, don't test the first member
8972   // against itself.
8973   bool HadError = false;
8974   auto Iter = Args.begin();
8975   auto End = Args.end();
8976   while (Iter != End) {
8977     const auto &FirstInGroup = *Iter;
8978     for (++Iter;
8979          Iter != End && Iter->getPosition() == FirstInGroup.getPosition();
8980          ++Iter) {
8981       HadError |= !Iter->VerifyCompatible(*this, FirstInGroup, Str, true);
8982     }
8983   }
8984   return !HadError;
8985 }
8986 
8987 bool Sema::FormatStringHasSArg(const StringLiteral *FExpr) {
8988   // Str - The format string.  NOTE: this is NOT null-terminated!
8989   StringRef StrRef = FExpr->getString();
8990   const char *Str = StrRef.data();
8991   // Account for cases where the string literal is truncated in a declaration.
8992   const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType());
8993   assert(T && "String literal not of constant array type!");
8994   size_t TypeSize = T->getZExtSize();
8995   size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size());
8996   return analyze_format_string::ParseFormatStringHasSArg(Str, Str + StrLen,
8997                                                          getLangOpts(),
8998                                                          Context.getTargetInfo());
8999 }
9000 
9001 //===--- CHECK: Warn on use of wrong absolute value function. -------------===//
9002 
9003 // Returns the related absolute value function that is larger, of 0 if one
9004 // does not exist.
9005 static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) {
9006   switch (AbsFunction) {
9007   default:
9008     return 0;
9009 
9010   case Builtin::BI__builtin_abs:
9011     return Builtin::BI__builtin_labs;
9012   case Builtin::BI__builtin_labs:
9013     return Builtin::BI__builtin_llabs;
9014   case Builtin::BI__builtin_llabs:
9015     return 0;
9016 
9017   case Builtin::BI__builtin_fabsf:
9018     return Builtin::BI__builtin_fabs;
9019   case Builtin::BI__builtin_fabs:
9020     return Builtin::BI__builtin_fabsl;
9021   case Builtin::BI__builtin_fabsl:
9022     return 0;
9023 
9024   case Builtin::BI__builtin_cabsf:
9025     return Builtin::BI__builtin_cabs;
9026   case Builtin::BI__builtin_cabs:
9027     return Builtin::BI__builtin_cabsl;
9028   case Builtin::BI__builtin_cabsl:
9029     return 0;
9030 
9031   case Builtin::BIabs:
9032     return Builtin::BIlabs;
9033   case Builtin::BIlabs:
9034     return Builtin::BIllabs;
9035   case Builtin::BIllabs:
9036     return 0;
9037 
9038   case Builtin::BIfabsf:
9039     return Builtin::BIfabs;
9040   case Builtin::BIfabs:
9041     return Builtin::BIfabsl;
9042   case Builtin::BIfabsl:
9043     return 0;
9044 
9045   case Builtin::BIcabsf:
9046    return Builtin::BIcabs;
9047   case Builtin::BIcabs:
9048     return Builtin::BIcabsl;
9049   case Builtin::BIcabsl:
9050     return 0;
9051   }
9052 }
9053 
9054 // Returns the argument type of the absolute value function.
9055 static QualType getAbsoluteValueArgumentType(ASTContext &Context,
9056                                              unsigned AbsType) {
9057   if (AbsType == 0)
9058     return QualType();
9059 
9060   ASTContext::GetBuiltinTypeError Error = ASTContext::GE_None;
9061   QualType BuiltinType = Context.GetBuiltinType(AbsType, Error);
9062   if (Error != ASTContext::GE_None)
9063     return QualType();
9064 
9065   const FunctionProtoType *FT = BuiltinType->getAs<FunctionProtoType>();
9066   if (!FT)
9067     return QualType();
9068 
9069   if (FT->getNumParams() != 1)
9070     return QualType();
9071 
9072   return FT->getParamType(0);
9073 }
9074 
9075 // Returns the best absolute value function, or zero, based on type and
9076 // current absolute value function.
9077 static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType,
9078                                    unsigned AbsFunctionKind) {
9079   unsigned BestKind = 0;
9080   uint64_t ArgSize = Context.getTypeSize(ArgType);
9081   for (unsigned Kind = AbsFunctionKind; Kind != 0;
9082        Kind = getLargerAbsoluteValueFunction(Kind)) {
9083     QualType ParamType = getAbsoluteValueArgumentType(Context, Kind);
9084     if (Context.getTypeSize(ParamType) >= ArgSize) {
9085       if (BestKind == 0)
9086         BestKind = Kind;
9087       else if (Context.hasSameType(ParamType, ArgType)) {
9088         BestKind = Kind;
9089         break;
9090       }
9091     }
9092   }
9093   return BestKind;
9094 }
9095 
9096 enum AbsoluteValueKind {
9097   AVK_Integer,
9098   AVK_Floating,
9099   AVK_Complex
9100 };
9101 
9102 static AbsoluteValueKind getAbsoluteValueKind(QualType T) {
9103   if (T->isIntegralOrEnumerationType())
9104     return AVK_Integer;
9105   if (T->isRealFloatingType())
9106     return AVK_Floating;
9107   if (T->isAnyComplexType())
9108     return AVK_Complex;
9109 
9110   llvm_unreachable("Type not integer, floating, or complex");
9111 }
9112 
9113 // Changes the absolute value function to a different type.  Preserves whether
9114 // the function is a builtin.
9115 static unsigned changeAbsFunction(unsigned AbsKind,
9116                                   AbsoluteValueKind ValueKind) {
9117   switch (ValueKind) {
9118   case AVK_Integer:
9119     switch (AbsKind) {
9120     default:
9121       return 0;
9122     case Builtin::BI__builtin_fabsf:
9123     case Builtin::BI__builtin_fabs:
9124     case Builtin::BI__builtin_fabsl:
9125     case Builtin::BI__builtin_cabsf:
9126     case Builtin::BI__builtin_cabs:
9127     case Builtin::BI__builtin_cabsl:
9128       return Builtin::BI__builtin_abs;
9129     case Builtin::BIfabsf:
9130     case Builtin::BIfabs:
9131     case Builtin::BIfabsl:
9132     case Builtin::BIcabsf:
9133     case Builtin::BIcabs:
9134     case Builtin::BIcabsl:
9135       return Builtin::BIabs;
9136     }
9137   case AVK_Floating:
9138     switch (AbsKind) {
9139     default:
9140       return 0;
9141     case Builtin::BI__builtin_abs:
9142     case Builtin::BI__builtin_labs:
9143     case Builtin::BI__builtin_llabs:
9144     case Builtin::BI__builtin_cabsf:
9145     case Builtin::BI__builtin_cabs:
9146     case Builtin::BI__builtin_cabsl:
9147       return Builtin::BI__builtin_fabsf;
9148     case Builtin::BIabs:
9149     case Builtin::BIlabs:
9150     case Builtin::BIllabs:
9151     case Builtin::BIcabsf:
9152     case Builtin::BIcabs:
9153     case Builtin::BIcabsl:
9154       return Builtin::BIfabsf;
9155     }
9156   case AVK_Complex:
9157     switch (AbsKind) {
9158     default:
9159       return 0;
9160     case Builtin::BI__builtin_abs:
9161     case Builtin::BI__builtin_labs:
9162     case Builtin::BI__builtin_llabs:
9163     case Builtin::BI__builtin_fabsf:
9164     case Builtin::BI__builtin_fabs:
9165     case Builtin::BI__builtin_fabsl:
9166       return Builtin::BI__builtin_cabsf;
9167     case Builtin::BIabs:
9168     case Builtin::BIlabs:
9169     case Builtin::BIllabs:
9170     case Builtin::BIfabsf:
9171     case Builtin::BIfabs:
9172     case Builtin::BIfabsl:
9173       return Builtin::BIcabsf;
9174     }
9175   }
9176   llvm_unreachable("Unable to convert function");
9177 }
9178 
9179 static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) {
9180   const IdentifierInfo *FnInfo = FDecl->getIdentifier();
9181   if (!FnInfo)
9182     return 0;
9183 
9184   switch (FDecl->getBuiltinID()) {
9185   default:
9186     return 0;
9187   case Builtin::BI__builtin_abs:
9188   case Builtin::BI__builtin_fabs:
9189   case Builtin::BI__builtin_fabsf:
9190   case Builtin::BI__builtin_fabsl:
9191   case Builtin::BI__builtin_labs:
9192   case Builtin::BI__builtin_llabs:
9193   case Builtin::BI__builtin_cabs:
9194   case Builtin::BI__builtin_cabsf:
9195   case Builtin::BI__builtin_cabsl:
9196   case Builtin::BIabs:
9197   case Builtin::BIlabs:
9198   case Builtin::BIllabs:
9199   case Builtin::BIfabs:
9200   case Builtin::BIfabsf:
9201   case Builtin::BIfabsl:
9202   case Builtin::BIcabs:
9203   case Builtin::BIcabsf:
9204   case Builtin::BIcabsl:
9205     return FDecl->getBuiltinID();
9206   }
9207   llvm_unreachable("Unknown Builtin type");
9208 }
9209 
9210 // If the replacement is valid, emit a note with replacement function.
9211 // Additionally, suggest including the proper header if not already included.
9212 static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range,
9213                             unsigned AbsKind, QualType ArgType) {
9214   bool EmitHeaderHint = true;
9215   const char *HeaderName = nullptr;
9216   std::string FunctionName;
9217   if (S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType()) {
9218     FunctionName = "std::abs";
9219     if (ArgType->isIntegralOrEnumerationType()) {
9220       HeaderName = "cstdlib";
9221     } else if (ArgType->isRealFloatingType()) {
9222       HeaderName = "cmath";
9223     } else {
9224       llvm_unreachable("Invalid Type");
9225     }
9226 
9227     // Lookup all std::abs
9228     if (NamespaceDecl *Std = S.getStdNamespace()) {
9229       LookupResult R(S, &S.Context.Idents.get("abs"), Loc, Sema::LookupAnyName);
9230       R.suppressDiagnostics();
9231       S.LookupQualifiedName(R, Std);
9232 
9233       for (const auto *I : R) {
9234         const FunctionDecl *FDecl = nullptr;
9235         if (const UsingShadowDecl *UsingD = dyn_cast<UsingShadowDecl>(I)) {
9236           FDecl = dyn_cast<FunctionDecl>(UsingD->getTargetDecl());
9237         } else {
9238           FDecl = dyn_cast<FunctionDecl>(I);
9239         }
9240         if (!FDecl)
9241           continue;
9242 
9243         // Found std::abs(), check that they are the right ones.
9244         if (FDecl->getNumParams() != 1)
9245           continue;
9246 
9247         // Check that the parameter type can handle the argument.
9248         QualType ParamType = FDecl->getParamDecl(0)->getType();
9249         if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) &&
9250             S.Context.getTypeSize(ArgType) <=
9251                 S.Context.getTypeSize(ParamType)) {
9252           // Found a function, don't need the header hint.
9253           EmitHeaderHint = false;
9254           break;
9255         }
9256       }
9257     }
9258   } else {
9259     FunctionName = S.Context.BuiltinInfo.getName(AbsKind);
9260     HeaderName = S.Context.BuiltinInfo.getHeaderName(AbsKind);
9261 
9262     if (HeaderName) {
9263       DeclarationName DN(&S.Context.Idents.get(FunctionName));
9264       LookupResult R(S, DN, Loc, Sema::LookupAnyName);
9265       R.suppressDiagnostics();
9266       S.LookupName(R, S.getCurScope());
9267 
9268       if (R.isSingleResult()) {
9269         FunctionDecl *FD = dyn_cast<FunctionDecl>(R.getFoundDecl());
9270         if (FD && FD->getBuiltinID() == AbsKind) {
9271           EmitHeaderHint = false;
9272         } else {
9273           return;
9274         }
9275       } else if (!R.empty()) {
9276         return;
9277       }
9278     }
9279   }
9280 
9281   S.Diag(Loc, diag::note_replace_abs_function)
9282       << FunctionName << FixItHint::CreateReplacement(Range, FunctionName);
9283 
9284   if (!HeaderName)
9285     return;
9286 
9287   if (!EmitHeaderHint)
9288     return;
9289 
9290   S.Diag(Loc, diag::note_include_header_or_declare) << HeaderName
9291                                                     << FunctionName;
9292 }
9293 
9294 template <std::size_t StrLen>
9295 static bool IsStdFunction(const FunctionDecl *FDecl,
9296                           const char (&Str)[StrLen]) {
9297   if (!FDecl)
9298     return false;
9299   if (!FDecl->getIdentifier() || !FDecl->getIdentifier()->isStr(Str))
9300     return false;
9301   if (!FDecl->isInStdNamespace())
9302     return false;
9303 
9304   return true;
9305 }
9306 
9307 enum class MathCheck { NaN, Inf };
9308 static bool IsInfOrNanFunction(StringRef calleeName, MathCheck Check) {
9309   auto MatchesAny = [&](std::initializer_list<llvm::StringRef> names) {
9310     return llvm::is_contained(names, calleeName);
9311   };
9312 
9313   switch (Check) {
9314   case MathCheck::NaN:
9315     return MatchesAny({"__builtin_nan", "__builtin_nanf", "__builtin_nanl",
9316                        "__builtin_nanf16", "__builtin_nanf128"});
9317   case MathCheck::Inf:
9318     return MatchesAny({"__builtin_inf", "__builtin_inff", "__builtin_infl",
9319                        "__builtin_inff16", "__builtin_inff128"});
9320   }
9321   llvm_unreachable("unknown MathCheck");
9322 }
9323 
9324 static bool IsInfinityFunction(const FunctionDecl *FDecl) {
9325   if (FDecl->getName() != "infinity")
9326     return false;
9327 
9328   if (const CXXMethodDecl *MDecl = dyn_cast<CXXMethodDecl>(FDecl)) {
9329     const CXXRecordDecl *RDecl = MDecl->getParent();
9330     if (RDecl->getName() != "numeric_limits")
9331       return false;
9332 
9333     if (const NamespaceDecl *NSDecl =
9334             dyn_cast<NamespaceDecl>(RDecl->getDeclContext()))
9335       return NSDecl->isStdNamespace();
9336   }
9337 
9338   return false;
9339 }
9340 
9341 void Sema::CheckInfNaNFunction(const CallExpr *Call,
9342                                const FunctionDecl *FDecl) {
9343   if (!FDecl->getIdentifier())
9344     return;
9345 
9346   FPOptions FPO = Call->getFPFeaturesInEffect(getLangOpts());
9347   if (FPO.getNoHonorNaNs() &&
9348       (IsStdFunction(FDecl, "isnan") || IsStdFunction(FDecl, "isunordered") ||
9349        IsInfOrNanFunction(FDecl->getName(), MathCheck::NaN))) {
9350     Diag(Call->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
9351         << 1 << 0 << Call->getSourceRange();
9352     return;
9353   }
9354 
9355   if (FPO.getNoHonorInfs() &&
9356       (IsStdFunction(FDecl, "isinf") || IsStdFunction(FDecl, "isfinite") ||
9357        IsInfinityFunction(FDecl) ||
9358        IsInfOrNanFunction(FDecl->getName(), MathCheck::Inf))) {
9359     Diag(Call->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
9360         << 0 << 0 << Call->getSourceRange();
9361   }
9362 }
9363 
9364 void Sema::CheckAbsoluteValueFunction(const CallExpr *Call,
9365                                       const FunctionDecl *FDecl) {
9366   if (Call->getNumArgs() != 1)
9367     return;
9368 
9369   unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl);
9370   bool IsStdAbs = IsStdFunction(FDecl, "abs");
9371   if (AbsKind == 0 && !IsStdAbs)
9372     return;
9373 
9374   QualType ArgType = Call->getArg(0)->IgnoreParenImpCasts()->getType();
9375   QualType ParamType = Call->getArg(0)->getType();
9376 
9377   // Unsigned types cannot be negative.  Suggest removing the absolute value
9378   // function call.
9379   if (ArgType->isUnsignedIntegerType()) {
9380     std::string FunctionName =
9381         IsStdAbs ? "std::abs" : Context.BuiltinInfo.getName(AbsKind);
9382     Diag(Call->getExprLoc(), diag::warn_unsigned_abs) << ArgType << ParamType;
9383     Diag(Call->getExprLoc(), diag::note_remove_abs)
9384         << FunctionName
9385         << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange());
9386     return;
9387   }
9388 
9389   // Taking the absolute value of a pointer is very suspicious, they probably
9390   // wanted to index into an array, dereference a pointer, call a function, etc.
9391   if (ArgType->isPointerType() || ArgType->canDecayToPointerType()) {
9392     unsigned DiagType = 0;
9393     if (ArgType->isFunctionType())
9394       DiagType = 1;
9395     else if (ArgType->isArrayType())
9396       DiagType = 2;
9397 
9398     Diag(Call->getExprLoc(), diag::warn_pointer_abs) << DiagType << ArgType;
9399     return;
9400   }
9401 
9402   // std::abs has overloads which prevent most of the absolute value problems
9403   // from occurring.
9404   if (IsStdAbs)
9405     return;
9406 
9407   AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType);
9408   AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType);
9409 
9410   // The argument and parameter are the same kind.  Check if they are the right
9411   // size.
9412   if (ArgValueKind == ParamValueKind) {
9413     if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType))
9414       return;
9415 
9416     unsigned NewAbsKind = getBestAbsFunction(Context, ArgType, AbsKind);
9417     Diag(Call->getExprLoc(), diag::warn_abs_too_small)
9418         << FDecl << ArgType << ParamType;
9419 
9420     if (NewAbsKind == 0)
9421       return;
9422 
9423     emitReplacement(*this, Call->getExprLoc(),
9424                     Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
9425     return;
9426   }
9427 
9428   // ArgValueKind != ParamValueKind
9429   // The wrong type of absolute value function was used.  Attempt to find the
9430   // proper one.
9431   unsigned NewAbsKind = changeAbsFunction(AbsKind, ArgValueKind);
9432   NewAbsKind = getBestAbsFunction(Context, ArgType, NewAbsKind);
9433   if (NewAbsKind == 0)
9434     return;
9435 
9436   Diag(Call->getExprLoc(), diag::warn_wrong_absolute_value_type)
9437       << FDecl << ParamValueKind << ArgValueKind;
9438 
9439   emitReplacement(*this, Call->getExprLoc(),
9440                   Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
9441 }
9442 
9443 //===--- CHECK: Warn on use of std::max and unsigned zero. r---------------===//
9444 void Sema::CheckMaxUnsignedZero(const CallExpr *Call,
9445                                 const FunctionDecl *FDecl) {
9446   if (!Call || !FDecl) return;
9447 
9448   // Ignore template specializations and macros.
9449   if (inTemplateInstantiation()) return;
9450   if (Call->getExprLoc().isMacroID()) return;
9451 
9452   // Only care about the one template argument, two function parameter std::max
9453   if (Call->getNumArgs() != 2) return;
9454   if (!IsStdFunction(FDecl, "max")) return;
9455   const auto * ArgList = FDecl->getTemplateSpecializationArgs();
9456   if (!ArgList) return;
9457   if (ArgList->size() != 1) return;
9458 
9459   // Check that template type argument is unsigned integer.
9460   const auto& TA = ArgList->get(0);
9461   if (TA.getKind() != TemplateArgument::Type) return;
9462   QualType ArgType = TA.getAsType();
9463   if (!ArgType->isUnsignedIntegerType()) return;
9464 
9465   // See if either argument is a literal zero.
9466   auto IsLiteralZeroArg = [](const Expr* E) -> bool {
9467     const auto *MTE = dyn_cast<MaterializeTemporaryExpr>(E);
9468     if (!MTE) return false;
9469     const auto *Num = dyn_cast<IntegerLiteral>(MTE->getSubExpr());
9470     if (!Num) return false;
9471     if (Num->getValue() != 0) return false;
9472     return true;
9473   };
9474 
9475   const Expr *FirstArg = Call->getArg(0);
9476   const Expr *SecondArg = Call->getArg(1);
9477   const bool IsFirstArgZero = IsLiteralZeroArg(FirstArg);
9478   const bool IsSecondArgZero = IsLiteralZeroArg(SecondArg);
9479 
9480   // Only warn when exactly one argument is zero.
9481   if (IsFirstArgZero == IsSecondArgZero) return;
9482 
9483   SourceRange FirstRange = FirstArg->getSourceRange();
9484   SourceRange SecondRange = SecondArg->getSourceRange();
9485 
9486   SourceRange ZeroRange = IsFirstArgZero ? FirstRange : SecondRange;
9487 
9488   Diag(Call->getExprLoc(), diag::warn_max_unsigned_zero)
9489       << IsFirstArgZero << Call->getCallee()->getSourceRange() << ZeroRange;
9490 
9491   // Deduce what parts to remove so that "std::max(0u, foo)" becomes "(foo)".
9492   SourceRange RemovalRange;
9493   if (IsFirstArgZero) {
9494     RemovalRange = SourceRange(FirstRange.getBegin(),
9495                                SecondRange.getBegin().getLocWithOffset(-1));
9496   } else {
9497     RemovalRange = SourceRange(getLocForEndOfToken(FirstRange.getEnd()),
9498                                SecondRange.getEnd());
9499   }
9500 
9501   Diag(Call->getExprLoc(), diag::note_remove_max_call)
9502         << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange())
9503         << FixItHint::CreateRemoval(RemovalRange);
9504 }
9505 
9506 //===--- CHECK: Standard memory functions ---------------------------------===//
9507 
9508 /// Takes the expression passed to the size_t parameter of functions
9509 /// such as memcmp, strncat, etc and warns if it's a comparison.
9510 ///
9511 /// This is to catch typos like `if (memcmp(&a, &b, sizeof(a) > 0))`.
9512 static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E,
9513                                            const IdentifierInfo *FnName,
9514                                            SourceLocation FnLoc,
9515                                            SourceLocation RParenLoc) {
9516   const auto *Size = dyn_cast<BinaryOperator>(E);
9517   if (!Size)
9518     return false;
9519 
9520   // if E is binop and op is <=>, >, <, >=, <=, ==, &&, ||:
9521   if (!Size->isComparisonOp() && !Size->isLogicalOp())
9522     return false;
9523 
9524   SourceRange SizeRange = Size->getSourceRange();
9525   S.Diag(Size->getOperatorLoc(), diag::warn_memsize_comparison)
9526       << SizeRange << FnName;
9527   S.Diag(FnLoc, diag::note_memsize_comparison_paren)
9528       << FnName
9529       << FixItHint::CreateInsertion(
9530              S.getLocForEndOfToken(Size->getLHS()->getEndLoc()), ")")
9531       << FixItHint::CreateRemoval(RParenLoc);
9532   S.Diag(SizeRange.getBegin(), diag::note_memsize_comparison_cast_silence)
9533       << FixItHint::CreateInsertion(SizeRange.getBegin(), "(size_t)(")
9534       << FixItHint::CreateInsertion(S.getLocForEndOfToken(SizeRange.getEnd()),
9535                                     ")");
9536 
9537   return true;
9538 }
9539 
9540 /// Determine whether the given type is or contains a dynamic class type
9541 /// (e.g., whether it has a vtable).
9542 static const CXXRecordDecl *getContainedDynamicClass(QualType T,
9543                                                      bool &IsContained) {
9544   // Look through array types while ignoring qualifiers.
9545   const Type *Ty = T->getBaseElementTypeUnsafe();
9546   IsContained = false;
9547 
9548   const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl();
9549   RD = RD ? RD->getDefinition() : nullptr;
9550   if (!RD || RD->isInvalidDecl())
9551     return nullptr;
9552 
9553   if (RD->isDynamicClass())
9554     return RD;
9555 
9556   // Check all the fields.  If any bases were dynamic, the class is dynamic.
9557   // It's impossible for a class to transitively contain itself by value, so
9558   // infinite recursion is impossible.
9559   for (auto *FD : RD->fields()) {
9560     bool SubContained;
9561     if (const CXXRecordDecl *ContainedRD =
9562             getContainedDynamicClass(FD->getType(), SubContained)) {
9563       IsContained = true;
9564       return ContainedRD;
9565     }
9566   }
9567 
9568   return nullptr;
9569 }
9570 
9571 static const UnaryExprOrTypeTraitExpr *getAsSizeOfExpr(const Expr *E) {
9572   if (const auto *Unary = dyn_cast<UnaryExprOrTypeTraitExpr>(E))
9573     if (Unary->getKind() == UETT_SizeOf)
9574       return Unary;
9575   return nullptr;
9576 }
9577 
9578 /// If E is a sizeof expression, returns its argument expression,
9579 /// otherwise returns NULL.
9580 static const Expr *getSizeOfExprArg(const Expr *E) {
9581   if (const UnaryExprOrTypeTraitExpr *SizeOf = getAsSizeOfExpr(E))
9582     if (!SizeOf->isArgumentType())
9583       return SizeOf->getArgumentExpr()->IgnoreParenImpCasts();
9584   return nullptr;
9585 }
9586 
9587 /// If E is a sizeof expression, returns its argument type.
9588 static QualType getSizeOfArgType(const Expr *E) {
9589   if (const UnaryExprOrTypeTraitExpr *SizeOf = getAsSizeOfExpr(E))
9590     return SizeOf->getTypeOfArgument();
9591   return QualType();
9592 }
9593 
9594 namespace {
9595 
9596 struct SearchNonTrivialToInitializeField
9597     : DefaultInitializedTypeVisitor<SearchNonTrivialToInitializeField> {
9598   using Super =
9599       DefaultInitializedTypeVisitor<SearchNonTrivialToInitializeField>;
9600 
9601   SearchNonTrivialToInitializeField(const Expr *E, Sema &S) : E(E), S(S) {}
9602 
9603   void visitWithKind(QualType::PrimitiveDefaultInitializeKind PDIK, QualType FT,
9604                      SourceLocation SL) {
9605     if (const auto *AT = asDerived().getContext().getAsArrayType(FT)) {
9606       asDerived().visitArray(PDIK, AT, SL);
9607       return;
9608     }
9609 
9610     Super::visitWithKind(PDIK, FT, SL);
9611   }
9612 
9613   void visitARCStrong(QualType FT, SourceLocation SL) {
9614     S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 1);
9615   }
9616   void visitARCWeak(QualType FT, SourceLocation SL) {
9617     S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 1);
9618   }
9619   void visitStruct(QualType FT, SourceLocation SL) {
9620     for (const FieldDecl *FD : FT->castAs<RecordType>()->getDecl()->fields())
9621       visit(FD->getType(), FD->getLocation());
9622   }
9623   void visitArray(QualType::PrimitiveDefaultInitializeKind PDIK,
9624                   const ArrayType *AT, SourceLocation SL) {
9625     visit(getContext().getBaseElementType(AT), SL);
9626   }
9627   void visitTrivial(QualType FT, SourceLocation SL) {}
9628 
9629   static void diag(QualType RT, const Expr *E, Sema &S) {
9630     SearchNonTrivialToInitializeField(E, S).visitStruct(RT, SourceLocation());
9631   }
9632 
9633   ASTContext &getContext() { return S.getASTContext(); }
9634 
9635   const Expr *E;
9636   Sema &S;
9637 };
9638 
9639 struct SearchNonTrivialToCopyField
9640     : CopiedTypeVisitor<SearchNonTrivialToCopyField, false> {
9641   using Super = CopiedTypeVisitor<SearchNonTrivialToCopyField, false>;
9642 
9643   SearchNonTrivialToCopyField(const Expr *E, Sema &S) : E(E), S(S) {}
9644 
9645   void visitWithKind(QualType::PrimitiveCopyKind PCK, QualType FT,
9646                      SourceLocation SL) {
9647     if (const auto *AT = asDerived().getContext().getAsArrayType(FT)) {
9648       asDerived().visitArray(PCK, AT, SL);
9649       return;
9650     }
9651 
9652     Super::visitWithKind(PCK, FT, SL);
9653   }
9654 
9655   void visitARCStrong(QualType FT, SourceLocation SL) {
9656     S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
9657   }
9658   void visitARCWeak(QualType FT, SourceLocation SL) {
9659     S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
9660   }
9661   void visitPtrAuth(QualType FT, SourceLocation SL) {
9662     S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
9663   }
9664   void visitStruct(QualType FT, SourceLocation SL) {
9665     for (const FieldDecl *FD : FT->castAs<RecordType>()->getDecl()->fields())
9666       visit(FD->getType(), FD->getLocation());
9667   }
9668   void visitArray(QualType::PrimitiveCopyKind PCK, const ArrayType *AT,
9669                   SourceLocation SL) {
9670     visit(getContext().getBaseElementType(AT), SL);
9671   }
9672   void preVisit(QualType::PrimitiveCopyKind PCK, QualType FT,
9673                 SourceLocation SL) {}
9674   void visitTrivial(QualType FT, SourceLocation SL) {}
9675   void visitVolatileTrivial(QualType FT, SourceLocation SL) {}
9676 
9677   static void diag(QualType RT, const Expr *E, Sema &S) {
9678     SearchNonTrivialToCopyField(E, S).visitStruct(RT, SourceLocation());
9679   }
9680 
9681   ASTContext &getContext() { return S.getASTContext(); }
9682 
9683   const Expr *E;
9684   Sema &S;
9685 };
9686 
9687 }
9688 
9689 /// Detect if \c SizeofExpr is likely to calculate the sizeof an object.
9690 static bool doesExprLikelyComputeSize(const Expr *SizeofExpr) {
9691   SizeofExpr = SizeofExpr->IgnoreParenImpCasts();
9692 
9693   if (const auto *BO = dyn_cast<BinaryOperator>(SizeofExpr)) {
9694     if (BO->getOpcode() != BO_Mul && BO->getOpcode() != BO_Add)
9695       return false;
9696 
9697     return doesExprLikelyComputeSize(BO->getLHS()) ||
9698            doesExprLikelyComputeSize(BO->getRHS());
9699   }
9700 
9701   return getAsSizeOfExpr(SizeofExpr) != nullptr;
9702 }
9703 
9704 /// Check if the ArgLoc originated from a macro passed to the call at CallLoc.
9705 ///
9706 /// \code
9707 ///   #define MACRO 0
9708 ///   foo(MACRO);
9709 ///   foo(0);
9710 /// \endcode
9711 ///
9712 /// This should return true for the first call to foo, but not for the second
9713 /// (regardless of whether foo is a macro or function).
9714 static bool isArgumentExpandedFromMacro(SourceManager &SM,
9715                                         SourceLocation CallLoc,
9716                                         SourceLocation ArgLoc) {
9717   if (!CallLoc.isMacroID())
9718     return SM.getFileID(CallLoc) != SM.getFileID(ArgLoc);
9719 
9720   return SM.getFileID(SM.getImmediateMacroCallerLoc(CallLoc)) !=
9721          SM.getFileID(SM.getImmediateMacroCallerLoc(ArgLoc));
9722 }
9723 
9724 /// Diagnose cases like 'memset(buf, sizeof(buf), 0)', which should have the
9725 /// last two arguments transposed.
9726 static void CheckMemaccessSize(Sema &S, unsigned BId, const CallExpr *Call) {
9727   if (BId != Builtin::BImemset && BId != Builtin::BIbzero)
9728     return;
9729 
9730   const Expr *SizeArg =
9731     Call->getArg(BId == Builtin::BImemset ? 2 : 1)->IgnoreImpCasts();
9732 
9733   auto isLiteralZero = [](const Expr *E) {
9734     return (isa<IntegerLiteral>(E) &&
9735             cast<IntegerLiteral>(E)->getValue() == 0) ||
9736            (isa<CharacterLiteral>(E) &&
9737             cast<CharacterLiteral>(E)->getValue() == 0);
9738   };
9739 
9740   // If we're memsetting or bzeroing 0 bytes, then this is likely an error.
9741   SourceLocation CallLoc = Call->getRParenLoc();
9742   SourceManager &SM = S.getSourceManager();
9743   if (isLiteralZero(SizeArg) &&
9744       !isArgumentExpandedFromMacro(SM, CallLoc, SizeArg->getExprLoc())) {
9745 
9746     SourceLocation DiagLoc = SizeArg->getExprLoc();
9747 
9748     // Some platforms #define bzero to __builtin_memset. See if this is the
9749     // case, and if so, emit a better diagnostic.
9750     if (BId == Builtin::BIbzero ||
9751         (CallLoc.isMacroID() && Lexer::getImmediateMacroName(
9752                                     CallLoc, SM, S.getLangOpts()) == "bzero")) {
9753       S.Diag(DiagLoc, diag::warn_suspicious_bzero_size);
9754       S.Diag(DiagLoc, diag::note_suspicious_bzero_size_silence);
9755     } else if (!isLiteralZero(Call->getArg(1)->IgnoreImpCasts())) {
9756       S.Diag(DiagLoc, diag::warn_suspicious_sizeof_memset) << 0;
9757       S.Diag(DiagLoc, diag::note_suspicious_sizeof_memset_silence) << 0;
9758     }
9759     return;
9760   }
9761 
9762   // If the second argument to a memset is a sizeof expression and the third
9763   // isn't, this is also likely an error. This should catch
9764   // 'memset(buf, sizeof(buf), 0xff)'.
9765   if (BId == Builtin::BImemset &&
9766       doesExprLikelyComputeSize(Call->getArg(1)) &&
9767       !doesExprLikelyComputeSize(Call->getArg(2))) {
9768     SourceLocation DiagLoc = Call->getArg(1)->getExprLoc();
9769     S.Diag(DiagLoc, diag::warn_suspicious_sizeof_memset) << 1;
9770     S.Diag(DiagLoc, diag::note_suspicious_sizeof_memset_silence) << 1;
9771     return;
9772   }
9773 }
9774 
9775 void Sema::CheckMemaccessArguments(const CallExpr *Call,
9776                                    unsigned BId,
9777                                    IdentifierInfo *FnName) {
9778   assert(BId != 0);
9779 
9780   // It is possible to have a non-standard definition of memset.  Validate
9781   // we have enough arguments, and if not, abort further checking.
9782   unsigned ExpectedNumArgs =
9783       (BId == Builtin::BIstrndup || BId == Builtin::BIbzero ? 2 : 3);
9784   if (Call->getNumArgs() < ExpectedNumArgs)
9785     return;
9786 
9787   unsigned LastArg = (BId == Builtin::BImemset || BId == Builtin::BIbzero ||
9788                       BId == Builtin::BIstrndup ? 1 : 2);
9789   unsigned LenArg =
9790       (BId == Builtin::BIbzero || BId == Builtin::BIstrndup ? 1 : 2);
9791   const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts();
9792 
9793   if (CheckMemorySizeofForComparison(*this, LenExpr, FnName,
9794                                      Call->getBeginLoc(), Call->getRParenLoc()))
9795     return;
9796 
9797   // Catch cases like 'memset(buf, sizeof(buf), 0)'.
9798   CheckMemaccessSize(*this, BId, Call);
9799 
9800   // We have special checking when the length is a sizeof expression.
9801   QualType SizeOfArgTy = getSizeOfArgType(LenExpr);
9802   const Expr *SizeOfArg = getSizeOfExprArg(LenExpr);
9803   llvm::FoldingSetNodeID SizeOfArgID;
9804 
9805   // Although widely used, 'bzero' is not a standard function. Be more strict
9806   // with the argument types before allowing diagnostics and only allow the
9807   // form bzero(ptr, sizeof(...)).
9808   QualType FirstArgTy = Call->getArg(0)->IgnoreParenImpCasts()->getType();
9809   if (BId == Builtin::BIbzero && !FirstArgTy->getAs<PointerType>())
9810     return;
9811 
9812   for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) {
9813     const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts();
9814     SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange();
9815 
9816     QualType DestTy = Dest->getType();
9817     QualType PointeeTy;
9818     if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) {
9819       PointeeTy = DestPtrTy->getPointeeType();
9820 
9821       // Never warn about void type pointers. This can be used to suppress
9822       // false positives.
9823       if (PointeeTy->isVoidType())
9824         continue;
9825 
9826       // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by
9827       // actually comparing the expressions for equality. Because computing the
9828       // expression IDs can be expensive, we only do this if the diagnostic is
9829       // enabled.
9830       if (SizeOfArg &&
9831           !Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess,
9832                            SizeOfArg->getExprLoc())) {
9833         // We only compute IDs for expressions if the warning is enabled, and
9834         // cache the sizeof arg's ID.
9835         if (SizeOfArgID == llvm::FoldingSetNodeID())
9836           SizeOfArg->Profile(SizeOfArgID, Context, true);
9837         llvm::FoldingSetNodeID DestID;
9838         Dest->Profile(DestID, Context, true);
9839         if (DestID == SizeOfArgID) {
9840           // TODO: For strncpy() and friends, this could suggest sizeof(dst)
9841           //       over sizeof(src) as well.
9842           unsigned ActionIdx = 0; // Default is to suggest dereferencing.
9843           StringRef ReadableName = FnName->getName();
9844 
9845           if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest))
9846             if (UnaryOp->getOpcode() == UO_AddrOf)
9847               ActionIdx = 1; // If its an address-of operator, just remove it.
9848           if (!PointeeTy->isIncompleteType() &&
9849               (Context.getTypeSize(PointeeTy) == Context.getCharWidth()))
9850             ActionIdx = 2; // If the pointee's size is sizeof(char),
9851                            // suggest an explicit length.
9852 
9853           // If the function is defined as a builtin macro, do not show macro
9854           // expansion.
9855           SourceLocation SL = SizeOfArg->getExprLoc();
9856           SourceRange DSR = Dest->getSourceRange();
9857           SourceRange SSR = SizeOfArg->getSourceRange();
9858           SourceManager &SM = getSourceManager();
9859 
9860           if (SM.isMacroArgExpansion(SL)) {
9861             ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts);
9862             SL = SM.getSpellingLoc(SL);
9863             DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()),
9864                              SM.getSpellingLoc(DSR.getEnd()));
9865             SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()),
9866                              SM.getSpellingLoc(SSR.getEnd()));
9867           }
9868 
9869           DiagRuntimeBehavior(SL, SizeOfArg,
9870                               PDiag(diag::warn_sizeof_pointer_expr_memaccess)
9871                                 << ReadableName
9872                                 << PointeeTy
9873                                 << DestTy
9874                                 << DSR
9875                                 << SSR);
9876           DiagRuntimeBehavior(SL, SizeOfArg,
9877                          PDiag(diag::warn_sizeof_pointer_expr_memaccess_note)
9878                                 << ActionIdx
9879                                 << SSR);
9880 
9881           break;
9882         }
9883       }
9884 
9885       // Also check for cases where the sizeof argument is the exact same
9886       // type as the memory argument, and where it points to a user-defined
9887       // record type.
