search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[RISCV][GISel] Make s16->s32 G_ANYEXT/SEXT/ZEXT legal.
[llvm-project.git] / clang / lib / Sema / SemaChecking.cpp
blob2fd990750ed212afe246c60d84f223d2b258af7b
1 //===- SemaChecking.cpp - Extra Semantic Checking -------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file implements extra semantic analysis beyond what is enforced
10 // by the C type system.
11 //
12 //===----------------------------------------------------------------------===//
13
14 #include "CheckExprLifetime.h"
15 #include "clang/AST/APValue.h"
16 #include "clang/AST/ASTContext.h"
17 #include "clang/AST/Attr.h"
18 #include "clang/AST/AttrIterator.h"
19 #include "clang/AST/CharUnits.h"
20 #include "clang/AST/Decl.h"
21 #include "clang/AST/DeclBase.h"
22 #include "clang/AST/DeclCXX.h"
23 #include "clang/AST/DeclObjC.h"
24 #include "clang/AST/DeclarationName.h"
25 #include "clang/AST/EvaluatedExprVisitor.h"
26 #include "clang/AST/Expr.h"
27 #include "clang/AST/ExprCXX.h"
28 #include "clang/AST/ExprObjC.h"
29 #include "clang/AST/FormatString.h"
30 #include "clang/AST/IgnoreExpr.h"
31 #include "clang/AST/NSAPI.h"
32 #include "clang/AST/NonTrivialTypeVisitor.h"
33 #include "clang/AST/OperationKinds.h"
34 #include "clang/AST/RecordLayout.h"
35 #include "clang/AST/Stmt.h"
36 #include "clang/AST/TemplateBase.h"
37 #include "clang/AST/Type.h"
38 #include "clang/AST/TypeLoc.h"
39 #include "clang/AST/UnresolvedSet.h"
40 #include "clang/Basic/AddressSpaces.h"
41 #include "clang/Basic/Diagnostic.h"
42 #include "clang/Basic/IdentifierTable.h"
43 #include "clang/Basic/LLVM.h"
44 #include "clang/Basic/LangOptions.h"
45 #include "clang/Basic/OpenCLOptions.h"
46 #include "clang/Basic/OperatorKinds.h"
47 #include "clang/Basic/PartialDiagnostic.h"
48 #include "clang/Basic/SourceLocation.h"
49 #include "clang/Basic/SourceManager.h"
50 #include "clang/Basic/Specifiers.h"
51 #include "clang/Basic/SyncScope.h"
52 #include "clang/Basic/TargetInfo.h"
53 #include "clang/Basic/TypeTraits.h"
54 #include "clang/Lex/Lexer.h" // TODO: Extract static functions to fix layering.
55 #include "clang/Sema/Initialization.h"
56 #include "clang/Sema/Lookup.h"
57 #include "clang/Sema/Ownership.h"
58 #include "clang/Sema/Scope.h"
59 #include "clang/Sema/ScopeInfo.h"
60 #include "clang/Sema/Sema.h"
61 #include "clang/Sema/SemaAMDGPU.h"
62 #include "clang/Sema/SemaARM.h"
63 #include "clang/Sema/SemaBPF.h"
64 #include "clang/Sema/SemaHLSL.h"
65 #include "clang/Sema/SemaHexagon.h"
66 #include "clang/Sema/SemaLoongArch.h"
67 #include "clang/Sema/SemaMIPS.h"
68 #include "clang/Sema/SemaNVPTX.h"
69 #include "clang/Sema/SemaObjC.h"
70 #include "clang/Sema/SemaOpenCL.h"
71 #include "clang/Sema/SemaPPC.h"
72 #include "clang/Sema/SemaRISCV.h"
73 #include "clang/Sema/SemaSystemZ.h"
74 #include "clang/Sema/SemaWasm.h"
75 #include "clang/Sema/SemaX86.h"
76 #include "llvm/ADT/APFloat.h"
77 #include "llvm/ADT/APInt.h"
78 #include "llvm/ADT/APSInt.h"
79 #include "llvm/ADT/ArrayRef.h"
80 #include "llvm/ADT/DenseMap.h"
81 #include "llvm/ADT/FoldingSet.h"
82 #include "llvm/ADT/STLExtras.h"
83 #include "llvm/ADT/SmallBitVector.h"
84 #include "llvm/ADT/SmallPtrSet.h"
85 #include "llvm/ADT/SmallString.h"
86 #include "llvm/ADT/SmallVector.h"
87 #include "llvm/ADT/StringExtras.h"
88 #include "llvm/ADT/StringRef.h"
89 #include "llvm/ADT/StringSet.h"
90 #include "llvm/ADT/StringSwitch.h"
91 #include "llvm/Support/AtomicOrdering.h"
92 #include "llvm/Support/Compiler.h"
93 #include "llvm/Support/ConvertUTF.h"
94 #include "llvm/Support/ErrorHandling.h"
95 #include "llvm/Support/Format.h"
96 #include "llvm/Support/Locale.h"
97 #include "llvm/Support/MathExtras.h"
98 #include "llvm/Support/SaveAndRestore.h"
99 #include "llvm/Support/raw_ostream.h"
100 #include "llvm/TargetParser/RISCVTargetParser.h"
101 #include "llvm/TargetParser/Triple.h"
102 #include <algorithm>
103 #include <cassert>
104 #include <cctype>
105 #include <cstddef>
106 #include <cstdint>
107 #include <functional>
108 #include <limits>
109 #include <optional>
110 #include <string>
111 #include <tuple>
112 #include <utility>
113
114 using namespace clang;
115 using namespace sema;
116
117 SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
118 unsigned ByteNo) const {
119 return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts,
120 Context.getTargetInfo());
121 }
122
123 static constexpr unsigned short combineFAPK(Sema::FormatArgumentPassingKind A,
124 Sema::FormatArgumentPassingKind B) {
125 return (A << 8) | B;
126 }
127
128 bool Sema::checkArgCountAtLeast(CallExpr *Call, unsigned MinArgCount) {
129 unsigned ArgCount = Call->getNumArgs();
130 if (ArgCount >= MinArgCount)
131 return false;
132
133 return Diag(Call->getEndLoc(), diag::err_typecheck_call_too_few_args)
134 << 0 /*function call*/ << MinArgCount << ArgCount
135 << /*is non object*/ 0 << Call->getSourceRange();
136 }
137
138 bool Sema::checkArgCountAtMost(CallExpr *Call, unsigned MaxArgCount) {
139 unsigned ArgCount = Call->getNumArgs();
140 if (ArgCount <= MaxArgCount)
141 return false;
142 return Diag(Call->getEndLoc(), diag::err_typecheck_call_too_many_args_at_most)
143 << 0 /*function call*/ << MaxArgCount << ArgCount
144 << /*is non object*/ 0 << Call->getSourceRange();
145 }
146
147 bool Sema::checkArgCountRange(CallExpr *Call, unsigned MinArgCount,
148 unsigned MaxArgCount) {
149 return checkArgCountAtLeast(Call, MinArgCount) ||
150 checkArgCountAtMost(Call, MaxArgCount);
151 }
152
153 bool Sema::checkArgCount(CallExpr *Call, unsigned DesiredArgCount) {
154 unsigned ArgCount = Call->getNumArgs();
155 if (ArgCount == DesiredArgCount)
156 return false;
157
158 if (checkArgCountAtLeast(Call, DesiredArgCount))
159 return true;
160 assert(ArgCount > DesiredArgCount && "should have diagnosed this");
161
162 // Highlight all the excess arguments.
163 SourceRange Range(Call->getArg(DesiredArgCount)->getBeginLoc(),
164 Call->getArg(ArgCount - 1)->getEndLoc());
165
166 return Diag(Range.getBegin(), diag::err_typecheck_call_too_many_args)
167 << 0 /*function call*/ << DesiredArgCount << ArgCount
168 << /*is non object*/ 0 << Call->getArg(1)->getSourceRange();
169 }
170
171 static bool checkBuiltinVerboseTrap(CallExpr *Call, Sema &S) {
172 bool HasError = false;
173
174 for (unsigned I = 0; I < Call->getNumArgs(); ++I) {
175 Expr *Arg = Call->getArg(I);
176
177 if (Arg->isValueDependent())
178 continue;
179
180 std::optional<std::string> ArgString = Arg->tryEvaluateString(S.Context);
181 int DiagMsgKind = -1;
182 // Arguments must be pointers to constant strings and cannot use '$'.
183 if (!ArgString.has_value())
184 DiagMsgKind = 0;
185 else if (ArgString->find('$') != std::string::npos)
186 DiagMsgKind = 1;
187
188 if (DiagMsgKind >= 0) {
189 S.Diag(Arg->getBeginLoc(), diag::err_builtin_verbose_trap_arg)
190 << DiagMsgKind << Arg->getSourceRange();
191 HasError = true;
192 }
193 }
194
195 return !HasError;
196 }
197
198 static bool convertArgumentToType(Sema &S, Expr *&Value, QualType Ty) {
199 if (Value->isTypeDependent())
200 return false;
201
202 InitializedEntity Entity =
203 InitializedEntity::InitializeParameter(S.Context, Ty, false);
204 ExprResult Result =
205 S.PerformCopyInitialization(Entity, SourceLocation(), Value);
206 if (Result.isInvalid())
207 return true;
208 Value = Result.get();
209 return false;
210 }
211
212 /// Check that the first argument to __builtin_annotation is an integer
213 /// and the second argument is a non-wide string literal.
214 static bool BuiltinAnnotation(Sema &S, CallExpr *TheCall) {
215 if (S.checkArgCount(TheCall, 2))
216 return true;
217
218 // First argument should be an integer.
219 Expr *ValArg = TheCall->getArg(0);
220 QualType Ty = ValArg->getType();
221 if (!Ty->isIntegerType()) {
222 S.Diag(ValArg->getBeginLoc(), diag::err_builtin_annotation_first_arg)
223 << ValArg->getSourceRange();
224 return true;
225 }
226
227 // Second argument should be a constant string.
228 Expr *StrArg = TheCall->getArg(1)->IgnoreParenCasts();
229 StringLiteral *Literal = dyn_cast<StringLiteral>(StrArg);
230 if (!Literal || !Literal->isOrdinary()) {
231 S.Diag(StrArg->getBeginLoc(), diag::err_builtin_annotation_second_arg)
232 << StrArg->getSourceRange();
233 return true;
234 }
235
236 TheCall->setType(Ty);
237 return false;
238 }
239
240 static bool BuiltinMSVCAnnotation(Sema &S, CallExpr *TheCall) {
241 // We need at least one argument.
242 if (TheCall->getNumArgs() < 1) {
243 S.Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
244 << 0 << 1 << TheCall->getNumArgs() << /*is non object*/ 0
245 << TheCall->getCallee()->getSourceRange();
246 return true;
247 }
248
249 // All arguments should be wide string literals.
250 for (Expr *Arg : TheCall->arguments()) {
251 auto *Literal = dyn_cast<StringLiteral>(Arg->IgnoreParenCasts());
252 if (!Literal || !Literal->isWide()) {
253 S.Diag(Arg->getBeginLoc(), diag::err_msvc_annotation_wide_str)
254 << Arg->getSourceRange();
255 return true;
256 }
257 }
258
259 return false;
260 }
261
262 /// Check that the argument to __builtin_addressof is a glvalue, and set the
263 /// result type to the corresponding pointer type.
264 static bool BuiltinAddressof(Sema &S, CallExpr *TheCall) {
265 if (S.checkArgCount(TheCall, 1))
266 return true;
267
268 ExprResult Arg(TheCall->getArg(0));
269 QualType ResultType = S.CheckAddressOfOperand(Arg, TheCall->getBeginLoc());
270 if (ResultType.isNull())
271 return true;
272
273 TheCall->setArg(0, Arg.get());
274 TheCall->setType(ResultType);
275 return false;
276 }
277
278 /// Check that the argument to __builtin_function_start is a function.
279 static bool BuiltinFunctionStart(Sema &S, CallExpr *TheCall) {
280 if (S.checkArgCount(TheCall, 1))
281 return true;
282
283 ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
284 if (Arg.isInvalid())
285 return true;
286
287 TheCall->setArg(0, Arg.get());
288 const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(
289 Arg.get()->getAsBuiltinConstantDeclRef(S.getASTContext()));
290
291 if (!FD) {
292 S.Diag(TheCall->getBeginLoc(), diag::err_function_start_invalid_type)
293 << TheCall->getSourceRange();
294 return true;
295 }
296
297 return !S.checkAddressOfFunctionIsAvailable(FD, /*Complain=*/true,
298 TheCall->getBeginLoc());
299 }
300
301 /// Check the number of arguments and set the result type to
302 /// the argument type.
303 static bool BuiltinPreserveAI(Sema &S, CallExpr *TheCall) {
304 if (S.checkArgCount(TheCall, 1))
305 return true;
306
307 TheCall->setType(TheCall->getArg(0)->getType());
308 return false;
309 }
310
311 /// Check that the value argument for __builtin_is_aligned(value, alignment) and
312 /// __builtin_aligned_{up,down}(value, alignment) is an integer or a pointer
313 /// type (but not a function pointer) and that the alignment is a power-of-two.
314 static bool BuiltinAlignment(Sema &S, CallExpr *TheCall, unsigned ID) {
315 if (S.checkArgCount(TheCall, 2))
316 return true;
317
318 clang::Expr *Source = TheCall->getArg(0);
319 bool IsBooleanAlignBuiltin = ID == Builtin::BI__builtin_is_aligned;
320
321 auto IsValidIntegerType = [](QualType Ty) {
322 return Ty->isIntegerType() && !Ty->isEnumeralType() && !Ty->isBooleanType();
323 };
324 QualType SrcTy = Source->getType();
325 // We should also be able to use it with arrays (but not functions!).
326 if (SrcTy->canDecayToPointerType() && SrcTy->isArrayType()) {
327 SrcTy = S.Context.getDecayedType(SrcTy);
328 }
329 if ((!SrcTy->isPointerType() && !IsValidIntegerType(SrcTy)) ||
330 SrcTy->isFunctionPointerType()) {
331 // FIXME: this is not quite the right error message since we don't allow
332 // floating point types, or member pointers.
333 S.Diag(Source->getExprLoc(), diag::err_typecheck_expect_scalar_operand)
334 << SrcTy;
335 return true;
336 }
337
338 clang::Expr *AlignOp = TheCall->getArg(1);
339 if (!IsValidIntegerType(AlignOp->getType())) {
340 S.Diag(AlignOp->getExprLoc(), diag::err_typecheck_expect_int)
341 << AlignOp->getType();
342 return true;
343 }
344 Expr::EvalResult AlignResult;
345 unsigned MaxAlignmentBits = S.Context.getIntWidth(SrcTy) - 1;
346 // We can't check validity of alignment if it is value dependent.
347 if (!AlignOp->isValueDependent() &&
348 AlignOp->EvaluateAsInt(AlignResult, S.Context,
349 Expr::SE_AllowSideEffects)) {
350 llvm::APSInt AlignValue = AlignResult.Val.getInt();
351 llvm::APSInt MaxValue(
352 llvm::APInt::getOneBitSet(MaxAlignmentBits + 1, MaxAlignmentBits));
353 if (AlignValue < 1) {
354 S.Diag(AlignOp->getExprLoc(), diag::err_alignment_too_small) << 1;
355 return true;
356 }
357 if (llvm::APSInt::compareValues(AlignValue, MaxValue) > 0) {
358 S.Diag(AlignOp->getExprLoc(), diag::err_alignment_too_big)
359 << toString(MaxValue, 10);
360 return true;
361 }
362 if (!AlignValue.isPowerOf2()) {
363 S.Diag(AlignOp->getExprLoc(), diag::err_alignment_not_power_of_two);
364 return true;
365 }
366 if (AlignValue == 1) {
367 S.Diag(AlignOp->getExprLoc(), diag::warn_alignment_builtin_useless)
368 << IsBooleanAlignBuiltin;
369 }
370 }
371
372 ExprResult SrcArg = S.PerformCopyInitialization(
373 InitializedEntity::InitializeParameter(S.Context, SrcTy, false),
374 SourceLocation(), Source);
375 if (SrcArg.isInvalid())
376 return true;
377 TheCall->setArg(0, SrcArg.get());
378 ExprResult AlignArg =
379 S.PerformCopyInitialization(InitializedEntity::InitializeParameter(
380 S.Context, AlignOp->getType(), false),
381 SourceLocation(), AlignOp);
382 if (AlignArg.isInvalid())
383 return true;
384 TheCall->setArg(1, AlignArg.get());
385 // For align_up/align_down, the return type is the same as the (potentially
386 // decayed) argument type including qualifiers. For is_aligned(), the result
387 // is always bool.
388 TheCall->setType(IsBooleanAlignBuiltin ? S.Context.BoolTy : SrcTy);
389 return false;
390 }
391
392 static bool BuiltinOverflow(Sema &S, CallExpr *TheCall, unsigned BuiltinID) {
393 if (S.checkArgCount(TheCall, 3))
394 return true;
395
396 std::pair<unsigned, const char *> Builtins[] = {
397 { Builtin::BI__builtin_add_overflow, "ckd_add" },
398 { Builtin::BI__builtin_sub_overflow, "ckd_sub" },
399 { Builtin::BI__builtin_mul_overflow, "ckd_mul" },
400 };
401
402 bool CkdOperation = llvm::any_of(Builtins, [&](const std::pair<unsigned,
403 const char *> &P) {
404 return BuiltinID == P.first && TheCall->getExprLoc().isMacroID() &&
405 Lexer::getImmediateMacroName(TheCall->getExprLoc(),
406 S.getSourceManager(), S.getLangOpts()) == P.second;
407 });
408
409 auto ValidCkdIntType = [](QualType QT) {
410 // A valid checked integer type is an integer type other than a plain char,
411 // bool, a bit-precise type, or an enumeration type.
412 if (const auto *BT = QT.getCanonicalType()->getAs<BuiltinType>())
413 return (BT->getKind() >= BuiltinType::Short &&
414 BT->getKind() <= BuiltinType::Int128) || (
415 BT->getKind() >= BuiltinType::UShort &&
416 BT->getKind() <= BuiltinType::UInt128) ||
417 BT->getKind() == BuiltinType::UChar ||
418 BT->getKind() == BuiltinType::SChar;
419 return false;
420 };
421
422 // First two arguments should be integers.
423 for (unsigned I = 0; I < 2; ++I) {
424 ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(I));
425 if (Arg.isInvalid()) return true;
426 TheCall->setArg(I, Arg.get());
427
428 QualType Ty = Arg.get()->getType();
429 bool IsValid = CkdOperation ? ValidCkdIntType(Ty) : Ty->isIntegerType();
430 if (!IsValid) {
431 S.Diag(Arg.get()->getBeginLoc(), diag::err_overflow_builtin_must_be_int)
432 << CkdOperation << Ty << Arg.get()->getSourceRange();
433 return true;
434 }
435 }
436
437 // Third argument should be a pointer to a non-const integer.
438 // IRGen correctly handles volatile, restrict, and address spaces, and
439 // the other qualifiers aren't possible.
440 {
441 ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(2));
442 if (Arg.isInvalid()) return true;
443 TheCall->setArg(2, Arg.get());
444
445 QualType Ty = Arg.get()->getType();
446 const auto *PtrTy = Ty->getAs<PointerType>();
447 if (!PtrTy ||
448 !PtrTy->getPointeeType()->isIntegerType() ||
449 (!ValidCkdIntType(PtrTy->getPointeeType()) && CkdOperation) ||
450 PtrTy->getPointeeType().isConstQualified()) {
451 S.Diag(Arg.get()->getBeginLoc(),
452 diag::err_overflow_builtin_must_be_ptr_int)
453 << CkdOperation << Ty << Arg.get()->getSourceRange();
454 return true;
455 }
456 }
457
458 // Disallow signed bit-precise integer args larger than 128 bits to mul
459 // function until we improve backend support.
460 if (BuiltinID == Builtin::BI__builtin_mul_overflow) {
461 for (unsigned I = 0; I < 3; ++I) {
462 const auto Arg = TheCall->getArg(I);
463 // Third argument will be a pointer.
464 auto Ty = I < 2 ? Arg->getType() : Arg->getType()->getPointeeType();
465 if (Ty->isBitIntType() && Ty->isSignedIntegerType() &&
466 S.getASTContext().getIntWidth(Ty) > 128)
467 return S.Diag(Arg->getBeginLoc(),
468 diag::err_overflow_builtin_bit_int_max_size)
469 << 128;
470 }
471 }
472
473 return false;
474 }
475
476 namespace {
477 struct BuiltinDumpStructGenerator {
478 Sema &S;
479 CallExpr *TheCall;
480 SourceLocation Loc = TheCall->getBeginLoc();
481 SmallVector<Expr *, 32> Actions;
482 DiagnosticErrorTrap ErrorTracker;
483 PrintingPolicy Policy;
484
485 BuiltinDumpStructGenerator(Sema &S, CallExpr *TheCall)
486 : S(S), TheCall(TheCall), ErrorTracker(S.getDiagnostics()),
487 Policy(S.Context.getPrintingPolicy()) {
488 Policy.AnonymousTagLocations = false;
489 }
490
491 Expr *makeOpaqueValueExpr(Expr *Inner) {
492 auto *OVE = new (S.Context)
493 OpaqueValueExpr(Loc, Inner->getType(), Inner->getValueKind(),
494 Inner->getObjectKind(), Inner);
495 Actions.push_back(OVE);
496 return OVE;
497 }
498
499 Expr *getStringLiteral(llvm::StringRef Str) {
500 Expr *Lit = S.Context.getPredefinedStringLiteralFromCache(Str);
501 // Wrap the literal in parentheses to attach a source location.
502 return new (S.Context) ParenExpr(Loc, Loc, Lit);
503 }
504
505 bool callPrintFunction(llvm::StringRef Format,
506 llvm::ArrayRef<Expr *> Exprs = {}) {
507 SmallVector<Expr *, 8> Args;
508 assert(TheCall->getNumArgs() >= 2);
509 Args.reserve((TheCall->getNumArgs() - 2) + /*Format*/ 1 + Exprs.size());
510 Args.assign(TheCall->arg_begin() + 2, TheCall->arg_end());
511 Args.push_back(getStringLiteral(Format));
512 Args.insert(Args.end(), Exprs.begin(), Exprs.end());
513
514 // Register a note to explain why we're performing the call.
515 Sema::CodeSynthesisContext Ctx;
516 Ctx.Kind = Sema::CodeSynthesisContext::BuildingBuiltinDumpStructCall;
517 Ctx.PointOfInstantiation = Loc;
518 Ctx.CallArgs = Args.data();
519 Ctx.NumCallArgs = Args.size();
520 S.pushCodeSynthesisContext(Ctx);
521
522 ExprResult RealCall =
523 S.BuildCallExpr(/*Scope=*/nullptr, TheCall->getArg(1),
524 TheCall->getBeginLoc(), Args, TheCall->getRParenLoc());
525
526 S.popCodeSynthesisContext();
527 if (!RealCall.isInvalid())
528 Actions.push_back(RealCall.get());
529 // Bail out if we've hit any errors, even if we managed to build the
530 // call. We don't want to produce more than one error.
531 return RealCall.isInvalid() || ErrorTracker.hasErrorOccurred();
532 }
533
534 Expr *getIndentString(unsigned Depth) {
535 if (!Depth)
536 return nullptr;
537
538 llvm::SmallString<32> Indent;
539 Indent.resize(Depth * Policy.Indentation, ' ');
540 return getStringLiteral(Indent);
541 }
542
543 Expr *getTypeString(QualType T) {
544 return getStringLiteral(T.getAsString(Policy));
545 }
546
547 bool appendFormatSpecifier(QualType T, llvm::SmallVectorImpl<char> &Str) {
548 llvm::raw_svector_ostream OS(Str);
549
550 // Format 'bool', 'char', 'signed char', 'unsigned char' as numbers, rather
551 // than trying to print a single character.
552 if (auto *BT = T->getAs<BuiltinType>()) {
553 switch (BT->getKind()) {
554 case BuiltinType::Bool:
555 OS << "%d";
556 return true;
557 case BuiltinType::Char_U:
558 case BuiltinType::UChar:
559 OS << "%hhu";
560 return true;
561 case BuiltinType::Char_S:
562 case BuiltinType::SChar:
563 OS << "%hhd";
564 return true;
565 default:
566 break;
567 }
568 }
569
570 analyze_printf::PrintfSpecifier Specifier;
571 if (Specifier.fixType(T, S.getLangOpts(), S.Context, /*IsObjCLiteral=*/false)) {
572 // We were able to guess how to format this.
573 if (Specifier.getConversionSpecifier().getKind() ==
574 analyze_printf::PrintfConversionSpecifier::sArg) {
575 // Wrap double-quotes around a '%s' specifier and limit its maximum
576 // length. Ideally we'd also somehow escape special characters in the
577 // contents but printf doesn't support that.
578 // FIXME: '%s' formatting is not safe in general.
579 OS << '"';
580 Specifier.setPrecision(analyze_printf::OptionalAmount(32u));
581 Specifier.toString(OS);
582 OS << '"';
583 // FIXME: It would be nice to include a '...' if the string doesn't fit
584 // in the length limit.
585 } else {
586 Specifier.toString(OS);
587 }
588 return true;
589 }
590
591 if (T->isPointerType()) {
592 // Format all pointers with '%p'.
593 OS << "%p";
594 return true;
595 }
596
597 return false;
598 }
599
600 bool dumpUnnamedRecord(const RecordDecl *RD, Expr *E, unsigned Depth) {
601 Expr *IndentLit = getIndentString(Depth);
602 Expr *TypeLit = getTypeString(S.Context.getRecordType(RD));
603 if (IndentLit ? callPrintFunction("%s%s", {IndentLit, TypeLit})
604 : callPrintFunction("%s", {TypeLit}))
605 return true;
606
607 return dumpRecordValue(RD, E, IndentLit, Depth);
608 }
609
610 // Dump a record value. E should be a pointer or lvalue referring to an RD.
611 bool dumpRecordValue(const RecordDecl *RD, Expr *E, Expr *RecordIndent,
612 unsigned Depth) {
613 // FIXME: Decide what to do if RD is a union. At least we should probably
614 // turn off printing `const char*` members with `%s`, because that is very
615 // likely to crash if that's not the active member. Whatever we decide, we
616 // should document it.
617
618 // Build an OpaqueValueExpr so we can refer to E more than once without
619 // triggering re-evaluation.
620 Expr *RecordArg = makeOpaqueValueExpr(E);
621 bool RecordArgIsPtr = RecordArg->getType()->isPointerType();
622
623 if (callPrintFunction(" {\n"))
624 return true;
625
626 // Dump each base class, regardless of whether they're aggregates.
627 if (const auto *CXXRD = dyn_cast<CXXRecordDecl>(RD)) {
628 for (const auto &Base : CXXRD->bases()) {
629 QualType BaseType =
630 RecordArgIsPtr ? S.Context.getPointerType(Base.getType())
631 : S.Context.getLValueReferenceType(Base.getType());
632 ExprResult BasePtr = S.BuildCStyleCastExpr(
633 Loc, S.Context.getTrivialTypeSourceInfo(BaseType, Loc), Loc,
634 RecordArg);
635 if (BasePtr.isInvalid() ||
636 dumpUnnamedRecord(Base.getType()->getAsRecordDecl(), BasePtr.get(),
637 Depth + 1))
638 return true;
639 }
640 }
641
642 Expr *FieldIndentArg = getIndentString(Depth + 1);
643
644 // Dump each field.
645 for (auto *D : RD->decls()) {
646 auto *IFD = dyn_cast<IndirectFieldDecl>(D);
647 auto *FD = IFD ? IFD->getAnonField() : dyn_cast<FieldDecl>(D);
648 if (!FD || FD->isUnnamedBitField() || FD->isAnonymousStructOrUnion())
649 continue;
650
651 llvm::SmallString<20> Format = llvm::StringRef("%s%s %s ");
652 llvm::SmallVector<Expr *, 5> Args = {FieldIndentArg,
653 getTypeString(FD->getType()),
654 getStringLiteral(FD->getName())};
655
656 if (FD->isBitField()) {
657 Format += ": %zu ";
658 QualType SizeT = S.Context.getSizeType();
659 llvm::APInt BitWidth(S.Context.getIntWidth(SizeT),
660 FD->getBitWidthValue(S.Context));
661 Args.push_back(IntegerLiteral::Create(S.Context, BitWidth, SizeT, Loc));
662 }
663
664 Format += "=";
665
666 ExprResult Field =
667 IFD ? S.BuildAnonymousStructUnionMemberReference(
668 CXXScopeSpec(), Loc, IFD,
669 DeclAccessPair::make(IFD, AS_public), RecordArg, Loc)
670 : S.BuildFieldReferenceExpr(
671 RecordArg, RecordArgIsPtr, Loc, CXXScopeSpec(), FD,
672 DeclAccessPair::make(FD, AS_public),
673 DeclarationNameInfo(FD->getDeclName(), Loc));
674 if (Field.isInvalid())
675 return true;
676
677 auto *InnerRD = FD->getType()->getAsRecordDecl();
678 auto *InnerCXXRD = dyn_cast_or_null<CXXRecordDecl>(InnerRD);
679 if (InnerRD && (!InnerCXXRD || InnerCXXRD->isAggregate())) {
680 // Recursively print the values of members of aggregate record type.
681 if (callPrintFunction(Format, Args) ||
682 dumpRecordValue(InnerRD, Field.get(), FieldIndentArg, Depth + 1))
683 return true;
684 } else {
685 Format += " ";
686 if (appendFormatSpecifier(FD->getType(), Format)) {
687 // We know how to print this field.
688 Args.push_back(Field.get());
689 } else {
690 // We don't know how to print this field. Print out its address
691 // with a format specifier that a smart tool will be able to
692 // recognize and treat specially.
693 Format += "*%p";
694 ExprResult FieldAddr =
695 S.BuildUnaryOp(nullptr, Loc, UO_AddrOf, Field.get());
696 if (FieldAddr.isInvalid())
697 return true;
698 Args.push_back(FieldAddr.get());
699 }
700 Format += "\n";
701 if (callPrintFunction(Format, Args))
702 return true;
703 }
704 }
705
706 return RecordIndent ? callPrintFunction("%s}\n", RecordIndent)
707 : callPrintFunction("}\n");
708 }
709
710 Expr *buildWrapper() {
711 auto *Wrapper = PseudoObjectExpr::Create(S.Context, TheCall, Actions,
712 PseudoObjectExpr::NoResult);
713 TheCall->setType(Wrapper->getType());
714 TheCall->setValueKind(Wrapper->getValueKind());
715 return Wrapper;
716 }
717 };
718 } // namespace
719
720 static ExprResult BuiltinDumpStruct(Sema &S, CallExpr *TheCall) {
721 if (S.checkArgCountAtLeast(TheCall, 2))
722 return ExprError();
723
724 ExprResult PtrArgResult = S.DefaultLvalueConversion(TheCall->getArg(0));
725 if (PtrArgResult.isInvalid())
726 return ExprError();
727 TheCall->setArg(0, PtrArgResult.get());
728
729 // First argument should be a pointer to a struct.
730 QualType PtrArgType = PtrArgResult.get()->getType();
731 if (!PtrArgType->isPointerType() ||
732 !PtrArgType->getPointeeType()->isRecordType()) {
733 S.Diag(PtrArgResult.get()->getBeginLoc(),
734 diag::err_expected_struct_pointer_argument)
735 << 1 << TheCall->getDirectCallee() << PtrArgType;
736 return ExprError();
737 }
738 QualType Pointee = PtrArgType->getPointeeType();
739 const RecordDecl *RD = Pointee->getAsRecordDecl();
740 // Try to instantiate the class template as appropriate; otherwise, access to
741 // its data() may lead to a crash.
742 if (S.RequireCompleteType(PtrArgResult.get()->getBeginLoc(), Pointee,
743 diag::err_incomplete_type))
744 return ExprError();
745 // Second argument is a callable, but we can't fully validate it until we try
746 // calling it.
747 QualType FnArgType = TheCall->getArg(1)->getType();
748 if (!FnArgType->isFunctionType() && !FnArgType->isFunctionPointerType() &&
749 !FnArgType->isBlockPointerType() &&
750 !(S.getLangOpts().CPlusPlus && FnArgType->isRecordType())) {
751 auto *BT = FnArgType->getAs<BuiltinType>();
752 switch (BT ? BT->getKind() : BuiltinType::Void) {
753 case BuiltinType::Dependent:
754 case BuiltinType::Overload:
755 case BuiltinType::BoundMember:
756 case BuiltinType::PseudoObject:
757 case BuiltinType::UnknownAny:
758 case BuiltinType::BuiltinFn:
759 // This might be a callable.
760 break;
761
762 default:
763 S.Diag(TheCall->getArg(1)->getBeginLoc(),
764 diag::err_expected_callable_argument)
765 << 2 << TheCall->getDirectCallee() << FnArgType;
766 return ExprError();
767 }
768 }
769
770 BuiltinDumpStructGenerator Generator(S, TheCall);
771
772 // Wrap parentheses around the given pointer. This is not necessary for
773 // correct code generation, but it means that when we pretty-print the call
774 // arguments in our diagnostics we will produce '(&s)->n' instead of the
775 // incorrect '&s->n'.
776 Expr *PtrArg = PtrArgResult.get();
777 PtrArg = new (S.Context)
778 ParenExpr(PtrArg->getBeginLoc(),
779 S.getLocForEndOfToken(PtrArg->getEndLoc()), PtrArg);
780 if (Generator.dumpUnnamedRecord(RD, PtrArg, 0))
781 return ExprError();
782
783 return Generator.buildWrapper();
784 }
785
786 static bool BuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
787 if (S.checkArgCount(BuiltinCall, 2))
788 return true;
789
790 SourceLocation BuiltinLoc = BuiltinCall->getBeginLoc();
791 Expr *Builtin = BuiltinCall->getCallee()->IgnoreImpCasts();
792 Expr *Call = BuiltinCall->getArg(0);
793 Expr *Chain = BuiltinCall->getArg(1);
794
795 if (Call->getStmtClass() != Stmt::CallExprClass) {
796 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_not_call)
797 << Call->getSourceRange();
798 return true;
799 }
800
801 auto CE = cast<CallExpr>(Call);
802 if (CE->getCallee()->getType()->isBlockPointerType()) {
803 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_block_call)
804 << Call->getSourceRange();
805 return true;
806 }
807
808 const Decl *TargetDecl = CE->getCalleeDecl();
809 if (const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(TargetDecl))
810 if (FD->getBuiltinID()) {
811 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_builtin_call)
812 << Call->getSourceRange();
813 return true;
814 }
815
816 if (isa<CXXPseudoDestructorExpr>(CE->getCallee()->IgnoreParens())) {
817 S.Diag(BuiltinLoc, diag::err_first_argument_to_cwsc_pdtor_call)
818 << Call->getSourceRange();
819 return true;
820 }
821
822 ExprResult ChainResult = S.UsualUnaryConversions(Chain);
823 if (ChainResult.isInvalid())
824 return true;
825 if (!ChainResult.get()->getType()->isPointerType()) {
826 S.Diag(BuiltinLoc, diag::err_second_argument_to_cwsc_not_pointer)
827 << Chain->getSourceRange();
828 return true;
829 }
830
831 QualType ReturnTy = CE->getCallReturnType(S.Context);
832 QualType ArgTys[2] = { ReturnTy, ChainResult.get()->getType() };
833 QualType BuiltinTy = S.Context.getFunctionType(
834 ReturnTy, ArgTys, FunctionProtoType::ExtProtoInfo());
835 QualType BuiltinPtrTy = S.Context.getPointerType(BuiltinTy);
836
837 Builtin =
838 S.ImpCastExprToType(Builtin, BuiltinPtrTy, CK_BuiltinFnToFnPtr).get();
839
840 BuiltinCall->setType(CE->getType());
841 BuiltinCall->setValueKind(CE->getValueKind());
842 BuiltinCall->setObjectKind(CE->getObjectKind());
843 BuiltinCall->setCallee(Builtin);
844 BuiltinCall->setArg(1, ChainResult.get());
845
846 return false;
847 }
848
849 namespace {
850
851 class ScanfDiagnosticFormatHandler
852 : public analyze_format_string::FormatStringHandler {
853 // Accepts the argument index (relative to the first destination index) of the
854 // argument whose size we want.
855 using ComputeSizeFunction =
856 llvm::function_ref<std::optional<llvm::APSInt>(unsigned)>;
857
858 // Accepts the argument index (relative to the first destination index), the
859 // destination size, and the source size).
860 using DiagnoseFunction =
861 llvm::function_ref<void(unsigned, unsigned, unsigned)>;
862
863 ComputeSizeFunction ComputeSizeArgument;
864 DiagnoseFunction Diagnose;
865
866 public:
867 ScanfDiagnosticFormatHandler(ComputeSizeFunction ComputeSizeArgument,
868 DiagnoseFunction Diagnose)
869 : ComputeSizeArgument(ComputeSizeArgument), Diagnose(Diagnose) {}
870
871 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
872 const char *StartSpecifier,
873 unsigned specifierLen) override {
874 if (!FS.consumesDataArgument())
875 return true;
876
877 unsigned NulByte = 0;
878 switch ((FS.getConversionSpecifier().getKind())) {
879 default:
880 return true;
881 case analyze_format_string::ConversionSpecifier::sArg:
882 case analyze_format_string::ConversionSpecifier::ScanListArg:
883 NulByte = 1;
884 break;
885 case analyze_format_string::ConversionSpecifier::cArg:
886 break;
887 }
888
889 analyze_format_string::OptionalAmount FW = FS.getFieldWidth();
890 if (FW.getHowSpecified() !=
891 analyze_format_string::OptionalAmount::HowSpecified::Constant)
892 return true;
893
894 unsigned SourceSize = FW.getConstantAmount() + NulByte;
895
896 std::optional<llvm::APSInt> DestSizeAPS =
897 ComputeSizeArgument(FS.getArgIndex());
898 if (!DestSizeAPS)
899 return true;
900
901 unsigned DestSize = DestSizeAPS->getZExtValue();
902
903 if (DestSize < SourceSize)
904 Diagnose(FS.getArgIndex(), DestSize, SourceSize);
905
906 return true;
907 }
908 };
909
910 class EstimateSizeFormatHandler
911 : public analyze_format_string::FormatStringHandler {
912 size_t Size;
913 /// Whether the format string contains Linux kernel's format specifier
914 /// extension.
915 bool IsKernelCompatible = true;
916
917 public:
918 EstimateSizeFormatHandler(StringRef Format)
919 : Size(std::min(Format.find(0), Format.size()) +
920 1 /* null byte always written by sprintf */) {}
921
922 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
923 const char *, unsigned SpecifierLen,
924 const TargetInfo &) override {
925
926 const size_t FieldWidth = computeFieldWidth(FS);
927 const size_t Precision = computePrecision(FS);
928
929 // The actual format.
930 switch (FS.getConversionSpecifier().getKind()) {
931 // Just a char.
932 case analyze_format_string::ConversionSpecifier::cArg:
933 case analyze_format_string::ConversionSpecifier::CArg:
934 Size += std::max(FieldWidth, (size_t)1);
935 break;
936 // Just an integer.
937 case analyze_format_string::ConversionSpecifier::dArg:
938 case analyze_format_string::ConversionSpecifier::DArg:
939 case analyze_format_string::ConversionSpecifier::iArg:
940 case analyze_format_string::ConversionSpecifier::oArg:
941 case analyze_format_string::ConversionSpecifier::OArg:
942 case analyze_format_string::ConversionSpecifier::uArg:
943 case analyze_format_string::ConversionSpecifier::UArg:
944 case analyze_format_string::ConversionSpecifier::xArg:
945 case analyze_format_string::ConversionSpecifier::XArg:
946 Size += std::max(FieldWidth, Precision);
947 break;
948
949 // %g style conversion switches between %f or %e style dynamically.
950 // %g removes trailing zeros, and does not print decimal point if there are
951 // no digits that follow it. Thus %g can print a single digit.
952 // FIXME: If it is alternative form:
953 // For g and G conversions, trailing zeros are not removed from the result.
954 case analyze_format_string::ConversionSpecifier::gArg:
955 case analyze_format_string::ConversionSpecifier::GArg:
956 Size += 1;
957 break;
958
959 // Floating point number in the form '[+]ddd.ddd'.
960 case analyze_format_string::ConversionSpecifier::fArg:
961 case analyze_format_string::ConversionSpecifier::FArg:
962 Size += std::max(FieldWidth, 1 /* integer part */ +
963 (Precision ? 1 + Precision
964 : 0) /* period + decimal */);
965 break;
966
967 // Floating point number in the form '[-]d.ddde[+-]dd'.
968 case analyze_format_string::ConversionSpecifier::eArg:
969 case analyze_format_string::ConversionSpecifier::EArg:
970 Size +=
971 std::max(FieldWidth,
972 1 /* integer part */ +
973 (Precision ? 1 + Precision : 0) /* period + decimal */ +
974 1 /* e or E letter */ + 2 /* exponent */);
975 break;
976
977 // Floating point number in the form '[-]0xh.hhhhp±dd'.
978 case analyze_format_string::ConversionSpecifier::aArg:
979 case analyze_format_string::ConversionSpecifier::AArg:
980 Size +=
981 std::max(FieldWidth,
982 2 /* 0x */ + 1 /* integer part */ +
983 (Precision ? 1 + Precision : 0) /* period + decimal */ +
984 1 /* p or P letter */ + 1 /* + or - */ + 1 /* value */);
985 break;
986
987 // Just a string.
988 case analyze_format_string::ConversionSpecifier::sArg:
989 case analyze_format_string::ConversionSpecifier::SArg:
990 Size += FieldWidth;
991 break;
992
993 // Just a pointer in the form '0xddd'.
994 case analyze_format_string::ConversionSpecifier::pArg:
995 // Linux kernel has its own extesion for `%p` specifier.
996 // Kernel Document:
997 // https://docs.kernel.org/core-api/printk-formats.html#pointer-types
998 IsKernelCompatible = false;
999 Size += std::max(FieldWidth, 2 /* leading 0x */ + Precision);
1000 break;
1001
1002 // A plain percent.
1003 case analyze_format_string::ConversionSpecifier::PercentArg:
1004 Size += 1;
1005 break;
1006
1007 default:
1008 break;
1009 }
1010
1011 Size += FS.hasPlusPrefix() || FS.hasSpacePrefix();
1012
1013 if (FS.hasAlternativeForm()) {
1014 switch (FS.getConversionSpecifier().getKind()) {
1015 // For o conversion, it increases the precision, if and only if necessary,
1016 // to force the first digit of the result to be a zero
1017 // (if the value and precision are both 0, a single 0 is printed)
1018 case analyze_format_string::ConversionSpecifier::oArg:
1019 // For b conversion, a nonzero result has 0b prefixed to it.
1020 case analyze_format_string::ConversionSpecifier::bArg:
1021 // For x (or X) conversion, a nonzero result has 0x (or 0X) prefixed to
1022 // it.
1023 case analyze_format_string::ConversionSpecifier::xArg:
1024 case analyze_format_string::ConversionSpecifier::XArg:
1025 // Note: even when the prefix is added, if
1026 // (prefix_width <= FieldWidth - formatted_length) holds,
1027 // the prefix does not increase the format
1028 // size. e.g.(("%#3x", 0xf) is "0xf")
1029
1030 // If the result is zero, o, b, x, X adds nothing.
1031 break;
1032 // For a, A, e, E, f, F, g, and G conversions,
1033 // the result of converting a floating-point number always contains a
1034 // decimal-point
1035 case analyze_format_string::ConversionSpecifier::aArg:
1036 case analyze_format_string::ConversionSpecifier::AArg:
1037 case analyze_format_string::ConversionSpecifier::eArg:
1038 case analyze_format_string::ConversionSpecifier::EArg:
1039 case analyze_format_string::ConversionSpecifier::fArg:
1040 case analyze_format_string::ConversionSpecifier::FArg:
1041 case analyze_format_string::ConversionSpecifier::gArg:
1042 case analyze_format_string::ConversionSpecifier::GArg:
1043 Size += (Precision ? 0 : 1);
1044 break;
1045 // For other conversions, the behavior is undefined.
1046 default:
1047 break;
1048 }
1049 }
1050 assert(SpecifierLen <= Size && "no underflow");
1051 Size -= SpecifierLen;
1052 return true;
1053 }
1054
1055 size_t getSizeLowerBound() const { return Size; }
1056 bool isKernelCompatible() const { return IsKernelCompatible; }
1057
1058 private:
1059 static size_t computeFieldWidth(const analyze_printf::PrintfSpecifier &FS) {
1060 const analyze_format_string::OptionalAmount &FW = FS.getFieldWidth();
1061 size_t FieldWidth = 0;
1062 if (FW.getHowSpecified() == analyze_format_string::OptionalAmount::Constant)
1063 FieldWidth = FW.getConstantAmount();
1064 return FieldWidth;
1065 }
1066
1067 static size_t computePrecision(const analyze_printf::PrintfSpecifier &FS) {
1068 const analyze_format_string::OptionalAmount &FW = FS.getPrecision();
1069 size_t Precision = 0;
1070
1071 // See man 3 printf for default precision value based on the specifier.
1072 switch (FW.getHowSpecified()) {
1073 case analyze_format_string::OptionalAmount::NotSpecified:
1074 switch (FS.getConversionSpecifier().getKind()) {
1075 default:
1076 break;
1077 case analyze_format_string::ConversionSpecifier::dArg: // %d
1078 case analyze_format_string::ConversionSpecifier::DArg: // %D
1079 case analyze_format_string::ConversionSpecifier::iArg: // %i
1080 Precision = 1;
1081 break;
1082 case analyze_format_string::ConversionSpecifier::oArg: // %d
1083 case analyze_format_string::ConversionSpecifier::OArg: // %D
1084 case analyze_format_string::ConversionSpecifier::uArg: // %d
1085 case analyze_format_string::ConversionSpecifier::UArg: // %D
1086 case analyze_format_string::ConversionSpecifier::xArg: // %d
1087 case analyze_format_string::ConversionSpecifier::XArg: // %D
1088 Precision = 1;
1089 break;
1090 case analyze_format_string::ConversionSpecifier::fArg: // %f
1091 case analyze_format_string::ConversionSpecifier::FArg: // %F
1092 case analyze_format_string::ConversionSpecifier::eArg: // %e
1093 case analyze_format_string::ConversionSpecifier::EArg: // %E
1094 case analyze_format_string::ConversionSpecifier::gArg: // %g
1095 case analyze_format_string::ConversionSpecifier::GArg: // %G
1096 Precision = 6;
1097 break;
1098 case analyze_format_string::ConversionSpecifier::pArg: // %d
1099 Precision = 1;
1100 break;
1101 }
1102 break;
1103 case analyze_format_string::OptionalAmount::Constant:
1104 Precision = FW.getConstantAmount();
1105 break;
1106 default:
1107 break;
1108 }
1109 return Precision;
1110 }
1111 };
1112
1113 } // namespace
1114
1115 static bool ProcessFormatStringLiteral(const Expr *FormatExpr,
1116 StringRef &FormatStrRef, size_t &StrLen,
1117 ASTContext &Context) {
1118 if (const auto *Format = dyn_cast<StringLiteral>(FormatExpr);
1119 Format && (Format->isOrdinary() || Format->isUTF8())) {
1120 FormatStrRef = Format->getString();
1121 const ConstantArrayType *T =
1122 Context.getAsConstantArrayType(Format->getType());
1123 assert(T && "String literal not of constant array type!");
1124 size_t TypeSize = T->getZExtSize();
1125 // In case there's a null byte somewhere.