9888       if (SizeOfArgTy != QualType()) {
9889         if (PointeeTy->isRecordType() &&
9890             Context.typesAreCompatible(SizeOfArgTy, DestTy)) {
9891           DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest,
9892                               PDiag(diag::warn_sizeof_pointer_type_memaccess)
9893                                 << FnName << SizeOfArgTy << ArgIdx
9894                                 << PointeeTy << Dest->getSourceRange()
9895                                 << LenExpr->getSourceRange());
9896           break;
9897         }
9898       }
9899     } else if (DestTy->isArrayType()) {
9900       PointeeTy = DestTy;
9901     }
9902 
9903     if (PointeeTy == QualType())
9904       continue;
9905 
9906     // Always complain about dynamic classes.
9907     bool IsContained;
9908     if (const CXXRecordDecl *ContainedRD =
9909             getContainedDynamicClass(PointeeTy, IsContained)) {
9910 
9911       unsigned OperationType = 0;
9912       const bool IsCmp = BId == Builtin::BImemcmp || BId == Builtin::BIbcmp;
9913       // "overwritten" if we're warning about the destination for any call
9914       // but memcmp; otherwise a verb appropriate to the call.
9915       if (ArgIdx != 0 || IsCmp) {
9916         if (BId == Builtin::BImemcpy)
9917           OperationType = 1;
9918         else if(BId == Builtin::BImemmove)
9919           OperationType = 2;
9920         else if (IsCmp)
9921           OperationType = 3;
9922       }
9923 
9924       DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9925                           PDiag(diag::warn_dyn_class_memaccess)
9926                               << (IsCmp ? ArgIdx + 2 : ArgIdx) << FnName
9927                               << IsContained << ContainedRD << OperationType
9928                               << Call->getCallee()->getSourceRange());
9929     } else if (PointeeTy.hasNonTrivialObjCLifetime() &&
9930              BId != Builtin::BImemset)
9931       DiagRuntimeBehavior(
9932         Dest->getExprLoc(), Dest,
9933         PDiag(diag::warn_arc_object_memaccess)
9934           << ArgIdx << FnName << PointeeTy
9935           << Call->getCallee()->getSourceRange());
9936     else if (const auto *RT = PointeeTy->getAs<RecordType>()) {
9937 
9938       // FIXME: Do not consider incomplete types even though they may be
9939       // completed later. GCC does not diagnose such code, but we may want to
9940       // consider diagnosing it in the future, perhaps under a different, but
9941       // related, diagnostic group.
9942       bool NonTriviallyCopyableCXXRecord =
9943           getLangOpts().CPlusPlus && !RT->isIncompleteType() &&
9944           !RT->desugar().isTriviallyCopyableType(Context);
9945 
9946       if ((BId == Builtin::BImemset || BId == Builtin::BIbzero) &&
9947           RT->getDecl()->isNonTrivialToPrimitiveDefaultInitialize()) {
9948         DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9949                             PDiag(diag::warn_cstruct_memaccess)
9950                                 << ArgIdx << FnName << PointeeTy << 0);
9951         SearchNonTrivialToInitializeField::diag(PointeeTy, Dest, *this);
9952       } else if ((BId == Builtin::BImemset || BId == Builtin::BIbzero) &&
9953                  NonTriviallyCopyableCXXRecord && ArgIdx == 0) {
9954         // FIXME: Limiting this warning to dest argument until we decide
9955         // whether it's valid for source argument too.
9956         DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9957                             PDiag(diag::warn_cxxstruct_memaccess)
9958                                 << FnName << PointeeTy);
9959       } else if ((BId == Builtin::BImemcpy || BId == Builtin::BImemmove) &&
9960                  RT->getDecl()->isNonTrivialToPrimitiveCopy()) {
9961         DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9962                             PDiag(diag::warn_cstruct_memaccess)
9963                                 << ArgIdx << FnName << PointeeTy << 1);
9964         SearchNonTrivialToCopyField::diag(PointeeTy, Dest, *this);
9965       } else if ((BId == Builtin::BImemcpy || BId == Builtin::BImemmove) &&
9966                  NonTriviallyCopyableCXXRecord && ArgIdx == 0) {
9967         // FIXME: Limiting this warning to dest argument until we decide
9968         // whether it's valid for source argument too.
9969         DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9970                             PDiag(diag::warn_cxxstruct_memaccess)
9971                                 << FnName << PointeeTy);
9972       } else {
9973         continue;
9974       }
9975     } else
9976       continue;
9977 
9978     DiagRuntimeBehavior(
9979       Dest->getExprLoc(), Dest,
9980       PDiag(diag::note_bad_memaccess_silence)
9981         << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)"));
9982     break;
9983   }
9984 }
9985 
9986 // A little helper routine: ignore addition and subtraction of integer literals.
9987 // This intentionally does not ignore all integer constant expressions because
9988 // we don't want to remove sizeof().
9989 static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) {
9990   Ex = Ex->IgnoreParenCasts();
9991 
9992   while (true) {
9993     const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex);
9994     if (!BO || !BO->isAdditiveOp())
9995       break;
9996 
9997     const Expr *RHS = BO->getRHS()->IgnoreParenCasts();
9998     const Expr *LHS = BO->getLHS()->IgnoreParenCasts();
9999 
10000     if (isa<IntegerLiteral>(RHS))
10001       Ex = LHS;
10002     else if (isa<IntegerLiteral>(LHS))
10003       Ex = RHS;
10004     else
10005       break;
10006   }
10007 
10008   return Ex;
10009 }
10010 
10011 static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty,
10012                                                       ASTContext &Context) {
10013   // Only handle constant-sized or VLAs, but not flexible members.
10014   if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) {
10015     // Only issue the FIXIT for arrays of size > 1.
10016     if (CAT->getZExtSize() <= 1)
10017       return false;
10018   } else if (!Ty->isVariableArrayType()) {
10019     return false;
10020   }
10021   return true;
10022 }
10023 
10024 void Sema::CheckStrlcpycatArguments(const CallExpr *Call,
10025                                     IdentifierInfo *FnName) {
10026 
10027   // Don't crash if the user has the wrong number of arguments
10028   unsigned NumArgs = Call->getNumArgs();
10029   if ((NumArgs != 3) && (NumArgs != 4))
10030     return;
10031 
10032   const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context);
10033   const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context);
10034   const Expr *CompareWithSrc = nullptr;
10035 
10036   if (CheckMemorySizeofForComparison(*this, SizeArg, FnName,
10037                                      Call->getBeginLoc(), Call->getRParenLoc()))
10038     return;
10039 
10040   // Look for 'strlcpy(dst, x, sizeof(x))'
10041   if (const Expr *Ex = getSizeOfExprArg(SizeArg))
10042     CompareWithSrc = Ex;
10043   else {
10044     // Look for 'strlcpy(dst, x, strlen(x))'
10045     if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) {
10046       if (SizeCall->getBuiltinCallee() == Builtin::BIstrlen &&
10047           SizeCall->getNumArgs() == 1)
10048         CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context);
10049     }
10050   }
10051 
10052   if (!CompareWithSrc)
10053     return;
10054 
10055   // Determine if the argument to sizeof/strlen is equal to the source
10056   // argument.  In principle there's all kinds of things you could do
10057   // here, for instance creating an == expression and evaluating it with
10058   // EvaluateAsBooleanCondition, but this uses a more direct technique:
10059   const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg);
10060   if (!SrcArgDRE)
10061     return;
10062 
10063   const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc);
10064   if (!CompareWithSrcDRE ||
10065       SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl())
10066     return;
10067 
10068   const Expr *OriginalSizeArg = Call->getArg(2);
10069   Diag(CompareWithSrcDRE->getBeginLoc(), diag::warn_strlcpycat_wrong_size)
10070       << OriginalSizeArg->getSourceRange() << FnName;
10071 
10072   // Output a FIXIT hint if the destination is an array (rather than a
10073   // pointer to an array).  This could be enhanced to handle some
10074   // pointers if we know the actual size, like if DstArg is 'array+2'
10075   // we could say 'sizeof(array)-2'.
10076   const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts();
10077   if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context))
10078     return;
10079 
10080   SmallString<128> sizeString;
10081   llvm::raw_svector_ostream OS(sizeString);
10082   OS << "sizeof(";
10083   DstArg->printPretty(OS, nullptr, getPrintingPolicy());
10084   OS << ")";
10085 
10086   Diag(OriginalSizeArg->getBeginLoc(), diag::note_strlcpycat_wrong_size)
10087       << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(),
10088                                       OS.str());
10089 }
10090 
10091 /// Check if two expressions refer to the same declaration.
10092 static bool referToTheSameDecl(const Expr *E1, const Expr *E2) {
10093   if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1))
10094     if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2))
10095       return D1->getDecl() == D2->getDecl();
10096   return false;
10097 }
10098 
10099 static const Expr *getStrlenExprArg(const Expr *E) {
10100   if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
10101     const FunctionDecl *FD = CE->getDirectCallee();
10102     if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen)
10103       return nullptr;
10104     return CE->getArg(0)->IgnoreParenCasts();
10105   }
10106   return nullptr;
10107 }
10108 
10109 void Sema::CheckStrncatArguments(const CallExpr *CE,
10110                                  const IdentifierInfo *FnName) {
10111   // Don't crash if the user has the wrong number of arguments.
10112   if (CE->getNumArgs() < 3)
10113     return;
10114   const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts();
10115   const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts();
10116   const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts();
10117 
10118   if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getBeginLoc(),
10119                                      CE->getRParenLoc()))
10120     return;
10121 
10122   // Identify common expressions, which are wrongly used as the size argument
10123   // to strncat and may lead to buffer overflows.
10124   unsigned PatternType = 0;
10125   if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) {
10126     // - sizeof(dst)
10127     if (referToTheSameDecl(SizeOfArg, DstArg))
10128       PatternType = 1;
10129     // - sizeof(src)
10130     else if (referToTheSameDecl(SizeOfArg, SrcArg))
10131       PatternType = 2;
10132   } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) {
10133     if (BE->getOpcode() == BO_Sub) {
10134       const Expr *L = BE->getLHS()->IgnoreParenCasts();
10135       const Expr *R = BE->getRHS()->IgnoreParenCasts();
10136       // - sizeof(dst) - strlen(dst)
10137       if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) &&
10138           referToTheSameDecl(DstArg, getStrlenExprArg(R)))
10139         PatternType = 1;
10140       // - sizeof(src) - (anything)
10141       else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L)))
10142         PatternType = 2;
10143     }
10144   }
10145 
10146   if (PatternType == 0)
10147     return;
10148 
10149   // Generate the diagnostic.
10150   SourceLocation SL = LenArg->getBeginLoc();
10151   SourceRange SR = LenArg->getSourceRange();
10152   SourceManager &SM = getSourceManager();
10153 
10154   // If the function is defined as a builtin macro, do not show macro expansion.
10155   if (SM.isMacroArgExpansion(SL)) {
10156     SL = SM.getSpellingLoc(SL);
10157     SR = SourceRange(SM.getSpellingLoc(SR.getBegin()),
10158                      SM.getSpellingLoc(SR.getEnd()));
10159   }
10160 
10161   // Check if the destination is an array (rather than a pointer to an array).
10162   QualType DstTy = DstArg->getType();
10163   bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy,
10164                                                                     Context);
10165   if (!isKnownSizeArray) {
10166     if (PatternType == 1)
10167       Diag(SL, diag::warn_strncat_wrong_size) << SR;
10168     else
10169       Diag(SL, diag::warn_strncat_src_size) << SR;
10170     return;
10171   }
10172 
10173   if (PatternType == 1)
10174     Diag(SL, diag::warn_strncat_large_size) << SR;
10175   else
10176     Diag(SL, diag::warn_strncat_src_size) << SR;
10177 
10178   SmallString<128> sizeString;
10179   llvm::raw_svector_ostream OS(sizeString);
10180   OS << "sizeof(";
10181   DstArg->printPretty(OS, nullptr, getPrintingPolicy());
10182   OS << ") - ";
10183   OS << "strlen(";
10184   DstArg->printPretty(OS, nullptr, getPrintingPolicy());
10185   OS << ") - 1";
10186 
10187   Diag(SL, diag::note_strncat_wrong_size)
10188     << FixItHint::CreateReplacement(SR, OS.str());
10189 }
10190 
10191 namespace {
10192 void CheckFreeArgumentsOnLvalue(Sema &S, const std::string &CalleeName,
10193                                 const UnaryOperator *UnaryExpr, const Decl *D) {
10194   if (isa<FieldDecl, FunctionDecl, VarDecl>(D)) {
10195     S.Diag(UnaryExpr->getBeginLoc(), diag::warn_free_nonheap_object)
10196         << CalleeName << 0 /*object: */ << cast<NamedDecl>(D);
10197     return;
10198   }
10199 }
10200 
10201 void CheckFreeArgumentsAddressof(Sema &S, const std::string &CalleeName,
10202                                  const UnaryOperator *UnaryExpr) {
10203   if (const auto *Lvalue = dyn_cast<DeclRefExpr>(UnaryExpr->getSubExpr())) {
10204     const Decl *D = Lvalue->getDecl();
10205     if (const auto *DD = dyn_cast<DeclaratorDecl>(D)) {
10206       if (!DD->getType()->isReferenceType())
10207         return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr, D);
10208     }
10209   }
10210 
10211   if (const auto *Lvalue = dyn_cast<MemberExpr>(UnaryExpr->getSubExpr()))
10212     return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr,
10213                                       Lvalue->getMemberDecl());
10214 }
10215 
10216 void CheckFreeArgumentsPlus(Sema &S, const std::string &CalleeName,
10217                             const UnaryOperator *UnaryExpr) {
10218   const auto *Lambda = dyn_cast<LambdaExpr>(
10219       UnaryExpr->getSubExpr()->IgnoreImplicitAsWritten()->IgnoreParens());
10220   if (!Lambda)
10221     return;
10222 
10223   S.Diag(Lambda->getBeginLoc(), diag::warn_free_nonheap_object)
10224       << CalleeName << 2 /*object: lambda expression*/;
10225 }
10226 
10227 void CheckFreeArgumentsStackArray(Sema &S, const std::string &CalleeName,
10228                                   const DeclRefExpr *Lvalue) {
10229   const auto *Var = dyn_cast<VarDecl>(Lvalue->getDecl());
10230   if (Var == nullptr)
10231     return;
10232 
10233   S.Diag(Lvalue->getBeginLoc(), diag::warn_free_nonheap_object)
10234       << CalleeName << 0 /*object: */ << Var;
10235 }
10236 
10237 void CheckFreeArgumentsCast(Sema &S, const std::string &CalleeName,
10238                             const CastExpr *Cast) {
10239   SmallString<128> SizeString;
10240   llvm::raw_svector_ostream OS(SizeString);
10241 
10242   clang::CastKind Kind = Cast->getCastKind();
10243   if (Kind == clang::CK_BitCast &&
10244       !Cast->getSubExpr()->getType()->isFunctionPointerType())
10245     return;
10246   if (Kind == clang::CK_IntegralToPointer &&
10247       !isa<IntegerLiteral>(
10248           Cast->getSubExpr()->IgnoreParenImpCasts()->IgnoreParens()))
10249     return;
10250 
10251   switch (Cast->getCastKind()) {
10252   case clang::CK_BitCast:
10253   case clang::CK_IntegralToPointer:
10254   case clang::CK_FunctionToPointerDecay:
10255     OS << '\'';
10256     Cast->printPretty(OS, nullptr, S.getPrintingPolicy());
10257     OS << '\'';
10258     break;
10259   default:
10260     return;
10261   }
10262 
10263   S.Diag(Cast->getBeginLoc(), diag::warn_free_nonheap_object)
10264       << CalleeName << 0 /*object: */ << OS.str();
10265 }
10266 } // namespace
10267 
10268 void Sema::CheckFreeArguments(const CallExpr *E) {
10269   const std::string CalleeName =
10270       cast<FunctionDecl>(E->getCalleeDecl())->getQualifiedNameAsString();
10271 
10272   { // Prefer something that doesn't involve a cast to make things simpler.
10273     const Expr *Arg = E->getArg(0)->IgnoreParenCasts();
10274     if (const auto *UnaryExpr = dyn_cast<UnaryOperator>(Arg))
10275       switch (UnaryExpr->getOpcode()) {
10276       case UnaryOperator::Opcode::UO_AddrOf:
10277         return CheckFreeArgumentsAddressof(*this, CalleeName, UnaryExpr);
10278       case UnaryOperator::Opcode::UO_Plus:
10279         return CheckFreeArgumentsPlus(*this, CalleeName, UnaryExpr);
10280       default:
10281         break;
10282       }
10283 
10284     if (const auto *Lvalue = dyn_cast<DeclRefExpr>(Arg))
10285       if (Lvalue->getType()->isArrayType())
10286         return CheckFreeArgumentsStackArray(*this, CalleeName, Lvalue);
10287 
10288     if (const auto *Label = dyn_cast<AddrLabelExpr>(Arg)) {
10289       Diag(Label->getBeginLoc(), diag::warn_free_nonheap_object)
10290           << CalleeName << 0 /*object: */ << Label->getLabel()->getIdentifier();
10291       return;
10292     }
10293 
10294     if (isa<BlockExpr>(Arg)) {
10295       Diag(Arg->getBeginLoc(), diag::warn_free_nonheap_object)
10296           << CalleeName << 1 /*object: block*/;
10297       return;
10298     }
10299   }
10300   // Maybe the cast was important, check after the other cases.
10301   if (const auto *Cast = dyn_cast<CastExpr>(E->getArg(0)))
10302     return CheckFreeArgumentsCast(*this, CalleeName, Cast);
10303 }
10304 
10305 void
10306 Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType,
10307                          SourceLocation ReturnLoc,
10308                          bool isObjCMethod,
10309                          const AttrVec *Attrs,
10310                          const FunctionDecl *FD) {
10311   // Check if the return value is null but should not be.
10312   if (((Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs)) ||
10313        (!isObjCMethod && isNonNullType(lhsType))) &&
10314       CheckNonNullExpr(*this, RetValExp))
10315     Diag(ReturnLoc, diag::warn_null_ret)
10316       << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange();
10317 
10318   // C++11 [basic.stc.dynamic.allocation]p4:
10319   //   If an allocation function declared with a non-throwing
10320   //   exception-specification fails to allocate storage, it shall return
10321   //   a null pointer. Any other allocation function that fails to allocate
10322   //   storage shall indicate failure only by throwing an exception [...]
10323   if (FD) {
10324     OverloadedOperatorKind Op = FD->getOverloadedOperator();
10325     if (Op == OO_New || Op == OO_Array_New) {
10326       const FunctionProtoType *Proto
10327         = FD->getType()->castAs<FunctionProtoType>();
10328       if (!Proto->isNothrow(/*ResultIfDependent*/true) &&
10329           CheckNonNullExpr(*this, RetValExp))
10330         Diag(ReturnLoc, diag::warn_operator_new_returns_null)
10331           << FD << getLangOpts().CPlusPlus11;
10332     }
10333   }
10334 
10335   if (RetValExp && RetValExp->getType()->isWebAssemblyTableType()) {
10336     Diag(ReturnLoc, diag::err_wasm_table_art) << 1;
10337   }
10338 
10339   // PPC MMA non-pointer types are not allowed as return type. Checking the type
10340   // here prevent the user from using a PPC MMA type as trailing return type.
10341   if (Context.getTargetInfo().getTriple().isPPC64())
10342     PPC().CheckPPCMMAType(RetValExp->getType(), ReturnLoc);
10343 }
10344 
10345 void Sema::CheckFloatComparison(SourceLocation Loc, const Expr *LHS,
10346                                 const Expr *RHS, BinaryOperatorKind Opcode) {
10347   if (!BinaryOperator::isEqualityOp(Opcode))
10348     return;
10349 
10350   // Match and capture subexpressions such as "(float) X == 0.1".
10351   const FloatingLiteral *FPLiteral;
10352   const CastExpr *FPCast;
10353   auto getCastAndLiteral = [&FPLiteral, &FPCast](const Expr *L, const Expr *R) {
10354     FPLiteral = dyn_cast<FloatingLiteral>(L->IgnoreParens());
10355     FPCast = dyn_cast<CastExpr>(R->IgnoreParens());
10356     return FPLiteral && FPCast;
10357   };
10358 
10359   if (getCastAndLiteral(LHS, RHS) || getCastAndLiteral(RHS, LHS)) {
10360     auto *SourceTy = FPCast->getSubExpr()->getType()->getAs<BuiltinType>();
10361     auto *TargetTy = FPLiteral->getType()->getAs<BuiltinType>();
10362     if (SourceTy && TargetTy && SourceTy->isFloatingPoint() &&
10363         TargetTy->isFloatingPoint()) {
10364       bool Lossy;
10365       llvm::APFloat TargetC = FPLiteral->getValue();
10366       TargetC.convert(Context.getFloatTypeSemantics(QualType(SourceTy, 0)),
10367                       llvm::APFloat::rmNearestTiesToEven, &Lossy);
10368       if (Lossy) {
10369         // If the literal cannot be represented in the source type, then a
10370         // check for == is always false and check for != is always true.
10371         Diag(Loc, diag::warn_float_compare_literal)
10372             << (Opcode == BO_EQ) << QualType(SourceTy, 0)
10373             << LHS->getSourceRange() << RHS->getSourceRange();
10374         return;
10375       }
10376     }
10377   }
10378 
10379   // Match a more general floating-point equality comparison (-Wfloat-equal).
10380   const Expr *LeftExprSansParen = LHS->IgnoreParenImpCasts();
10381   const Expr *RightExprSansParen = RHS->IgnoreParenImpCasts();
10382 
10383   // Special case: check for x == x (which is OK).
10384   // Do not emit warnings for such cases.
10385   if (const auto *DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen))
10386     if (const auto *DRR = dyn_cast<DeclRefExpr>(RightExprSansParen))
10387       if (DRL->getDecl() == DRR->getDecl())
10388         return;
10389 
10390   // Special case: check for comparisons against literals that can be exactly
10391   //  represented by APFloat.  In such cases, do not emit a warning.  This
10392   //  is a heuristic: often comparison against such literals are used to
10393   //  detect if a value in a variable has not changed.  This clearly can
10394   //  lead to false negatives.
10395   if (const auto *FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) {
10396     if (FLL->isExact())
10397       return;
10398   } else if (const auto *FLR = dyn_cast<FloatingLiteral>(RightExprSansParen))
10399     if (FLR->isExact())
10400       return;
10401 
10402   // Check for comparisons with builtin types.
10403   if (const auto *CL = dyn_cast<CallExpr>(LeftExprSansParen);
10404       CL && CL->getBuiltinCallee())
10405     return;
10406 
10407   if (const auto *CR = dyn_cast<CallExpr>(RightExprSansParen);
10408       CR && CR->getBuiltinCallee())
10409     return;
10410 
10411   // Emit the diagnostic.
10412   Diag(Loc, diag::warn_floatingpoint_eq)
10413     << LHS->getSourceRange() << RHS->getSourceRange();
10414 }
10415 
10416 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===//
10417 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===//
10418 
10419 namespace {
10420 
10421 /// Structure recording the 'active' range of an integer-valued
10422 /// expression.
10423 struct IntRange {
10424   /// The number of bits active in the int. Note that this includes exactly one
10425   /// sign bit if !NonNegative.
10426   unsigned Width;
10427 
10428   /// True if the int is known not to have negative values. If so, all leading
10429   /// bits before Width are known zero, otherwise they are known to be the
10430   /// same as the MSB within Width.
10431   bool NonNegative;
10432 
10433   IntRange(unsigned Width, bool NonNegative)
10434       : Width(Width), NonNegative(NonNegative) {}
10435 
10436   /// Number of bits excluding the sign bit.
10437   unsigned valueBits() const {
10438     return NonNegative ? Width : Width - 1;
10439   }
10440 
10441   /// Returns the range of the bool type.
10442   static IntRange forBoolType() {
10443     return IntRange(1, true);
10444   }
10445 
10446   /// Returns the range of an opaque value of the given integral type.
10447   static IntRange forValueOfType(ASTContext &C, QualType T) {
10448     return forValueOfCanonicalType(C,
10449                           T->getCanonicalTypeInternal().getTypePtr());
10450   }
10451 
10452   /// Returns the range of an opaque value of a canonical integral type.
10453   static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) {
10454     assert(T->isCanonicalUnqualified());
10455 
10456     if (const auto *VT = dyn_cast<VectorType>(T))
10457       T = VT->getElementType().getTypePtr();
10458     if (const auto *CT = dyn_cast<ComplexType>(T))
10459       T = CT->getElementType().getTypePtr();
10460     if (const auto *AT = dyn_cast<AtomicType>(T))
10461       T = AT->getValueType().getTypePtr();
10462 
10463     if (!C.getLangOpts().CPlusPlus) {
10464       // For enum types in C code, use the underlying datatype.
10465       if (const auto *ET = dyn_cast<EnumType>(T))
10466         T = ET->getDecl()->getIntegerType().getDesugaredType(C).getTypePtr();
10467     } else if (const auto *ET = dyn_cast<EnumType>(T)) {
10468       // For enum types in C++, use the known bit width of the enumerators.
10469       EnumDecl *Enum = ET->getDecl();
10470       // In C++11, enums can have a fixed underlying type. Use this type to
10471       // compute the range.
10472       if (Enum->isFixed()) {
10473         return IntRange(C.getIntWidth(QualType(T, 0)),
10474                         !ET->isSignedIntegerOrEnumerationType());
10475       }
10476 
10477       unsigned NumPositive = Enum->getNumPositiveBits();
10478       unsigned NumNegative = Enum->getNumNegativeBits();
10479 
10480       if (NumNegative == 0)
10481         return IntRange(NumPositive, true/*NonNegative*/);
10482       else
10483         return IntRange(std::max(NumPositive + 1, NumNegative),
10484                         false/*NonNegative*/);
10485     }
10486 
10487     if (const auto *EIT = dyn_cast<BitIntType>(T))
10488       return IntRange(EIT->getNumBits(), EIT->isUnsigned());
10489 
10490     const BuiltinType *BT = cast<BuiltinType>(T);
10491     assert(BT->isInteger());
10492 
10493     return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
10494   }
10495 
10496   /// Returns the "target" range of a canonical integral type, i.e.
10497   /// the range of values expressible in the type.
10498   ///
10499   /// This matches forValueOfCanonicalType except that enums have the
10500   /// full range of their type, not the range of their enumerators.
10501   static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) {
10502     assert(T->isCanonicalUnqualified());
10503 
10504     if (const VectorType *VT = dyn_cast<VectorType>(T))
10505       T = VT->getElementType().getTypePtr();
10506     if (const ComplexType *CT = dyn_cast<ComplexType>(T))
10507       T = CT->getElementType().getTypePtr();
10508     if (const AtomicType *AT = dyn_cast<AtomicType>(T))
10509       T = AT->getValueType().getTypePtr();
10510     if (const EnumType *ET = dyn_cast<EnumType>(T))
10511       T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr();
10512 
10513     if (const auto *EIT = dyn_cast<BitIntType>(T))
10514       return IntRange(EIT->getNumBits(), EIT->isUnsigned());
10515 
10516     const BuiltinType *BT = cast<BuiltinType>(T);
10517     assert(BT->isInteger());
10518 
10519     return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
10520   }
10521 
10522   /// Returns the supremum of two ranges: i.e. their conservative merge.
10523   static IntRange join(IntRange L, IntRange R) {
10524     bool Unsigned = L.NonNegative && R.NonNegative;
10525     return IntRange(std::max(L.valueBits(), R.valueBits()) + !Unsigned,
10526                     L.NonNegative && R.NonNegative);
10527   }
10528 
10529   /// Return the range of a bitwise-AND of the two ranges.
10530   static IntRange bit_and(IntRange L, IntRange R) {
10531     unsigned Bits = std::max(L.Width, R.Width);
10532     bool NonNegative = false;
10533     if (L.NonNegative) {
10534       Bits = std::min(Bits, L.Width);
10535       NonNegative = true;
10536     }
10537     if (R.NonNegative) {
10538       Bits = std::min(Bits, R.Width);
10539       NonNegative = true;
10540     }
10541     return IntRange(Bits, NonNegative);
10542   }
10543 
10544   /// Return the range of a sum of the two ranges.
10545   static IntRange sum(IntRange L, IntRange R) {
10546     bool Unsigned = L.NonNegative && R.NonNegative;
10547     return IntRange(std::max(L.valueBits(), R.valueBits()) + 1 + !Unsigned,
10548                     Unsigned);
10549   }
10550 
10551   /// Return the range of a difference of the two ranges.
10552   static IntRange difference(IntRange L, IntRange R) {
10553     // We need a 1-bit-wider range if:
10554     //   1) LHS can be negative: least value can be reduced.
10555     //   2) RHS can be negative: greatest value can be increased.
10556     bool CanWiden = !L.NonNegative || !R.NonNegative;
10557     bool Unsigned = L.NonNegative && R.Width == 0;
10558     return IntRange(std::max(L.valueBits(), R.valueBits()) + CanWiden +
10559                         !Unsigned,
10560                     Unsigned);
10561   }
10562 
10563   /// Return the range of a product of the two ranges.
10564   static IntRange product(IntRange L, IntRange R) {
10565     // If both LHS and RHS can be negative, we can form
10566     //   -2^L * -2^R = 2^(L + R)
10567     // which requires L + R + 1 value bits to represent.
10568     bool CanWiden = !L.NonNegative && !R.NonNegative;
10569     bool Unsigned = L.NonNegative && R.NonNegative;
10570     return IntRange(L.valueBits() + R.valueBits() + CanWiden + !Unsigned,
10571                     Unsigned);
10572   }
10573 
10574   /// Return the range of a remainder operation between the two ranges.
10575   static IntRange rem(IntRange L, IntRange R) {
10576     // The result of a remainder can't be larger than the result of
10577     // either side. The sign of the result is the sign of the LHS.
10578     bool Unsigned = L.NonNegative;
10579     return IntRange(std::min(L.valueBits(), R.valueBits()) + !Unsigned,
10580                     Unsigned);
10581   }
10582 };
10583 
10584 } // namespace
10585 
10586 static IntRange GetValueRange(llvm::APSInt &value, unsigned MaxWidth) {
10587   if (value.isSigned() && value.isNegative())
10588     return IntRange(value.getSignificantBits(), false);
10589 
10590   if (value.getBitWidth() > MaxWidth)
10591     value = value.trunc(MaxWidth);
10592 
10593   // isNonNegative() just checks the sign bit without considering
10594   // signedness.
10595   return IntRange(value.getActiveBits(), true);
10596 }
10597 
10598 static IntRange GetValueRange(APValue &result, QualType Ty, unsigned MaxWidth) {
10599   if (result.isInt())
10600     return GetValueRange(result.getInt(), MaxWidth);
10601 
10602   if (result.isVector()) {
10603     IntRange R = GetValueRange(result.getVectorElt(0), Ty, MaxWidth);
10604     for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) {
10605       IntRange El = GetValueRange(result.getVectorElt(i), Ty, MaxWidth);
10606       R = IntRange::join(R, El);
10607     }
10608     return R;
10609   }
10610 
10611   if (result.isComplexInt()) {
10612     IntRange R = GetValueRange(result.getComplexIntReal(), MaxWidth);
10613     IntRange I = GetValueRange(result.getComplexIntImag(), MaxWidth);
10614     return IntRange::join(R, I);
10615   }
10616 
10617   // This can happen with lossless casts to intptr_t of "based" lvalues.
10618   // Assume it might use arbitrary bits.
10619   // FIXME: The only reason we need to pass the type in here is to get
10620   // the sign right on this one case.  It would be nice if APValue
10621   // preserved this.
10622   assert(result.isLValue() || result.isAddrLabelDiff());
10623   return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType());
10624 }
10625 
10626 static QualType GetExprType(const Expr *E) {
10627   QualType Ty = E->getType();
10628   if (const auto *AtomicRHS = Ty->getAs<AtomicType>())
10629     Ty = AtomicRHS->getValueType();
10630   return Ty;
10631 }
10632 
10633 /// Attempts to estimate an approximate range for the given integer expression.
10634 /// Returns a range if successful, otherwise it returns \c std::nullopt if a
10635 /// reliable estimation cannot be determined.
10636 ///
10637 /// \param MaxWidth The width to which the value will be truncated.
10638 /// \param InConstantContext If \c true, interpret the expression within a
10639 ///        constant context.
10640 /// \param Approximate If \c true, provide a likely range of values by assuming
10641 ///        that arithmetic on narrower types remains within those types.
10642 ///        If \c false, return a range that includes all possible values
10643 ///        resulting from the expression.
10644 /// \returns A range of values that the expression might take, or
10645 ///          std::nullopt if a reliable estimation cannot be determined.
10646 static std::optional<IntRange> TryGetExprRange(ASTContext &C, const Expr *E,
10647                                                unsigned MaxWidth,
10648                                                bool InConstantContext,
10649                                                bool Approximate) {
10650   E = E->IgnoreParens();
10651 
10652   // Try a full evaluation first.
10653   Expr::EvalResult result;
10654   if (E->EvaluateAsRValue(result, C, InConstantContext))
10655     return GetValueRange(result.Val, GetExprType(E), MaxWidth);
10656 
10657   // I think we only want to look through implicit casts here; if the
10658   // user has an explicit widening cast, we should treat the value as
10659   // being of the new, wider type.
10660   if (const auto *CE = dyn_cast<ImplicitCastExpr>(E)) {
10661     if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue)
10662       return TryGetExprRange(C, CE->getSubExpr(), MaxWidth, InConstantContext,
10663                              Approximate);
10664 
10665     IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE));
10666 
10667     bool isIntegerCast = CE->getCastKind() == CK_IntegralCast ||
10668                          CE->getCastKind() == CK_BooleanToSignedIntegral;
10669 
10670     // Assume that non-integer casts can span the full range of the type.
10671     if (!isIntegerCast)
10672       return OutputTypeRange;
10673 
10674     std::optional<IntRange> SubRange = TryGetExprRange(
10675         C, CE->getSubExpr(), std::min(MaxWidth, OutputTypeRange.Width),
10676         InConstantContext, Approximate);
10677     if (!SubRange)
10678       return std::nullopt;
10679 
10680     // Bail out if the subexpr's range is as wide as the cast type.
10681     if (SubRange->Width >= OutputTypeRange.Width)
10682       return OutputTypeRange;
10683 
10684     // Otherwise, we take the smaller width, and we're non-negative if
10685     // either the output type or the subexpr is.
10686     return IntRange(SubRange->Width,
10687                     SubRange->NonNegative || OutputTypeRange.NonNegative);
10688   }
10689 
10690   if (const auto *CO = dyn_cast<ConditionalOperator>(E)) {
10691     // If we can fold the condition, just take that operand.
10692     bool CondResult;
10693     if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
10694       return TryGetExprRange(
10695           C, CondResult ? CO->getTrueExpr() : CO->getFalseExpr(), MaxWidth,
10696           InConstantContext, Approximate);
10697 
10698     // Otherwise, conservatively merge.
10699     // TryGetExprRange requires an integer expression, but a throw expression
10700     // results in a void type.
10701     Expr *TrueExpr = CO->getTrueExpr();
10702     if (TrueExpr->getType()->isVoidType())
10703       return std::nullopt;
10704 
10705     std::optional<IntRange> L =
10706         TryGetExprRange(C, TrueExpr, MaxWidth, InConstantContext, Approximate);
10707     if (!L)
10708       return std::nullopt;
10709 
10710     Expr *FalseExpr = CO->getFalseExpr();
10711     if (FalseExpr->getType()->isVoidType())
10712       return std::nullopt;
10713 
10714     std::optional<IntRange> R =
10715         TryGetExprRange(C, FalseExpr, MaxWidth, InConstantContext, Approximate);
10716     if (!R)
10717       return std::nullopt;
10718 
10719     return IntRange::join(*L, *R);
10720   }
10721 
10722   if (const auto *BO = dyn_cast<BinaryOperator>(E)) {
10723     IntRange (*Combine)(IntRange, IntRange) = IntRange::join;
10724 
10725     switch (BO->getOpcode()) {
10726     case BO_Cmp:
10727       llvm_unreachable("builtin <=> should have class type");
10728 
10729     // Boolean-valued operations are single-bit and positive.
10730     case BO_LAnd:
10731     case BO_LOr:
10732     case BO_LT:
10733     case BO_GT:
10734     case BO_LE:
10735     case BO_GE:
10736     case BO_EQ:
10737     case BO_NE:
10738       return IntRange::forBoolType();
10739 
10740     // The type of the assignments is the type of the LHS, so the RHS
10741     // is not necessarily the same type.
10742     case BO_MulAssign:
10743     case BO_DivAssign:
10744     case BO_RemAssign:
10745     case BO_AddAssign:
10746     case BO_SubAssign:
10747     case BO_XorAssign:
10748     case BO_OrAssign:
10749       // TODO: bitfields?
10750       return IntRange::forValueOfType(C, GetExprType(E));
10751 
10752     // Simple assignments just pass through the RHS, which will have
10753     // been coerced to the LHS type.
10754     case BO_Assign:
10755       // TODO: bitfields?
10756       return TryGetExprRange(C, BO->getRHS(), MaxWidth, InConstantContext,
10757                              Approximate);
10758 
10759     // Operations with opaque sources are black-listed.
10760     case BO_PtrMemD:
10761     case BO_PtrMemI:
10762       return IntRange::forValueOfType(C, GetExprType(E));
10763 
10764     // Bitwise-and uses the *infinum* of the two source ranges.
10765     case BO_And:
10766     case BO_AndAssign:
10767       Combine = IntRange::bit_and;
10768       break;
10769 
10770     // Left shift gets black-listed based on a judgement call.
10771     case BO_Shl:
10772       // ...except that we want to treat '1 << (blah)' as logically
10773       // positive.  It's an important idiom.
10774       if (IntegerLiteral *I
10775             = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) {
10776         if (I->getValue() == 1) {
10777           IntRange R = IntRange::forValueOfType(C, GetExprType(E));
10778           return IntRange(R.Width, /*NonNegative*/ true);
10779         }
10780       }
10781       [[fallthrough]];
10782 
10783     case BO_ShlAssign:
10784       return IntRange::forValueOfType(C, GetExprType(E));
10785 
10786     // Right shift by a constant can narrow its left argument.
10787     case BO_Shr:
10788     case BO_ShrAssign: {
10789       std::optional<IntRange> L = TryGetExprRange(
10790           C, BO->getLHS(), MaxWidth, InConstantContext, Approximate);
10791       if (!L)
10792         return std::nullopt;
10793 
10794       // If the shift amount is a positive constant, drop the width by
10795       // that much.