1126 StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, FormatStrRef.find(0));
1127 return true;
1128 }
1129 return false;
1130 }
1131
1132 void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
1133 CallExpr *TheCall) {
1134 if (TheCall->isValueDependent() || TheCall->isTypeDependent() ||
1135 isConstantEvaluatedContext())
1136 return;
1137
1138 bool UseDABAttr = false;
1139 const FunctionDecl *UseDecl = FD;
1140
1141 const auto *DABAttr = FD->getAttr<DiagnoseAsBuiltinAttr>();
1142 if (DABAttr) {
1143 UseDecl = DABAttr->getFunction();
1144 assert(UseDecl && "Missing FunctionDecl in DiagnoseAsBuiltin attribute!");
1145 UseDABAttr = true;
1146 }
1147
1148 unsigned BuiltinID = UseDecl->getBuiltinID(/*ConsiderWrappers=*/true);
1149
1150 if (!BuiltinID)
1151 return;
1152
1153 const TargetInfo &TI = getASTContext().getTargetInfo();
1154 unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());
1155
1156 auto TranslateIndex = [&](unsigned Index) -> std::optional<unsigned> {
1157 // If we refer to a diagnose_as_builtin attribute, we need to change the
1158 // argument index to refer to the arguments of the called function. Unless
1159 // the index is out of bounds, which presumably means it's a variadic
1160 // function.
1161 if (!UseDABAttr)
1162 return Index;
1163 unsigned DABIndices = DABAttr->argIndices_size();
1164 unsigned NewIndex = Index < DABIndices
1165 ? DABAttr->argIndices_begin()[Index]
1166 : Index - DABIndices + FD->getNumParams();
1167 if (NewIndex >= TheCall->getNumArgs())
1168 return std::nullopt;
1169 return NewIndex;
1170 };
1171
1172 auto ComputeExplicitObjectSizeArgument =
1173 [&](unsigned Index) -> std::optional<llvm::APSInt> {
1174 std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1175 if (!IndexOptional)
1176 return std::nullopt;
1177 unsigned NewIndex = *IndexOptional;
1178 Expr::EvalResult Result;
1179 Expr *SizeArg = TheCall->getArg(NewIndex);
1180 if (!SizeArg->EvaluateAsInt(Result, getASTContext()))
1181 return std::nullopt;
1182 llvm::APSInt Integer = Result.Val.getInt();
1183 Integer.setIsUnsigned(true);
1184 return Integer;
1185 };
1186
1187 auto ComputeSizeArgument =
1188 [&](unsigned Index) -> std::optional<llvm::APSInt> {
1189 // If the parameter has a pass_object_size attribute, then we should use its
1190 // (potentially) more strict checking mode. Otherwise, conservatively assume
1191 // type 0.
1192 int BOSType = 0;
1193 // This check can fail for variadic functions.
1194 if (Index < FD->getNumParams()) {
1195 if (const auto *POS =
1196 FD->getParamDecl(Index)->getAttr<PassObjectSizeAttr>())
1197 BOSType = POS->getType();
1198 }
1199
1200 std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1201 if (!IndexOptional)
1202 return std::nullopt;
1203 unsigned NewIndex = *IndexOptional;
1204
1205 if (NewIndex >= TheCall->getNumArgs())
1206 return std::nullopt;
1207
1208 const Expr *ObjArg = TheCall->getArg(NewIndex);
1209 uint64_t Result;
1210 if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
1211 return std::nullopt;
1212
1213 // Get the object size in the target's size_t width.
1214 return llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
1215 };
1216
1217 auto ComputeStrLenArgument =
1218 [&](unsigned Index) -> std::optional<llvm::APSInt> {
1219 std::optional<unsigned> IndexOptional = TranslateIndex(Index);
1220 if (!IndexOptional)
1221 return std::nullopt;
1222 unsigned NewIndex = *IndexOptional;
1223
1224 const Expr *ObjArg = TheCall->getArg(NewIndex);
1225 uint64_t Result;
1226 if (!ObjArg->tryEvaluateStrLen(Result, getASTContext()))
1227 return std::nullopt;
1228 // Add 1 for null byte.
1229 return llvm::APSInt::getUnsigned(Result + 1).extOrTrunc(SizeTypeWidth);
1230 };
1231
1232 std::optional<llvm::APSInt> SourceSize;
1233 std::optional<llvm::APSInt> DestinationSize;
1234 unsigned DiagID = 0;
1235 bool IsChkVariant = false;
1236
1237 auto GetFunctionName = [&]() {
1238 StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID);
1239 // Skim off the details of whichever builtin was called to produce a better
1240 // diagnostic, as it's unlikely that the user wrote the __builtin
1241 // explicitly.
1242 if (IsChkVariant) {
1243 FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
1244 FunctionName = FunctionName.drop_back(std::strlen("_chk"));
1245 } else {
1246 FunctionName.consume_front("__builtin_");
1247 }
1248 return FunctionName;
1249 };
1250
1251 switch (BuiltinID) {
1252 default:
1253 return;
1254 case Builtin::BI__builtin_strcpy:
1255 case Builtin::BIstrcpy: {
1256 DiagID = diag::warn_fortify_strlen_overflow;
1257 SourceSize = ComputeStrLenArgument(1);
1258 DestinationSize = ComputeSizeArgument(0);
1259 break;
1260 }
1261
1262 case Builtin::BI__builtin___strcpy_chk: {
1263 DiagID = diag::warn_fortify_strlen_overflow;
1264 SourceSize = ComputeStrLenArgument(1);
1265 DestinationSize = ComputeExplicitObjectSizeArgument(2);
1266 IsChkVariant = true;
1267 break;
1268 }
1269
1270 case Builtin::BIscanf:
1271 case Builtin::BIfscanf:
1272 case Builtin::BIsscanf: {
1273 unsigned FormatIndex = 1;
1274 unsigned DataIndex = 2;
1275 if (BuiltinID == Builtin::BIscanf) {
1276 FormatIndex = 0;
1277 DataIndex = 1;
1278 }
1279
1280 const auto *FormatExpr =
1281 TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
1282
1283 StringRef FormatStrRef;
1284 size_t StrLen;
1285 if (!ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context))
1286 return;
1287
1288 auto Diagnose = [&](unsigned ArgIndex, unsigned DestSize,
1289 unsigned SourceSize) {
1290 DiagID = diag::warn_fortify_scanf_overflow;
1291 unsigned Index = ArgIndex + DataIndex;
1292 StringRef FunctionName = GetFunctionName();
1293 DiagRuntimeBehavior(TheCall->getArg(Index)->getBeginLoc(), TheCall,
1294 PDiag(DiagID) << FunctionName << (Index + 1)
1295 << DestSize << SourceSize);
1296 };
1297
1298 auto ShiftedComputeSizeArgument = [&](unsigned Index) {
1299 return ComputeSizeArgument(Index + DataIndex);
1300 };
1301 ScanfDiagnosticFormatHandler H(ShiftedComputeSizeArgument, Diagnose);
1302 const char *FormatBytes = FormatStrRef.data();
1303 analyze_format_string::ParseScanfString(H, FormatBytes,
1304 FormatBytes + StrLen, getLangOpts(),
1305 Context.getTargetInfo());
1306
1307 // Unlike the other cases, in this one we have already issued the diagnostic
1308 // here, so no need to continue (because unlike the other cases, here the
1309 // diagnostic refers to the argument number).
1310 return;
1311 }
1312
1313 case Builtin::BIsprintf:
1314 case Builtin::BI__builtin___sprintf_chk: {
1315 size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3;
1316 auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
1317
1318 StringRef FormatStrRef;
1319 size_t StrLen;
1320 if (ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context)) {
1321 EstimateSizeFormatHandler H(FormatStrRef);
1322 const char *FormatBytes = FormatStrRef.data();
1323 if (!analyze_format_string::ParsePrintfString(
1324 H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
1325 Context.getTargetInfo(), false)) {
1326 DiagID = H.isKernelCompatible()
1327 ? diag::warn_format_overflow
1328 : diag::warn_format_overflow_non_kprintf;
1329 SourceSize = llvm::APSInt::getUnsigned(H.getSizeLowerBound())
1330 .extOrTrunc(SizeTypeWidth);
1331 if (BuiltinID == Builtin::BI__builtin___sprintf_chk) {
1332 DestinationSize = ComputeExplicitObjectSizeArgument(2);
1333 IsChkVariant = true;
1334 } else {
1335 DestinationSize = ComputeSizeArgument(0);
1336 }
1337 break;
1338 }
1339 }
1340 return;
1341 }
1342 case Builtin::BI__builtin___memcpy_chk:
1343 case Builtin::BI__builtin___memmove_chk:
1344 case Builtin::BI__builtin___memset_chk:
1345 case Builtin::BI__builtin___strlcat_chk:
1346 case Builtin::BI__builtin___strlcpy_chk:
1347 case Builtin::BI__builtin___strncat_chk:
1348 case Builtin::BI__builtin___strncpy_chk:
1349 case Builtin::BI__builtin___stpncpy_chk:
1350 case Builtin::BI__builtin___memccpy_chk:
1351 case Builtin::BI__builtin___mempcpy_chk: {
1352 DiagID = diag::warn_builtin_chk_overflow;
1353 SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 2);
1354 DestinationSize =
1355 ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1356 IsChkVariant = true;
1357 break;
1358 }
1359
1360 case Builtin::BI__builtin___snprintf_chk:
1361 case Builtin::BI__builtin___vsnprintf_chk: {
1362 DiagID = diag::warn_builtin_chk_overflow;
1363 SourceSize = ComputeExplicitObjectSizeArgument(1);
1364 DestinationSize = ComputeExplicitObjectSizeArgument(3);
1365 IsChkVariant = true;
1366 break;
1367 }
1368
1369 case Builtin::BIstrncat:
1370 case Builtin::BI__builtin_strncat:
1371 case Builtin::BIstrncpy:
1372 case Builtin::BI__builtin_strncpy:
1373 case Builtin::BIstpncpy:
1374 case Builtin::BI__builtin_stpncpy: {
1375 // Whether these functions overflow depends on the runtime strlen of the
1376 // string, not just the buffer size, so emitting the "always overflow"
1377 // diagnostic isn't quite right. We should still diagnose passing a buffer
1378 // size larger than the destination buffer though; this is a runtime abort
1379 // in _FORTIFY_SOURCE mode, and is quite suspicious otherwise.
1380 DiagID = diag::warn_fortify_source_size_mismatch;
1381 SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1382 DestinationSize = ComputeSizeArgument(0);
1383 break;
1384 }
1385
1386 case Builtin::BImemcpy:
1387 case Builtin::BI__builtin_memcpy:
1388 case Builtin::BImemmove:
1389 case Builtin::BI__builtin_memmove:
1390 case Builtin::BImemset:
1391 case Builtin::BI__builtin_memset:
1392 case Builtin::BImempcpy:
1393 case Builtin::BI__builtin_mempcpy: {
1394 DiagID = diag::warn_fortify_source_overflow;
1395 SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
1396 DestinationSize = ComputeSizeArgument(0);
1397 break;
1398 }
1399 case Builtin::BIsnprintf:
1400 case Builtin::BI__builtin_snprintf:
1401 case Builtin::BIvsnprintf:
1402 case Builtin::BI__builtin_vsnprintf: {
1403 DiagID = diag::warn_fortify_source_size_mismatch;
1404 SourceSize = ComputeExplicitObjectSizeArgument(1);
1405 const auto *FormatExpr = TheCall->getArg(2)->IgnoreParenImpCasts();
1406 StringRef FormatStrRef;
1407 size_t StrLen;
1408 if (SourceSize &&
1409 ProcessFormatStringLiteral(FormatExpr, FormatStrRef, StrLen, Context)) {
1410 EstimateSizeFormatHandler H(FormatStrRef);
1411 const char *FormatBytes = FormatStrRef.data();
1412 if (!analyze_format_string::ParsePrintfString(
1413 H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
1414 Context.getTargetInfo(), /*isFreeBSDKPrintf=*/false)) {
1415 llvm::APSInt FormatSize =
1416 llvm::APSInt::getUnsigned(H.getSizeLowerBound())
1417 .extOrTrunc(SizeTypeWidth);
1418 if (FormatSize > *SourceSize && *SourceSize != 0) {
1419 unsigned TruncationDiagID =
1420 H.isKernelCompatible() ? diag::warn_format_truncation
1421 : diag::warn_format_truncation_non_kprintf;
1422 SmallString<16> SpecifiedSizeStr;
1423 SmallString<16> FormatSizeStr;
1424 SourceSize->toString(SpecifiedSizeStr, /*Radix=*/10);
1425 FormatSize.toString(FormatSizeStr, /*Radix=*/10);
1426 DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
1427 PDiag(TruncationDiagID)
1428 << GetFunctionName() << SpecifiedSizeStr
1429 << FormatSizeStr);
1430 }
1431 }
1432 }
1433 DestinationSize = ComputeSizeArgument(0);
1434 }
1435 }
1436
1437 if (!SourceSize || !DestinationSize ||
1438 llvm::APSInt::compareValues(*SourceSize, *DestinationSize) <= 0)
1439 return;
1440
1441 StringRef FunctionName = GetFunctionName();
1442
1443 SmallString<16> DestinationStr;
1444 SmallString<16> SourceStr;
1445 DestinationSize->toString(DestinationStr, /*Radix=*/10);
1446 SourceSize->toString(SourceStr, /*Radix=*/10);
1447 DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
1448 PDiag(DiagID)
1449 << FunctionName << DestinationStr << SourceStr);
1450 }
1451
1452 static bool BuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,
1453 Scope::ScopeFlags NeededScopeFlags,
1454 unsigned DiagID) {
1455 // Scopes aren't available during instantiation. Fortunately, builtin
1456 // functions cannot be template args so they cannot be formed through template
1457 // instantiation. Therefore checking once during the parse is sufficient.
1458 if (SemaRef.inTemplateInstantiation())
1459 return false;
1460
1461 Scope *S = SemaRef.getCurScope();
1462 while (S && !S->isSEHExceptScope())
1463 S = S->getParent();
1464 if (!S || !(S->getFlags() & NeededScopeFlags)) {
1465 auto *DRE = cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
1466 SemaRef.Diag(TheCall->getExprLoc(), DiagID)
1467 << DRE->getDecl()->getIdentifier();
1468 return true;
1469 }
1470
1471 return false;
1472 }
1473
1474 // In OpenCL, __builtin_alloca_* should return a pointer to address space
1475 // that corresponds to the stack address space i.e private address space.
1476 static void builtinAllocaAddrSpace(Sema &S, CallExpr *TheCall) {
1477 QualType RT = TheCall->getType();
1478 assert((RT->isPointerType() && !(RT->getPointeeType().hasAddressSpace())) &&
1479 "__builtin_alloca has invalid address space");
1480
1481 RT = RT->getPointeeType();
1482 RT = S.Context.getAddrSpaceQualType(RT, LangAS::opencl_private);
1483 TheCall->setType(S.Context.getPointerType(RT));
1484 }
1485
1486 namespace {
1487 enum PointerAuthOpKind {
1488 PAO_Strip,
1489 PAO_Sign,
1490 PAO_Auth,
1491 PAO_SignGeneric,
1492 PAO_Discriminator,
1493 PAO_BlendPointer,
1494 PAO_BlendInteger
1495 };
1496 }
1497
1498 bool Sema::checkPointerAuthEnabled(SourceLocation Loc, SourceRange Range) {
1499 if (getLangOpts().PointerAuthIntrinsics)
1500 return false;
1501
1502 Diag(Loc, diag::err_ptrauth_disabled) << Range;
1503 return true;
1504 }
1505
1506 static bool checkPointerAuthEnabled(Sema &S, Expr *E) {
1507 return S.checkPointerAuthEnabled(E->getExprLoc(), E->getSourceRange());
1508 }
1509
1510 static bool checkPointerAuthKey(Sema &S, Expr *&Arg) {
1511 // Convert it to type 'int'.
1512 if (convertArgumentToType(S, Arg, S.Context.IntTy))
1513 return true;
1514
1515 // Value-dependent expressions are okay; wait for template instantiation.
1516 if (Arg->isValueDependent())
1517 return false;
1518
1519 unsigned KeyValue;
1520 return S.checkConstantPointerAuthKey(Arg, KeyValue);
1521 }
1522
1523 bool Sema::checkConstantPointerAuthKey(Expr *Arg, unsigned &Result) {
1524 // Attempt to constant-evaluate the expression.
1525 std::optional<llvm::APSInt> KeyValue = Arg->getIntegerConstantExpr(Context);
1526 if (!KeyValue) {
1527 Diag(Arg->getExprLoc(), diag::err_expr_not_ice)
1528 << 0 << Arg->getSourceRange();
1529 return true;
1530 }
1531
1532 // Ask the target to validate the key parameter.
1533 if (!Context.getTargetInfo().validatePointerAuthKey(*KeyValue)) {
1534 llvm::SmallString<32> Value;
1535 {
1536 llvm::raw_svector_ostream Str(Value);
1537 Str << *KeyValue;
1538 }
1539
1540 Diag(Arg->getExprLoc(), diag::err_ptrauth_invalid_key)
1541 << Value << Arg->getSourceRange();
1542 return true;
1543 }
1544
1545 Result = KeyValue->getZExtValue();
1546 return false;
1547 }
1548
1549 static std::pair<const ValueDecl *, CharUnits>
1550 findConstantBaseAndOffset(Sema &S, Expr *E) {
1551 // Must evaluate as a pointer.
1552 Expr::EvalResult Result;
1553 if (!E->EvaluateAsRValue(Result, S.Context) || !Result.Val.isLValue())
1554 return {nullptr, CharUnits()};
1555
1556 const auto *BaseDecl =
1557 Result.Val.getLValueBase().dyn_cast<const ValueDecl *>();
1558 if (!BaseDecl)
1559 return {nullptr, CharUnits()};
1560
1561 return {BaseDecl, Result.Val.getLValueOffset()};
1562 }
1563
1564 static bool checkPointerAuthValue(Sema &S, Expr *&Arg, PointerAuthOpKind OpKind,
1565 bool RequireConstant = false) {
1566 if (Arg->hasPlaceholderType()) {
1567 ExprResult R = S.CheckPlaceholderExpr(Arg);
1568 if (R.isInvalid())
1569 return true;
1570 Arg = R.get();
1571 }
1572
1573 auto AllowsPointer = [](PointerAuthOpKind OpKind) {
1574 return OpKind != PAO_BlendInteger;
1575 };
1576 auto AllowsInteger = [](PointerAuthOpKind OpKind) {
1577 return OpKind == PAO_Discriminator || OpKind == PAO_BlendInteger ||
1578 OpKind == PAO_SignGeneric;
1579 };
1580
1581 // Require the value to have the right range of type.
1582 QualType ExpectedTy;
1583 if (AllowsPointer(OpKind) && Arg->getType()->isPointerType()) {
1584 ExpectedTy = Arg->getType().getUnqualifiedType();
1585 } else if (AllowsPointer(OpKind) && Arg->getType()->isNullPtrType()) {
1586 ExpectedTy = S.Context.VoidPtrTy;
1587 } else if (AllowsInteger(OpKind) &&
1588 Arg->getType()->isIntegralOrUnscopedEnumerationType()) {
1589 ExpectedTy = S.Context.getUIntPtrType();
1590
1591 } else {
1592 // Diagnose the failures.
1593 S.Diag(Arg->getExprLoc(), diag::err_ptrauth_value_bad_type)
1594 << unsigned(OpKind == PAO_Discriminator ? 1
1595 : OpKind == PAO_BlendPointer ? 2
1596 : OpKind == PAO_BlendInteger ? 3
1597 : 0)
1598 << unsigned(AllowsInteger(OpKind) ? (AllowsPointer(OpKind) ? 2 : 1) : 0)
1599 << Arg->getType() << Arg->getSourceRange();
1600 return true;
1601 }
1602
1603 // Convert to that type. This should just be an lvalue-to-rvalue
1604 // conversion.
1605 if (convertArgumentToType(S, Arg, ExpectedTy))
1606 return true;
1607
1608 if (!RequireConstant) {
1609 // Warn about null pointers for non-generic sign and auth operations.
1610 if ((OpKind == PAO_Sign || OpKind == PAO_Auth) &&
1611 Arg->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNull)) {
1612 S.Diag(Arg->getExprLoc(), OpKind == PAO_Sign
1613 ? diag::warn_ptrauth_sign_null_pointer
1614 : diag::warn_ptrauth_auth_null_pointer)
1615 << Arg->getSourceRange();
1616 }
1617
1618 return false;
1619 }
1620
1621 // Perform special checking on the arguments to ptrauth_sign_constant.
1622
1623 // The main argument.
1624 if (OpKind == PAO_Sign) {
1625 // Require the value we're signing to have a special form.
1626 auto [BaseDecl, Offset] = findConstantBaseAndOffset(S, Arg);
1627 bool Invalid;
1628
1629 // Must be rooted in a declaration reference.
1630 if (!BaseDecl)
1631 Invalid = true;
1632
1633 // If it's a function declaration, we can't have an offset.
1634 else if (isa<FunctionDecl>(BaseDecl))
1635 Invalid = !Offset.isZero();
1636
1637 // Otherwise we're fine.
1638 else
1639 Invalid = false;
1640
1641 if (Invalid)
1642 S.Diag(Arg->getExprLoc(), diag::err_ptrauth_bad_constant_pointer);
1643 return Invalid;
1644 }
1645
1646 // The discriminator argument.
1647 assert(OpKind == PAO_Discriminator);
1648
1649 // Must be a pointer or integer or blend thereof.
1650 Expr *Pointer = nullptr;
1651 Expr *Integer = nullptr;
1652 if (auto *Call = dyn_cast<CallExpr>(Arg->IgnoreParens())) {
1653 if (Call->getBuiltinCallee() ==
1654 Builtin::BI__builtin_ptrauth_blend_discriminator) {
1655 Pointer = Call->getArg(0);
1656 Integer = Call->getArg(1);
1657 }
1658 }
1659 if (!Pointer && !Integer) {
1660 if (Arg->getType()->isPointerType())
1661 Pointer = Arg;
1662 else
1663 Integer = Arg;
1664 }
1665
1666 // Check the pointer.
1667 bool Invalid = false;
1668 if (Pointer) {
1669 assert(Pointer->getType()->isPointerType());
1670
1671 // TODO: if we're initializing a global, check that the address is
1672 // somehow related to what we're initializing. This probably will
1673 // never really be feasible and we'll have to catch it at link-time.
1674 auto [BaseDecl, Offset] = findConstantBaseAndOffset(S, Pointer);
1675 if (!BaseDecl || !isa<VarDecl>(BaseDecl))
1676 Invalid = true;
1677 }
1678
1679 // Check the integer.
1680 if (Integer) {
1681 assert(Integer->getType()->isIntegerType());
1682 if (!Integer->isEvaluatable(S.Context))
1683 Invalid = true;
1684 }
1685
1686 if (Invalid)
1687 S.Diag(Arg->getExprLoc(), diag::err_ptrauth_bad_constant_discriminator);
1688 return Invalid;
1689 }
1690
1691 static ExprResult PointerAuthStrip(Sema &S, CallExpr *Call) {
1692 if (S.checkArgCount(Call, 2))
1693 return ExprError();
1694 if (checkPointerAuthEnabled(S, Call))
1695 return ExprError();
1696 if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_Strip) ||
1697 checkPointerAuthKey(S, Call->getArgs()[1]))
1698 return ExprError();
1699
1700 Call->setType(Call->getArgs()[0]->getType());
1701 return Call;
1702 }
1703
1704 static ExprResult PointerAuthBlendDiscriminator(Sema &S, CallExpr *Call) {
1705 if (S.checkArgCount(Call, 2))
1706 return ExprError();
1707 if (checkPointerAuthEnabled(S, Call))
1708 return ExprError();
1709 if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_BlendPointer) ||
1710 checkPointerAuthValue(S, Call->getArgs()[1], PAO_BlendInteger))
1711 return ExprError();
1712
1713 Call->setType(S.Context.getUIntPtrType());
1714 return Call;
1715 }
1716
1717 static ExprResult PointerAuthSignGenericData(Sema &S, CallExpr *Call) {
1718 if (S.checkArgCount(Call, 2))
1719 return ExprError();
1720 if (checkPointerAuthEnabled(S, Call))
1721 return ExprError();
1722 if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_SignGeneric) ||
1723 checkPointerAuthValue(S, Call->getArgs()[1], PAO_Discriminator))
1724 return ExprError();
1725
1726 Call->setType(S.Context.getUIntPtrType());
1727 return Call;
1728 }
1729
1730 static ExprResult PointerAuthSignOrAuth(Sema &S, CallExpr *Call,
1731 PointerAuthOpKind OpKind,
1732 bool RequireConstant) {
1733 if (S.checkArgCount(Call, 3))
1734 return ExprError();
1735 if (checkPointerAuthEnabled(S, Call))
1736 return ExprError();
1737 if (checkPointerAuthValue(S, Call->getArgs()[0], OpKind, RequireConstant) ||
1738 checkPointerAuthKey(S, Call->getArgs()[1]) ||
1739 checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator,
1740 RequireConstant))
1741 return ExprError();
1742
1743 Call->setType(Call->getArgs()[0]->getType());
1744 return Call;
1745 }
1746
1747 static ExprResult PointerAuthAuthAndResign(Sema &S, CallExpr *Call) {
1748 if (S.checkArgCount(Call, 5))
1749 return ExprError();
1750 if (checkPointerAuthEnabled(S, Call))
1751 return ExprError();
1752 if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_Auth) ||
1753 checkPointerAuthKey(S, Call->getArgs()[1]) ||
1754 checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator) ||
1755 checkPointerAuthKey(S, Call->getArgs()[3]) ||
1756 checkPointerAuthValue(S, Call->getArgs()[4], PAO_Discriminator))
1757 return ExprError();
1758
1759 Call->setType(Call->getArgs()[0]->getType());
1760 return Call;
1761 }
1762
1763 static ExprResult PointerAuthStringDiscriminator(Sema &S, CallExpr *Call) {
1764 if (checkPointerAuthEnabled(S, Call))
1765 return ExprError();
1766
1767 // We've already performed normal call type-checking.
1768 const Expr *Arg = Call->getArg(0)->IgnoreParenImpCasts();
1769
1770 // Operand must be an ordinary or UTF-8 string literal.
1771 const auto *Literal = dyn_cast<StringLiteral>(Arg);
1772 if (!Literal || Literal->getCharByteWidth() != 1) {
1773 S.Diag(Arg->getExprLoc(), diag::err_ptrauth_string_not_literal)
1774 << (Literal ? 1 : 0) << Arg->getSourceRange();
1775 return ExprError();
1776 }
1777
1778 return Call;
1779 }
1780
1781 static ExprResult BuiltinLaunder(Sema &S, CallExpr *TheCall) {
1782 if (S.checkArgCount(TheCall, 1))
1783 return ExprError();
1784
1785 // Compute __builtin_launder's parameter type from the argument.
1786 // The parameter type is:
1787 // * The type of the argument if it's not an array or function type,
1788 // Otherwise,
1789 // * The decayed argument type.
1790 QualType ParamTy = [&]() {
1791 QualType ArgTy = TheCall->getArg(0)->getType();
1792 if (const ArrayType *Ty = ArgTy->getAsArrayTypeUnsafe())
1793 return S.Context.getPointerType(Ty->getElementType());
1794 if (ArgTy->isFunctionType()) {
1795 return S.Context.getPointerType(ArgTy);
1796 }
1797 return ArgTy;
1798 }();
1799
1800 TheCall->setType(ParamTy);
1801
1802 auto DiagSelect = [&]() -> std::optional<unsigned> {
1803 if (!ParamTy->isPointerType())
1804 return 0;
1805 if (ParamTy->isFunctionPointerType())
1806 return 1;
1807 if (ParamTy->isVoidPointerType())
1808 return 2;
1809 return std::optional<unsigned>{};
1810 }();
1811 if (DiagSelect) {
1812 S.Diag(TheCall->getBeginLoc(), diag::err_builtin_launder_invalid_arg)
1813 << *DiagSelect << TheCall->getSourceRange();
1814 return ExprError();
1815 }
1816
1817 // We either have an incomplete class type, or we have a class template
1818 // whose instantiation has not been forced. Example:
1819 //
1820 // template <class T> struct Foo { T value; };
1821 // Foo<int> *p = nullptr;
1822 // auto *d = __builtin_launder(p);
1823 if (S.RequireCompleteType(TheCall->getBeginLoc(), ParamTy->getPointeeType(),
1824 diag::err_incomplete_type))
1825 return ExprError();
1826
1827 assert(ParamTy->getPointeeType()->isObjectType() &&
1828 "Unhandled non-object pointer case");
1829
1830 InitializedEntity Entity =
1831 InitializedEntity::InitializeParameter(S.Context, ParamTy, false);
1832 ExprResult Arg =
1833 S.PerformCopyInitialization(Entity, SourceLocation(), TheCall->getArg(0));
1834 if (Arg.isInvalid())
1835 return ExprError();
1836 TheCall->setArg(0, Arg.get());
1837
1838 return TheCall;
1839 }
1840
1841 static ExprResult BuiltinIsWithinLifetime(Sema &S, CallExpr *TheCall) {
1842 if (S.checkArgCount(TheCall, 1))
1843 return ExprError();
1844
1845 ExprResult Arg = S.DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
1846 if (Arg.isInvalid())
1847 return ExprError();
1848 QualType ParamTy = Arg.get()->getType();
1849 TheCall->setArg(0, Arg.get());
1850 TheCall->setType(S.Context.BoolTy);
1851
1852 // Only accept pointers to objects as arguments, which should have object
1853 // pointer or void pointer types.
1854 if (const auto *PT = ParamTy->getAs<PointerType>()) {
1855 // LWG4138: Function pointer types not allowed
1856 if (PT->getPointeeType()->isFunctionType()) {
1857 S.Diag(TheCall->getArg(0)->getExprLoc(),
1858 diag::err_builtin_is_within_lifetime_invalid_arg)
1859 << 1;
1860 return ExprError();
1861 }
1862 // Disallow VLAs too since those shouldn't be able to
1863 // be a template parameter for `std::is_within_lifetime`
1864 if (PT->getPointeeType()->isVariableArrayType()) {
1865 S.Diag(TheCall->getArg(0)->getExprLoc(), diag::err_vla_unsupported)
1866 << 1 << "__builtin_is_within_lifetime";
1867 return ExprError();
1868 }
1869 } else {
1870 S.Diag(TheCall->getArg(0)->getExprLoc(),
1871 diag::err_builtin_is_within_lifetime_invalid_arg)
1872 << 0;
1873 return ExprError();
1874 }
1875
1876 return TheCall;
1877 }
1878
1879 // Emit an error and return true if the current object format type is in the
1880 // list of unsupported types.
1881 static bool CheckBuiltinTargetNotInUnsupported(
1882 Sema &S, unsigned BuiltinID, CallExpr *TheCall,
1883 ArrayRef<llvm::Triple::ObjectFormatType> UnsupportedObjectFormatTypes) {
1884 llvm::Triple::ObjectFormatType CurObjFormat =
1885 S.getASTContext().getTargetInfo().getTriple().getObjectFormat();
1886 if (llvm::is_contained(UnsupportedObjectFormatTypes, CurObjFormat)) {
1887 S.Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
1888 << TheCall->getSourceRange();
1889 return true;
1890 }
1891 return false;
1892 }
1893
1894 // Emit an error and return true if the current architecture is not in the list
1895 // of supported architectures.
1896 static bool
1897 CheckBuiltinTargetInSupported(Sema &S, CallExpr *TheCall,
1898 ArrayRef<llvm::Triple::ArchType> SupportedArchs) {
1899 llvm::Triple::ArchType CurArch =
1900 S.getASTContext().getTargetInfo().getTriple().getArch();
1901 if (llvm::is_contained(SupportedArchs, CurArch))
1902 return false;
1903 S.Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
1904 << TheCall->getSourceRange();
1905 return true;
1906 }
1907
1908 static void CheckNonNullArgument(Sema &S, const Expr *ArgExpr,
1909 SourceLocation CallSiteLoc);
1910
1911 bool Sema::CheckTSBuiltinFunctionCall(const TargetInfo &TI, unsigned BuiltinID,
1912 CallExpr *TheCall) {
1913 switch (TI.getTriple().getArch()) {
1914 default:
1915 // Some builtins don't require additional checking, so just consider these
1916 // acceptable.
1917 return false;
1918 case llvm::Triple::arm:
1919 case llvm::Triple::armeb:
1920 case llvm::Triple::thumb:
1921 case llvm::Triple::thumbeb:
1922 return ARM().CheckARMBuiltinFunctionCall(TI, BuiltinID, TheCall);
1923 case llvm::Triple::aarch64:
1924 case llvm::Triple::aarch64_32:
1925 case llvm::Triple::aarch64_be:
1926 return ARM().CheckAArch64BuiltinFunctionCall(TI, BuiltinID, TheCall);
1927 case llvm::Triple::bpfeb:
1928 case llvm::Triple::bpfel:
1929 return BPF().CheckBPFBuiltinFunctionCall(BuiltinID, TheCall);
1930 case llvm::Triple::hexagon:
1931 return Hexagon().CheckHexagonBuiltinFunctionCall(BuiltinID, TheCall);
1932 case llvm::Triple::mips:
1933 case llvm::Triple::mipsel:
1934 case llvm::Triple::mips64:
1935 case llvm::Triple::mips64el:
1936 return MIPS().CheckMipsBuiltinFunctionCall(TI, BuiltinID, TheCall);
1937 case llvm::Triple::systemz:
1938 return SystemZ().CheckSystemZBuiltinFunctionCall(BuiltinID, TheCall);
1939 case llvm::Triple::x86:
1940 case llvm::Triple::x86_64:
1941 return X86().CheckBuiltinFunctionCall(TI, BuiltinID, TheCall);
1942 case llvm::Triple::ppc:
1943 case llvm::Triple::ppcle:
1944 case llvm::Triple::ppc64:
1945 case llvm::Triple::ppc64le:
1946 return PPC().CheckPPCBuiltinFunctionCall(TI, BuiltinID, TheCall);
1947 case llvm::Triple::amdgcn:
1948 return AMDGPU().CheckAMDGCNBuiltinFunctionCall(BuiltinID, TheCall);
1949 case llvm::Triple::riscv32:
1950 case llvm::Triple::riscv64:
1951 return RISCV().CheckBuiltinFunctionCall(TI, BuiltinID, TheCall);
1952 case llvm::Triple::loongarch32:
1953 case llvm::Triple::loongarch64:
1954 return LoongArch().CheckLoongArchBuiltinFunctionCall(TI, BuiltinID,
1955 TheCall);
1956 case llvm::Triple::wasm32:
1957 case llvm::Triple::wasm64:
1958 return Wasm().CheckWebAssemblyBuiltinFunctionCall(TI, BuiltinID, TheCall);
1959 case llvm::Triple::nvptx:
1960 case llvm::Triple::nvptx64:
1961 return NVPTX().CheckNVPTXBuiltinFunctionCall(TI, BuiltinID, TheCall);
1962 }
1963 }
1964
1965 // Check if \p Ty is a valid type for the elementwise math builtins. If it is
1966 // not a valid type, emit an error message and return true. Otherwise return
1967 // false.
1968 static bool checkMathBuiltinElementType(Sema &S, SourceLocation Loc,
1969 QualType ArgTy, int ArgIndex) {
1970 if (!ArgTy->getAs<VectorType>() &&
1971 !ConstantMatrixType::isValidElementType(ArgTy)) {
1972 return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
1973 << ArgIndex << /* vector, integer or float ty*/ 0 << ArgTy;
1974 }
1975
1976 return false;
1977 }
1978
1979 static bool checkFPMathBuiltinElementType(Sema &S, SourceLocation Loc,
1980 QualType ArgTy, int ArgIndex) {
1981 QualType EltTy = ArgTy;
1982 if (auto *VecTy = EltTy->getAs<VectorType>())
1983 EltTy = VecTy->getElementType();
1984
1985 if (!EltTy->isRealFloatingType()) {
1986 return S.Diag(Loc, diag::err_builtin_invalid_arg_type)
1987 << ArgIndex << /* vector or float ty*/ 5 << ArgTy;
1988 }
1989
1990 return false;
1991 }
1992
1993 /// BuiltinCpu{Supports|Is} - Handle __builtin_cpu_{supports|is}(char *).
1994 /// This checks that the target supports the builtin and that the string
1995 /// argument is constant and valid.
1996 static bool BuiltinCpu(Sema &S, const TargetInfo &TI, CallExpr *TheCall,
1997 const TargetInfo *AuxTI, unsigned BuiltinID) {
1998 assert((BuiltinID == Builtin::BI__builtin_cpu_supports ||
1999 BuiltinID == Builtin::BI__builtin_cpu_is) &&
2000 "Expecting __builtin_cpu_...");
2001
2002 bool IsCPUSupports = BuiltinID == Builtin::BI__builtin_cpu_supports;
2003 const TargetInfo *TheTI = &TI;
2004 auto SupportsBI = [=](const TargetInfo *TInfo) {
2005 return TInfo && ((IsCPUSupports && TInfo->supportsCpuSupports()) ||
2006 (!IsCPUSupports && TInfo->supportsCpuIs()));
2007 };
2008 if (!SupportsBI(&TI) && SupportsBI(AuxTI))
2009 TheTI = AuxTI;
2010
2011 if ((!IsCPUSupports && !TheTI->supportsCpuIs()) ||
2012 (IsCPUSupports && !TheTI->supportsCpuSupports()))
2013 return S.Diag(TheCall->getBeginLoc(),
2014 TI.getTriple().isOSAIX()
2015 ? diag::err_builtin_aix_os_unsupported
2016 : diag::err_builtin_target_unsupported)
2017 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
2018
2019 Expr *Arg = TheCall->getArg(0)->IgnoreParenImpCasts();
2020 // Check if the argument is a string literal.
2021 if (!isa<StringLiteral>(Arg))
2022 return S.Diag(TheCall->getBeginLoc(), diag::err_expr_not_string_literal)
2023 << Arg->getSourceRange();
2024
2025 // Check the contents of the string.
2026 StringRef Feature = cast<StringLiteral>(Arg)->getString();
2027 if (IsCPUSupports && !TheTI->validateCpuSupports(Feature)) {
2028 S.Diag(TheCall->getBeginLoc(), diag::warn_invalid_cpu_supports)
2029 << Arg->getSourceRange();
2030 return false;
2031 }
2032 if (!IsCPUSupports && !TheTI->validateCpuIs(Feature))
2033 return S.Diag(TheCall->getBeginLoc(), diag::err_invalid_cpu_is)
2034 << Arg->getSourceRange();
2035 return false;
2036 }
2037
2038 /// Checks that __builtin_popcountg was called with a single argument, which is
2039 /// an unsigned integer.
2040 static bool BuiltinPopcountg(Sema &S, CallExpr *TheCall) {
2041 if (S.checkArgCount(TheCall, 1))
2042 return true;
2043
2044 ExprResult ArgRes = S.DefaultLvalueConversion(TheCall->getArg(0));
2045 if (ArgRes.isInvalid())
2046 return true;
2047
2048 Expr *Arg = ArgRes.get();
2049 TheCall->setArg(0, Arg);
2050
2051 QualType ArgTy = Arg->getType();
2052
2053 if (!ArgTy->isUnsignedIntegerType()) {
2054 S.Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2055 << 1 << /*unsigned integer ty*/ 7 << ArgTy;
2056 return true;
2057 }
2058 return false;
2059 }
2060
2061 /// Checks that __builtin_{clzg,ctzg} was called with a first argument, which is
2062 /// an unsigned integer, and an optional second argument, which is promoted to
2063 /// an 'int'.
2064 static bool BuiltinCountZeroBitsGeneric(Sema &S, CallExpr *TheCall) {
2065 if (S.checkArgCountRange(TheCall, 1, 2))
2066 return true;
2067
2068 ExprResult Arg0Res = S.DefaultLvalueConversion(TheCall->getArg(0));
2069 if (Arg0Res.isInvalid())
2070 return true;
2071
2072 Expr *Arg0 = Arg0Res.get();
2073 TheCall->setArg(0, Arg0);
2074
2075 QualType Arg0Ty = Arg0->getType();
2076
2077 if (!Arg0Ty->isUnsignedIntegerType()) {
2078 S.Diag(Arg0->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2079 << 1 << /*unsigned integer ty*/ 7 << Arg0Ty;
2080 return true;
2081 }
2082
2083 if (TheCall->getNumArgs() > 1) {
2084 ExprResult Arg1Res = S.UsualUnaryConversions(TheCall->getArg(1));
2085 if (Arg1Res.isInvalid())
2086 return true;
2087
2088 Expr *Arg1 = Arg1Res.get();
2089 TheCall->setArg(1, Arg1);
2090
2091 QualType Arg1Ty = Arg1->getType();
2092
2093 if (!Arg1Ty->isSpecificBuiltinType(BuiltinType::Int)) {
2094 S.Diag(Arg1->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2095 << 2 << /*'int' ty*/ 8 << Arg1Ty;
2096 return true;
2097 }
2098 }
2099
2100 return false;
2101 }
2102
2103 ExprResult
2104 Sema::CheckBuiltinFunctionCall(FunctionDecl *FDecl, unsigned BuiltinID,
2105 CallExpr *TheCall) {
2106 ExprResult TheCallResult(TheCall);
2107
2108 // Find out if any arguments are required to be integer constant expressions.
2109 unsigned ICEArguments = 0;
2110 ASTContext::GetBuiltinTypeError Error;
2111 Context.GetBuiltinType(BuiltinID, Error, &ICEArguments);
2112 if (Error != ASTContext::GE_None)
2113 ICEArguments = 0; // Don't diagnose previously diagnosed errors.
2114
2115 // If any arguments are required to be ICE's, check and diagnose.
2116 for (unsigned ArgNo = 0; ICEArguments != 0; ++ArgNo) {
2117 // Skip arguments not required to be ICE's.
2118 if ((ICEArguments & (1 << ArgNo)) == 0) continue;
2119
2120 llvm::APSInt Result;
2121 // If we don't have enough arguments, continue so we can issue better
2122 // diagnostic in checkArgCount(...)
2123 if (ArgNo < TheCall->getNumArgs() &&
2124 BuiltinConstantArg(TheCall, ArgNo, Result))
2125 return true;
2126 ICEArguments &= ~(1 << ArgNo);
2127 }
2128
2129 FPOptions FPO;
2130 switch (BuiltinID) {
2131 case Builtin::BI__builtin_cpu_supports:
2132 case Builtin::BI__builtin_cpu_is:
2133 if (BuiltinCpu(*this, Context.getTargetInfo(), TheCall,
2134 Context.getAuxTargetInfo(), BuiltinID))
2135 return ExprError();
2136 break;
2137 case Builtin::BI__builtin_cpu_init:
2138 if (!Context.getTargetInfo().supportsCpuInit()) {
2139 Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
2140 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
2141 return ExprError();
2142 }
2143 break;
2144 case Builtin::BI__builtin___CFStringMakeConstantString:
2145 // CFStringMakeConstantString is currently not implemented for GOFF (i.e.,
2146 // on z/OS) and for XCOFF (i.e., on AIX). Emit unsupported
2147 if (CheckBuiltinTargetNotInUnsupported(
2148 *this, BuiltinID, TheCall,
2149 {llvm::Triple::GOFF, llvm::Triple::XCOFF}))
2150 return ExprError();
2151 assert(TheCall->getNumArgs() == 1 &&
2152 "Wrong # arguments to builtin CFStringMakeConstantString");
2153 if (ObjC().CheckObjCString(TheCall->getArg(0)))
2154 return ExprError();
2155 break;
2156 case Builtin::BI__builtin_ms_va_start:
2157 case Builtin::BI__builtin_stdarg_start:
2158 case Builtin::BI__builtin_va_start:
2159 if (BuiltinVAStart(BuiltinID, TheCall))
2160 return ExprError();
2161 break;
2162 case Builtin::BI__va_start: {
2163 switch (Context.getTargetInfo().getTriple().getArch()) {
2164 case llvm::Triple::aarch64:
2165 case llvm::Triple::arm:
2166 case llvm::Triple::thumb:
2167 if (BuiltinVAStartARMMicrosoft(TheCall))
2168 return ExprError();
2169 break;
2170 default:
2171 if (BuiltinVAStart(BuiltinID, TheCall))
2172 return ExprError();
2173 break;
2174 }
2175 break;
2176 }
2177
2178 // The acquire, release, and no fence variants are ARM and AArch64 only.
2179 case Builtin::BI_interlockedbittestandset_acq:
2180 case Builtin::BI_interlockedbittestandset_rel:
2181 case Builtin::BI_interlockedbittestandset_nf:
2182 case Builtin::BI_interlockedbittestandreset_acq:
2183 case Builtin::BI_interlockedbittestandreset_rel:
2184 case Builtin::BI_interlockedbittestandreset_nf:
2185 if (CheckBuiltinTargetInSupported(
2186 *this, TheCall,
2187 {llvm::Triple::arm, llvm::Triple::thumb, llvm::Triple::aarch64}))
2188 return ExprError();
2189 break;
2190
2191 // The 64-bit bittest variants are x64, ARM, and AArch64 only.
2192 case Builtin::BI_bittest64:
2193 case Builtin::BI_bittestandcomplement64:
2194 case Builtin::BI_bittestandreset64:
2195 case Builtin::BI_bittestandset64:
2196 case Builtin::BI_interlockedbittestandreset64:
2197 case Builtin::BI_interlockedbittestandset64:
2198 if (CheckBuiltinTargetInSupported(
2199 *this, TheCall,
2200 {llvm::Triple::x86_64, llvm::Triple::arm, llvm::Triple::thumb,
2201 llvm::Triple::aarch64, llvm::Triple::amdgcn}))
2202 return ExprError();
2203 break;
2204
2205 case Builtin::BI__builtin_set_flt_rounds:
2206 if (CheckBuiltinTargetInSupported(
2207 *this, TheCall,
2208 {llvm::Triple::x86, llvm::Triple::x86_64, llvm::Triple::arm,
2209 llvm::Triple::thumb, llvm::Triple::aarch64, llvm::Triple::amdgcn,
2210 llvm::Triple::ppc, llvm::Triple::ppc64, llvm::Triple::ppcle,
2211 llvm::Triple::ppc64le}))
2212 return ExprError();
2213 break;
2214
2215 case Builtin::BI__builtin_isgreater:
2216 case Builtin::BI__builtin_isgreaterequal:
2217 case Builtin::BI__builtin_isless:
2218 case Builtin::BI__builtin_islessequal:
2219 case Builtin::BI__builtin_islessgreater:
2220 case Builtin::BI__builtin_isunordered:
2221 if (BuiltinUnorderedCompare(TheCall, BuiltinID))
2222 return ExprError();
2223 break;
2224 case Builtin::BI__builtin_fpclassify:
2225 if (BuiltinFPClassification(TheCall, 6, BuiltinID))
2226 return ExprError();
2227 break;
2228 case Builtin::BI__builtin_isfpclass:
2229 if (BuiltinFPClassification(TheCall, 2, BuiltinID))
2230 return ExprError();
2231 break;
2232 case Builtin::BI__builtin_isfinite:
2233 case Builtin::BI__builtin_isinf:
2234 case Builtin::BI__builtin_isinf_sign:
2235 case Builtin::BI__builtin_isnan:
2236 case Builtin::BI__builtin_issignaling:
2237 case Builtin::BI__builtin_isnormal:
2238 case Builtin::BI__builtin_issubnormal:
2239 case Builtin::BI__builtin_iszero:
2240 case Builtin::BI__builtin_signbit:
2241 case Builtin::BI__builtin_signbitf:
2242 case Builtin::BI__builtin_signbitl:
2243 if (BuiltinFPClassification(TheCall, 1, BuiltinID))
2244 return ExprError();
2245 break;
2246 case Builtin::BI__builtin_shufflevector:
2247 return BuiltinShuffleVector(TheCall);
2248 // TheCall will be freed by the smart pointer here, but that's fine, since
2249 // BuiltinShuffleVector guts it, but then doesn't release it.