10796       if (std::optional<llvm::APSInt> shift =
10797               BO->getRHS()->getIntegerConstantExpr(C)) {
10798         if (shift->isNonNegative()) {
10799           if (shift->uge(L->Width))
10800             L->Width = (L->NonNegative ? 0 : 1);
10801           else
10802             L->Width -= shift->getZExtValue();
10803         }
10804       }
10805 
10806       return L;
10807     }
10808 
10809     // Comma acts as its right operand.
10810     case BO_Comma:
10811       return TryGetExprRange(C, BO->getRHS(), MaxWidth, InConstantContext,
10812                              Approximate);
10813 
10814     case BO_Add:
10815       if (!Approximate)
10816         Combine = IntRange::sum;
10817       break;
10818 
10819     case BO_Sub:
10820       if (BO->getLHS()->getType()->isPointerType())
10821         return IntRange::forValueOfType(C, GetExprType(E));
10822       if (!Approximate)
10823         Combine = IntRange::difference;
10824       break;
10825 
10826     case BO_Mul:
10827       if (!Approximate)
10828         Combine = IntRange::product;
10829       break;
10830 
10831     // The width of a division result is mostly determined by the size
10832     // of the LHS.
10833     case BO_Div: {
10834       // Don't 'pre-truncate' the operands.
10835       unsigned opWidth = C.getIntWidth(GetExprType(E));
10836       std::optional<IntRange> L = TryGetExprRange(
10837           C, BO->getLHS(), opWidth, InConstantContext, Approximate);
10838       if (!L)
10839         return std::nullopt;
10840 
10841       // If the divisor is constant, use that.
10842       if (std::optional<llvm::APSInt> divisor =
10843               BO->getRHS()->getIntegerConstantExpr(C)) {
10844         unsigned log2 = divisor->logBase2(); // floor(log_2(divisor))
10845         if (log2 >= L->Width)
10846           L->Width = (L->NonNegative ? 0 : 1);
10847         else
10848           L->Width = std::min(L->Width - log2, MaxWidth);
10849         return L;
10850       }
10851 
10852       // Otherwise, just use the LHS's width.
10853       // FIXME: This is wrong if the LHS could be its minimal value and the RHS
10854       // could be -1.
10855       std::optional<IntRange> R = TryGetExprRange(
10856           C, BO->getRHS(), opWidth, InConstantContext, Approximate);
10857       if (!R)
10858         return std::nullopt;
10859 
10860       return IntRange(L->Width, L->NonNegative && R->NonNegative);
10861     }
10862 
10863     case BO_Rem:
10864       Combine = IntRange::rem;
10865       break;
10866 
10867     // The default behavior is okay for these.
10868     case BO_Xor:
10869     case BO_Or:
10870       break;
10871     }
10872 
10873     // Combine the two ranges, but limit the result to the type in which we
10874     // performed the computation.
10875     QualType T = GetExprType(E);
10876     unsigned opWidth = C.getIntWidth(T);
10877     std::optional<IntRange> L = TryGetExprRange(C, BO->getLHS(), opWidth,
10878                                                 InConstantContext, Approximate);
10879     if (!L)
10880       return std::nullopt;
10881 
10882     std::optional<IntRange> R = TryGetExprRange(C, BO->getRHS(), opWidth,
10883                                                 InConstantContext, Approximate);
10884     if (!R)
10885       return std::nullopt;
10886 
10887     IntRange C = Combine(*L, *R);
10888     C.NonNegative |= T->isUnsignedIntegerOrEnumerationType();
10889     C.Width = std::min(C.Width, MaxWidth);
10890     return C;
10891   }
10892 
10893   if (const auto *UO = dyn_cast<UnaryOperator>(E)) {
10894     switch (UO->getOpcode()) {
10895     // Boolean-valued operations are white-listed.
10896     case UO_LNot:
10897       return IntRange::forBoolType();
10898 
10899     // Operations with opaque sources are black-listed.
10900     case UO_Deref:
10901     case UO_AddrOf: // should be impossible
10902       return IntRange::forValueOfType(C, GetExprType(E));
10903 
10904     case UO_Minus: {
10905       if (E->getType()->isUnsignedIntegerType()) {
10906         return TryGetExprRange(C, UO->getSubExpr(), MaxWidth, InConstantContext,
10907                                Approximate);
10908       }
10909 
10910       std::optional<IntRange> SubRange = TryGetExprRange(
10911           C, UO->getSubExpr(), MaxWidth, InConstantContext, Approximate);
10912 
10913       if (!SubRange)
10914         return std::nullopt;
10915 
10916       // If the range was previously non-negative, we need an extra bit for the
10917       // sign bit. Otherwise, we need an extra bit because the negation of the
10918       // most-negative value is one bit wider than that value.
10919       return IntRange(std::min(SubRange->Width + 1, MaxWidth), false);
10920     }
10921 
10922     case UO_Not: {
10923       if (E->getType()->isUnsignedIntegerType()) {
10924         return TryGetExprRange(C, UO->getSubExpr(), MaxWidth, InConstantContext,
10925                                Approximate);
10926       }
10927 
10928       std::optional<IntRange> SubRange = TryGetExprRange(
10929           C, UO->getSubExpr(), MaxWidth, InConstantContext, Approximate);
10930 
10931       if (!SubRange)
10932         return std::nullopt;
10933 
10934       // The width increments by 1 if the sub-expression cannot be negative
10935       // since it now can be.
10936       return IntRange(
10937           std::min(SubRange->Width + (int)SubRange->NonNegative, MaxWidth),
10938           false);
10939     }
10940 
10941     default:
10942       return TryGetExprRange(C, UO->getSubExpr(), MaxWidth, InConstantContext,
10943                              Approximate);
10944     }
10945   }
10946 
10947   if (const auto *OVE = dyn_cast<OpaqueValueExpr>(E))
10948     return TryGetExprRange(C, OVE->getSourceExpr(), MaxWidth, InConstantContext,
10949                            Approximate);
10950 
10951   if (const auto *BitField = E->getSourceBitField())
10952     return IntRange(BitField->getBitWidthValue(),
10953                     BitField->getType()->isUnsignedIntegerOrEnumerationType());
10954 
10955   if (GetExprType(E)->isVoidType())
10956     return std::nullopt;
10957 
10958   return IntRange::forValueOfType(C, GetExprType(E));
10959 }
10960 
10961 static std::optional<IntRange> TryGetExprRange(ASTContext &C, const Expr *E,
10962                                                bool InConstantContext,
10963                                                bool Approximate) {
10964   return TryGetExprRange(C, E, C.getIntWidth(GetExprType(E)), InConstantContext,
10965                          Approximate);
10966 }
10967 
10968 /// Checks whether the given value, which currently has the given
10969 /// source semantics, has the same value when coerced through the
10970 /// target semantics.
10971 static bool IsSameFloatAfterCast(const llvm::APFloat &value,
10972                                  const llvm::fltSemantics &Src,
10973                                  const llvm::fltSemantics &Tgt) {
10974   llvm::APFloat truncated = value;
10975 
10976   bool ignored;
10977   truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored);
10978   truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored);
10979 
10980   return truncated.bitwiseIsEqual(value);
10981 }
10982 
10983 /// Checks whether the given value, which currently has the given
10984 /// source semantics, has the same value when coerced through the
10985 /// target semantics.
10986 ///
10987 /// The value might be a vector of floats (or a complex number).
10988 static bool IsSameFloatAfterCast(const APValue &value,
10989                                  const llvm::fltSemantics &Src,
10990                                  const llvm::fltSemantics &Tgt) {
10991   if (value.isFloat())
10992     return IsSameFloatAfterCast(value.getFloat(), Src, Tgt);
10993 
10994   if (value.isVector()) {
10995     for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i)
10996       if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt))
10997         return false;
10998     return true;
10999   }
11000 
11001   assert(value.isComplexFloat());
11002   return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) &&
11003           IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt));
11004 }
11005 
11006 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC,
11007                                        bool IsListInit = false);
11008 
11009 static bool IsEnumConstOrFromMacro(Sema &S, const Expr *E) {
11010   // Suppress cases where we are comparing against an enum constant.
11011   if (const auto *DR = dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts()))
11012     if (isa<EnumConstantDecl>(DR->getDecl()))
11013       return true;
11014 
11015   // Suppress cases where the value is expanded from a macro, unless that macro
11016   // is how a language represents a boolean literal. This is the case in both C
11017   // and Objective-C.
11018   SourceLocation BeginLoc = E->getBeginLoc();
11019   if (BeginLoc.isMacroID()) {
11020     StringRef MacroName = Lexer::getImmediateMacroName(
11021         BeginLoc, S.getSourceManager(), S.getLangOpts());
11022     return MacroName != "YES" && MacroName != "NO" &&
11023            MacroName != "true" && MacroName != "false";
11024   }
11025 
11026   return false;
11027 }
11028 
11029 static bool isKnownToHaveUnsignedValue(const Expr *E) {
11030   return E->getType()->isIntegerType() &&
11031          (!E->getType()->isSignedIntegerType() ||
11032           !E->IgnoreParenImpCasts()->getType()->isSignedIntegerType());
11033 }
11034 
11035 namespace {
11036 /// The promoted range of values of a type. In general this has the
11037 /// following structure:
11038 ///
11039 ///     |-----------| . . . |-----------|
11040 ///     ^           ^       ^           ^
11041 ///    Min       HoleMin  HoleMax      Max
11042 ///
11043 /// ... where there is only a hole if a signed type is promoted to unsigned
11044 /// (in which case Min and Max are the smallest and largest representable
11045 /// values).
11046 struct PromotedRange {
11047   // Min, or HoleMax if there is a hole.
11048   llvm::APSInt PromotedMin;
11049   // Max, or HoleMin if there is a hole.
11050   llvm::APSInt PromotedMax;
11051 
11052   PromotedRange(IntRange R, unsigned BitWidth, bool Unsigned) {
11053     if (R.Width == 0)
11054       PromotedMin = PromotedMax = llvm::APSInt(BitWidth, Unsigned);
11055     else if (R.Width >= BitWidth && !Unsigned) {
11056       // Promotion made the type *narrower*. This happens when promoting
11057       // a < 32-bit unsigned / <= 32-bit signed bit-field to 'signed int'.
11058       // Treat all values of 'signed int' as being in range for now.
11059       PromotedMin = llvm::APSInt::getMinValue(BitWidth, Unsigned);
11060       PromotedMax = llvm::APSInt::getMaxValue(BitWidth, Unsigned);
11061     } else {
11062       PromotedMin = llvm::APSInt::getMinValue(R.Width, R.NonNegative)
11063                         .extOrTrunc(BitWidth);
11064       PromotedMin.setIsUnsigned(Unsigned);
11065 
11066       PromotedMax = llvm::APSInt::getMaxValue(R.Width, R.NonNegative)
11067                         .extOrTrunc(BitWidth);
11068       PromotedMax.setIsUnsigned(Unsigned);
11069     }
11070   }
11071 
11072   // Determine whether this range is contiguous (has no hole).
11073   bool isContiguous() const { return PromotedMin <= PromotedMax; }
11074 
11075   // Where a constant value is within the range.
11076   enum ComparisonResult {
11077     LT = 0x1,
11078     LE = 0x2,
11079     GT = 0x4,
11080     GE = 0x8,
11081     EQ = 0x10,
11082     NE = 0x20,
11083     InRangeFlag = 0x40,
11084 
11085     Less = LE | LT | NE,
11086     Min = LE | InRangeFlag,
11087     InRange = InRangeFlag,
11088     Max = GE | InRangeFlag,
11089     Greater = GE | GT | NE,
11090 
11091     OnlyValue = LE | GE | EQ | InRangeFlag,
11092     InHole = NE
11093   };
11094 
11095   ComparisonResult compare(const llvm::APSInt &Value) const {
11096     assert(Value.getBitWidth() == PromotedMin.getBitWidth() &&
11097            Value.isUnsigned() == PromotedMin.isUnsigned());
11098     if (!isContiguous()) {
11099       assert(Value.isUnsigned() && "discontiguous range for signed compare");
11100       if (Value.isMinValue()) return Min;
11101       if (Value.isMaxValue()) return Max;
11102       if (Value >= PromotedMin) return InRange;
11103       if (Value <= PromotedMax) return InRange;
11104       return InHole;
11105     }
11106 
11107     switch (llvm::APSInt::compareValues(Value, PromotedMin)) {
11108     case -1: return Less;
11109     case 0: return PromotedMin == PromotedMax ? OnlyValue : Min;
11110     case 1:
11111       switch (llvm::APSInt::compareValues(Value, PromotedMax)) {
11112       case -1: return InRange;
11113       case 0: return Max;
11114       case 1: return Greater;
11115       }
11116     }
11117 
11118     llvm_unreachable("impossible compare result");
11119   }
11120 
11121   static std::optional<StringRef>
11122   constantValue(BinaryOperatorKind Op, ComparisonResult R, bool ConstantOnRHS) {
11123     if (Op == BO_Cmp) {
11124       ComparisonResult LTFlag = LT, GTFlag = GT;
11125       if (ConstantOnRHS) std::swap(LTFlag, GTFlag);
11126 
11127       if (R & EQ) return StringRef("'std::strong_ordering::equal'");
11128       if (R & LTFlag) return StringRef("'std::strong_ordering::less'");
11129       if (R & GTFlag) return StringRef("'std::strong_ordering::greater'");
11130       return std::nullopt;
11131     }
11132 
11133     ComparisonResult TrueFlag, FalseFlag;
11134     if (Op == BO_EQ) {
11135       TrueFlag = EQ;
11136       FalseFlag = NE;
11137     } else if (Op == BO_NE) {
11138       TrueFlag = NE;
11139       FalseFlag = EQ;
11140     } else {
11141       if ((Op == BO_LT || Op == BO_GE) ^ ConstantOnRHS) {
11142         TrueFlag = LT;
11143         FalseFlag = GE;
11144       } else {
11145         TrueFlag = GT;
11146         FalseFlag = LE;
11147       }
11148       if (Op == BO_GE || Op == BO_LE)
11149         std::swap(TrueFlag, FalseFlag);
11150     }
11151     if (R & TrueFlag)
11152       return StringRef("true");
11153     if (R & FalseFlag)
11154       return StringRef("false");
11155     return std::nullopt;
11156   }
11157 };
11158 }
11159 
11160 static bool HasEnumType(const Expr *E) {
11161   // Strip off implicit integral promotions.
11162   while (const auto *ICE = dyn_cast<ImplicitCastExpr>(E)) {
11163     if (ICE->getCastKind() != CK_IntegralCast &&
11164         ICE->getCastKind() != CK_NoOp)
11165       break;
11166     E = ICE->getSubExpr();
11167   }
11168 
11169   return E->getType()->isEnumeralType();
11170 }
11171 
11172 static int classifyConstantValue(Expr *Constant) {
11173   // The values of this enumeration are used in the diagnostics
11174   // diag::warn_out_of_range_compare and diag::warn_tautological_bool_compare.
11175   enum ConstantValueKind {
11176     Miscellaneous = 0,
11177     LiteralTrue,
11178     LiteralFalse
11179   };
11180   if (auto *BL = dyn_cast<CXXBoolLiteralExpr>(Constant))
11181     return BL->getValue() ? ConstantValueKind::LiteralTrue
11182                           : ConstantValueKind::LiteralFalse;
11183   return ConstantValueKind::Miscellaneous;
11184 }
11185 
11186 static bool CheckTautologicalComparison(Sema &S, BinaryOperator *E,
11187                                         Expr *Constant, Expr *Other,
11188                                         const llvm::APSInt &Value,
11189                                         bool RhsConstant) {
11190   if (S.inTemplateInstantiation())
11191     return false;
11192 
11193   Expr *OriginalOther = Other;
11194 
11195   Constant = Constant->IgnoreParenImpCasts();
11196   Other = Other->IgnoreParenImpCasts();
11197 
11198   // Suppress warnings on tautological comparisons between values of the same
11199   // enumeration type. There are only two ways we could warn on this:
11200   //  - If the constant is outside the range of representable values of
11201   //    the enumeration. In such a case, we should warn about the cast
11202   //    to enumeration type, not about the comparison.
11203   //  - If the constant is the maximum / minimum in-range value. For an
11204   //    enumeratin type, such comparisons can be meaningful and useful.
11205   if (Constant->getType()->isEnumeralType() &&
11206       S.Context.hasSameUnqualifiedType(Constant->getType(), Other->getType()))
11207     return false;
11208 
11209   std::optional<IntRange> OtherValueRange = TryGetExprRange(
11210       S.Context, Other, S.isConstantEvaluatedContext(), /*Approximate=*/false);
11211   if (!OtherValueRange)
11212     return false;
11213 
11214   QualType OtherT = Other->getType();
11215   if (const auto *AT = OtherT->getAs<AtomicType>())
11216     OtherT = AT->getValueType();
11217   IntRange OtherTypeRange = IntRange::forValueOfType(S.Context, OtherT);
11218 
11219   // Special case for ObjC BOOL on targets where its a typedef for a signed char
11220   // (Namely, macOS). FIXME: IntRange::forValueOfType should do this.
11221   bool IsObjCSignedCharBool = S.getLangOpts().ObjC &&
11222                               S.ObjC().NSAPIObj->isObjCBOOLType(OtherT) &&
11223                               OtherT->isSpecificBuiltinType(BuiltinType::SChar);
11224 
11225   // Whether we're treating Other as being a bool because of the form of
11226   // expression despite it having another type (typically 'int' in C).
11227   bool OtherIsBooleanDespiteType =
11228       !OtherT->isBooleanType() && Other->isKnownToHaveBooleanValue();
11229   if (OtherIsBooleanDespiteType || IsObjCSignedCharBool)
11230     OtherTypeRange = *OtherValueRange = IntRange::forBoolType();
11231 
11232   // Check if all values in the range of possible values of this expression
11233   // lead to the same comparison outcome.
11234   PromotedRange OtherPromotedValueRange(*OtherValueRange, Value.getBitWidth(),
11235                                         Value.isUnsigned());
11236   auto Cmp = OtherPromotedValueRange.compare(Value);
11237   auto Result = PromotedRange::constantValue(E->getOpcode(), Cmp, RhsConstant);
11238   if (!Result)
11239     return false;
11240 
11241   // Also consider the range determined by the type alone. This allows us to
11242   // classify the warning under the proper diagnostic group.
11243   bool TautologicalTypeCompare = false;
11244   {
11245     PromotedRange OtherPromotedTypeRange(OtherTypeRange, Value.getBitWidth(),
11246                                          Value.isUnsigned());
11247     auto TypeCmp = OtherPromotedTypeRange.compare(Value);
11248     if (auto TypeResult = PromotedRange::constantValue(E->getOpcode(), TypeCmp,
11249                                                        RhsConstant)) {
11250       TautologicalTypeCompare = true;
11251       Cmp = TypeCmp;
11252       Result = TypeResult;
11253     }
11254   }
11255 
11256   // Don't warn if the non-constant operand actually always evaluates to the
11257   // same value.
11258   if (!TautologicalTypeCompare && OtherValueRange->Width == 0)
11259     return false;
11260 
11261   // Suppress the diagnostic for an in-range comparison if the constant comes
11262   // from a macro or enumerator. We don't want to diagnose
11263   //
11264   //   some_long_value <= INT_MAX
11265   //
11266   // when sizeof(int) == sizeof(long).
11267   bool InRange = Cmp & PromotedRange::InRangeFlag;
11268   if (InRange && IsEnumConstOrFromMacro(S, Constant))
11269     return false;
11270 
11271   // A comparison of an unsigned bit-field against 0 is really a type problem,
11272   // even though at the type level the bit-field might promote to 'signed int'.
11273   if (Other->refersToBitField() && InRange && Value == 0 &&
11274       Other->getType()->isUnsignedIntegerOrEnumerationType())
11275     TautologicalTypeCompare = true;
11276 
11277   // If this is a comparison to an enum constant, include that
11278   // constant in the diagnostic.
11279   const EnumConstantDecl *ED = nullptr;
11280   if (const auto *DR = dyn_cast<DeclRefExpr>(Constant))
11281     ED = dyn_cast<EnumConstantDecl>(DR->getDecl());
11282 
11283   // Should be enough for uint128 (39 decimal digits)
11284   SmallString<64> PrettySourceValue;
11285   llvm::raw_svector_ostream OS(PrettySourceValue);
11286   if (ED) {
11287     OS << '\'' << *ED << "' (" << Value << ")";
11288   } else if (auto *BL = dyn_cast<ObjCBoolLiteralExpr>(
11289                Constant->IgnoreParenImpCasts())) {
11290     OS << (BL->getValue() ? "YES" : "NO");
11291   } else {
11292     OS << Value;
11293   }
11294 
11295   if (!TautologicalTypeCompare) {
11296     S.Diag(E->getOperatorLoc(), diag::warn_tautological_compare_value_range)
11297         << RhsConstant << OtherValueRange->Width << OtherValueRange->NonNegative
11298         << E->getOpcodeStr() << OS.str() << *Result
11299         << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
11300     return true;
11301   }
11302 
11303   if (IsObjCSignedCharBool) {
11304     S.DiagRuntimeBehavior(E->getOperatorLoc(), E,
11305                           S.PDiag(diag::warn_tautological_compare_objc_bool)
11306                               << OS.str() << *Result);
11307     return true;
11308   }
11309 
11310   // FIXME: We use a somewhat different formatting for the in-range cases and
11311   // cases involving boolean values for historical reasons. We should pick a
11312   // consistent way of presenting these diagnostics.
11313   if (!InRange || Other->isKnownToHaveBooleanValue()) {
11314 
11315     S.DiagRuntimeBehavior(
11316         E->getOperatorLoc(), E,
11317         S.PDiag(!InRange ? diag::warn_out_of_range_compare
11318                          : diag::warn_tautological_bool_compare)
11319             << OS.str() << classifyConstantValue(Constant) << OtherT
11320             << OtherIsBooleanDespiteType << *Result
11321             << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange());
11322   } else {
11323     bool IsCharTy = OtherT.withoutLocalFastQualifiers() == S.Context.CharTy;
11324     unsigned Diag =
11325         (isKnownToHaveUnsignedValue(OriginalOther) && Value == 0)
11326             ? (HasEnumType(OriginalOther)
11327                    ? diag::warn_unsigned_enum_always_true_comparison
11328                    : IsCharTy ? diag::warn_unsigned_char_always_true_comparison
11329                               : diag::warn_unsigned_always_true_comparison)
11330             : diag::warn_tautological_constant_compare;
11331 
11332     S.Diag(E->getOperatorLoc(), Diag)
11333         << RhsConstant << OtherT << E->getOpcodeStr() << OS.str() << *Result
11334         << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
11335   }
11336 
11337   return true;
11338 }
11339 
11340 /// Analyze the operands of the given comparison.  Implements the
11341 /// fallback case from AnalyzeComparison.
11342 static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) {
11343   AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
11344   AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
11345 }
11346 
11347 /// Implements -Wsign-compare.
11348 ///
11349 /// \param E the binary operator to check for warnings
11350 static void AnalyzeComparison(Sema &S, BinaryOperator *E) {
11351   // The type the comparison is being performed in.
11352   QualType T = E->getLHS()->getType();
11353 
11354   // Only analyze comparison operators where both sides have been converted to
11355   // the same type.
11356   if (!S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()))
11357     return AnalyzeImpConvsInComparison(S, E);
11358 
11359   // Don't analyze value-dependent comparisons directly.
11360   if (E->isValueDependent())
11361     return AnalyzeImpConvsInComparison(S, E);
11362 
11363   Expr *LHS = E->getLHS();
11364   Expr *RHS = E->getRHS();
11365 
11366   if (T->isIntegralType(S.Context)) {
11367     std::optional<llvm::APSInt> RHSValue =
11368         RHS->getIntegerConstantExpr(S.Context);
11369     std::optional<llvm::APSInt> LHSValue =
11370         LHS->getIntegerConstantExpr(S.Context);
11371 
11372     // We don't care about expressions whose result is a constant.
11373     if (RHSValue && LHSValue)
11374       return AnalyzeImpConvsInComparison(S, E);
11375 
11376     // We only care about expressions where just one side is literal
11377     if ((bool)RHSValue ^ (bool)LHSValue) {
11378       // Is the constant on the RHS or LHS?
11379       const bool RhsConstant = (bool)RHSValue;
11380       Expr *Const = RhsConstant ? RHS : LHS;
11381       Expr *Other = RhsConstant ? LHS : RHS;
11382       const llvm::APSInt &Value = RhsConstant ? *RHSValue : *LHSValue;
11383 
11384       // Check whether an integer constant comparison results in a value
11385       // of 'true' or 'false'.
11386       if (CheckTautologicalComparison(S, E, Const, Other, Value, RhsConstant))
11387         return AnalyzeImpConvsInComparison(S, E);
11388     }
11389   }
11390 
11391   if (!T->hasUnsignedIntegerRepresentation()) {
11392     // We don't do anything special if this isn't an unsigned integral
11393     // comparison:  we're only interested in integral comparisons, and
11394     // signed comparisons only happen in cases we don't care to warn about.
11395     return AnalyzeImpConvsInComparison(S, E);
11396   }
11397 
11398   LHS = LHS->IgnoreParenImpCasts();
11399   RHS = RHS->IgnoreParenImpCasts();
11400 
11401   if (!S.getLangOpts().CPlusPlus) {
11402     // Avoid warning about comparison of integers with different signs when
11403     // RHS/LHS has a `typeof(E)` type whose sign is different from the sign of
11404     // the type of `E`.
11405     if (const auto *TET = dyn_cast<TypeOfExprType>(LHS->getType()))
11406       LHS = TET->getUnderlyingExpr()->IgnoreParenImpCasts();
11407     if (const auto *TET = dyn_cast<TypeOfExprType>(RHS->getType()))
11408       RHS = TET->getUnderlyingExpr()->IgnoreParenImpCasts();
11409   }
11410 
11411   // Check to see if one of the (unmodified) operands is of different
11412   // signedness.
11413   Expr *signedOperand, *unsignedOperand;
11414   if (LHS->getType()->hasSignedIntegerRepresentation()) {
11415     assert(!RHS->getType()->hasSignedIntegerRepresentation() &&
11416            "unsigned comparison between two signed integer expressions?");
11417     signedOperand = LHS;
11418     unsignedOperand = RHS;
11419   } else if (RHS->getType()->hasSignedIntegerRepresentation()) {
11420     signedOperand = RHS;
11421     unsignedOperand = LHS;
11422   } else {
11423     return AnalyzeImpConvsInComparison(S, E);
11424   }
11425 
11426   // Otherwise, calculate the effective range of the signed operand.
11427   std::optional<IntRange> signedRange =
11428       TryGetExprRange(S.Context, signedOperand, S.isConstantEvaluatedContext(),
11429                       /*Approximate=*/true);
11430   if (!signedRange)
11431     return;
11432 
11433   // Go ahead and analyze implicit conversions in the operands.  Note
11434   // that we skip the implicit conversions on both sides.
11435   AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc());
11436   AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc());
11437 
11438   // If the signed range is non-negative, -Wsign-compare won't fire.
11439   if (signedRange->NonNegative)
11440     return;
11441 
11442   // For (in)equality comparisons, if the unsigned operand is a
11443   // constant which cannot collide with a overflowed signed operand,
11444   // then reinterpreting the signed operand as unsigned will not
11445   // change the result of the comparison.
11446   if (E->isEqualityOp()) {
11447     unsigned comparisonWidth = S.Context.getIntWidth(T);
11448     std::optional<IntRange> unsignedRange = TryGetExprRange(
11449         S.Context, unsignedOperand, S.isConstantEvaluatedContext(),
11450         /*Approximate=*/true);
11451     if (!unsignedRange)
11452       return;
11453 
11454     // We should never be unable to prove that the unsigned operand is
11455     // non-negative.
11456     assert(unsignedRange->NonNegative && "unsigned range includes negative?");
11457 
11458     if (unsignedRange->Width < comparisonWidth)
11459       return;
11460   }
11461 
11462   S.DiagRuntimeBehavior(E->getOperatorLoc(), E,
11463                         S.PDiag(diag::warn_mixed_sign_comparison)
11464                             << LHS->getType() << RHS->getType()
11465                             << LHS->getSourceRange() << RHS->getSourceRange());
11466 }
11467 
11468 /// Analyzes an attempt to assign the given value to a bitfield.
11469 ///
11470 /// Returns true if there was something fishy about the attempt.
11471 static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init,
11472                                       SourceLocation InitLoc) {
11473   assert(Bitfield->isBitField());
11474   if (Bitfield->isInvalidDecl())
11475     return false;
11476 
11477   // White-list bool bitfields.
11478   QualType BitfieldType = Bitfield->getType();
11479   if (BitfieldType->isBooleanType())
11480      return false;
11481 
11482   if (BitfieldType->isEnumeralType()) {
11483     EnumDecl *BitfieldEnumDecl = BitfieldType->castAs<EnumType>()->getDecl();
11484     // If the underlying enum type was not explicitly specified as an unsigned
11485     // type and the enum contain only positive values, MSVC++ will cause an
11486     // inconsistency by storing this as a signed type.
11487     if (S.getLangOpts().CPlusPlus11 &&
11488         !BitfieldEnumDecl->getIntegerTypeSourceInfo() &&
11489         BitfieldEnumDecl->getNumPositiveBits() > 0 &&
11490         BitfieldEnumDecl->getNumNegativeBits() == 0) {
11491       S.Diag(InitLoc, diag::warn_no_underlying_type_specified_for_enum_bitfield)
11492           << BitfieldEnumDecl;
11493     }
11494   }
11495 
11496   // Ignore value- or type-dependent expressions.
11497   if (Bitfield->getBitWidth()->isValueDependent() ||
11498       Bitfield->getBitWidth()->isTypeDependent() ||
11499       Init->isValueDependent() ||
11500       Init->isTypeDependent())
11501     return false;
11502 
11503   Expr *OriginalInit = Init->IgnoreParenImpCasts();
11504   unsigned FieldWidth = Bitfield->getBitWidthValue();
11505 
11506   Expr::EvalResult Result;
11507   if (!OriginalInit->EvaluateAsInt(Result, S.Context,
11508                                    Expr::SE_AllowSideEffects)) {
11509     // The RHS is not constant.  If the RHS has an enum type, make sure the
11510     // bitfield is wide enough to hold all the values of the enum without
11511     // truncation.
11512     const auto *EnumTy = OriginalInit->getType()->getAs<EnumType>();
11513     const PreferredTypeAttr *PTAttr = nullptr;
11514     if (!EnumTy) {
11515       PTAttr = Bitfield->getAttr<PreferredTypeAttr>();
11516       if (PTAttr)
11517         EnumTy = PTAttr->getType()->getAs<EnumType>();
11518     }
11519     if (EnumTy) {
11520       EnumDecl *ED = EnumTy->getDecl();
11521       bool SignedBitfield = BitfieldType->isSignedIntegerOrEnumerationType();
11522 
11523       // Enum types are implicitly signed on Windows, so check if there are any
11524       // negative enumerators to see if the enum was intended to be signed or
11525       // not.
11526       bool SignedEnum = ED->getNumNegativeBits() > 0;
11527 
11528       // Check for surprising sign changes when assigning enum values to a
11529       // bitfield of different signedness.  If the bitfield is signed and we
11530       // have exactly the right number of bits to store this unsigned enum,
11531       // suggest changing the enum to an unsigned type. This typically happens
11532       // on Windows where unfixed enums always use an underlying type of 'int'.
11533       unsigned DiagID = 0;
11534       if (SignedEnum && !SignedBitfield) {
11535         DiagID =
11536             PTAttr == nullptr
11537                 ? diag::warn_unsigned_bitfield_assigned_signed_enum
11538                 : diag::
11539                       warn_preferred_type_unsigned_bitfield_assigned_signed_enum;
11540       } else if (SignedBitfield && !SignedEnum &&
11541                  ED->getNumPositiveBits() == FieldWidth) {
11542         DiagID =
11543             PTAttr == nullptr
11544                 ? diag::warn_signed_bitfield_enum_conversion
11545                 : diag::warn_preferred_type_signed_bitfield_enum_conversion;
11546       }
11547       if (DiagID) {
11548         S.Diag(InitLoc, DiagID) << Bitfield << ED;
11549         TypeSourceInfo *TSI = Bitfield->getTypeSourceInfo();
11550         SourceRange TypeRange =
11551             TSI ? TSI->getTypeLoc().getSourceRange() : SourceRange();
11552         S.Diag(Bitfield->getTypeSpecStartLoc(), diag::note_change_bitfield_sign)
11553             << SignedEnum << TypeRange;
11554         if (PTAttr)
11555           S.Diag(PTAttr->getLocation(), diag::note_bitfield_preferred_type)
11556               << ED;
11557       }
11558 
11559       // Compute the required bitwidth. If the enum has negative values, we need
11560       // one more bit than the normal number of positive bits to represent the
11561       // sign bit.
11562       unsigned BitsNeeded = SignedEnum ? std::max(ED->getNumPositiveBits() + 1,
11563                                                   ED->getNumNegativeBits())
11564                                        : ED->getNumPositiveBits();
11565 
11566       // Check the bitwidth.
11567       if (BitsNeeded > FieldWidth) {
11568         Expr *WidthExpr = Bitfield->getBitWidth();
11569         auto DiagID =
11570             PTAttr == nullptr
11571                 ? diag::warn_bitfield_too_small_for_enum
11572                 : diag::warn_preferred_type_bitfield_too_small_for_enum;
11573         S.Diag(InitLoc, DiagID) << Bitfield << ED;
11574         S.Diag(WidthExpr->getExprLoc(), diag::note_widen_bitfield)
11575             << BitsNeeded << ED << WidthExpr->getSourceRange();
11576         if (PTAttr)
11577           S.Diag(PTAttr->getLocation(), diag::note_bitfield_preferred_type)
11578               << ED;
11579       }
11580     }
11581 
11582     return false;
11583   }
11584 
11585   llvm::APSInt Value = Result.Val.getInt();
11586 
11587   unsigned OriginalWidth = Value.getBitWidth();
11588 
11589   // In C, the macro 'true' from stdbool.h will evaluate to '1'; To reduce
11590   // false positives where the user is demonstrating they intend to use the
11591   // bit-field as a Boolean, check to see if the value is 1 and we're assigning
11592   // to a one-bit bit-field to see if the value came from a macro named 'true'.
11593   bool OneAssignedToOneBitBitfield = FieldWidth == 1 && Value == 1;
11594   if (OneAssignedToOneBitBitfield && !S.LangOpts.CPlusPlus) {
11595     SourceLocation MaybeMacroLoc = OriginalInit->getBeginLoc();
11596     if (S.SourceMgr.isInSystemMacro(MaybeMacroLoc) &&
11597         S.findMacroSpelling(MaybeMacroLoc, "true"))
11598       return false;
11599   }
11600 
11601   if (!Value.isSigned() || Value.isNegative())
11602     if (UnaryOperator *UO = dyn_cast<UnaryOperator>(OriginalInit))
11603       if (UO->getOpcode() == UO_Minus || UO->getOpcode() == UO_Not)
11604         OriginalWidth = Value.getSignificantBits();
11605 
11606   if (OriginalWidth <= FieldWidth)
11607     return false;
11608 
11609   // Compute the value which the bitfield will contain.
11610   llvm::APSInt TruncatedValue = Value.trunc(FieldWidth);
11611   TruncatedValue.setIsSigned(BitfieldType->isSignedIntegerType());
11612 
11613   // Check whether the stored value is equal to the original value.
11614   TruncatedValue = TruncatedValue.extend(OriginalWidth);
11615   if (llvm::APSInt::isSameValue(Value, TruncatedValue))
11616     return false;
11617 
11618   std::string PrettyValue = toString(Value, 10);
11619   std::string PrettyTrunc = toString(TruncatedValue, 10);
11620 
11621   S.Diag(InitLoc, OneAssignedToOneBitBitfield
11622                       ? diag::warn_impcast_single_bit_bitield_precision_constant
11623                       : diag::warn_impcast_bitfield_precision_constant)
11624       << PrettyValue << PrettyTrunc << OriginalInit->getType()
11625       << Init->getSourceRange();
11626 
11627   return true;
11628 }
11629 
11630 /// Analyze the given simple or compound assignment for warning-worthy
11631 /// operations.
11632 static void AnalyzeAssignment(Sema &S, BinaryOperator *E) {
11633   // Just recurse on the LHS.
11634   AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
11635 
11636   // We want to recurse on the RHS as normal unless we're assigning to
11637   // a bitfield.
11638   if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) {
11639     if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(),
11640                                   E->getOperatorLoc())) {
11641       // Recurse, ignoring any implicit conversions on the RHS.
11642       return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(),
11643                                         E->getOperatorLoc());
11644     }
11645   }
11646 
11647   AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
11648 
11649   // Diagnose implicitly sequentially-consistent atomic assignment.
11650   if (E->getLHS()->getType()->isAtomicType())
11651     S.Diag(E->getRHS()->getBeginLoc(), diag::warn_atomic_implicit_seq_cst);
11652 }
11653 
11654 /// Diagnose an implicit cast;  purely a helper for CheckImplicitConversion.
11655 static void DiagnoseImpCast(Sema &S, const Expr *E, QualType SourceType,
11656                             QualType T, SourceLocation CContext, unsigned diag,
11657                             bool PruneControlFlow = false) {
11658   // For languages like HLSL and OpenCL, implicit conversion diagnostics listing
11659   // address space annotations isn't really useful. The warnings aren't because
11660   // you're converting a `private int` to `unsigned int`, it is because you're
11661   // conerting `int` to `unsigned int`.
11662   if (SourceType.hasAddressSpace())
11663     SourceType = S.getASTContext().removeAddrSpaceQualType(SourceType);
11664   if (T.hasAddressSpace())
11665     T = S.getASTContext().removeAddrSpaceQualType(T);
11666   if (PruneControlFlow) {
11667     S.DiagRuntimeBehavior(E->getExprLoc(), E,
11668                           S.PDiag(diag)
11669                               << SourceType << T << E->getSourceRange()
11670                               << SourceRange(CContext));
11671     return;
11672   }
11673   S.Diag(E->getExprLoc(), diag)
11674     << SourceType << T << E->getSourceRange() << SourceRange(CContext);
11675 }
11676 
11677 /// Diagnose an implicit cast;  purely a helper for CheckImplicitConversion.
11678 static void DiagnoseImpCast(Sema &S, const Expr *E, QualType T,
11679                             SourceLocation CContext, unsigned diag,
11680                             bool PruneControlFlow = false) {
11681   DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, PruneControlFlow);
11682 }
11683 
11684 /// Diagnose an implicit cast from a floating point value to an integer value.
11685 static void DiagnoseFloatingImpCast(Sema &S, const Expr *E, QualType T,
11686                                     SourceLocation CContext) {
11687   bool IsBool = T->isSpecificBuiltinType(BuiltinType::Bool);
11688   bool PruneWarnings = S.inTemplateInstantiation();
11689 
11690   const Expr *InnerE = E->IgnoreParenImpCasts();
11691   // We also want to warn on, e.g., "int i = -1.234"
11692   if (const auto *UOp = dyn_cast<UnaryOperator>(InnerE))
11693     if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus)
11694       InnerE = UOp->getSubExpr()->IgnoreParenImpCasts();
11695 
11696   bool IsLiteral = isa<FloatingLiteral>(E) || isa<FloatingLiteral>(InnerE);
11697 
11698   llvm::APFloat Value(0.0);
11699   bool IsConstant =
11700     E->EvaluateAsFloat(Value, S.Context, Expr::SE_AllowSideEffects);
11701   if (!IsConstant) {
11702     if (S.ObjC().isSignedCharBool(T)) {
11703       return S.ObjC().adornBoolConversionDiagWithTernaryFixit(
11704           E, S.Diag(CContext, diag::warn_impcast_float_to_objc_signed_char_bool)
11705                  << E->getType());
11706     }
11707 
11708     return DiagnoseImpCast(S, E, T, CContext,
11709                            diag::warn_impcast_float_integer, PruneWarnings);
11710   }
11711 
11712   bool isExact = false;
11713 
11714   llvm::APSInt IntegerValue(S.Context.getIntWidth(T),
11715                             T->hasUnsignedIntegerRepresentation());
11716   llvm::APFloat::opStatus Result = Value.convertToInteger(
11717       IntegerValue, llvm::APFloat::rmTowardZero, &isExact);
11718 
11719   // FIXME: Force the precision of the source value down so we don't print
11720   // digits which are usually useless (we don't really care here if we
11721   // truncate a digit by accident in edge cases).  Ideally, APFloat::toString
11722   // would automatically print the shortest representation, but it's a bit
11723   // tricky to implement.
11724   SmallString<16> PrettySourceValue;
11725   unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics());
11726   precision = (precision * 59 + 195) / 196;
11727   Value.toString(PrettySourceValue, precision);
11728 
11729   if (S.ObjC().isSignedCharBool(T) && IntegerValue != 0 && IntegerValue != 1) {
11730     return S.ObjC().adornBoolConversionDiagWithTernaryFixit(
11731         E, S.Diag(CContext, diag::warn_impcast_constant_value_to_objc_bool)
11732                << PrettySourceValue);
11733   }
11734 
11735   if (Result == llvm::APFloat::opOK && isExact) {
11736     if (IsLiteral) return;
11737     return DiagnoseImpCast(S, E, T, CContext, diag::warn_impcast_float_integer,
11738                            PruneWarnings);
11739   }
11740 
11741   // Conversion of a floating-point value to a non-bool integer where the
11742   // integral part cannot be represented by the integer type is undefined.
11743   if (!IsBool && Result == llvm::APFloat::opInvalidOp)
11744     return DiagnoseImpCast(
11745         S, E, T, CContext,
11746         IsLiteral ? diag::warn_impcast_literal_float_to_integer_out_of_range
11747                   : diag::warn_impcast_float_to_integer_out_of_range,
11748         PruneWarnings);
11749 
11750   unsigned DiagID = 0;
11751   if (IsLiteral) {
11752     // Warn on floating point literal to integer.
11753     DiagID = diag::warn_impcast_literal_float_to_integer;
11754   } else if (IntegerValue == 0) {
11755     if (Value.isZero()) {  // Skip -0.0 to 0 conversion.
11756       return DiagnoseImpCast(S, E, T, CContext,
11757                              diag::warn_impcast_float_integer, PruneWarnings);
11758     }
11759     // Warn on non-zero to zero conversion.
11760     DiagID = diag::warn_impcast_float_to_integer_zero;
11761   } else {
11762     if (IntegerValue.isUnsigned()) {
11763       if (!IntegerValue.isMaxValue()) {
11764         return DiagnoseImpCast(S, E, T, CContext,
11765                                diag::warn_impcast_float_integer, PruneWarnings);
11766       }
11767     } else {  // IntegerValue.isSigned()
11768       if (!IntegerValue.isMaxSignedValue() &&
11769           !IntegerValue.isMinSignedValue()) {
11770         return DiagnoseImpCast(S, E, T, CContext,
11771                                diag::warn_impcast_float_integer, PruneWarnings);
11772       }
11773     }
11774     // Warn on evaluatable floating point expression to integer conversion.
11775     DiagID = diag::warn_impcast_float_to_integer;
11776   }
11777 
11778   SmallString<16> PrettyTargetValue;
11779   if (IsBool)
11780     PrettyTargetValue = Value.isZero() ? "false" : "true";
11781   else
11782     IntegerValue.toString(PrettyTargetValue);
11783 
11784   if (PruneWarnings) {
11785     S.DiagRuntimeBehavior(E->getExprLoc(), E,
11786                           S.PDiag(DiagID)
11787                               << E->getType() << T.getUnqualifiedType()
11788                               << PrettySourceValue << PrettyTargetValue
11789                               << E->getSourceRange() << SourceRange(CContext));
11790   } else {
11791     S.Diag(E->getExprLoc(), DiagID)
11792         << E->getType() << T.getUnqualifiedType() << PrettySourceValue
11793         << PrettyTargetValue << E->getSourceRange() << SourceRange(CContext);
11794   }
11795 }
11796 
11797 /// Analyze the given compound assignment for the possible losing of
11798 /// floating-point precision.
11799 static void AnalyzeCompoundAssignment(Sema &S, BinaryOperator *E) {
11800   assert(isa<CompoundAssignOperator>(E) &&
11801          "Must be compound assignment operation");
11802   // Recurse on the LHS and RHS in here
11803   AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
11804   AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
11805 
11806   if (E->getLHS()->getType()->isAtomicType())
11807     S.Diag(E->getOperatorLoc(), diag::warn_atomic_implicit_seq_cst);
11808 
11809   // Now check the outermost expression
11810   const auto *ResultBT = E->getLHS()->getType()->getAs<BuiltinType>();
11811   const auto *RBT = cast<CompoundAssignOperator>(E)
11812                         ->getComputationResultType()
11813                         ->getAs<BuiltinType>();
11814 
11815   // The below checks assume source is floating point.
11816   if (!ResultBT || !RBT || !RBT->isFloatingPoint()) return;
11817 
11818   // If source is floating point but target is an integer.
11819   if (ResultBT->isInteger())
11820     return DiagnoseImpCast(S, E, E->getRHS()->getType(), E->getLHS()->getType(),
11821                            E->getExprLoc(), diag::warn_impcast_float_integer);
11822 
11823   if (!ResultBT->isFloatingPoint())
11824     return;
11825 
11826   // If both source and target are floating points, warn about losing precision.
11827   int Order = S.getASTContext().getFloatingTypeSemanticOrder(
11828       QualType(ResultBT, 0), QualType(RBT, 0));
11829   if (Order < 0 && !S.SourceMgr.isInSystemMacro(E->getOperatorLoc()))
11830     // warn about dropping FP rank.
11831     DiagnoseImpCast(S, E->getRHS(), E->getLHS()->getType(), E->getOperatorLoc(),
11832                     diag::warn_impcast_float_result_precision);
11833 }
11834 
11835 static std::string PrettyPrintInRange(const llvm::APSInt &Value,
11836                                       IntRange Range) {
11837   if (!Range.Width) return "0";
11838 
11839   llvm::APSInt ValueInRange = Value;
11840   ValueInRange.setIsSigned(!Range.NonNegative);
11841   ValueInRange = ValueInRange.trunc(Range.Width);
11842   return toString(ValueInRange, 10);
11843 }
11844 
11845 static bool IsImplicitBoolFloatConversion(Sema &S, const Expr *Ex,
11846                                           bool ToBool) {
11847   if (!isa<ImplicitCastExpr>(Ex))
11848     return false;
11849 
11850   const Expr *InnerE = Ex->IgnoreParenImpCasts();
11851   const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr();
11852   const Type *Source =
11853     S.Context.getCanonicalType(InnerE->getType()).getTypePtr();
11854   if (Target->isDependentType())
11855     return false;
11856 
11857   const auto *FloatCandidateBT =
11858       dyn_cast<BuiltinType>(ToBool ? Source : Target);
11859   const Type *BoolCandidateType = ToBool ? Target : Source;
11860 
11861   return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) &&
11862           FloatCandidateBT && (FloatCandidateBT->isFloatingPoint()));
11863 }
11864 
11865 static void CheckImplicitArgumentConversions(Sema &S, const CallExpr *TheCall,
11866                                              SourceLocation CC) {
11867   for (unsigned I = 0, N = TheCall->getNumArgs(); I < N; ++I) {
11868     const Expr *CurrA = TheCall->getArg(I);
11869     if (!IsImplicitBoolFloatConversion(S, CurrA, true))
11870       continue;
11871 
11872     bool IsSwapped = ((I > 0) && IsImplicitBoolFloatConversion(
11873                                      S, TheCall->getArg(I - 1), false));
11874     IsSwapped |= ((I < (N - 1)) && IsImplicitBoolFloatConversion(
11875                                        S, TheCall->getArg(I + 1), false));
11876     if (IsSwapped) {
11877       // Warn on this floating-point to bool conversion.
11878       DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(),
11879                       CurrA->getType(), CC,
11880                       diag::warn_impcast_floating_point_to_bool);
11881     }
11882   }
11883 }
11884 
11885 static void DiagnoseNullConversion(Sema &S, Expr *E, QualType T,
11886                                    SourceLocation CC) {
11887   // Don't warn on functions which have return type nullptr_t.
11888   if (isa<CallExpr>(E))
11889     return;
11890 
11891   // Check for NULL (GNUNull) or nullptr (CXX11_nullptr).
11892   const Expr *NewE = E->IgnoreParenImpCasts();
11893   bool IsGNUNullExpr = isa<GNUNullExpr>(NewE);
11894   bool HasNullPtrType = NewE->getType()->isNullPtrType();
11895   if (!IsGNUNullExpr && !HasNullPtrType)
11896     return;
11897 
11898   // Return if target type is a safe conversion.
11899   if (T->isAnyPointerType() || T->isBlockPointerType() ||
11900       T->isMemberPointerType() || !T->isScalarType() || T->isNullPtrType())
11901     return;
11902 
11903   if (S.Diags.isIgnored(diag::warn_impcast_null_pointer_to_integer,
11904                         E->getExprLoc()))
11905     return;
11906 
11907   SourceLocation Loc = E->getSourceRange().getBegin();
11908 
11909   // Venture through the macro stacks to get to the source of macro arguments.
11910   // The new location is a better location than the complete location that was
11911   // passed in.
11912   Loc = S.SourceMgr.getTopMacroCallerLoc(Loc);
11913   CC = S.SourceMgr.getTopMacroCallerLoc(CC);
11914 
11915   // __null is usually wrapped in a macro.  Go up a macro if that is the case.
11916   if (IsGNUNullExpr && Loc.isMacroID()) {
11917     StringRef MacroName = Lexer::getImmediateMacroNameForDiagnostics(
11918         Loc, S.SourceMgr, S.getLangOpts());
11919     if (MacroName == "NULL")
11920       Loc = S.SourceMgr.getImmediateExpansionRange(Loc).getBegin();
11921   }
11922 
11923   // Only warn if the null and context location are in the same macro expansion.
11924   if (S.SourceMgr.getFileID(Loc) != S.SourceMgr.getFileID(CC))
11925     return;
11926 
11927   S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer)
11928       << HasNullPtrType << T << SourceRange(CC)
11929       << FixItHint::CreateReplacement(Loc,
11930                                       S.getFixItZeroLiteralForType(T, Loc));
11931 }
11932 
11933 // Helper function to filter out cases for constant width constant conversion.
11934 // Don't warn on char array initialization or for non-decimal values.
11935 static bool isSameWidthConstantConversion(Sema &S, Expr *E, QualType T,
11936                                           SourceLocation CC) {
11937   // If initializing from a constant, and the constant starts with '0',
11938   // then it is a binary, octal, or hexadecimal.  Allow these constants
11939   // to fill all the bits, even if there is a sign change.
11940   if (auto *IntLit = dyn_cast<IntegerLiteral>(E->IgnoreParenImpCasts())) {
11941     const char FirstLiteralCharacter =
11942         S.getSourceManager().getCharacterData(IntLit->getBeginLoc())[0];
11943     if (FirstLiteralCharacter == '0')
11944       return false;
11945   }
11946 
11947   // If the CC location points to a '{', and the type is char, then assume
11948   // assume it is an array initialization.
11949   if (CC.isValid() && T->isCharType()) {
11950     const char FirstContextCharacter =
11951         S.getSourceManager().getCharacterData(CC)[0];
11952     if (FirstContextCharacter == '{')
11953       return false;
11954   }
11955 
11956   return true;
11957 }
11958 
11959 static const IntegerLiteral *getIntegerLiteral(Expr *E) {
11960   const auto *IL = dyn_cast<IntegerLiteral>(E);
11961   if (!IL) {
11962     if (auto *UO = dyn_cast<UnaryOperator>(E)) {
11963       if (UO->getOpcode() == UO_Minus)
11964         return dyn_cast<IntegerLiteral>(UO->getSubExpr());
11965     }
11966   }
11967 
11968   return IL;
11969 }
11970 
11971 static void DiagnoseIntInBoolContext(Sema &S, Expr *E) {
11972   E = E->IgnoreParenImpCasts();
11973   SourceLocation ExprLoc = E->getExprLoc();
11974 
11975   if (const auto *BO = dyn_cast<BinaryOperator>(E)) {
11976     BinaryOperator::Opcode Opc = BO->getOpcode();
11977     Expr::EvalResult Result;
11978     // Do not diagnose unsigned shifts.
11979     if (Opc == BO_Shl) {
11980       const auto *LHS = getIntegerLiteral(BO->getLHS());
11981       const auto *RHS = getIntegerLiteral(BO->getRHS());
11982       if (LHS && LHS->getValue() == 0)
11983         S.Diag(ExprLoc, diag::warn_left_shift_always) << 0;
11984       else if (!E->isValueDependent() && LHS && RHS &&
11985                RHS->getValue().isNonNegative() &&
11986                E->EvaluateAsInt(Result, S.Context, Expr::SE_AllowSideEffects))
11987         S.Diag(ExprLoc, diag::warn_left_shift_always)
11988             << (Result.Val.getInt() != 0);
11989       else if (E->getType()->isSignedIntegerType())
11990         S.Diag(ExprLoc, diag::warn_left_shift_in_bool_context)
11991             << FixItHint::CreateInsertion(E->getBeginLoc(), "(")
11992             << FixItHint::CreateInsertion(S.getLocForEndOfToken(E->getEndLoc()),
11993                                           ") != 0");
11994     }
11995   }
11996 
11997   if (const auto *CO = dyn_cast<ConditionalOperator>(E)) {
11998     const auto *LHS = getIntegerLiteral(CO->getTrueExpr());
11999     const auto *RHS = getIntegerLiteral(CO->getFalseExpr());
12000     if (!LHS || !RHS)
12001       return;
12002     if ((LHS->getValue() == 0 || LHS->getValue() == 1) &&
12003         (RHS->getValue() == 0 || RHS->getValue() == 1))
12004       // Do not diagnose common idioms.
12005       return;
12006     if (LHS->getValue() != 0 && RHS->getValue() != 0)
12007       S.Diag(ExprLoc, diag::warn_integer_constants_in_conditional_always_true);
12008   }
12009 }
12010 
12011 static void DiagnoseMixedUnicodeImplicitConversion(Sema &S, const Type *Source,
12012                                                    const Type *Target, Expr *E,
12013                                                    QualType T,
12014                                                    SourceLocation CC) {
12015   assert(Source->isUnicodeCharacterType() && Target->isUnicodeCharacterType() &&
12016          Source != Target);
12017 
12018   // Lone surrogates have a distinct representation in UTF-32.
12019   // Converting between UTF-16 and UTF-32 codepoints seems very widespread,
12020   // so don't warn on such conversion.
12021   if (Source->isChar16Type() && Target->isChar32Type())
12022     return;
12023 
12024   Expr::EvalResult Result;
12025   if (E->EvaluateAsInt(Result, S.getASTContext(), Expr::SE_AllowSideEffects,
12026                        S.isConstantEvaluatedContext())) {
12027     llvm::APSInt Value(32);
12028     Value = Result.Val.getInt();
12029     bool IsASCII = Value <= 0x7F;
12030     bool IsBMP = Value <= 0xDFFF || (Value >= 0xE000 && Value <= 0xFFFF);
12031     bool ConversionPreservesSemantics =
12032         IsASCII || (!Source->isChar8Type() && !Target->isChar8Type() && IsBMP);
12033 
12034     if (!ConversionPreservesSemantics) {
12035       auto IsSingleCodeUnitCP = [](const QualType &T,
12036                                    const llvm::APSInt &Value) {
12037         if (T->isChar8Type())
12038           return llvm::IsSingleCodeUnitUTF8Codepoint(Value.getExtValue());
12039         if (T->isChar16Type())
12040           return llvm::IsSingleCodeUnitUTF16Codepoint(Value.getExtValue());
12041         assert(T->isChar32Type());
12042         return llvm::IsSingleCodeUnitUTF32Codepoint(Value.getExtValue());
12043       };
12044 
12045       S.Diag(CC, diag::warn_impcast_unicode_char_type_constant)
12046           << E->getType() << T
12047           << IsSingleCodeUnitCP(E->getType().getUnqualifiedType(), Value)
12048           << FormatUTFCodeUnitAsCodepoint(Value.getExtValue(), E->getType());
12049     }
12050   } else {
12051     bool LosesPrecision = S.getASTContext().getIntWidth(E->getType()) >
12052                           S.getASTContext().getIntWidth(T);
12053     DiagnoseImpCast(S, E, T, CC,
12054                     LosesPrecision ? diag::warn_impcast_unicode_precision
12055                                    : diag::warn_impcast_unicode_char_type);
12056   }
12057 }
12058 
12059 enum CFIUncheckedCalleeChange {
12060   None,
12061   Adding,
12062   Discarding,
12063 };
12064 
12065 static CFIUncheckedCalleeChange AdjustingCFIUncheckedCallee(QualType From,
12066                                                             QualType To) {
12067   QualType MaybePointee = From->getPointeeType();
12068   if (!MaybePointee.isNull() && MaybePointee->getAs<FunctionType>())
12069     From = MaybePointee;
12070   MaybePointee = To->getPointeeType();
12071   if (!MaybePointee.isNull() && MaybePointee->getAs<FunctionType>())
12072     To = MaybePointee;
12073 
12074   if (const auto *FromFn = From->getAs<FunctionType>()) {
12075     if (const auto *ToFn = To->getAs<FunctionType>()) {
12076       if (FromFn->getCFIUncheckedCalleeAttr() &&
12077           !ToFn->getCFIUncheckedCalleeAttr())
12078         return Discarding;
12079       if (!FromFn->getCFIUncheckedCalleeAttr() &&
12080           ToFn->getCFIUncheckedCalleeAttr())
12081         return Adding;
12082     }
12083   }
12084   return None;
12085 }
12086 
12087 bool Sema::DiscardingCFIUncheckedCallee(QualType From, QualType To) const {
12088   From = Context.getCanonicalType(From);
12089   To = Context.getCanonicalType(To);
12090   return ::AdjustingCFIUncheckedCallee(From, To) == Discarding;
12091 }
12092 
12093 bool Sema::AddingCFIUncheckedCallee(QualType From, QualType To) const {
12094   From = Context.getCanonicalType(From);
12095   To = Context.getCanonicalType(To);
12096   return ::AdjustingCFIUncheckedCallee(From, To) == Adding;
12097 }
12098 
12099 void Sema::CheckImplicitConversion(Expr *E, QualType T, SourceLocation CC,
12100                                    bool *ICContext, bool IsListInit) {
12101   if (E->isTypeDependent() || E->isValueDependent()) return;
12102 
12103   const Type *Source = Context.getCanonicalType(E->getType()).getTypePtr();
12104   const Type *Target = Context.getCanonicalType(T).getTypePtr();
12105   if (Source == Target) return;
12106   if (Target->isDependentType()) return;
12107 
12108   // If the conversion context location is invalid don't complain. We also
12109   // don't want to emit a warning if the issue occurs from the expansion of
12110   // a system macro. The problem is that 'getSpellingLoc()' is slow, so we
12111   // delay this check as long as possible. Once we detect we are in that
12112   // scenario, we just return.
12113   if (CC.isInvalid())
12114     return;
12115 
12116   if (Source->isAtomicType())
12117     Diag(E->getExprLoc(), diag::warn_atomic_implicit_seq_cst);
12118 
12119   // Diagnose implicit casts to bool.
12120   if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {
12121     if (isa<StringLiteral>(E))
12122       // Warn on string literal to bool.  Checks for string literals in logical
12123       // and expressions, for instance, assert(0 && "error here"), are
12124       // prevented by a check in AnalyzeImplicitConversions().
12125       return DiagnoseImpCast(*this, E, T, CC,
12126                              diag::warn_impcast_string_literal_to_bool);
12127     if (isa<ObjCStringLiteral>(E) || isa<ObjCArrayLiteral>(E) ||
12128         isa<ObjCDictionaryLiteral>(E) || isa<ObjCBoxedExpr>(E)) {
12129       // This covers the literal expressions that evaluate to Objective-C
12130       // objects.
12131       return DiagnoseImpCast(*this, E, T, CC,
12132                              diag::warn_impcast_objective_c_literal_to_bool);
12133     }
12134     if (Source->isPointerType() || Source->canDecayToPointerType()) {
12135       // Warn on pointer to bool conversion that is always true.
12136       DiagnoseAlwaysNonNullPointer(E, Expr::NPCK_NotNull, /*IsEqual*/ false,
12137                                    SourceRange(CC));
12138     }
12139   }
12140 
12141   // If the we're converting a constant to an ObjC BOOL on a platform where BOOL
12142   // is a typedef for signed char (macOS), then that constant value has to be 1
12143   // or 0.
12144   if (ObjC().isSignedCharBool(T) && Source->isIntegralType(Context)) {
12145     Expr::EvalResult Result;
12146     if (E->EvaluateAsInt(Result, getASTContext(), Expr::SE_AllowSideEffects)) {
12147       if (Result.Val.getInt() != 1 && Result.Val.getInt() != 0) {
12148         ObjC().adornBoolConversionDiagWithTernaryFixit(
12149             E, Diag(CC, diag::warn_impcast_constant_value_to_objc_bool)
12150                    << toString(Result.Val.getInt(), 10));
12151       }
12152       return;
12153     }
12154   }
12155 
12156   // Check implicit casts from Objective-C collection literals to specialized
12157   // collection types, e.g., NSArray<NSString *> *.
12158   if (auto *ArrayLiteral = dyn_cast<ObjCArrayLiteral>(E))
12159     ObjC().checkArrayLiteral(QualType(Target, 0), ArrayLiteral);
12160   else if (auto *DictionaryLiteral = dyn_cast<ObjCDictionaryLiteral>(E))
12161     ObjC().checkDictionaryLiteral(QualType(Target, 0), DictionaryLiteral);
12162 
12163   // Strip vector types.
12164   if (isa<VectorType>(Source)) {
12165     if (Target->isSveVLSBuiltinType() &&
12166         (ARM().areCompatibleSveTypes(QualType(Target, 0),
12167                                      QualType(Source, 0)) ||
12168          ARM().areLaxCompatibleSveTypes(QualType(Target, 0),
12169                                         QualType(Source, 0))))
12170       return;
12171 
12172     if (Target->isRVVVLSBuiltinType() &&
12173         (Context.areCompatibleRVVTypes(QualType(Target, 0),
12174                                        QualType(Source, 0)) ||
12175          Context.areLaxCompatibleRVVTypes(QualType(Target, 0),
12176                                           QualType(Source, 0))))
12177       return;
12178 
12179     if (!isa<VectorType>(Target)) {
12180       if (SourceMgr.isInSystemMacro(CC))
12181         return;
12182       return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_vector_scalar);
12183     } else if (getLangOpts().HLSL &&
12184                Target->castAs<VectorType>()->getNumElements() <
12185                    Source->castAs<VectorType>()->getNumElements()) {
12186       // Diagnose vector truncation but don't return. We may also want to
12187       // diagnose an element conversion.
12188       DiagnoseImpCast(*this, E, T, CC,
12189                       diag::warn_hlsl_impcast_vector_truncation);
12190     }
12191 
12192     // If the vector cast is cast between two vectors of the same size, it is
12193     // a bitcast, not a conversion, except under HLSL where it is a conversion.
12194     if (!getLangOpts().HLSL &&
12195         Context.getTypeSize(Source) == Context.getTypeSize(Target))
12196       return;
12197 
12198     Source = cast<VectorType>(Source)->getElementType().getTypePtr();
12199     Target = cast<VectorType>(Target)->getElementType().getTypePtr();
12200   }
12201   if (auto VecTy = dyn_cast<VectorType>(Target))
12202     Target = VecTy->getElementType().getTypePtr();
12203 
12204   // Strip complex types.
12205   if (isa<ComplexType>(Source)) {
12206     if (!isa<ComplexType>(Target)) {
12207       if (SourceMgr.isInSystemMacro(CC) || Target->isBooleanType())
12208         return;
12209 
12210       return DiagnoseImpCast(*this, E, T, CC,
12211                              getLangOpts().CPlusPlus
12212                                  ? diag::err_impcast_complex_scalar
12213                                  : diag::warn_impcast_complex_scalar);
12214     }
12215 
12216     Source = cast<ComplexType>(Source)->getElementType().getTypePtr();
12217     Target = cast<ComplexType>(Target)->getElementType().getTypePtr();
12218   }
12219 
12220   const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source);
12221   const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target);
12222 
12223   // Strip SVE vector types
12224   if (SourceBT && SourceBT->isSveVLSBuiltinType()) {
12225     // Need the original target type for vector type checks
12226     const Type *OriginalTarget = Context.getCanonicalType(T).getTypePtr();
12227     // Handle conversion from scalable to fixed when msve-vector-bits is
12228     // specified
12229     if (ARM().areCompatibleSveTypes(QualType(OriginalTarget, 0),
12230                                     QualType(Source, 0)) ||
12231         ARM().areLaxCompatibleSveTypes(QualType(OriginalTarget, 0),
12232                                        QualType(Source, 0)))
12233       return;
12234 
12235     // If the vector cast is cast between two vectors of the same size, it is
12236     // a bitcast, not a conversion.
12237     if (Context.getTypeSize(Source) == Context.getTypeSize(Target))
12238       return;
12239 
12240     Source = SourceBT->getSveEltType(Context).getTypePtr();
12241   }
12242 
12243   if (TargetBT && TargetBT->isSveVLSBuiltinType())
12244     Target = TargetBT->getSveEltType(Context).getTypePtr();
12245 
12246   // If the source is floating point...
12247   if (SourceBT && SourceBT->isFloatingPoint()) {
12248     // ...and the target is floating point...
12249     if (TargetBT && TargetBT->isFloatingPoint()) {
12250       // ...then warn if we're dropping FP rank.
12251 
12252       int Order = getASTContext().getFloatingTypeSemanticOrder(
12253           QualType(SourceBT, 0), QualType(TargetBT, 0));
12254       if (Order > 0) {
12255         // Don't warn about float constants that are precisely
12256         // representable in the target type.
12257         Expr::EvalResult result;
12258         if (E->EvaluateAsRValue(result, Context)) {
12259           // Value might be a float, a float vector, or a float complex.
12260           if (IsSameFloatAfterCast(
12261                   result.Val,
12262                   Context.getFloatTypeSemantics(QualType(TargetBT, 0)),
12263                   Context.getFloatTypeSemantics(QualType(SourceBT, 0))))
12264             return;
12265         }
12266 
12267         if (SourceMgr.isInSystemMacro(CC))
12268           return;
12269 
12270         DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_float_precision);
12271       }
12272       // ... or possibly if we're increasing rank, too
12273       else if (Order < 0) {
12274         if (SourceMgr.isInSystemMacro(CC))
12275           return;
12276 
12277         DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_double_promotion);
12278       }
12279       return;
12280     }
12281 
12282     // If the target is integral, always warn.
12283     if (TargetBT && TargetBT->isInteger()) {
12284       if (SourceMgr.isInSystemMacro(CC))
12285         return;
12286 
12287       DiagnoseFloatingImpCast(*this, E, T, CC);
12288     }
12289 
12290     // Detect the case where a call result is converted from floating-point to
12291     // to bool, and the final argument to the call is converted from bool, to
12292     // discover this typo:
12293     //
12294     //    bool b = fabs(x < 1.0);  // should be "bool b = fabs(x) < 1.0;"
12295     //
12296     // FIXME: This is an incredibly special case; is there some more general
12297     // way to detect this class of misplaced-parentheses bug?
12298     if (Target->isBooleanType() && isa<CallExpr>(E)) {
12299       // Check last argument of function call to see if it is an
12300       // implicit cast from a type matching the type the result
12301       // is being cast to.
12302       CallExpr *CEx = cast<CallExpr>(E);
12303       if (unsigned NumArgs = CEx->getNumArgs()) {
12304         Expr *LastA = CEx->getArg(NumArgs - 1);
12305         Expr *InnerE = LastA->IgnoreParenImpCasts();
12306         if (isa<ImplicitCastExpr>(LastA) &&
12307             InnerE->getType()->isBooleanType()) {
12308           // Warn on this floating-point to bool conversion
12309           DiagnoseImpCast(*this, E, T, CC,
12310                           diag::warn_impcast_floating_point_to_bool);
12311         }
12312       }
12313     }
12314     return;
12315   }
12316 
12317   // Valid casts involving fixed point types should be accounted for here.
12318   if (Source->isFixedPointType()) {
12319     if (Target->isUnsaturatedFixedPointType()) {
12320       Expr::EvalResult Result;
12321       if (E->EvaluateAsFixedPoint(Result, Context, Expr::SE_AllowSideEffects,
12322                                   isConstantEvaluatedContext())) {
12323         llvm::APFixedPoint Value = Result.Val.getFixedPoint();
12324         llvm::APFixedPoint MaxVal = Context.getFixedPointMax(T);
12325         llvm::APFixedPoint MinVal = Context.getFixedPointMin(T);
12326         if (Value > MaxVal || Value < MinVal) {
12327           DiagRuntimeBehavior(E->getExprLoc(), E,
12328                               PDiag(diag::warn_impcast_fixed_point_range)
12329                                   << Value.toString() << T
12330                                   << E->getSourceRange()
12331                                   << clang::SourceRange(CC));
12332           return;
12333         }
12334       }
12335     } else if (Target->isIntegerType()) {
12336       Expr::EvalResult Result;
12337       if (!isConstantEvaluatedContext() &&
12338           E->EvaluateAsFixedPoint(Result, Context, Expr::SE_AllowSideEffects)) {
12339         llvm::APFixedPoint FXResult = Result.Val.getFixedPoint();
12340 
12341         bool Overflowed;
12342         llvm::APSInt IntResult = FXResult.convertToInt(
12343             Context.getIntWidth(T), Target->isSignedIntegerOrEnumerationType(),
12344             &Overflowed);
12345 
12346         if (Overflowed) {
12347           DiagRuntimeBehavior(E->getExprLoc(), E,
12348                               PDiag(diag::warn_impcast_fixed_point_range)
12349                                   << FXResult.toString() << T
12350                                   << E->getSourceRange()
12351                                   << clang::SourceRange(CC));
12352           return;
12353         }
12354       }
12355     }
12356   } else if (Target->isUnsaturatedFixedPointType()) {
12357     if (Source->isIntegerType()) {
12358       Expr::EvalResult Result;
12359       if (!isConstantEvaluatedContext() &&
12360           E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects)) {
12361         llvm::APSInt Value = Result.Val.getInt();
12362 
12363         bool Overflowed;
12364         llvm::APFixedPoint IntResult = llvm::APFixedPoint::getFromIntValue(
12365             Value, Context.getFixedPointSemantics(T), &Overflowed);
12366 
12367         if (Overflowed) {
12368           DiagRuntimeBehavior(E->getExprLoc(), E,
12369                               PDiag(diag::warn_impcast_fixed_point_range)
12370                                   << toString(Value, /*Radix=*/10) << T
12371                                   << E->getSourceRange()
12372                                   << clang::SourceRange(CC));
12373           return;
12374         }
12375       }
12376     }
12377   }
12378 
12379   // If we are casting an integer type to a floating point type without
12380   // initialization-list syntax, we might lose accuracy if the floating
12381   // point type has a narrower significand than the integer type.
12382   if (SourceBT && TargetBT && SourceBT->isIntegerType() &&
12383       TargetBT->isFloatingType() && !IsListInit) {
12384     // Determine the number of precision bits in the source integer type.
12385     std::optional<IntRange> SourceRange =
12386         TryGetExprRange(Context, E, isConstantEvaluatedContext(),
12387                         /*Approximate=*/true);
12388     if (!SourceRange)
12389       return;
12390     unsigned int SourcePrecision = SourceRange->Width;
12391 
12392     // Determine the number of precision bits in the
12393     // target floating point type.
12394     unsigned int TargetPrecision = llvm::APFloatBase::semanticsPrecision(
12395         Context.getFloatTypeSemantics(QualType(TargetBT, 0)));
12396 
12397     if (SourcePrecision > 0 && TargetPrecision > 0 &&
12398         SourcePrecision > TargetPrecision) {
12399 
12400       if (std::optional<llvm::APSInt> SourceInt =
12401               E->getIntegerConstantExpr(Context)) {
12402         // If the source integer is a constant, convert it to the target
12403         // floating point type. Issue a warning if the value changes
12404         // during the whole conversion.
12405         llvm::APFloat TargetFloatValue(
12406             Context.getFloatTypeSemantics(QualType(TargetBT, 0)));
12407         llvm::APFloat::opStatus ConversionStatus =
12408             TargetFloatValue.convertFromAPInt(
12409                 *SourceInt, SourceBT->isSignedInteger(),
12410                 llvm::APFloat::rmNearestTiesToEven);
12411 
12412         if (ConversionStatus != llvm::APFloat::opOK) {
12413           SmallString<32> PrettySourceValue;
12414           SourceInt->toString(PrettySourceValue, 10);
12415           SmallString<32> PrettyTargetValue;
12416           TargetFloatValue.toString(PrettyTargetValue, TargetPrecision);
12417 
12418           DiagRuntimeBehavior(
12419               E->getExprLoc(), E,
12420               PDiag(diag::warn_impcast_integer_float_precision_constant)
12421                   << PrettySourceValue << PrettyTargetValue << E->getType() << T
12422                   << E->getSourceRange() << clang::SourceRange(CC));
12423         }
12424       } else {
12425         // Otherwise, the implicit conversion may lose precision.
12426         DiagnoseImpCast(*this, E, T, CC,
12427                         diag::warn_impcast_integer_float_precision);
12428       }
12429     }
12430   }
12431 
12432   DiagnoseNullConversion(*this, E, T, CC);
12433 
12434   DiscardMisalignedMemberAddress(Target, E);
12435 
12436   if (Source->isUnicodeCharacterType() && Target->isUnicodeCharacterType()) {
12437     DiagnoseMixedUnicodeImplicitConversion(*this, Source, Target, E, T, CC);
12438     return;
12439   }
12440 
12441   if (Target->isBooleanType())
12442     DiagnoseIntInBoolContext(*this, E);
12443 
12444   if (DiscardingCFIUncheckedCallee(QualType(Source, 0), QualType(Target, 0))) {
12445     Diag(CC, diag::warn_cast_discards_cfi_unchecked_callee)
12446         << QualType(Source, 0) << QualType(Target, 0);
12447   }
12448 
12449   if (!Source->isIntegerType() || !Target->isIntegerType())
12450     return;
12451 
12452   // TODO: remove this early return once the false positives for constant->bool
12453   // in templates, macros, etc, are reduced or removed.
12454   if (Target->isSpecificBuiltinType(BuiltinType::Bool))
12455     return;
12456 
12457   if (ObjC().isSignedCharBool(T) && !Source->isCharType() &&
12458       !E->isKnownToHaveBooleanValue(/*Semantic=*/false)) {
12459     return ObjC().adornBoolConversionDiagWithTernaryFixit(
12460         E, Diag(CC, diag::warn_impcast_int_to_objc_signed_char_bool)
12461                << E->getType());
12462   }
12463   std::optional<IntRange> LikelySourceRange = TryGetExprRange(
12464       Context, E, isConstantEvaluatedContext(), /*Approximate=*/true);
12465   if (!LikelySourceRange)
12466     return;
12467 
12468   IntRange SourceTypeRange =
12469       IntRange::forTargetOfCanonicalType(Context, Source);
12470   IntRange TargetRange = IntRange::forTargetOfCanonicalType(Context, Target);
12471 
12472   if (LikelySourceRange->Width > TargetRange.Width) {
12473     // If the source is a constant, use a default-on diagnostic.
12474     // TODO: this should happen for bitfield stores, too.
12475     Expr::EvalResult Result;
12476     if (E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects,
12477                          isConstantEvaluatedContext())) {
12478       llvm::APSInt Value(32);
12479       Value = Result.Val.getInt();
12480 
12481       if (SourceMgr.isInSystemMacro(CC))
12482         return;
12483 
12484       std::string PrettySourceValue = toString(Value, 10);
12485       std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);
12486 
12487       DiagRuntimeBehavior(E->getExprLoc(), E,
12488                           PDiag(diag::warn_impcast_integer_precision_constant)
12489                               << PrettySourceValue << PrettyTargetValue
12490                               << E->getType() << T << E->getSourceRange()
12491                               << SourceRange(CC));
12492       return;
12493     }
12494 
12495     // People want to build with -Wshorten-64-to-32 and not -Wconversion.
12496     if (SourceMgr.isInSystemMacro(CC))
12497       return;
12498 
12499     if (const auto *UO = dyn_cast<UnaryOperator>(E)) {
12500       if (UO->getOpcode() == UO_Minus)
12501         return DiagnoseImpCast(
12502             *this, E, T, CC, diag::warn_impcast_integer_precision_on_negation);
12503     }
12504 
12505     if (TargetRange.Width == 32 && Context.getIntWidth(E->getType()) == 64)
12506       return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_integer_64_32,
12507                              /* pruneControlFlow */ true);
12508     return DiagnoseImpCast(*this, E, T, CC,
12509                            diag::warn_impcast_integer_precision);
12510   }
12511 
12512   if (TargetRange.Width > SourceTypeRange.Width) {
12513     if (auto *UO = dyn_cast<UnaryOperator>(E))
12514       if (UO->getOpcode() == UO_Minus)
12515         if (Source->isUnsignedIntegerType()) {
12516           if (Target->isUnsignedIntegerType())
12517             return DiagnoseImpCast(*this, E, T, CC,
12518                                    diag::warn_impcast_high_order_zero_bits);
12519           if (Target->isSignedIntegerType())
12520             return DiagnoseImpCast(*this, E, T, CC,
12521                                    diag::warn_impcast_nonnegative_result);
12522         }
12523   }
12524 
12525   if (TargetRange.Width == LikelySourceRange->Width &&
12526       !TargetRange.NonNegative && LikelySourceRange->NonNegative &&
12527       Source->isSignedIntegerType()) {
12528     // Warn when doing a signed to signed conversion, warn if the positive
12529     // source value is exactly the width of the target type, which will
12530     // cause a negative value to be stored.