2250 case Builtin::BI__builtin_prefetch:
2251 if (BuiltinPrefetch(TheCall))
2252 return ExprError();
2253 break;
2254 case Builtin::BI__builtin_alloca_with_align:
2255 case Builtin::BI__builtin_alloca_with_align_uninitialized:
2256 if (BuiltinAllocaWithAlign(TheCall))
2257 return ExprError();
2258 [[fallthrough]];
2259 case Builtin::BI__builtin_alloca:
2260 case Builtin::BI__builtin_alloca_uninitialized:
2261 Diag(TheCall->getBeginLoc(), diag::warn_alloca)
2262 << TheCall->getDirectCallee();
2263 if (getLangOpts().OpenCL) {
2264 builtinAllocaAddrSpace(*this, TheCall);
2265 }
2266 break;
2267 case Builtin::BI__arithmetic_fence:
2268 if (BuiltinArithmeticFence(TheCall))
2269 return ExprError();
2270 break;
2271 case Builtin::BI__assume:
2272 case Builtin::BI__builtin_assume:
2273 if (BuiltinAssume(TheCall))
2274 return ExprError();
2275 break;
2276 case Builtin::BI__builtin_assume_aligned:
2277 if (BuiltinAssumeAligned(TheCall))
2278 return ExprError();
2279 break;
2280 case Builtin::BI__builtin_dynamic_object_size:
2281 case Builtin::BI__builtin_object_size:
2282 if (BuiltinConstantArgRange(TheCall, 1, 0, 3))
2283 return ExprError();
2284 break;
2285 case Builtin::BI__builtin_longjmp:
2286 if (BuiltinLongjmp(TheCall))
2287 return ExprError();
2288 break;
2289 case Builtin::BI__builtin_setjmp:
2290 if (BuiltinSetjmp(TheCall))
2291 return ExprError();
2292 break;
2293 case Builtin::BI__builtin_classify_type:
2294 if (checkArgCount(TheCall, 1))
2295 return true;
2296 TheCall->setType(Context.IntTy);
2297 break;
2298 case Builtin::BI__builtin_complex:
2299 if (BuiltinComplex(TheCall))
2300 return ExprError();
2301 break;
2302 case Builtin::BI__builtin_constant_p: {
2303 if (checkArgCount(TheCall, 1))
2304 return true;
2305 ExprResult Arg = DefaultFunctionArrayLvalueConversion(TheCall->getArg(0));
2306 if (Arg.isInvalid()) return true;
2307 TheCall->setArg(0, Arg.get());
2308 TheCall->setType(Context.IntTy);
2309 break;
2310 }
2311 case Builtin::BI__builtin_launder:
2312 return BuiltinLaunder(*this, TheCall);
2313 case Builtin::BI__builtin_is_within_lifetime:
2314 return BuiltinIsWithinLifetime(*this, TheCall);
2315 case Builtin::BI__sync_fetch_and_add:
2316 case Builtin::BI__sync_fetch_and_add_1:
2317 case Builtin::BI__sync_fetch_and_add_2:
2318 case Builtin::BI__sync_fetch_and_add_4:
2319 case Builtin::BI__sync_fetch_and_add_8:
2320 case Builtin::BI__sync_fetch_and_add_16:
2321 case Builtin::BI__sync_fetch_and_sub:
2322 case Builtin::BI__sync_fetch_and_sub_1:
2323 case Builtin::BI__sync_fetch_and_sub_2:
2324 case Builtin::BI__sync_fetch_and_sub_4:
2325 case Builtin::BI__sync_fetch_and_sub_8:
2326 case Builtin::BI__sync_fetch_and_sub_16:
2327 case Builtin::BI__sync_fetch_and_or:
2328 case Builtin::BI__sync_fetch_and_or_1:
2329 case Builtin::BI__sync_fetch_and_or_2:
2330 case Builtin::BI__sync_fetch_and_or_4:
2331 case Builtin::BI__sync_fetch_and_or_8:
2332 case Builtin::BI__sync_fetch_and_or_16:
2333 case Builtin::BI__sync_fetch_and_and:
2334 case Builtin::BI__sync_fetch_and_and_1:
2335 case Builtin::BI__sync_fetch_and_and_2:
2336 case Builtin::BI__sync_fetch_and_and_4:
2337 case Builtin::BI__sync_fetch_and_and_8:
2338 case Builtin::BI__sync_fetch_and_and_16:
2339 case Builtin::BI__sync_fetch_and_xor:
2340 case Builtin::BI__sync_fetch_and_xor_1:
2341 case Builtin::BI__sync_fetch_and_xor_2:
2342 case Builtin::BI__sync_fetch_and_xor_4:
2343 case Builtin::BI__sync_fetch_and_xor_8:
2344 case Builtin::BI__sync_fetch_and_xor_16:
2345 case Builtin::BI__sync_fetch_and_nand:
2346 case Builtin::BI__sync_fetch_and_nand_1:
2347 case Builtin::BI__sync_fetch_and_nand_2:
2348 case Builtin::BI__sync_fetch_and_nand_4:
2349 case Builtin::BI__sync_fetch_and_nand_8:
2350 case Builtin::BI__sync_fetch_and_nand_16:
2351 case Builtin::BI__sync_add_and_fetch:
2352 case Builtin::BI__sync_add_and_fetch_1:
2353 case Builtin::BI__sync_add_and_fetch_2:
2354 case Builtin::BI__sync_add_and_fetch_4:
2355 case Builtin::BI__sync_add_and_fetch_8:
2356 case Builtin::BI__sync_add_and_fetch_16:
2357 case Builtin::BI__sync_sub_and_fetch:
2358 case Builtin::BI__sync_sub_and_fetch_1:
2359 case Builtin::BI__sync_sub_and_fetch_2:
2360 case Builtin::BI__sync_sub_and_fetch_4:
2361 case Builtin::BI__sync_sub_and_fetch_8:
2362 case Builtin::BI__sync_sub_and_fetch_16:
2363 case Builtin::BI__sync_and_and_fetch:
2364 case Builtin::BI__sync_and_and_fetch_1:
2365 case Builtin::BI__sync_and_and_fetch_2:
2366 case Builtin::BI__sync_and_and_fetch_4:
2367 case Builtin::BI__sync_and_and_fetch_8:
2368 case Builtin::BI__sync_and_and_fetch_16:
2369 case Builtin::BI__sync_or_and_fetch:
2370 case Builtin::BI__sync_or_and_fetch_1:
2371 case Builtin::BI__sync_or_and_fetch_2:
2372 case Builtin::BI__sync_or_and_fetch_4:
2373 case Builtin::BI__sync_or_and_fetch_8:
2374 case Builtin::BI__sync_or_and_fetch_16:
2375 case Builtin::BI__sync_xor_and_fetch:
2376 case Builtin::BI__sync_xor_and_fetch_1:
2377 case Builtin::BI__sync_xor_and_fetch_2:
2378 case Builtin::BI__sync_xor_and_fetch_4:
2379 case Builtin::BI__sync_xor_and_fetch_8:
2380 case Builtin::BI__sync_xor_and_fetch_16:
2381 case Builtin::BI__sync_nand_and_fetch:
2382 case Builtin::BI__sync_nand_and_fetch_1:
2383 case Builtin::BI__sync_nand_and_fetch_2:
2384 case Builtin::BI__sync_nand_and_fetch_4:
2385 case Builtin::BI__sync_nand_and_fetch_8:
2386 case Builtin::BI__sync_nand_and_fetch_16:
2387 case Builtin::BI__sync_val_compare_and_swap:
2388 case Builtin::BI__sync_val_compare_and_swap_1:
2389 case Builtin::BI__sync_val_compare_and_swap_2:
2390 case Builtin::BI__sync_val_compare_and_swap_4:
2391 case Builtin::BI__sync_val_compare_and_swap_8:
2392 case Builtin::BI__sync_val_compare_and_swap_16:
2393 case Builtin::BI__sync_bool_compare_and_swap:
2394 case Builtin::BI__sync_bool_compare_and_swap_1:
2395 case Builtin::BI__sync_bool_compare_and_swap_2:
2396 case Builtin::BI__sync_bool_compare_and_swap_4:
2397 case Builtin::BI__sync_bool_compare_and_swap_8:
2398 case Builtin::BI__sync_bool_compare_and_swap_16:
2399 case Builtin::BI__sync_lock_test_and_set:
2400 case Builtin::BI__sync_lock_test_and_set_1:
2401 case Builtin::BI__sync_lock_test_and_set_2:
2402 case Builtin::BI__sync_lock_test_and_set_4:
2403 case Builtin::BI__sync_lock_test_and_set_8:
2404 case Builtin::BI__sync_lock_test_and_set_16:
2405 case Builtin::BI__sync_lock_release:
2406 case Builtin::BI__sync_lock_release_1:
2407 case Builtin::BI__sync_lock_release_2:
2408 case Builtin::BI__sync_lock_release_4:
2409 case Builtin::BI__sync_lock_release_8:
2410 case Builtin::BI__sync_lock_release_16:
2411 case Builtin::BI__sync_swap:
2412 case Builtin::BI__sync_swap_1:
2413 case Builtin::BI__sync_swap_2:
2414 case Builtin::BI__sync_swap_4:
2415 case Builtin::BI__sync_swap_8:
2416 case Builtin::BI__sync_swap_16:
2417 return BuiltinAtomicOverloaded(TheCallResult);
2418 case Builtin::BI__sync_synchronize:
2419 Diag(TheCall->getBeginLoc(), diag::warn_atomic_implicit_seq_cst)
2420 << TheCall->getCallee()->getSourceRange();
2421 break;
2422 case Builtin::BI__builtin_nontemporal_load:
2423 case Builtin::BI__builtin_nontemporal_store:
2424 return BuiltinNontemporalOverloaded(TheCallResult);
2425 case Builtin::BI__builtin_memcpy_inline: {
2426 clang::Expr *SizeOp = TheCall->getArg(2);
2427 // We warn about copying to or from `nullptr` pointers when `size` is
2428 // greater than 0. When `size` is value dependent we cannot evaluate its
2429 // value so we bail out.
2430 if (SizeOp->isValueDependent())
2431 break;
2432 if (!SizeOp->EvaluateKnownConstInt(Context).isZero()) {
2433 CheckNonNullArgument(*this, TheCall->getArg(0), TheCall->getExprLoc());
2434 CheckNonNullArgument(*this, TheCall->getArg(1), TheCall->getExprLoc());
2435 }
2436 break;
2437 }
2438 case Builtin::BI__builtin_memset_inline: {
2439 clang::Expr *SizeOp = TheCall->getArg(2);
2440 // We warn about filling to `nullptr` pointers when `size` is greater than
2441 // 0. When `size` is value dependent we cannot evaluate its value so we bail
2442 // out.
2443 if (SizeOp->isValueDependent())
2444 break;
2445 if (!SizeOp->EvaluateKnownConstInt(Context).isZero())
2446 CheckNonNullArgument(*this, TheCall->getArg(0), TheCall->getExprLoc());
2447 break;
2448 }
2449 #define BUILTIN(ID, TYPE, ATTRS)
2450 #define ATOMIC_BUILTIN(ID, TYPE, ATTRS) \
2451 case Builtin::BI##ID: \
2452 return AtomicOpsOverloaded(TheCallResult, AtomicExpr::AO##ID);
2453 #include "clang/Basic/Builtins.inc"
2454 case Builtin::BI__annotation:
2455 if (BuiltinMSVCAnnotation(*this, TheCall))
2456 return ExprError();
2457 break;
2458 case Builtin::BI__builtin_annotation:
2459 if (BuiltinAnnotation(*this, TheCall))
2460 return ExprError();
2461 break;
2462 case Builtin::BI__builtin_addressof:
2463 if (BuiltinAddressof(*this, TheCall))
2464 return ExprError();
2465 break;
2466 case Builtin::BI__builtin_function_start:
2467 if (BuiltinFunctionStart(*this, TheCall))
2468 return ExprError();
2469 break;
2470 case Builtin::BI__builtin_is_aligned:
2471 case Builtin::BI__builtin_align_up:
2472 case Builtin::BI__builtin_align_down:
2473 if (BuiltinAlignment(*this, TheCall, BuiltinID))
2474 return ExprError();
2475 break;
2476 case Builtin::BI__builtin_add_overflow:
2477 case Builtin::BI__builtin_sub_overflow:
2478 case Builtin::BI__builtin_mul_overflow:
2479 if (BuiltinOverflow(*this, TheCall, BuiltinID))
2480 return ExprError();
2481 break;
2482 case Builtin::BI__builtin_operator_new:
2483 case Builtin::BI__builtin_operator_delete: {
2484 bool IsDelete = BuiltinID == Builtin::BI__builtin_operator_delete;
2485 ExprResult Res =
2486 BuiltinOperatorNewDeleteOverloaded(TheCallResult, IsDelete);
2487 if (Res.isInvalid())
2488 CorrectDelayedTyposInExpr(TheCallResult.get());
2489 return Res;
2490 }
2491 case Builtin::BI__builtin_dump_struct:
2492 return BuiltinDumpStruct(*this, TheCall);
2493 case Builtin::BI__builtin_expect_with_probability: {
2494 // We first want to ensure we are called with 3 arguments
2495 if (checkArgCount(TheCall, 3))
2496 return ExprError();
2497 // then check probability is constant float in range [0.0, 1.0]
2498 const Expr *ProbArg = TheCall->getArg(2);
2499 SmallVector<PartialDiagnosticAt, 8> Notes;
2500 Expr::EvalResult Eval;
2501 Eval.Diag = &Notes;
2502 if ((!ProbArg->EvaluateAsConstantExpr(Eval, Context)) ||
2503 !Eval.Val.isFloat()) {
2504 Diag(ProbArg->getBeginLoc(), diag::err_probability_not_constant_float)
2505 << ProbArg->getSourceRange();
2506 for (const PartialDiagnosticAt &PDiag : Notes)
2507 Diag(PDiag.first, PDiag.second);
2508 return ExprError();
2509 }
2510 llvm::APFloat Probability = Eval.Val.getFloat();
2511 bool LoseInfo = false;
2512 Probability.convert(llvm::APFloat::IEEEdouble(),
2513 llvm::RoundingMode::Dynamic, &LoseInfo);
2514 if (!(Probability >= llvm::APFloat(0.0) &&
2515 Probability <= llvm::APFloat(1.0))) {
2516 Diag(ProbArg->getBeginLoc(), diag::err_probability_out_of_range)
2517 << ProbArg->getSourceRange();
2518 return ExprError();
2519 }
2520 break;
2521 }
2522 case Builtin::BI__builtin_preserve_access_index:
2523 if (BuiltinPreserveAI(*this, TheCall))
2524 return ExprError();
2525 break;
2526 case Builtin::BI__builtin_call_with_static_chain:
2527 if (BuiltinCallWithStaticChain(*this, TheCall))
2528 return ExprError();
2529 break;
2530 case Builtin::BI__exception_code:
2531 case Builtin::BI_exception_code:
2532 if (BuiltinSEHScopeCheck(*this, TheCall, Scope::SEHExceptScope,
2533 diag::err_seh___except_block))
2534 return ExprError();
2535 break;
2536 case Builtin::BI__exception_info:
2537 case Builtin::BI_exception_info:
2538 if (BuiltinSEHScopeCheck(*this, TheCall, Scope::SEHFilterScope,
2539 diag::err_seh___except_filter))
2540 return ExprError();
2541 break;
2542 case Builtin::BI__GetExceptionInfo:
2543 if (checkArgCount(TheCall, 1))
2544 return ExprError();
2545
2546 if (CheckCXXThrowOperand(
2547 TheCall->getBeginLoc(),
2548 Context.getExceptionObjectType(FDecl->getParamDecl(0)->getType()),
2549 TheCall))
2550 return ExprError();
2551
2552 TheCall->setType(Context.VoidPtrTy);
2553 break;
2554 case Builtin::BIaddressof:
2555 case Builtin::BI__addressof:
2556 case Builtin::BIforward:
2557 case Builtin::BIforward_like:
2558 case Builtin::BImove:
2559 case Builtin::BImove_if_noexcept:
2560 case Builtin::BIas_const: {
2561 // These are all expected to be of the form
2562 // T &/&&/* f(U &/&&)
2563 // where T and U only differ in qualification.
2564 if (checkArgCount(TheCall, 1))
2565 return ExprError();
2566 QualType Param = FDecl->getParamDecl(0)->getType();
2567 QualType Result = FDecl->getReturnType();
2568 bool ReturnsPointer = BuiltinID == Builtin::BIaddressof ||
2569 BuiltinID == Builtin::BI__addressof;
2570 if (!(Param->isReferenceType() &&
2571 (ReturnsPointer ? Result->isAnyPointerType()
2572 : Result->isReferenceType()) &&
2573 Context.hasSameUnqualifiedType(Param->getPointeeType(),
2574 Result->getPointeeType()))) {
2575 Diag(TheCall->getBeginLoc(), diag::err_builtin_move_forward_unsupported)
2576 << FDecl;
2577 return ExprError();
2578 }
2579 break;
2580 }
2581 case Builtin::BI__builtin_ptrauth_strip:
2582 return PointerAuthStrip(*this, TheCall);
2583 case Builtin::BI__builtin_ptrauth_blend_discriminator:
2584 return PointerAuthBlendDiscriminator(*this, TheCall);
2585 case Builtin::BI__builtin_ptrauth_sign_constant:
2586 return PointerAuthSignOrAuth(*this, TheCall, PAO_Sign,
2587 /*RequireConstant=*/true);
2588 case Builtin::BI__builtin_ptrauth_sign_unauthenticated:
2589 return PointerAuthSignOrAuth(*this, TheCall, PAO_Sign,
2590 /*RequireConstant=*/false);
2591 case Builtin::BI__builtin_ptrauth_auth:
2592 return PointerAuthSignOrAuth(*this, TheCall, PAO_Auth,
2593 /*RequireConstant=*/false);
2594 case Builtin::BI__builtin_ptrauth_sign_generic_data:
2595 return PointerAuthSignGenericData(*this, TheCall);
2596 case Builtin::BI__builtin_ptrauth_auth_and_resign:
2597 return PointerAuthAuthAndResign(*this, TheCall);
2598 case Builtin::BI__builtin_ptrauth_string_discriminator:
2599 return PointerAuthStringDiscriminator(*this, TheCall);
2600 // OpenCL v2.0, s6.13.16 - Pipe functions
2601 case Builtin::BIread_pipe:
2602 case Builtin::BIwrite_pipe:
2603 // Since those two functions are declared with var args, we need a semantic
2604 // check for the argument.
2605 if (OpenCL().checkBuiltinRWPipe(TheCall))
2606 return ExprError();
2607 break;
2608 case Builtin::BIreserve_read_pipe:
2609 case Builtin::BIreserve_write_pipe:
2610 case Builtin::BIwork_group_reserve_read_pipe:
2611 case Builtin::BIwork_group_reserve_write_pipe:
2612 if (OpenCL().checkBuiltinReserveRWPipe(TheCall))
2613 return ExprError();
2614 break;
2615 case Builtin::BIsub_group_reserve_read_pipe:
2616 case Builtin::BIsub_group_reserve_write_pipe:
2617 if (OpenCL().checkSubgroupExt(TheCall) ||
2618 OpenCL().checkBuiltinReserveRWPipe(TheCall))
2619 return ExprError();
2620 break;
2621 case Builtin::BIcommit_read_pipe:
2622 case Builtin::BIcommit_write_pipe:
2623 case Builtin::BIwork_group_commit_read_pipe:
2624 case Builtin::BIwork_group_commit_write_pipe:
2625 if (OpenCL().checkBuiltinCommitRWPipe(TheCall))
2626 return ExprError();
2627 break;
2628 case Builtin::BIsub_group_commit_read_pipe:
2629 case Builtin::BIsub_group_commit_write_pipe:
2630 if (OpenCL().checkSubgroupExt(TheCall) ||
2631 OpenCL().checkBuiltinCommitRWPipe(TheCall))
2632 return ExprError();
2633 break;
2634 case Builtin::BIget_pipe_num_packets:
2635 case Builtin::BIget_pipe_max_packets:
2636 if (OpenCL().checkBuiltinPipePackets(TheCall))
2637 return ExprError();
2638 break;
2639 case Builtin::BIto_global:
2640 case Builtin::BIto_local:
2641 case Builtin::BIto_private:
2642 if (OpenCL().checkBuiltinToAddr(BuiltinID, TheCall))
2643 return ExprError();
2644 break;
2645 // OpenCL v2.0, s6.13.17 - Enqueue kernel functions.
2646 case Builtin::BIenqueue_kernel:
2647 if (OpenCL().checkBuiltinEnqueueKernel(TheCall))
2648 return ExprError();
2649 break;
2650 case Builtin::BIget_kernel_work_group_size:
2651 case Builtin::BIget_kernel_preferred_work_group_size_multiple:
2652 if (OpenCL().checkBuiltinKernelWorkGroupSize(TheCall))
2653 return ExprError();
2654 break;
2655 case Builtin::BIget_kernel_max_sub_group_size_for_ndrange:
2656 case Builtin::BIget_kernel_sub_group_count_for_ndrange:
2657 if (OpenCL().checkBuiltinNDRangeAndBlock(TheCall))
2658 return ExprError();
2659 break;
2660 case Builtin::BI__builtin_os_log_format:
2661 Cleanup.setExprNeedsCleanups(true);
2662 [[fallthrough]];
2663 case Builtin::BI__builtin_os_log_format_buffer_size:
2664 if (BuiltinOSLogFormat(TheCall))
2665 return ExprError();
2666 break;
2667 case Builtin::BI__builtin_frame_address:
2668 case Builtin::BI__builtin_return_address: {
2669 if (BuiltinConstantArgRange(TheCall, 0, 0, 0xFFFF))
2670 return ExprError();
2671
2672 // -Wframe-address warning if non-zero passed to builtin
2673 // return/frame address.
2674 Expr::EvalResult Result;
2675 if (!TheCall->getArg(0)->isValueDependent() &&
2676 TheCall->getArg(0)->EvaluateAsInt(Result, getASTContext()) &&
2677 Result.Val.getInt() != 0)
2678 Diag(TheCall->getBeginLoc(), diag::warn_frame_address)
2679 << ((BuiltinID == Builtin::BI__builtin_return_address)
2680 ? "__builtin_return_address"
2681 : "__builtin_frame_address")
2682 << TheCall->getSourceRange();
2683 break;
2684 }
2685
2686 case Builtin::BI__builtin_nondeterministic_value: {
2687 if (BuiltinNonDeterministicValue(TheCall))
2688 return ExprError();
2689 break;
2690 }
2691
2692 // __builtin_elementwise_abs restricts the element type to signed integers or
2693 // floating point types only.
2694 case Builtin::BI__builtin_elementwise_abs: {
2695 if (PrepareBuiltinElementwiseMathOneArgCall(TheCall))
2696 return ExprError();
2697
2698 QualType ArgTy = TheCall->getArg(0)->getType();
2699 QualType EltTy = ArgTy;
2700
2701 if (auto *VecTy = EltTy->getAs<VectorType>())
2702 EltTy = VecTy->getElementType();
2703 if (EltTy->isUnsignedIntegerType()) {
2704 Diag(TheCall->getArg(0)->getBeginLoc(),
2705 diag::err_builtin_invalid_arg_type)
2706 << 1 << /* signed integer or float ty*/ 3 << ArgTy;
2707 return ExprError();
2708 }
2709 break;
2710 }
2711
2712 // These builtins restrict the element type to floating point
2713 // types only.
2714 case Builtin::BI__builtin_elementwise_acos:
2715 case Builtin::BI__builtin_elementwise_asin:
2716 case Builtin::BI__builtin_elementwise_atan:
2717 case Builtin::BI__builtin_elementwise_ceil:
2718 case Builtin::BI__builtin_elementwise_cos:
2719 case Builtin::BI__builtin_elementwise_cosh:
2720 case Builtin::BI__builtin_elementwise_exp:
2721 case Builtin::BI__builtin_elementwise_exp2:
2722 case Builtin::BI__builtin_elementwise_floor:
2723 case Builtin::BI__builtin_elementwise_log:
2724 case Builtin::BI__builtin_elementwise_log2:
2725 case Builtin::BI__builtin_elementwise_log10:
2726 case Builtin::BI__builtin_elementwise_roundeven:
2727 case Builtin::BI__builtin_elementwise_round:
2728 case Builtin::BI__builtin_elementwise_rint:
2729 case Builtin::BI__builtin_elementwise_nearbyint:
2730 case Builtin::BI__builtin_elementwise_sin:
2731 case Builtin::BI__builtin_elementwise_sinh:
2732 case Builtin::BI__builtin_elementwise_sqrt:
2733 case Builtin::BI__builtin_elementwise_tan:
2734 case Builtin::BI__builtin_elementwise_tanh:
2735 case Builtin::BI__builtin_elementwise_trunc:
2736 case Builtin::BI__builtin_elementwise_canonicalize: {
2737 if (PrepareBuiltinElementwiseMathOneArgCall(TheCall))
2738 return ExprError();
2739
2740 QualType ArgTy = TheCall->getArg(0)->getType();
2741 if (checkFPMathBuiltinElementType(*this, TheCall->getArg(0)->getBeginLoc(),
2742 ArgTy, 1))
2743 return ExprError();
2744 break;
2745 }
2746 case Builtin::BI__builtin_elementwise_fma: {
2747 if (BuiltinElementwiseTernaryMath(TheCall))
2748 return ExprError();
2749 break;
2750 }
2751
2752 // These builtins restrict the element type to floating point
2753 // types only, and take in two arguments.
2754 case Builtin::BI__builtin_elementwise_minimum:
2755 case Builtin::BI__builtin_elementwise_maximum:
2756 case Builtin::BI__builtin_elementwise_atan2:
2757 case Builtin::BI__builtin_elementwise_fmod:
2758 case Builtin::BI__builtin_elementwise_pow: {
2759 if (BuiltinElementwiseMath(TheCall, /*FPOnly=*/true))
2760 return ExprError();
2761 break;
2762 }
2763
2764 // These builtins restrict the element type to integer
2765 // types only.
2766 case Builtin::BI__builtin_elementwise_add_sat:
2767 case Builtin::BI__builtin_elementwise_sub_sat: {
2768 if (BuiltinElementwiseMath(TheCall))
2769 return ExprError();
2770
2771 const Expr *Arg = TheCall->getArg(0);
2772 QualType ArgTy = Arg->getType();
2773 QualType EltTy = ArgTy;
2774
2775 if (auto *VecTy = EltTy->getAs<VectorType>())
2776 EltTy = VecTy->getElementType();
2777
2778 if (!EltTy->isIntegerType()) {
2779 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2780 << 1 << /* integer ty */ 6 << ArgTy;
2781 return ExprError();
2782 }
2783 break;
2784 }
2785
2786 case Builtin::BI__builtin_elementwise_min:
2787 case Builtin::BI__builtin_elementwise_max:
2788 if (BuiltinElementwiseMath(TheCall))
2789 return ExprError();
2790 break;
2791 case Builtin::BI__builtin_elementwise_popcount:
2792 case Builtin::BI__builtin_elementwise_bitreverse: {
2793 if (PrepareBuiltinElementwiseMathOneArgCall(TheCall))
2794 return ExprError();
2795
2796 const Expr *Arg = TheCall->getArg(0);
2797 QualType ArgTy = Arg->getType();
2798 QualType EltTy = ArgTy;
2799
2800 if (auto *VecTy = EltTy->getAs<VectorType>())
2801 EltTy = VecTy->getElementType();
2802
2803 if (!EltTy->isIntegerType()) {
2804 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2805 << 1 << /* integer ty */ 6 << ArgTy;
2806 return ExprError();
2807 }
2808 break;
2809 }
2810
2811 case Builtin::BI__builtin_elementwise_copysign: {
2812 if (checkArgCount(TheCall, 2))
2813 return ExprError();
2814
2815 ExprResult Magnitude = UsualUnaryConversions(TheCall->getArg(0));
2816 ExprResult Sign = UsualUnaryConversions(TheCall->getArg(1));
2817 if (Magnitude.isInvalid() || Sign.isInvalid())
2818 return ExprError();
2819
2820 QualType MagnitudeTy = Magnitude.get()->getType();
2821 QualType SignTy = Sign.get()->getType();
2822 if (checkFPMathBuiltinElementType(*this, TheCall->getArg(0)->getBeginLoc(),
2823 MagnitudeTy, 1) ||
2824 checkFPMathBuiltinElementType(*this, TheCall->getArg(1)->getBeginLoc(),
2825 SignTy, 2)) {
2826 return ExprError();
2827 }
2828
2829 if (MagnitudeTy.getCanonicalType() != SignTy.getCanonicalType()) {
2830 return Diag(Sign.get()->getBeginLoc(),
2831 diag::err_typecheck_call_different_arg_types)
2832 << MagnitudeTy << SignTy;
2833 }
2834
2835 TheCall->setArg(0, Magnitude.get());
2836 TheCall->setArg(1, Sign.get());
2837 TheCall->setType(Magnitude.get()->getType());
2838 break;
2839 }
2840 case Builtin::BI__builtin_reduce_max:
2841 case Builtin::BI__builtin_reduce_min: {
2842 if (PrepareBuiltinReduceMathOneArgCall(TheCall))
2843 return ExprError();
2844
2845 const Expr *Arg = TheCall->getArg(0);
2846 const auto *TyA = Arg->getType()->getAs<VectorType>();
2847
2848 QualType ElTy;
2849 if (TyA)
2850 ElTy = TyA->getElementType();
2851 else if (Arg->getType()->isSizelessVectorType())
2852 ElTy = Arg->getType()->getSizelessVectorEltType(Context);
2853
2854 if (ElTy.isNull()) {
2855 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2856 << 1 << /* vector ty*/ 4 << Arg->getType();
2857 return ExprError();
2858 }
2859
2860 TheCall->setType(ElTy);
2861 break;
2862 }
2863 case Builtin::BI__builtin_reduce_maximum:
2864 case Builtin::BI__builtin_reduce_minimum: {
2865 if (PrepareBuiltinReduceMathOneArgCall(TheCall))
2866 return ExprError();
2867
2868 const Expr *Arg = TheCall->getArg(0);
2869 const auto *TyA = Arg->getType()->getAs<VectorType>();
2870
2871 QualType ElTy;
2872 if (TyA)
2873 ElTy = TyA->getElementType();
2874 else if (Arg->getType()->isSizelessVectorType())
2875 ElTy = Arg->getType()->getSizelessVectorEltType(Context);
2876
2877 if (ElTy.isNull() || !ElTy->isFloatingType()) {
2878 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2879 << 1 << /* vector of floating points */ 9 << Arg->getType();
2880 return ExprError();
2881 }
2882
2883 TheCall->setType(ElTy);
2884 break;
2885 }
2886
2887 // These builtins support vectors of integers only.
2888 // TODO: ADD/MUL should support floating-point types.
2889 case Builtin::BI__builtin_reduce_add:
2890 case Builtin::BI__builtin_reduce_mul:
2891 case Builtin::BI__builtin_reduce_xor:
2892 case Builtin::BI__builtin_reduce_or:
2893 case Builtin::BI__builtin_reduce_and: {
2894 if (PrepareBuiltinReduceMathOneArgCall(TheCall))
2895 return ExprError();
2896
2897 const Expr *Arg = TheCall->getArg(0);
2898 const auto *TyA = Arg->getType()->getAs<VectorType>();
2899
2900 QualType ElTy;
2901 if (TyA)
2902 ElTy = TyA->getElementType();
2903 else if (Arg->getType()->isSizelessVectorType())
2904 ElTy = Arg->getType()->getSizelessVectorEltType(Context);
2905
2906 if (ElTy.isNull() || !ElTy->isIntegerType()) {
2907 Diag(Arg->getBeginLoc(), diag::err_builtin_invalid_arg_type)
2908 << 1 << /* vector of integers */ 6 << Arg->getType();
2909 return ExprError();
2910 }
2911
2912 TheCall->setType(ElTy);
2913 break;
2914 }
2915
2916 case Builtin::BI__builtin_matrix_transpose:
2917 return BuiltinMatrixTranspose(TheCall, TheCallResult);
2918
2919 case Builtin::BI__builtin_matrix_column_major_load:
2920 return BuiltinMatrixColumnMajorLoad(TheCall, TheCallResult);
2921
2922 case Builtin::BI__builtin_matrix_column_major_store:
2923 return BuiltinMatrixColumnMajorStore(TheCall, TheCallResult);
2924
2925 case Builtin::BI__builtin_verbose_trap:
2926 if (!checkBuiltinVerboseTrap(TheCall, *this))
2927 return ExprError();
2928 break;
2929
2930 case Builtin::BI__builtin_get_device_side_mangled_name: {
2931 auto Check = [](CallExpr *TheCall) {
2932 if (TheCall->getNumArgs() != 1)
2933 return false;
2934 auto *DRE = dyn_cast<DeclRefExpr>(TheCall->getArg(0)->IgnoreImpCasts());
2935 if (!DRE)
2936 return false;
2937 auto *D = DRE->getDecl();
2938 if (!isa<FunctionDecl>(D) && !isa<VarDecl>(D))
2939 return false;
2940 return D->hasAttr<CUDAGlobalAttr>() || D->hasAttr<CUDADeviceAttr>() ||
2941 D->hasAttr<CUDAConstantAttr>() || D->hasAttr<HIPManagedAttr>();
2942 };
2943 if (!Check(TheCall)) {
2944 Diag(TheCall->getBeginLoc(),
2945 diag::err_hip_invalid_args_builtin_mangled_name);
2946 return ExprError();
2947 }
2948 break;
2949 }
2950 case Builtin::BI__builtin_popcountg:
2951 if (BuiltinPopcountg(*this, TheCall))
2952 return ExprError();
2953 break;
2954 case Builtin::BI__builtin_clzg:
2955 case Builtin::BI__builtin_ctzg:
2956 if (BuiltinCountZeroBitsGeneric(*this, TheCall))
2957 return ExprError();
2958 break;
2959
2960 case Builtin::BI__builtin_allow_runtime_check: {
2961 Expr *Arg = TheCall->getArg(0);
2962 // Check if the argument is a string literal.
2963 if (!isa<StringLiteral>(Arg->IgnoreParenImpCasts())) {
2964 Diag(TheCall->getBeginLoc(), diag::err_expr_not_string_literal)
2965 << Arg->getSourceRange();
2966 return ExprError();
2967 }
2968 break;
2969 }
2970 case Builtin::BI__builtin_counted_by_ref:
2971 if (BuiltinCountedByRef(TheCall))
2972 return ExprError();
2973 break;
2974 }
2975
2976 if (getLangOpts().HLSL && HLSL().CheckBuiltinFunctionCall(BuiltinID, TheCall))
2977 return ExprError();
2978
2979 // Since the target specific builtins for each arch overlap, only check those
2980 // of the arch we are compiling for.
2981 if (Context.BuiltinInfo.isTSBuiltin(BuiltinID)) {
2982 if (Context.BuiltinInfo.isAuxBuiltinID(BuiltinID)) {
2983 assert(Context.getAuxTargetInfo() &&
2984 "Aux Target Builtin, but not an aux target?");
2985
2986 if (CheckTSBuiltinFunctionCall(
2987 *Context.getAuxTargetInfo(),
2988 Context.BuiltinInfo.getAuxBuiltinID(BuiltinID), TheCall))
2989 return ExprError();
2990 } else {
2991 if (CheckTSBuiltinFunctionCall(Context.getTargetInfo(), BuiltinID,
2992 TheCall))
2993 return ExprError();
2994 }
2995 }
2996
2997 return TheCallResult;
2998 }
2999
3000 bool Sema::ValueIsRunOfOnes(CallExpr *TheCall, unsigned ArgNum) {
3001 llvm::APSInt Result;
3002 // We can't check the value of a dependent argument.
3003 Expr *Arg = TheCall->getArg(ArgNum);
3004 if (Arg->isTypeDependent() || Arg->isValueDependent())
3005 return false;
3006
3007 // Check constant-ness first.
3008 if (BuiltinConstantArg(TheCall, ArgNum, Result))
3009 return true;
3010
3011 // Check contiguous run of 1s, 0xFF0000FF is also a run of 1s.
3012 if (Result.isShiftedMask() || (~Result).isShiftedMask())
3013 return false;
3014
3015 return Diag(TheCall->getBeginLoc(),
3016 diag::err_argument_not_contiguous_bit_field)
3017 << ArgNum << Arg->getSourceRange();
3018 }
3019
3020 bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember,
3021 bool IsVariadic, FormatStringInfo *FSI) {
3022 if (Format->getFirstArg() == 0)
3023 FSI->ArgPassingKind = FAPK_VAList;
3024 else if (IsVariadic)
3025 FSI->ArgPassingKind = FAPK_Variadic;
3026 else
3027 FSI->ArgPassingKind = FAPK_Fixed;
3028 FSI->FormatIdx = Format->getFormatIdx() - 1;
3029 FSI->FirstDataArg =
3030 FSI->ArgPassingKind == FAPK_VAList ? 0 : Format->getFirstArg() - 1;
3031
3032 // The way the format attribute works in GCC, the implicit this argument
3033 // of member functions is counted. However, it doesn't appear in our own
3034 // lists, so decrement format_idx in that case.
3035 if (IsCXXMember) {
3036 if(FSI->FormatIdx == 0)
3037 return false;
3038 --FSI->FormatIdx;
3039 if (FSI->FirstDataArg != 0)
3040 --FSI->FirstDataArg;
3041 }
3042 return true;
3043 }
3044
3045 /// Checks if a the given expression evaluates to null.
3046 ///
3047 /// Returns true if the value evaluates to null.
3048 static bool CheckNonNullExpr(Sema &S, const Expr *Expr) {
3049 // Treat (smart) pointers constructed from nullptr as null, whether we can
3050 // const-evaluate them or not.
3051 // This must happen first: the smart pointer expr might have _Nonnull type!
3052 if (isa<CXXNullPtrLiteralExpr>(
3053 IgnoreExprNodes(Expr, IgnoreImplicitAsWrittenSingleStep,
3054 IgnoreElidableImplicitConstructorSingleStep)))
3055 return true;
3056
3057 // If the expression has non-null type, it doesn't evaluate to null.
3058 if (auto nullability = Expr->IgnoreImplicit()->getType()->getNullability()) {
3059 if (*nullability == NullabilityKind::NonNull)
3060 return false;
3061 }
3062
3063 // As a special case, transparent unions initialized with zero are
3064 // considered null for the purposes of the nonnull attribute.
3065 if (const RecordType *UT = Expr->getType()->getAsUnionType();
3066 UT && UT->getDecl()->hasAttr<TransparentUnionAttr>()) {
3067 if (const auto *CLE = dyn_cast<CompoundLiteralExpr>(Expr))
3068 if (const auto *ILE = dyn_cast<InitListExpr>(CLE->getInitializer()))
3069 Expr = ILE->getInit(0);
3070 }
3071
3072 bool Result;
3073 return (!Expr->isValueDependent() &&
3074 Expr->EvaluateAsBooleanCondition(Result, S.Context) &&
3075 !Result);
3076 }
3077
3078 static void CheckNonNullArgument(Sema &S,
3079 const Expr *ArgExpr,
3080 SourceLocation CallSiteLoc) {
3081 if (CheckNonNullExpr(S, ArgExpr))
3082 S.DiagRuntimeBehavior(CallSiteLoc, ArgExpr,
3083 S.PDiag(diag::warn_null_arg)
3084 << ArgExpr->getSourceRange());
3085 }
3086
3087 /// Determine whether the given type has a non-null nullability annotation.
3088 static bool isNonNullType(QualType type) {
3089 if (auto nullability = type->getNullability())
3090 return *nullability == NullabilityKind::NonNull;
3091
3092 return false;
3093 }
3094
3095 static void CheckNonNullArguments(Sema &S,
3096 const NamedDecl *FDecl,
3097 const FunctionProtoType *Proto,
3098 ArrayRef<const Expr *> Args,
3099 SourceLocation CallSiteLoc) {
3100 assert((FDecl || Proto) && "Need a function declaration or prototype");
3101
3102 // Already checked by constant evaluator.
3103 if (S.isConstantEvaluatedContext())
3104 return;
3105 // Check the attributes attached to the method/function itself.
3106 llvm::SmallBitVector NonNullArgs;
3107 if (FDecl) {
3108 // Handle the nonnull attribute on the function/method declaration itself.
3109 for (const auto *NonNull : FDecl->specific_attrs<NonNullAttr>()) {
3110 if (!NonNull->args_size()) {
3111 // Easy case: all pointer arguments are nonnull.
3112 for (const auto *Arg : Args)
3113 if (S.isValidPointerAttrType(Arg->getType()))
3114 CheckNonNullArgument(S, Arg, CallSiteLoc);
3115 return;
3116 }
3117
3118 for (const ParamIdx &Idx : NonNull->args()) {
3119 unsigned IdxAST = Idx.getASTIndex();
3120 if (IdxAST >= Args.size())
3121 continue;
3122 if (NonNullArgs.empty())
3123 NonNullArgs.resize(Args.size());
3124 NonNullArgs.set(IdxAST);
3125 }
3126 }
3127 }
3128
3129 if (FDecl && (isa<FunctionDecl>(FDecl) || isa<ObjCMethodDecl>(FDecl))) {
3130 // Handle the nonnull attribute on the parameters of the
3131 // function/method.
3132 ArrayRef<ParmVarDecl*> parms;
3133 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FDecl))
3134 parms = FD->parameters();
3135 else
3136 parms = cast<ObjCMethodDecl>(FDecl)->parameters();
3137
3138 unsigned ParamIndex = 0;
3139 for (ArrayRef<ParmVarDecl*>::iterator I = parms.begin(), E = parms.end();
3140 I != E; ++I, ++ParamIndex) {
3141 const ParmVarDecl *PVD = *I;
3142 if (PVD->hasAttr<NonNullAttr>() || isNonNullType(PVD->getType())) {
3143 if (NonNullArgs.empty())
3144 NonNullArgs.resize(Args.size());
3145
3146 NonNullArgs.set(ParamIndex);
3147 }
3148 }
3149 } else {
3150 // If we have a non-function, non-method declaration but no
3151 // function prototype, try to dig out the function prototype.
3152 if (!Proto) {
3153 if (const ValueDecl *VD = dyn_cast<ValueDecl>(FDecl)) {
3154 QualType type = VD->getType().getNonReferenceType();
3155 if (auto pointerType = type->getAs<PointerType>())
3156 type = pointerType->getPointeeType();
3157 else if (auto blockType = type->getAs<BlockPointerType>())
3158 type = blockType->getPointeeType();
3159 // FIXME: data member pointers?
3160
3161 // Dig out the function prototype, if there is one.
3162 Proto = type->getAs<FunctionProtoType>();
3163 }
3164 }
3165
3166 // Fill in non-null argument information from the nullability
3167 // information on the parameter types (if we have them).
3168 if (Proto) {
3169 unsigned Index = 0;
3170 for (auto paramType : Proto->getParamTypes()) {
3171 if (isNonNullType(paramType)) {
3172 if (NonNullArgs.empty())
3173 NonNullArgs.resize(Args.size());
3174
3175 NonNullArgs.set(Index);
3176 }
3177
3178 ++Index;
3179 }
3180 }
3181 }
3182
3183 // Check for non-null arguments.
3184 for (unsigned ArgIndex = 0, ArgIndexEnd = NonNullArgs.size();
3185 ArgIndex != ArgIndexEnd; ++ArgIndex) {
3186 if (NonNullArgs[ArgIndex])
3187 CheckNonNullArgument(S, Args[ArgIndex], Args[ArgIndex]->getExprLoc());
3188 }
3189 }
3190
3191 void Sema::CheckArgAlignment(SourceLocation Loc, NamedDecl *FDecl,
3192 StringRef ParamName, QualType ArgTy,
3193 QualType ParamTy) {
3194
3195 // If a function accepts a pointer or reference type
3196 if (!ParamTy->isPointerType() && !ParamTy->isReferenceType())
3197 return;
3198
3199 // If the parameter is a pointer type, get the pointee type for the
3200 // argument too. If the parameter is a reference type, don't try to get
3201 // the pointee type for the argument.
3202 if (ParamTy->isPointerType())
3203 ArgTy = ArgTy->getPointeeType();
3204
3205 // Remove reference or pointer
3206 ParamTy = ParamTy->getPointeeType();
3207
3208 // Find expected alignment, and the actual alignment of the passed object.
3209 // getTypeAlignInChars requires complete types
3210 if (ArgTy.isNull() || ParamTy->isDependentType() ||
3211 ParamTy->isIncompleteType() || ArgTy->isIncompleteType() ||
3212 ParamTy->isUndeducedType() || ArgTy->isUndeducedType())
3213 return;
3214
3215 CharUnits ParamAlign = Context.getTypeAlignInChars(ParamTy);
3216 CharUnits ArgAlign = Context.getTypeAlignInChars(ArgTy);
3217
3218 // If the argument is less aligned than the parameter, there is a
3219 // potential alignment issue.
3220 if (ArgAlign < ParamAlign)
3221 Diag(Loc, diag::warn_param_mismatched_alignment)
3222 << (int)ArgAlign.getQuantity() << (int)ParamAlign.getQuantity()
3223 << ParamName << (FDecl != nullptr) << FDecl;
3224 }
3225
3226 void Sema::checkLifetimeCaptureBy(FunctionDecl *FD, bool IsMemberFunction,
3227 const Expr *ThisArg,
3228 ArrayRef<const Expr *> Args) {
3229 if (!FD || Args.empty())
3230 return;
3231 auto GetArgAt = [&](int Idx) -> const Expr * {
3232 if (Idx == LifetimeCaptureByAttr::GLOBAL ||
3233 Idx == LifetimeCaptureByAttr::UNKNOWN)
3234 return nullptr;
3235 if (IsMemberFunction && Idx == 0)
3236 return ThisArg;
3237 return Args[Idx - IsMemberFunction];
3238 };
3239 auto HandleCaptureByAttr = [&](const LifetimeCaptureByAttr *Attr,
3240 unsigned ArgIdx) {
3241 if (!Attr)
3242 return;
3243 Expr *Captured = const_cast<Expr *>(GetArgAt(ArgIdx));
3244 for (int CapturingParamIdx : Attr->params()) {
3245 Expr *Capturing = const_cast<Expr *>(GetArgAt(CapturingParamIdx));
3246 CapturingEntity CE{Capturing};
3247 // Ensure that 'Captured' outlives the 'Capturing' entity.