12531 
12532     Expr::EvalResult Result;
12533     if (E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects) &&
12534         !SourceMgr.isInSystemMacro(CC)) {
12535       llvm::APSInt Value = Result.Val.getInt();
12536       if (isSameWidthConstantConversion(*this, E, T, CC)) {
12537         std::string PrettySourceValue = toString(Value, 10);
12538         std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);
12539 
12540         Diag(E->getExprLoc(),
12541              PDiag(diag::warn_impcast_integer_precision_constant)
12542                  << PrettySourceValue << PrettyTargetValue << E->getType() << T
12543                  << E->getSourceRange() << SourceRange(CC));
12544         return;
12545       }
12546     }
12547 
12548     // Fall through for non-constants to give a sign conversion warning.
12549   }
12550 
12551   if ((!isa<EnumType>(Target) || !isa<EnumType>(Source)) &&
12552       ((TargetRange.NonNegative && !LikelySourceRange->NonNegative) ||
12553        (!TargetRange.NonNegative && LikelySourceRange->NonNegative &&
12554         LikelySourceRange->Width == TargetRange.Width))) {
12555     if (SourceMgr.isInSystemMacro(CC))
12556       return;
12557 
12558     if (SourceBT && SourceBT->isInteger() && TargetBT &&
12559         TargetBT->isInteger() &&
12560         Source->isSignedIntegerType() == Target->isSignedIntegerType()) {
12561       return;
12562     }
12563 
12564     unsigned DiagID = diag::warn_impcast_integer_sign;
12565 
12566     // Traditionally, gcc has warned about this under -Wsign-compare.
12567     // We also want to warn about it in -Wconversion.
12568     // So if -Wconversion is off, use a completely identical diagnostic
12569     // in the sign-compare group.
12570     // The conditional-checking code will
12571     if (ICContext) {
12572       DiagID = diag::warn_impcast_integer_sign_conditional;
12573       *ICContext = true;
12574     }
12575 
12576     DiagnoseImpCast(*this, E, T, CC, DiagID);
12577   }
12578 
12579   // If we're implicitly converting from an integer into an enumeration, that
12580   // is valid in C but invalid in C++.
12581   QualType SourceType = E->getEnumCoercedType(Context);
12582   const BuiltinType *CoercedSourceBT = SourceType->getAs<BuiltinType>();
12583   if (CoercedSourceBT && CoercedSourceBT->isInteger() && isa<EnumType>(Target))
12584     return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_int_to_enum);
12585 
12586   // Diagnose conversions between different enumeration types.
12587   // In C, we pretend that the type of an EnumConstantDecl is its enumeration
12588   // type, to give us better diagnostics.
12589   Source = Context.getCanonicalType(SourceType).getTypePtr();
12590 
12591   if (const EnumType *SourceEnum = Source->getAs<EnumType>())
12592     if (const EnumType *TargetEnum = Target->getAs<EnumType>())
12593       if (SourceEnum->getDecl()->hasNameForLinkage() &&
12594           TargetEnum->getDecl()->hasNameForLinkage() &&
12595           SourceEnum != TargetEnum) {
12596         if (SourceMgr.isInSystemMacro(CC))
12597           return;
12598 
12599         return DiagnoseImpCast(*this, E, SourceType, T, CC,
12600                                diag::warn_impcast_different_enum_types);
12601       }
12602 }
12603 
12604 static void CheckConditionalOperator(Sema &S, AbstractConditionalOperator *E,
12605                                      SourceLocation CC, QualType T);
12606 
12607 static void CheckConditionalOperand(Sema &S, Expr *E, QualType T,
12608                                     SourceLocation CC, bool &ICContext) {
12609   E = E->IgnoreParenImpCasts();
12610   // Diagnose incomplete type for second or third operand in C.
12611   if (!S.getLangOpts().CPlusPlus && E->getType()->isRecordType())
12612     S.RequireCompleteExprType(E, diag::err_incomplete_type);
12613 
12614   if (auto *CO = dyn_cast<AbstractConditionalOperator>(E))
12615     return CheckConditionalOperator(S, CO, CC, T);
12616 
12617   AnalyzeImplicitConversions(S, E, CC);
12618   if (E->getType() != T)
12619     return S.CheckImplicitConversion(E, T, CC, &ICContext);
12620 }
12621 
12622 static void CheckConditionalOperator(Sema &S, AbstractConditionalOperator *E,
12623                                      SourceLocation CC, QualType T) {
12624   AnalyzeImplicitConversions(S, E->getCond(), E->getQuestionLoc());
12625 
12626   Expr *TrueExpr = E->getTrueExpr();
12627   if (auto *BCO = dyn_cast<BinaryConditionalOperator>(E))
12628     TrueExpr = BCO->getCommon();
12629 
12630   bool Suspicious = false;
12631   CheckConditionalOperand(S, TrueExpr, T, CC, Suspicious);
12632   CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious);
12633 
12634   if (T->isBooleanType())
12635     DiagnoseIntInBoolContext(S, E);
12636 
12637   // If -Wconversion would have warned about either of the candidates
12638   // for a signedness conversion to the context type...
12639   if (!Suspicious) return;
12640 
12641   // ...but it's currently ignored...
12642   if (!S.Diags.isIgnored(diag::warn_impcast_integer_sign_conditional, CC))
12643     return;
12644 
12645   // ...then check whether it would have warned about either of the
12646   // candidates for a signedness conversion to the condition type.
12647   if (E->getType() == T) return;
12648 
12649   Suspicious = false;
12650   S.CheckImplicitConversion(TrueExpr->IgnoreParenImpCasts(), E->getType(), CC,
12651                             &Suspicious);
12652   if (!Suspicious)
12653     S.CheckImplicitConversion(E->getFalseExpr()->IgnoreParenImpCasts(),
12654                               E->getType(), CC, &Suspicious);
12655 }
12656 
12657 /// Check conversion of given expression to boolean.
12658 /// Input argument E is a logical expression.
12659 static void CheckBoolLikeConversion(Sema &S, Expr *E, SourceLocation CC) {
12660   // Run the bool-like conversion checks only for C since there bools are
12661   // still not used as the return type from "boolean" operators or as the input
12662   // type for conditional operators.
12663   if (S.getLangOpts().CPlusPlus)
12664     return;
12665   if (E->IgnoreParenImpCasts()->getType()->isAtomicType())
12666     return;
12667   S.CheckImplicitConversion(E->IgnoreParenImpCasts(), S.Context.BoolTy, CC);
12668 }
12669 
12670 namespace {
12671 struct AnalyzeImplicitConversionsWorkItem {
12672   Expr *E;
12673   SourceLocation CC;
12674   bool IsListInit;
12675 };
12676 }
12677 
12678 static void CheckCommaOperand(
12679     Sema &S, Expr *E, QualType T, SourceLocation CC,
12680     bool ExtraCheckForImplicitConversion,
12681     llvm::SmallVectorImpl<AnalyzeImplicitConversionsWorkItem> &WorkList) {
12682   E = E->IgnoreParenImpCasts();
12683   WorkList.push_back({E, CC, false});
12684 
12685   if (ExtraCheckForImplicitConversion && E->getType() != T)
12686     S.CheckImplicitConversion(E, T, CC);
12687 }
12688 
12689 /// Data recursive variant of AnalyzeImplicitConversions. Subexpressions
12690 /// that should be visited are added to WorkList.
12691 static void AnalyzeImplicitConversions(
12692     Sema &S, AnalyzeImplicitConversionsWorkItem Item,
12693     llvm::SmallVectorImpl<AnalyzeImplicitConversionsWorkItem> &WorkList) {
12694   Expr *OrigE = Item.E;
12695   SourceLocation CC = Item.CC;
12696 
12697   QualType T = OrigE->getType();
12698   Expr *E = OrigE->IgnoreParenImpCasts();
12699 
12700   // Propagate whether we are in a C++ list initialization expression.
12701   // If so, we do not issue warnings for implicit int-float conversion
12702   // precision loss, because C++11 narrowing already handles it.
12703   //
12704   // HLSL's initialization lists are special, so they shouldn't observe the C++
12705   // behavior here.
12706   bool IsListInit =
12707       Item.IsListInit || (isa<InitListExpr>(OrigE) &&
12708                           S.getLangOpts().CPlusPlus && !S.getLangOpts().HLSL);
12709 
12710   if (E->isTypeDependent() || E->isValueDependent())
12711     return;
12712 
12713   Expr *SourceExpr = E;
12714   // Examine, but don't traverse into the source expression of an
12715   // OpaqueValueExpr, since it may have multiple parents and we don't want to
12716   // emit duplicate diagnostics. Its fine to examine the form or attempt to
12717   // evaluate it in the context of checking the specific conversion to T though.
12718   if (auto *OVE = dyn_cast<OpaqueValueExpr>(E))
12719     if (auto *Src = OVE->getSourceExpr())
12720       SourceExpr = Src;
12721 
12722   if (const auto *UO = dyn_cast<UnaryOperator>(SourceExpr))
12723     if (UO->getOpcode() == UO_Not &&
12724         UO->getSubExpr()->isKnownToHaveBooleanValue())
12725       S.Diag(UO->getBeginLoc(), diag::warn_bitwise_negation_bool)
12726           << OrigE->getSourceRange() << T->isBooleanType()
12727           << FixItHint::CreateReplacement(UO->getBeginLoc(), "!");
12728 
12729   if (auto *BO = dyn_cast<BinaryOperator>(SourceExpr)) {
12730     if ((BO->getOpcode() == BO_And || BO->getOpcode() == BO_Or) &&
12731         BO->getLHS()->isKnownToHaveBooleanValue() &&
12732         BO->getRHS()->isKnownToHaveBooleanValue() &&
12733         BO->getLHS()->HasSideEffects(S.Context) &&
12734         BO->getRHS()->HasSideEffects(S.Context)) {
12735       SourceManager &SM = S.getSourceManager();
12736       const LangOptions &LO = S.getLangOpts();
12737       SourceLocation BLoc = BO->getOperatorLoc();
12738       SourceLocation ELoc = Lexer::getLocForEndOfToken(BLoc, 0, SM, LO);
12739       StringRef SR = clang::Lexer::getSourceText(
12740           clang::CharSourceRange::getTokenRange(BLoc, ELoc), SM, LO);
12741       // To reduce false positives, only issue the diagnostic if the operator
12742       // is explicitly spelled as a punctuator. This suppresses the diagnostic
12743       // when using 'bitand' or 'bitor' either as keywords in C++ or as macros
12744       // in C, along with other macro spellings the user might invent.
12745       if (SR.str() == "&" || SR.str() == "|") {
12746 
12747         S.Diag(BO->getBeginLoc(), diag::warn_bitwise_instead_of_logical)
12748             << (BO->getOpcode() == BO_And ? "&" : "|")
12749             << OrigE->getSourceRange()
12750             << FixItHint::CreateReplacement(
12751                    BO->getOperatorLoc(),
12752                    (BO->getOpcode() == BO_And ? "&&" : "||"));
12753         S.Diag(BO->getBeginLoc(), diag::note_cast_operand_to_int);
12754       }
12755     } else if (BO->isCommaOp() && !S.getLangOpts().CPlusPlus) {
12756       /// Analyze the given comma operator. The basic idea behind the analysis
12757       /// is to analyze the left and right operands slightly differently. The
12758       /// left operand needs to check whether the operand itself has an implicit
12759       /// conversion, but not whether the left operand induces an implicit
12760       /// conversion for the entire comma expression itself. This is similar to
12761       /// how CheckConditionalOperand behaves; it's as-if the correct operand
12762       /// were directly used for the implicit conversion check.
12763       CheckCommaOperand(S, BO->getLHS(), T, BO->getOperatorLoc(),
12764                         /*ExtraCheckForImplicitConversion=*/false, WorkList);
12765       CheckCommaOperand(S, BO->getRHS(), T, BO->getOperatorLoc(),
12766                         /*ExtraCheckForImplicitConversion=*/true, WorkList);
12767       return;
12768     }
12769   }
12770 
12771   // For conditional operators, we analyze the arguments as if they
12772   // were being fed directly into the output.
12773   if (auto *CO = dyn_cast<AbstractConditionalOperator>(SourceExpr)) {
12774     CheckConditionalOperator(S, CO, CC, T);
12775     return;
12776   }
12777 
12778   // Check implicit argument conversions for function calls.
12779   if (const auto *Call = dyn_cast<CallExpr>(SourceExpr))
12780     CheckImplicitArgumentConversions(S, Call, CC);
12781 
12782   // Go ahead and check any implicit conversions we might have skipped.
12783   // The non-canonical typecheck is just an optimization;
12784   // CheckImplicitConversion will filter out dead implicit conversions.
12785   if (SourceExpr->getType() != T)
12786     S.CheckImplicitConversion(SourceExpr, T, CC, nullptr, IsListInit);
12787 
12788   // Now continue drilling into this expression.
12789 
12790   if (PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E)) {
12791     // The bound subexpressions in a PseudoObjectExpr are not reachable
12792     // as transitive children.
12793     // FIXME: Use a more uniform representation for this.
12794     for (auto *SE : POE->semantics())
12795       if (auto *OVE = dyn_cast<OpaqueValueExpr>(SE))
12796         WorkList.push_back({OVE->getSourceExpr(), CC, IsListInit});
12797   }
12798 
12799   // Skip past explicit casts.
12800   if (auto *CE = dyn_cast<ExplicitCastExpr>(E)) {
12801     E = CE->getSubExpr()->IgnoreParenImpCasts();
12802     if (!CE->getType()->isVoidType() && E->getType()->isAtomicType())
12803       S.Diag(E->getBeginLoc(), diag::warn_atomic_implicit_seq_cst);
12804     WorkList.push_back({E, CC, IsListInit});
12805     return;
12806   }
12807 
12808   if (auto *OutArgE = dyn_cast<HLSLOutArgExpr>(E)) {
12809     WorkList.push_back({OutArgE->getArgLValue(), CC, IsListInit});
12810     // The base expression is only used to initialize the parameter for
12811     // arguments to `inout` parameters, so we only traverse down the base
12812     // expression for `inout` cases.
12813     if (OutArgE->isInOut())
12814       WorkList.push_back(
12815           {OutArgE->getCastedTemporary()->getSourceExpr(), CC, IsListInit});
12816     WorkList.push_back({OutArgE->getWritebackCast(), CC, IsListInit});
12817     return;
12818   }
12819 
12820   if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
12821     // Do a somewhat different check with comparison operators.
12822     if (BO->isComparisonOp())
12823       return AnalyzeComparison(S, BO);
12824 
12825     // And with simple assignments.
12826     if (BO->getOpcode() == BO_Assign)
12827       return AnalyzeAssignment(S, BO);
12828     // And with compound assignments.
12829     if (BO->isAssignmentOp())
12830       return AnalyzeCompoundAssignment(S, BO);
12831   }
12832 
12833   // These break the otherwise-useful invariant below.  Fortunately,
12834   // we don't really need to recurse into them, because any internal
12835   // expressions should have been analyzed already when they were
12836   // built into statements.
12837   if (isa<StmtExpr>(E)) return;
12838 
12839   // Don't descend into unevaluated contexts.
12840   if (isa<UnaryExprOrTypeTraitExpr>(E)) return;
12841 
12842   // Now just recurse over the expression's children.
12843   CC = E->getExprLoc();
12844   BinaryOperator *BO = dyn_cast<BinaryOperator>(E);
12845   bool IsLogicalAndOperator = BO && BO->getOpcode() == BO_LAnd;
12846   for (Stmt *SubStmt : E->children()) {
12847     Expr *ChildExpr = dyn_cast_or_null<Expr>(SubStmt);
12848     if (!ChildExpr)
12849       continue;
12850 
12851     if (auto *CSE = dyn_cast<CoroutineSuspendExpr>(E))
12852       if (ChildExpr == CSE->getOperand())
12853         // Do not recurse over a CoroutineSuspendExpr's operand.
12854         // The operand is also a subexpression of getCommonExpr(), and
12855         // recursing into it directly would produce duplicate diagnostics.
12856         continue;
12857 
12858     if (IsLogicalAndOperator &&
12859         isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts()))
12860       // Ignore checking string literals that are in logical and operators.
12861       // This is a common pattern for asserts.
12862       continue;
12863     WorkList.push_back({ChildExpr, CC, IsListInit});
12864   }
12865 
12866   if (BO && BO->isLogicalOp()) {
12867     Expr *SubExpr = BO->getLHS()->IgnoreParenImpCasts();
12868     if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr))
12869       ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc());
12870 
12871     SubExpr = BO->getRHS()->IgnoreParenImpCasts();
12872     if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr))
12873       ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc());
12874   }
12875 
12876   if (const UnaryOperator *U = dyn_cast<UnaryOperator>(E)) {
12877     if (U->getOpcode() == UO_LNot) {
12878       ::CheckBoolLikeConversion(S, U->getSubExpr(), CC);
12879     } else if (U->getOpcode() != UO_AddrOf) {
12880       if (U->getSubExpr()->getType()->isAtomicType())
12881         S.Diag(U->getSubExpr()->getBeginLoc(),
12882                diag::warn_atomic_implicit_seq_cst);
12883     }
12884   }
12885 }
12886 
12887 /// AnalyzeImplicitConversions - Find and report any interesting
12888 /// implicit conversions in the given expression.  There are a couple
12889 /// of competing diagnostics here, -Wconversion and -Wsign-compare.
12890 static void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC,
12891                                        bool IsListInit/*= false*/) {
12892   llvm::SmallVector<AnalyzeImplicitConversionsWorkItem, 16> WorkList;
12893   WorkList.push_back({OrigE, CC, IsListInit});
12894   while (!WorkList.empty())
12895     AnalyzeImplicitConversions(S, WorkList.pop_back_val(), WorkList);
12896 }
12897 
12898 // Helper function for Sema::DiagnoseAlwaysNonNullPointer.
12899 // Returns true when emitting a warning about taking the address of a reference.
12900 static bool CheckForReference(Sema &SemaRef, const Expr *E,
12901                               const PartialDiagnostic &PD) {
12902   E = E->IgnoreParenImpCasts();
12903 
12904   const FunctionDecl *FD = nullptr;
12905 
12906   if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
12907     if (!DRE->getDecl()->getType()->isReferenceType())
12908       return false;
12909   } else if (const MemberExpr *M = dyn_cast<MemberExpr>(E)) {
12910     if (!M->getMemberDecl()->getType()->isReferenceType())
12911       return false;
12912   } else if (const CallExpr *Call = dyn_cast<CallExpr>(E)) {
12913     if (!Call->getCallReturnType(SemaRef.Context)->isReferenceType())
12914       return false;
12915     FD = Call->getDirectCallee();
12916   } else {
12917     return false;
12918   }
12919 
12920   SemaRef.Diag(E->getExprLoc(), PD);
12921 
12922   // If possible, point to location of function.
12923   if (FD) {
12924     SemaRef.Diag(FD->getLocation(), diag::note_reference_is_return_value) << FD;
12925   }
12926 
12927   return true;
12928 }
12929 
12930 // Returns true if the SourceLocation is expanded from any macro body.
12931 // Returns false if the SourceLocation is invalid, is from not in a macro
12932 // expansion, or is from expanded from a top-level macro argument.
12933 static bool IsInAnyMacroBody(const SourceManager &SM, SourceLocation Loc) {
12934   if (Loc.isInvalid())
12935     return false;
12936 
12937   while (Loc.isMacroID()) {
12938     if (SM.isMacroBodyExpansion(Loc))
12939       return true;
12940     Loc = SM.getImmediateMacroCallerLoc(Loc);
12941   }
12942 
12943   return false;
12944 }
12945 
12946 void Sema::DiagnoseAlwaysNonNullPointer(Expr *E,
12947                                         Expr::NullPointerConstantKind NullKind,
12948                                         bool IsEqual, SourceRange Range) {
12949   if (!E)
12950     return;
12951 
12952   // Don't warn inside macros.
12953   if (E->getExprLoc().isMacroID()) {
12954     const SourceManager &SM = getSourceManager();
12955     if (IsInAnyMacroBody(SM, E->getExprLoc()) ||
12956         IsInAnyMacroBody(SM, Range.getBegin()))
12957       return;
12958   }
12959   E = E->IgnoreImpCasts();
12960 
12961   const bool IsCompare = NullKind != Expr::NPCK_NotNull;
12962 
12963   if (isa<CXXThisExpr>(E)) {
12964     unsigned DiagID = IsCompare ? diag::warn_this_null_compare
12965                                 : diag::warn_this_bool_conversion;
12966     Diag(E->getExprLoc(), DiagID) << E->getSourceRange() << Range << IsEqual;
12967     return;
12968   }
12969 
12970   bool IsAddressOf = false;
12971 
12972   if (auto *UO = dyn_cast<UnaryOperator>(E->IgnoreParens())) {
12973     if (UO->getOpcode() != UO_AddrOf)
12974       return;
12975     IsAddressOf = true;
12976     E = UO->getSubExpr();
12977   }
12978 
12979   if (IsAddressOf) {
12980     unsigned DiagID = IsCompare
12981                           ? diag::warn_address_of_reference_null_compare
12982                           : diag::warn_address_of_reference_bool_conversion;
12983     PartialDiagnostic PD = PDiag(DiagID) << E->getSourceRange() << Range
12984                                          << IsEqual;
12985     if (CheckForReference(*this, E, PD)) {
12986       return;
12987     }
12988   }
12989 
12990   auto ComplainAboutNonnullParamOrCall = [&](const Attr *NonnullAttr) {
12991     bool IsParam = isa<NonNullAttr>(NonnullAttr);
12992     std::string Str;
12993     llvm::raw_string_ostream S(Str);
12994     E->printPretty(S, nullptr, getPrintingPolicy());
12995     unsigned DiagID = IsCompare ? diag::warn_nonnull_expr_compare
12996                                 : diag::warn_cast_nonnull_to_bool;
12997     Diag(E->getExprLoc(), DiagID) << IsParam << S.str()
12998       << E->getSourceRange() << Range << IsEqual;
12999     Diag(NonnullAttr->getLocation(), diag::note_declared_nonnull) << IsParam;
13000   };
13001 
13002   // If we have a CallExpr that is tagged with returns_nonnull, we can complain.
13003   if (auto *Call = dyn_cast<CallExpr>(E->IgnoreParenImpCasts())) {
13004     if (auto *Callee = Call->getDirectCallee()) {
13005       if (const Attr *A = Callee->getAttr<ReturnsNonNullAttr>()) {
13006         ComplainAboutNonnullParamOrCall(A);
13007         return;
13008       }
13009     }
13010   }
13011 
13012   // Complain if we are converting a lambda expression to a boolean value
13013   // outside of instantiation.
13014   if (!inTemplateInstantiation()) {
13015     if (const auto *MCallExpr = dyn_cast<CXXMemberCallExpr>(E)) {
13016       if (const auto *MRecordDecl = MCallExpr->getRecordDecl();
13017           MRecordDecl && MRecordDecl->isLambda()) {
13018         Diag(E->getExprLoc(), diag::warn_impcast_pointer_to_bool)
13019             << /*LambdaPointerConversionOperatorType=*/3
13020             << MRecordDecl->getSourceRange() << Range << IsEqual;
13021         return;
13022       }
13023     }
13024   }
13025 
13026   // Expect to find a single Decl.  Skip anything more complicated.
13027   ValueDecl *D = nullptr;
13028   if (DeclRefExpr *R = dyn_cast<DeclRefExpr>(E)) {
13029     D = R->getDecl();
13030   } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) {
13031     D = M->getMemberDecl();
13032   }
13033 
13034   // Weak Decls can be null.
13035   if (!D || D->isWeak())
13036     return;
13037 
13038   // Check for parameter decl with nonnull attribute
13039   if (const auto* PV = dyn_cast<ParmVarDecl>(D)) {
13040     if (getCurFunction() &&
13041         !getCurFunction()->ModifiedNonNullParams.count(PV)) {
13042       if (const Attr *A = PV->getAttr<NonNullAttr>()) {
13043         ComplainAboutNonnullParamOrCall(A);
13044         return;
13045       }
13046 
13047       if (const auto *FD = dyn_cast<FunctionDecl>(PV->getDeclContext())) {
13048         // Skip function template not specialized yet.
13049         if (FD->getTemplatedKind() == FunctionDecl::TK_FunctionTemplate)
13050           return;
13051         auto ParamIter = llvm::find(FD->parameters(), PV);
13052         assert(ParamIter != FD->param_end());
13053         unsigned ParamNo = std::distance(FD->param_begin(), ParamIter);
13054 
13055         for (const auto *NonNull : FD->specific_attrs<NonNullAttr>()) {
13056           if (!NonNull->args_size()) {
13057               ComplainAboutNonnullParamOrCall(NonNull);
13058               return;
13059           }
13060 
13061           for (const ParamIdx &ArgNo : NonNull->args()) {
13062             if (ArgNo.getASTIndex() == ParamNo) {
13063               ComplainAboutNonnullParamOrCall(NonNull);
13064               return;
13065             }
13066           }
13067         }
13068       }
13069     }
13070   }
13071 
13072   QualType T = D->getType();
13073   const bool IsArray = T->isArrayType();
13074   const bool IsFunction = T->isFunctionType();
13075 
13076   // Address of function is used to silence the function warning.
13077   if (IsAddressOf && IsFunction) {
13078     return;
13079   }
13080 
13081   // Found nothing.
13082   if (!IsAddressOf && !IsFunction && !IsArray)
13083     return;
13084 
13085   // Pretty print the expression for the diagnostic.
13086   std::string Str;
13087   llvm::raw_string_ostream S(Str);
13088   E->printPretty(S, nullptr, getPrintingPolicy());
13089 
13090   unsigned DiagID = IsCompare ? diag::warn_null_pointer_compare
13091                               : diag::warn_impcast_pointer_to_bool;
13092   enum {
13093     AddressOf,
13094     FunctionPointer,
13095     ArrayPointer
13096   } DiagType;
13097   if (IsAddressOf)
13098     DiagType = AddressOf;
13099   else if (IsFunction)
13100     DiagType = FunctionPointer;
13101   else if (IsArray)
13102     DiagType = ArrayPointer;
13103   else
13104     llvm_unreachable("Could not determine diagnostic.");
13105   Diag(E->getExprLoc(), DiagID) << DiagType << S.str() << E->getSourceRange()
13106                                 << Range << IsEqual;
13107 
13108   if (!IsFunction)
13109     return;
13110 
13111   // Suggest '&' to silence the function warning.
13112   Diag(E->getExprLoc(), diag::note_function_warning_silence)
13113       << FixItHint::CreateInsertion(E->getBeginLoc(), "&");
13114 
13115   // Check to see if '()' fixit should be emitted.
13116   QualType ReturnType;
13117   UnresolvedSet<4> NonTemplateOverloads;
13118   tryExprAsCall(*E, ReturnType, NonTemplateOverloads);
13119   if (ReturnType.isNull())
13120     return;
13121 
13122   if (IsCompare) {
13123     // There are two cases here.  If there is null constant, the only suggest
13124     // for a pointer return type.  If the null is 0, then suggest if the return
13125     // type is a pointer or an integer type.
13126     if (!ReturnType->isPointerType()) {
13127       if (NullKind == Expr::NPCK_ZeroExpression ||
13128           NullKind == Expr::NPCK_ZeroLiteral) {
13129         if (!ReturnType->isIntegerType())
13130           return;
13131       } else {
13132         return;
13133       }
13134     }
13135   } else { // !IsCompare
13136     // For function to bool, only suggest if the function pointer has bool
13137     // return type.
13138     if (!ReturnType->isSpecificBuiltinType(BuiltinType::Bool))
13139       return;
13140   }
13141   Diag(E->getExprLoc(), diag::note_function_to_function_call)
13142       << FixItHint::CreateInsertion(getLocForEndOfToken(E->getEndLoc()), "()");
13143 }
13144 
13145 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) {
13146   // Don't diagnose in unevaluated contexts.
13147   if (isUnevaluatedContext())
13148     return;
13149 
13150   // Don't diagnose for value- or type-dependent expressions.
13151   if (E->isTypeDependent() || E->isValueDependent())
13152     return;
13153 
13154   // Check for array bounds violations in cases where the check isn't triggered
13155   // elsewhere for other Expr types (like BinaryOperators), e.g. when an
13156   // ArraySubscriptExpr is on the RHS of a variable initialization.
13157   CheckArrayAccess(E);
13158 
13159   // This is not the right CC for (e.g.) a variable initialization.
13160   AnalyzeImplicitConversions(*this, E, CC);
13161 }
13162 
13163 void Sema::CheckBoolLikeConversion(Expr *E, SourceLocation CC) {
13164   ::CheckBoolLikeConversion(*this, E, CC);
13165 }
13166 
13167 void Sema::CheckForIntOverflow (const Expr *E) {
13168   // Use a work list to deal with nested struct initializers.
13169   SmallVector<const Expr *, 2> Exprs(1, E);
13170 
13171   do {
13172     const Expr *OriginalE = Exprs.pop_back_val();
13173     const Expr *E = OriginalE->IgnoreParenCasts();
13174 
13175     if (isa<BinaryOperator, UnaryOperator>(E)) {
13176       E->EvaluateForOverflow(Context);
13177       continue;
13178     }
13179 
13180     if (const auto *InitList = dyn_cast<InitListExpr>(OriginalE))
13181       Exprs.append(InitList->inits().begin(), InitList->inits().end());
13182     else if (isa<ObjCBoxedExpr>(OriginalE))
13183       E->EvaluateForOverflow(Context);
13184     else if (const auto *Call = dyn_cast<CallExpr>(E))
13185       Exprs.append(Call->arg_begin(), Call->arg_end());
13186     else if (const auto *Message = dyn_cast<ObjCMessageExpr>(E))
13187       Exprs.append(Message->arg_begin(), Message->arg_end());
13188     else if (const auto *Construct = dyn_cast<CXXConstructExpr>(E))
13189       Exprs.append(Construct->arg_begin(), Construct->arg_end());
13190     else if (const auto *Temporary = dyn_cast<CXXBindTemporaryExpr>(E))
13191       Exprs.push_back(Temporary->getSubExpr());
13192     else if (const auto *Array = dyn_cast<ArraySubscriptExpr>(E))
13193       Exprs.push_back(Array->getIdx());
13194     else if (const auto *Compound = dyn_cast<CompoundLiteralExpr>(E))
13195       Exprs.push_back(Compound->getInitializer());
13196     else if (const auto *New = dyn_cast<CXXNewExpr>(E);
13197              New && New->isArray()) {
13198       if (auto ArraySize = New->getArraySize())
13199         Exprs.push_back(*ArraySize);
13200     } else if (const auto *MTE = dyn_cast<MaterializeTemporaryExpr>(OriginalE))
13201       Exprs.push_back(MTE->getSubExpr());
13202   } while (!Exprs.empty());
13203 }
13204 
13205 namespace {
13206 
13207 /// Visitor for expressions which looks for unsequenced operations on the
13208 /// same object.
13209 class SequenceChecker : public ConstEvaluatedExprVisitor<SequenceChecker> {
13210   using Base = ConstEvaluatedExprVisitor<SequenceChecker>;
13211 
13212   /// A tree of sequenced regions within an expression. Two regions are
13213   /// unsequenced if one is an ancestor or a descendent of the other. When we
13214   /// finish processing an expression with sequencing, such as a comma
13215   /// expression, we fold its tree nodes into its parent, since they are
13216   /// unsequenced with respect to nodes we will visit later.
13217   class SequenceTree {
13218     struct Value {
13219       explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {}
13220       unsigned Parent : 31;
13221       LLVM_PREFERRED_TYPE(bool)
13222       unsigned Merged : 1;
13223     };
13224     SmallVector<Value, 8> Values;
13225 
13226   public:
13227     /// A region within an expression which may be sequenced with respect
13228     /// to some other region.
13229     class Seq {
13230       friend class SequenceTree;
13231 
13232       unsigned Index;
13233 
13234       explicit Seq(unsigned N) : Index(N) {}
13235 
13236     public:
13237       Seq() : Index(0) {}
13238     };
13239 
13240     SequenceTree() { Values.push_back(Value(0)); }
13241     Seq root() const { return Seq(0); }
13242 
13243     /// Create a new sequence of operations, which is an unsequenced
13244     /// subset of \p Parent. This sequence of operations is sequenced with
13245     /// respect to other children of \p Parent.
13246     Seq allocate(Seq Parent) {
13247       Values.push_back(Value(Parent.Index));
13248       return Seq(Values.size() - 1);
13249     }
13250 
13251     /// Merge a sequence of operations into its parent.
13252     void merge(Seq S) {
13253       Values[S.Index].Merged = true;
13254     }
13255 
13256     /// Determine whether two operations are unsequenced. This operation
13257     /// is asymmetric: \p Cur should be the more recent sequence, and \p Old
13258     /// should have been merged into its parent as appropriate.
13259     bool isUnsequenced(Seq Cur, Seq Old) {
13260       unsigned C = representative(Cur.Index);
13261       unsigned Target = representative(Old.Index);
13262       while (C >= Target) {
13263         if (C == Target)
13264           return true;
13265         C = Values[C].Parent;
13266       }
13267       return false;
13268     }
13269 
13270   private:
13271     /// Pick a representative for a sequence.
13272     unsigned representative(unsigned K) {
13273       if (Values[K].Merged)
13274         // Perform path compression as we go.
13275         return Values[K].Parent = representative(Values[K].Parent);
13276       return K;
13277     }
13278   };
13279 
13280   /// An object for which we can track unsequenced uses.
13281   using Object = const NamedDecl *;
13282 
13283   /// Different flavors of object usage which we track. We only track the
13284   /// least-sequenced usage of each kind.
13285   enum UsageKind {
13286     /// A read of an object. Multiple unsequenced reads are OK.
13287     UK_Use,
13288 
13289     /// A modification of an object which is sequenced before the value
13290     /// computation of the expression, such as ++n in C++.
13291     UK_ModAsValue,
13292 
13293     /// A modification of an object which is not sequenced before the value
13294     /// computation of the expression, such as n++.
13295     UK_ModAsSideEffect,
13296 
13297     UK_Count = UK_ModAsSideEffect + 1
13298   };
13299 
13300   /// Bundle together a sequencing region and the expression corresponding
13301   /// to a specific usage. One Usage is stored for each usage kind in UsageInfo.
13302   struct Usage {
13303     const Expr *UsageExpr = nullptr;
13304     SequenceTree::Seq Seq;
13305 
13306     Usage() = default;
13307   };
13308 
13309   struct UsageInfo {
13310     Usage Uses[UK_Count];
13311 
13312     /// Have we issued a diagnostic for this object already?
13313     bool Diagnosed = false;
13314 
13315     UsageInfo();
13316   };
13317   using UsageInfoMap = llvm::SmallDenseMap<Object, UsageInfo, 16>;
13318 
13319   Sema &SemaRef;
13320 
13321   /// Sequenced regions within the expression.
13322   SequenceTree Tree;
13323 
13324   /// Declaration modifications and references which we have seen.
13325   UsageInfoMap UsageMap;
13326 
13327   /// The region we are currently within.
13328   SequenceTree::Seq Region;
13329 
13330   /// Filled in with declarations which were modified as a side-effect
13331   /// (that is, post-increment operations).
13332   SmallVectorImpl<std::pair<Object, Usage>> *ModAsSideEffect = nullptr;
13333 
13334   /// Expressions to check later. We defer checking these to reduce
13335   /// stack usage.
13336   SmallVectorImpl<const Expr *> &WorkList;
13337 
13338   /// RAII object wrapping the visitation of a sequenced subexpression of an
13339   /// expression. At the end of this process, the side-effects of the evaluation
13340   /// become sequenced with respect to the value computation of the result, so
13341   /// we downgrade any UK_ModAsSideEffect within the evaluation to
13342   /// UK_ModAsValue.
13343   struct SequencedSubexpression {
13344     SequencedSubexpression(SequenceChecker &Self)
13345       : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) {
13346       Self.ModAsSideEffect = &ModAsSideEffect;
13347     }
13348 
13349     ~SequencedSubexpression() {
13350       for (const std::pair<Object, Usage> &M : llvm::reverse(ModAsSideEffect)) {
13351         // Add a new usage with usage kind UK_ModAsValue, and then restore
13352         // the previous usage with UK_ModAsSideEffect (thus clearing it if
13353         // the previous one was empty).
13354         UsageInfo &UI = Self.UsageMap[M.first];
13355         auto &SideEffectUsage = UI.Uses[UK_ModAsSideEffect];
13356         Self.addUsage(M.first, UI, SideEffectUsage.UsageExpr, UK_ModAsValue);
13357         SideEffectUsage = M.second;
13358       }
13359       Self.ModAsSideEffect = OldModAsSideEffect;
13360     }
13361 
13362     SequenceChecker &Self;
13363     SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect;
13364     SmallVectorImpl<std::pair<Object, Usage>> *OldModAsSideEffect;
13365   };
13366 
13367   /// RAII object wrapping the visitation of a subexpression which we might
13368   /// choose to evaluate as a constant. If any subexpression is evaluated and
13369   /// found to be non-constant, this allows us to suppress the evaluation of
13370   /// the outer expression.
13371   class EvaluationTracker {
13372   public:
13373     EvaluationTracker(SequenceChecker &Self)
13374         : Self(Self), Prev(Self.EvalTracker) {
13375       Self.EvalTracker = this;
13376     }
13377 
13378     ~EvaluationTracker() {
13379       Self.EvalTracker = Prev;
13380       if (Prev)
13381         Prev->EvalOK &= EvalOK;
13382     }
13383 
13384     bool evaluate(const Expr *E, bool &Result) {
13385       if (!EvalOK || E->isValueDependent())
13386         return false;
13387       EvalOK = E->EvaluateAsBooleanCondition(
13388           Result, Self.SemaRef.Context,
13389           Self.SemaRef.isConstantEvaluatedContext());
13390       return EvalOK;
13391     }
13392 
13393   private:
13394     SequenceChecker &Self;
13395     EvaluationTracker *Prev;
13396     bool EvalOK = true;
13397   } *EvalTracker = nullptr;
13398 
13399   /// Find the object which is produced by the specified expression,
13400   /// if any.