3248 checkCaptureByLifetime(*this, CE, Captured);
3249 }
3250 };
3251 for (unsigned I = 0; I < FD->getNumParams(); ++I)
3252 HandleCaptureByAttr(FD->getParamDecl(I)->getAttr<LifetimeCaptureByAttr>(),
3253 I + IsMemberFunction);
3254 // Check when the implicit object param is captured.
3255 if (IsMemberFunction) {
3256 TypeSourceInfo *TSI = FD->getTypeSourceInfo();
3257 if (!TSI)
3258 return;
3259 AttributedTypeLoc ATL;
3260 for (TypeLoc TL = TSI->getTypeLoc();
3261 (ATL = TL.getAsAdjusted<AttributedTypeLoc>());
3262 TL = ATL.getModifiedLoc())
3263 HandleCaptureByAttr(ATL.getAttrAs<LifetimeCaptureByAttr>(), 0);
3264 }
3265 }
3266
3267 void Sema::checkCall(NamedDecl *FDecl, const FunctionProtoType *Proto,
3268 const Expr *ThisArg, ArrayRef<const Expr *> Args,
3269 bool IsMemberFunction, SourceLocation Loc,
3270 SourceRange Range, VariadicCallType CallType) {
3271 // FIXME: We should check as much as we can in the template definition.
3272 if (CurContext->isDependentContext())
3273 return;
3274
3275 // Printf and scanf checking.
3276 llvm::SmallBitVector CheckedVarArgs;
3277 if (FDecl) {
3278 for (const auto *I : FDecl->specific_attrs<FormatAttr>()) {
3279 // Only create vector if there are format attributes.
3280 CheckedVarArgs.resize(Args.size());
3281
3282 CheckFormatArguments(I, Args, IsMemberFunction, CallType, Loc, Range,
3283 CheckedVarArgs);
3284 }
3285 }
3286
3287 // Refuse POD arguments that weren't caught by the format string
3288 // checks above.
3289 auto *FD = dyn_cast_or_null<FunctionDecl>(FDecl);
3290 if (CallType != VariadicDoesNotApply &&
3291 (!FD || FD->getBuiltinID() != Builtin::BI__noop)) {
3292 unsigned NumParams = Proto ? Proto->getNumParams()
3293 : isa_and_nonnull<FunctionDecl>(FDecl)
3294 ? cast<FunctionDecl>(FDecl)->getNumParams()
3295 : isa_and_nonnull<ObjCMethodDecl>(FDecl)
3296 ? cast<ObjCMethodDecl>(FDecl)->param_size()
3297 : 0;
3298
3299 for (unsigned ArgIdx = NumParams; ArgIdx < Args.size(); ++ArgIdx) {
3300 // Args[ArgIdx] can be null in malformed code.
3301 if (const Expr *Arg = Args[ArgIdx]) {
3302 if (CheckedVarArgs.empty() || !CheckedVarArgs[ArgIdx])
3303 checkVariadicArgument(Arg, CallType);
3304 }
3305 }
3306 }
3307 if (FD)
3308 checkLifetimeCaptureBy(FD, IsMemberFunction, ThisArg, Args);
3309 if (FDecl || Proto) {
3310 CheckNonNullArguments(*this, FDecl, Proto, Args, Loc);
3311
3312 // Type safety checking.
3313 if (FDecl) {
3314 for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())
3315 CheckArgumentWithTypeTag(I, Args, Loc);
3316 }
3317 }
3318
3319 // Check that passed arguments match the alignment of original arguments.
3320 // Try to get the missing prototype from the declaration.
3321 if (!Proto && FDecl) {
3322 const auto *FT = FDecl->getFunctionType();
3323 if (isa_and_nonnull<FunctionProtoType>(FT))
3324 Proto = cast<FunctionProtoType>(FDecl->getFunctionType());
3325 }
3326 if (Proto) {
3327 // For variadic functions, we may have more args than parameters.
3328 // For some K&R functions, we may have less args than parameters.
3329 const auto N = std::min<unsigned>(Proto->getNumParams(), Args.size());
3330 bool IsScalableRet = Proto->getReturnType()->isSizelessVectorType();
3331 bool IsScalableArg = false;
3332 for (unsigned ArgIdx = 0; ArgIdx < N; ++ArgIdx) {
3333 // Args[ArgIdx] can be null in malformed code.
3334 if (const Expr *Arg = Args[ArgIdx]) {
3335 if (Arg->containsErrors())
3336 continue;
3337
3338 if (Context.getTargetInfo().getTriple().isOSAIX() && FDecl && Arg &&
3339 FDecl->hasLinkage() &&
3340 FDecl->getFormalLinkage() != Linkage::Internal &&
3341 CallType == VariadicDoesNotApply)
3342 PPC().checkAIXMemberAlignment((Arg->getExprLoc()), Arg);
3343
3344 QualType ParamTy = Proto->getParamType(ArgIdx);
3345 if (ParamTy->isSizelessVectorType())
3346 IsScalableArg = true;
3347 QualType ArgTy = Arg->getType();
3348 CheckArgAlignment(Arg->getExprLoc(), FDecl, std::to_string(ArgIdx + 1),
3349 ArgTy, ParamTy);
3350 }
3351 }
3352
3353 // If the callee has an AArch64 SME attribute to indicate that it is an
3354 // __arm_streaming function, then the caller requires SME to be available.
3355 FunctionProtoType::ExtProtoInfo ExtInfo = Proto->getExtProtoInfo();
3356 if (ExtInfo.AArch64SMEAttributes & FunctionType::SME_PStateSMEnabledMask) {
3357 if (auto *CallerFD = dyn_cast<FunctionDecl>(CurContext)) {
3358 llvm::StringMap<bool> CallerFeatureMap;
3359 Context.getFunctionFeatureMap(CallerFeatureMap, CallerFD);
3360 if (!CallerFeatureMap.contains("sme"))
3361 Diag(Loc, diag::err_sme_call_in_non_sme_target);
3362 } else if (!Context.getTargetInfo().hasFeature("sme")) {
3363 Diag(Loc, diag::err_sme_call_in_non_sme_target);
3364 }
3365 }
3366
3367 // If the call requires a streaming-mode change and has scalable vector
3368 // arguments or return values, then warn the user that the streaming and
3369 // non-streaming vector lengths may be different.
3370 const auto *CallerFD = dyn_cast<FunctionDecl>(CurContext);
3371 if (CallerFD && (!FD || !FD->getBuiltinID()) &&
3372 (IsScalableArg || IsScalableRet)) {
3373 bool IsCalleeStreaming =
3374 ExtInfo.AArch64SMEAttributes & FunctionType::SME_PStateSMEnabledMask;
3375 bool IsCalleeStreamingCompatible =
3376 ExtInfo.AArch64SMEAttributes &
3377 FunctionType::SME_PStateSMCompatibleMask;
3378 SemaARM::ArmStreamingType CallerFnType = getArmStreamingFnType(CallerFD);
3379 if (!IsCalleeStreamingCompatible &&
3380 (CallerFnType == SemaARM::ArmStreamingCompatible ||
3381 ((CallerFnType == SemaARM::ArmStreaming) ^ IsCalleeStreaming))) {
3382 if (IsScalableArg)
3383 Diag(Loc, diag::warn_sme_streaming_pass_return_vl_to_non_streaming)
3384 << /*IsArg=*/true;
3385 if (IsScalableRet)
3386 Diag(Loc, diag::warn_sme_streaming_pass_return_vl_to_non_streaming)
3387 << /*IsArg=*/false;
3388 }
3389 }
3390
3391 FunctionType::ArmStateValue CalleeArmZAState =
3392 FunctionType::getArmZAState(ExtInfo.AArch64SMEAttributes);
3393 FunctionType::ArmStateValue CalleeArmZT0State =
3394 FunctionType::getArmZT0State(ExtInfo.AArch64SMEAttributes);
3395 if (CalleeArmZAState != FunctionType::ARM_None ||
3396 CalleeArmZT0State != FunctionType::ARM_None) {
3397 bool CallerHasZAState = false;
3398 bool CallerHasZT0State = false;
3399 if (CallerFD) {
3400 auto *Attr = CallerFD->getAttr<ArmNewAttr>();
3401 if (Attr && Attr->isNewZA())
3402 CallerHasZAState = true;
3403 if (Attr && Attr->isNewZT0())
3404 CallerHasZT0State = true;
3405 if (const auto *FPT = CallerFD->getType()->getAs<FunctionProtoType>()) {
3406 CallerHasZAState |=
3407 FunctionType::getArmZAState(
3408 FPT->getExtProtoInfo().AArch64SMEAttributes) !=
3409 FunctionType::ARM_None;
3410 CallerHasZT0State |=
3411 FunctionType::getArmZT0State(
3412 FPT->getExtProtoInfo().AArch64SMEAttributes) !=
3413 FunctionType::ARM_None;
3414 }
3415 }
3416
3417 if (CalleeArmZAState != FunctionType::ARM_None && !CallerHasZAState)
3418 Diag(Loc, diag::err_sme_za_call_no_za_state);
3419
3420 if (CalleeArmZT0State != FunctionType::ARM_None && !CallerHasZT0State)
3421 Diag(Loc, diag::err_sme_zt0_call_no_zt0_state);
3422
3423 if (CallerHasZAState && CalleeArmZAState == FunctionType::ARM_None &&
3424 CalleeArmZT0State != FunctionType::ARM_None) {
3425 Diag(Loc, diag::err_sme_unimplemented_za_save_restore);
3426 Diag(Loc, diag::note_sme_use_preserves_za);
3427 }
3428 }
3429 }
3430
3431 if (FDecl && FDecl->hasAttr<AllocAlignAttr>()) {
3432 auto *AA = FDecl->getAttr<AllocAlignAttr>();
3433 const Expr *Arg = Args[AA->getParamIndex().getASTIndex()];
3434 if (!Arg->isValueDependent()) {
3435 Expr::EvalResult Align;
3436 if (Arg->EvaluateAsInt(Align, Context)) {
3437 const llvm::APSInt &I = Align.Val.getInt();
3438 if (!I.isPowerOf2())
3439 Diag(Arg->getExprLoc(), diag::warn_alignment_not_power_of_two)
3440 << Arg->getSourceRange();
3441
3442 if (I > Sema::MaximumAlignment)
3443 Diag(Arg->getExprLoc(), diag::warn_assume_aligned_too_great)
3444 << Arg->getSourceRange() << Sema::MaximumAlignment;
3445 }
3446 }
3447 }
3448
3449 if (FD)
3450 diagnoseArgDependentDiagnoseIfAttrs(FD, ThisArg, Args, Loc);
3451 }
3452
3453 void Sema::CheckConstrainedAuto(const AutoType *AutoT, SourceLocation Loc) {
3454 if (ConceptDecl *Decl = AutoT->getTypeConstraintConcept()) {
3455 DiagnoseUseOfDecl(Decl, Loc);
3456 }
3457 }
3458
3459 void Sema::CheckConstructorCall(FunctionDecl *FDecl, QualType ThisType,
3460 ArrayRef<const Expr *> Args,
3461 const FunctionProtoType *Proto,
3462 SourceLocation Loc) {
3463 VariadicCallType CallType =
3464 Proto->isVariadic() ? VariadicConstructor : VariadicDoesNotApply;
3465
3466 auto *Ctor = cast<CXXConstructorDecl>(FDecl);
3467 CheckArgAlignment(
3468 Loc, FDecl, "'this'", Context.getPointerType(ThisType),
3469 Context.getPointerType(Ctor->getFunctionObjectParameterType()));
3470
3471 checkCall(FDecl, Proto, /*ThisArg=*/nullptr, Args, /*IsMemberFunction=*/true,
3472 Loc, SourceRange(), CallType);
3473 }
3474
3475 bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall,
3476 const FunctionProtoType *Proto) {
3477 bool IsMemberOperatorCall = isa<CXXOperatorCallExpr>(TheCall) &&
3478 isa<CXXMethodDecl>(FDecl);
3479 bool IsMemberFunction = isa<CXXMemberCallExpr>(TheCall) ||
3480 IsMemberOperatorCall;
3481 VariadicCallType CallType = getVariadicCallType(FDecl, Proto,
3482 TheCall->getCallee());
3483 Expr** Args = TheCall->getArgs();
3484 unsigned NumArgs = TheCall->getNumArgs();
3485
3486 Expr *ImplicitThis = nullptr;
3487 if (IsMemberOperatorCall && !FDecl->hasCXXExplicitFunctionObjectParameter()) {
3488 // If this is a call to a member operator, hide the first
3489 // argument from checkCall.
3490 // FIXME: Our choice of AST representation here is less than ideal.
3491 ImplicitThis = Args[0];
3492 ++Args;
3493 --NumArgs;
3494 } else if (IsMemberFunction && !FDecl->isStatic() &&
3495 !FDecl->hasCXXExplicitFunctionObjectParameter())
3496 ImplicitThis =
3497 cast<CXXMemberCallExpr>(TheCall)->getImplicitObjectArgument();
3498
3499 if (ImplicitThis) {
3500 // ImplicitThis may or may not be a pointer, depending on whether . or -> is
3501 // used.
3502 QualType ThisType = ImplicitThis->getType();
3503 if (!ThisType->isPointerType()) {
3504 assert(!ThisType->isReferenceType());
3505 ThisType = Context.getPointerType(ThisType);
3506 }
3507
3508 QualType ThisTypeFromDecl = Context.getPointerType(
3509 cast<CXXMethodDecl>(FDecl)->getFunctionObjectParameterType());
3510
3511 CheckArgAlignment(TheCall->getRParenLoc(), FDecl, "'this'", ThisType,
3512 ThisTypeFromDecl);
3513 }
3514
3515 checkCall(FDecl, Proto, ImplicitThis, llvm::ArrayRef(Args, NumArgs),
3516 IsMemberFunction, TheCall->getRParenLoc(),
3517 TheCall->getCallee()->getSourceRange(), CallType);
3518
3519 IdentifierInfo *FnInfo = FDecl->getIdentifier();
3520 // None of the checks below are needed for functions that don't have
3521 // simple names (e.g., C++ conversion functions).
3522 if (!FnInfo)
3523 return false;
3524
3525 // Enforce TCB except for builtin calls, which are always allowed.
3526 if (FDecl->getBuiltinID() == 0)
3527 CheckTCBEnforcement(TheCall->getExprLoc(), FDecl);
3528
3529 CheckAbsoluteValueFunction(TheCall, FDecl);
3530 CheckMaxUnsignedZero(TheCall, FDecl);
3531 CheckInfNaNFunction(TheCall, FDecl);
3532
3533 if (getLangOpts().ObjC)
3534 ObjC().DiagnoseCStringFormatDirectiveInCFAPI(FDecl, Args, NumArgs);
3535
3536 unsigned CMId = FDecl->getMemoryFunctionKind();
3537
3538 // Handle memory setting and copying functions.
3539 switch (CMId) {
3540 case 0:
3541 return false;
3542 case Builtin::BIstrlcpy: // fallthrough
3543 case Builtin::BIstrlcat:
3544 CheckStrlcpycatArguments(TheCall, FnInfo);
3545 break;
3546 case Builtin::BIstrncat:
3547 CheckStrncatArguments(TheCall, FnInfo);
3548 break;
3549 case Builtin::BIfree:
3550 CheckFreeArguments(TheCall);
3551 break;
3552 default:
3553 CheckMemaccessArguments(TheCall, CMId, FnInfo);
3554 }
3555
3556 return false;
3557 }
3558
3559 bool Sema::CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall,
3560 const FunctionProtoType *Proto) {
3561 QualType Ty;
3562 if (const auto *V = dyn_cast<VarDecl>(NDecl))
3563 Ty = V->getType().getNonReferenceType();
3564 else if (const auto *F = dyn_cast<FieldDecl>(NDecl))
3565 Ty = F->getType().getNonReferenceType();
3566 else
3567 return false;
3568
3569 if (!Ty->isBlockPointerType() && !Ty->isFunctionPointerType() &&
3570 !Ty->isFunctionProtoType())
3571 return false;
3572
3573 VariadicCallType CallType;
3574 if (!Proto || !Proto->isVariadic()) {
3575 CallType = VariadicDoesNotApply;
3576 } else if (Ty->isBlockPointerType()) {
3577 CallType = VariadicBlock;
3578 } else { // Ty->isFunctionPointerType()
3579 CallType = VariadicFunction;
3580 }
3581
3582 checkCall(NDecl, Proto, /*ThisArg=*/nullptr,
3583 llvm::ArrayRef(TheCall->getArgs(), TheCall->getNumArgs()),
3584 /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
3585 TheCall->getCallee()->getSourceRange(), CallType);
3586
3587 return false;
3588 }
3589
3590 bool Sema::CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto) {
3591 VariadicCallType CallType = getVariadicCallType(/*FDecl=*/nullptr, Proto,
3592 TheCall->getCallee());
3593 checkCall(/*FDecl=*/nullptr, Proto, /*ThisArg=*/nullptr,
3594 llvm::ArrayRef(TheCall->getArgs(), TheCall->getNumArgs()),
3595 /*IsMemberFunction=*/false, TheCall->getRParenLoc(),
3596 TheCall->getCallee()->getSourceRange(), CallType);
3597
3598 return false;
3599 }
3600
3601 static bool isValidOrderingForOp(int64_t Ordering, AtomicExpr::AtomicOp Op) {
3602 if (!llvm::isValidAtomicOrderingCABI(Ordering))
3603 return false;
3604
3605 auto OrderingCABI = (llvm::AtomicOrderingCABI)Ordering;
3606 switch (Op) {
3607 case AtomicExpr::AO__c11_atomic_init:
3608 case AtomicExpr::AO__opencl_atomic_init:
3609 llvm_unreachable("There is no ordering argument for an init");
3610
3611 case AtomicExpr::AO__c11_atomic_load:
3612 case AtomicExpr::AO__opencl_atomic_load:
3613 case AtomicExpr::AO__hip_atomic_load:
3614 case AtomicExpr::AO__atomic_load_n:
3615 case AtomicExpr::AO__atomic_load:
3616 case AtomicExpr::AO__scoped_atomic_load_n:
3617 case AtomicExpr::AO__scoped_atomic_load:
3618 return OrderingCABI != llvm::AtomicOrderingCABI::release &&
3619 OrderingCABI != llvm::AtomicOrderingCABI::acq_rel;
3620
3621 case AtomicExpr::AO__c11_atomic_store:
3622 case AtomicExpr::AO__opencl_atomic_store:
3623 case AtomicExpr::AO__hip_atomic_store:
3624 case AtomicExpr::AO__atomic_store:
3625 case AtomicExpr::AO__atomic_store_n:
3626 case AtomicExpr::AO__scoped_atomic_store:
3627 case AtomicExpr::AO__scoped_atomic_store_n:
3628 return OrderingCABI != llvm::AtomicOrderingCABI::consume &&
3629 OrderingCABI != llvm::AtomicOrderingCABI::acquire &&
3630 OrderingCABI != llvm::AtomicOrderingCABI::acq_rel;
3631
3632 default:
3633 return true;
3634 }
3635 }
3636
3637 ExprResult Sema::AtomicOpsOverloaded(ExprResult TheCallResult,
3638 AtomicExpr::AtomicOp Op) {
3639 CallExpr *TheCall = cast<CallExpr>(TheCallResult.get());
3640 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
3641 MultiExprArg Args{TheCall->getArgs(), TheCall->getNumArgs()};
3642 return BuildAtomicExpr({TheCall->getBeginLoc(), TheCall->getEndLoc()},
3643 DRE->getSourceRange(), TheCall->getRParenLoc(), Args,
3644 Op);
3645 }
3646
3647 ExprResult Sema::BuildAtomicExpr(SourceRange CallRange, SourceRange ExprRange,
3648 SourceLocation RParenLoc, MultiExprArg Args,
3649 AtomicExpr::AtomicOp Op,
3650 AtomicArgumentOrder ArgOrder) {
3651 // All the non-OpenCL operations take one of the following forms.
3652 // The OpenCL operations take the __c11 forms with one extra argument for
3653 // synchronization scope.
3654 enum {
3655 // C __c11_atomic_init(A *, C)
3656 Init,
3657
3658 // C __c11_atomic_load(A *, int)
3659 Load,
3660
3661 // void __atomic_load(A *, CP, int)
3662 LoadCopy,
3663
3664 // void __atomic_store(A *, CP, int)
3665 Copy,
3666
3667 // C __c11_atomic_add(A *, M, int)
3668 Arithmetic,
3669
3670 // C __atomic_exchange_n(A *, CP, int)
3671 Xchg,
3672
3673 // void __atomic_exchange(A *, C *, CP, int)
3674 GNUXchg,
3675
3676 // bool __c11_atomic_compare_exchange_strong(A *, C *, CP, int, int)
3677 C11CmpXchg,
3678
3679 // bool __atomic_compare_exchange(A *, C *, CP, bool, int, int)
3680 GNUCmpXchg
3681 } Form = Init;
3682
3683 const unsigned NumForm = GNUCmpXchg + 1;
3684 const unsigned NumArgs[] = { 2, 2, 3, 3, 3, 3, 4, 5, 6 };
3685 const unsigned NumVals[] = { 1, 0, 1, 1, 1, 1, 2, 2, 3 };
3686 // where:
3687 // C is an appropriate type,
3688 // A is volatile _Atomic(C) for __c11 builtins and is C for GNU builtins,
3689 // CP is C for __c11 builtins and GNU _n builtins and is C * otherwise,
3690 // M is C if C is an integer, and ptrdiff_t if C is a pointer, and
3691 // the int parameters are for orderings.
3692
3693 static_assert(sizeof(NumArgs)/sizeof(NumArgs[0]) == NumForm
3694 && sizeof(NumVals)/sizeof(NumVals[0]) == NumForm,
3695 "need to update code for modified forms");
3696 static_assert(AtomicExpr::AO__atomic_add_fetch == 0 &&
3697 AtomicExpr::AO__atomic_xor_fetch + 1 ==
3698 AtomicExpr::AO__c11_atomic_compare_exchange_strong,
3699 "need to update code for modified C11 atomics");
3700 bool IsOpenCL = Op >= AtomicExpr::AO__opencl_atomic_compare_exchange_strong &&
3701 Op <= AtomicExpr::AO__opencl_atomic_store;
3702 bool IsHIP = Op >= AtomicExpr::AO__hip_atomic_compare_exchange_strong &&
3703 Op <= AtomicExpr::AO__hip_atomic_store;
3704 bool IsScoped = Op >= AtomicExpr::AO__scoped_atomic_add_fetch &&
3705 Op <= AtomicExpr::AO__scoped_atomic_xor_fetch;
3706 bool IsC11 = (Op >= AtomicExpr::AO__c11_atomic_compare_exchange_strong &&
3707 Op <= AtomicExpr::AO__c11_atomic_store) ||
3708 IsOpenCL;
3709 bool IsN = Op == AtomicExpr::AO__atomic_load_n ||
3710 Op == AtomicExpr::AO__atomic_store_n ||
3711 Op == AtomicExpr::AO__atomic_exchange_n ||
3712 Op == AtomicExpr::AO__atomic_compare_exchange_n ||
3713 Op == AtomicExpr::AO__scoped_atomic_load_n ||
3714 Op == AtomicExpr::AO__scoped_atomic_store_n ||
3715 Op == AtomicExpr::AO__scoped_atomic_exchange_n ||
3716 Op == AtomicExpr::AO__scoped_atomic_compare_exchange_n;
3717 // Bit mask for extra allowed value types other than integers for atomic
3718 // arithmetic operations. Add/sub allow pointer and floating point. Min/max
3719 // allow floating point.
3720 enum ArithOpExtraValueType {
3721 AOEVT_None = 0,
3722 AOEVT_Pointer = 1,
3723 AOEVT_FP = 2,
3724 };
3725 unsigned ArithAllows = AOEVT_None;
3726
3727 switch (Op) {
3728 case AtomicExpr::AO__c11_atomic_init:
3729 case AtomicExpr::AO__opencl_atomic_init:
3730 Form = Init;
3731 break;
3732
3733 case AtomicExpr::AO__c11_atomic_load:
3734 case AtomicExpr::AO__opencl_atomic_load:
3735 case AtomicExpr::AO__hip_atomic_load:
3736 case AtomicExpr::AO__atomic_load_n:
3737 case AtomicExpr::AO__scoped_atomic_load_n:
3738 Form = Load;
3739 break;
3740
3741 case AtomicExpr::AO__atomic_load:
3742 case AtomicExpr::AO__scoped_atomic_load:
3743 Form = LoadCopy;
3744 break;
3745
3746 case AtomicExpr::AO__c11_atomic_store:
3747 case AtomicExpr::AO__opencl_atomic_store:
3748 case AtomicExpr::AO__hip_atomic_store:
3749 case AtomicExpr::AO__atomic_store:
3750 case AtomicExpr::AO__atomic_store_n:
3751 case AtomicExpr::AO__scoped_atomic_store:
3752 case AtomicExpr::AO__scoped_atomic_store_n:
3753 Form = Copy;
3754 break;
3755 case AtomicExpr::AO__atomic_fetch_add:
3756 case AtomicExpr::AO__atomic_fetch_sub:
3757 case AtomicExpr::AO__atomic_add_fetch:
3758 case AtomicExpr::AO__atomic_sub_fetch:
3759 case AtomicExpr::AO__scoped_atomic_fetch_add:
3760 case AtomicExpr::AO__scoped_atomic_fetch_sub:
3761 case AtomicExpr::AO__scoped_atomic_add_fetch:
3762 case AtomicExpr::AO__scoped_atomic_sub_fetch:
3763 case AtomicExpr::AO__c11_atomic_fetch_add:
3764 case AtomicExpr::AO__c11_atomic_fetch_sub:
3765 case AtomicExpr::AO__opencl_atomic_fetch_add:
3766 case AtomicExpr::AO__opencl_atomic_fetch_sub:
3767 case AtomicExpr::AO__hip_atomic_fetch_add:
3768 case AtomicExpr::AO__hip_atomic_fetch_sub:
3769 ArithAllows = AOEVT_Pointer | AOEVT_FP;
3770 Form = Arithmetic;
3771 break;
3772 case AtomicExpr::AO__atomic_fetch_max:
3773 case AtomicExpr::AO__atomic_fetch_min:
3774 case AtomicExpr::AO__atomic_max_fetch:
3775 case AtomicExpr::AO__atomic_min_fetch:
3776 case AtomicExpr::AO__scoped_atomic_fetch_max:
3777 case AtomicExpr::AO__scoped_atomic_fetch_min:
3778 case AtomicExpr::AO__scoped_atomic_max_fetch:
3779 case AtomicExpr::AO__scoped_atomic_min_fetch:
3780 case AtomicExpr::AO__c11_atomic_fetch_max:
3781 case AtomicExpr::AO__c11_atomic_fetch_min:
3782 case AtomicExpr::AO__opencl_atomic_fetch_max:
3783 case AtomicExpr::AO__opencl_atomic_fetch_min:
3784 case AtomicExpr::AO__hip_atomic_fetch_max:
3785 case AtomicExpr::AO__hip_atomic_fetch_min:
3786 ArithAllows = AOEVT_FP;
3787 Form = Arithmetic;
3788 break;
3789 case AtomicExpr::AO__c11_atomic_fetch_and:
3790 case AtomicExpr::AO__c11_atomic_fetch_or:
3791 case AtomicExpr::AO__c11_atomic_fetch_xor:
3792 case AtomicExpr::AO__hip_atomic_fetch_and:
3793 case AtomicExpr::AO__hip_atomic_fetch_or:
3794 case AtomicExpr::AO__hip_atomic_fetch_xor:
3795 case AtomicExpr::AO__c11_atomic_fetch_nand:
3796 case AtomicExpr::AO__opencl_atomic_fetch_and:
3797 case AtomicExpr::AO__opencl_atomic_fetch_or:
3798 case AtomicExpr::AO__opencl_atomic_fetch_xor:
3799 case AtomicExpr::AO__atomic_fetch_and:
3800 case AtomicExpr::AO__atomic_fetch_or:
3801 case AtomicExpr::AO__atomic_fetch_xor:
3802 case AtomicExpr::AO__atomic_fetch_nand:
3803 case AtomicExpr::AO__atomic_and_fetch:
3804 case AtomicExpr::AO__atomic_or_fetch:
3805 case AtomicExpr::AO__atomic_xor_fetch:
3806 case AtomicExpr::AO__atomic_nand_fetch:
3807 case AtomicExpr::AO__scoped_atomic_fetch_and:
3808 case AtomicExpr::AO__scoped_atomic_fetch_or:
3809 case AtomicExpr::AO__scoped_atomic_fetch_xor:
3810 case AtomicExpr::AO__scoped_atomic_fetch_nand:
3811 case AtomicExpr::AO__scoped_atomic_and_fetch:
3812 case AtomicExpr::AO__scoped_atomic_or_fetch:
3813 case AtomicExpr::AO__scoped_atomic_xor_fetch:
3814 case AtomicExpr::AO__scoped_atomic_nand_fetch:
3815 Form = Arithmetic;
3816 break;
3817
3818 case AtomicExpr::AO__c11_atomic_exchange:
3819 case AtomicExpr::AO__hip_atomic_exchange:
3820 case AtomicExpr::AO__opencl_atomic_exchange:
3821 case AtomicExpr::AO__atomic_exchange_n:
3822 case AtomicExpr::AO__scoped_atomic_exchange_n:
3823 Form = Xchg;
3824 break;
3825
3826 case AtomicExpr::AO__atomic_exchange:
3827 case AtomicExpr::AO__scoped_atomic_exchange:
3828 Form = GNUXchg;
3829 break;
3830
3831 case AtomicExpr::AO__c11_atomic_compare_exchange_strong:
3832 case AtomicExpr::AO__c11_atomic_compare_exchange_weak:
3833 case AtomicExpr::AO__hip_atomic_compare_exchange_strong:
3834 case AtomicExpr::AO__opencl_atomic_compare_exchange_strong:
3835 case AtomicExpr::AO__opencl_atomic_compare_exchange_weak:
3836 case AtomicExpr::AO__hip_atomic_compare_exchange_weak:
3837 Form = C11CmpXchg;
3838 break;
3839
3840 case AtomicExpr::AO__atomic_compare_exchange:
3841 case AtomicExpr::AO__atomic_compare_exchange_n:
3842 case AtomicExpr::AO__scoped_atomic_compare_exchange:
3843 case AtomicExpr::AO__scoped_atomic_compare_exchange_n:
3844 Form = GNUCmpXchg;
3845 break;
3846 }
3847
3848 unsigned AdjustedNumArgs = NumArgs[Form];
3849 if ((IsOpenCL || IsHIP || IsScoped) &&
3850 Op != AtomicExpr::AO__opencl_atomic_init)
3851 ++AdjustedNumArgs;
3852 // Check we have the right number of arguments.
3853 if (Args.size() < AdjustedNumArgs) {
3854 Diag(CallRange.getEnd(), diag::err_typecheck_call_too_few_args)
3855 << 0 << AdjustedNumArgs << static_cast<unsigned>(Args.size())
3856 << /*is non object*/ 0 << ExprRange;
3857 return ExprError();
3858 } else if (Args.size() > AdjustedNumArgs) {
3859 Diag(Args[AdjustedNumArgs]->getBeginLoc(),
3860 diag::err_typecheck_call_too_many_args)
3861 << 0 << AdjustedNumArgs << static_cast<unsigned>(Args.size())
3862 << /*is non object*/ 0 << ExprRange;
3863 return ExprError();
3864 }
3865
3866 // Inspect the first argument of the atomic operation.
3867 Expr *Ptr = Args[0];
3868 ExprResult ConvertedPtr = DefaultFunctionArrayLvalueConversion(Ptr);
3869 if (ConvertedPtr.isInvalid())
3870 return ExprError();
3871
3872 Ptr = ConvertedPtr.get();
3873 const PointerType *pointerType = Ptr->getType()->getAs<PointerType>();
3874 if (!pointerType) {
3875 Diag(ExprRange.getBegin(), diag::err_atomic_builtin_must_be_pointer)
3876 << Ptr->getType() << 0 << Ptr->getSourceRange();
3877 return ExprError();
3878 }
3879
3880 // For a __c11 builtin, this should be a pointer to an _Atomic type.
3881 QualType AtomTy = pointerType->getPointeeType(); // 'A'
3882 QualType ValType = AtomTy; // 'C'
3883 if (IsC11) {
3884 if (!AtomTy->isAtomicType()) {
3885 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_atomic)
3886 << Ptr->getType() << Ptr->getSourceRange();
3887 return ExprError();
3888 }
3889 if ((Form != Load && Form != LoadCopy && AtomTy.isConstQualified()) ||
3890 AtomTy.getAddressSpace() == LangAS::opencl_constant) {
3891 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_non_const_atomic)
3892 << (AtomTy.isConstQualified() ? 0 : 1) << Ptr->getType()
3893 << Ptr->getSourceRange();
3894 return ExprError();
3895 }
3896 ValType = AtomTy->castAs<AtomicType>()->getValueType();
3897 } else if (Form != Load && Form != LoadCopy) {
3898 if (ValType.isConstQualified()) {
3899 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_non_const_pointer)
3900 << Ptr->getType() << Ptr->getSourceRange();
3901 return ExprError();
3902 }
3903 }
3904
3905 // Pointer to object of size zero is not allowed.
3906 if (RequireCompleteType(Ptr->getBeginLoc(), AtomTy,
3907 diag::err_incomplete_type))
3908 return ExprError();
3909 if (Context.getTypeInfoInChars(AtomTy).Width.isZero()) {
3910 Diag(ExprRange.getBegin(), diag::err_atomic_builtin_must_be_pointer)
3911 << Ptr->getType() << 1 << Ptr->getSourceRange();
3912 return ExprError();
3913 }
3914
3915 // For an arithmetic operation, the implied arithmetic must be well-formed.
3916 if (Form == Arithmetic) {
3917 // GCC does not enforce these rules for GNU atomics, but we do to help catch
3918 // trivial type errors.
3919 auto IsAllowedValueType = [&](QualType ValType,
3920 unsigned AllowedType) -> bool {
3921 if (ValType->isIntegerType())
3922 return true;
3923 if (ValType->isPointerType())
3924 return AllowedType & AOEVT_Pointer;
3925 if (!(ValType->isFloatingType() && (AllowedType & AOEVT_FP)))
3926 return false;
3927 // LLVM Parser does not allow atomicrmw with x86_fp80 type.
3928 if (ValType->isSpecificBuiltinType(BuiltinType::LongDouble) &&
3929 &Context.getTargetInfo().getLongDoubleFormat() ==
3930 &llvm::APFloat::x87DoubleExtended())
3931 return false;
3932 return true;
3933 };
3934 if (!IsAllowedValueType(ValType, ArithAllows)) {
3935 auto DID = ArithAllows & AOEVT_FP
3936 ? (ArithAllows & AOEVT_Pointer
3937 ? diag::err_atomic_op_needs_atomic_int_ptr_or_fp
3938 : diag::err_atomic_op_needs_atomic_int_or_fp)
3939 : diag::err_atomic_op_needs_atomic_int;
3940 Diag(ExprRange.getBegin(), DID)
3941 << IsC11 << Ptr->getType() << Ptr->getSourceRange();
3942 return ExprError();
3943 }
3944 if (IsC11 && ValType->isPointerType() &&
3945 RequireCompleteType(Ptr->getBeginLoc(), ValType->getPointeeType(),
3946 diag::err_incomplete_type)) {
3947 return ExprError();
3948 }
3949 } else if (IsN && !ValType->isIntegerType() && !ValType->isPointerType()) {
3950 // For __atomic_*_n operations, the value type must be a scalar integral or
3951 // pointer type which is 1, 2, 4, 8 or 16 bytes in length.
3952 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_atomic_int_or_ptr)
3953 << IsC11 << Ptr->getType() << Ptr->getSourceRange();
3954 return ExprError();
3955 }
3956
3957 if (!IsC11 && !AtomTy.isTriviallyCopyableType(Context) &&
3958 !AtomTy->isScalarType()) {
3959 // For GNU atomics, require a trivially-copyable type. This is not part of
3960 // the GNU atomics specification but we enforce it for consistency with
3961 // other atomics which generally all require a trivially-copyable type. This
3962 // is because atomics just copy bits.
3963 Diag(ExprRange.getBegin(), diag::err_atomic_op_needs_trivial_copy)
3964 << Ptr->getType() << Ptr->getSourceRange();
3965 return ExprError();
3966 }
3967
3968 switch (ValType.getObjCLifetime()) {
3969 case Qualifiers::OCL_None:
3970 case Qualifiers::OCL_ExplicitNone:
3971 // okay
3972 break;
3973
3974 case Qualifiers::OCL_Weak:
3975 case Qualifiers::OCL_Strong:
3976 case Qualifiers::OCL_Autoreleasing:
3977 // FIXME: Can this happen? By this point, ValType should be known
3978 // to be trivially copyable.
3979 Diag(ExprRange.getBegin(), diag::err_arc_atomic_ownership)
3980 << ValType << Ptr->getSourceRange();
3981 return ExprError();
3982 }
3983
3984 // All atomic operations have an overload which takes a pointer to a volatile
3985 // 'A'. We shouldn't let the volatile-ness of the pointee-type inject itself
3986 // into the result or the other operands. Similarly atomic_load takes a
3987 // pointer to a const 'A'.
3988 ValType.removeLocalVolatile();
3989 ValType.removeLocalConst();
3990 QualType ResultType = ValType;
3991 if (Form == Copy || Form == LoadCopy || Form == GNUXchg ||
3992 Form == Init)
3993 ResultType = Context.VoidTy;
3994 else if (Form == C11CmpXchg || Form == GNUCmpXchg)
3995 ResultType = Context.BoolTy;
3996
3997 // The type of a parameter passed 'by value'. In the GNU atomics, such
3998 // arguments are actually passed as pointers.
3999 QualType ByValType = ValType; // 'CP'
4000 bool IsPassedByAddress = false;
4001 if (!IsC11 && !IsHIP && !IsN) {
4002 ByValType = Ptr->getType();
4003 IsPassedByAddress = true;
4004 }
4005
4006 SmallVector<Expr *, 5> APIOrderedArgs;
4007 if (ArgOrder == Sema::AtomicArgumentOrder::AST) {
4008 APIOrderedArgs.push_back(Args[0]);
4009 switch (Form) {
4010 case Init:
4011 case Load:
4012 APIOrderedArgs.push_back(Args[1]); // Val1/Order
4013 break;
4014 case LoadCopy:
4015 case Copy:
4016 case Arithmetic:
4017 case Xchg:
4018 APIOrderedArgs.push_back(Args[2]); // Val1
4019 APIOrderedArgs.push_back(Args[1]); // Order
4020 break;
4021 case GNUXchg:
4022 APIOrderedArgs.push_back(Args[2]); // Val1
4023 APIOrderedArgs.push_back(Args[3]); // Val2
4024 APIOrderedArgs.push_back(Args[1]); // Order
4025 break;
4026 case C11CmpXchg:
4027 APIOrderedArgs.push_back(Args[2]); // Val1
4028 APIOrderedArgs.push_back(Args[4]); // Val2
4029 APIOrderedArgs.push_back(Args[1]); // Order
4030 APIOrderedArgs.push_back(Args[3]); // OrderFail
4031 break;
4032 case GNUCmpXchg:
4033 APIOrderedArgs.push_back(Args[2]); // Val1
4034 APIOrderedArgs.push_back(Args[4]); // Val2
4035 APIOrderedArgs.push_back(Args[5]); // Weak
4036 APIOrderedArgs.push_back(Args[1]); // Order
4037 APIOrderedArgs.push_back(Args[3]); // OrderFail
4038 break;
4039 }
4040 } else
4041 APIOrderedArgs.append(Args.begin(), Args.end());
4042
4043 // The first argument's non-CV pointer type is used to deduce the type of
4044 // subsequent arguments, except for:
4045 // - weak flag (always converted to bool)
4046 // - memory order (always converted to int)
4047 // - scope (always converted to int)
4048 for (unsigned i = 0; i != APIOrderedArgs.size(); ++i) {
4049 QualType Ty;
4050 if (i < NumVals[Form] + 1) {
4051 switch (i) {
4052 case 0:
4053 // The first argument is always a pointer. It has a fixed type.
4054 // It is always dereferenced, a nullptr is undefined.
4055 CheckNonNullArgument(*this, APIOrderedArgs[i], ExprRange.getBegin());
4056 // Nothing else to do: we already know all we want about this pointer.
4057 continue;
4058 case 1:
4059 // The second argument is the non-atomic operand. For arithmetic, this
4060 // is always passed by value, and for a compare_exchange it is always
4061 // passed by address. For the rest, GNU uses by-address and C11 uses
4062 // by-value.
4063 assert(Form != Load);
4064 if (Form == Arithmetic && ValType->isPointerType())
4065 Ty = Context.getPointerDiffType();
4066 else if (Form == Init || Form == Arithmetic)
4067 Ty = ValType;
4068 else if (Form == Copy || Form == Xchg) {
4069 if (IsPassedByAddress) {
4070 // The value pointer is always dereferenced, a nullptr is undefined.
4071 CheckNonNullArgument(*this, APIOrderedArgs[i],
4072 ExprRange.getBegin());
4073 }
4074 Ty = ByValType;
4075 } else {
4076 Expr *ValArg = APIOrderedArgs[i];
4077 // The value pointer is always dereferenced, a nullptr is undefined.
4078 CheckNonNullArgument(*this, ValArg, ExprRange.getBegin());
4079 LangAS AS = LangAS::Default;
4080 // Keep address space of non-atomic pointer type.
4081 if (const PointerType *PtrTy =
4082 ValArg->getType()->getAs<PointerType>()) {
4083 AS = PtrTy->getPointeeType().getAddressSpace();
4084 }
4085 Ty = Context.getPointerType(
4086 Context.getAddrSpaceQualType(ValType.getUnqualifiedType(), AS));
4087 }
4088 break;
4089 case 2:
4090 // The third argument to compare_exchange / GNU exchange is the desired
4091 // value, either by-value (for the C11 and *_n variant) or as a pointer.
4092 if (IsPassedByAddress)
4093 CheckNonNullArgument(*this, APIOrderedArgs[i], ExprRange.getBegin());
4094 Ty = ByValType;
4095 break;
4096 case 3:
4097 // The fourth argument to GNU compare_exchange is a 'weak' flag.
4098 Ty = Context.BoolTy;
4099 break;
4100 }
4101 } else {
4102 // The order(s) and scope are always converted to int.
4103 Ty = Context.IntTy;
4104 }
4105
4106 InitializedEntity Entity =
4107 InitializedEntity::InitializeParameter(Context, Ty, false);
4108 ExprResult Arg = APIOrderedArgs[i];
4109 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
4110 if (Arg.isInvalid())
4111 return true;
4112 APIOrderedArgs[i] = Arg.get();
4113 }
4114
4115 // Permute the arguments into a 'consistent' order.
4116 SmallVector<Expr*, 5> SubExprs;
4117 SubExprs.push_back(Ptr);
4118 switch (Form) {
4119 case Init:
4120 // Note, AtomicExpr::getVal1() has a special case for this atomic.
4121 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4122 break;
4123 case Load:
4124 SubExprs.push_back(APIOrderedArgs[1]); // Order
4125 break;
4126 case LoadCopy:
4127 case Copy:
4128 case Arithmetic:
4129 case Xchg:
4130 SubExprs.push_back(APIOrderedArgs[2]); // Order
4131 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4132 break;
4133 case GNUXchg:
4134 // Note, AtomicExpr::getVal2() has a special case for this atomic.
4135 SubExprs.push_back(APIOrderedArgs[3]); // Order
4136 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4137 SubExprs.push_back(APIOrderedArgs[2]); // Val2
4138 break;
4139 case C11CmpXchg:
4140 SubExprs.push_back(APIOrderedArgs[3]); // Order
4141 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4142 SubExprs.push_back(APIOrderedArgs[4]); // OrderFail
4143 SubExprs.push_back(APIOrderedArgs[2]); // Val2
4144 break;
4145 case GNUCmpXchg:
4146 SubExprs.push_back(APIOrderedArgs[4]); // Order
4147 SubExprs.push_back(APIOrderedArgs[1]); // Val1
4148 SubExprs.push_back(APIOrderedArgs[5]); // OrderFail
4149 SubExprs.push_back(APIOrderedArgs[2]); // Val2
4150 SubExprs.push_back(APIOrderedArgs[3]); // Weak
4151 break;
4152 }
4153
4154 // If the memory orders are constants, check they are valid.
4155 if (SubExprs.size() >= 2 && Form != Init) {
4156 std::optional<llvm::APSInt> Success =
4157 SubExprs[1]->getIntegerConstantExpr(Context);
4158 if (Success && !isValidOrderingForOp(Success->getSExtValue(), Op)) {
4159 Diag(SubExprs[1]->getBeginLoc(),
4160 diag::warn_atomic_op_has_invalid_memory_order)
4161 << /*success=*/(Form == C11CmpXchg || Form == GNUCmpXchg)
4162 << SubExprs[1]->getSourceRange();
4163 }
4164 if (SubExprs.size() >= 5) {
4165 if (std::optional<llvm::APSInt> Failure =
4166 SubExprs[3]->getIntegerConstantExpr(Context)) {
4167 if (!llvm::is_contained(
4168 {llvm::AtomicOrderingCABI::relaxed,
4169 llvm::AtomicOrderingCABI::consume,
4170 llvm::AtomicOrderingCABI::acquire,
4171 llvm::AtomicOrderingCABI::seq_cst},
4172 (llvm::AtomicOrderingCABI)Failure->getSExtValue())) {
4173 Diag(SubExprs[3]->getBeginLoc(),
4174 diag::warn_atomic_op_has_invalid_memory_order)
4175 << /*failure=*/2 << SubExprs[3]->getSourceRange();
4176 }
4177 }
4178 }
4179 }
4180
4181 if (auto ScopeModel = AtomicExpr::getScopeModel(Op)) {
4182 auto *Scope = Args[Args.size() - 1];
4183 if (std::optional<llvm::APSInt> Result =
4184 Scope->getIntegerConstantExpr(Context)) {
4185 if (!ScopeModel->isValid(Result->getZExtValue()))
4186 Diag(Scope->getBeginLoc(), diag::err_atomic_op_has_invalid_synch_scope)
4187 << Scope->getSourceRange();
4188 }
4189 SubExprs.push_back(Scope);
4190 }
4191
4192 AtomicExpr *AE = new (Context)
4193 AtomicExpr(ExprRange.getBegin(), SubExprs, ResultType, Op, RParenLoc);
4194
4195 if ((Op == AtomicExpr::AO__c11_atomic_load ||
4196 Op == AtomicExpr::AO__c11_atomic_store ||
4197 Op == AtomicExpr::AO__opencl_atomic_load ||
4198 Op == AtomicExpr::AO__hip_atomic_load ||
4199 Op == AtomicExpr::AO__opencl_atomic_store ||
4200 Op == AtomicExpr::AO__hip_atomic_store) &&
4201 Context.AtomicUsesUnsupportedLibcall(AE))
4202 Diag(AE->getBeginLoc(), diag::err_atomic_load_store_uses_lib)
4203 << ((Op == AtomicExpr::AO__c11_atomic_load ||
4204 Op == AtomicExpr::AO__opencl_atomic_load ||
4205 Op == AtomicExpr::AO__hip_atomic_load)
4206 ? 0
4207 : 1);
4208
4209 if (ValType->isBitIntType()) {
4210 Diag(Ptr->getExprLoc(), diag::err_atomic_builtin_bit_int_prohibit);
4211 return ExprError();
4212 }
4213
4214 return AE;
4215 }
4216
4217 /// checkBuiltinArgument - Given a call to a builtin function, perform
4218 /// normal type-checking on the given argument, updating the call in
4219 /// place. This is useful when a builtin function requires custom
4220 /// type-checking for some of its arguments but not necessarily all of
4221 /// them.
4222 ///
4223 /// Returns true on error.
4224 static bool checkBuiltinArgument(Sema &S, CallExpr *E, unsigned ArgIndex) {
4225 FunctionDecl *Fn = E->getDirectCallee();
4226 assert(Fn && "builtin call without direct callee!");
4227
4228 ParmVarDecl *Param = Fn->getParamDecl(ArgIndex);
4229 InitializedEntity Entity =
4230 InitializedEntity::InitializeParameter(S.Context, Param);
4231
4232 ExprResult Arg = E->getArg(ArgIndex);
4233 Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg);
4234 if (Arg.isInvalid())
4235 return true;
4236
4237 E->setArg(ArgIndex, Arg.get());
4238 return false;
4239 }
4240
4241 ExprResult Sema::BuiltinAtomicOverloaded(ExprResult TheCallResult) {
4242 CallExpr *TheCall = static_cast<CallExpr *>(TheCallResult.get());
4243 Expr *Callee = TheCall->getCallee();
4244 DeclRefExpr *DRE = cast<DeclRefExpr>(Callee->IgnoreParenCasts());
4245 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
4246
4247 // Ensure that we have at least one argument to do type inference from.
4248 if (TheCall->getNumArgs() < 1) {
4249 Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
4250 << 0 << 1 << TheCall->getNumArgs() << /*is non object*/ 0
4251 << Callee->getSourceRange();
4252 return ExprError();
4253 }
4254
4255 // Inspect the first argument of the atomic builtin. This should always be
4256 // a pointer type, whose element is an integral scalar or pointer type.
4257 // Because it is a pointer type, we don't have to worry about any implicit
4258 // casts here.
4259 // FIXME: We don't allow floating point scalars as input.
4260 Expr *FirstArg = TheCall->getArg(0);
4261 ExprResult FirstArgResult = DefaultFunctionArrayLvalueConversion(FirstArg);
4262 if (FirstArgResult.isInvalid())
4263 return ExprError();
4264 FirstArg = FirstArgResult.get();
4265 TheCall->setArg(0, FirstArg);
4266
4267 const PointerType *pointerType = FirstArg->getType()->getAs<PointerType>();
4268 if (!pointerType) {
4269 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_must_be_pointer)
4270 << FirstArg->getType() << 0 << FirstArg->getSourceRange();
4271 return ExprError();
4272 }
4273
4274 QualType ValType = pointerType->getPointeeType();
4275 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
4276 !ValType->isBlockPointerType()) {
4277 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_must_be_pointer_intptr)
4278 << FirstArg->getType() << 0 << FirstArg->getSourceRange();
4279 return ExprError();
4280 }
4281
4282 if (ValType.isConstQualified()) {
4283 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_cannot_be_const)
4284 << FirstArg->getType() << FirstArg->getSourceRange();
4285 return ExprError();
4286 }
4287
4288 switch (ValType.getObjCLifetime()) {
4289 case Qualifiers::OCL_None:
4290 case Qualifiers::OCL_ExplicitNone:
4291 // okay
4292 break;
4293
4294 case Qualifiers::OCL_Weak:
4295 case Qualifiers::OCL_Strong:
4296 case Qualifiers::OCL_Autoreleasing:
4297 Diag(DRE->getBeginLoc(), diag::err_arc_atomic_ownership)
4298 << ValType << FirstArg->getSourceRange();
4299 return ExprError();
4300 }
4301
4302 // Strip any qualifiers off ValType.
4303 ValType = ValType.getUnqualifiedType();
4304
4305 // The majority of builtins return a value, but a few have special return
4306 // types, so allow them to override appropriately below.
4307 QualType ResultType = ValType;
4308
4309 // We need to figure out which concrete builtin this maps onto. For example,
4310 // __sync_fetch_and_add with a 2 byte object turns into
4311 // __sync_fetch_and_add_2.
4312 #define BUILTIN_ROW(x) \
4313 { Builtin::BI##x##_1, Builtin::BI##x##_2, Builtin::BI##x##_4, \
4314 Builtin::BI##x##_8, Builtin::BI##x##_16 }
4315
4316 static const unsigned BuiltinIndices[][5] = {
4317 BUILTIN_ROW(__sync_fetch_and_add),
4318 BUILTIN_ROW(__sync_fetch_and_sub),
4319 BUILTIN_ROW(__sync_fetch_and_or),
4320 BUILTIN_ROW(__sync_fetch_and_and),
4321 BUILTIN_ROW(__sync_fetch_and_xor),
4322 BUILTIN_ROW(__sync_fetch_and_nand),
4323
4324 BUILTIN_ROW(__sync_add_and_fetch),
4325 BUILTIN_ROW(__sync_sub_and_fetch),
4326 BUILTIN_ROW(__sync_and_and_fetch),
4327 BUILTIN_ROW(__sync_or_and_fetch),
4328 BUILTIN_ROW(__sync_xor_and_fetch),
4329 BUILTIN_ROW(__sync_nand_and_fetch),
4330
4331 BUILTIN_ROW(__sync_val_compare_and_swap),
4332 BUILTIN_ROW(__sync_bool_compare_and_swap),
4333 BUILTIN_ROW(__sync_lock_test_and_set),
4334 BUILTIN_ROW(__sync_lock_release),
4335 BUILTIN_ROW(__sync_swap)
4336 };
4337 #undef BUILTIN_ROW
4338
4339 // Determine the index of the size.
4340 unsigned SizeIndex;
4341 switch (Context.getTypeSizeInChars(ValType).getQuantity()) {
4342 case 1: SizeIndex = 0; break;
4343 case 2: SizeIndex = 1; break;
4344 case 4: SizeIndex = 2; break;
4345 case 8: SizeIndex = 3; break;
4346 case 16: SizeIndex = 4; break;
4347 default:
4348 Diag(DRE->getBeginLoc(), diag::err_atomic_builtin_pointer_size)
4349 << FirstArg->getType() << FirstArg->getSourceRange();
4350 return ExprError();
4351 }
4352
4353 // Each of these builtins has one pointer argument, followed by some number of
4354 // values (0, 1 or 2) followed by a potentially empty varags list of stuff
4355 // that we ignore. Find out which row of BuiltinIndices to read from as well
4356 // as the number of fixed args.
4357 unsigned BuiltinID = FDecl->getBuiltinID();
4358 unsigned BuiltinIndex, NumFixed = 1;
4359 bool WarnAboutSemanticsChange = false;
4360 switch (BuiltinID) {
4361 default: llvm_unreachable("Unknown overloaded atomic builtin!");
4362 case Builtin::BI__sync_fetch_and_add:
4363 case Builtin::BI__sync_fetch_and_add_1:
4364 case Builtin::BI__sync_fetch_and_add_2:
4365 case Builtin::BI__sync_fetch_and_add_4:
4366 case Builtin::BI__sync_fetch_and_add_8:
4367 case Builtin::BI__sync_fetch_and_add_16:
4368 BuiltinIndex = 0;
4369 break;
4370
4371 case Builtin::BI__sync_fetch_and_sub:
4372 case Builtin::BI__sync_fetch_and_sub_1:
4373 case Builtin::BI__sync_fetch_and_sub_2:
4374 case Builtin::BI__sync_fetch_and_sub_4:
4375 case Builtin::BI__sync_fetch_and_sub_8:
4376 case Builtin::BI__sync_fetch_and_sub_16:
4377 BuiltinIndex = 1;
4378 break;
4379
4380 case Builtin::BI__sync_fetch_and_or:
4381 case Builtin::BI__sync_fetch_and_or_1:
4382 case Builtin::BI__sync_fetch_and_or_2:
4383 case Builtin::BI__sync_fetch_and_or_4:
4384 case Builtin::BI__sync_fetch_and_or_8:
4385 case Builtin::BI__sync_fetch_and_or_16:
4386 BuiltinIndex = 2;
4387 break;
4388
4389 case Builtin::BI__sync_fetch_and_and:
4390 case Builtin::BI__sync_fetch_and_and_1:
4391 case Builtin::BI__sync_fetch_and_and_2:
4392 case Builtin::BI__sync_fetch_and_and_4:
4393 case Builtin::BI__sync_fetch_and_and_8:
4394 case Builtin::BI__sync_fetch_and_and_16:
4395 BuiltinIndex = 3;
4396 break;
4397
4398 case Builtin::BI__sync_fetch_and_xor:
4399 case Builtin::BI__sync_fetch_and_xor_1:
4400 case Builtin::BI__sync_fetch_and_xor_2:
4401 case Builtin::BI__sync_fetch_and_xor_4:
4402 case Builtin::BI__sync_fetch_and_xor_8:
4403 case Builtin::BI__sync_fetch_and_xor_16:
4404 BuiltinIndex = 4;
4405 break;
4406
4407 case Builtin::BI__sync_fetch_and_nand:
4408 case Builtin::BI__sync_fetch_and_nand_1:
4409 case Builtin::BI__sync_fetch_and_nand_2:
4410 case Builtin::BI__sync_fetch_and_nand_4:
4411 case Builtin::BI__sync_fetch_and_nand_8:
4412 case Builtin::BI__sync_fetch_and_nand_16:
4413 BuiltinIndex = 5;
4414 WarnAboutSemanticsChange = true;
4415 break;
4416
4417 case Builtin::BI__sync_add_and_fetch:
4418 case Builtin::BI__sync_add_and_fetch_1:
4419 case Builtin::BI__sync_add_and_fetch_2:
4420 case Builtin::BI__sync_add_and_fetch_4:
4421 case Builtin::BI__sync_add_and_fetch_8:
4422 case Builtin::BI__sync_add_and_fetch_16:
4423 BuiltinIndex = 6;
4424 break;
4425
4426 case Builtin::BI__sync_sub_and_fetch:
4427 case Builtin::BI__sync_sub_and_fetch_1:
4428 case Builtin::BI__sync_sub_and_fetch_2:
4429 case Builtin::BI__sync_sub_and_fetch_4:
4430 case Builtin::BI__sync_sub_and_fetch_8:
4431 case Builtin::BI__sync_sub_and_fetch_16:
4432 BuiltinIndex = 7;
4433 break;
4434
4435 case Builtin::BI__sync_and_and_fetch:
4436 case Builtin::BI__sync_and_and_fetch_1:
4437 case Builtin::BI__sync_and_and_fetch_2:
4438 case Builtin::BI__sync_and_and_fetch_4:
4439 case Builtin::BI__sync_and_and_fetch_8:
4440 case Builtin::BI__sync_and_and_fetch_16:
4441 BuiltinIndex = 8;
4442 break;
4443
4444 case Builtin::BI__sync_or_and_fetch:
4445 case Builtin::BI__sync_or_and_fetch_1:
4446 case Builtin::BI__sync_or_and_fetch_2:
4447 case Builtin::BI__sync_or_and_fetch_4:
4448 case Builtin::BI__sync_or_and_fetch_8:
4449 case Builtin::BI__sync_or_and_fetch_16:
4450 BuiltinIndex = 9;
4451 break;
4452
4453 case Builtin::BI__sync_xor_and_fetch:
4454 case Builtin::BI__sync_xor_and_fetch_1:
4455 case Builtin::BI__sync_xor_and_fetch_2:
4456 case Builtin::BI__sync_xor_and_fetch_4:
4457 case Builtin::BI__sync_xor_and_fetch_8:
4458 case Builtin::BI__sync_xor_and_fetch_16:
4459 BuiltinIndex = 10;
4460 break;
4461
4462 case Builtin::BI__sync_nand_and_fetch:
4463 case Builtin::BI__sync_nand_and_fetch_1:
4464 case Builtin::BI__sync_nand_and_fetch_2:
4465 case Builtin::BI__sync_nand_and_fetch_4:
4466 case Builtin::BI__sync_nand_and_fetch_8:
4467 case Builtin::BI__sync_nand_and_fetch_16:
4468 BuiltinIndex = 11;
4469 WarnAboutSemanticsChange = true;
4470 break;
4471
4472 case Builtin::BI__sync_val_compare_and_swap:
4473 case Builtin::BI__sync_val_compare_and_swap_1:
4474 case Builtin::BI__sync_val_compare_and_swap_2:
4475 case Builtin::BI__sync_val_compare_and_swap_4:
4476 case Builtin::BI__sync_val_compare_and_swap_8:
4477 case Builtin::BI__sync_val_compare_and_swap_16:
4478 BuiltinIndex = 12;
4479 NumFixed = 2;
4480 break;
4481
4482 case Builtin::BI__sync_bool_compare_and_swap:
4483 case Builtin::BI__sync_bool_compare_and_swap_1:
4484 case Builtin::BI__sync_bool_compare_and_swap_2:
4485 case Builtin::BI__sync_bool_compare_and_swap_4:
4486 case Builtin::BI__sync_bool_compare_and_swap_8:
4487 case Builtin::BI__sync_bool_compare_and_swap_16:
4488 BuiltinIndex = 13;
4489 NumFixed = 2;
4490 ResultType = Context.BoolTy;
4491 break;
4492
4493 case Builtin::BI__sync_lock_test_and_set:
4494 case Builtin::BI__sync_lock_test_and_set_1:
4495 case Builtin::BI__sync_lock_test_and_set_2:
4496 case Builtin::BI__sync_lock_test_and_set_4:
4497 case Builtin::BI__sync_lock_test_and_set_8:
4498 case Builtin::BI__sync_lock_test_and_set_16:
4499 BuiltinIndex = 14;
4500 break;
4501
4502 case Builtin::BI__sync_lock_release:
4503 case Builtin::BI__sync_lock_release_1:
4504 case Builtin::BI__sync_lock_release_2:
4505 case Builtin::BI__sync_lock_release_4:
4506 case Builtin::BI__sync_lock_release_8:
4507 case Builtin::BI__sync_lock_release_16:
4508 BuiltinIndex = 15;
4509 NumFixed = 0;
4510 ResultType = Context.VoidTy;
4511 break;
4512
4513 case Builtin::BI__sync_swap:
4514 case Builtin::BI__sync_swap_1:
4515 case Builtin::BI__sync_swap_2:
4516 case Builtin::BI__sync_swap_4:
4517 case Builtin::BI__sync_swap_8:
4518 case Builtin::BI__sync_swap_16:
4519 BuiltinIndex = 16;
4520 break;
4521 }
4522
4523 // Now that we know how many fixed arguments we expect, first check that we
4524 // have at least that many.
4525 if (TheCall->getNumArgs() < 1+NumFixed) {
4526 Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args_at_least)
4527 << 0 << 1 + NumFixed << TheCall->getNumArgs() << /*is non object*/ 0
4528 << Callee->getSourceRange();
4529 return ExprError();
4530 }
4531
4532 Diag(TheCall->getEndLoc(), diag::warn_atomic_implicit_seq_cst)
4533 << Callee->getSourceRange();
4534
4535 if (WarnAboutSemanticsChange) {
4536 Diag(TheCall->getEndLoc(), diag::warn_sync_fetch_and_nand_semantics_change)
4537 << Callee->getSourceRange();
4538 }
4539
4540 // Get the decl for the concrete builtin from this, we can tell what the
4541 // concrete integer type we should convert to is.
4542 unsigned NewBuiltinID = BuiltinIndices[BuiltinIndex][SizeIndex];
4543 StringRef NewBuiltinName = Context.BuiltinInfo.getName(NewBuiltinID);
4544 FunctionDecl *NewBuiltinDecl;
4545 if (NewBuiltinID == BuiltinID)
4546 NewBuiltinDecl = FDecl;
4547 else {
4548 // Perform builtin lookup to avoid redeclaring it.
4549 DeclarationName DN(&Context.Idents.get(NewBuiltinName));
4550 LookupResult Res(*this, DN, DRE->getBeginLoc(), LookupOrdinaryName);
4551 LookupName(Res, TUScope, /*AllowBuiltinCreation=*/true);
4552 assert(Res.getFoundDecl());
4553 NewBuiltinDecl = dyn_cast<FunctionDecl>(Res.getFoundDecl());
4554 if (!NewBuiltinDecl)
4555 return ExprError();
4556 }
4557
4558 // The first argument --- the pointer --- has a fixed type; we
4559 // deduce the types of the rest of the arguments accordingly. Walk
4560 // the remaining arguments, converting them to the deduced value type.
4561 for (unsigned i = 0; i != NumFixed; ++i) {
4562 ExprResult Arg = TheCall->getArg(i+1);
4563
4564 // GCC does an implicit conversion to the pointer or integer ValType. This
4565 // can fail in some cases (1i -> int**), check for this error case now.
4566 // Initialize the argument.
4567 InitializedEntity Entity = InitializedEntity::InitializeParameter(Context,
4568 ValType, /*consume*/ false);
4569 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
4570 if (Arg.isInvalid())
4571 return ExprError();
4572
4573 // Okay, we have something that *can* be converted to the right type. Check
4574 // to see if there is a potentially weird extension going on here. This can
4575 // happen when you do an atomic operation on something like an char* and
4576 // pass in 42. The 42 gets converted to char. This is even more strange
4577 // for things like 45.123 -> char, etc.
4578 // FIXME: Do this check.
4579 TheCall->setArg(i+1, Arg.get());
4580 }
4581
4582 // Create a new DeclRefExpr to refer to the new decl.
4583 DeclRefExpr *NewDRE = DeclRefExpr::Create(
4584 Context, DRE->getQualifierLoc(), SourceLocation(), NewBuiltinDecl,
4585 /*enclosing*/ false, DRE->getLocation(), Context.BuiltinFnTy,
4586 DRE->getValueKind(), nullptr, nullptr, DRE->isNonOdrUse());
4587
4588 // Set the callee in the CallExpr.
4589 // FIXME: This loses syntactic information.
4590 QualType CalleePtrTy = Context.getPointerType(NewBuiltinDecl->getType());
4591 ExprResult PromotedCall = ImpCastExprToType(NewDRE, CalleePtrTy,
4592 CK_BuiltinFnToFnPtr);
4593 TheCall->setCallee(PromotedCall.get());
4594
4595 // Change the result type of the call to match the original value type. This
4596 // is arbitrary, but the codegen for these builtins ins design to handle it
4597 // gracefully.
4598 TheCall->setType(ResultType);
4599
4600 // Prohibit problematic uses of bit-precise integer types with atomic
4601 // builtins. The arguments would have already been converted to the first
4602 // argument's type, so only need to check the first argument.
4603 const auto *BitIntValType = ValType->getAs<BitIntType>();
4604 if (BitIntValType && !llvm::isPowerOf2_64(BitIntValType->getNumBits())) {
4605 Diag(FirstArg->getExprLoc(), diag::err_atomic_builtin_ext_int_size);
4606 return ExprError();
4607 }
4608
4609 return TheCallResult;
4610 }
4611
4612 ExprResult Sema::BuiltinNontemporalOverloaded(ExprResult TheCallResult) {
4613 CallExpr *TheCall = (CallExpr *)TheCallResult.get();
4614 DeclRefExpr *DRE =
4615 cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
4616 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
4617 unsigned BuiltinID = FDecl->getBuiltinID();
4618 assert((BuiltinID == Builtin::BI__builtin_nontemporal_store ||
4619 BuiltinID == Builtin::BI__builtin_nontemporal_load) &&
4620 "Unexpected nontemporal load/store builtin!");
4621 bool isStore = BuiltinID == Builtin::BI__builtin_nontemporal_store;
4622 unsigned numArgs = isStore ? 2 : 1;
4623
4624 // Ensure that we have the proper number of arguments.
4625 if (checkArgCount(TheCall, numArgs))
4626 return ExprError();
4627
4628 // Inspect the last argument of the nontemporal builtin. This should always
4629 // be a pointer type, from which we imply the type of the memory access.
4630 // Because it is a pointer type, we don't have to worry about any implicit
4631 // casts here.
4632 Expr *PointerArg = TheCall->getArg(numArgs - 1);
4633 ExprResult PointerArgResult =
4634 DefaultFunctionArrayLvalueConversion(PointerArg);
4635
4636 if (PointerArgResult.isInvalid())
4637 return ExprError();
4638 PointerArg = PointerArgResult.get();
4639 TheCall->setArg(numArgs - 1, PointerArg);
4640
4641 const PointerType *pointerType = PointerArg->getType()->getAs<PointerType>();
4642 if (!pointerType) {
4643 Diag(DRE->getBeginLoc(), diag::err_nontemporal_builtin_must_be_pointer)
4644 << PointerArg->getType() << PointerArg->getSourceRange();
4645 return ExprError();
4646 }
4647
4648 QualType ValType = pointerType->getPointeeType();
4649
4650 // Strip any qualifiers off ValType.
4651 ValType = ValType.getUnqualifiedType();
4652 if (!ValType->isIntegerType() && !ValType->isAnyPointerType() &&
4653 !ValType->isBlockPointerType() && !ValType->isFloatingType() &&
4654 !ValType->isVectorType()) {
4655 Diag(DRE->getBeginLoc(),
4656 diag::err_nontemporal_builtin_must_be_pointer_intfltptr_or_vector)
4657 << PointerArg->getType() << PointerArg->getSourceRange();
4658 return ExprError();
4659 }
4660
4661 if (!isStore) {
4662 TheCall->setType(ValType);
4663 return TheCallResult;
4664 }
4665
4666 ExprResult ValArg = TheCall->getArg(0);
4667 InitializedEntity Entity = InitializedEntity::InitializeParameter(
4668 Context, ValType, /*consume*/ false);
4669 ValArg = PerformCopyInitialization(Entity, SourceLocation(), ValArg);
4670 if (ValArg.isInvalid())
4671 return ExprError();
4672
4673 TheCall->setArg(0, ValArg.get());
4674 TheCall->setType(Context.VoidTy);
4675 return TheCallResult;
4676 }
4677
4678 /// CheckObjCString - Checks that the format string argument to the os_log()
4679 /// and os_trace() functions is correct, and converts it to const char *.
4680 ExprResult Sema::CheckOSLogFormatStringArg(Expr *Arg) {
4681 Arg = Arg->IgnoreParenCasts();
4682 auto *Literal = dyn_cast<StringLiteral>(Arg);
4683 if (!Literal) {
4684 if (auto *ObjcLiteral = dyn_cast<ObjCStringLiteral>(Arg)) {
4685 Literal = ObjcLiteral->getString();
4686 }
4687 }
4688
4689 if (!Literal || (!Literal->isOrdinary() && !Literal->isUTF8())) {
4690 return ExprError(
4691 Diag(Arg->getBeginLoc(), diag::err_os_log_format_not_string_constant)
4692 << Arg->getSourceRange());
4693 }
4694
4695 ExprResult Result(Literal);
4696 QualType ResultTy = Context.getPointerType(Context.CharTy.withConst());
4697 InitializedEntity Entity =
4698 InitializedEntity::InitializeParameter(Context, ResultTy, false);
4699 Result = PerformCopyInitialization(Entity, SourceLocation(), Result);
4700 return Result;
4701 }
4702
4703 /// Check that the user is calling the appropriate va_start builtin for the
4704 /// target and calling convention.
4705 static bool checkVAStartABI(Sema &S, unsigned BuiltinID, Expr *Fn) {
4706 const llvm::Triple &TT = S.Context.getTargetInfo().getTriple();
4707 bool IsX64 = TT.getArch() == llvm::Triple::x86_64;
4708 bool IsAArch64 = (TT.getArch() == llvm::Triple::aarch64 ||
4709 TT.getArch() == llvm::Triple::aarch64_32);
4710 bool IsWindows = TT.isOSWindows();
4711 bool IsMSVAStart = BuiltinID == Builtin::BI__builtin_ms_va_start;
4712 if (IsX64 || IsAArch64) {
4713 CallingConv CC = CC_C;
4714 if (const FunctionDecl *FD = S.getCurFunctionDecl())
4715 CC = FD->getType()->castAs<FunctionType>()->getCallConv();
4716 if (IsMSVAStart) {
4717 // Don't allow this in System V ABI functions.
4718 if (CC == CC_X86_64SysV || (!IsWindows && CC != CC_Win64))
4719 return S.Diag(Fn->getBeginLoc(),
4720 diag::err_ms_va_start_used_in_sysv_function);
4721 } else {
4722 // On x86-64/AArch64 Unix, don't allow this in Win64 ABI functions.
4723 // On x64 Windows, don't allow this in System V ABI functions.
4724 // (Yes, that means there's no corresponding way to support variadic
4725 // System V ABI functions on Windows.)
4726 if ((IsWindows && CC == CC_X86_64SysV) ||
4727 (!IsWindows && CC == CC_Win64))
4728 return S.Diag(Fn->getBeginLoc(),
4729 diag::err_va_start_used_in_wrong_abi_function)
4730 << !IsWindows;
4731 }
4732 return false;
4733 }
4734
4735 if (IsMSVAStart)
4736 return S.Diag(Fn->getBeginLoc(), diag::err_builtin_x64_aarch64_only);
4737 return false;
4738 }
4739
4740 static bool checkVAStartIsInVariadicFunction(Sema &S, Expr *Fn,
4741 ParmVarDecl **LastParam = nullptr) {
4742 // Determine whether the current function, block, or obj-c method is variadic
4743 // and get its parameter list.
4744 bool IsVariadic = false;
4745 ArrayRef<ParmVarDecl *> Params;
4746 DeclContext *Caller = S.CurContext;
4747 if (auto *Block = dyn_cast<BlockDecl>(Caller)) {
4748 IsVariadic = Block->isVariadic();
4749 Params = Block->parameters();
4750 } else if (auto *FD = dyn_cast<FunctionDecl>(Caller)) {
4751 IsVariadic = FD->isVariadic();
4752 Params = FD->parameters();
4753 } else if (auto *MD = dyn_cast<ObjCMethodDecl>(Caller)) {
4754 IsVariadic = MD->isVariadic();
4755 // FIXME: This isn't correct for methods (results in bogus warning).
4756 Params = MD->parameters();
4757 } else if (isa<CapturedDecl>(Caller)) {
4758 // We don't support va_start in a CapturedDecl.
4759 S.Diag(Fn->getBeginLoc(), diag::err_va_start_captured_stmt);
4760 return true;
4761 } else {
4762 // This must be some other declcontext that parses exprs.
4763 S.Diag(Fn->getBeginLoc(), diag::err_va_start_outside_function);
4764 return true;
4765 }
4766
4767 if (!IsVariadic) {
4768 S.Diag(Fn->getBeginLoc(), diag::err_va_start_fixed_function);
4769 return true;
4770 }
4771
4772 if (LastParam)
4773 *LastParam = Params.empty() ? nullptr : Params.back();
4774
4775 return false;
4776 }
4777
4778 bool Sema::BuiltinVAStart(unsigned BuiltinID, CallExpr *TheCall) {
4779 Expr *Fn = TheCall->getCallee();
4780
4781 if (checkVAStartABI(*this, BuiltinID, Fn))
4782 return true;
4783
4784 // In C23 mode, va_start only needs one argument. However, the builtin still
4785 // requires two arguments (which matches the behavior of the GCC builtin),
4786 // <stdarg.h> passes `0` as the second argument in C23 mode.
4787 if (checkArgCount(TheCall, 2))
4788 return true;
4789
4790 // Type-check the first argument normally.
4791 if (checkBuiltinArgument(*this, TheCall, 0))
4792 return true;
4793
4794 // Check that the current function is variadic, and get its last parameter.
4795 ParmVarDecl *LastParam;
4796 if (checkVAStartIsInVariadicFunction(*this, Fn, &LastParam))
4797 return true;
4798
4799 // Verify that the second argument to the builtin is the last argument of the
4800 // current function or method. In C23 mode, if the second argument is an
4801 // integer constant expression with value 0, then we don't bother with this
4802 // check.
4803 bool SecondArgIsLastNamedArgument = false;
4804 const Expr *Arg = TheCall->getArg(1)->IgnoreParenCasts();
4805 if (std::optional<llvm::APSInt> Val =
4806 TheCall->getArg(1)->getIntegerConstantExpr(Context);
4807 Val && LangOpts.C23 && *Val == 0)
4808 return false;
4809
4810 // These are valid if SecondArgIsLastNamedArgument is false after the next
4811 // block.
4812 QualType Type;
4813 SourceLocation ParamLoc;
4814 bool IsCRegister = false;
4815
4816 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Arg)) {
4817 if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(DR->getDecl())) {
4818 SecondArgIsLastNamedArgument = PV == LastParam;
4819
4820 Type = PV->getType();
4821 ParamLoc = PV->getLocation();
4822 IsCRegister =
4823 PV->getStorageClass() == SC_Register && !getLangOpts().CPlusPlus;
4824 }
4825 }
4826
4827 if (!SecondArgIsLastNamedArgument)
4828 Diag(TheCall->getArg(1)->getBeginLoc(),
4829 diag::warn_second_arg_of_va_start_not_last_named_param);
4830 else if (IsCRegister || Type->isReferenceType() ||
4831 Type->isSpecificBuiltinType(BuiltinType::Float) || [=] {
4832 // Promotable integers are UB, but enumerations need a bit of
4833 // extra checking to see what their promotable type actually is.
4834 if (!Context.isPromotableIntegerType(Type))
4835 return false;
4836 if (!Type->isEnumeralType())
4837 return true;
4838 const EnumDecl *ED = Type->castAs<EnumType>()->getDecl();
4839 return !(ED &&
4840 Context.typesAreCompatible(ED->getPromotionType(), Type));
4841 }()) {
4842 unsigned Reason = 0;
4843 if (Type->isReferenceType()) Reason = 1;
4844 else if (IsCRegister) Reason = 2;
4845 Diag(Arg->getBeginLoc(), diag::warn_va_start_type_is_undefined) << Reason;
4846 Diag(ParamLoc, diag::note_parameter_type) << Type;
4847 }
4848
4849 return false;
4850 }
4851
4852 bool Sema::BuiltinVAStartARMMicrosoft(CallExpr *Call) {
4853 auto IsSuitablyTypedFormatArgument = [this](const Expr *Arg) -> bool {
4854 const LangOptions &LO = getLangOpts();
4855
4856 if (LO.CPlusPlus)
4857 return Arg->getType()
4858 .getCanonicalType()
4859 .getTypePtr()
4860 ->getPointeeType()
4861 .withoutLocalFastQualifiers() == Context.CharTy;
4862
4863 // In C, allow aliasing through `char *`, this is required for AArch64 at
4864 // least.
4865 return true;
4866 };
4867
4868 // void __va_start(va_list *ap, const char *named_addr, size_t slot_size,
4869 // const char *named_addr);
4870
4871 Expr *Func = Call->getCallee();
4872
4873 if (Call->getNumArgs() < 3)
4874 return Diag(Call->getEndLoc(),
4875 diag::err_typecheck_call_too_few_args_at_least)
4876 << 0 /*function call*/ << 3 << Call->getNumArgs()
4877 << /*is non object*/ 0;
4878
4879 // Type-check the first argument normally.
4880 if (checkBuiltinArgument(*this, Call, 0))
4881 return true;
4882
4883 // Check that the current function is variadic.
4884 if (checkVAStartIsInVariadicFunction(*this, Func))
4885 return true;
4886
4887 // __va_start on Windows does not validate the parameter qualifiers
4888
4889 const Expr *Arg1 = Call->getArg(1)->IgnoreParens();
4890 const Type *Arg1Ty = Arg1->getType().getCanonicalType().getTypePtr();
4891
4892 const Expr *Arg2 = Call->getArg(2)->IgnoreParens();
4893 const Type *Arg2Ty = Arg2->getType().getCanonicalType().getTypePtr();
4894
4895 const QualType &ConstCharPtrTy =
4896 Context.getPointerType(Context.CharTy.withConst());
4897 if (!Arg1Ty->isPointerType() || !IsSuitablyTypedFormatArgument(Arg1))
4898 Diag(Arg1->getBeginLoc(), diag::err_typecheck_convert_incompatible)
4899 << Arg1->getType() << ConstCharPtrTy << 1 /* different class */
4900 << 0 /* qualifier difference */
4901 << 3 /* parameter mismatch */
4902 << 2 << Arg1->getType() << ConstCharPtrTy;
4903
4904 const QualType SizeTy = Context.getSizeType();
4905 if (Arg2Ty->getCanonicalTypeInternal().withoutLocalFastQualifiers() != SizeTy)
4906 Diag(Arg2->getBeginLoc(), diag::err_typecheck_convert_incompatible)
4907 << Arg2->getType() << SizeTy << 1 /* different class */
4908 << 0 /* qualifier difference */
4909 << 3 /* parameter mismatch */
4910 << 3 << Arg2->getType() << SizeTy;
4911
4912 return false;
4913 }
4914
4915 bool Sema::BuiltinUnorderedCompare(CallExpr *TheCall, unsigned BuiltinID) {
4916 if (checkArgCount(TheCall, 2))
4917 return true;
4918
4919 if (BuiltinID == Builtin::BI__builtin_isunordered &&
4920 TheCall->getFPFeaturesInEffect(getLangOpts()).getNoHonorNaNs())
4921 Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
4922 << 1 << 0 << TheCall->getSourceRange();
4923
4924 ExprResult OrigArg0 = TheCall->getArg(0);
4925 ExprResult OrigArg1 = TheCall->getArg(1);
4926
4927 // Do standard promotions between the two arguments, returning their common
4928 // type.
4929 QualType Res = UsualArithmeticConversions(
4930 OrigArg0, OrigArg1, TheCall->getExprLoc(), ACK_Comparison);
4931 if (OrigArg0.isInvalid() || OrigArg1.isInvalid())
4932 return true;
4933
4934 // Make sure any conversions are pushed back into the call; this is
4935 // type safe since unordered compare builtins are declared as "_Bool
4936 // foo(...)".
4937 TheCall->setArg(0, OrigArg0.get());
4938 TheCall->setArg(1, OrigArg1.get());
4939
4940 if (OrigArg0.get()->isTypeDependent() || OrigArg1.get()->isTypeDependent())
4941 return false;
4942
4943 // If the common type isn't a real floating type, then the arguments were
4944 // invalid for this operation.
4945 if (Res.isNull() || !Res->isRealFloatingType())
4946 return Diag(OrigArg0.get()->getBeginLoc(),
4947 diag::err_typecheck_call_invalid_ordered_compare)
4948 << OrigArg0.get()->getType() << OrigArg1.get()->getType()
4949 << SourceRange(OrigArg0.get()->getBeginLoc(),
4950 OrigArg1.get()->getEndLoc());
4951
4952 return false;
4953 }
4954
4955 bool Sema::BuiltinFPClassification(CallExpr *TheCall, unsigned NumArgs,
4956 unsigned BuiltinID) {
4957 if (checkArgCount(TheCall, NumArgs))
4958 return true;
4959
4960 FPOptions FPO = TheCall->getFPFeaturesInEffect(getLangOpts());
4961 if (FPO.getNoHonorInfs() && (BuiltinID == Builtin::BI__builtin_isfinite ||
4962 BuiltinID == Builtin::BI__builtin_isinf ||
4963 BuiltinID == Builtin::BI__builtin_isinf_sign))
4964 Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
4965 << 0 << 0 << TheCall->getSourceRange();
4966
4967 if (FPO.getNoHonorNaNs() && (BuiltinID == Builtin::BI__builtin_isnan ||
4968 BuiltinID == Builtin::BI__builtin_isunordered))
4969 Diag(TheCall->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
4970 << 1 << 0 << TheCall->getSourceRange();
4971
4972 bool IsFPClass = NumArgs == 2;
4973
4974 // Find out position of floating-point argument.
4975 unsigned FPArgNo = IsFPClass ? 0 : NumArgs - 1;
4976
4977 // We can count on all parameters preceding the floating-point just being int.
4978 // Try all of those.
4979 for (unsigned i = 0; i < FPArgNo; ++i) {
4980 Expr *Arg = TheCall->getArg(i);
4981
4982 if (Arg->isTypeDependent())
4983 return false;
4984
4985 ExprResult Res = PerformImplicitConversion(Arg, Context.IntTy,
4986 AssignmentAction::Passing);
4987
4988 if (Res.isInvalid())
4989 return true;
4990 TheCall->setArg(i, Res.get());
4991 }
4992
4993 Expr *OrigArg = TheCall->getArg(FPArgNo);
4994
4995 if (OrigArg->isTypeDependent())
4996 return false;
4997
4998 // Usual Unary Conversions will convert half to float, which we want for
4999 // machines that use fp16 conversion intrinsics. Else, we wnat to leave the
5000 // type how it is, but do normal L->Rvalue conversions.
5001 if (Context.getTargetInfo().useFP16ConversionIntrinsics()) {
5002 ExprResult Res = UsualUnaryConversions(OrigArg);
5003
5004 if (!Res.isUsable())
5005 return true;
5006 OrigArg = Res.get();
5007 } else {
5008 ExprResult Res = DefaultFunctionArrayLvalueConversion(OrigArg);
5009
5010 if (!Res.isUsable())
5011 return true;
5012 OrigArg = Res.get();
5013 }
5014 TheCall->setArg(FPArgNo, OrigArg);
5015
5016 QualType VectorResultTy;
5017 QualType ElementTy = OrigArg->getType();
5018 // TODO: When all classification function are implemented with is_fpclass,
5019 // vector argument can be supported in all of them.
5020 if (ElementTy->isVectorType() && IsFPClass) {
5021 VectorResultTy = GetSignedVectorType(ElementTy);
5022 ElementTy = ElementTy->castAs<VectorType>()->getElementType();
5023 }
5024
5025 // This operation requires a non-_Complex floating-point number.
5026 if (!ElementTy->isRealFloatingType())
5027 return Diag(OrigArg->getBeginLoc(),
5028 diag::err_typecheck_call_invalid_unary_fp)
5029 << OrigArg->getType() << OrigArg->getSourceRange();
5030
5031 // __builtin_isfpclass has integer parameter that specify test mask. It is
5032 // passed in (...), so it should be analyzed completely here.
5033 if (IsFPClass)
5034 if (BuiltinConstantArgRange(TheCall, 1, 0, llvm::fcAllFlags))
5035 return true;
5036
5037 // TODO: enable this code to all classification functions.
5038 if (IsFPClass) {
5039 QualType ResultTy;
5040 if (!VectorResultTy.isNull())
5041 ResultTy = VectorResultTy;
5042 else
5043 ResultTy = Context.IntTy;
5044 TheCall->setType(ResultTy);
5045 }
5046
5047 return false;
5048 }
5049
5050 bool Sema::BuiltinComplex(CallExpr *TheCall) {
5051 if (checkArgCount(TheCall, 2))
5052 return true;
5053
5054 bool Dependent = false;
5055 for (unsigned I = 0; I != 2; ++I) {
5056 Expr *Arg = TheCall->getArg(I);
5057 QualType T = Arg->getType();
5058 if (T->isDependentType()) {
5059 Dependent = true;
5060 continue;
5061 }
5062
5063 // Despite supporting _Complex int, GCC requires a real floating point type
5064 // for the operands of __builtin_complex.
5065 if (!T->isRealFloatingType()) {
5066 return Diag(Arg->getBeginLoc(), diag::err_typecheck_call_requires_real_fp)
5067 << Arg->getType() << Arg->getSourceRange();
5068 }
5069
5070 ExprResult Converted = DefaultLvalueConversion(Arg);
5071 if (Converted.isInvalid())
5072 return true;
5073 TheCall->setArg(I, Converted.get());
5074 }
5075
5076 if (Dependent) {
5077 TheCall->setType(Context.DependentTy);
5078 return false;
5079 }
5080
5081 Expr *Real = TheCall->getArg(0);
5082 Expr *Imag = TheCall->getArg(1);
5083 if (!Context.hasSameType(Real->getType(), Imag->getType())) {
5084 return Diag(Real->getBeginLoc(),
5085 diag::err_typecheck_call_different_arg_types)
5086 << Real->getType() << Imag->getType()
5087 << Real->getSourceRange() << Imag->getSourceRange();
5088 }
5089
5090 // We don't allow _Complex _Float16 nor _Complex __fp16 as type specifiers;
5091 // don't allow this builtin to form those types either.
5092 // FIXME: Should we allow these types?
5093 if (Real->getType()->isFloat16Type())
5094 return Diag(TheCall->getBeginLoc(), diag::err_invalid_complex_spec)
5095 << "_Float16";
5096 if (Real->getType()->isHalfType())
5097 return Diag(TheCall->getBeginLoc(), diag::err_invalid_complex_spec)
5098 << "half";
5099
5100 TheCall->setType(Context.getComplexType(Real->getType()));
5101 return false;
5102 }
5103
5104 /// BuiltinShuffleVector - Handle __builtin_shufflevector.
5105 // This is declared to take (...), so we have to check everything.
5106 ExprResult Sema::BuiltinShuffleVector(CallExpr *TheCall) {
5107 if (TheCall->getNumArgs() < 2)
5108 return ExprError(Diag(TheCall->getEndLoc(),
5109 diag::err_typecheck_call_too_few_args_at_least)
5110 << 0 /*function call*/ << 2 << TheCall->getNumArgs()
5111 << /*is non object*/ 0 << TheCall->getSourceRange());
5112
5113 // Determine which of the following types of shufflevector we're checking:
5114 // 1) unary, vector mask: (lhs, mask)
5115 // 2) binary, scalar mask: (lhs, rhs, index, ..., index)
5116 QualType resType = TheCall->getArg(0)->getType();
5117 unsigned numElements = 0;
5118
5119 if (!TheCall->getArg(0)->isTypeDependent() &&
5120 !TheCall->getArg(1)->isTypeDependent()) {
5121 QualType LHSType = TheCall->getArg(0)->getType();
5122 QualType RHSType = TheCall->getArg(1)->getType();
5123
5124 if (!LHSType->isVectorType() || !RHSType->isVectorType())
5125 return ExprError(
5126 Diag(TheCall->getBeginLoc(), diag::err_vec_builtin_non_vector)
5127 << TheCall->getDirectCallee() << /*isMorethantwoArgs*/ false
5128 << SourceRange(TheCall->getArg(0)->getBeginLoc(),
5129 TheCall->getArg(1)->getEndLoc()));
5130
5131 numElements = LHSType->castAs<VectorType>()->getNumElements();
5132 unsigned numResElements = TheCall->getNumArgs() - 2;
5133
5134 // Check to see if we have a call with 2 vector arguments, the unary shuffle
5135 // with mask. If so, verify that RHS is an integer vector type with the
5136 // same number of elts as lhs.
5137 if (TheCall->getNumArgs() == 2) {
5138 if (!RHSType->hasIntegerRepresentation() ||
5139 RHSType->castAs<VectorType>()->getNumElements() != numElements)
5140 return ExprError(Diag(TheCall->getBeginLoc(),
5141 diag::err_vec_builtin_incompatible_vector)
5142 << TheCall->getDirectCallee()
5143 << /*isMorethantwoArgs*/ false
5144 << SourceRange(TheCall->getArg(1)->getBeginLoc(),
5145 TheCall->getArg(1)->getEndLoc()));
5146 } else if (!Context.hasSameUnqualifiedType(LHSType, RHSType)) {
5147 return ExprError(Diag(TheCall->getBeginLoc(),
5148 diag::err_vec_builtin_incompatible_vector)
5149 << TheCall->getDirectCallee()
5150 << /*isMorethantwoArgs*/ false
5151 << SourceRange(TheCall->getArg(0)->getBeginLoc(),
5152 TheCall->getArg(1)->getEndLoc()));
5153 } else if (numElements != numResElements) {
5154 QualType eltType = LHSType->castAs<VectorType>()->getElementType();
5155 resType =
5156 Context.getVectorType(eltType, numResElements, VectorKind::Generic);
5157 }
5158 }
5159
5160 for (unsigned i = 2; i < TheCall->getNumArgs(); i++) {
5161 if (TheCall->getArg(i)->isTypeDependent() ||
5162 TheCall->getArg(i)->isValueDependent())
5163 continue;
5164
5165 std::optional<llvm::APSInt> Result;
5166 if (!(Result = TheCall->getArg(i)->getIntegerConstantExpr(Context)))
5167 return ExprError(Diag(TheCall->getBeginLoc(),
5168 diag::err_shufflevector_nonconstant_argument)
5169 << TheCall->getArg(i)->getSourceRange());
5170
5171 // Allow -1 which will be translated to undef in the IR.
5172 if (Result->isSigned() && Result->isAllOnes())
5173 continue;
5174
5175 if (Result->getActiveBits() > 64 ||
5176 Result->getZExtValue() >= numElements * 2)
5177 return ExprError(Diag(TheCall->getBeginLoc(),
5178 diag::err_shufflevector_argument_too_large)
5179 << TheCall->getArg(i)->getSourceRange());
5180 }
5181
5182 SmallVector<Expr*, 32> exprs;
5183
5184 for (unsigned i = 0, e = TheCall->getNumArgs(); i != e; i++) {
5185 exprs.push_back(TheCall->getArg(i));
5186 TheCall->setArg(i, nullptr);
5187 }
5188
5189 return new (Context) ShuffleVectorExpr(Context, exprs, resType,
5190 TheCall->getCallee()->getBeginLoc(),
5191 TheCall->getRParenLoc());
5192 }
5193
5194 ExprResult Sema::ConvertVectorExpr(Expr *E, TypeSourceInfo *TInfo,
5195 SourceLocation BuiltinLoc,
5196 SourceLocation RParenLoc) {
5197 ExprValueKind VK = VK_PRValue;
5198 ExprObjectKind OK = OK_Ordinary;
5199 QualType DstTy = TInfo->getType();
5200 QualType SrcTy = E->getType();
5201
5202 if (!SrcTy->isVectorType() && !SrcTy->isDependentType())
5203 return ExprError(Diag(BuiltinLoc,
5204 diag::err_convertvector_non_vector)
5205 << E->getSourceRange());
5206 if (!DstTy->isVectorType() && !DstTy->isDependentType())
5207 return ExprError(Diag(BuiltinLoc, diag::err_builtin_non_vector_type)
5208 << "second"
5209 << "__builtin_convertvector");
5210
5211 if (!SrcTy->isDependentType() && !DstTy->isDependentType()) {
5212 unsigned SrcElts = SrcTy->castAs<VectorType>()->getNumElements();
5213 unsigned DstElts = DstTy->castAs<VectorType>()->getNumElements();
5214 if (SrcElts != DstElts)
5215 return ExprError(Diag(BuiltinLoc,
5216 diag::err_convertvector_incompatible_vector)
5217 << E->getSourceRange());
5218 }
5219
5220 return new (Context) class ConvertVectorExpr(E, TInfo, DstTy, VK, OK,
5221 BuiltinLoc, RParenLoc);
5222 }
5223
5224 bool Sema::BuiltinPrefetch(CallExpr *TheCall) {
5225 unsigned NumArgs = TheCall->getNumArgs();
5226
5227 if (NumArgs > 3)
5228 return Diag(TheCall->getEndLoc(),
5229 diag::err_typecheck_call_too_many_args_at_most)
5230 << 0 /*function call*/ << 3 << NumArgs << /*is non object*/ 0
5231 << TheCall->getSourceRange();
5232
5233 // Argument 0 is checked for us and the remaining arguments must be
5234 // constant integers.