13401   Object getObject(const Expr *E, bool Mod) const {
13402     E = E->IgnoreParenCasts();
13403     if (const UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) {
13404       if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec))
13405         return getObject(UO->getSubExpr(), Mod);
13406     } else if (const BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
13407       if (BO->getOpcode() == BO_Comma)
13408         return getObject(BO->getRHS(), Mod);
13409       if (Mod && BO->isAssignmentOp())
13410         return getObject(BO->getLHS(), Mod);
13411     } else if (const MemberExpr *ME = dyn_cast<MemberExpr>(E)) {
13412       // FIXME: Check for more interesting cases, like "x.n = ++x.n".
13413       if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts()))
13414         return ME->getMemberDecl();
13415     } else if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E))
13416       // FIXME: If this is a reference, map through to its value.
13417       return DRE->getDecl();
13418     return nullptr;
13419   }
13420 
13421   /// Note that an object \p O was modified or used by an expression
13422   /// \p UsageExpr with usage kind \p UK. \p UI is the \p UsageInfo for
13423   /// the object \p O as obtained via the \p UsageMap.
13424   void addUsage(Object O, UsageInfo &UI, const Expr *UsageExpr, UsageKind UK) {
13425     // Get the old usage for the given object and usage kind.
13426     Usage &U = UI.Uses[UK];
13427     if (!U.UsageExpr || !Tree.isUnsequenced(Region, U.Seq)) {
13428       // If we have a modification as side effect and are in a sequenced
13429       // subexpression, save the old Usage so that we can restore it later
13430       // in SequencedSubexpression::~SequencedSubexpression.
13431       if (UK == UK_ModAsSideEffect && ModAsSideEffect)
13432         ModAsSideEffect->push_back(std::make_pair(O, U));
13433       // Then record the new usage with the current sequencing region.
13434       U.UsageExpr = UsageExpr;
13435       U.Seq = Region;
13436     }
13437   }
13438 
13439   /// Check whether a modification or use of an object \p O in an expression
13440   /// \p UsageExpr conflicts with a prior usage of kind \p OtherKind. \p UI is
13441   /// the \p UsageInfo for the object \p O as obtained via the \p UsageMap.
13442   /// \p IsModMod is true when we are checking for a mod-mod unsequenced
13443   /// usage and false we are checking for a mod-use unsequenced usage.
13444   void checkUsage(Object O, UsageInfo &UI, const Expr *UsageExpr,
13445                   UsageKind OtherKind, bool IsModMod) {
13446     if (UI.Diagnosed)
13447       return;
13448 
13449     const Usage &U = UI.Uses[OtherKind];
13450     if (!U.UsageExpr || !Tree.isUnsequenced(Region, U.Seq))
13451       return;
13452 
13453     const Expr *Mod = U.UsageExpr;
13454     const Expr *ModOrUse = UsageExpr;
13455     if (OtherKind == UK_Use)
13456       std::swap(Mod, ModOrUse);
13457 
13458     SemaRef.DiagRuntimeBehavior(
13459         Mod->getExprLoc(), {Mod, ModOrUse},
13460         SemaRef.PDiag(IsModMod ? diag::warn_unsequenced_mod_mod
13461                                : diag::warn_unsequenced_mod_use)
13462             << O << SourceRange(ModOrUse->getExprLoc()));
13463     UI.Diagnosed = true;
13464   }
13465 
13466   // A note on note{Pre, Post}{Use, Mod}:
13467   //
13468   // (It helps to follow the algorithm with an expression such as
13469   //  "((++k)++, k) = k" or "k = (k++, k++)". Both contain unsequenced
13470   //  operations before C++17 and both are well-defined in C++17).
13471   //
13472   // When visiting a node which uses/modify an object we first call notePreUse
13473   // or notePreMod before visiting its sub-expression(s). At this point the
13474   // children of the current node have not yet been visited and so the eventual
13475   // uses/modifications resulting from the children of the current node have not
13476   // been recorded yet.
13477   //
13478   // We then visit the children of the current node. After that notePostUse or
13479   // notePostMod is called. These will 1) detect an unsequenced modification
13480   // as side effect (as in "k++ + k") and 2) add a new usage with the
13481   // appropriate usage kind.
13482   //
13483   // We also have to be careful that some operation sequences modification as
13484   // side effect as well (for example: || or ,). To account for this we wrap
13485   // the visitation of such a sub-expression (for example: the LHS of || or ,)
13486   // with SequencedSubexpression. SequencedSubexpression is an RAII object
13487   // which record usages which are modifications as side effect, and then
13488   // downgrade them (or more accurately restore the previous usage which was a
13489   // modification as side effect) when exiting the scope of the sequenced
13490   // subexpression.
13491 
13492   void notePreUse(Object O, const Expr *UseExpr) {
13493     UsageInfo &UI = UsageMap[O];
13494     // Uses conflict with other modifications.
13495     checkUsage(O, UI, UseExpr, /*OtherKind=*/UK_ModAsValue, /*IsModMod=*/false);
13496   }
13497 
13498   void notePostUse(Object O, const Expr *UseExpr) {
13499     UsageInfo &UI = UsageMap[O];
13500     checkUsage(O, UI, UseExpr, /*OtherKind=*/UK_ModAsSideEffect,
13501                /*IsModMod=*/false);
13502     addUsage(O, UI, UseExpr, /*UsageKind=*/UK_Use);
13503   }
13504 
13505   void notePreMod(Object O, const Expr *ModExpr) {
13506     UsageInfo &UI = UsageMap[O];
13507     // Modifications conflict with other modifications and with uses.
13508     checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_ModAsValue, /*IsModMod=*/true);
13509     checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_Use, /*IsModMod=*/false);
13510   }
13511 
13512   void notePostMod(Object O, const Expr *ModExpr, UsageKind UK) {
13513     UsageInfo &UI = UsageMap[O];
13514     checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_ModAsSideEffect,
13515                /*IsModMod=*/true);
13516     addUsage(O, UI, ModExpr, /*UsageKind=*/UK);
13517   }
13518 
13519 public:
13520   SequenceChecker(Sema &S, const Expr *E,
13521                   SmallVectorImpl<const Expr *> &WorkList)
13522       : Base(S.Context), SemaRef(S), Region(Tree.root()), WorkList(WorkList) {
13523     Visit(E);
13524     // Silence a -Wunused-private-field since WorkList is now unused.
13525     // TODO: Evaluate if it can be used, and if not remove it.
13526     (void)this->WorkList;
13527   }
13528 
13529   void VisitStmt(const Stmt *S) {
13530     // Skip all statements which aren't expressions for now.
13531   }
13532 
13533   void VisitExpr(const Expr *E) {
13534     // By default, just recurse to evaluated subexpressions.
13535     Base::VisitStmt(E);
13536   }
13537 
13538   void VisitCoroutineSuspendExpr(const CoroutineSuspendExpr *CSE) {
13539     for (auto *Sub : CSE->children()) {
13540       const Expr *ChildExpr = dyn_cast_or_null<Expr>(Sub);
13541       if (!ChildExpr)
13542         continue;
13543 
13544       if (ChildExpr == CSE->getOperand())
13545         // Do not recurse over a CoroutineSuspendExpr's operand.
13546         // The operand is also a subexpression of getCommonExpr(), and
13547         // recursing into it directly could confuse object management
13548         // for the sake of sequence tracking.
13549         continue;
13550 
13551       Visit(Sub);
13552     }
13553   }
13554 
13555   void VisitCastExpr(const CastExpr *E) {
13556     Object O = Object();
13557     if (E->getCastKind() == CK_LValueToRValue)
13558       O = getObject(E->getSubExpr(), false);
13559 
13560     if (O)
13561       notePreUse(O, E);
13562     VisitExpr(E);
13563     if (O)
13564       notePostUse(O, E);
13565   }
13566 
13567   void VisitSequencedExpressions(const Expr *SequencedBefore,
13568                                  const Expr *SequencedAfter) {
13569     SequenceTree::Seq BeforeRegion = Tree.allocate(Region);
13570     SequenceTree::Seq AfterRegion = Tree.allocate(Region);
13571     SequenceTree::Seq OldRegion = Region;
13572 
13573     {
13574       SequencedSubexpression SeqBefore(*this);
13575       Region = BeforeRegion;
13576       Visit(SequencedBefore);
13577     }
13578 
13579     Region = AfterRegion;
13580     Visit(SequencedAfter);
13581 
13582     Region = OldRegion;
13583 
13584     Tree.merge(BeforeRegion);
13585     Tree.merge(AfterRegion);
13586   }
13587 
13588   void VisitArraySubscriptExpr(const ArraySubscriptExpr *ASE) {
13589     // C++17 [expr.sub]p1:
13590     //   The expression E1[E2] is identical (by definition) to *((E1)+(E2)). The
13591     //   expression E1 is sequenced before the expression E2.
13592     if (SemaRef.getLangOpts().CPlusPlus17)
13593       VisitSequencedExpressions(ASE->getLHS(), ASE->getRHS());
13594     else {
13595       Visit(ASE->getLHS());
13596       Visit(ASE->getRHS());
13597     }
13598   }
13599 
13600   void VisitBinPtrMemD(const BinaryOperator *BO) { VisitBinPtrMem(BO); }
13601   void VisitBinPtrMemI(const BinaryOperator *BO) { VisitBinPtrMem(BO); }
13602   void VisitBinPtrMem(const BinaryOperator *BO) {
13603     // C++17 [expr.mptr.oper]p4:
13604     //  Abbreviating pm-expression.*cast-expression as E1.*E2, [...]
13605     //  the expression E1 is sequenced before the expression E2.
13606     if (SemaRef.getLangOpts().CPlusPlus17)
13607       VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
13608     else {
13609       Visit(BO->getLHS());
13610       Visit(BO->getRHS());
13611     }
13612   }
13613 
13614   void VisitBinShl(const BinaryOperator *BO) { VisitBinShlShr(BO); }
13615   void VisitBinShr(const BinaryOperator *BO) { VisitBinShlShr(BO); }
13616   void VisitBinShlShr(const BinaryOperator *BO) {
13617     // C++17 [expr.shift]p4:
13618     //  The expression E1 is sequenced before the expression E2.
13619     if (SemaRef.getLangOpts().CPlusPlus17)
13620       VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
13621     else {
13622       Visit(BO->getLHS());
13623       Visit(BO->getRHS());
13624     }
13625   }
13626 
13627   void VisitBinComma(const BinaryOperator *BO) {
13628     // C++11 [expr.comma]p1:
13629     //   Every value computation and side effect associated with the left
13630     //   expression is sequenced before every value computation and side
13631     //   effect associated with the right expression.
13632     VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
13633   }
13634 
13635   void VisitBinAssign(const BinaryOperator *BO) {
13636     SequenceTree::Seq RHSRegion;
13637     SequenceTree::Seq LHSRegion;
13638     if (SemaRef.getLangOpts().CPlusPlus17) {
13639       RHSRegion = Tree.allocate(Region);
13640       LHSRegion = Tree.allocate(Region);
13641     } else {
13642       RHSRegion = Region;
13643       LHSRegion = Region;
13644     }
13645     SequenceTree::Seq OldRegion = Region;
13646 
13647     // C++11 [expr.ass]p1:
13648     //  [...] the assignment is sequenced after the value computation
13649     //  of the right and left operands, [...]
13650     //
13651     // so check it before inspecting the operands and update the
13652     // map afterwards.
13653     Object O = getObject(BO->getLHS(), /*Mod=*/true);
13654     if (O)
13655       notePreMod(O, BO);
13656 
13657     if (SemaRef.getLangOpts().CPlusPlus17) {
13658       // C++17 [expr.ass]p1:
13659       //  [...] The right operand is sequenced before the left operand. [...]
13660       {
13661         SequencedSubexpression SeqBefore(*this);
13662         Region = RHSRegion;
13663         Visit(BO->getRHS());
13664       }
13665 
13666       Region = LHSRegion;
13667       Visit(BO->getLHS());
13668 
13669       if (O && isa<CompoundAssignOperator>(BO))
13670         notePostUse(O, BO);
13671 
13672     } else {
13673       // C++11 does not specify any sequencing between the LHS and RHS.
13674       Region = LHSRegion;
13675       Visit(BO->getLHS());
13676 
13677       if (O && isa<CompoundAssignOperator>(BO))
13678         notePostUse(O, BO);
13679 
13680       Region = RHSRegion;
13681       Visit(BO->getRHS());
13682     }
13683 
13684     // C++11 [expr.ass]p1:
13685     //  the assignment is sequenced [...] before the value computation of the
13686     //  assignment expression.
13687     // C11 6.5.16/3 has no such rule.
13688     Region = OldRegion;
13689     if (O)
13690       notePostMod(O, BO,
13691                   SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue
13692                                                   : UK_ModAsSideEffect);
13693     if (SemaRef.getLangOpts().CPlusPlus17) {
13694       Tree.merge(RHSRegion);
13695       Tree.merge(LHSRegion);
13696     }
13697   }
13698 
13699   void VisitCompoundAssignOperator(const CompoundAssignOperator *CAO) {
13700     VisitBinAssign(CAO);
13701   }
13702 
13703   void VisitUnaryPreInc(const UnaryOperator *UO) { VisitUnaryPreIncDec(UO); }
13704   void VisitUnaryPreDec(const UnaryOperator *UO) { VisitUnaryPreIncDec(UO); }
13705   void VisitUnaryPreIncDec(const UnaryOperator *UO) {
13706     Object O = getObject(UO->getSubExpr(), true);
13707     if (!O)
13708       return VisitExpr(UO);
13709 
13710     notePreMod(O, UO);
13711     Visit(UO->getSubExpr());
13712     // C++11 [expr.pre.incr]p1:
13713     //   the expression ++x is equivalent to x+=1
13714     notePostMod(O, UO,
13715                 SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue
13716                                                 : UK_ModAsSideEffect);
13717   }
13718 
13719   void VisitUnaryPostInc(const UnaryOperator *UO) { VisitUnaryPostIncDec(UO); }
13720   void VisitUnaryPostDec(const UnaryOperator *UO) { VisitUnaryPostIncDec(UO); }
13721   void VisitUnaryPostIncDec(const UnaryOperator *UO) {
13722     Object O = getObject(UO->getSubExpr(), true);
13723     if (!O)
13724       return VisitExpr(UO);
13725 
13726     notePreMod(O, UO);
13727     Visit(UO->getSubExpr());
13728     notePostMod(O, UO, UK_ModAsSideEffect);
13729   }
13730 
13731   void VisitBinLOr(const BinaryOperator *BO) {
13732     // C++11 [expr.log.or]p2:
13733     //  If the second expression is evaluated, every value computation and
13734     //  side effect associated with the first expression is sequenced before
13735     //  every value computation and side effect associated with the
13736     //  second expression.
13737     SequenceTree::Seq LHSRegion = Tree.allocate(Region);
13738     SequenceTree::Seq RHSRegion = Tree.allocate(Region);
13739     SequenceTree::Seq OldRegion = Region;
13740 
13741     EvaluationTracker Eval(*this);
13742     {
13743       SequencedSubexpression Sequenced(*this);
13744       Region = LHSRegion;
13745       Visit(BO->getLHS());
13746     }
13747 
13748     // C++11 [expr.log.or]p1:
13749     //  [...] the second operand is not evaluated if the first operand
13750     //  evaluates to true.
13751     bool EvalResult = false;
13752     bool EvalOK = Eval.evaluate(BO->getLHS(), EvalResult);
13753     bool ShouldVisitRHS = !EvalOK || !EvalResult;
13754     if (ShouldVisitRHS) {
13755       Region = RHSRegion;
13756       Visit(BO->getRHS());
13757     }
13758 
13759     Region = OldRegion;
13760     Tree.merge(LHSRegion);
13761     Tree.merge(RHSRegion);
13762   }
13763 
13764   void VisitBinLAnd(const BinaryOperator *BO) {
13765     // C++11 [expr.log.and]p2:
13766     //  If the second expression is evaluated, every value computation and
13767     //  side effect associated with the first expression is sequenced before
13768     //  every value computation and side effect associated with the
13769     //  second expression.
13770     SequenceTree::Seq LHSRegion = Tree.allocate(Region);
13771     SequenceTree::Seq RHSRegion = Tree.allocate(Region);
13772     SequenceTree::Seq OldRegion = Region;
13773 
13774     EvaluationTracker Eval(*this);
13775     {
13776       SequencedSubexpression Sequenced(*this);
13777       Region = LHSRegion;
13778       Visit(BO->getLHS());
13779     }
13780 
13781     // C++11 [expr.log.and]p1:
13782     //  [...] the second operand is not evaluated if the first operand is false.
13783     bool EvalResult = false;
13784     bool EvalOK = Eval.evaluate(BO->getLHS(), EvalResult);
13785     bool ShouldVisitRHS = !EvalOK || EvalResult;
13786     if (ShouldVisitRHS) {
13787       Region = RHSRegion;
13788       Visit(BO->getRHS());
13789     }
13790 
13791     Region = OldRegion;
13792     Tree.merge(LHSRegion);
13793     Tree.merge(RHSRegion);
13794   }
13795 
13796   void VisitAbstractConditionalOperator(const AbstractConditionalOperator *CO) {
13797     // C++11 [expr.cond]p1:
13798     //  [...] Every value computation and side effect associated with the first
13799     //  expression is sequenced before every value computation and side effect
13800     //  associated with the second or third expression.
13801     SequenceTree::Seq ConditionRegion = Tree.allocate(Region);
13802 
13803     // No sequencing is specified between the true and false expression.
13804     // However since exactly one of both is going to be evaluated we can
13805     // consider them to be sequenced. This is needed to avoid warning on
13806     // something like "x ? y+= 1 : y += 2;" in the case where we will visit
13807     // both the true and false expressions because we can't evaluate x.
13808     // This will still allow us to detect an expression like (pre C++17)
13809     // "(x ? y += 1 : y += 2) = y".
13810     //
13811     // We don't wrap the visitation of the true and false expression with
13812     // SequencedSubexpression because we don't want to downgrade modifications
13813     // as side effect in the true and false expressions after the visition
13814     // is done. (for example in the expression "(x ? y++ : y++) + y" we should
13815     // not warn between the two "y++", but we should warn between the "y++"
13816     // and the "y".
13817     SequenceTree::Seq TrueRegion = Tree.allocate(Region);
13818     SequenceTree::Seq FalseRegion = Tree.allocate(Region);
13819     SequenceTree::Seq OldRegion = Region;
13820 
13821     EvaluationTracker Eval(*this);
13822     {
13823       SequencedSubexpression Sequenced(*this);
13824       Region = ConditionRegion;
13825       Visit(CO->getCond());
13826     }
13827 
13828     // C++11 [expr.cond]p1:
13829     // [...] The first expression is contextually converted to bool (Clause 4).
13830     // It is evaluated and if it is true, the result of the conditional
13831     // expression is the value of the second expression, otherwise that of the
13832     // third expression. Only one of the second and third expressions is
13833     // evaluated. [...]
13834     bool EvalResult = false;
13835     bool EvalOK = Eval.evaluate(CO->getCond(), EvalResult);
13836     bool ShouldVisitTrueExpr = !EvalOK || EvalResult;
13837     bool ShouldVisitFalseExpr = !EvalOK || !EvalResult;
13838     if (ShouldVisitTrueExpr) {
13839       Region = TrueRegion;
13840       Visit(CO->getTrueExpr());
13841     }
13842     if (ShouldVisitFalseExpr) {
13843       Region = FalseRegion;
13844       Visit(CO->getFalseExpr());
13845     }
13846 
13847     Region = OldRegion;
13848     Tree.merge(ConditionRegion);
13849     Tree.merge(TrueRegion);
13850     Tree.merge(FalseRegion);
13851   }
13852 
13853   void VisitCallExpr(const CallExpr *CE) {
13854     // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions.
13855 
13856     if (CE->isUnevaluatedBuiltinCall(Context))
13857       return;
13858 
13859     // C++11 [intro.execution]p15:
13860     //   When calling a function [...], every value computation and side effect
13861     //   associated with any argument expression, or with the postfix expression
13862     //   designating the called function, is sequenced before execution of every
13863     //   expression or statement in the body of the function [and thus before
13864     //   the value computation of its result].
13865     SequencedSubexpression Sequenced(*this);
13866     SemaRef.runWithSufficientStackSpace(CE->getExprLoc(), [&] {
13867       // C++17 [expr.call]p5
13868       //   The postfix-expression is sequenced before each expression in the
13869       //   expression-list and any default argument. [...]
13870       SequenceTree::Seq CalleeRegion;
13871       SequenceTree::Seq OtherRegion;
13872       if (SemaRef.getLangOpts().CPlusPlus17) {
13873         CalleeRegion = Tree.allocate(Region);
13874         OtherRegion = Tree.allocate(Region);
13875       } else {
13876         CalleeRegion = Region;
13877         OtherRegion = Region;
13878       }
13879       SequenceTree::Seq OldRegion = Region;
13880 
13881       // Visit the callee expression first.
13882       Region = CalleeRegion;
13883       if (SemaRef.getLangOpts().CPlusPlus17) {
13884         SequencedSubexpression Sequenced(*this);
13885         Visit(CE->getCallee());
13886       } else {
13887         Visit(CE->getCallee());
13888       }
13889 
13890       // Then visit the argument expressions.
13891       Region = OtherRegion;
13892       for (const Expr *Argument : CE->arguments())
13893         Visit(Argument);
13894 
13895       Region = OldRegion;
13896       if (SemaRef.getLangOpts().CPlusPlus17) {
13897         Tree.merge(CalleeRegion);
13898         Tree.merge(OtherRegion);
13899       }
13900     });
13901   }
13902 
13903   void VisitCXXOperatorCallExpr(const CXXOperatorCallExpr *CXXOCE) {
13904     // C++17 [over.match.oper]p2:
13905     //   [...] the operator notation is first transformed to the equivalent
13906     //   function-call notation as summarized in Table 12 (where @ denotes one
13907     //   of the operators covered in the specified subclause). However, the
13908     //   operands are sequenced in the order prescribed for the built-in
13909     //   operator (Clause 8).
13910     //
13911     // From the above only overloaded binary operators and overloaded call
13912     // operators have sequencing rules in C++17 that we need to handle
13913     // separately.
13914     if (!SemaRef.getLangOpts().CPlusPlus17 ||
13915         (CXXOCE->getNumArgs() != 2 && CXXOCE->getOperator() != OO_Call))
13916       return VisitCallExpr(CXXOCE);
13917 
13918     enum {
13919       NoSequencing,
13920       LHSBeforeRHS,
13921       RHSBeforeLHS,
13922       LHSBeforeRest
13923     } SequencingKind;
13924     switch (CXXOCE->getOperator()) {
13925     case OO_Equal:
13926     case OO_PlusEqual:
13927     case OO_MinusEqual:
13928     case OO_StarEqual:
13929     case OO_SlashEqual:
13930     case OO_PercentEqual:
13931     case OO_CaretEqual:
13932     case OO_AmpEqual:
13933     case OO_PipeEqual:
13934     case OO_LessLessEqual:
13935     case OO_GreaterGreaterEqual:
13936       SequencingKind = RHSBeforeLHS;
13937       break;
13938 
13939     case OO_LessLess:
13940     case OO_GreaterGreater:
13941     case OO_AmpAmp:
13942     case OO_PipePipe:
13943     case OO_Comma:
13944     case OO_ArrowStar:
13945     case OO_Subscript:
13946       SequencingKind = LHSBeforeRHS;
13947       break;
13948 
13949     case OO_Call:
13950       SequencingKind = LHSBeforeRest;
13951       break;
13952 
13953     default:
13954       SequencingKind = NoSequencing;
13955       break;
13956     }
13957 
13958     if (SequencingKind == NoSequencing)
13959       return VisitCallExpr(CXXOCE);
13960 
13961     // This is a call, so all subexpressions are sequenced before the result.
13962     SequencedSubexpression Sequenced(*this);
13963 
13964     SemaRef.runWithSufficientStackSpace(CXXOCE->getExprLoc(), [&] {
13965       assert(SemaRef.getLangOpts().CPlusPlus17 &&
13966              "Should only get there with C++17 and above!");
13967       assert((CXXOCE->getNumArgs() == 2 || CXXOCE->getOperator() == OO_Call) &&
13968              "Should only get there with an overloaded binary operator"
13969              " or an overloaded call operator!");
13970 
13971       if (SequencingKind == LHSBeforeRest) {
13972         assert(CXXOCE->getOperator() == OO_Call &&
13973                "We should only have an overloaded call operator here!");
13974 
13975         // This is very similar to VisitCallExpr, except that we only have the
13976         // C++17 case. The postfix-expression is the first argument of the
13977         // CXXOperatorCallExpr. The expressions in the expression-list, if any,
13978         // are in the following arguments.
13979         //
13980         // Note that we intentionally do not visit the callee expression since
13981         // it is just a decayed reference to a function.
13982         SequenceTree::Seq PostfixExprRegion = Tree.allocate(Region);
13983         SequenceTree::Seq ArgsRegion = Tree.allocate(Region);
13984         SequenceTree::Seq OldRegion = Region;
13985 
13986         assert(CXXOCE->getNumArgs() >= 1 &&
13987                "An overloaded call operator must have at least one argument"
13988                " for the postfix-expression!");
13989         const Expr *PostfixExpr = CXXOCE->getArgs()[0];
13990         llvm::ArrayRef<const Expr *> Args(CXXOCE->getArgs() + 1,
13991                                           CXXOCE->getNumArgs() - 1);
13992 
13993         // Visit the postfix-expression first.
13994         {
13995           Region = PostfixExprRegion;
13996           SequencedSubexpression Sequenced(*this);
13997           Visit(PostfixExpr);
13998         }
13999 
14000         // Then visit the argument expressions.
14001         Region = ArgsRegion;
14002         for (const Expr *Arg : Args)
14003           Visit(Arg);
14004 
14005         Region = OldRegion;
14006         Tree.merge(PostfixExprRegion);
14007         Tree.merge(ArgsRegion);
14008       } else {
14009         assert(CXXOCE->getNumArgs() == 2 &&
14010                "Should only have two arguments here!");
14011         assert((SequencingKind == LHSBeforeRHS ||
14012                 SequencingKind == RHSBeforeLHS) &&
14013                "Unexpected sequencing kind!");
14014 
14015         // We do not visit the callee expression since it is just a decayed
14016         // reference to a function.
14017         const Expr *E1 = CXXOCE->getArg(0);
14018         const Expr *E2 = CXXOCE->getArg(1);
14019         if (SequencingKind == RHSBeforeLHS)
14020           std::swap(E1, E2);
14021 
14022         return VisitSequencedExpressions(E1, E2);
14023       }
14024     });
14025   }
14026 
14027   void VisitCXXConstructExpr(const CXXConstructExpr *CCE) {
14028     // This is a call, so all subexpressions are sequenced before the result.
14029     SequencedSubexpression Sequenced(*this);
14030 
14031     if (!CCE->isListInitialization())
14032       return VisitExpr(CCE);
14033 
14034     // In C++11, list initializations are sequenced.
14035     SequenceExpressionsInOrder(
14036         llvm::ArrayRef(CCE->getArgs(), CCE->getNumArgs()));
14037   }
14038 
14039   void VisitInitListExpr(const InitListExpr *ILE) {
14040     if (!SemaRef.getLangOpts().CPlusPlus11)
14041       return VisitExpr(ILE);
14042 
14043     // In C++11, list initializations are sequenced.
14044     SequenceExpressionsInOrder(ILE->inits());
14045   }
14046 
14047   void VisitCXXParenListInitExpr(const CXXParenListInitExpr *PLIE) {
14048     // C++20 parenthesized list initializations are sequenced. See C++20
14049     // [decl.init.general]p16.5 and [decl.init.general]p16.6.2.2.
14050     SequenceExpressionsInOrder(PLIE->getInitExprs());
14051   }
14052 
14053 private:
14054   void SequenceExpressionsInOrder(ArrayRef<const Expr *> ExpressionList) {
14055     SmallVector<SequenceTree::Seq, 32> Elts;
14056     SequenceTree::Seq Parent = Region;
14057     for (const Expr *E : ExpressionList) {
14058       if (!E)
14059         continue;
14060       Region = Tree.allocate(Parent);
14061       Elts.push_back(Region);
14062       Visit(E);
14063     }
14064 
14065     // Forget that the initializers are sequenced.
14066     Region = Parent;
14067     for (unsigned I = 0; I < Elts.size(); ++I)
14068       Tree.merge(Elts[I]);
14069   }
14070 };
14071 
14072 SequenceChecker::UsageInfo::UsageInfo() = default;
14073 
14074 } // namespace
14075 
14076 void Sema::CheckUnsequencedOperations(const Expr *E) {
14077   SmallVector<const Expr *, 8> WorkList;
14078   WorkList.push_back(E);
14079   while (!WorkList.empty()) {
14080     const Expr *Item = WorkList.pop_back_val();
14081     SequenceChecker(*this, Item, WorkList);
14082   }
14083 }
14084 
14085 void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc,
14086                               bool IsConstexpr) {
14087   llvm::SaveAndRestore ConstantContext(isConstantEvaluatedOverride,
14088                                        IsConstexpr || isa<ConstantExpr>(E));
14089   CheckImplicitConversions(E, CheckLoc);
14090   if (!E->isInstantiationDependent())
14091     CheckUnsequencedOperations(E);
14092   if (!IsConstexpr && !E->isValueDependent())
14093     CheckForIntOverflow(E);
14094   DiagnoseMisalignedMembers();
14095 }
14096 
14097 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc,
14098                                        FieldDecl *BitField,
14099                                        Expr *Init) {
14100   (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc);
14101 }
14102 
14103 static void diagnoseArrayStarInParamType(Sema &S, QualType PType,
14104                                          SourceLocation Loc) {
14105   if (!PType->isVariablyModifiedType())
14106     return;
14107   if (const auto *PointerTy = dyn_cast<PointerType>(PType)) {
14108     diagnoseArrayStarInParamType(S, PointerTy->getPointeeType(), Loc);
14109     return;
14110   }
14111   if (const auto *ReferenceTy = dyn_cast<ReferenceType>(PType)) {
14112     diagnoseArrayStarInParamType(S, ReferenceTy->getPointeeType(), Loc);
14113     return;
14114   }
14115   if (const auto *ParenTy = dyn_cast<ParenType>(PType)) {
14116     diagnoseArrayStarInParamType(S, ParenTy->getInnerType(), Loc);
14117     return;
14118   }
14119 
14120   const ArrayType *AT = S.Context.getAsArrayType(PType);
14121   if (!AT)
14122     return;
14123 
14124   if (AT->getSizeModifier() != ArraySizeModifier::Star) {
14125     diagnoseArrayStarInParamType(S, AT->getElementType(), Loc);
14126     return;
14127   }
14128 
14129   S.Diag(Loc, diag::err_array_star_in_function_definition);
14130 }
14131 
14132 bool Sema::CheckParmsForFunctionDef(ArrayRef<ParmVarDecl *> Parameters,
14133                                     bool CheckParameterNames) {
14134   bool HasInvalidParm = false;
14135   for (ParmVarDecl *Param : Parameters) {
14136     assert(Param && "null in a parameter list");
14137     // C99 6.7.5.3p4: the parameters in a parameter type list in a
14138     // function declarator that is part of a function definition of
14139     // that function shall not have incomplete type.
14140     //
14141     // C++23 [dcl.fct.def.general]/p2
14142     // The type of a parameter [...] for a function definition
14143     // shall not be a (possibly cv-qualified) class type that is incomplete
14144     // or abstract within the function body unless the function is deleted.
14145     if (!Param->isInvalidDecl() &&
14146         (RequireCompleteType(Param->getLocation(), Param->getType(),
14147                              diag::err_typecheck_decl_incomplete_type) ||
14148          RequireNonAbstractType(Param->getBeginLoc(), Param->getOriginalType(),
14149                                 diag::err_abstract_type_in_decl,
14150                                 AbstractParamType))) {
14151       Param->setInvalidDecl();
14152       HasInvalidParm = true;
14153     }
14154 
14155     // C99 6.9.1p5: If the declarator includes a parameter type list, the
14156     // declaration of each parameter shall include an identifier.
14157     if (CheckParameterNames && Param->getIdentifier() == nullptr &&
14158         !Param->isImplicit() && !getLangOpts().CPlusPlus) {
14159       // Diagnose this as an extension in C17 and earlier.
14160       if (!getLangOpts().C23)
14161         Diag(Param->getLocation(), diag::ext_parameter_name_omitted_c23);
14162     }
14163 
14164     // C99 6.7.5.3p12:
14165     //   If the function declarator is not part of a definition of that
14166     //   function, parameters may have incomplete type and may use the [*]
14167     //   notation in their sequences of declarator specifiers to specify
14168     //   variable length array types.
14169     QualType PType = Param->getOriginalType();
14170     // FIXME: This diagnostic should point the '[*]' if source-location
14171     // information is added for it.
14172     diagnoseArrayStarInParamType(*this, PType, Param->getLocation());
14173 
14174     // If the parameter is a c++ class type and it has to be destructed in the
14175     // callee function, declare the destructor so that it can be called by the
14176     // callee function. Do not perform any direct access check on the dtor here.
14177     if (!Param->isInvalidDecl()) {
14178       if (CXXRecordDecl *ClassDecl = Param->getType()->getAsCXXRecordDecl()) {
14179         if (!ClassDecl->isInvalidDecl() &&
14180             !ClassDecl->hasIrrelevantDestructor() &&
14181             !ClassDecl->isDependentContext() &&
14182             ClassDecl->isParamDestroyedInCallee()) {
14183           CXXDestructorDecl *Destructor = LookupDestructor(ClassDecl);
14184           MarkFunctionReferenced(Param->getLocation(), Destructor);
14185           DiagnoseUseOfDecl(Destructor, Param->getLocation());
14186         }
14187       }
14188     }
14189 
14190     // Parameters with the pass_object_size attribute only need to be marked
14191     // constant at function definitions. Because we lack information about
14192     // whether we're on a declaration or definition when we're instantiating the
14193     // attribute, we need to check for constness here.
14194     if (const auto *Attr = Param->getAttr<PassObjectSizeAttr>())
14195       if (!Param->getType().isConstQualified())
14196         Diag(Param->getLocation(), diag::err_attribute_pointers_only)
14197             << Attr->getSpelling() << 1;
14198 
14199     // Check for parameter names shadowing fields from the class.
14200     if (LangOpts.CPlusPlus && !Param->isInvalidDecl()) {
14201       // The owning context for the parameter should be the function, but we
14202       // want to see if this function's declaration context is a record.
14203       DeclContext *DC = Param->getDeclContext();
14204       if (DC && DC->isFunctionOrMethod()) {
14205         if (auto *RD = dyn_cast<CXXRecordDecl>(DC->getParent()))
14206           CheckShadowInheritedFields(Param->getLocation(), Param->getDeclName(),
14207                                      RD, /*DeclIsField*/ false);
14208       }
14209     }
14210 
14211     if (!Param->isInvalidDecl() &&
14212         Param->getOriginalType()->isWebAssemblyTableType()) {
14213       Param->setInvalidDecl();
14214       HasInvalidParm = true;
14215       Diag(Param->getLocation(), diag::err_wasm_table_as_function_parameter);
14216     }
14217   }
14218 
14219   return HasInvalidParm;
14220 }
14221 
14222 std::optional<std::pair<
14223     CharUnits, CharUnits>> static getBaseAlignmentAndOffsetFromPtr(const Expr
14224                                                                        *E,
14225                                                                    ASTContext
14226                                                                        &Ctx);
14227 
14228 /// Compute the alignment and offset of the base class object given the
14229 /// derived-to-base cast expression and the alignment and offset of the derived
14230 /// class object.
14231 static std::pair<CharUnits, CharUnits>
14232 getDerivedToBaseAlignmentAndOffset(const CastExpr *CE, QualType DerivedType,
14233                                    CharUnits BaseAlignment, CharUnits Offset,
14234                                    ASTContext &Ctx) {
14235   for (auto PathI = CE->path_begin(), PathE = CE->path_end(); PathI != PathE;
14236        ++PathI) {
14237     const CXXBaseSpecifier *Base = *PathI;
14238     const CXXRecordDecl *BaseDecl = Base->getType()->getAsCXXRecordDecl();
14239     if (Base->isVirtual()) {
14240       // The complete object may have a lower alignment than the non-virtual
14241       // alignment of the base, in which case the base may be misaligned. Choose
14242       // the smaller of the non-virtual alignment and BaseAlignment, which is a
14243       // conservative lower bound of the complete object alignment.
14244       CharUnits NonVirtualAlignment =
14245           Ctx.getASTRecordLayout(BaseDecl).getNonVirtualAlignment();
14246       BaseAlignment = std::min(BaseAlignment, NonVirtualAlignment);
14247       Offset = CharUnits::Zero();
14248     } else {
14249       const ASTRecordLayout &RL =
14250           Ctx.getASTRecordLayout(DerivedType->getAsCXXRecordDecl());
14251       Offset += RL.getBaseClassOffset(BaseDecl);
14252     }
14253     DerivedType = Base->getType();
14254   }
14255 
14256   return std::make_pair(BaseAlignment, Offset);
14257 }
14258 
14259 /// Compute the alignment and offset of a binary additive operator.
14260 static std::optional<std::pair<CharUnits, CharUnits>>
14261 getAlignmentAndOffsetFromBinAddOrSub(const Expr *PtrE, const Expr *IntE,
14262                                      bool IsSub, ASTContext &Ctx) {
14263   QualType PointeeType = PtrE->getType()->getPointeeType();
14264 
14265   if (!PointeeType->isConstantSizeType())
14266     return std::nullopt;
14267 
14268   auto P = getBaseAlignmentAndOffsetFromPtr(PtrE, Ctx);
14269 
14270   if (!P)
14271     return std::nullopt;
14272 
14273   CharUnits EltSize = Ctx.getTypeSizeInChars(PointeeType);
14274   if (std::optional<llvm::APSInt> IdxRes = IntE->getIntegerConstantExpr(Ctx)) {
14275     CharUnits Offset = EltSize * IdxRes->getExtValue();
14276     if (IsSub)
14277       Offset = -Offset;
14278     return std::make_pair(P->first, P->second + Offset);
14279   }
14280 
14281   // If the integer expression isn't a constant expression, compute the lower
14282   // bound of the alignment using the alignment and offset of the pointer
14283   // expression and the element size.