5235 for (unsigned i = 1; i != NumArgs; ++i)
5236 if (BuiltinConstantArgRange(TheCall, i, 0, i == 1 ? 1 : 3))
5237 return true;
5238
5239 return false;
5240 }
5241
5242 bool Sema::BuiltinArithmeticFence(CallExpr *TheCall) {
5243 if (!Context.getTargetInfo().checkArithmeticFenceSupported())
5244 return Diag(TheCall->getBeginLoc(), diag::err_builtin_target_unsupported)
5245 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5246 if (checkArgCount(TheCall, 1))
5247 return true;
5248 Expr *Arg = TheCall->getArg(0);
5249 if (Arg->isInstantiationDependent())
5250 return false;
5251
5252 QualType ArgTy = Arg->getType();
5253 if (!ArgTy->hasFloatingRepresentation())
5254 return Diag(TheCall->getEndLoc(), diag::err_typecheck_expect_flt_or_vector)
5255 << ArgTy;
5256 if (Arg->isLValue()) {
5257 ExprResult FirstArg = DefaultLvalueConversion(Arg);
5258 TheCall->setArg(0, FirstArg.get());
5259 }
5260 TheCall->setType(TheCall->getArg(0)->getType());
5261 return false;
5262 }
5263
5264 bool Sema::BuiltinAssume(CallExpr *TheCall) {
5265 Expr *Arg = TheCall->getArg(0);
5266 if (Arg->isInstantiationDependent()) return false;
5267
5268 if (Arg->HasSideEffects(Context))
5269 Diag(Arg->getBeginLoc(), diag::warn_assume_side_effects)
5270 << Arg->getSourceRange()
5271 << cast<FunctionDecl>(TheCall->getCalleeDecl())->getIdentifier();
5272
5273 return false;
5274 }
5275
5276 bool Sema::BuiltinAllocaWithAlign(CallExpr *TheCall) {
5277 // The alignment must be a constant integer.
5278 Expr *Arg = TheCall->getArg(1);
5279
5280 // We can't check the value of a dependent argument.
5281 if (!Arg->isTypeDependent() && !Arg->isValueDependent()) {
5282 if (const auto *UE =
5283 dyn_cast<UnaryExprOrTypeTraitExpr>(Arg->IgnoreParenImpCasts()))
5284 if (UE->getKind() == UETT_AlignOf ||
5285 UE->getKind() == UETT_PreferredAlignOf)
5286 Diag(TheCall->getBeginLoc(), diag::warn_alloca_align_alignof)
5287 << Arg->getSourceRange();
5288
5289 llvm::APSInt Result = Arg->EvaluateKnownConstInt(Context);
5290
5291 if (!Result.isPowerOf2())
5292 return Diag(TheCall->getBeginLoc(), diag::err_alignment_not_power_of_two)
5293 << Arg->getSourceRange();
5294
5295 if (Result < Context.getCharWidth())
5296 return Diag(TheCall->getBeginLoc(), diag::err_alignment_too_small)
5297 << (unsigned)Context.getCharWidth() << Arg->getSourceRange();
5298
5299 if (Result > std::numeric_limits<int32_t>::max())
5300 return Diag(TheCall->getBeginLoc(), diag::err_alignment_too_big)
5301 << std::numeric_limits<int32_t>::max() << Arg->getSourceRange();
5302 }
5303
5304 return false;
5305 }
5306
5307 bool Sema::BuiltinAssumeAligned(CallExpr *TheCall) {
5308 if (checkArgCountRange(TheCall, 2, 3))
5309 return true;
5310
5311 unsigned NumArgs = TheCall->getNumArgs();
5312 Expr *FirstArg = TheCall->getArg(0);
5313
5314 {
5315 ExprResult FirstArgResult =
5316 DefaultFunctionArrayLvalueConversion(FirstArg);
5317 if (checkBuiltinArgument(*this, TheCall, 0))
5318 return true;
5319 /// In-place updation of FirstArg by checkBuiltinArgument is ignored.
5320 TheCall->setArg(0, FirstArgResult.get());
5321 }
5322
5323 // The alignment must be a constant integer.
5324 Expr *SecondArg = TheCall->getArg(1);
5325
5326 // We can't check the value of a dependent argument.
5327 if (!SecondArg->isValueDependent()) {
5328 llvm::APSInt Result;
5329 if (BuiltinConstantArg(TheCall, 1, Result))
5330 return true;
5331
5332 if (!Result.isPowerOf2())
5333 return Diag(TheCall->getBeginLoc(), diag::err_alignment_not_power_of_two)
5334 << SecondArg->getSourceRange();
5335
5336 if (Result > Sema::MaximumAlignment)
5337 Diag(TheCall->getBeginLoc(), diag::warn_assume_aligned_too_great)
5338 << SecondArg->getSourceRange() << Sema::MaximumAlignment;
5339 }
5340
5341 if (NumArgs > 2) {
5342 Expr *ThirdArg = TheCall->getArg(2);
5343 if (convertArgumentToType(*this, ThirdArg, Context.getSizeType()))
5344 return true;
5345 TheCall->setArg(2, ThirdArg);
5346 }
5347
5348 return false;
5349 }
5350
5351 bool Sema::BuiltinOSLogFormat(CallExpr *TheCall) {
5352 unsigned BuiltinID =
5353 cast<FunctionDecl>(TheCall->getCalleeDecl())->getBuiltinID();
5354 bool IsSizeCall = BuiltinID == Builtin::BI__builtin_os_log_format_buffer_size;
5355
5356 unsigned NumArgs = TheCall->getNumArgs();
5357 unsigned NumRequiredArgs = IsSizeCall ? 1 : 2;
5358 if (NumArgs < NumRequiredArgs) {
5359 return Diag(TheCall->getEndLoc(), diag::err_typecheck_call_too_few_args)
5360 << 0 /* function call */ << NumRequiredArgs << NumArgs
5361 << /*is non object*/ 0 << TheCall->getSourceRange();
5362 }
5363 if (NumArgs >= NumRequiredArgs + 0x100) {
5364 return Diag(TheCall->getEndLoc(),
5365 diag::err_typecheck_call_too_many_args_at_most)
5366 << 0 /* function call */ << (NumRequiredArgs + 0xff) << NumArgs
5367 << /*is non object*/ 0 << TheCall->getSourceRange();
5368 }
5369 unsigned i = 0;
5370
5371 // For formatting call, check buffer arg.
5372 if (!IsSizeCall) {
5373 ExprResult Arg(TheCall->getArg(i));
5374 InitializedEntity Entity = InitializedEntity::InitializeParameter(
5375 Context, Context.VoidPtrTy, false);
5376 Arg = PerformCopyInitialization(Entity, SourceLocation(), Arg);
5377 if (Arg.isInvalid())
5378 return true;
5379 TheCall->setArg(i, Arg.get());
5380 i++;
5381 }
5382
5383 // Check string literal arg.
5384 unsigned FormatIdx = i;
5385 {
5386 ExprResult Arg = CheckOSLogFormatStringArg(TheCall->getArg(i));
5387 if (Arg.isInvalid())
5388 return true;
5389 TheCall->setArg(i, Arg.get());
5390 i++;
5391 }
5392
5393 // Make sure variadic args are scalar.
5394 unsigned FirstDataArg = i;
5395 while (i < NumArgs) {
5396 ExprResult Arg = DefaultVariadicArgumentPromotion(
5397 TheCall->getArg(i), VariadicFunction, nullptr);
5398 if (Arg.isInvalid())
5399 return true;
5400 CharUnits ArgSize = Context.getTypeSizeInChars(Arg.get()->getType());
5401 if (ArgSize.getQuantity() >= 0x100) {
5402 return Diag(Arg.get()->getEndLoc(), diag::err_os_log_argument_too_big)
5403 << i << (int)ArgSize.getQuantity() << 0xff
5404 << TheCall->getSourceRange();
5405 }
5406 TheCall->setArg(i, Arg.get());
5407 i++;
5408 }
5409
5410 // Check formatting specifiers. NOTE: We're only doing this for the non-size
5411 // call to avoid duplicate diagnostics.
5412 if (!IsSizeCall) {
5413 llvm::SmallBitVector CheckedVarArgs(NumArgs, false);
5414 ArrayRef<const Expr *> Args(TheCall->getArgs(), TheCall->getNumArgs());
5415 bool Success = CheckFormatArguments(
5416 Args, FAPK_Variadic, FormatIdx, FirstDataArg, FST_OSLog,
5417 VariadicFunction, TheCall->getBeginLoc(), SourceRange(),
5418 CheckedVarArgs);
5419 if (!Success)
5420 return true;
5421 }
5422
5423 if (IsSizeCall) {
5424 TheCall->setType(Context.getSizeType());
5425 } else {
5426 TheCall->setType(Context.VoidPtrTy);
5427 }
5428 return false;
5429 }
5430
5431 bool Sema::BuiltinConstantArg(CallExpr *TheCall, int ArgNum,
5432 llvm::APSInt &Result) {
5433 Expr *Arg = TheCall->getArg(ArgNum);
5434 DeclRefExpr *DRE =cast<DeclRefExpr>(TheCall->getCallee()->IgnoreParenCasts());
5435 FunctionDecl *FDecl = cast<FunctionDecl>(DRE->getDecl());
5436
5437 if (Arg->isTypeDependent() || Arg->isValueDependent()) return false;
5438
5439 std::optional<llvm::APSInt> R;
5440 if (!(R = Arg->getIntegerConstantExpr(Context)))
5441 return Diag(TheCall->getBeginLoc(), diag::err_constant_integer_arg_type)
5442 << FDecl->getDeclName() << Arg->getSourceRange();
5443 Result = *R;
5444 return false;
5445 }
5446
5447 bool Sema::BuiltinConstantArgRange(CallExpr *TheCall, int ArgNum, int Low,
5448 int High, bool RangeIsError) {
5449 if (isConstantEvaluatedContext())
5450 return false;
5451 llvm::APSInt Result;
5452
5453 // We can't check the value of a dependent argument.
5454 Expr *Arg = TheCall->getArg(ArgNum);
5455 if (Arg->isTypeDependent() || Arg->isValueDependent())
5456 return false;
5457
5458 // Check constant-ness first.
5459 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5460 return true;
5461
5462 if (Result.getSExtValue() < Low || Result.getSExtValue() > High) {
5463 if (RangeIsError)
5464 return Diag(TheCall->getBeginLoc(), diag::err_argument_invalid_range)
5465 << toString(Result, 10) << Low << High << Arg->getSourceRange();
5466 else
5467 // Defer the warning until we know if the code will be emitted so that
5468 // dead code can ignore this.
5469 DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
5470 PDiag(diag::warn_argument_invalid_range)
5471 << toString(Result, 10) << Low << High
5472 << Arg->getSourceRange());
5473 }
5474
5475 return false;
5476 }
5477
5478 bool Sema::BuiltinConstantArgMultiple(CallExpr *TheCall, int ArgNum,
5479 unsigned Num) {
5480 llvm::APSInt Result;
5481
5482 // We can't check the value of a dependent argument.
5483 Expr *Arg = TheCall->getArg(ArgNum);
5484 if (Arg->isTypeDependent() || Arg->isValueDependent())
5485 return false;
5486
5487 // Check constant-ness first.
5488 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5489 return true;
5490
5491 if (Result.getSExtValue() % Num != 0)
5492 return Diag(TheCall->getBeginLoc(), diag::err_argument_not_multiple)
5493 << Num << Arg->getSourceRange();
5494
5495 return false;
5496 }
5497
5498 bool Sema::BuiltinConstantArgPower2(CallExpr *TheCall, int ArgNum) {
5499 llvm::APSInt Result;
5500
5501 // We can't check the value of a dependent argument.
5502 Expr *Arg = TheCall->getArg(ArgNum);
5503 if (Arg->isTypeDependent() || Arg->isValueDependent())
5504 return false;
5505
5506 // Check constant-ness first.
5507 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5508 return true;
5509
5510 // Bit-twiddling to test for a power of 2: for x > 0, x & (x-1) is zero if
5511 // and only if x is a power of 2.
5512 if (Result.isStrictlyPositive() && (Result & (Result - 1)) == 0)
5513 return false;
5514
5515 return Diag(TheCall->getBeginLoc(), diag::err_argument_not_power_of_2)
5516 << Arg->getSourceRange();
5517 }
5518
5519 static bool IsShiftedByte(llvm::APSInt Value) {
5520 if (Value.isNegative())
5521 return false;
5522
5523 // Check if it's a shifted byte, by shifting it down
5524 while (true) {
5525 // If the value fits in the bottom byte, the check passes.
5526 if (Value < 0x100)
5527 return true;
5528
5529 // Otherwise, if the value has _any_ bits in the bottom byte, the check
5530 // fails.
5531 if ((Value & 0xFF) != 0)
5532 return false;
5533
5534 // If the bottom 8 bits are all 0, but something above that is nonzero,
5535 // then shifting the value right by 8 bits won't affect whether it's a
5536 // shifted byte or not. So do that, and go round again.
5537 Value >>= 8;
5538 }
5539 }
5540
5541 bool Sema::BuiltinConstantArgShiftedByte(CallExpr *TheCall, int ArgNum,
5542 unsigned ArgBits) {
5543 llvm::APSInt Result;
5544
5545 // We can't check the value of a dependent argument.
5546 Expr *Arg = TheCall->getArg(ArgNum);
5547 if (Arg->isTypeDependent() || Arg->isValueDependent())
5548 return false;
5549
5550 // Check constant-ness first.
5551 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5552 return true;
5553
5554 // Truncate to the given size.
5555 Result = Result.getLoBits(ArgBits);
5556 Result.setIsUnsigned(true);
5557
5558 if (IsShiftedByte(Result))
5559 return false;
5560
5561 return Diag(TheCall->getBeginLoc(), diag::err_argument_not_shifted_byte)
5562 << Arg->getSourceRange();
5563 }
5564
5565 bool Sema::BuiltinConstantArgShiftedByteOrXXFF(CallExpr *TheCall, int ArgNum,
5566 unsigned ArgBits) {
5567 llvm::APSInt Result;
5568
5569 // We can't check the value of a dependent argument.
5570 Expr *Arg = TheCall->getArg(ArgNum);
5571 if (Arg->isTypeDependent() || Arg->isValueDependent())
5572 return false;
5573
5574 // Check constant-ness first.
5575 if (BuiltinConstantArg(TheCall, ArgNum, Result))
5576 return true;
5577
5578 // Truncate to the given size.
5579 Result = Result.getLoBits(ArgBits);
5580 Result.setIsUnsigned(true);
5581
5582 // Check to see if it's in either of the required forms.
5583 if (IsShiftedByte(Result) ||
5584 (Result > 0 && Result < 0x10000 && (Result & 0xFF) == 0xFF))
5585 return false;
5586
5587 return Diag(TheCall->getBeginLoc(),
5588 diag::err_argument_not_shifted_byte_or_xxff)
5589 << Arg->getSourceRange();
5590 }
5591
5592 bool Sema::BuiltinLongjmp(CallExpr *TheCall) {
5593 if (!Context.getTargetInfo().hasSjLjLowering())
5594 return Diag(TheCall->getBeginLoc(), diag::err_builtin_longjmp_unsupported)
5595 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5596
5597 Expr *Arg = TheCall->getArg(1);
5598 llvm::APSInt Result;
5599
5600 // TODO: This is less than ideal. Overload this to take a value.
5601 if (BuiltinConstantArg(TheCall, 1, Result))
5602 return true;
5603
5604 if (Result != 1)
5605 return Diag(TheCall->getBeginLoc(), diag::err_builtin_longjmp_invalid_val)
5606 << SourceRange(Arg->getBeginLoc(), Arg->getEndLoc());
5607
5608 return false;
5609 }
5610
5611 bool Sema::BuiltinSetjmp(CallExpr *TheCall) {
5612 if (!Context.getTargetInfo().hasSjLjLowering())
5613 return Diag(TheCall->getBeginLoc(), diag::err_builtin_setjmp_unsupported)
5614 << SourceRange(TheCall->getBeginLoc(), TheCall->getEndLoc());
5615 return false;
5616 }
5617
5618 bool Sema::BuiltinCountedByRef(CallExpr *TheCall) {
5619 if (checkArgCount(TheCall, 1))
5620 return true;
5621
5622 ExprResult ArgRes = UsualUnaryConversions(TheCall->getArg(0));
5623 if (ArgRes.isInvalid())
5624 return true;
5625
5626 // For simplicity, we support only limited expressions for the argument.
5627 // Specifically a pointer to a flexible array member:'ptr->array'. This
5628 // allows us to reject arguments with complex casting, which really shouldn't
5629 // be a huge problem.
5630 const Expr *Arg = ArgRes.get()->IgnoreParenImpCasts();
5631 if (!isa<PointerType>(Arg->getType()) && !Arg->getType()->isArrayType())
5632 return Diag(Arg->getBeginLoc(),
5633 diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5634 << Arg->getSourceRange();
5635
5636 if (Arg->HasSideEffects(Context))
5637 return Diag(Arg->getBeginLoc(),
5638 diag::err_builtin_counted_by_ref_has_side_effects)
5639 << Arg->getSourceRange();
5640
5641 if (const auto *ME = dyn_cast<MemberExpr>(Arg)) {
5642 if (!ME->isFlexibleArrayMemberLike(
5643 Context, getLangOpts().getStrictFlexArraysLevel()))
5644 return Diag(Arg->getBeginLoc(),
5645 diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5646 << Arg->getSourceRange();
5647
5648 if (auto *CATy =
5649 ME->getMemberDecl()->getType()->getAs<CountAttributedType>();
5650 CATy && CATy->getKind() == CountAttributedType::CountedBy) {
5651 const auto *FAMDecl = cast<FieldDecl>(ME->getMemberDecl());
5652 if (const FieldDecl *CountFD = FAMDecl->findCountedByField()) {
5653 TheCall->setType(Context.getPointerType(CountFD->getType()));
5654 return false;
5655 }
5656 }
5657 } else {
5658 return Diag(Arg->getBeginLoc(),
5659 diag::err_builtin_counted_by_ref_must_be_flex_array_member)
5660 << Arg->getSourceRange();
5661 }
5662
5663 TheCall->setType(Context.getPointerType(Context.VoidTy));
5664 return false;
5665 }
5666
5667 namespace {
5668
5669 class UncoveredArgHandler {
5670 enum { Unknown = -1, AllCovered = -2 };
5671
5672 signed FirstUncoveredArg = Unknown;
5673 SmallVector<const Expr *, 4> DiagnosticExprs;
5674
5675 public:
5676 UncoveredArgHandler() = default;
5677
5678 bool hasUncoveredArg() const {
5679 return (FirstUncoveredArg >= 0);
5680 }
5681
5682 unsigned getUncoveredArg() const {
5683 assert(hasUncoveredArg() && "no uncovered argument");
5684 return FirstUncoveredArg;
5685 }
5686
5687 void setAllCovered() {
5688 // A string has been found with all arguments covered, so clear out
5689 // the diagnostics.
5690 DiagnosticExprs.clear();
5691 FirstUncoveredArg = AllCovered;
5692 }
5693
5694 void Update(signed NewFirstUncoveredArg, const Expr *StrExpr) {
5695 assert(NewFirstUncoveredArg >= 0 && "Outside range");
5696
5697 // Don't update if a previous string covers all arguments.
5698 if (FirstUncoveredArg == AllCovered)
5699 return;
5700
5701 // UncoveredArgHandler tracks the highest uncovered argument index
5702 // and with it all the strings that match this index.
5703 if (NewFirstUncoveredArg == FirstUncoveredArg)
5704 DiagnosticExprs.push_back(StrExpr);
5705 else if (NewFirstUncoveredArg > FirstUncoveredArg) {
5706 DiagnosticExprs.clear();
5707 DiagnosticExprs.push_back(StrExpr);
5708 FirstUncoveredArg = NewFirstUncoveredArg;
5709 }
5710 }
5711
5712 void Diagnose(Sema &S, bool IsFunctionCall, const Expr *ArgExpr);
5713 };
5714
5715 enum StringLiteralCheckType {
5716 SLCT_NotALiteral,
5717 SLCT_UncheckedLiteral,
5718 SLCT_CheckedLiteral
5719 };
5720
5721 } // namespace
5722
5723 static void sumOffsets(llvm::APSInt &Offset, llvm::APSInt Addend,
5724 BinaryOperatorKind BinOpKind,
5725 bool AddendIsRight) {
5726 unsigned BitWidth = Offset.getBitWidth();
5727 unsigned AddendBitWidth = Addend.getBitWidth();
5728 // There might be negative interim results.
5729 if (Addend.isUnsigned()) {
5730 Addend = Addend.zext(++AddendBitWidth);
5731 Addend.setIsSigned(true);
5732 }
5733 // Adjust the bit width of the APSInts.
5734 if (AddendBitWidth > BitWidth) {
5735 Offset = Offset.sext(AddendBitWidth);
5736 BitWidth = AddendBitWidth;
5737 } else if (BitWidth > AddendBitWidth) {
5738 Addend = Addend.sext(BitWidth);
5739 }
5740
5741 bool Ov = false;
5742 llvm::APSInt ResOffset = Offset;
5743 if (BinOpKind == BO_Add)
5744 ResOffset = Offset.sadd_ov(Addend, Ov);
5745 else {
5746 assert(AddendIsRight && BinOpKind == BO_Sub &&
5747 "operator must be add or sub with addend on the right");
5748 ResOffset = Offset.ssub_ov(Addend, Ov);
5749 }
5750
5751 // We add an offset to a pointer here so we should support an offset as big as
5752 // possible.
5753 if (Ov) {
5754 assert(BitWidth <= std::numeric_limits<unsigned>::max() / 2 &&
5755 "index (intermediate) result too big");
5756 Offset = Offset.sext(2 * BitWidth);
5757 sumOffsets(Offset, Addend, BinOpKind, AddendIsRight);
5758 return;
5759 }
5760
5761 Offset = ResOffset;
5762 }
5763
5764 namespace {
5765
5766 // This is a wrapper class around StringLiteral to support offsetted string
5767 // literals as format strings. It takes the offset into account when returning
5768 // the string and its length or the source locations to display notes correctly.
5769 class FormatStringLiteral {
5770 const StringLiteral *FExpr;
5771 int64_t Offset;
5772
5773 public:
5774 FormatStringLiteral(const StringLiteral *fexpr, int64_t Offset = 0)
5775 : FExpr(fexpr), Offset(Offset) {}
5776
5777 StringRef getString() const {
5778 return FExpr->getString().drop_front(Offset);
5779 }
5780
5781 unsigned getByteLength() const {
5782 return FExpr->getByteLength() - getCharByteWidth() * Offset;
5783 }
5784
5785 unsigned getLength() const { return FExpr->getLength() - Offset; }
5786 unsigned getCharByteWidth() const { return FExpr->getCharByteWidth(); }
5787
5788 StringLiteralKind getKind() const { return FExpr->getKind(); }
5789
5790 QualType getType() const { return FExpr->getType(); }
5791
5792 bool isAscii() const { return FExpr->isOrdinary(); }
5793 bool isWide() const { return FExpr->isWide(); }
5794 bool isUTF8() const { return FExpr->isUTF8(); }
5795 bool isUTF16() const { return FExpr->isUTF16(); }
5796 bool isUTF32() const { return FExpr->isUTF32(); }
5797 bool isPascal() const { return FExpr->isPascal(); }
5798
5799 SourceLocation getLocationOfByte(
5800 unsigned ByteNo, const SourceManager &SM, const LangOptions &Features,
5801 const TargetInfo &Target, unsigned *StartToken = nullptr,
5802 unsigned *StartTokenByteOffset = nullptr) const {
5803 return FExpr->getLocationOfByte(ByteNo + Offset, SM, Features, Target,
5804 StartToken, StartTokenByteOffset);
5805 }
5806
5807 SourceLocation getBeginLoc() const LLVM_READONLY {
5808 return FExpr->getBeginLoc().getLocWithOffset(Offset);
5809 }
5810
5811 SourceLocation getEndLoc() const LLVM_READONLY { return FExpr->getEndLoc(); }
5812 };
5813
5814 } // namespace
5815
5816 static void CheckFormatString(
5817 Sema &S, const FormatStringLiteral *FExpr, const Expr *OrigFormatExpr,
5818 ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
5819 unsigned format_idx, unsigned firstDataArg, Sema::FormatStringType Type,
5820 bool inFunctionCall, Sema::VariadicCallType CallType,
5821 llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
5822 bool IgnoreStringsWithoutSpecifiers);
5823
5824 static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
5825 const Expr *E);
5826
5827 // Determine if an expression is a string literal or constant string.
5828 // If this function returns false on the arguments to a function expecting a
5829 // format string, we will usually need to emit a warning.
5830 // True string literals are then checked by CheckFormatString.
5831 static StringLiteralCheckType
5832 checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args,
5833 Sema::FormatArgumentPassingKind APK, unsigned format_idx,
5834 unsigned firstDataArg, Sema::FormatStringType Type,
5835 Sema::VariadicCallType CallType, bool InFunctionCall,
5836 llvm::SmallBitVector &CheckedVarArgs,
5837 UncoveredArgHandler &UncoveredArg, llvm::APSInt Offset,
5838 bool IgnoreStringsWithoutSpecifiers = false) {
5839 if (S.isConstantEvaluatedContext())
5840 return SLCT_NotALiteral;
5841 tryAgain:
5842 assert(Offset.isSigned() && "invalid offset");
5843
5844 if (E->isTypeDependent() || E->isValueDependent())
5845 return SLCT_NotALiteral;
5846
5847 E = E->IgnoreParenCasts();
5848
5849 if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull))
5850 // Technically -Wformat-nonliteral does not warn about this case.
5851 // The behavior of printf and friends in this case is implementation
5852 // dependent. Ideally if the format string cannot be null then
5853 // it should have a 'nonnull' attribute in the function prototype.
5854 return SLCT_UncheckedLiteral;
5855
5856 switch (E->getStmtClass()) {
5857 case Stmt::InitListExprClass:
5858 // Handle expressions like {"foobar"}.
5859 if (const clang::Expr *SLE = maybeConstEvalStringLiteral(S.Context, E)) {
5860 return checkFormatStringExpr(S, SLE, Args, APK, format_idx, firstDataArg,
5861 Type, CallType, /*InFunctionCall*/ false,
5862 CheckedVarArgs, UncoveredArg, Offset,
5863 IgnoreStringsWithoutSpecifiers);
5864 }
5865 return SLCT_NotALiteral;
5866 case Stmt::BinaryConditionalOperatorClass:
5867 case Stmt::ConditionalOperatorClass: {
5868 // The expression is a literal if both sub-expressions were, and it was
5869 // completely checked only if both sub-expressions were checked.
5870 const AbstractConditionalOperator *C =
5871 cast<AbstractConditionalOperator>(E);
5872
5873 // Determine whether it is necessary to check both sub-expressions, for
5874 // example, because the condition expression is a constant that can be
5875 // evaluated at compile time.
5876 bool CheckLeft = true, CheckRight = true;
5877
5878 bool Cond;
5879 if (C->getCond()->EvaluateAsBooleanCondition(
5880 Cond, S.getASTContext(), S.isConstantEvaluatedContext())) {
5881 if (Cond)
5882 CheckRight = false;
5883 else
5884 CheckLeft = false;
5885 }
5886
5887 // We need to maintain the offsets for the right and the left hand side
5888 // separately to check if every possible indexed expression is a valid
5889 // string literal. They might have different offsets for different string
5890 // literals in the end.
5891 StringLiteralCheckType Left;
5892 if (!CheckLeft)
5893 Left = SLCT_UncheckedLiteral;
5894 else {
5895 Left = checkFormatStringExpr(S, C->getTrueExpr(), Args, APK, format_idx,
5896 firstDataArg, Type, CallType, InFunctionCall,
5897 CheckedVarArgs, UncoveredArg, Offset,
5898 IgnoreStringsWithoutSpecifiers);
5899 if (Left == SLCT_NotALiteral || !CheckRight) {
5900 return Left;
5901 }
5902 }
5903
5904 StringLiteralCheckType Right = checkFormatStringExpr(
5905 S, C->getFalseExpr(), Args, APK, format_idx, firstDataArg, Type,
5906 CallType, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
5907 IgnoreStringsWithoutSpecifiers);
5908
5909 return (CheckLeft && Left < Right) ? Left : Right;
5910 }
5911
5912 case Stmt::ImplicitCastExprClass:
5913 E = cast<ImplicitCastExpr>(E)->getSubExpr();
5914 goto tryAgain;
5915
5916 case Stmt::OpaqueValueExprClass:
5917 if (const Expr *src = cast<OpaqueValueExpr>(E)->getSourceExpr()) {
5918 E = src;
5919 goto tryAgain;
5920 }
5921 return SLCT_NotALiteral;
5922
5923 case Stmt::PredefinedExprClass:
5924 // While __func__, etc., are technically not string literals, they
5925 // cannot contain format specifiers and thus are not a security
5926 // liability.
5927 return SLCT_UncheckedLiteral;
5928
5929 case Stmt::DeclRefExprClass: {
5930 const DeclRefExpr *DR = cast<DeclRefExpr>(E);
5931
5932 // As an exception, do not flag errors for variables binding to
5933 // const string literals.
5934 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
5935 bool isConstant = false;
5936 QualType T = DR->getType();
5937
5938 if (const ArrayType *AT = S.Context.getAsArrayType(T)) {
5939 isConstant = AT->getElementType().isConstant(S.Context);
5940 } else if (const PointerType *PT = T->getAs<PointerType>()) {
5941 isConstant = T.isConstant(S.Context) &&
5942 PT->getPointeeType().isConstant(S.Context);
5943 } else if (T->isObjCObjectPointerType()) {
5944 // In ObjC, there is usually no "const ObjectPointer" type,
5945 // so don't check if the pointee type is constant.
5946 isConstant = T.isConstant(S.Context);
5947 }
5948
5949 if (isConstant) {
5950 if (const Expr *Init = VD->getAnyInitializer()) {
5951 // Look through initializers like const char c[] = { "foo" }
5952 if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) {
5953 if (InitList->isStringLiteralInit())
5954 Init = InitList->getInit(0)->IgnoreParenImpCasts();
5955 }
5956 return checkFormatStringExpr(
5957 S, Init, Args, APK, format_idx, firstDataArg, Type, CallType,
5958 /*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg, Offset);
5959 }
5960 }
5961
5962 // When the format argument is an argument of this function, and this
5963 // function also has the format attribute, there are several interactions
5964 // for which there shouldn't be a warning. For instance, when calling
5965 // v*printf from a function that has the printf format attribute, we
5966 // should not emit a warning about using `fmt`, even though it's not
5967 // constant, because the arguments have already been checked for the
5968 // caller of `logmessage`:
5969 //
5970 // __attribute__((format(printf, 1, 2)))
5971 // void logmessage(char const *fmt, ...) {
5972 // va_list ap;
5973 // va_start(ap, fmt);
5974 // vprintf(fmt, ap); /* do not emit a warning about "fmt" */
5975 // ...
5976 // }
5977 //
5978 // Another interaction that we need to support is calling a variadic
5979 // format function from a format function that has fixed arguments. For
5980 // instance:
5981 //
5982 // __attribute__((format(printf, 1, 2)))
5983 // void logstring(char const *fmt, char const *str) {
5984 // printf(fmt, str); /* do not emit a warning about "fmt" */
5985 // }
5986 //
5987 // Same (and perhaps more relatably) for the variadic template case:
5988 //
5989 // template<typename... Args>
5990 // __attribute__((format(printf, 1, 2)))
5991 // void log(const char *fmt, Args&&... args) {
5992 // printf(fmt, forward<Args>(args)...);
5993 // /* do not emit a warning about "fmt" */
5994 // }
5995 //
5996 // Due to implementation difficulty, we only check the format, not the
5997 // format arguments, in all cases.
5998 //
5999 if (const auto *PV = dyn_cast<ParmVarDecl>(VD)) {
6000 if (const auto *D = dyn_cast<Decl>(PV->getDeclContext())) {
6001 for (const auto *PVFormat : D->specific_attrs<FormatAttr>()) {
6002 bool IsCXXMember = false;
6003 if (const auto *MD = dyn_cast<CXXMethodDecl>(D))
6004 IsCXXMember = MD->isInstance();
6005
6006 bool IsVariadic = false;
6007 if (const FunctionType *FnTy = D->getFunctionType())
6008 IsVariadic = cast<FunctionProtoType>(FnTy)->isVariadic();
6009 else if (const auto *BD = dyn_cast<BlockDecl>(D))
6010 IsVariadic = BD->isVariadic();
6011 else if (const auto *OMD = dyn_cast<ObjCMethodDecl>(D))
6012 IsVariadic = OMD->isVariadic();
6013
6014 Sema::FormatStringInfo CallerFSI;
6015 if (Sema::getFormatStringInfo(PVFormat, IsCXXMember, IsVariadic,
6016 &CallerFSI)) {
6017 // We also check if the formats are compatible.
6018 // We can't pass a 'scanf' string to a 'printf' function.
6019 if (PV->getFunctionScopeIndex() == CallerFSI.FormatIdx &&
6020 Type == S.GetFormatStringType(PVFormat)) {
6021 // Lastly, check that argument passing kinds transition in a
6022 // way that makes sense:
6023 // from a caller with FAPK_VAList, allow FAPK_VAList
6024 // from a caller with FAPK_Fixed, allow FAPK_Fixed
6025 // from a caller with FAPK_Fixed, allow FAPK_Variadic
6026 // from a caller with FAPK_Variadic, allow FAPK_VAList
6027 switch (combineFAPK(CallerFSI.ArgPassingKind, APK)) {
6028 case combineFAPK(Sema::FAPK_VAList, Sema::FAPK_VAList):
6029 case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Fixed):
6030 case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Variadic):
6031 case combineFAPK(Sema::FAPK_Variadic, Sema::FAPK_VAList):
6032 return SLCT_UncheckedLiteral;
6033 }
6034 }
6035 }
6036 }
6037 }
6038 }
6039 }
6040
6041 return SLCT_NotALiteral;
6042 }
6043
6044 case Stmt::CallExprClass:
6045 case Stmt::CXXMemberCallExprClass: {
6046 const CallExpr *CE = cast<CallExpr>(E);
6047 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) {
6048 bool IsFirst = true;
6049 StringLiteralCheckType CommonResult;
6050 for (const auto *FA : ND->specific_attrs<FormatArgAttr>()) {
6051 const Expr *Arg = CE->getArg(FA->getFormatIdx().getASTIndex());
6052 StringLiteralCheckType Result = checkFormatStringExpr(
6053 S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
6054 InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
6055 IgnoreStringsWithoutSpecifiers);
6056 if (IsFirst) {
6057 CommonResult = Result;
6058 IsFirst = false;
6059 }
6060 }
6061 if (!IsFirst)
6062 return CommonResult;
6063
6064 if (const auto *FD = dyn_cast<FunctionDecl>(ND)) {
6065 unsigned BuiltinID = FD->getBuiltinID();
6066 if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString ||
6067 BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) {
6068 const Expr *Arg = CE->getArg(0);
6069 return checkFormatStringExpr(
6070 S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
6071 InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
6072 IgnoreStringsWithoutSpecifiers);
6073 }
6074 }
6075 }
6076 if (const Expr *SLE = maybeConstEvalStringLiteral(S.Context, E))
6077 return checkFormatStringExpr(S, SLE, Args, APK, format_idx, firstDataArg,
6078 Type, CallType, /*InFunctionCall*/ false,
6079 CheckedVarArgs, UncoveredArg, Offset,
6080 IgnoreStringsWithoutSpecifiers);
6081 return SLCT_NotALiteral;
6082 }
6083 case Stmt::ObjCMessageExprClass: {
6084 const auto *ME = cast<ObjCMessageExpr>(E);
6085 if (const auto *MD = ME->getMethodDecl()) {
6086 if (const auto *FA = MD->getAttr<FormatArgAttr>()) {
6087 // As a special case heuristic, if we're using the method -[NSBundle
6088 // localizedStringForKey:value:table:], ignore any key strings that lack
6089 // format specifiers. The idea is that if the key doesn't have any
6090 // format specifiers then its probably just a key to map to the
6091 // localized strings. If it does have format specifiers though, then its
6092 // likely that the text of the key is the format string in the
6093 // programmer's language, and should be checked.
6094 const ObjCInterfaceDecl *IFace;
6095 if (MD->isInstanceMethod() && (IFace = MD->getClassInterface()) &&
6096 IFace->getIdentifier()->isStr("NSBundle") &&
6097 MD->getSelector().isKeywordSelector(
6098 {"localizedStringForKey", "value", "table"})) {
6099 IgnoreStringsWithoutSpecifiers = true;
6100 }
6101
6102 const Expr *Arg = ME->getArg(FA->getFormatIdx().getASTIndex());
6103 return checkFormatStringExpr(
6104 S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
6105 InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
6106 IgnoreStringsWithoutSpecifiers);
6107 }
6108 }
6109
6110 return SLCT_NotALiteral;
6111 }
6112 case Stmt::ObjCStringLiteralClass:
6113 case Stmt::StringLiteralClass: {
6114 const StringLiteral *StrE = nullptr;
6115
6116 if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
6117 StrE = ObjCFExpr->getString();
6118 else
6119 StrE = cast<StringLiteral>(E);
6120
6121 if (StrE) {
6122 if (Offset.isNegative() || Offset > StrE->getLength()) {
6123 // TODO: It would be better to have an explicit warning for out of
6124 // bounds literals.
6125 return SLCT_NotALiteral;
6126 }
6127 FormatStringLiteral FStr(StrE, Offset.sextOrTrunc(64).getSExtValue());
6128 CheckFormatString(S, &FStr, E, Args, APK, format_idx, firstDataArg, Type,
6129 InFunctionCall, CallType, CheckedVarArgs, UncoveredArg,
6130 IgnoreStringsWithoutSpecifiers);
6131 return SLCT_CheckedLiteral;
6132 }
6133
6134 return SLCT_NotALiteral;
6135 }
6136 case Stmt::BinaryOperatorClass: {
6137 const BinaryOperator *BinOp = cast<BinaryOperator>(E);
6138
6139 // A string literal + an int offset is still a string literal.
6140 if (BinOp->isAdditiveOp()) {
6141 Expr::EvalResult LResult, RResult;
6142
6143 bool LIsInt = BinOp->getLHS()->EvaluateAsInt(
6144 LResult, S.Context, Expr::SE_NoSideEffects,
6145 S.isConstantEvaluatedContext());
6146 bool RIsInt = BinOp->getRHS()->EvaluateAsInt(
6147 RResult, S.Context, Expr::SE_NoSideEffects,
6148 S.isConstantEvaluatedContext());
6149
6150 if (LIsInt != RIsInt) {
6151 BinaryOperatorKind BinOpKind = BinOp->getOpcode();
6152
6153 if (LIsInt) {
6154 if (BinOpKind == BO_Add) {
6155 sumOffsets(Offset, LResult.Val.getInt(), BinOpKind, RIsInt);
6156 E = BinOp->getRHS();
6157 goto tryAgain;
6158 }
6159 } else {
6160 sumOffsets(Offset, RResult.Val.getInt(), BinOpKind, RIsInt);
6161 E = BinOp->getLHS();
6162 goto tryAgain;
6163 }
6164 }
6165 }
6166
6167 return SLCT_NotALiteral;
6168 }
6169 case Stmt::UnaryOperatorClass: {
6170 const UnaryOperator *UnaOp = cast<UnaryOperator>(E);
6171 auto ASE = dyn_cast<ArraySubscriptExpr>(UnaOp->getSubExpr());
6172 if (UnaOp->getOpcode() == UO_AddrOf && ASE) {
6173 Expr::EvalResult IndexResult;
6174 if (ASE->getRHS()->EvaluateAsInt(IndexResult, S.Context,
6175 Expr::SE_NoSideEffects,
6176 S.isConstantEvaluatedContext())) {
6177 sumOffsets(Offset, IndexResult.Val.getInt(), BO_Add,
6178 /*RHS is int*/ true);
6179 E = ASE->getBase();
6180 goto tryAgain;
6181 }
6182 }
6183
6184 return SLCT_NotALiteral;
6185 }
6186
6187 default:
6188 return SLCT_NotALiteral;
6189 }
6190 }
6191
6192 // If this expression can be evaluated at compile-time,
6193 // check if the result is a StringLiteral and return it
6194 // otherwise return nullptr
6195 static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
6196 const Expr *E) {
6197 Expr::EvalResult Result;
6198 if (E->EvaluateAsRValue(Result, Context) && Result.Val.isLValue()) {
6199 const auto *LVE = Result.Val.getLValueBase().dyn_cast<const Expr *>();
6200 if (isa_and_nonnull<StringLiteral>(LVE))
6201 return LVE;
6202 }
6203 return nullptr;
6204 }
6205
6206 Sema::FormatStringType Sema::GetFormatStringType(const FormatAttr *Format) {
6207 return llvm::StringSwitch<FormatStringType>(Format->getType()->getName())
6208 .Case("scanf", FST_Scanf)
6209 .Cases("printf", "printf0", "syslog", FST_Printf)
6210 .Cases("NSString", "CFString", FST_NSString)
6211 .Case("strftime", FST_Strftime)
6212 .Case("strfmon", FST_Strfmon)
6213 .Cases("kprintf", "cmn_err", "vcmn_err", "zcmn_err", FST_Kprintf)
6214 .Case("freebsd_kprintf", FST_FreeBSDKPrintf)
6215 .Case("os_trace", FST_OSLog)
6216 .Case("os_log", FST_OSLog)
6217 .Default(FST_Unknown);
6218 }
6219
6220 bool Sema::CheckFormatArguments(const FormatAttr *Format,
6221 ArrayRef<const Expr *> Args, bool IsCXXMember,
6222 VariadicCallType CallType, SourceLocation Loc,
6223 SourceRange Range,
6224 llvm::SmallBitVector &CheckedVarArgs) {
6225 FormatStringInfo FSI;
6226 if (getFormatStringInfo(Format, IsCXXMember, CallType != VariadicDoesNotApply,
6227 &FSI))
6228 return CheckFormatArguments(Args, FSI.ArgPassingKind, FSI.FormatIdx,
6229 FSI.FirstDataArg, GetFormatStringType(Format),
6230 CallType, Loc, Range, CheckedVarArgs);
6231 return false;
6232 }
6233
6234 bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
6235 Sema::FormatArgumentPassingKind APK,
6236 unsigned format_idx, unsigned firstDataArg,
6237 FormatStringType Type,
6238 VariadicCallType CallType, SourceLocation Loc,
6239 SourceRange Range,
6240 llvm::SmallBitVector &CheckedVarArgs) {
6241 // CHECK: printf/scanf-like function is called with no format string.
6242 if (format_idx >= Args.size()) {
6243 Diag(Loc, diag::warn_missing_format_string) << Range;
6244 return false;
6245 }
6246
6247 const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts();
6248
6249 // CHECK: format string is not a string literal.
6250 //
6251 // Dynamically generated format strings are difficult to
6252 // automatically vet at compile time. Requiring that format strings
6253 // are string literals: (1) permits the checking of format strings by
6254 // the compiler and thereby (2) can practically remove the source of
6255 // many format string exploits.
6256
6257 // Format string can be either ObjC string (e.g. @"%d") or
6258 // C string (e.g. "%d")
6259 // ObjC string uses the same format specifiers as C string, so we can use
6260 // the same format string checking logic for both ObjC and C strings.
6261 UncoveredArgHandler UncoveredArg;
6262 StringLiteralCheckType CT = checkFormatStringExpr(
6263 *this, OrigFormatExpr, Args, APK, format_idx, firstDataArg, Type,
6264 CallType,
6265 /*IsFunctionCall*/ true, CheckedVarArgs, UncoveredArg,
6266 /*no string offset*/ llvm::APSInt(64, false) = 0);
6267
6268 // Generate a diagnostic where an uncovered argument is detected.
6269 if (UncoveredArg.hasUncoveredArg()) {
6270 unsigned ArgIdx = UncoveredArg.getUncoveredArg() + firstDataArg;
6271 assert(ArgIdx < Args.size() && "ArgIdx outside bounds");
6272 UncoveredArg.Diagnose(*this, /*IsFunctionCall*/true, Args[ArgIdx]);
6273 }
6274
6275 if (CT != SLCT_NotALiteral)
6276 // Literal format string found, check done!
6277 return CT == SLCT_CheckedLiteral;
6278
6279 // Strftime is particular as it always uses a single 'time' argument,
6280 // so it is safe to pass a non-literal string.
6281 if (Type == FST_Strftime)
6282 return false;
6283
6284 // Do not emit diag when the string param is a macro expansion and the
6285 // format is either NSString or CFString. This is a hack to prevent
6286 // diag when using the NSLocalizedString and CFCopyLocalizedString macros
6287 // which are usually used in place of NS and CF string literals.
6288 SourceLocation FormatLoc = Args[format_idx]->getBeginLoc();
6289 if (Type == FST_NSString && SourceMgr.isInSystemMacro(FormatLoc))
6290 return false;
6291
6292 // If there are no arguments specified, warn with -Wformat-security, otherwise
6293 // warn only with -Wformat-nonliteral.
6294 if (Args.size() == firstDataArg) {
6295 Diag(FormatLoc, diag::warn_format_nonliteral_noargs)
6296 << OrigFormatExpr->getSourceRange();
6297 switch (Type) {
6298 default:
6299 break;
6300 case FST_Kprintf:
6301 case FST_FreeBSDKPrintf:
6302 case FST_Printf:
6303 case FST_Syslog:
6304 Diag(FormatLoc, diag::note_format_security_fixit)
6305 << FixItHint::CreateInsertion(FormatLoc, "\"%s\", ");
6306 break;
6307 case FST_NSString:
6308 Diag(FormatLoc, diag::note_format_security_fixit)
6309 << FixItHint::CreateInsertion(FormatLoc, "@\"%@\", ");
6310 break;
6311 }
6312 } else {
6313 Diag(FormatLoc, diag::warn_format_nonliteral)
6314 << OrigFormatExpr->getSourceRange();
6315 }
6316 return false;
6317 }
6318
6319 namespace {
6320
6321 class CheckFormatHandler : public analyze_format_string::FormatStringHandler {
6322 protected:
6323 Sema &S;
6324 const FormatStringLiteral *FExpr;
6325 const Expr *OrigFormatExpr;
6326 const Sema::FormatStringType FSType;
6327 const unsigned FirstDataArg;
6328 const unsigned NumDataArgs;
6329 const char *Beg; // Start of format string.