14284   return std::make_pair(
14285       P->first.alignmentAtOffset(P->second).alignmentAtOffset(EltSize),
14286       CharUnits::Zero());
14287 }
14288 
14289 /// This helper function takes an lvalue expression and returns the alignment of
14290 /// a VarDecl and a constant offset from the VarDecl.
14291 std::optional<std::pair<
14292     CharUnits,
14293     CharUnits>> static getBaseAlignmentAndOffsetFromLValue(const Expr *E,
14294                                                            ASTContext &Ctx) {
14295   E = E->IgnoreParens();
14296   switch (E->getStmtClass()) {
14297   default:
14298     break;
14299   case Stmt::CStyleCastExprClass:
14300   case Stmt::CXXStaticCastExprClass:
14301   case Stmt::ImplicitCastExprClass: {
14302     auto *CE = cast<CastExpr>(E);
14303     const Expr *From = CE->getSubExpr();
14304     switch (CE->getCastKind()) {
14305     default:
14306       break;
14307     case CK_NoOp:
14308       return getBaseAlignmentAndOffsetFromLValue(From, Ctx);
14309     case CK_UncheckedDerivedToBase:
14310     case CK_DerivedToBase: {
14311       auto P = getBaseAlignmentAndOffsetFromLValue(From, Ctx);
14312       if (!P)
14313         break;
14314       return getDerivedToBaseAlignmentAndOffset(CE, From->getType(), P->first,
14315                                                 P->second, Ctx);
14316     }
14317     }
14318     break;
14319   }
14320   case Stmt::ArraySubscriptExprClass: {
14321     auto *ASE = cast<ArraySubscriptExpr>(E);
14322     return getAlignmentAndOffsetFromBinAddOrSub(ASE->getBase(), ASE->getIdx(),
14323                                                 false, Ctx);
14324   }
14325   case Stmt::DeclRefExprClass: {
14326     if (auto *VD = dyn_cast<VarDecl>(cast<DeclRefExpr>(E)->getDecl())) {
14327       // FIXME: If VD is captured by copy or is an escaping __block variable,
14328       // use the alignment of VD's type.
14329       if (!VD->getType()->isReferenceType()) {
14330         // Dependent alignment cannot be resolved -> bail out.
14331         if (VD->hasDependentAlignment())
14332           break;
14333         return std::make_pair(Ctx.getDeclAlign(VD), CharUnits::Zero());
14334       }
14335       if (VD->hasInit())
14336         return getBaseAlignmentAndOffsetFromLValue(VD->getInit(), Ctx);
14337     }
14338     break;
14339   }
14340   case Stmt::MemberExprClass: {
14341     auto *ME = cast<MemberExpr>(E);
14342     auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl());
14343     if (!FD || FD->getType()->isReferenceType() ||
14344         FD->getParent()->isInvalidDecl())
14345       break;
14346     std::optional<std::pair<CharUnits, CharUnits>> P;
14347     if (ME->isArrow())
14348       P = getBaseAlignmentAndOffsetFromPtr(ME->getBase(), Ctx);
14349     else
14350       P = getBaseAlignmentAndOffsetFromLValue(ME->getBase(), Ctx);
14351     if (!P)
14352       break;
14353     const ASTRecordLayout &Layout = Ctx.getASTRecordLayout(FD->getParent());
14354     uint64_t Offset = Layout.getFieldOffset(FD->getFieldIndex());
14355     return std::make_pair(P->first,
14356                           P->second + CharUnits::fromQuantity(Offset));
14357   }
14358   case Stmt::UnaryOperatorClass: {
14359     auto *UO = cast<UnaryOperator>(E);
14360     switch (UO->getOpcode()) {
14361     default:
14362       break;
14363     case UO_Deref:
14364       return getBaseAlignmentAndOffsetFromPtr(UO->getSubExpr(), Ctx);
14365     }
14366     break;
14367   }
14368   case Stmt::BinaryOperatorClass: {
14369     auto *BO = cast<BinaryOperator>(E);
14370     auto Opcode = BO->getOpcode();
14371     switch (Opcode) {
14372     default:
14373       break;
14374     case BO_Comma:
14375       return getBaseAlignmentAndOffsetFromLValue(BO->getRHS(), Ctx);
14376     }
14377     break;
14378   }
14379   }
14380   return std::nullopt;
14381 }
14382 
14383 /// This helper function takes a pointer expression and returns the alignment of
14384 /// a VarDecl and a constant offset from the VarDecl.
14385 std::optional<std::pair<
14386     CharUnits, CharUnits>> static getBaseAlignmentAndOffsetFromPtr(const Expr
14387                                                                        *E,
14388                                                                    ASTContext
14389                                                                        &Ctx) {
14390   E = E->IgnoreParens();
14391   switch (E->getStmtClass()) {
14392   default:
14393     break;
14394   case Stmt::CStyleCastExprClass:
14395   case Stmt::CXXStaticCastExprClass:
14396   case Stmt::ImplicitCastExprClass: {
14397     auto *CE = cast<CastExpr>(E);
14398     const Expr *From = CE->getSubExpr();
14399     switch (CE->getCastKind()) {
14400     default:
14401       break;
14402     case CK_NoOp:
14403       return getBaseAlignmentAndOffsetFromPtr(From, Ctx);
14404     case CK_ArrayToPointerDecay:
14405       return getBaseAlignmentAndOffsetFromLValue(From, Ctx);
14406     case CK_UncheckedDerivedToBase:
14407     case CK_DerivedToBase: {
14408       auto P = getBaseAlignmentAndOffsetFromPtr(From, Ctx);
14409       if (!P)
14410         break;
14411       return getDerivedToBaseAlignmentAndOffset(
14412           CE, From->getType()->getPointeeType(), P->first, P->second, Ctx);
14413     }
14414     }
14415     break;
14416   }
14417   case Stmt::CXXThisExprClass: {
14418     auto *RD = E->getType()->getPointeeType()->getAsCXXRecordDecl();
14419     CharUnits Alignment = Ctx.getASTRecordLayout(RD).getNonVirtualAlignment();
14420     return std::make_pair(Alignment, CharUnits::Zero());
14421   }
14422   case Stmt::UnaryOperatorClass: {
14423     auto *UO = cast<UnaryOperator>(E);
14424     if (UO->getOpcode() == UO_AddrOf)
14425       return getBaseAlignmentAndOffsetFromLValue(UO->getSubExpr(), Ctx);
14426     break;
14427   }
14428   case Stmt::BinaryOperatorClass: {
14429     auto *BO = cast<BinaryOperator>(E);
14430     auto Opcode = BO->getOpcode();
14431     switch (Opcode) {
14432     default:
14433       break;
14434     case BO_Add:
14435     case BO_Sub: {
14436       const Expr *LHS = BO->getLHS(), *RHS = BO->getRHS();
14437       if (Opcode == BO_Add && !RHS->getType()->isIntegralOrEnumerationType())
14438         std::swap(LHS, RHS);
14439       return getAlignmentAndOffsetFromBinAddOrSub(LHS, RHS, Opcode == BO_Sub,
14440                                                   Ctx);
14441     }
14442     case BO_Comma:
14443       return getBaseAlignmentAndOffsetFromPtr(BO->getRHS(), Ctx);
14444     }
14445     break;
14446   }
14447   }
14448   return std::nullopt;
14449 }
14450 
14451 static CharUnits getPresumedAlignmentOfPointer(const Expr *E, Sema &S) {
14452   // See if we can compute the alignment of a VarDecl and an offset from it.
14453   std::optional<std::pair<CharUnits, CharUnits>> P =
14454       getBaseAlignmentAndOffsetFromPtr(E, S.Context);
14455 
14456   if (P)
14457     return P->first.alignmentAtOffset(P->second);
14458 
14459   // If that failed, return the type's alignment.
14460   return S.Context.getTypeAlignInChars(E->getType()->getPointeeType());
14461 }
14462 
14463 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) {
14464   // This is actually a lot of work to potentially be doing on every
14465   // cast; don't do it if we're ignoring -Wcast_align (as is the default).
14466   if (getDiagnostics().isIgnored(diag::warn_cast_align, TRange.getBegin()))
14467     return;
14468 
14469   // Ignore dependent types.
14470   if (T->isDependentType() || Op->getType()->isDependentType())
14471     return;
14472 
14473   // Require that the destination be a pointer type.
14474   const PointerType *DestPtr = T->getAs<PointerType>();
14475   if (!DestPtr) return;
14476 
14477   // If the destination has alignment 1, we're done.
14478   QualType DestPointee = DestPtr->getPointeeType();
14479   if (DestPointee->isIncompleteType()) return;
14480   CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee);
14481   if (DestAlign.isOne()) return;
14482 
14483   // Require that the source be a pointer type.
14484   const PointerType *SrcPtr = Op->getType()->getAs<PointerType>();
14485   if (!SrcPtr) return;
14486   QualType SrcPointee = SrcPtr->getPointeeType();
14487 
14488   // Explicitly allow casts from cv void*.  We already implicitly
14489   // allowed casts to cv void*, since they have alignment 1.
14490   // Also allow casts involving incomplete types, which implicitly
14491   // includes 'void'.
14492   if (SrcPointee->isIncompleteType()) return;
14493 
14494   CharUnits SrcAlign = getPresumedAlignmentOfPointer(Op, *this);
14495 
14496   if (SrcAlign >= DestAlign) return;
14497 
14498   Diag(TRange.getBegin(), diag::warn_cast_align)
14499     << Op->getType() << T
14500     << static_cast<unsigned>(SrcAlign.getQuantity())
14501     << static_cast<unsigned>(DestAlign.getQuantity())
14502     << TRange << Op->getSourceRange();
14503 }
14504 
14505 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
14506                             const ArraySubscriptExpr *ASE,
14507                             bool AllowOnePastEnd, bool IndexNegated) {
14508   // Already diagnosed by the constant evaluator.
14509   if (isConstantEvaluatedContext())
14510     return;
14511 
14512   IndexExpr = IndexExpr->IgnoreParenImpCasts();
14513   if (IndexExpr->isValueDependent())
14514     return;
14515 
14516   const Type *EffectiveType =
14517       BaseExpr->getType()->getPointeeOrArrayElementType();
14518   BaseExpr = BaseExpr->IgnoreParenCasts();
14519   const ConstantArrayType *ArrayTy =
14520       Context.getAsConstantArrayType(BaseExpr->getType());
14521 
14522   LangOptions::StrictFlexArraysLevelKind
14523     StrictFlexArraysLevel = getLangOpts().getStrictFlexArraysLevel();
14524 
14525   const Type *BaseType =
14526       ArrayTy == nullptr ? nullptr : ArrayTy->getElementType().getTypePtr();
14527   bool IsUnboundedArray =
14528       BaseType == nullptr || BaseExpr->isFlexibleArrayMemberLike(
14529                                  Context, StrictFlexArraysLevel,
14530                                  /*IgnoreTemplateOrMacroSubstitution=*/true);
14531   if (EffectiveType->isDependentType() ||
14532       (!IsUnboundedArray && BaseType->isDependentType()))
14533     return;
14534 
14535   Expr::EvalResult Result;
14536   if (!IndexExpr->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects))
14537     return;
14538 
14539   llvm::APSInt index = Result.Val.getInt();
14540   if (IndexNegated) {
14541     index.setIsUnsigned(false);
14542     index = -index;
14543   }
14544 
14545   if (IsUnboundedArray) {
14546     if (EffectiveType->isFunctionType())
14547       return;
14548     if (index.isUnsigned() || !index.isNegative()) {
14549       const auto &ASTC = getASTContext();
14550       unsigned AddrBits = ASTC.getTargetInfo().getPointerWidth(
14551           EffectiveType->getCanonicalTypeInternal().getAddressSpace());
14552       if (index.getBitWidth() < AddrBits)
14553         index = index.zext(AddrBits);
14554       std::optional<CharUnits> ElemCharUnits =
14555           ASTC.getTypeSizeInCharsIfKnown(EffectiveType);
14556       // PR50741 - If EffectiveType has unknown size (e.g., if it's a void
14557       // pointer) bounds-checking isn't meaningful.
14558       if (!ElemCharUnits || ElemCharUnits->isZero())
14559         return;
14560       llvm::APInt ElemBytes(index.getBitWidth(), ElemCharUnits->getQuantity());
14561       // If index has more active bits than address space, we already know
14562       // we have a bounds violation to warn about.  Otherwise, compute
14563       // address of (index + 1)th element, and warn about bounds violation
14564       // only if that address exceeds address space.
14565       if (index.getActiveBits() <= AddrBits) {
14566         bool Overflow;
14567         llvm::APInt Product(index);
14568         Product += 1;
14569         Product = Product.umul_ov(ElemBytes, Overflow);
14570         if (!Overflow && Product.getActiveBits() <= AddrBits)
14571           return;
14572       }
14573 
14574       // Need to compute max possible elements in address space, since that
14575       // is included in diag message.
14576       llvm::APInt MaxElems = llvm::APInt::getMaxValue(AddrBits);
14577       MaxElems = MaxElems.zext(std::max(AddrBits + 1, ElemBytes.getBitWidth()));
14578       MaxElems += 1;
14579       ElemBytes = ElemBytes.zextOrTrunc(MaxElems.getBitWidth());
14580       MaxElems = MaxElems.udiv(ElemBytes);
14581 
14582       unsigned DiagID =
14583           ASE ? diag::warn_array_index_exceeds_max_addressable_bounds
14584               : diag::warn_ptr_arith_exceeds_max_addressable_bounds;
14585 
14586       // Diag message shows element size in bits and in "bytes" (platform-
14587       // dependent CharUnits)
14588       DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
14589                           PDiag(DiagID)
14590                               << toString(index, 10, true) << AddrBits
14591                               << (unsigned)ASTC.toBits(*ElemCharUnits)
14592                               << toString(ElemBytes, 10, false)
14593                               << toString(MaxElems, 10, false)
14594                               << (unsigned)MaxElems.getLimitedValue(~0U)
14595                               << IndexExpr->getSourceRange());
14596 
14597       const NamedDecl *ND = nullptr;
14598       // Try harder to find a NamedDecl to point at in the note.
14599       while (const auto *ASE = dyn_cast<ArraySubscriptExpr>(BaseExpr))
14600         BaseExpr = ASE->getBase()->IgnoreParenCasts();
14601       if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
14602         ND = DRE->getDecl();
14603       if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
14604         ND = ME->getMemberDecl();
14605 
14606       if (ND)
14607         DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
14608                             PDiag(diag::note_array_declared_here) << ND);
14609     }
14610     return;
14611   }
14612 
14613   if (index.isUnsigned() || !index.isNegative()) {
14614     // It is possible that the type of the base expression after
14615     // IgnoreParenCasts is incomplete, even though the type of the base
14616     // expression before IgnoreParenCasts is complete (see PR39746 for an
14617     // example). In this case we have no information about whether the array
14618     // access exceeds the array bounds. However we can still diagnose an array
14619     // access which precedes the array bounds.
14620     if (BaseType->isIncompleteType())
14621       return;
14622 
14623     llvm::APInt size = ArrayTy->getSize();
14624 
14625     if (BaseType != EffectiveType) {
14626       // Make sure we're comparing apples to apples when comparing index to
14627       // size.
14628       uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType);
14629       uint64_t array_typesize = Context.getTypeSize(BaseType);
14630 
14631       // Handle ptrarith_typesize being zero, such as when casting to void*.
14632       // Use the size in bits (what "getTypeSize()" returns) rather than bytes.
14633       if (!ptrarith_typesize)
14634         ptrarith_typesize = Context.getCharWidth();
14635 
14636       if (ptrarith_typesize != array_typesize) {
14637         // There's a cast to a different size type involved.
14638         uint64_t ratio = array_typesize / ptrarith_typesize;
14639 
14640         // TODO: Be smarter about handling cases where array_typesize is not a
14641         // multiple of ptrarith_typesize.
14642         if (ptrarith_typesize * ratio == array_typesize)
14643           size *= llvm::APInt(size.getBitWidth(), ratio);
14644       }
14645     }
14646 
14647     if (size.getBitWidth() > index.getBitWidth())
14648       index = index.zext(size.getBitWidth());
14649     else if (size.getBitWidth() < index.getBitWidth())
14650       size = size.zext(index.getBitWidth());
14651 
14652     // For array subscripting the index must be less than size, but for pointer
14653     // arithmetic also allow the index (offset) to be equal to size since
14654     // computing the next address after the end of the array is legal and
14655     // commonly done e.g. in C++ iterators and range-based for loops.
14656     if (AllowOnePastEnd ? index.ule(size) : index.ult(size))
14657       return;
14658 
14659     // Suppress the warning if the subscript expression (as identified by the
14660     // ']' location) and the index expression are both from macro expansions
14661     // within a system header.
14662     if (ASE) {
14663       SourceLocation RBracketLoc = SourceMgr.getSpellingLoc(
14664           ASE->getRBracketLoc());
14665       if (SourceMgr.isInSystemHeader(RBracketLoc)) {
14666         SourceLocation IndexLoc =
14667             SourceMgr.getSpellingLoc(IndexExpr->getBeginLoc());
14668         if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc))
14669           return;
14670       }
14671     }
14672 
14673     unsigned DiagID = ASE ? diag::warn_array_index_exceeds_bounds
14674                           : diag::warn_ptr_arith_exceeds_bounds;
14675     unsigned CastMsg = (!ASE || BaseType == EffectiveType) ? 0 : 1;
14676     QualType CastMsgTy = ASE ? ASE->getLHS()->getType() : QualType();
14677 
14678     DiagRuntimeBehavior(
14679         BaseExpr->getBeginLoc(), BaseExpr,
14680         PDiag(DiagID) << toString(index, 10, true) << ArrayTy->desugar()
14681                       << CastMsg << CastMsgTy << IndexExpr->getSourceRange());
14682   } else {
14683     unsigned DiagID = diag::warn_array_index_precedes_bounds;
14684     if (!ASE) {
14685       DiagID = diag::warn_ptr_arith_precedes_bounds;
14686       if (index.isNegative()) index = -index;
14687     }
14688 
14689     DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
14690                         PDiag(DiagID) << toString(index, 10, true)
14691                                       << IndexExpr->getSourceRange());
14692   }
14693 
14694   const NamedDecl *ND = nullptr;
14695   // Try harder to find a NamedDecl to point at in the note.
14696   while (const auto *ASE = dyn_cast<ArraySubscriptExpr>(BaseExpr))
14697     BaseExpr = ASE->getBase()->IgnoreParenCasts();
14698   if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
14699     ND = DRE->getDecl();
14700   if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
14701     ND = ME->getMemberDecl();
14702 
14703   if (ND)
14704     DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
14705                         PDiag(diag::note_array_declared_here) << ND);
14706 }
14707 
14708 void Sema::CheckArrayAccess(const Expr *expr) {
14709   int AllowOnePastEnd = 0;
14710   while (expr) {
14711     expr = expr->IgnoreParenImpCasts();
14712     switch (expr->getStmtClass()) {
14713       case Stmt::ArraySubscriptExprClass: {
14714         const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr);
14715         CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE,
14716                          AllowOnePastEnd > 0);
14717         expr = ASE->getBase();
14718         break;
14719       }
14720       case Stmt::MemberExprClass: {
14721         expr = cast<MemberExpr>(expr)->getBase();
14722         break;
14723       }
14724       case Stmt::ArraySectionExprClass: {
14725         const ArraySectionExpr *ASE = cast<ArraySectionExpr>(expr);
14726         // FIXME: We should probably be checking all of the elements to the
14727         // 'length' here as well.
14728         if (ASE->getLowerBound())
14729           CheckArrayAccess(ASE->getBase(), ASE->getLowerBound(),
14730                            /*ASE=*/nullptr, AllowOnePastEnd > 0);
14731         return;
14732       }
14733       case Stmt::UnaryOperatorClass: {
14734         // Only unwrap the * and & unary operators
14735         const UnaryOperator *UO = cast<UnaryOperator>(expr);
14736         expr = UO->getSubExpr();
14737         switch (UO->getOpcode()) {
14738           case UO_AddrOf:
14739             AllowOnePastEnd++;
14740             break;
14741           case UO_Deref:
14742             AllowOnePastEnd--;
14743             break;
14744           default:
14745             return;
14746         }
14747         break;
14748       }
14749       case Stmt::ConditionalOperatorClass: {
14750         const ConditionalOperator *cond = cast<ConditionalOperator>(expr);
14751         if (const Expr *lhs = cond->getLHS())
14752           CheckArrayAccess(lhs);
14753         if (const Expr *rhs = cond->getRHS())
14754           CheckArrayAccess(rhs);
14755         return;
14756       }
14757       case Stmt::CXXOperatorCallExprClass: {
14758         const auto *OCE = cast<CXXOperatorCallExpr>(expr);
14759         for (const auto *Arg : OCE->arguments())
14760           CheckArrayAccess(Arg);
14761         return;
14762       }
14763       default:
14764         return;
14765     }
14766   }
14767 }
14768 
14769 static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc,
14770                                      Expr *RHS, bool isProperty) {
14771   // Check if RHS is an Objective-C object literal, which also can get
14772   // immediately zapped in a weak reference.  Note that we explicitly
14773   // allow ObjCStringLiterals, since those are designed to never really die.
14774   RHS = RHS->IgnoreParenImpCasts();
14775 
14776   // This enum needs to match with the 'select' in
14777   // warn_objc_arc_literal_assign (off-by-1).
14778   SemaObjC::ObjCLiteralKind Kind = S.ObjC().CheckLiteralKind(RHS);
14779   if (Kind == SemaObjC::LK_String || Kind == SemaObjC::LK_None)
14780     return false;
14781 
14782   S.Diag(Loc, diag::warn_arc_literal_assign)
14783     << (unsigned) Kind
14784     << (isProperty ? 0 : 1)
14785     << RHS->getSourceRange();
14786 
14787   return true;
14788 }
14789 
14790 static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc,
14791                                     Qualifiers::ObjCLifetime LT,
14792                                     Expr *RHS, bool isProperty) {
14793   // Strip off any implicit cast added to get to the one ARC-specific.
14794   while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) {
14795     if (cast->getCastKind() == CK_ARCConsumeObject) {
14796       S.Diag(Loc, diag::warn_arc_retained_assign)
14797         << (LT == Qualifiers::OCL_ExplicitNone)
14798         << (isProperty ? 0 : 1)
14799         << RHS->getSourceRange();
14800       return true;
14801     }
14802     RHS = cast->getSubExpr();
14803   }
14804 
14805   if (LT == Qualifiers::OCL_Weak &&
14806       checkUnsafeAssignLiteral(S, Loc, RHS, isProperty))
14807     return true;
14808 
14809   return false;
14810 }
14811 
14812 bool Sema::checkUnsafeAssigns(SourceLocation Loc,
14813                               QualType LHS, Expr *RHS) {
14814   Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime();
14815 
14816   if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone)
14817     return false;
14818 
14819   if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false))
14820     return true;
14821 
14822   return false;
14823 }
14824 
14825 void Sema::checkUnsafeExprAssigns(SourceLocation Loc,
14826                               Expr *LHS, Expr *RHS) {
14827   QualType LHSType;
14828   // PropertyRef on LHS type need be directly obtained from
14829   // its declaration as it has a PseudoType.
14830   ObjCPropertyRefExpr *PRE
14831     = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens());
14832   if (PRE && !PRE->isImplicitProperty()) {
14833     const ObjCPropertyDecl *PD = PRE->getExplicitProperty();
14834     if (PD)
14835       LHSType = PD->getType();
14836   }
14837 
14838   if (LHSType.isNull())
14839     LHSType = LHS->getType();
14840 
14841   Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime();
14842 
14843   if (LT == Qualifiers::OCL_Weak) {
14844     if (!Diags.isIgnored(diag::warn_arc_repeated_use_of_weak, Loc))
14845       getCurFunction()->markSafeWeakUse(LHS);
14846   }
14847 
14848   if (checkUnsafeAssigns(Loc, LHSType, RHS))
14849     return;
14850 
14851   // FIXME. Check for other life times.
14852   if (LT != Qualifiers::OCL_None)
14853     return;
14854 
14855   if (PRE) {
14856     if (PRE->isImplicitProperty())
14857       return;
14858     const ObjCPropertyDecl *PD = PRE->getExplicitProperty();
14859     if (!PD)
14860       return;
14861 
14862     unsigned Attributes = PD->getPropertyAttributes();
14863     if (Attributes & ObjCPropertyAttribute::kind_assign) {
14864       // when 'assign' attribute was not explicitly specified
14865       // by user, ignore it and rely on property type itself
14866       // for lifetime info.
14867       unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten();
14868       if (!(AsWrittenAttr & ObjCPropertyAttribute::kind_assign) &&
14869           LHSType->isObjCRetainableType())
14870         return;
14871 
14872       while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) {
14873         if (cast->getCastKind() == CK_ARCConsumeObject) {
14874           Diag(Loc, diag::warn_arc_retained_property_assign)
14875           << RHS->getSourceRange();
14876           return;
14877         }
14878         RHS = cast->getSubExpr();
14879       }
14880     } else if (Attributes & ObjCPropertyAttribute::kind_weak) {
14881       if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true))
14882         return;
14883     }
14884   }
14885 }
14886 
14887 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===//
14888 
14889 static bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr,
14890                                         SourceLocation StmtLoc,
14891                                         const NullStmt *Body) {
14892   // Do not warn if the body is a macro that expands to nothing, e.g:
14893   //
14894   // #define CALL(x)
14895   // if (condition)
14896   //   CALL(0);
14897   if (Body->hasLeadingEmptyMacro())
14898     return false;
14899 
14900   // Get line numbers of statement and body.
14901   bool StmtLineInvalid;
14902   unsigned StmtLine = SourceMgr.getPresumedLineNumber(StmtLoc,
14903                                                       &StmtLineInvalid);
14904   if (StmtLineInvalid)
14905     return false;
14906 
14907   bool BodyLineInvalid;
14908   unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(),
14909                                                       &BodyLineInvalid);
14910   if (BodyLineInvalid)
14911     return false;
14912 
14913   // Warn if null statement and body are on the same line.
14914   if (StmtLine != BodyLine)
14915     return false;
14916 
14917   return true;
14918 }
14919 
14920 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc,
14921                                  const Stmt *Body,
14922                                  unsigned DiagID) {
14923   // Since this is a syntactic check, don't emit diagnostic for template
14924   // instantiations, this just adds noise.
14925   if (CurrentInstantiationScope)
14926     return;
14927 
14928   // The body should be a null statement.
14929   const NullStmt *NBody = dyn_cast<NullStmt>(Body);
14930   if (!NBody)
14931     return;
14932 
14933   // Do the usual checks.
14934   if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody))
14935     return;
14936 
14937   Diag(NBody->getSemiLoc(), DiagID);
14938   Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line);
14939 }
14940 
14941 void Sema::DiagnoseEmptyLoopBody(const Stmt *S,
14942                                  const Stmt *PossibleBody) {
14943   assert(!CurrentInstantiationScope); // Ensured by caller
14944 
14945   SourceLocation StmtLoc;
14946   const Stmt *Body;
14947   unsigned DiagID;
14948   if (const ForStmt *FS = dyn_cast<ForStmt>(S)) {
14949     StmtLoc = FS->getRParenLoc();
14950     Body = FS->getBody();
14951     DiagID = diag::warn_empty_for_body;
14952   } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) {
14953     StmtLoc = WS->getRParenLoc();
14954     Body = WS->getBody();
14955     DiagID = diag::warn_empty_while_body;
14956   } else
14957     return; // Neither `for' nor `while'.
14958 
14959   // The body should be a null statement.
14960   const NullStmt *NBody = dyn_cast<NullStmt>(Body);
14961   if (!NBody)
14962     return;
14963 
14964   // Skip expensive checks if diagnostic is disabled.
14965   if (Diags.isIgnored(DiagID, NBody->getSemiLoc()))
14966     return;
14967 
14968   // Do the usual checks.
14969   if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody))
14970     return;
14971 
14972   // `for(...);' and `while(...);' are popular idioms, so in order to keep
14973   // noise level low, emit diagnostics only if for/while is followed by a
14974   // CompoundStmt, e.g.:
14975   //    for (int i = 0; i < n; i++);
14976   //    {
14977   //      a(i);
14978   //    }
14979   // or if for/while is followed by a statement with more indentation
14980   // than for/while itself:
14981   //    for (int i = 0; i < n; i++);
14982   //      a(i);
14983   bool ProbableTypo = isa<CompoundStmt>(PossibleBody);
14984   if (!ProbableTypo) {
14985     bool BodyColInvalid;
14986     unsigned BodyCol = SourceMgr.getPresumedColumnNumber(
14987         PossibleBody->getBeginLoc(), &BodyColInvalid);
14988     if (BodyColInvalid)
14989       return;
14990 
14991     bool StmtColInvalid;
14992     unsigned StmtCol =
14993         SourceMgr.getPresumedColumnNumber(S->getBeginLoc(), &StmtColInvalid);
14994     if (StmtColInvalid)
14995       return;
14996 
14997     if (BodyCol > StmtCol)
14998       ProbableTypo = true;
14999   }
15000 
15001   if (ProbableTypo) {
15002     Diag(NBody->getSemiLoc(), DiagID);
15003     Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line);
15004   }
15005 }
15006 
15007 //===--- CHECK: Warn on self move with std::move. -------------------------===//
15008 
15009 void Sema::DiagnoseSelfMove(const Expr *LHSExpr, const Expr *RHSExpr,
15010                              SourceLocation OpLoc) {
15011   if (Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess, OpLoc))
15012     return;
15013 
15014   if (inTemplateInstantiation())
15015     return;
15016 
15017   // Strip parens and casts away.
15018   LHSExpr = LHSExpr->IgnoreParenImpCasts();
15019   RHSExpr = RHSExpr->IgnoreParenImpCasts();
15020 
15021   // Check for a call to std::move or for a static_cast<T&&>(..) to an xvalue
15022   // which we can treat as an inlined std::move
15023   if (const auto *CE = dyn_cast<CallExpr>(RHSExpr);
15024       CE && CE->getNumArgs() == 1 && CE->isCallToStdMove())
15025     RHSExpr = CE->getArg(0);
15026   else if (const auto *CXXSCE = dyn_cast<CXXStaticCastExpr>(RHSExpr);
15027            CXXSCE && CXXSCE->isXValue())
15028     RHSExpr = CXXSCE->getSubExpr();
15029   else
15030     return;
15031 
15032   const DeclRefExpr *LHSDeclRef = dyn_cast<DeclRefExpr>(LHSExpr);
15033   const DeclRefExpr *RHSDeclRef = dyn_cast<DeclRefExpr>(RHSExpr);
15034 
15035   // Two DeclRefExpr's, check that the decls are the same.
15036   if (LHSDeclRef && RHSDeclRef) {
15037     if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl())
15038       return;
15039     if (LHSDeclRef->getDecl()->getCanonicalDecl() !=
15040         RHSDeclRef->getDecl()->getCanonicalDecl())
15041       return;
15042 
15043     auto D = Diag(OpLoc, diag::warn_self_move)
15044              << LHSExpr->getType() << LHSExpr->getSourceRange()
15045              << RHSExpr->getSourceRange();
15046     if (const FieldDecl *F =
15047             getSelfAssignmentClassMemberCandidate(RHSDeclRef->getDecl()))
15048       D << 1 << F
15049         << FixItHint::CreateInsertion(LHSDeclRef->getBeginLoc(), "this->");
15050     else
15051       D << 0;
15052     return;
15053   }
15054 
15055   // Member variables require a different approach to check for self moves.
15056   // MemberExpr's are the same if every nested MemberExpr refers to the same
15057   // Decl and that the base Expr's are DeclRefExpr's with the same Decl or
15058   // the base Expr's are CXXThisExpr's.
15059   const Expr *LHSBase = LHSExpr;
15060   const Expr *RHSBase = RHSExpr;
15061   const MemberExpr *LHSME = dyn_cast<MemberExpr>(LHSExpr);
15062   const MemberExpr *RHSME = dyn_cast<MemberExpr>(RHSExpr);
15063   if (!LHSME || !RHSME)
15064     return;
15065 
15066   while (LHSME && RHSME) {
15067     if (LHSME->getMemberDecl()->getCanonicalDecl() !=
15068         RHSME->getMemberDecl()->getCanonicalDecl())
15069       return;
15070 
15071     LHSBase = LHSME->getBase();
15072     RHSBase = RHSME->getBase();
15073     LHSME = dyn_cast<MemberExpr>(LHSBase);
15074     RHSME = dyn_cast<MemberExpr>(RHSBase);
15075   }
15076 
15077   LHSDeclRef = dyn_cast<DeclRefExpr>(LHSBase);
15078   RHSDeclRef = dyn_cast<DeclRefExpr>(RHSBase);
15079   if (LHSDeclRef && RHSDeclRef) {
15080     if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl())
15081       return;
15082     if (LHSDeclRef->getDecl()->getCanonicalDecl() !=
15083         RHSDeclRef->getDecl()->getCanonicalDecl())
15084       return;
15085 
15086     Diag(OpLoc, diag::warn_self_move)
15087         << LHSExpr->getType() << 0 << LHSExpr->getSourceRange()
15088         << RHSExpr->getSourceRange();
15089     return;
15090   }
15091 
15092   if (isa<CXXThisExpr>(LHSBase) && isa<CXXThisExpr>(RHSBase))
15093     Diag(OpLoc, diag::warn_self_move)
15094         << LHSExpr->getType() << 0 << LHSExpr->getSourceRange()
15095         << RHSExpr->getSourceRange();
15096 }
15097 
15098 //===--- Layout compatibility ----------------------------------------------//
15099 
15100 static bool isLayoutCompatible(const ASTContext &C, QualType T1, QualType T2);
15101 
15102 /// Check if two enumeration types are layout-compatible.
15103 static bool isLayoutCompatible(const ASTContext &C, const EnumDecl *ED1,
15104                                const EnumDecl *ED2) {
15105   // C++11 [dcl.enum] p8:
15106   // Two enumeration types are layout-compatible if they have the same
15107   // underlying type.
15108   return ED1->isComplete() && ED2->isComplete() &&
15109          C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType());
15110 }
15111 
15112 /// Check if two fields are layout-compatible.
15113 /// Can be used on union members, which are exempt from alignment requirement
15114 /// of common initial sequence.
15115 static bool isLayoutCompatible(const ASTContext &C, const FieldDecl *Field1,
15116                                const FieldDecl *Field2,
15117                                bool AreUnionMembers = false) {
15118   [[maybe_unused]] const Type *Field1Parent =
15119       Field1->getParent()->getTypeForDecl();
15120   [[maybe_unused]] const Type *Field2Parent =
15121       Field2->getParent()->getTypeForDecl();
15122   assert(((Field1Parent->isStructureOrClassType() &&
15123            Field2Parent->isStructureOrClassType()) ||
15124           (Field1Parent->isUnionType() && Field2Parent->isUnionType())) &&
15125          "Can't evaluate layout compatibility between a struct field and a "
15126          "union field.");
15127   assert(((!AreUnionMembers && Field1Parent->isStructureOrClassType()) ||
15128           (AreUnionMembers && Field1Parent->isUnionType())) &&
15129          "AreUnionMembers should be 'true' for union fields (only).");
15130 
15131   if (!isLayoutCompatible(C, Field1->getType(), Field2->getType()))
15132     return false;
15133 
15134   if (Field1->isBitField() != Field2->isBitField())
15135     return false;
15136 
15137   if (Field1->isBitField()) {
15138     // Make sure that the bit-fields are the same length.
15139     unsigned Bits1 = Field1->getBitWidthValue();
15140     unsigned Bits2 = Field2->getBitWidthValue();
15141 
15142     if (Bits1 != Bits2)
15143       return false;
15144   }
15145 
15146   if (Field1->hasAttr<clang::NoUniqueAddressAttr>() ||
15147       Field2->hasAttr<clang::NoUniqueAddressAttr>())
15148     return false;
15149 
15150   if (!AreUnionMembers &&
15151       Field1->getMaxAlignment() != Field2->getMaxAlignment())
15152     return false;
15153 
15154   return true;
15155 }
15156 
15157 /// Check if two standard-layout structs are layout-compatible.
15158 /// (C++11 [class.mem] p17)
15159 static bool isLayoutCompatibleStruct(const ASTContext &C, const RecordDecl *RD1,
15160                                      const RecordDecl *RD2) {
15161   // Get to the class where the fields are declared
15162   if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1))
15163     RD1 = D1CXX->getStandardLayoutBaseWithFields();
15164 
15165   if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2))
15166     RD2 = D2CXX->getStandardLayoutBaseWithFields();
15167 
15168   // Check the fields.
15169   return llvm::equal(RD1->fields(), RD2->fields(),
15170                      [&C](const FieldDecl *F1, const FieldDecl *F2) -> bool {
15171                        return isLayoutCompatible(C, F1, F2);
15172                      });
15173 }
15174 
15175 /// Check if two standard-layout unions are layout-compatible.
15176 /// (C++11 [class.mem] p18)
15177 static bool isLayoutCompatibleUnion(const ASTContext &C, const RecordDecl *RD1,
15178                                     const RecordDecl *RD2) {
15179   llvm::SmallPtrSet<const FieldDecl *, 8> UnmatchedFields(llvm::from_range,
15180                                                           RD2->fields());
15181 
15182   for (auto *Field1 : RD1->fields()) {
15183     auto I = UnmatchedFields.begin();
15184     auto E = UnmatchedFields.end();
15185 
15186     for ( ; I != E; ++I) {
15187       if (isLayoutCompatible(C, Field1, *I, /*IsUnionMember=*/true)) {
15188         bool Result = UnmatchedFields.erase(*I);
15189         (void) Result;
15190         assert(Result);
15191         break;
15192       }
15193     }
15194     if (I == E)
15195       return false;
15196   }
15197 
15198   return UnmatchedFields.empty();
15199 }
15200 
15201 static bool isLayoutCompatible(const ASTContext &C, const RecordDecl *RD1,
15202                                const RecordDecl *RD2) {
15203   if (RD1->isUnion() != RD2->isUnion())
15204     return false;
15205 
15206   if (RD1->isUnion())
15207     return isLayoutCompatibleUnion(C, RD1, RD2);
15208   else
15209     return isLayoutCompatibleStruct(C, RD1, RD2);
15210 }
15211 
15212 /// Check if two types are layout-compatible in C++11 sense.
15213 static bool isLayoutCompatible(const ASTContext &C, QualType T1, QualType T2) {
15214   if (T1.isNull() || T2.isNull())
15215     return false;
15216 
15217   // C++20 [basic.types] p11:
15218   // Two types cv1 T1 and cv2 T2 are layout-compatible types
15219   // if T1 and T2 are the same type, layout-compatible enumerations (9.7.1),
15220   // or layout-compatible standard-layout class types (11.4).