6330 const Sema::FormatArgumentPassingKind ArgPassingKind;
6331 ArrayRef<const Expr *> Args;
6332 unsigned FormatIdx;
6333 llvm::SmallBitVector CoveredArgs;
6334 bool usesPositionalArgs = false;
6335 bool atFirstArg = true;
6336 bool inFunctionCall;
6337 Sema::VariadicCallType CallType;
6338 llvm::SmallBitVector &CheckedVarArgs;
6339 UncoveredArgHandler &UncoveredArg;
6340
6341 public:
6342 CheckFormatHandler(Sema &s, const FormatStringLiteral *fexpr,
6343 const Expr *origFormatExpr,
6344 const Sema::FormatStringType type, unsigned firstDataArg,
6345 unsigned numDataArgs, const char *beg,
6346 Sema::FormatArgumentPassingKind APK,
6347 ArrayRef<const Expr *> Args, unsigned formatIdx,
6348 bool inFunctionCall, Sema::VariadicCallType callType,
6349 llvm::SmallBitVector &CheckedVarArgs,
6350 UncoveredArgHandler &UncoveredArg)
6351 : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), FSType(type),
6352 FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), Beg(beg),
6353 ArgPassingKind(APK), Args(Args), FormatIdx(formatIdx),
6354 inFunctionCall(inFunctionCall), CallType(callType),
6355 CheckedVarArgs(CheckedVarArgs), UncoveredArg(UncoveredArg) {
6356 CoveredArgs.resize(numDataArgs);
6357 CoveredArgs.reset();
6358 }
6359
6360 void DoneProcessing();
6361
6362 void HandleIncompleteSpecifier(const char *startSpecifier,
6363 unsigned specifierLen) override;
6364
6365 void HandleInvalidLengthModifier(
6366 const analyze_format_string::FormatSpecifier &FS,
6367 const analyze_format_string::ConversionSpecifier &CS,
6368 const char *startSpecifier, unsigned specifierLen,
6369 unsigned DiagID);
6370
6371 void HandleNonStandardLengthModifier(
6372 const analyze_format_string::FormatSpecifier &FS,
6373 const char *startSpecifier, unsigned specifierLen);
6374
6375 void HandleNonStandardConversionSpecifier(
6376 const analyze_format_string::ConversionSpecifier &CS,
6377 const char *startSpecifier, unsigned specifierLen);
6378
6379 void HandlePosition(const char *startPos, unsigned posLen) override;
6380
6381 void HandleInvalidPosition(const char *startSpecifier,
6382 unsigned specifierLen,
6383 analyze_format_string::PositionContext p) override;
6384
6385 void HandleZeroPosition(const char *startPos, unsigned posLen) override;
6386
6387 void HandleNullChar(const char *nullCharacter) override;
6388
6389 template <typename Range>
6390 static void
6391 EmitFormatDiagnostic(Sema &S, bool inFunctionCall, const Expr *ArgumentExpr,
6392 const PartialDiagnostic &PDiag, SourceLocation StringLoc,
6393 bool IsStringLocation, Range StringRange,
6394 ArrayRef<FixItHint> Fixit = {});
6395
6396 protected:
6397 bool HandleInvalidConversionSpecifier(unsigned argIndex, SourceLocation Loc,
6398 const char *startSpec,
6399 unsigned specifierLen,
6400 const char *csStart, unsigned csLen);
6401
6402 void HandlePositionalNonpositionalArgs(SourceLocation Loc,
6403 const char *startSpec,
6404 unsigned specifierLen);
6405
6406 SourceRange getFormatStringRange();
6407 CharSourceRange getSpecifierRange(const char *startSpecifier,
6408 unsigned specifierLen);
6409 SourceLocation getLocationOfByte(const char *x);
6410
6411 const Expr *getDataArg(unsigned i) const;
6412
6413 bool CheckNumArgs(const analyze_format_string::FormatSpecifier &FS,
6414 const analyze_format_string::ConversionSpecifier &CS,
6415 const char *startSpecifier, unsigned specifierLen,
6416 unsigned argIndex);
6417
6418 template <typename Range>
6419 void EmitFormatDiagnostic(PartialDiagnostic PDiag, SourceLocation StringLoc,
6420 bool IsStringLocation, Range StringRange,
6421 ArrayRef<FixItHint> Fixit = {});
6422 };
6423
6424 } // namespace
6425
6426 SourceRange CheckFormatHandler::getFormatStringRange() {
6427 return OrigFormatExpr->getSourceRange();
6428 }
6429
6430 CharSourceRange CheckFormatHandler::
6431 getSpecifierRange(const char *startSpecifier, unsigned specifierLen) {
6432 SourceLocation Start = getLocationOfByte(startSpecifier);
6433 SourceLocation End = getLocationOfByte(startSpecifier + specifierLen - 1);
6434
6435 // Advance the end SourceLocation by one due to half-open ranges.
6436 End = End.getLocWithOffset(1);
6437
6438 return CharSourceRange::getCharRange(Start, End);
6439 }
6440
6441 SourceLocation CheckFormatHandler::getLocationOfByte(const char *x) {
6442 return FExpr->getLocationOfByte(x - Beg, S.getSourceManager(),
6443 S.getLangOpts(), S.Context.getTargetInfo());
6444 }
6445
6446 void CheckFormatHandler::HandleIncompleteSpecifier(const char *startSpecifier,
6447 unsigned specifierLen){
6448 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_incomplete_specifier),
6449 getLocationOfByte(startSpecifier),
6450 /*IsStringLocation*/true,
6451 getSpecifierRange(startSpecifier, specifierLen));
6452 }
6453
6454 void CheckFormatHandler::HandleInvalidLengthModifier(
6455 const analyze_format_string::FormatSpecifier &FS,
6456 const analyze_format_string::ConversionSpecifier &CS,
6457 const char *startSpecifier, unsigned specifierLen, unsigned DiagID) {
6458 using namespace analyze_format_string;
6459
6460 const LengthModifier &LM = FS.getLengthModifier();
6461 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
6462
6463 // See if we know how to fix this length modifier.
6464 std::optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
6465 if (FixedLM) {
6466 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
6467 getLocationOfByte(LM.getStart()),
6468 /*IsStringLocation*/true,
6469 getSpecifierRange(startSpecifier, specifierLen));
6470
6471 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
6472 << FixedLM->toString()
6473 << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
6474
6475 } else {
6476 FixItHint Hint;
6477 if (DiagID == diag::warn_format_nonsensical_length)
6478 Hint = FixItHint::CreateRemoval(LMRange);
6479
6480 EmitFormatDiagnostic(S.PDiag(DiagID) << LM.toString() << CS.toString(),
6481 getLocationOfByte(LM.getStart()),
6482 /*IsStringLocation*/true,
6483 getSpecifierRange(startSpecifier, specifierLen),
6484 Hint);
6485 }
6486 }
6487
6488 void CheckFormatHandler::HandleNonStandardLengthModifier(
6489 const analyze_format_string::FormatSpecifier &FS,
6490 const char *startSpecifier, unsigned specifierLen) {
6491 using namespace analyze_format_string;
6492
6493 const LengthModifier &LM = FS.getLengthModifier();
6494 CharSourceRange LMRange = getSpecifierRange(LM.getStart(), LM.getLength());
6495
6496 // See if we know how to fix this length modifier.
6497 std::optional<LengthModifier> FixedLM = FS.getCorrectedLengthModifier();
6498 if (FixedLM) {
6499 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6500 << LM.toString() << 0,
6501 getLocationOfByte(LM.getStart()),
6502 /*IsStringLocation*/true,
6503 getSpecifierRange(startSpecifier, specifierLen));
6504
6505 S.Diag(getLocationOfByte(LM.getStart()), diag::note_format_fix_specifier)
6506 << FixedLM->toString()
6507 << FixItHint::CreateReplacement(LMRange, FixedLM->toString());
6508
6509 } else {
6510 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6511 << LM.toString() << 0,
6512 getLocationOfByte(LM.getStart()),
6513 /*IsStringLocation*/true,
6514 getSpecifierRange(startSpecifier, specifierLen));
6515 }
6516 }
6517
6518 void CheckFormatHandler::HandleNonStandardConversionSpecifier(
6519 const analyze_format_string::ConversionSpecifier &CS,
6520 const char *startSpecifier, unsigned specifierLen) {
6521 using namespace analyze_format_string;
6522
6523 // See if we know how to fix this conversion specifier.
6524 std::optional<ConversionSpecifier> FixedCS = CS.getStandardSpecifier();
6525 if (FixedCS) {
6526 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6527 << CS.toString() << /*conversion specifier*/1,
6528 getLocationOfByte(CS.getStart()),
6529 /*IsStringLocation*/true,
6530 getSpecifierRange(startSpecifier, specifierLen));
6531
6532 CharSourceRange CSRange = getSpecifierRange(CS.getStart(), CS.getLength());
6533 S.Diag(getLocationOfByte(CS.getStart()), diag::note_format_fix_specifier)
6534 << FixedCS->toString()
6535 << FixItHint::CreateReplacement(CSRange, FixedCS->toString());
6536 } else {
6537 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard)
6538 << CS.toString() << /*conversion specifier*/1,
6539 getLocationOfByte(CS.getStart()),
6540 /*IsStringLocation*/true,
6541 getSpecifierRange(startSpecifier, specifierLen));
6542 }
6543 }
6544
6545 void CheckFormatHandler::HandlePosition(const char *startPos,
6546 unsigned posLen) {
6547 EmitFormatDiagnostic(S.PDiag(diag::warn_format_non_standard_positional_arg),
6548 getLocationOfByte(startPos),
6549 /*IsStringLocation*/true,
6550 getSpecifierRange(startPos, posLen));
6551 }
6552
6553 void CheckFormatHandler::HandleInvalidPosition(
6554 const char *startSpecifier, unsigned specifierLen,
6555 analyze_format_string::PositionContext p) {
6556 EmitFormatDiagnostic(
6557 S.PDiag(diag::warn_format_invalid_positional_specifier) << (unsigned)p,
6558 getLocationOfByte(startSpecifier), /*IsStringLocation*/ true,
6559 getSpecifierRange(startSpecifier, specifierLen));
6560 }
6561
6562 void CheckFormatHandler::HandleZeroPosition(const char *startPos,
6563 unsigned posLen) {
6564 EmitFormatDiagnostic(S.PDiag(diag::warn_format_zero_positional_specifier),
6565 getLocationOfByte(startPos),
6566 /*IsStringLocation*/true,
6567 getSpecifierRange(startPos, posLen));
6568 }
6569
6570 void CheckFormatHandler::HandleNullChar(const char *nullCharacter) {
6571 if (!isa<ObjCStringLiteral>(OrigFormatExpr)) {
6572 // The presence of a null character is likely an error.
6573 EmitFormatDiagnostic(
6574 S.PDiag(diag::warn_printf_format_string_contains_null_char),
6575 getLocationOfByte(nullCharacter), /*IsStringLocation*/true,
6576 getFormatStringRange());
6577 }
6578 }
6579
6580 // Note that this may return NULL if there was an error parsing or building
6581 // one of the argument expressions.
6582 const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
6583 return Args[FirstDataArg + i];
6584 }
6585
6586 void CheckFormatHandler::DoneProcessing() {
6587 // Does the number of data arguments exceed the number of
6588 // format conversions in the format string?
6589 if (ArgPassingKind != Sema::FAPK_VAList) {
6590 // Find any arguments that weren't covered.
6591 CoveredArgs.flip();
6592 signed notCoveredArg = CoveredArgs.find_first();
6593 if (notCoveredArg >= 0) {
6594 assert((unsigned)notCoveredArg < NumDataArgs);
6595 UncoveredArg.Update(notCoveredArg, OrigFormatExpr);
6596 } else {
6597 UncoveredArg.setAllCovered();
6598 }
6599 }
6600 }
6601
6602 void UncoveredArgHandler::Diagnose(Sema &S, bool IsFunctionCall,
6603 const Expr *ArgExpr) {
6604 assert(hasUncoveredArg() && !DiagnosticExprs.empty() &&
6605 "Invalid state");
6606
6607 if (!ArgExpr)
6608 return;
6609
6610 SourceLocation Loc = ArgExpr->getBeginLoc();
6611
6612 if (S.getSourceManager().isInSystemMacro(Loc))
6613 return;
6614
6615 PartialDiagnostic PDiag = S.PDiag(diag::warn_printf_data_arg_not_used);
6616 for (auto E : DiagnosticExprs)
6617 PDiag << E->getSourceRange();
6618
6619 CheckFormatHandler::EmitFormatDiagnostic(
6620 S, IsFunctionCall, DiagnosticExprs[0],
6621 PDiag, Loc, /*IsStringLocation*/false,
6622 DiagnosticExprs[0]->getSourceRange());
6623 }
6624
6625 bool
6626 CheckFormatHandler::HandleInvalidConversionSpecifier(unsigned argIndex,
6627 SourceLocation Loc,
6628 const char *startSpec,
6629 unsigned specifierLen,
6630 const char *csStart,
6631 unsigned csLen) {
6632 bool keepGoing = true;
6633 if (argIndex < NumDataArgs) {
6634 // Consider the argument coverered, even though the specifier doesn't
6635 // make sense.
6636 CoveredArgs.set(argIndex);
6637 }
6638 else {
6639 // If argIndex exceeds the number of data arguments we
6640 // don't issue a warning because that is just a cascade of warnings (and
6641 // they may have intended '%%' anyway). We don't want to continue processing
6642 // the format string after this point, however, as we will like just get
6643 // gibberish when trying to match arguments.
6644 keepGoing = false;
6645 }
6646
6647 StringRef Specifier(csStart, csLen);
6648
6649 // If the specifier in non-printable, it could be the first byte of a UTF-8
6650 // sequence. In that case, print the UTF-8 code point. If not, print the byte
6651 // hex value.
6652 std::string CodePointStr;
6653 if (!llvm::sys::locale::isPrint(*csStart)) {
6654 llvm::UTF32 CodePoint;
6655 const llvm::UTF8 **B = reinterpret_cast<const llvm::UTF8 **>(&csStart);
6656 const llvm::UTF8 *E =
6657 reinterpret_cast<const llvm::UTF8 *>(csStart + csLen);
6658 llvm::ConversionResult Result =
6659 llvm::convertUTF8Sequence(B, E, &CodePoint, llvm::strictConversion);
6660
6661 if (Result != llvm::conversionOK) {
6662 unsigned char FirstChar = *csStart;
6663 CodePoint = (llvm::UTF32)FirstChar;
6664 }
6665
6666 llvm::raw_string_ostream OS(CodePointStr);
6667 if (CodePoint < 256)
6668 OS << "\\x" << llvm::format("%02x", CodePoint);
6669 else if (CodePoint <= 0xFFFF)
6670 OS << "\\u" << llvm::format("%04x", CodePoint);
6671 else
6672 OS << "\\U" << llvm::format("%08x", CodePoint);
6673 Specifier = CodePointStr;
6674 }
6675
6676 EmitFormatDiagnostic(
6677 S.PDiag(diag::warn_format_invalid_conversion) << Specifier, Loc,
6678 /*IsStringLocation*/ true, getSpecifierRange(startSpec, specifierLen));
6679
6680 return keepGoing;
6681 }
6682
6683 void
6684 CheckFormatHandler::HandlePositionalNonpositionalArgs(SourceLocation Loc,
6685 const char *startSpec,
6686 unsigned specifierLen) {
6687 EmitFormatDiagnostic(
6688 S.PDiag(diag::warn_format_mix_positional_nonpositional_args),
6689 Loc, /*isStringLoc*/true, getSpecifierRange(startSpec, specifierLen));
6690 }
6691
6692 bool
6693 CheckFormatHandler::CheckNumArgs(
6694 const analyze_format_string::FormatSpecifier &FS,
6695 const analyze_format_string::ConversionSpecifier &CS,
6696 const char *startSpecifier, unsigned specifierLen, unsigned argIndex) {
6697
6698 if (argIndex >= NumDataArgs) {
6699 PartialDiagnostic PDiag = FS.usesPositionalArg()
6700 ? (S.PDiag(diag::warn_printf_positional_arg_exceeds_data_args)
6701 << (argIndex+1) << NumDataArgs)
6702 : S.PDiag(diag::warn_printf_insufficient_data_args);
6703 EmitFormatDiagnostic(
6704 PDiag, getLocationOfByte(CS.getStart()), /*IsStringLocation*/true,
6705 getSpecifierRange(startSpecifier, specifierLen));
6706
6707 // Since more arguments than conversion tokens are given, by extension
6708 // all arguments are covered, so mark this as so.
6709 UncoveredArg.setAllCovered();
6710 return false;
6711 }
6712 return true;
6713 }
6714
6715 template<typename Range>
6716 void CheckFormatHandler::EmitFormatDiagnostic(PartialDiagnostic PDiag,
6717 SourceLocation Loc,
6718 bool IsStringLocation,
6719 Range StringRange,
6720 ArrayRef<FixItHint> FixIt) {
6721 EmitFormatDiagnostic(S, inFunctionCall, Args[FormatIdx], PDiag,
6722 Loc, IsStringLocation, StringRange, FixIt);
6723 }
6724
6725 /// If the format string is not within the function call, emit a note
6726 /// so that the function call and string are in diagnostic messages.
6727 ///
6728 /// \param InFunctionCall if true, the format string is within the function
6729 /// call and only one diagnostic message will be produced. Otherwise, an
6730 /// extra note will be emitted pointing to location of the format string.
6731 ///
6732 /// \param ArgumentExpr the expression that is passed as the format string
6733 /// argument in the function call. Used for getting locations when two
6734 /// diagnostics are emitted.
6735 ///
6736 /// \param PDiag the callee should already have provided any strings for the
6737 /// diagnostic message. This function only adds locations and fixits
6738 /// to diagnostics.
6739 ///
6740 /// \param Loc primary location for diagnostic. If two diagnostics are
6741 /// required, one will be at Loc and a new SourceLocation will be created for
6742 /// the other one.
6743 ///
6744 /// \param IsStringLocation if true, Loc points to the format string should be
6745 /// used for the note. Otherwise, Loc points to the argument list and will
6746 /// be used with PDiag.
6747 ///
6748 /// \param StringRange some or all of the string to highlight. This is
6749 /// templated so it can accept either a CharSourceRange or a SourceRange.
6750 ///
6751 /// \param FixIt optional fix it hint for the format string.
6752 template <typename Range>
6753 void CheckFormatHandler::EmitFormatDiagnostic(
6754 Sema &S, bool InFunctionCall, const Expr *ArgumentExpr,
6755 const PartialDiagnostic &PDiag, SourceLocation Loc, bool IsStringLocation,
6756 Range StringRange, ArrayRef<FixItHint> FixIt) {
6757 if (InFunctionCall) {
6758 const Sema::SemaDiagnosticBuilder &D = S.Diag(Loc, PDiag);
6759 D << StringRange;
6760 D << FixIt;
6761 } else {
6762 S.Diag(IsStringLocation ? ArgumentExpr->getExprLoc() : Loc, PDiag)
6763 << ArgumentExpr->getSourceRange();
6764
6765 const Sema::SemaDiagnosticBuilder &Note =
6766 S.Diag(IsStringLocation ? Loc : StringRange.getBegin(),
6767 diag::note_format_string_defined);
6768
6769 Note << StringRange;
6770 Note << FixIt;
6771 }
6772 }
6773
6774 //===--- CHECK: Printf format string checking -----------------------------===//
6775
6776 namespace {
6777
6778 class CheckPrintfHandler : public CheckFormatHandler {
6779 public:
6780 CheckPrintfHandler(Sema &s, const FormatStringLiteral *fexpr,
6781 const Expr *origFormatExpr,
6782 const Sema::FormatStringType type, unsigned firstDataArg,
6783 unsigned numDataArgs, bool isObjC, const char *beg,
6784 Sema::FormatArgumentPassingKind APK,
6785 ArrayRef<const Expr *> Args, unsigned formatIdx,
6786 bool inFunctionCall, Sema::VariadicCallType CallType,
6787 llvm::SmallBitVector &CheckedVarArgs,
6788 UncoveredArgHandler &UncoveredArg)
6789 : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
6790 numDataArgs, beg, APK, Args, formatIdx,
6791 inFunctionCall, CallType, CheckedVarArgs,
6792 UncoveredArg) {}
6793
6794 bool isObjCContext() const { return FSType == Sema::FST_NSString; }
6795
6796 /// Returns true if '%@' specifiers are allowed in the format string.
6797 bool allowsObjCArg() const {
6798 return FSType == Sema::FST_NSString || FSType == Sema::FST_OSLog ||
6799 FSType == Sema::FST_OSTrace;
6800 }
6801
6802 bool HandleInvalidPrintfConversionSpecifier(
6803 const analyze_printf::PrintfSpecifier &FS,
6804 const char *startSpecifier,
6805 unsigned specifierLen) override;
6806
6807 void handleInvalidMaskType(StringRef MaskType) override;
6808
6809 bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
6810 const char *startSpecifier, unsigned specifierLen,
6811 const TargetInfo &Target) override;
6812 bool checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
6813 const char *StartSpecifier,
6814 unsigned SpecifierLen,
6815 const Expr *E);
6816
6817 bool HandleAmount(const analyze_format_string::OptionalAmount &Amt, unsigned k,
6818 const char *startSpecifier, unsigned specifierLen);
6819 void HandleInvalidAmount(const analyze_printf::PrintfSpecifier &FS,
6820 const analyze_printf::OptionalAmount &Amt,
6821 unsigned type,
6822 const char *startSpecifier, unsigned specifierLen);
6823 void HandleFlag(const analyze_printf::PrintfSpecifier &FS,
6824 const analyze_printf::OptionalFlag &flag,
6825 const char *startSpecifier, unsigned specifierLen);
6826 void HandleIgnoredFlag(const analyze_printf::PrintfSpecifier &FS,
6827 const analyze_printf::OptionalFlag &ignoredFlag,
6828 const analyze_printf::OptionalFlag &flag,
6829 const char *startSpecifier, unsigned specifierLen);
6830 bool checkForCStrMembers(const analyze_printf::ArgType &AT,
6831 const Expr *E);
6832
6833 void HandleEmptyObjCModifierFlag(const char *startFlag,
6834 unsigned flagLen) override;
6835
6836 void HandleInvalidObjCModifierFlag(const char *startFlag,
6837 unsigned flagLen) override;
6838
6839 void HandleObjCFlagsWithNonObjCConversion(const char *flagsStart,
6840 const char *flagsEnd,
6841 const char *conversionPosition)
6842 override;
6843 };
6844
6845 } // namespace
6846
6847 bool CheckPrintfHandler::HandleInvalidPrintfConversionSpecifier(
6848 const analyze_printf::PrintfSpecifier &FS,
6849 const char *startSpecifier,
6850 unsigned specifierLen) {
6851 const analyze_printf::PrintfConversionSpecifier &CS =
6852 FS.getConversionSpecifier();
6853
6854 return HandleInvalidConversionSpecifier(FS.getArgIndex(),
6855 getLocationOfByte(CS.getStart()),
6856 startSpecifier, specifierLen,
6857 CS.getStart(), CS.getLength());
6858 }
6859
6860 void CheckPrintfHandler::handleInvalidMaskType(StringRef MaskType) {
6861 S.Diag(getLocationOfByte(MaskType.data()), diag::err_invalid_mask_type_size);
6862 }
6863
6864 bool CheckPrintfHandler::HandleAmount(
6865 const analyze_format_string::OptionalAmount &Amt, unsigned k,
6866 const char *startSpecifier, unsigned specifierLen) {
6867 if (Amt.hasDataArgument()) {
6868 if (ArgPassingKind != Sema::FAPK_VAList) {
6869 unsigned argIndex = Amt.getArgIndex();
6870 if (argIndex >= NumDataArgs) {
6871 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg)
6872 << k,
6873 getLocationOfByte(Amt.getStart()),
6874 /*IsStringLocation*/ true,
6875 getSpecifierRange(startSpecifier, specifierLen));
6876 // Don't do any more checking. We will just emit
6877 // spurious errors.
6878 return false;
6879 }
6880
6881 // Type check the data argument. It should be an 'int'.
6882 // Although not in conformance with C99, we also allow the argument to be
6883 // an 'unsigned int' as that is a reasonably safe case. GCC also
6884 // doesn't emit a warning for that case.
6885 CoveredArgs.set(argIndex);
6886 const Expr *Arg = getDataArg(argIndex);
6887 if (!Arg)
6888 return false;
6889
6890 QualType T = Arg->getType();
6891
6892 const analyze_printf::ArgType &AT = Amt.getArgType(S.Context);
6893 assert(AT.isValid());
6894
6895 if (!AT.matchesType(S.Context, T)) {
6896 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_wrong_type)
6897 << k << AT.getRepresentativeTypeName(S.Context)
6898 << T << Arg->getSourceRange(),
6899 getLocationOfByte(Amt.getStart()),
6900 /*IsStringLocation*/true,
6901 getSpecifierRange(startSpecifier, specifierLen));
6902 // Don't do any more checking. We will just emit
6903 // spurious errors.
6904 return false;
6905 }
6906 }
6907 }
6908 return true;
6909 }
6910
6911 void CheckPrintfHandler::HandleInvalidAmount(
6912 const analyze_printf::PrintfSpecifier &FS,
6913 const analyze_printf::OptionalAmount &Amt,
6914 unsigned type,
6915 const char *startSpecifier,
6916 unsigned specifierLen) {
6917 const analyze_printf::PrintfConversionSpecifier &CS =
6918 FS.getConversionSpecifier();
6919
6920 FixItHint fixit =
6921 Amt.getHowSpecified() == analyze_printf::OptionalAmount::Constant
6922 ? FixItHint::CreateRemoval(getSpecifierRange(Amt.getStart(),
6923 Amt.getConstantLength()))
6924 : FixItHint();
6925
6926 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_optional_amount)
6927 << type << CS.toString(),
6928 getLocationOfByte(Amt.getStart()),
6929 /*IsStringLocation*/true,
6930 getSpecifierRange(startSpecifier, specifierLen),
6931 fixit);
6932 }
6933
6934 void CheckPrintfHandler::HandleFlag(const analyze_printf::PrintfSpecifier &FS,
6935 const analyze_printf::OptionalFlag &flag,
6936 const char *startSpecifier,
6937 unsigned specifierLen) {
6938 // Warn about pointless flag with a fixit removal.
6939 const analyze_printf::PrintfConversionSpecifier &CS =
6940 FS.getConversionSpecifier();
6941 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_nonsensical_flag)
6942 << flag.toString() << CS.toString(),
6943 getLocationOfByte(flag.getPosition()),
6944 /*IsStringLocation*/true,
6945 getSpecifierRange(startSpecifier, specifierLen),
6946 FixItHint::CreateRemoval(
6947 getSpecifierRange(flag.getPosition(), 1)));
6948 }
6949
6950 void CheckPrintfHandler::HandleIgnoredFlag(
6951 const analyze_printf::PrintfSpecifier &FS,
6952 const analyze_printf::OptionalFlag &ignoredFlag,
6953 const analyze_printf::OptionalFlag &flag,
6954 const char *startSpecifier,
6955 unsigned specifierLen) {
6956 // Warn about ignored flag with a fixit removal.
6957 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_ignored_flag)
6958 << ignoredFlag.toString() << flag.toString(),
6959 getLocationOfByte(ignoredFlag.getPosition()),
6960 /*IsStringLocation*/true,
6961 getSpecifierRange(startSpecifier, specifierLen),
6962 FixItHint::CreateRemoval(
6963 getSpecifierRange(ignoredFlag.getPosition(), 1)));
6964 }
6965
6966 void CheckPrintfHandler::HandleEmptyObjCModifierFlag(const char *startFlag,
6967 unsigned flagLen) {
6968 // Warn about an empty flag.
6969 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_empty_objc_flag),
6970 getLocationOfByte(startFlag),
6971 /*IsStringLocation*/true,
6972 getSpecifierRange(startFlag, flagLen));
6973 }
6974
6975 void CheckPrintfHandler::HandleInvalidObjCModifierFlag(const char *startFlag,
6976 unsigned flagLen) {
6977 // Warn about an invalid flag.
6978 auto Range = getSpecifierRange(startFlag, flagLen);
6979 StringRef flag(startFlag, flagLen);
6980 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_invalid_objc_flag) << flag,
6981 getLocationOfByte(startFlag),
6982 /*IsStringLocation*/true,
6983 Range, FixItHint::CreateRemoval(Range));
6984 }
6985
6986 void CheckPrintfHandler::HandleObjCFlagsWithNonObjCConversion(
6987 const char *flagsStart, const char *flagsEnd, const char *conversionPosition) {
6988 // Warn about using '[...]' without a '@' conversion.
6989 auto Range = getSpecifierRange(flagsStart, flagsEnd - flagsStart + 1);
6990 auto diag = diag::warn_printf_ObjCflags_without_ObjCConversion;
6991 EmitFormatDiagnostic(S.PDiag(diag) << StringRef(conversionPosition, 1),
6992 getLocationOfByte(conversionPosition),
6993 /*IsStringLocation*/true,
6994 Range, FixItHint::CreateRemoval(Range));
6995 }
6996
6997 // Determines if the specified is a C++ class or struct containing
6998 // a member with the specified name and kind (e.g. a CXXMethodDecl named
6999 // "c_str()").
7000 template<typename MemberKind>
7001 static llvm::SmallPtrSet<MemberKind*, 1>
7002 CXXRecordMembersNamed(StringRef Name, Sema &S, QualType Ty) {
7003 const RecordType *RT = Ty->getAs<RecordType>();
7004 llvm::SmallPtrSet<MemberKind*, 1> Results;
7005
7006 if (!RT)
7007 return Results;
7008 const CXXRecordDecl *RD = dyn_cast<CXXRecordDecl>(RT->getDecl());
7009 if (!RD || !RD->getDefinition())
7010 return Results;
7011
7012 LookupResult R(S, &S.Context.Idents.get(Name), SourceLocation(),
7013 Sema::LookupMemberName);
7014 R.suppressDiagnostics();
7015
7016 // We just need to include all members of the right kind turned up by the
7017 // filter, at this point.
7018 if (S.LookupQualifiedName(R, RT->getDecl()))
7019 for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) {
7020 NamedDecl *decl = (*I)->getUnderlyingDecl();
7021 if (MemberKind *FK = dyn_cast<MemberKind>(decl))
7022 Results.insert(FK);
7023 }
7024 return Results;
7025 }
7026
7027 /// Check if we could call '.c_str()' on an object.
7028 ///
7029 /// FIXME: This returns the wrong results in some cases (if cv-qualifiers don't
7030 /// allow the call, or if it would be ambiguous).
7031 bool Sema::hasCStrMethod(const Expr *E) {
7032 using MethodSet = llvm::SmallPtrSet<CXXMethodDecl *, 1>;
7033
7034 MethodSet Results =
7035 CXXRecordMembersNamed<CXXMethodDecl>("c_str", *this, E->getType());
7036 for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
7037 MI != ME; ++MI)
7038 if ((*MI)->getMinRequiredArguments() == 0)
7039 return true;
7040 return false;
7041 }
7042
7043 // Check if a (w)string was passed when a (w)char* was needed, and offer a
7044 // better diagnostic if so. AT is assumed to be valid.
7045 // Returns true when a c_str() conversion method is found.
7046 bool CheckPrintfHandler::checkForCStrMembers(
7047 const analyze_printf::ArgType &AT, const Expr *E) {
7048 using MethodSet = llvm::SmallPtrSet<CXXMethodDecl *, 1>;
7049
7050 MethodSet Results =
7051 CXXRecordMembersNamed<CXXMethodDecl>("c_str", S, E->getType());
7052
7053 for (MethodSet::iterator MI = Results.begin(), ME = Results.end();
7054 MI != ME; ++MI) {
7055 const CXXMethodDecl *Method = *MI;
7056 if (Method->getMinRequiredArguments() == 0 &&
7057 AT.matchesType(S.Context, Method->getReturnType())) {
7058 // FIXME: Suggest parens if the expression needs them.
7059 SourceLocation EndLoc = S.getLocForEndOfToken(E->getEndLoc());
7060 S.Diag(E->getBeginLoc(), diag::note_printf_c_str)
7061 << "c_str()" << FixItHint::CreateInsertion(EndLoc, ".c_str()");
7062 return true;
7063 }
7064 }
7065
7066 return false;
7067 }
7068
7069 bool CheckPrintfHandler::HandlePrintfSpecifier(
7070 const analyze_printf::PrintfSpecifier &FS, const char *startSpecifier,
7071 unsigned specifierLen, const TargetInfo &Target) {
7072 using namespace analyze_format_string;
7073 using namespace analyze_printf;
7074
7075 const PrintfConversionSpecifier &CS = FS.getConversionSpecifier();
7076
7077 if (FS.consumesDataArgument()) {
7078 if (atFirstArg) {
7079 atFirstArg = false;
7080 usesPositionalArgs = FS.usesPositionalArg();
7081 }
7082 else if (usesPositionalArgs != FS.usesPositionalArg()) {
7083 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
7084 startSpecifier, specifierLen);
7085 return false;
7086 }
7087 }
7088
7089 // First check if the field width, precision, and conversion specifier
7090 // have matching data arguments.
7091 if (!HandleAmount(FS.getFieldWidth(), /* field width */ 0,
7092 startSpecifier, specifierLen)) {
7093 return false;
7094 }
7095
7096 if (!HandleAmount(FS.getPrecision(), /* precision */ 1,
7097 startSpecifier, specifierLen)) {
7098 return false;
7099 }
7100
7101 if (!CS.consumesDataArgument()) {
7102 // FIXME: Technically specifying a precision or field width here
7103 // makes no sense. Worth issuing a warning at some point.
7104 return true;
7105 }
7106
7107 // Consume the argument.
7108 unsigned argIndex = FS.getArgIndex();
7109 if (argIndex < NumDataArgs) {
7110 // The check to see if the argIndex is valid will come later.
7111 // We set the bit here because we may exit early from this
7112 // function if we encounter some other error.
7113 CoveredArgs.set(argIndex);
7114 }
7115
7116 // FreeBSD kernel extensions.
7117 if (CS.getKind() == ConversionSpecifier::FreeBSDbArg ||
7118 CS.getKind() == ConversionSpecifier::FreeBSDDArg) {
7119 // We need at least two arguments.
7120 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex + 1))
7121 return false;
7122
7123 // Claim the second argument.
7124 CoveredArgs.set(argIndex + 1);
7125
7126 // Type check the first argument (int for %b, pointer for %D)
7127 const Expr *Ex = getDataArg(argIndex);
7128 const analyze_printf::ArgType &AT =
7129 (CS.getKind() == ConversionSpecifier::FreeBSDbArg) ?
7130 ArgType(S.Context.IntTy) : ArgType::CPointerTy;
7131 if (AT.isValid() && !AT.matchesType(S.Context, Ex->getType()))
7132 EmitFormatDiagnostic(
7133 S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
7134 << AT.getRepresentativeTypeName(S.Context) << Ex->getType()
7135 << false << Ex->getSourceRange(),
7136 Ex->getBeginLoc(), /*IsStringLocation*/ false,
7137 getSpecifierRange(startSpecifier, specifierLen));
7138
7139 // Type check the second argument (char * for both %b and %D)
7140 Ex = getDataArg(argIndex + 1);
7141 const analyze_printf::ArgType &AT2 = ArgType::CStrTy;
7142 if (AT2.isValid() && !AT2.matchesType(S.Context, Ex->getType()))
7143 EmitFormatDiagnostic(
7144 S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
7145 << AT2.getRepresentativeTypeName(S.Context) << Ex->getType()
7146 << false << Ex->getSourceRange(),
7147 Ex->getBeginLoc(), /*IsStringLocation*/ false,
7148 getSpecifierRange(startSpecifier, specifierLen));
7149
7150 return true;
7151 }
7152
7153 // Check for using an Objective-C specific conversion specifier
7154 // in a non-ObjC literal.
7155 if (!allowsObjCArg() && CS.isObjCArg()) {
7156 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7157 specifierLen);
7158 }
7159
7160 // %P can only be used with os_log.
7161 if (FSType != Sema::FST_OSLog && CS.getKind() == ConversionSpecifier::PArg) {
7162 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7163 specifierLen);
7164 }
7165
7166 // %n is not allowed with os_log.
7167 if (FSType == Sema::FST_OSLog && CS.getKind() == ConversionSpecifier::nArg) {
7168 EmitFormatDiagnostic(S.PDiag(diag::warn_os_log_format_narg),
7169 getLocationOfByte(CS.getStart()),
7170 /*IsStringLocation*/ false,
7171 getSpecifierRange(startSpecifier, specifierLen));
7172
7173 return true;
7174 }
7175
7176 // Only scalars are allowed for os_trace.
7177 if (FSType == Sema::FST_OSTrace &&
7178 (CS.getKind() == ConversionSpecifier::PArg ||
7179 CS.getKind() == ConversionSpecifier::sArg ||
7180 CS.getKind() == ConversionSpecifier::ObjCObjArg)) {
7181 return HandleInvalidPrintfConversionSpecifier(FS, startSpecifier,
7182 specifierLen);
7183 }
7184
7185 // Check for use of public/private annotation outside of os_log().
7186 if (FSType != Sema::FST_OSLog) {
7187 if (FS.isPublic().isSet()) {
7188 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_annotation)
7189 << "public",
7190 getLocationOfByte(FS.isPublic().getPosition()),
7191 /*IsStringLocation*/ false,
7192 getSpecifierRange(startSpecifier, specifierLen));
7193 }
7194 if (FS.isPrivate().isSet()) {
7195 EmitFormatDiagnostic(S.PDiag(diag::warn_format_invalid_annotation)
7196 << "private",
7197 getLocationOfByte(FS.isPrivate().getPosition()),
7198 /*IsStringLocation*/ false,
7199 getSpecifierRange(startSpecifier, specifierLen));
7200 }
7201 }
7202
7203 const llvm::Triple &Triple = Target.getTriple();
7204 if (CS.getKind() == ConversionSpecifier::nArg &&
7205 (Triple.isAndroid() || Triple.isOSFuchsia())) {
7206 EmitFormatDiagnostic(S.PDiag(diag::warn_printf_narg_not_supported),
7207 getLocationOfByte(CS.getStart()),
7208 /*IsStringLocation*/ false,
7209 getSpecifierRange(startSpecifier, specifierLen));
7210 }
7211
7212 // Check for invalid use of field width
7213 if (!FS.hasValidFieldWidth()) {
7214 HandleInvalidAmount(FS, FS.getFieldWidth(), /* field width */ 0,
7215 startSpecifier, specifierLen);
7216 }
7217
7218 // Check for invalid use of precision
7219 if (!FS.hasValidPrecision()) {
7220 HandleInvalidAmount(FS, FS.getPrecision(), /* precision */ 1,
7221 startSpecifier, specifierLen);
7222 }
7223
7224 // Precision is mandatory for %P specifier.
7225 if (CS.getKind() == ConversionSpecifier::PArg &&
7226 FS.getPrecision().getHowSpecified() == OptionalAmount::NotSpecified) {
7227 EmitFormatDiagnostic(S.PDiag(diag::warn_format_P_no_precision),
7228 getLocationOfByte(startSpecifier),
7229 /*IsStringLocation*/ false,
7230 getSpecifierRange(startSpecifier, specifierLen));
7231 }
7232
7233 // Check each flag does not conflict with any other component.
7234 if (!FS.hasValidThousandsGroupingPrefix())
7235 HandleFlag(FS, FS.hasThousandsGrouping(), startSpecifier, specifierLen);
7236 if (!FS.hasValidLeadingZeros())
7237 HandleFlag(FS, FS.hasLeadingZeros(), startSpecifier, specifierLen);
7238 if (!FS.hasValidPlusPrefix())
7239 HandleFlag(FS, FS.hasPlusPrefix(), startSpecifier, specifierLen);
7240 if (!FS.hasValidSpacePrefix())
7241 HandleFlag(FS, FS.hasSpacePrefix(), startSpecifier, specifierLen);
7242 if (!FS.hasValidAlternativeForm())
7243 HandleFlag(FS, FS.hasAlternativeForm(), startSpecifier, specifierLen);
7244 if (!FS.hasValidLeftJustified())
7245 HandleFlag(FS, FS.isLeftJustified(), startSpecifier, specifierLen);
7246
7247 // Check that flags are not ignored by another flag
7248 if (FS.hasSpacePrefix() && FS.hasPlusPrefix()) // ' ' ignored by '+'
7249 HandleIgnoredFlag(FS, FS.hasSpacePrefix(), FS.hasPlusPrefix(),
7250 startSpecifier, specifierLen);
7251 if (FS.hasLeadingZeros() && FS.isLeftJustified()) // '0' ignored by '-'
7252 HandleIgnoredFlag(FS, FS.hasLeadingZeros(), FS.isLeftJustified(),
7253 startSpecifier, specifierLen);
7254
7255 // Check the length modifier is valid with the given conversion specifier.
7256 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo(),
7257 S.getLangOpts()))
7258 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
7259 diag::warn_format_nonsensical_length);
7260 else if (!FS.hasStandardLengthModifier())
7261 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
7262 else if (!FS.hasStandardLengthConversionCombination())
7263 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
7264 diag::warn_format_non_standard_conversion_spec);
7265
7266 if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
7267 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
7268
7269 // The remaining checks depend on the data arguments.
7270 if (ArgPassingKind == Sema::FAPK_VAList)
7271 return true;
7272
7273 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
7274 return false;
7275
7276 const Expr *Arg = getDataArg(argIndex);
7277 if (!Arg)
7278 return true;
7279
7280 return checkFormatExpr(FS, startSpecifier, specifierLen, Arg);
7281 }
7282
7283 static bool requiresParensToAddCast(const Expr *E) {
7284 // FIXME: We should have a general way to reason about operator
7285 // precedence and whether parens are actually needed here.
7286 // Take care of a few common cases where they aren't.
7287 const Expr *Inside = E->IgnoreImpCasts();
7288 if (const PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(Inside))
7289 Inside = POE->getSyntacticForm()->IgnoreImpCasts();
7290
7291 switch (Inside->getStmtClass()) {
7292 case Stmt::ArraySubscriptExprClass:
7293 case Stmt::CallExprClass:
7294 case Stmt::CharacterLiteralClass:
7295 case Stmt::CXXBoolLiteralExprClass:
7296 case Stmt::DeclRefExprClass:
7297 case Stmt::FloatingLiteralClass:
7298 case Stmt::IntegerLiteralClass:
7299 case Stmt::MemberExprClass:
7300 case Stmt::ObjCArrayLiteralClass:
7301 case Stmt::ObjCBoolLiteralExprClass:
7302 case Stmt::ObjCBoxedExprClass:
7303 case Stmt::ObjCDictionaryLiteralClass:
7304 case Stmt::ObjCEncodeExprClass:
7305 case Stmt::ObjCIvarRefExprClass:
7306 case Stmt::ObjCMessageExprClass:
7307 case Stmt::ObjCPropertyRefExprClass:
7308 case Stmt::ObjCStringLiteralClass:
7309 case Stmt::ObjCSubscriptRefExprClass:
7310 case Stmt::ParenExprClass:
7311 case Stmt::StringLiteralClass:
7312 case Stmt::UnaryOperatorClass:
7313 return false;
7314 default:
7315 return true;
7316 }
7317 }
7318
7319 static std::pair<QualType, StringRef>
7320 shouldNotPrintDirectly(const ASTContext &Context,
7321 QualType IntendedTy,
7322 const Expr *E) {
7323 // Use a 'while' to peel off layers of typedefs.
7324 QualType TyTy = IntendedTy;
7325 while (const TypedefType *UserTy = TyTy->getAs<TypedefType>()) {
7326 StringRef Name = UserTy->getDecl()->getName();
7327 QualType CastTy = llvm::StringSwitch<QualType>(Name)
7328 .Case("CFIndex", Context.getNSIntegerType())
7329 .Case("NSInteger", Context.getNSIntegerType())
7330 .Case("NSUInteger", Context.getNSUIntegerType())
7331 .Case("SInt32", Context.IntTy)
7332 .Case("UInt32", Context.UnsignedIntTy)
7333 .Default(QualType());
7334
7335 if (!CastTy.isNull())
7336 return std::make_pair(CastTy, Name);
7337
7338 TyTy = UserTy->desugar();
7339 }
7340
7341 // Strip parens if necessary.
7342 if (const ParenExpr *PE = dyn_cast<ParenExpr>(E))
7343 return shouldNotPrintDirectly(Context,
7344 PE->getSubExpr()->getType(),
7345 PE->getSubExpr());
7346
7347 // If this is a conditional expression, then its result type is constructed
7348 // via usual arithmetic conversions and thus there might be no necessary
7349 // typedef sugar there. Recurse to operands to check for NSInteger &
7350 // Co. usage condition.
7351 if (const ConditionalOperator *CO = dyn_cast<ConditionalOperator>(E)) {
7352 QualType TrueTy, FalseTy;
7353 StringRef TrueName, FalseName;
7354
7355 std::tie(TrueTy, TrueName) =
7356 shouldNotPrintDirectly(Context,
7357 CO->getTrueExpr()->getType(),
7358 CO->getTrueExpr());
7359 std::tie(FalseTy, FalseName) =
7360 shouldNotPrintDirectly(Context,
7361 CO->getFalseExpr()->getType(),
7362 CO->getFalseExpr());
7363
7364 if (TrueTy == FalseTy)
7365 return std::make_pair(TrueTy, TrueName);
7366 else if (TrueTy.isNull())
7367 return std::make_pair(FalseTy, FalseName);
7368 else if (FalseTy.isNull())
7369 return std::make_pair(TrueTy, TrueName);
7370 }
7371
7372 return std::make_pair(QualType(), StringRef());
7373 }
7374
7375 /// Return true if \p ICE is an implicit argument promotion of an arithmetic
7376 /// type. Bit-field 'promotions' from a higher ranked type to a lower ranked
7377 /// type do not count.
7378 static bool
7379 isArithmeticArgumentPromotion(Sema &S, const ImplicitCastExpr *ICE) {
7380 QualType From = ICE->getSubExpr()->getType();
7381 QualType To = ICE->getType();
7382 // It's an integer promotion if the destination type is the promoted
7383 // source type.
7384 if (ICE->getCastKind() == CK_IntegralCast &&
7385 S.Context.isPromotableIntegerType(From) &&
7386 S.Context.getPromotedIntegerType(From) == To)
7387 return true;
7388 // Look through vector types, since we do default argument promotion for
7389 // those in OpenCL.
7390 if (const auto *VecTy = From->getAs<ExtVectorType>())
7391 From = VecTy->getElementType();
7392 if (const auto *VecTy = To->getAs<ExtVectorType>())
7393 To = VecTy->getElementType();
7394 // It's a floating promotion if the source type is a lower rank.
7395 return ICE->getCastKind() == CK_FloatingCast &&
7396 S.Context.getFloatingTypeOrder(From, To) < 0;
7397 }
7398
7399 static analyze_format_string::ArgType::MatchKind
7400 handleFormatSignedness(analyze_format_string::ArgType::MatchKind Match,
7401 DiagnosticsEngine &Diags, SourceLocation Loc) {
7402 if (Match == analyze_format_string::ArgType::NoMatchSignedness) {
7403 Match =
7404 Diags.isIgnored(
7405 diag::warn_format_conversion_argument_type_mismatch_signedness, Loc)
7406 ? analyze_format_string::ArgType::Match
7407 : analyze_format_string::ArgType::NoMatch;
7408 }
7409 return Match;
7410 }
7411
7412 bool
7413 CheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
7414 const char *StartSpecifier,
7415 unsigned SpecifierLen,
7416 const Expr *E) {
7417 using namespace analyze_format_string;
7418 using namespace analyze_printf;
7419
7420 // Now type check the data expression that matches the
7421 // format specifier.
7422 const analyze_printf::ArgType &AT = FS.getArgType(S.Context, isObjCContext());
7423 if (!AT.isValid())
7424 return true;
7425
7426 QualType ExprTy = E->getType();
7427 while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) {
7428 ExprTy = TET->getUnderlyingExpr()->getType();
7429 }
7430
7431 // When using the format attribute in C++, you can receive a function or an
7432 // array that will necessarily decay to a pointer when passed to the final
7433 // format consumer. Apply decay before type comparison.
7434 if (ExprTy->canDecayToPointerType())
7435 ExprTy = S.Context.getDecayedType(ExprTy);
7436
7437 // Diagnose attempts to print a boolean value as a character. Unlike other
7438 // -Wformat diagnostics, this is fine from a type perspective, but it still
7439 // doesn't make sense.