15221   T1 = T1.getCanonicalType().getUnqualifiedType();
15222   T2 = T2.getCanonicalType().getUnqualifiedType();
15223 
15224   if (C.hasSameType(T1, T2))
15225     return true;
15226 
15227   const Type::TypeClass TC1 = T1->getTypeClass();
15228   const Type::TypeClass TC2 = T2->getTypeClass();
15229 
15230   if (TC1 != TC2)
15231     return false;
15232 
15233   if (TC1 == Type::Enum) {
15234     return isLayoutCompatible(C,
15235                               cast<EnumType>(T1)->getDecl(),
15236                               cast<EnumType>(T2)->getDecl());
15237   } else if (TC1 == Type::Record) {
15238     if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType())
15239       return false;
15240 
15241     return isLayoutCompatible(C,
15242                               cast<RecordType>(T1)->getDecl(),
15243                               cast<RecordType>(T2)->getDecl());
15244   }
15245 
15246   return false;
15247 }
15248 
15249 bool Sema::IsLayoutCompatible(QualType T1, QualType T2) const {
15250   return isLayoutCompatible(getASTContext(), T1, T2);
15251 }
15252 
15253 //===-------------- Pointer interconvertibility ----------------------------//
15254 
15255 bool Sema::IsPointerInterconvertibleBaseOf(const TypeSourceInfo *Base,
15256                                            const TypeSourceInfo *Derived) {
15257   QualType BaseT = Base->getType()->getCanonicalTypeUnqualified();
15258   QualType DerivedT = Derived->getType()->getCanonicalTypeUnqualified();
15259 
15260   if (BaseT->isStructureOrClassType() && DerivedT->isStructureOrClassType() &&
15261       getASTContext().hasSameType(BaseT, DerivedT))
15262     return true;
15263 
15264   if (!IsDerivedFrom(Derived->getTypeLoc().getBeginLoc(), DerivedT, BaseT))
15265     return false;
15266 
15267   // Per [basic.compound]/4.3, containing object has to be standard-layout.
15268   if (DerivedT->getAsCXXRecordDecl()->isStandardLayout())
15269     return true;
15270 
15271   return false;
15272 }
15273 
15274 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----//
15275 
15276 /// Given a type tag expression find the type tag itself.
15277 ///
15278 /// \param TypeExpr Type tag expression, as it appears in user's code.
15279 ///
15280 /// \param VD Declaration of an identifier that appears in a type tag.
15281 ///
15282 /// \param MagicValue Type tag magic value.
15283 ///
15284 /// \param isConstantEvaluated whether the evalaution should be performed in
15285 
15286 /// constant context.
15287 static bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx,
15288                             const ValueDecl **VD, uint64_t *MagicValue,
15289                             bool isConstantEvaluated) {
15290   while(true) {
15291     if (!TypeExpr)
15292       return false;
15293 
15294     TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts();
15295 
15296     switch (TypeExpr->getStmtClass()) {
15297     case Stmt::UnaryOperatorClass: {
15298       const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr);
15299       if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) {
15300         TypeExpr = UO->getSubExpr();
15301         continue;
15302       }
15303       return false;
15304     }
15305 
15306     case Stmt::DeclRefExprClass: {
15307       const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr);
15308       *VD = DRE->getDecl();
15309       return true;
15310     }
15311 
15312     case Stmt::IntegerLiteralClass: {
15313       const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr);
15314       llvm::APInt MagicValueAPInt = IL->getValue();
15315       if (MagicValueAPInt.getActiveBits() <= 64) {
15316         *MagicValue = MagicValueAPInt.getZExtValue();
15317         return true;
15318       } else
15319         return false;
15320     }
15321 
15322     case Stmt::BinaryConditionalOperatorClass:
15323     case Stmt::ConditionalOperatorClass: {
15324       const AbstractConditionalOperator *ACO =
15325           cast<AbstractConditionalOperator>(TypeExpr);
15326       bool Result;
15327       if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx,
15328                                                      isConstantEvaluated)) {
15329         if (Result)
15330           TypeExpr = ACO->getTrueExpr();
15331         else
15332           TypeExpr = ACO->getFalseExpr();
15333         continue;
15334       }
15335       return false;
15336     }
15337 
15338     case Stmt::BinaryOperatorClass: {
15339       const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr);
15340       if (BO->getOpcode() == BO_Comma) {
15341         TypeExpr = BO->getRHS();
15342         continue;
15343       }
15344       return false;
15345     }
15346 
15347     default:
15348       return false;
15349     }
15350   }
15351 }
15352 
15353 /// Retrieve the C type corresponding to type tag TypeExpr.
15354 ///
15355 /// \param TypeExpr Expression that specifies a type tag.
15356 ///
15357 /// \param MagicValues Registered magic values.
15358 ///
15359 /// \param FoundWrongKind Set to true if a type tag was found, but of a wrong
15360 ///        kind.
15361 ///
15362 /// \param TypeInfo Information about the corresponding C type.
15363 ///
15364 /// \param isConstantEvaluated whether the evalaution should be performed in
15365 /// constant context.
15366 ///
15367 /// \returns true if the corresponding C type was found.
15368 static bool GetMatchingCType(
15369     const IdentifierInfo *ArgumentKind, const Expr *TypeExpr,
15370     const ASTContext &Ctx,
15371     const llvm::DenseMap<Sema::TypeTagMagicValue, Sema::TypeTagData>
15372         *MagicValues,
15373     bool &FoundWrongKind, Sema::TypeTagData &TypeInfo,
15374     bool isConstantEvaluated) {
15375   FoundWrongKind = false;
15376 
15377   // Variable declaration that has type_tag_for_datatype attribute.
15378   const ValueDecl *VD = nullptr;
15379 
15380   uint64_t MagicValue;
15381 
15382   if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue, isConstantEvaluated))
15383     return false;
15384 
15385   if (VD) {
15386     if (TypeTagForDatatypeAttr *I = VD->getAttr<TypeTagForDatatypeAttr>()) {
15387       if (I->getArgumentKind() != ArgumentKind) {
15388         FoundWrongKind = true;
15389         return false;
15390       }
15391       TypeInfo.Type = I->getMatchingCType();
15392       TypeInfo.LayoutCompatible = I->getLayoutCompatible();
15393       TypeInfo.MustBeNull = I->getMustBeNull();
15394       return true;
15395     }
15396     return false;
15397   }
15398 
15399   if (!MagicValues)
15400     return false;
15401 
15402   llvm::DenseMap<Sema::TypeTagMagicValue,
15403                  Sema::TypeTagData>::const_iterator I =
15404       MagicValues->find(std::make_pair(ArgumentKind, MagicValue));
15405   if (I == MagicValues->end())
15406     return false;
15407 
15408   TypeInfo = I->second;
15409   return true;
15410 }
15411 
15412 void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind,
15413                                       uint64_t MagicValue, QualType Type,
15414                                       bool LayoutCompatible,
15415                                       bool MustBeNull) {
15416   if (!TypeTagForDatatypeMagicValues)
15417     TypeTagForDatatypeMagicValues.reset(
15418         new llvm::DenseMap<TypeTagMagicValue, TypeTagData>);
15419 
15420   TypeTagMagicValue Magic(ArgumentKind, MagicValue);
15421   (*TypeTagForDatatypeMagicValues)[Magic] =
15422       TypeTagData(Type, LayoutCompatible, MustBeNull);
15423 }
15424 
15425 static bool IsSameCharType(QualType T1, QualType T2) {
15426   const BuiltinType *BT1 = T1->getAs<BuiltinType>();
15427   if (!BT1)
15428     return false;
15429 
15430   const BuiltinType *BT2 = T2->getAs<BuiltinType>();
15431   if (!BT2)
15432     return false;
15433 
15434   BuiltinType::Kind T1Kind = BT1->getKind();
15435   BuiltinType::Kind T2Kind = BT2->getKind();
15436 
15437   return (T1Kind == BuiltinType::SChar  && T2Kind == BuiltinType::Char_S) ||
15438          (T1Kind == BuiltinType::UChar  && T2Kind == BuiltinType::Char_U) ||
15439          (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) ||
15440          (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar);
15441 }
15442 
15443 void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
15444                                     const ArrayRef<const Expr *> ExprArgs,
15445                                     SourceLocation CallSiteLoc) {
15446   const IdentifierInfo *ArgumentKind = Attr->getArgumentKind();
15447   bool IsPointerAttr = Attr->getIsPointer();
15448 
15449   // Retrieve the argument representing the 'type_tag'.
15450   unsigned TypeTagIdxAST = Attr->getTypeTagIdx().getASTIndex();
15451   if (TypeTagIdxAST >= ExprArgs.size()) {
15452     Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
15453         << 0 << Attr->getTypeTagIdx().getSourceIndex();
15454     return;
15455   }
15456   const Expr *TypeTagExpr = ExprArgs[TypeTagIdxAST];
15457   bool FoundWrongKind;
15458   TypeTagData TypeInfo;
15459   if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context,
15460                         TypeTagForDatatypeMagicValues.get(), FoundWrongKind,
15461                         TypeInfo, isConstantEvaluatedContext())) {
15462     if (FoundWrongKind)
15463       Diag(TypeTagExpr->getExprLoc(),
15464            diag::warn_type_tag_for_datatype_wrong_kind)
15465         << TypeTagExpr->getSourceRange();
15466     return;
15467   }
15468 
15469   // Retrieve the argument representing the 'arg_idx'.
15470   unsigned ArgumentIdxAST = Attr->getArgumentIdx().getASTIndex();
15471   if (ArgumentIdxAST >= ExprArgs.size()) {
15472     Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
15473         << 1 << Attr->getArgumentIdx().getSourceIndex();
15474     return;
15475   }
15476   const Expr *ArgumentExpr = ExprArgs[ArgumentIdxAST];
15477   if (IsPointerAttr) {
15478     // Skip implicit cast of pointer to `void *' (as a function argument).
15479     if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr))
15480       if (ICE->getType()->isVoidPointerType() &&
15481           ICE->getCastKind() == CK_BitCast)
15482         ArgumentExpr = ICE->getSubExpr();
15483   }
15484   QualType ArgumentType = ArgumentExpr->getType();
15485 
15486   // Passing a `void*' pointer shouldn't trigger a warning.
15487   if (IsPointerAttr && ArgumentType->isVoidPointerType())
15488     return;
15489 
15490   if (TypeInfo.MustBeNull) {
15491     // Type tag with matching void type requires a null pointer.
15492     if (!ArgumentExpr->isNullPointerConstant(Context,
15493                                              Expr::NPC_ValueDependentIsNotNull)) {
15494       Diag(ArgumentExpr->getExprLoc(),
15495            diag::warn_type_safety_null_pointer_required)
15496           << ArgumentKind->getName()
15497           << ArgumentExpr->getSourceRange()
15498           << TypeTagExpr->getSourceRange();
15499     }
15500     return;
15501   }
15502 
15503   QualType RequiredType = TypeInfo.Type;
15504   if (IsPointerAttr)
15505     RequiredType = Context.getPointerType(RequiredType);
15506 
15507   bool mismatch = false;
15508   if (!TypeInfo.LayoutCompatible) {
15509     mismatch = !Context.hasSameType(ArgumentType, RequiredType);
15510 
15511     // C++11 [basic.fundamental] p1:
15512     // Plain char, signed char, and unsigned char are three distinct types.
15513     //
15514     // But we treat plain `char' as equivalent to `signed char' or `unsigned
15515     // char' depending on the current char signedness mode.
15516     if (mismatch)
15517       if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(),
15518                                            RequiredType->getPointeeType())) ||
15519           (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType)))
15520         mismatch = false;
15521   } else
15522     if (IsPointerAttr)
15523       mismatch = !isLayoutCompatible(Context,
15524                                      ArgumentType->getPointeeType(),
15525                                      RequiredType->getPointeeType());
15526     else
15527       mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType);
15528 
15529   if (mismatch)
15530     Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch)
15531         << ArgumentType << ArgumentKind
15532         << TypeInfo.LayoutCompatible << RequiredType
15533         << ArgumentExpr->getSourceRange()
15534         << TypeTagExpr->getSourceRange();
15535 }
15536 
15537 void Sema::AddPotentialMisalignedMembers(Expr *E, RecordDecl *RD, ValueDecl *MD,
15538                                          CharUnits Alignment) {
15539   MisalignedMembers.emplace_back(E, RD, MD, Alignment);
15540 }
15541 
15542 void Sema::DiagnoseMisalignedMembers() {
15543   for (MisalignedMember &m : MisalignedMembers) {
15544     const NamedDecl *ND = m.RD;
15545     if (ND->getName().empty()) {
15546       if (const TypedefNameDecl *TD = m.RD->getTypedefNameForAnonDecl())
15547         ND = TD;
15548     }
15549     Diag(m.E->getBeginLoc(), diag::warn_taking_address_of_packed_member)
15550         << m.MD << ND << m.E->getSourceRange();
15551   }
15552   MisalignedMembers.clear();
15553 }
15554 
15555 void Sema::DiscardMisalignedMemberAddress(const Type *T, Expr *E) {
15556   E = E->IgnoreParens();
15557   if (!T->isPointerType() && !T->isIntegerType() && !T->isDependentType())
15558     return;
15559   if (isa<UnaryOperator>(E) &&
15560       cast<UnaryOperator>(E)->getOpcode() == UO_AddrOf) {
15561     auto *Op = cast<UnaryOperator>(E)->getSubExpr()->IgnoreParens();
15562     if (isa<MemberExpr>(Op)) {
15563       auto *MA = llvm::find(MisalignedMembers, MisalignedMember(Op));
15564       if (MA != MisalignedMembers.end() &&
15565           (T->isDependentType() || T->isIntegerType() ||
15566            (T->isPointerType() && (T->getPointeeType()->isIncompleteType() ||
15567                                    Context.getTypeAlignInChars(
15568                                        T->getPointeeType()) <= MA->Alignment))))
15569         MisalignedMembers.erase(MA);
15570     }
15571   }
15572 }
15573 
15574 void Sema::RefersToMemberWithReducedAlignment(
15575     Expr *E,
15576     llvm::function_ref<void(Expr *, RecordDecl *, FieldDecl *, CharUnits)>
15577         Action) {
15578   const auto *ME = dyn_cast<MemberExpr>(E);
15579   if (!ME)
15580     return;
15581 
15582   // No need to check expressions with an __unaligned-qualified type.
15583   if (E->getType().getQualifiers().hasUnaligned())
15584     return;
15585 
15586   // For a chain of MemberExpr like "a.b.c.d" this list
15587   // will keep FieldDecl's like [d, c, b].
15588   SmallVector<FieldDecl *, 4> ReverseMemberChain;
15589   const MemberExpr *TopME = nullptr;
15590   bool AnyIsPacked = false;
15591   do {
15592     QualType BaseType = ME->getBase()->getType();
15593     if (BaseType->isDependentType())
15594       return;
15595     if (ME->isArrow())
15596       BaseType = BaseType->getPointeeType();
15597     RecordDecl *RD = BaseType->castAs<RecordType>()->getDecl();
15598     if (RD->isInvalidDecl())
15599       return;
15600 
15601     ValueDecl *MD = ME->getMemberDecl();
15602     auto *FD = dyn_cast<FieldDecl>(MD);
15603     // We do not care about non-data members.
15604     if (!FD || FD->isInvalidDecl())
15605       return;
15606 
15607     AnyIsPacked =
15608         AnyIsPacked || (RD->hasAttr<PackedAttr>() || MD->hasAttr<PackedAttr>());
15609     ReverseMemberChain.push_back(FD);
15610 
15611     TopME = ME;
15612     ME = dyn_cast<MemberExpr>(ME->getBase()->IgnoreParens());
15613   } while (ME);
15614   assert(TopME && "We did not compute a topmost MemberExpr!");
15615 
15616   // Not the scope of this diagnostic.
15617   if (!AnyIsPacked)
15618     return;
15619 
15620   const Expr *TopBase = TopME->getBase()->IgnoreParenImpCasts();
15621   const auto *DRE = dyn_cast<DeclRefExpr>(TopBase);
15622   // TODO: The innermost base of the member expression may be too complicated.
15623   // For now, just disregard these cases. This is left for future
15624   // improvement.
15625   if (!DRE && !isa<CXXThisExpr>(TopBase))
15626       return;
15627 
15628   // Alignment expected by the whole expression.
15629   CharUnits ExpectedAlignment = Context.getTypeAlignInChars(E->getType());
15630 
15631   // No need to do anything else with this case.
15632   if (ExpectedAlignment.isOne())
15633     return;
15634 
15635   // Synthesize offset of the whole access.
15636   CharUnits Offset;
15637   for (const FieldDecl *FD : llvm::reverse(ReverseMemberChain))
15638     Offset += Context.toCharUnitsFromBits(Context.getFieldOffset(FD));
15639 
15640   // Compute the CompleteObjectAlignment as the alignment of the whole chain.
15641   CharUnits CompleteObjectAlignment = Context.getTypeAlignInChars(
15642       ReverseMemberChain.back()->getParent()->getTypeForDecl());
15643 
15644   // The base expression of the innermost MemberExpr may give
15645   // stronger guarantees than the class containing the member.
15646   if (DRE && !TopME->isArrow()) {
15647     const ValueDecl *VD = DRE->getDecl();
15648     if (!VD->getType()->isReferenceType())
15649       CompleteObjectAlignment =
15650           std::max(CompleteObjectAlignment, Context.getDeclAlign(VD));
15651   }
15652 
15653   // Check if the synthesized offset fulfills the alignment.
15654   if (Offset % ExpectedAlignment != 0 ||
15655       // It may fulfill the offset it but the effective alignment may still be
15656       // lower than the expected expression alignment.
15657       CompleteObjectAlignment < ExpectedAlignment) {
15658     // If this happens, we want to determine a sensible culprit of this.
15659     // Intuitively, watching the chain of member expressions from right to
15660     // left, we start with the required alignment (as required by the field
15661     // type) but some packed attribute in that chain has reduced the alignment.
15662     // It may happen that another packed structure increases it again. But if
15663     // we are here such increase has not been enough. So pointing the first
15664     // FieldDecl that either is packed or else its RecordDecl is,
15665     // seems reasonable.
15666     FieldDecl *FD = nullptr;
15667     CharUnits Alignment;
15668     for (FieldDecl *FDI : ReverseMemberChain) {
15669       if (FDI->hasAttr<PackedAttr>() ||
15670           FDI->getParent()->hasAttr<PackedAttr>()) {
15671         FD = FDI;
15672         Alignment = std::min(
15673             Context.getTypeAlignInChars(FD->getType()),
15674             Context.getTypeAlignInChars(FD->getParent()->getTypeForDecl()));
15675         break;
15676       }
15677     }
15678     assert(FD && "We did not find a packed FieldDecl!");
15679     Action(E, FD->getParent(), FD, Alignment);
15680   }
15681 }
15682 
15683 void Sema::CheckAddressOfPackedMember(Expr *rhs) {
15684   using namespace std::placeholders;
15685 
15686   RefersToMemberWithReducedAlignment(
15687       rhs, std::bind(&Sema::AddPotentialMisalignedMembers, std::ref(*this), _1,
15688                      _2, _3, _4));
15689 }
15690 
15691 // Performs a similar job to Sema::UsualUnaryConversions, but without any
15692 // implicit promotion of integral/enumeration types.
15693 static ExprResult BuiltinVectorMathConversions(Sema &S, Expr *E) {
15694   // First, convert to an r-value.
15695   ExprResult Res = S.DefaultFunctionArrayLvalueConversion(E);
15696   if (Res.isInvalid())
15697     return ExprError();
15698 
15699   // Promote floating-point types.
15700   return S.UsualUnaryFPConversions(Res.get());
15701 }
15702 
15703 bool Sema::PrepareBuiltinElementwiseMathOneArgCall(
15704     CallExpr *TheCall, EltwiseBuiltinArgTyRestriction ArgTyRestr) {
15705   if (checkArgCount(TheCall, 1))
15706     return true;
15707 
15708   ExprResult A = BuiltinVectorMathConversions(*this, TheCall->getArg(0));
15709   if (A.isInvalid())
15710     return true;
15711 
15712   TheCall->setArg(0, A.get());
15713   QualType TyA = A.get()->getType();
15714 
15715   if (checkMathBuiltinElementType(*this, A.get()->getBeginLoc(), TyA,
15716                                   ArgTyRestr, 1))
15717     return true;
15718 
15719   TheCall->setType(TyA);
15720   return false;
15721 }
15722 
15723 bool Sema::BuiltinElementwiseMath(CallExpr *TheCall,
15724                                   EltwiseBuiltinArgTyRestriction ArgTyRestr) {
15725   if (auto Res = BuiltinVectorMath(TheCall, ArgTyRestr); Res.has_value()) {
15726     TheCall->setType(*Res);
15727     return false;
15728   }
15729   return true;
15730 }
15731 
15732 bool Sema::BuiltinVectorToScalarMath(CallExpr *TheCall) {
15733   std::optional<QualType> Res = BuiltinVectorMath(TheCall);
15734   if (!Res)
15735     return true;
15736 
15737   if (auto *VecTy0 = (*Res)->getAs<VectorType>())
15738     TheCall->setType(VecTy0->getElementType());
15739   else
15740     TheCall->setType(*Res);
15741 
15742   return false;
15743 }
15744 
15745 static bool checkBuiltinVectorMathMixedEnums(Sema &S, Expr *LHS, Expr *RHS,
15746                                              SourceLocation Loc) {
15747   QualType L = LHS->getEnumCoercedType(S.Context),
15748            R = RHS->getEnumCoercedType(S.Context);
15749   if (L->isUnscopedEnumerationType() && R->isUnscopedEnumerationType() &&
15750       !S.Context.hasSameUnqualifiedType(L, R)) {
15751     return S.Diag(Loc, diag::err_conv_mixed_enum_types)
15752            << LHS->getSourceRange() << RHS->getSourceRange()
15753            << /*Arithmetic Between*/ 0 << L << R;
15754   }
15755   return false;
15756 }
15757 
15758 std::optional<QualType>
15759 Sema::BuiltinVectorMath(CallExpr *TheCall,
15760                         EltwiseBuiltinArgTyRestriction ArgTyRestr) {
15761   if (checkArgCount(TheCall, 2))
15762     return std::nullopt;
15763 
15764   if (checkBuiltinVectorMathMixedEnums(
15765           *this, TheCall->getArg(0), TheCall->getArg(1), TheCall->getExprLoc()))
15766     return std::nullopt;
15767 
15768   Expr *Args[2];
15769   for (int I = 0; I < 2; ++I) {
15770     ExprResult Converted =
15771         BuiltinVectorMathConversions(*this, TheCall->getArg(I));
15772     if (Converted.isInvalid())
15773       return std::nullopt;
15774     Args[I] = Converted.get();
15775   }
15776 
15777   SourceLocation LocA = Args[0]->getBeginLoc();
15778   QualType TyA = Args[0]->getType();
15779   QualType TyB = Args[1]->getType();
15780 
15781   if (checkMathBuiltinElementType(*this, LocA, TyA, ArgTyRestr, 1))
15782     return std::nullopt;
15783 
15784   if (!Context.hasSameUnqualifiedType(TyA, TyB)) {
15785     Diag(LocA, diag::err_typecheck_call_different_arg_types) << TyA << TyB;
15786     return std::nullopt;
15787   }
15788 
15789   TheCall->setArg(0, Args[0]);
15790   TheCall->setArg(1, Args[1]);
15791   return TyA;
15792 }
15793 
15794 bool Sema::BuiltinElementwiseTernaryMath(
15795     CallExpr *TheCall, EltwiseBuiltinArgTyRestriction ArgTyRestr) {
15796   if (checkArgCount(TheCall, 3))
15797     return true;
15798 
15799   SourceLocation Loc = TheCall->getExprLoc();
15800   if (checkBuiltinVectorMathMixedEnums(*this, TheCall->getArg(0),
15801                                        TheCall->getArg(1), Loc) ||
15802       checkBuiltinVectorMathMixedEnums(*this, TheCall->getArg(1),
15803                                        TheCall->getArg(2), Loc))
15804     return true;
15805 
15806   Expr *Args[3];
15807   for (int I = 0; I < 3; ++I) {
15808     ExprResult Converted =
15809         BuiltinVectorMathConversions(*this, TheCall->getArg(I));
15810     if (Converted.isInvalid())
15811       return true;
15812     Args[I] = Converted.get();
15813   }
15814 
15815   int ArgOrdinal = 1;
15816   for (Expr *Arg : Args) {
15817     if (checkMathBuiltinElementType(*this, Arg->getBeginLoc(), Arg->getType(),
15818                                     ArgTyRestr, ArgOrdinal++))
15819       return true;
15820   }
15821 
15822   for (int I = 1; I < 3; ++I) {
15823     if (Args[0]->getType().getCanonicalType() !=
15824         Args[I]->getType().getCanonicalType()) {
15825       return Diag(Args[0]->getBeginLoc(),
15826                   diag::err_typecheck_call_different_arg_types)
15827              << Args[0]->getType() << Args[I]->getType();
15828     }
15829 
15830     TheCall->setArg(I, Args[I]);
15831   }
15832 
15833   TheCall->setType(Args[0]->getType());
15834   return false;
15835 }
15836 
15837 bool Sema::PrepareBuiltinReduceMathOneArgCall(CallExpr *TheCall) {
15838   if (checkArgCount(TheCall, 1))
15839     return true;
15840 
15841   ExprResult A = UsualUnaryConversions(TheCall->getArg(0));
15842   if (A.isInvalid())
15843     return true;
15844 
15845   TheCall->setArg(0, A.get());
15846   return false;
15847 }
15848 
15849 bool Sema::BuiltinNonDeterministicValue(CallExpr *TheCall) {
15850   if (checkArgCount(TheCall, 1))
15851     return true;
15852 
15853   ExprResult Arg = TheCall->getArg(0);
15854   QualType TyArg = Arg.get()->getType();
15855 
15856   if (!TyArg->isBuiltinType() && !TyArg->isVectorType())
15857     return Diag(TheCall->getArg(0)->getBeginLoc(),
15858                 diag::err_builtin_invalid_arg_type)
15859            << 1 << /* vector */ 2 << /* integer */ 1 << /* fp */ 1 << TyArg;
15860 
15861   TheCall->setType(TyArg);
15862   return false;
15863 }
15864 
15865 ExprResult Sema::BuiltinMatrixTranspose(CallExpr *TheCall,
15866                                         ExprResult CallResult) {
15867   if (checkArgCount(TheCall, 1))
15868     return ExprError();
15869 
15870   ExprResult MatrixArg = DefaultLvalueConversion(TheCall->getArg(0));
15871   if (MatrixArg.isInvalid())
15872     return MatrixArg;
15873   Expr *Matrix = MatrixArg.get();
15874 
15875   auto *MType = Matrix->getType()->getAs<ConstantMatrixType>();
15876   if (!MType) {
15877     Diag(Matrix->getBeginLoc(), diag::err_builtin_invalid_arg_type)
15878         << 1 << /* matrix */ 3 << /* no int */ 0 << /* no fp */ 0
15879         << Matrix->getType();
15880     return ExprError();
15881   }
15882 
15883   // Create returned matrix type by swapping rows and columns of the argument
15884   // matrix type.
15885   QualType ResultType = Context.getConstantMatrixType(
15886       MType->getElementType(), MType->getNumColumns(), MType->getNumRows());
15887 
15888   // Change the return type to the type of the returned matrix.
15889   TheCall->setType(ResultType);
15890 
15891   // Update call argument to use the possibly converted matrix argument.
15892   TheCall->setArg(0, Matrix);
15893   return CallResult;
15894 }
15895 
15896 // Get and verify the matrix dimensions.
15897 static std::optional<unsigned>
15898 getAndVerifyMatrixDimension(Expr *Expr, StringRef Name, Sema &S) {
15899   SourceLocation ErrorPos;
15900   std::optional<llvm::APSInt> Value =
15901       Expr->getIntegerConstantExpr(S.Context, &ErrorPos);
15902   if (!Value) {
15903     S.Diag(Expr->getBeginLoc(), diag::err_builtin_matrix_scalar_unsigned_arg)
15904         << Name;
15905     return {};
15906   }
15907   uint64_t Dim = Value->getZExtValue();
15908   if (!ConstantMatrixType::isDimensionValid(Dim)) {
15909     S.Diag(Expr->getBeginLoc(), diag::err_builtin_matrix_invalid_dimension)
15910         << Name << ConstantMatrixType::getMaxElementsPerDimension();
15911     return {};
15912   }
15913   return Dim;
15914 }
15915 
15916 ExprResult Sema::BuiltinMatrixColumnMajorLoad(CallExpr *TheCall,
15917                                               ExprResult CallResult) {
15918   if (!getLangOpts().MatrixTypes) {
15919     Diag(TheCall->getBeginLoc(), diag::err_builtin_matrix_disabled);
15920     return ExprError();
15921   }
15922 
15923   if (checkArgCount(TheCall, 4))
15924     return ExprError();
15925 
15926   unsigned PtrArgIdx = 0;
15927   Expr *PtrExpr = TheCall->getArg(PtrArgIdx);
15928   Expr *RowsExpr = TheCall->getArg(1);
15929   Expr *ColumnsExpr = TheCall->getArg(2);
15930   Expr *StrideExpr = TheCall->getArg(3);
15931 
15932   bool ArgError = false;
15933 
15934   // Check pointer argument.
15935   {
15936     ExprResult PtrConv = DefaultFunctionArrayLvalueConversion(PtrExpr);
15937     if (PtrConv.isInvalid())
15938       return PtrConv;
15939     PtrExpr = PtrConv.get();
15940     TheCall->setArg(0, PtrExpr);
15941     if (PtrExpr->isTypeDependent()) {
15942       TheCall->setType(Context.DependentTy);
15943       return TheCall;
15944     }
15945   }
15946 
15947   auto *PtrTy = PtrExpr->getType()->getAs<PointerType>();
15948   QualType ElementTy;
15949   if (!PtrTy) {
15950     Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
15951         << PtrArgIdx + 1 << 0 << /* pointer to element ty */ 5 << /* no fp */ 0
15952         << PtrExpr->getType();
15953     ArgError = true;
15954   } else {
15955     ElementTy = PtrTy->getPointeeType().getUnqualifiedType();
15956 
15957     if (!ConstantMatrixType::isValidElementType(ElementTy)) {
15958       Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
15959           << PtrArgIdx + 1 << 0 << /* pointer to element ty */ 5
15960           << /* no fp */ 0 << PtrExpr->getType();
15961       ArgError = true;
15962     }
15963   }
15964 
15965   // Apply default Lvalue conversions and convert the expression to size_t.
15966   auto ApplyArgumentConversions = [this](Expr *E) {
15967     ExprResult Conv = DefaultLvalueConversion(E);
15968     if (Conv.isInvalid())
15969       return Conv;
15970 
15971     return tryConvertExprToType(Conv.get(), Context.getSizeType());
15972   };
15973 
15974   // Apply conversion to row and column expressions.
15975   ExprResult RowsConv = ApplyArgumentConversions(RowsExpr);
15976   if (!RowsConv.isInvalid()) {
15977     RowsExpr = RowsConv.get();
15978     TheCall->setArg(1, RowsExpr);
15979   } else
15980     RowsExpr = nullptr;
15981 
15982   ExprResult ColumnsConv = ApplyArgumentConversions(ColumnsExpr);
15983   if (!ColumnsConv.isInvalid()) {
15984     ColumnsExpr = ColumnsConv.get();
15985     TheCall->setArg(2, ColumnsExpr);
15986   } else
15987     ColumnsExpr = nullptr;
15988 
15989   // If any part of the result matrix type is still pending, just use
15990   // Context.DependentTy, until all parts are resolved.
15991   if ((RowsExpr && RowsExpr->isTypeDependent()) ||
15992       (ColumnsExpr && ColumnsExpr->isTypeDependent())) {
15993     TheCall->setType(Context.DependentTy);
15994     return CallResult;
15995   }
15996 
15997   // Check row and column dimensions.
15998   std::optional<unsigned> MaybeRows;
15999   if (RowsExpr)
16000     MaybeRows = getAndVerifyMatrixDimension(RowsExpr, "row", *this);
16001 
16002   std::optional<unsigned> MaybeColumns;
16003   if (ColumnsExpr)
16004     MaybeColumns = getAndVerifyMatrixDimension(ColumnsExpr, "column", *this);
16005 
16006   // Check stride argument.
16007   ExprResult StrideConv = ApplyArgumentConversions(StrideExpr);
16008   if (StrideConv.isInvalid())
16009     return ExprError();
16010   StrideExpr = StrideConv.get();
16011   TheCall->setArg(3, StrideExpr);
16012 
16013   if (MaybeRows) {
16014     if (std::optional<llvm::APSInt> Value =
16015             StrideExpr->getIntegerConstantExpr(Context)) {
16016       uint64_t Stride = Value->getZExtValue();
16017       if (Stride < *MaybeRows) {
16018         Diag(StrideExpr->getBeginLoc(),
16019              diag::err_builtin_matrix_stride_too_small);
16020         ArgError = true;
16021       }
16022     }
16023   }
16024 
16025   if (ArgError || !MaybeRows || !MaybeColumns)
16026     return ExprError();
16027 
16028   TheCall->setType(
16029       Context.getConstantMatrixType(ElementTy, *MaybeRows, *MaybeColumns));
16030   return CallResult;
16031 }
16032 
16033 ExprResult Sema::BuiltinMatrixColumnMajorStore(CallExpr *TheCall,
16034                                                ExprResult CallResult) {
16035   if (checkArgCount(TheCall, 3))
16036     return ExprError();
16037 
16038   unsigned PtrArgIdx = 1;
16039   Expr *MatrixExpr = TheCall->getArg(0);
16040   Expr *PtrExpr = TheCall->getArg(PtrArgIdx);
16041   Expr *StrideExpr = TheCall->getArg(2);
16042 
16043   bool ArgError = false;
16044 
16045   {
16046     ExprResult MatrixConv = DefaultLvalueConversion(MatrixExpr);
16047     if (MatrixConv.isInvalid())
16048       return MatrixConv;
16049     MatrixExpr = MatrixConv.get();
16050     TheCall->setArg(0, MatrixExpr);
16051   }
16052   if (MatrixExpr->isTypeDependent()) {
16053     TheCall->setType(Context.DependentTy);
16054     return TheCall;
16055   }
16056 
16057   auto *MatrixTy = MatrixExpr->getType()->getAs<ConstantMatrixType>();
16058   if (!MatrixTy) {
16059     Diag(MatrixExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
16060         << 1 << /* matrix ty */ 3 << 0 << 0 << MatrixExpr->getType();
16061     ArgError = true;
16062   }
16063 
16064   {
16065     ExprResult PtrConv = DefaultFunctionArrayLvalueConversion(PtrExpr);
16066     if (PtrConv.isInvalid())
16067       return PtrConv;
16068     PtrExpr = PtrConv.get();
16069     TheCall->setArg(1, PtrExpr);
16070     if (PtrExpr->isTypeDependent()) {
16071       TheCall->setType(Context.DependentTy);
16072       return TheCall;
16073     }
16074   }
16075 
16076   // Check pointer argument.
16077   auto *PtrTy = PtrExpr->getType()->getAs<PointerType>();
16078   if (!PtrTy) {
16079     Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
16080         << PtrArgIdx + 1 << 0 << /* pointer to element ty */ 5 << 0
16081         << PtrExpr->getType();
16082     ArgError = true;
16083   } else {
16084     QualType ElementTy = PtrTy->getPointeeType();
16085     if (ElementTy.isConstQualified()) {
16086       Diag(PtrExpr->getBeginLoc(), diag::err_builtin_matrix_store_to_const);
16087       ArgError = true;
16088     }
16089     ElementTy = ElementTy.getUnqualifiedType().getCanonicalType();
16090     if (MatrixTy &&
16091         !Context.hasSameType(ElementTy, MatrixTy->getElementType())) {
16092       Diag(PtrExpr->getBeginLoc(),
16093            diag::err_builtin_matrix_pointer_arg_mismatch)
16094           << ElementTy << MatrixTy->getElementType();
16095       ArgError = true;
16096     }
16097   }
16098 
16099   // Apply default Lvalue conversions and convert the stride expression to
16100   // size_t.
16101   {
16102     ExprResult StrideConv = DefaultLvalueConversion(StrideExpr);
16103     if (StrideConv.isInvalid())
16104       return StrideConv;
16105 
16106     StrideConv = tryConvertExprToType(StrideConv.get(), Context.getSizeType());
16107     if (StrideConv.isInvalid())
16108       return StrideConv;
16109     StrideExpr = StrideConv.get();
16110     TheCall->setArg(2, StrideExpr);
16111   }
16112 
16113   // Check stride argument.
16114   if (MatrixTy) {
16115     if (std::optional<llvm::APSInt> Value =
16116             StrideExpr->getIntegerConstantExpr(Context)) {
16117       uint64_t Stride = Value->getZExtValue();
16118       if (Stride < MatrixTy->getNumRows()) {
16119         Diag(StrideExpr->getBeginLoc(),
16120              diag::err_builtin_matrix_stride_too_small);
16121         ArgError = true;
16122       }
16123     }
16124   }
16125 
16126   if (ArgError)
16127     return ExprError();
16128 
16129   return CallResult;
16130 }
16131 
16132 void Sema::CheckTCBEnforcement(const SourceLocation CallExprLoc,
16133                                const NamedDecl *Callee) {
16134   // This warning does not make sense in code that has no runtime behavior.
16135   if (isUnevaluatedContext())
16136     return;
16137 
16138   const NamedDecl *Caller = getCurFunctionOrMethodDecl();
16139 
16140   if (!Caller || !Caller->hasAttr<EnforceTCBAttr>())
16141     return;
16142 
16143   // Search through the enforce_tcb and enforce_tcb_leaf attributes to find
16144   // all TCBs the callee is a part of.
16145   llvm::StringSet<> CalleeTCBs;
16146   for (const auto *A : Callee->specific_attrs<EnforceTCBAttr>())
16147     CalleeTCBs.insert(A->getTCBName());
16148   for (const auto *A : Callee->specific_attrs<EnforceTCBLeafAttr>())
16149     CalleeTCBs.insert(A->getTCBName());
16150 
16151   // Go through the TCBs the caller is a part of and emit warnings if Caller
16152   // is in a TCB that the Callee is not.
16153   for (const auto *A : Caller->specific_attrs<EnforceTCBAttr>()) {
16154     StringRef CallerTCB = A->getTCBName();
16155     if (CalleeTCBs.count(CallerTCB) == 0) {
16156       this->Diag(CallExprLoc, diag::warn_tcb_enforcement_violation)
16157           << Callee << CallerTCB;
16158     }
16159   }
16160 }
16161