7440 if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::cArg &&
7441 E->isKnownToHaveBooleanValue()) {
7442 const CharSourceRange &CSR =
7443 getSpecifierRange(StartSpecifier, SpecifierLen);
7444 SmallString<4> FSString;
7445 llvm::raw_svector_ostream os(FSString);
7446 FS.toString(os);
7447 EmitFormatDiagnostic(S.PDiag(diag::warn_format_bool_as_character)
7448 << FSString,
7449 E->getExprLoc(), false, CSR);
7450 return true;
7451 }
7452
7453 // Diagnose attempts to use '%P' with ObjC object types, which will result in
7454 // dumping raw class data (like is-a pointer), not actual data.
7455 if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::PArg &&
7456 ExprTy->isObjCObjectPointerType()) {
7457 const CharSourceRange &CSR =
7458 getSpecifierRange(StartSpecifier, SpecifierLen);
7459 EmitFormatDiagnostic(S.PDiag(diag::warn_format_P_with_objc_pointer),
7460 E->getExprLoc(), false, CSR);
7461 return true;
7462 }
7463
7464 ArgType::MatchKind ImplicitMatch = ArgType::NoMatch;
7465 ArgType::MatchKind Match = AT.matchesType(S.Context, ExprTy);
7466 ArgType::MatchKind OrigMatch = Match;
7467
7468 Match = handleFormatSignedness(Match, S.getDiagnostics(), E->getExprLoc());
7469 if (Match == ArgType::Match)
7470 return true;
7471
7472 // NoMatchPromotionTypeConfusion should be only returned in ImplictCastExpr
7473 assert(Match != ArgType::NoMatchPromotionTypeConfusion);
7474
7475 // Look through argument promotions for our error message's reported type.
7476 // This includes the integral and floating promotions, but excludes array
7477 // and function pointer decay (seeing that an argument intended to be a
7478 // string has type 'char [6]' is probably more confusing than 'char *') and
7479 // certain bitfield promotions (bitfields can be 'demoted' to a lesser type).
7480 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
7481 if (isArithmeticArgumentPromotion(S, ICE)) {
7482 E = ICE->getSubExpr();
7483 ExprTy = E->getType();
7484
7485 // Check if we didn't match because of an implicit cast from a 'char'
7486 // or 'short' to an 'int'. This is done because printf is a varargs
7487 // function.
7488 if (ICE->getType() == S.Context.IntTy ||
7489 ICE->getType() == S.Context.UnsignedIntTy) {
7490 // All further checking is done on the subexpression
7491 ImplicitMatch = AT.matchesType(S.Context, ExprTy);
7492 if (OrigMatch == ArgType::NoMatchSignedness &&
7493 ImplicitMatch != ArgType::NoMatchSignedness)
7494 // If the original match was a signedness match this match on the
7495 // implicit cast type also need to be signedness match otherwise we
7496 // might introduce new unexpected warnings from -Wformat-signedness.
7497 return true;
7498 ImplicitMatch = handleFormatSignedness(
7499 ImplicitMatch, S.getDiagnostics(), E->getExprLoc());
7500 if (ImplicitMatch == ArgType::Match)
7501 return true;
7502 }
7503 }
7504 } else if (const CharacterLiteral *CL = dyn_cast<CharacterLiteral>(E)) {
7505 // Special case for 'a', which has type 'int' in C.
7506 // Note, however, that we do /not/ want to treat multibyte constants like
7507 // 'MooV' as characters! This form is deprecated but still exists. In
7508 // addition, don't treat expressions as of type 'char' if one byte length
7509 // modifier is provided.
7510 if (ExprTy == S.Context.IntTy &&
7511 FS.getLengthModifier().getKind() != LengthModifier::AsChar)
7512 if (llvm::isUIntN(S.Context.getCharWidth(), CL->getValue())) {
7513 ExprTy = S.Context.CharTy;
7514 // To improve check results, we consider a character literal in C
7515 // to be a 'char' rather than an 'int'. 'printf("%hd", 'a');' is
7516 // more likely a type confusion situation, so we will suggest to
7517 // use '%hhd' instead by discarding the MatchPromotion.
7518 if (Match == ArgType::MatchPromotion)
7519 Match = ArgType::NoMatch;
7520 }
7521 }
7522 if (Match == ArgType::MatchPromotion) {
7523 // WG14 N2562 only clarified promotions in *printf
7524 // For NSLog in ObjC, just preserve -Wformat behavior
7525 if (!S.getLangOpts().ObjC &&
7526 ImplicitMatch != ArgType::NoMatchPromotionTypeConfusion &&
7527 ImplicitMatch != ArgType::NoMatchTypeConfusion)
7528 return true;
7529 Match = ArgType::NoMatch;
7530 }
7531 if (ImplicitMatch == ArgType::NoMatchPedantic ||
7532 ImplicitMatch == ArgType::NoMatchTypeConfusion)
7533 Match = ImplicitMatch;
7534 assert(Match != ArgType::MatchPromotion);
7535
7536 // Look through unscoped enums to their underlying type.
7537 bool IsEnum = false;
7538 bool IsScopedEnum = false;
7539 QualType IntendedTy = ExprTy;
7540 if (auto EnumTy = ExprTy->getAs<EnumType>()) {
7541 IntendedTy = EnumTy->getDecl()->getIntegerType();
7542 if (EnumTy->isUnscopedEnumerationType()) {
7543 ExprTy = IntendedTy;
7544 // This controls whether we're talking about the underlying type or not,
7545 // which we only want to do when it's an unscoped enum.
7546 IsEnum = true;
7547 } else {
7548 IsScopedEnum = true;
7549 }
7550 }
7551
7552 // %C in an Objective-C context prints a unichar, not a wchar_t.
7553 // If the argument is an integer of some kind, believe the %C and suggest
7554 // a cast instead of changing the conversion specifier.
7555 if (isObjCContext() &&
7556 FS.getConversionSpecifier().getKind() == ConversionSpecifier::CArg) {
7557 if (ExprTy->isIntegralOrUnscopedEnumerationType() &&
7558 !ExprTy->isCharType()) {
7559 // 'unichar' is defined as a typedef of unsigned short, but we should
7560 // prefer using the typedef if it is visible.
7561 IntendedTy = S.Context.UnsignedShortTy;
7562
7563 // While we are here, check if the value is an IntegerLiteral that happens
7564 // to be within the valid range.
7565 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(E)) {
7566 const llvm::APInt &V = IL->getValue();
7567 if (V.getActiveBits() <= S.Context.getTypeSize(IntendedTy))
7568 return true;
7569 }
7570
7571 LookupResult Result(S, &S.Context.Idents.get("unichar"), E->getBeginLoc(),
7572 Sema::LookupOrdinaryName);
7573 if (S.LookupName(Result, S.getCurScope())) {
7574 NamedDecl *ND = Result.getFoundDecl();
7575 if (TypedefNameDecl *TD = dyn_cast<TypedefNameDecl>(ND))
7576 if (TD->getUnderlyingType() == IntendedTy)
7577 IntendedTy = S.Context.getTypedefType(TD);
7578 }
7579 }
7580 }
7581
7582 // Special-case some of Darwin's platform-independence types by suggesting
7583 // casts to primitive types that are known to be large enough.
7584 bool ShouldNotPrintDirectly = false; StringRef CastTyName;
7585 if (S.Context.getTargetInfo().getTriple().isOSDarwin()) {
7586 QualType CastTy;
7587 std::tie(CastTy, CastTyName) = shouldNotPrintDirectly(S.Context, IntendedTy, E);
7588 if (!CastTy.isNull()) {
7589 // %zi/%zu and %td/%tu are OK to use for NSInteger/NSUInteger of type int
7590 // (long in ASTContext). Only complain to pedants or when they're the
7591 // underlying type of a scoped enum (which always needs a cast).
7592 if (!IsScopedEnum &&
7593 (CastTyName == "NSInteger" || CastTyName == "NSUInteger") &&
7594 (AT.isSizeT() || AT.isPtrdiffT()) &&
7595 AT.matchesType(S.Context, CastTy))
7596 Match = ArgType::NoMatchPedantic;
7597 IntendedTy = CastTy;
7598 ShouldNotPrintDirectly = true;
7599 }
7600 }
7601
7602 // We may be able to offer a FixItHint if it is a supported type.
7603 PrintfSpecifier fixedFS = FS;
7604 bool Success =
7605 fixedFS.fixType(IntendedTy, S.getLangOpts(), S.Context, isObjCContext());
7606
7607 if (Success) {
7608 // Get the fix string from the fixed format specifier
7609 SmallString<16> buf;
7610 llvm::raw_svector_ostream os(buf);
7611 fixedFS.toString(os);
7612
7613 CharSourceRange SpecRange = getSpecifierRange(StartSpecifier, SpecifierLen);
7614
7615 if (IntendedTy == ExprTy && !ShouldNotPrintDirectly && !IsScopedEnum) {
7616 unsigned Diag;
7617 switch (Match) {
7618 case ArgType::Match:
7619 case ArgType::MatchPromotion:
7620 case ArgType::NoMatchPromotionTypeConfusion:
7621 case ArgType::NoMatchSignedness:
7622 llvm_unreachable("expected non-matching");
7623 case ArgType::NoMatchPedantic:
7624 Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
7625 break;
7626 case ArgType::NoMatchTypeConfusion:
7627 Diag = diag::warn_format_conversion_argument_type_mismatch_confusion;
7628 break;
7629 case ArgType::NoMatch:
7630 Diag = diag::warn_format_conversion_argument_type_mismatch;
7631 break;
7632 }
7633
7634 // In this case, the specifier is wrong and should be changed to match
7635 // the argument.
7636 EmitFormatDiagnostic(S.PDiag(Diag)
7637 << AT.getRepresentativeTypeName(S.Context)
7638 << IntendedTy << IsEnum << E->getSourceRange(),
7639 E->getBeginLoc(),
7640 /*IsStringLocation*/ false, SpecRange,
7641 FixItHint::CreateReplacement(SpecRange, os.str()));
7642 } else {
7643 // The canonical type for formatting this value is different from the
7644 // actual type of the expression. (This occurs, for example, with Darwin's
7645 // NSInteger on 32-bit platforms, where it is typedef'd as 'int', but
7646 // should be printed as 'long' for 64-bit compatibility.)
7647 // Rather than emitting a normal format/argument mismatch, we want to
7648 // add a cast to the recommended type (and correct the format string
7649 // if necessary). We should also do so for scoped enumerations.
7650 SmallString<16> CastBuf;
7651 llvm::raw_svector_ostream CastFix(CastBuf);
7652 CastFix << (S.LangOpts.CPlusPlus ? "static_cast<" : "(");
7653 IntendedTy.print(CastFix, S.Context.getPrintingPolicy());
7654 CastFix << (S.LangOpts.CPlusPlus ? ">" : ")");
7655
7656 SmallVector<FixItHint,4> Hints;
7657 ArgType::MatchKind IntendedMatch = AT.matchesType(S.Context, IntendedTy);
7658 IntendedMatch = handleFormatSignedness(IntendedMatch, S.getDiagnostics(),
7659 E->getExprLoc());
7660 if ((IntendedMatch != ArgType::Match) || ShouldNotPrintDirectly)
7661 Hints.push_back(FixItHint::CreateReplacement(SpecRange, os.str()));
7662
7663 if (const CStyleCastExpr *CCast = dyn_cast<CStyleCastExpr>(E)) {
7664 // If there's already a cast present, just replace it.
7665 SourceRange CastRange(CCast->getLParenLoc(), CCast->getRParenLoc());
7666 Hints.push_back(FixItHint::CreateReplacement(CastRange, CastFix.str()));
7667
7668 } else if (!requiresParensToAddCast(E) && !S.LangOpts.CPlusPlus) {
7669 // If the expression has high enough precedence,
7670 // just write the C-style cast.
7671 Hints.push_back(
7672 FixItHint::CreateInsertion(E->getBeginLoc(), CastFix.str()));
7673 } else {
7674 // Otherwise, add parens around the expression as well as the cast.
7675 CastFix << "(";
7676 Hints.push_back(
7677 FixItHint::CreateInsertion(E->getBeginLoc(), CastFix.str()));
7678
7679 // We don't use getLocForEndOfToken because it returns invalid source
7680 // locations for macro expansions (by design).
7681 SourceLocation EndLoc = S.SourceMgr.getSpellingLoc(E->getEndLoc());
7682 SourceLocation After = EndLoc.getLocWithOffset(
7683 Lexer::MeasureTokenLength(EndLoc, S.SourceMgr, S.LangOpts));
7684 Hints.push_back(FixItHint::CreateInsertion(After, ")"));
7685 }
7686
7687 if (ShouldNotPrintDirectly && !IsScopedEnum) {
7688 // The expression has a type that should not be printed directly.
7689 // We extract the name from the typedef because we don't want to show
7690 // the underlying type in the diagnostic.
7691 StringRef Name;
7692 if (const auto *TypedefTy = ExprTy->getAs<TypedefType>())
7693 Name = TypedefTy->getDecl()->getName();
7694 else
7695 Name = CastTyName;
7696 unsigned Diag = Match == ArgType::NoMatchPedantic
7697 ? diag::warn_format_argument_needs_cast_pedantic
7698 : diag::warn_format_argument_needs_cast;
7699 EmitFormatDiagnostic(S.PDiag(Diag) << Name << IntendedTy << IsEnum
7700 << E->getSourceRange(),
7701 E->getBeginLoc(), /*IsStringLocation=*/false,
7702 SpecRange, Hints);
7703 } else {
7704 // In this case, the expression could be printed using a different
7705 // specifier, but we've decided that the specifier is probably correct
7706 // and we should cast instead. Just use the normal warning message.
7707
7708 unsigned Diag =
7709 IsScopedEnum
7710 ? diag::warn_format_conversion_argument_type_mismatch_pedantic
7711 : diag::warn_format_conversion_argument_type_mismatch;
7712
7713 EmitFormatDiagnostic(
7714 S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
7715 << IsEnum << E->getSourceRange(),
7716 E->getBeginLoc(), /*IsStringLocation*/ false, SpecRange, Hints);
7717 }
7718 }
7719 } else {
7720 const CharSourceRange &CSR = getSpecifierRange(StartSpecifier,
7721 SpecifierLen);
7722 // Since the warning for passing non-POD types to variadic functions
7723 // was deferred until now, we emit a warning for non-POD
7724 // arguments here.
7725 bool EmitTypeMismatch = false;
7726 switch (S.isValidVarArgType(ExprTy)) {
7727 case Sema::VAK_Valid:
7728 case Sema::VAK_ValidInCXX11: {
7729 unsigned Diag;
7730 switch (Match) {
7731 case ArgType::Match:
7732 case ArgType::MatchPromotion:
7733 case ArgType::NoMatchPromotionTypeConfusion:
7734 case ArgType::NoMatchSignedness:
7735 llvm_unreachable("expected non-matching");
7736 case ArgType::NoMatchPedantic:
7737 Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
7738 break;
7739 case ArgType::NoMatchTypeConfusion:
7740 Diag = diag::warn_format_conversion_argument_type_mismatch_confusion;
7741 break;
7742 case ArgType::NoMatch:
7743 Diag = diag::warn_format_conversion_argument_type_mismatch;
7744 break;
7745 }
7746
7747 EmitFormatDiagnostic(
7748 S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
7749 << IsEnum << CSR << E->getSourceRange(),
7750 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
7751 break;
7752 }
7753 case Sema::VAK_Undefined:
7754 case Sema::VAK_MSVCUndefined:
7755 if (CallType == Sema::VariadicDoesNotApply) {
7756 EmitTypeMismatch = true;
7757 } else {
7758 EmitFormatDiagnostic(
7759 S.PDiag(diag::warn_non_pod_vararg_with_format_string)
7760 << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
7761 << AT.getRepresentativeTypeName(S.Context) << CSR
7762 << E->getSourceRange(),
7763 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
7764 checkForCStrMembers(AT, E);
7765 }
7766 break;
7767
7768 case Sema::VAK_Invalid:
7769 if (CallType == Sema::VariadicDoesNotApply)
7770 EmitTypeMismatch = true;
7771 else if (ExprTy->isObjCObjectType())
7772 EmitFormatDiagnostic(
7773 S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format)
7774 << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
7775 << AT.getRepresentativeTypeName(S.Context) << CSR
7776 << E->getSourceRange(),
7777 E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
7778 else
7779 // FIXME: If this is an initializer list, suggest removing the braces
7780 // or inserting a cast to the target type.
7781 S.Diag(E->getBeginLoc(), diag::err_cannot_pass_to_vararg_format)
7782 << isa<InitListExpr>(E) << ExprTy << CallType
7783 << AT.getRepresentativeTypeName(S.Context) << E->getSourceRange();
7784 break;
7785 }
7786
7787 if (EmitTypeMismatch) {
7788 // The function is not variadic, so we do not generate warnings about
7789 // being allowed to pass that object as a variadic argument. Instead,
7790 // since there are inherently no printf specifiers for types which cannot
7791 // be passed as variadic arguments, emit a plain old specifier mismatch
7792 // argument.
7793 EmitFormatDiagnostic(
7794 S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
7795 << AT.getRepresentativeTypeName(S.Context) << ExprTy << false
7796 << E->getSourceRange(),
7797 E->getBeginLoc(), false, CSR);
7798 }
7799
7800 assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() &&
7801 "format string specifier index out of range");
7802 CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true;
7803 }
7804
7805 return true;
7806 }
7807
7808 //===--- CHECK: Scanf format string checking ------------------------------===//
7809
7810 namespace {
7811
7812 class CheckScanfHandler : public CheckFormatHandler {
7813 public:
7814 CheckScanfHandler(Sema &s, const FormatStringLiteral *fexpr,
7815 const Expr *origFormatExpr, Sema::FormatStringType type,
7816 unsigned firstDataArg, unsigned numDataArgs,
7817 const char *beg, Sema::FormatArgumentPassingKind APK,
7818 ArrayRef<const Expr *> Args, unsigned formatIdx,
7819 bool inFunctionCall, Sema::VariadicCallType CallType,
7820 llvm::SmallBitVector &CheckedVarArgs,
7821 UncoveredArgHandler &UncoveredArg)
7822 : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
7823 numDataArgs, beg, APK, Args, formatIdx,
7824 inFunctionCall, CallType, CheckedVarArgs,
7825 UncoveredArg) {}
7826
7827 bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
7828 const char *startSpecifier,
7829 unsigned specifierLen) override;
7830
7831 bool HandleInvalidScanfConversionSpecifier(
7832 const analyze_scanf::ScanfSpecifier &FS,
7833 const char *startSpecifier,
7834 unsigned specifierLen) override;
7835
7836 void HandleIncompleteScanList(const char *start, const char *end) override;
7837 };
7838
7839 } // namespace
7840
7841 void CheckScanfHandler::HandleIncompleteScanList(const char *start,
7842 const char *end) {
7843 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_scanlist_incomplete),
7844 getLocationOfByte(end), /*IsStringLocation*/true,
7845 getSpecifierRange(start, end - start));
7846 }
7847
7848 bool CheckScanfHandler::HandleInvalidScanfConversionSpecifier(
7849 const analyze_scanf::ScanfSpecifier &FS,
7850 const char *startSpecifier,
7851 unsigned specifierLen) {
7852 const analyze_scanf::ScanfConversionSpecifier &CS =
7853 FS.getConversionSpecifier();
7854
7855 return HandleInvalidConversionSpecifier(FS.getArgIndex(),
7856 getLocationOfByte(CS.getStart()),
7857 startSpecifier, specifierLen,
7858 CS.getStart(), CS.getLength());
7859 }
7860
7861 bool CheckScanfHandler::HandleScanfSpecifier(
7862 const analyze_scanf::ScanfSpecifier &FS,
7863 const char *startSpecifier,
7864 unsigned specifierLen) {
7865 using namespace analyze_scanf;
7866 using namespace analyze_format_string;
7867
7868 const ScanfConversionSpecifier &CS = FS.getConversionSpecifier();
7869
7870 // Handle case where '%' and '*' don't consume an argument. These shouldn't
7871 // be used to decide if we are using positional arguments consistently.
7872 if (FS.consumesDataArgument()) {
7873 if (atFirstArg) {
7874 atFirstArg = false;
7875 usesPositionalArgs = FS.usesPositionalArg();
7876 }
7877 else if (usesPositionalArgs != FS.usesPositionalArg()) {
7878 HandlePositionalNonpositionalArgs(getLocationOfByte(CS.getStart()),
7879 startSpecifier, specifierLen);
7880 return false;
7881 }
7882 }
7883
7884 // Check if the field with is non-zero.
7885 const OptionalAmount &Amt = FS.getFieldWidth();
7886 if (Amt.getHowSpecified() == OptionalAmount::Constant) {
7887 if (Amt.getConstantAmount() == 0) {
7888 const CharSourceRange &R = getSpecifierRange(Amt.getStart(),
7889 Amt.getConstantLength());
7890 EmitFormatDiagnostic(S.PDiag(diag::warn_scanf_nonzero_width),
7891 getLocationOfByte(Amt.getStart()),
7892 /*IsStringLocation*/true, R,
7893 FixItHint::CreateRemoval(R));
7894 }
7895 }
7896
7897 if (!FS.consumesDataArgument()) {
7898 // FIXME: Technically specifying a precision or field width here
7899 // makes no sense. Worth issuing a warning at some point.
7900 return true;
7901 }
7902
7903 // Consume the argument.
7904 unsigned argIndex = FS.getArgIndex();
7905 if (argIndex < NumDataArgs) {
7906 // The check to see if the argIndex is valid will come later.
7907 // We set the bit here because we may exit early from this
7908 // function if we encounter some other error.
7909 CoveredArgs.set(argIndex);
7910 }
7911
7912 // Check the length modifier is valid with the given conversion specifier.
7913 if (!FS.hasValidLengthModifier(S.getASTContext().getTargetInfo(),
7914 S.getLangOpts()))
7915 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
7916 diag::warn_format_nonsensical_length);
7917 else if (!FS.hasStandardLengthModifier())
7918 HandleNonStandardLengthModifier(FS, startSpecifier, specifierLen);
7919 else if (!FS.hasStandardLengthConversionCombination())
7920 HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
7921 diag::warn_format_non_standard_conversion_spec);
7922
7923 if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
7924 HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
7925
7926 // The remaining checks depend on the data arguments.
7927 if (ArgPassingKind == Sema::FAPK_VAList)
7928 return true;
7929
7930 if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
7931 return false;
7932
7933 // Check that the argument type matches the format specifier.
7934 const Expr *Ex = getDataArg(argIndex);
7935 if (!Ex)
7936 return true;
7937
7938 const analyze_format_string::ArgType &AT = FS.getArgType(S.Context);
7939
7940 if (!AT.isValid()) {
7941 return true;
7942 }
7943
7944 analyze_format_string::ArgType::MatchKind Match =
7945 AT.matchesType(S.Context, Ex->getType());
7946 Match = handleFormatSignedness(Match, S.getDiagnostics(), Ex->getExprLoc());
7947 bool Pedantic = Match == analyze_format_string::ArgType::NoMatchPedantic;
7948 if (Match == analyze_format_string::ArgType::Match)
7949 return true;
7950
7951 ScanfSpecifier fixedFS = FS;
7952 bool Success = fixedFS.fixType(Ex->getType(), Ex->IgnoreImpCasts()->getType(),
7953 S.getLangOpts(), S.Context);
7954
7955 unsigned Diag =
7956 Pedantic ? diag::warn_format_conversion_argument_type_mismatch_pedantic
7957 : diag::warn_format_conversion_argument_type_mismatch;
7958
7959 if (Success) {
7960 // Get the fix string from the fixed format specifier.
7961 SmallString<128> buf;
7962 llvm::raw_svector_ostream os(buf);
7963 fixedFS.toString(os);
7964
7965 EmitFormatDiagnostic(
7966 S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context)
7967 << Ex->getType() << false << Ex->getSourceRange(),
7968 Ex->getBeginLoc(),
7969 /*IsStringLocation*/ false,
7970 getSpecifierRange(startSpecifier, specifierLen),
7971 FixItHint::CreateReplacement(
7972 getSpecifierRange(startSpecifier, specifierLen), os.str()));
7973 } else {
7974 EmitFormatDiagnostic(S.PDiag(Diag)
7975 << AT.getRepresentativeTypeName(S.Context)
7976 << Ex->getType() << false << Ex->getSourceRange(),
7977 Ex->getBeginLoc(),
7978 /*IsStringLocation*/ false,
7979 getSpecifierRange(startSpecifier, specifierLen));
7980 }
7981
7982 return true;
7983 }
7984
7985 static void CheckFormatString(
7986 Sema &S, const FormatStringLiteral *FExpr, const Expr *OrigFormatExpr,
7987 ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
7988 unsigned format_idx, unsigned firstDataArg, Sema::FormatStringType Type,
7989 bool inFunctionCall, Sema::VariadicCallType CallType,
7990 llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
7991 bool IgnoreStringsWithoutSpecifiers) {
7992 // CHECK: is the format string a wide literal?
7993 if (!FExpr->isAscii() && !FExpr->isUTF8()) {
7994 CheckFormatHandler::EmitFormatDiagnostic(
7995 S, inFunctionCall, Args[format_idx],
7996 S.PDiag(diag::warn_format_string_is_wide_literal), FExpr->getBeginLoc(),
7997 /*IsStringLocation*/ true, OrigFormatExpr->getSourceRange());
7998 return;
7999 }
8000
8001 // Str - The format string. NOTE: this is NOT null-terminated!
8002 StringRef StrRef = FExpr->getString();
8003 const char *Str = StrRef.data();
8004 // Account for cases where the string literal is truncated in a declaration.
8005 const ConstantArrayType *T =
8006 S.Context.getAsConstantArrayType(FExpr->getType());
8007 assert(T && "String literal not of constant array type!");
8008 size_t TypeSize = T->getZExtSize();
8009 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size());
8010 const unsigned numDataArgs = Args.size() - firstDataArg;
8011
8012 if (IgnoreStringsWithoutSpecifiers &&
8013 !analyze_format_string::parseFormatStringHasFormattingSpecifiers(
8014 Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo()))
8015 return;
8016
8017 // Emit a warning if the string literal is truncated and does not contain an
8018 // embedded null character.
8019 if (TypeSize <= StrRef.size() && !StrRef.substr(0, TypeSize).contains('\0')) {
8020 CheckFormatHandler::EmitFormatDiagnostic(
8021 S, inFunctionCall, Args[format_idx],
8022 S.PDiag(diag::warn_printf_format_string_not_null_terminated),
8023 FExpr->getBeginLoc(),
8024 /*IsStringLocation=*/true, OrigFormatExpr->getSourceRange());
8025 return;
8026 }
8027
8028 // CHECK: empty format string?
8029 if (StrLen == 0 && numDataArgs > 0) {
8030 CheckFormatHandler::EmitFormatDiagnostic(
8031 S, inFunctionCall, Args[format_idx],
8032 S.PDiag(diag::warn_empty_format_string), FExpr->getBeginLoc(),
8033 /*IsStringLocation*/ true, OrigFormatExpr->getSourceRange());
8034 return;
8035 }
8036
8037 if (Type == Sema::FST_Printf || Type == Sema::FST_NSString ||
8038 Type == Sema::FST_FreeBSDKPrintf || Type == Sema::FST_OSLog ||
8039 Type == Sema::FST_OSTrace || Type == Sema::FST_Syslog) {
8040 CheckPrintfHandler H(
8041 S, FExpr, OrigFormatExpr, Type, firstDataArg, numDataArgs,
8042 (Type == Sema::FST_NSString || Type == Sema::FST_OSTrace), Str, APK,
8043 Args, format_idx, inFunctionCall, CallType, CheckedVarArgs,
8044 UncoveredArg);
8045
8046 if (!analyze_format_string::ParsePrintfString(
8047 H, Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo(),
8048 Type == Sema::FST_FreeBSDKPrintf))
8049 H.DoneProcessing();
8050 } else if (Type == Sema::FST_Scanf) {
8051 CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
8052 numDataArgs, Str, APK, Args, format_idx, inFunctionCall,
8053 CallType, CheckedVarArgs, UncoveredArg);
8054
8055 if (!analyze_format_string::ParseScanfString(
8056 H, Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo()))
8057 H.DoneProcessing();
8058 } // TODO: handle other formats
8059 }
8060
8061 bool Sema::FormatStringHasSArg(const StringLiteral *FExpr) {
8062 // Str - The format string. NOTE: this is NOT null-terminated!
8063 StringRef StrRef = FExpr->getString();
8064 const char *Str = StrRef.data();
8065 // Account for cases where the string literal is truncated in a declaration.
8066 const ConstantArrayType *T = Context.getAsConstantArrayType(FExpr->getType());
8067 assert(T && "String literal not of constant array type!");
8068 size_t TypeSize = T->getZExtSize();
8069 size_t StrLen = std::min(std::max(TypeSize, size_t(1)) - 1, StrRef.size());
8070 return analyze_format_string::ParseFormatStringHasSArg(Str, Str + StrLen,
8071 getLangOpts(),
8072 Context.getTargetInfo());
8073 }
8074
8075 //===--- CHECK: Warn on use of wrong absolute value function. -------------===//
8076
8077 // Returns the related absolute value function that is larger, of 0 if one
8078 // does not exist.
8079 static unsigned getLargerAbsoluteValueFunction(unsigned AbsFunction) {
8080 switch (AbsFunction) {
8081 default:
8082 return 0;
8083
8084 case Builtin::BI__builtin_abs:
8085 return Builtin::BI__builtin_labs;
8086 case Builtin::BI__builtin_labs:
8087 return Builtin::BI__builtin_llabs;
8088 case Builtin::BI__builtin_llabs:
8089 return 0;
8090
8091 case Builtin::BI__builtin_fabsf:
8092 return Builtin::BI__builtin_fabs;
8093 case Builtin::BI__builtin_fabs:
8094 return Builtin::BI__builtin_fabsl;
8095 case Builtin::BI__builtin_fabsl:
8096 return 0;
8097
8098 case Builtin::BI__builtin_cabsf:
8099 return Builtin::BI__builtin_cabs;
8100 case Builtin::BI__builtin_cabs:
8101 return Builtin::BI__builtin_cabsl;
8102 case Builtin::BI__builtin_cabsl:
8103 return 0;
8104
8105 case Builtin::BIabs:
8106 return Builtin::BIlabs;
8107 case Builtin::BIlabs:
8108 return Builtin::BIllabs;
8109 case Builtin::BIllabs:
8110 return 0;
8111
8112 case Builtin::BIfabsf:
8113 return Builtin::BIfabs;
8114 case Builtin::BIfabs:
8115 return Builtin::BIfabsl;
8116 case Builtin::BIfabsl:
8117 return 0;
8118
8119 case Builtin::BIcabsf:
8120 return Builtin::BIcabs;
8121 case Builtin::BIcabs:
8122 return Builtin::BIcabsl;
8123 case Builtin::BIcabsl:
8124 return 0;
8125 }
8126 }
8127
8128 // Returns the argument type of the absolute value function.
8129 static QualType getAbsoluteValueArgumentType(ASTContext &Context,
8130 unsigned AbsType) {
8131 if (AbsType == 0)
8132 return QualType();
8133
8134 ASTContext::GetBuiltinTypeError Error = ASTContext::GE_None;
8135 QualType BuiltinType = Context.GetBuiltinType(AbsType, Error);
8136 if (Error != ASTContext::GE_None)
8137 return QualType();
8138
8139 const FunctionProtoType *FT = BuiltinType->getAs<FunctionProtoType>();
8140 if (!FT)
8141 return QualType();
8142
8143 if (FT->getNumParams() != 1)
8144 return QualType();
8145
8146 return FT->getParamType(0);
8147 }
8148
8149 // Returns the best absolute value function, or zero, based on type and
8150 // current absolute value function.
8151 static unsigned getBestAbsFunction(ASTContext &Context, QualType ArgType,
8152 unsigned AbsFunctionKind) {
8153 unsigned BestKind = 0;
8154 uint64_t ArgSize = Context.getTypeSize(ArgType);
8155 for (unsigned Kind = AbsFunctionKind; Kind != 0;
8156 Kind = getLargerAbsoluteValueFunction(Kind)) {
8157 QualType ParamType = getAbsoluteValueArgumentType(Context, Kind);
8158 if (Context.getTypeSize(ParamType) >= ArgSize) {
8159 if (BestKind == 0)
8160 BestKind = Kind;
8161 else if (Context.hasSameType(ParamType, ArgType)) {
8162 BestKind = Kind;
8163 break;
8164 }
8165 }
8166 }
8167 return BestKind;
8168 }
8169
8170 enum AbsoluteValueKind {
8171 AVK_Integer,
8172 AVK_Floating,
8173 AVK_Complex
8174 };
8175
8176 static AbsoluteValueKind getAbsoluteValueKind(QualType T) {
8177 if (T->isIntegralOrEnumerationType())
8178 return AVK_Integer;
8179 if (T->isRealFloatingType())
8180 return AVK_Floating;
8181 if (T->isAnyComplexType())
8182 return AVK_Complex;
8183
8184 llvm_unreachable("Type not integer, floating, or complex");
8185 }
8186
8187 // Changes the absolute value function to a different type. Preserves whether
8188 // the function is a builtin.
8189 static unsigned changeAbsFunction(unsigned AbsKind,
8190 AbsoluteValueKind ValueKind) {
8191 switch (ValueKind) {
8192 case AVK_Integer:
8193 switch (AbsKind) {
8194 default:
8195 return 0;
8196 case Builtin::BI__builtin_fabsf:
8197 case Builtin::BI__builtin_fabs:
8198 case Builtin::BI__builtin_fabsl:
8199 case Builtin::BI__builtin_cabsf:
8200 case Builtin::BI__builtin_cabs:
8201 case Builtin::BI__builtin_cabsl:
8202 return Builtin::BI__builtin_abs;
8203 case Builtin::BIfabsf:
8204 case Builtin::BIfabs:
8205 case Builtin::BIfabsl:
8206 case Builtin::BIcabsf:
8207 case Builtin::BIcabs:
8208 case Builtin::BIcabsl:
8209 return Builtin::BIabs;
8210 }
8211 case AVK_Floating:
8212 switch (AbsKind) {
8213 default:
8214 return 0;
8215 case Builtin::BI__builtin_abs:
8216 case Builtin::BI__builtin_labs:
8217 case Builtin::BI__builtin_llabs:
8218 case Builtin::BI__builtin_cabsf:
8219 case Builtin::BI__builtin_cabs:
8220 case Builtin::BI__builtin_cabsl:
8221 return Builtin::BI__builtin_fabsf;
8222 case Builtin::BIabs:
8223 case Builtin::BIlabs:
8224 case Builtin::BIllabs:
8225 case Builtin::BIcabsf:
8226 case Builtin::BIcabs:
8227 case Builtin::BIcabsl:
8228 return Builtin::BIfabsf;
8229 }
8230 case AVK_Complex:
8231 switch (AbsKind) {
8232 default:
8233 return 0;
8234 case Builtin::BI__builtin_abs:
8235 case Builtin::BI__builtin_labs:
8236 case Builtin::BI__builtin_llabs:
8237 case Builtin::BI__builtin_fabsf:
8238 case Builtin::BI__builtin_fabs:
8239 case Builtin::BI__builtin_fabsl:
8240 return Builtin::BI__builtin_cabsf;
8241 case Builtin::BIabs:
8242 case Builtin::BIlabs:
8243 case Builtin::BIllabs:
8244 case Builtin::BIfabsf:
8245 case Builtin::BIfabs:
8246 case Builtin::BIfabsl:
8247 return Builtin::BIcabsf;
8248 }
8249 }
8250 llvm_unreachable("Unable to convert function");
8251 }
8252
8253 static unsigned getAbsoluteValueFunctionKind(const FunctionDecl *FDecl) {
8254 const IdentifierInfo *FnInfo = FDecl->getIdentifier();
8255 if (!FnInfo)
8256 return 0;
8257
8258 switch (FDecl->getBuiltinID()) {
8259 default:
8260 return 0;
8261 case Builtin::BI__builtin_abs:
8262 case Builtin::BI__builtin_fabs:
8263 case Builtin::BI__builtin_fabsf:
8264 case Builtin::BI__builtin_fabsl:
8265 case Builtin::BI__builtin_labs:
8266 case Builtin::BI__builtin_llabs:
8267 case Builtin::BI__builtin_cabs:
8268 case Builtin::BI__builtin_cabsf:
8269 case Builtin::BI__builtin_cabsl:
8270 case Builtin::BIabs:
8271 case Builtin::BIlabs:
8272 case Builtin::BIllabs:
8273 case Builtin::BIfabs:
8274 case Builtin::BIfabsf:
8275 case Builtin::BIfabsl:
8276 case Builtin::BIcabs:
8277 case Builtin::BIcabsf:
8278 case Builtin::BIcabsl:
8279 return FDecl->getBuiltinID();
8280 }
8281 llvm_unreachable("Unknown Builtin type");
8282 }
8283
8284 // If the replacement is valid, emit a note with replacement function.
8285 // Additionally, suggest including the proper header if not already included.
8286 static void emitReplacement(Sema &S, SourceLocation Loc, SourceRange Range,
8287 unsigned AbsKind, QualType ArgType) {
8288 bool EmitHeaderHint = true;
8289 const char *HeaderName = nullptr;
8290 StringRef FunctionName;
8291 if (S.getLangOpts().CPlusPlus && !ArgType->isAnyComplexType()) {
8292 FunctionName = "std::abs";
8293 if (ArgType->isIntegralOrEnumerationType()) {
8294 HeaderName = "cstdlib";
8295 } else if (ArgType->isRealFloatingType()) {
8296 HeaderName = "cmath";
8297 } else {
8298 llvm_unreachable("Invalid Type");
8299 }
8300
8301 // Lookup all std::abs
8302 if (NamespaceDecl *Std = S.getStdNamespace()) {
8303 LookupResult R(S, &S.Context.Idents.get("abs"), Loc, Sema::LookupAnyName);
8304 R.suppressDiagnostics();
8305 S.LookupQualifiedName(R, Std);
8306
8307 for (const auto *I : R) {
8308 const FunctionDecl *FDecl = nullptr;
8309 if (const UsingShadowDecl *UsingD = dyn_cast<UsingShadowDecl>(I)) {
8310 FDecl = dyn_cast<FunctionDecl>(UsingD->getTargetDecl());
8311 } else {
8312 FDecl = dyn_cast<FunctionDecl>(I);
8313 }
8314 if (!FDecl)
8315 continue;
8316
8317 // Found std::abs(), check that they are the right ones.
8318 if (FDecl->getNumParams() != 1)
8319 continue;
8320
8321 // Check that the parameter type can handle the argument.
8322 QualType ParamType = FDecl->getParamDecl(0)->getType();
8323 if (getAbsoluteValueKind(ArgType) == getAbsoluteValueKind(ParamType) &&
8324 S.Context.getTypeSize(ArgType) <=
8325 S.Context.getTypeSize(ParamType)) {
8326 // Found a function, don't need the header hint.
8327 EmitHeaderHint = false;
8328 break;
8329 }
8330 }
8331 }
8332 } else {
8333 FunctionName = S.Context.BuiltinInfo.getName(AbsKind);
8334 HeaderName = S.Context.BuiltinInfo.getHeaderName(AbsKind);
8335
8336 if (HeaderName) {
8337 DeclarationName DN(&S.Context.Idents.get(FunctionName));
8338 LookupResult R(S, DN, Loc, Sema::LookupAnyName);
8339 R.suppressDiagnostics();
8340 S.LookupName(R, S.getCurScope());
8341
8342 if (R.isSingleResult()) {
8343 FunctionDecl *FD = dyn_cast<FunctionDecl>(R.getFoundDecl());
8344 if (FD && FD->getBuiltinID() == AbsKind) {
8345 EmitHeaderHint = false;
8346 } else {
8347 return;
8348 }
8349 } else if (!R.empty()) {
8350 return;
8351 }
8352 }
8353 }
8354
8355 S.Diag(Loc, diag::note_replace_abs_function)
8356 << FunctionName << FixItHint::CreateReplacement(Range, FunctionName);
8357
8358 if (!HeaderName)
8359 return;
8360
8361 if (!EmitHeaderHint)
8362 return;
8363
8364 S.Diag(Loc, diag::note_include_header_or_declare) << HeaderName
8365 << FunctionName;
8366 }
8367
8368 template <std::size_t StrLen>
8369 static bool IsStdFunction(const FunctionDecl *FDecl,
8370 const char (&Str)[StrLen]) {
8371 if (!FDecl)
8372 return false;
8373 if (!FDecl->getIdentifier() || !FDecl->getIdentifier()->isStr(Str))
8374 return false;
8375 if (!FDecl->isInStdNamespace())
8376 return false;
8377
8378 return true;
8379 }
8380
8381 enum class MathCheck { NaN, Inf };
8382 static bool IsInfOrNanFunction(StringRef calleeName, MathCheck Check) {
8383 auto MatchesAny = [&](std::initializer_list<llvm::StringRef> names) {
8384 return std::any_of(names.begin(), names.end(), [&](llvm::StringRef name) {
8385 return calleeName == name;
8386 });
8387 };
8388
8389 switch (Check) {
8390 case MathCheck::NaN:
8391 return MatchesAny({"__builtin_nan", "__builtin_nanf", "__builtin_nanl",
8392 "__builtin_nanf16", "__builtin_nanf128"});
8393 case MathCheck::Inf:
8394 return MatchesAny({"__builtin_inf", "__builtin_inff", "__builtin_infl",
8395 "__builtin_inff16", "__builtin_inff128"});
8396 }
8397 llvm_unreachable("unknown MathCheck");
8398 }
8399
8400 void Sema::CheckInfNaNFunction(const CallExpr *Call,
8401 const FunctionDecl *FDecl) {
8402 FPOptions FPO = Call->getFPFeaturesInEffect(getLangOpts());
8403 bool HasIdentifier = FDecl->getIdentifier() != nullptr;
8404 bool IsNaNOrIsUnordered =
8405 IsStdFunction(FDecl, "isnan") || IsStdFunction(FDecl, "isunordered");
8406 bool IsSpecialNaN =
8407 HasIdentifier && IsInfOrNanFunction(FDecl->getName(), MathCheck::NaN);
8408 if ((IsNaNOrIsUnordered || IsSpecialNaN) && FPO.getNoHonorNaNs()) {
8409 Diag(Call->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
8410 << 1 << 0 << Call->getSourceRange();
8411 } else {
8412 bool IsInfOrIsFinite =
8413 IsStdFunction(FDecl, "isinf") || IsStdFunction(FDecl, "isfinite");
8414 bool IsInfinityOrIsSpecialInf =
8415 HasIdentifier && ((FDecl->getName() == "infinity") ||
8416 IsInfOrNanFunction(FDecl->getName(), MathCheck::Inf));
8417 if ((IsInfOrIsFinite || IsInfinityOrIsSpecialInf) && FPO.getNoHonorInfs())
8418 Diag(Call->getBeginLoc(), diag::warn_fp_nan_inf_when_disabled)
8419 << 0 << 0 << Call->getSourceRange();
8420 }
8421 }
8422
8423 void Sema::CheckAbsoluteValueFunction(const CallExpr *Call,
8424 const FunctionDecl *FDecl) {
8425 if (Call->getNumArgs() != 1)
8426 return;
8427
8428 unsigned AbsKind = getAbsoluteValueFunctionKind(FDecl);
8429 bool IsStdAbs = IsStdFunction(FDecl, "abs");
8430 if (AbsKind == 0 && !IsStdAbs)
8431 return;
8432
8433 QualType ArgType = Call->getArg(0)->IgnoreParenImpCasts()->getType();
8434 QualType ParamType = Call->getArg(0)->getType();
8435
8436 // Unsigned types cannot be negative. Suggest removing the absolute value
8437 // function call.
8438 if (ArgType->isUnsignedIntegerType()) {
8439 StringRef FunctionName =
8440 IsStdAbs ? "std::abs" : Context.BuiltinInfo.getName(AbsKind);
8441 Diag(Call->getExprLoc(), diag::warn_unsigned_abs) << ArgType << ParamType;
8442 Diag(Call->getExprLoc(), diag::note_remove_abs)
8443 << FunctionName
8444 << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange());
8445 return;
8446 }
8447
8448 // Taking the absolute value of a pointer is very suspicious, they probably
8449 // wanted to index into an array, dereference a pointer, call a function, etc.
8450 if (ArgType->isPointerType() || ArgType->canDecayToPointerType()) {
8451 unsigned DiagType = 0;
8452 if (ArgType->isFunctionType())
8453 DiagType = 1;
8454 else if (ArgType->isArrayType())
8455 DiagType = 2;
8456
8457 Diag(Call->getExprLoc(), diag::warn_pointer_abs) << DiagType << ArgType;
8458 return;
8459 }
8460
8461 // std::abs has overloads which prevent most of the absolute value problems
8462 // from occurring.
8463 if (IsStdAbs)
8464 return;
8465
8466 AbsoluteValueKind ArgValueKind = getAbsoluteValueKind(ArgType);
8467 AbsoluteValueKind ParamValueKind = getAbsoluteValueKind(ParamType);
8468
8469 // The argument and parameter are the same kind. Check if they are the right
8470 // size.
8471 if (ArgValueKind == ParamValueKind) {
8472 if (Context.getTypeSize(ArgType) <= Context.getTypeSize(ParamType))
8473 return;
8474
8475 unsigned NewAbsKind = getBestAbsFunction(Context, ArgType, AbsKind);
8476 Diag(Call->getExprLoc(), diag::warn_abs_too_small)
8477 << FDecl << ArgType << ParamType;
8478
8479 if (NewAbsKind == 0)
8480 return;
8481
8482 emitReplacement(*this, Call->getExprLoc(),
8483 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
8484 return;
8485 }
8486
8487 // ArgValueKind != ParamValueKind
8488 // The wrong type of absolute value function was used. Attempt to find the
8489 // proper one.
8490 unsigned NewAbsKind = changeAbsFunction(AbsKind, ArgValueKind);
8491 NewAbsKind = getBestAbsFunction(Context, ArgType, NewAbsKind);
8492 if (NewAbsKind == 0)
8493 return;
8494
8495 Diag(Call->getExprLoc(), diag::warn_wrong_absolute_value_type)
8496 << FDecl << ParamValueKind << ArgValueKind;
8497
8498 emitReplacement(*this, Call->getExprLoc(),
8499 Call->getCallee()->getSourceRange(), NewAbsKind, ArgType);
8500 }
8501
8502 //===--- CHECK: Warn on use of std::max and unsigned zero. r---------------===//
8503 void Sema::CheckMaxUnsignedZero(const CallExpr *Call,
8504 const FunctionDecl *FDecl) {
8505 if (!Call || !FDecl) return;
8506
8507 // Ignore template specializations and macros.
8508 if (inTemplateInstantiation()) return;
8509 if (Call->getExprLoc().isMacroID()) return;
8510
8511 // Only care about the one template argument, two function parameter std::max
8512 if (Call->getNumArgs() != 2) return;
8513 if (!IsStdFunction(FDecl, "max")) return;
8514 const auto * ArgList = FDecl->getTemplateSpecializationArgs();
8515 if (!ArgList) return;
8516 if (ArgList->size() != 1) return;
8517
8518 // Check that template type argument is unsigned integer.
8519 const auto& TA = ArgList->get(0);
8520 if (TA.getKind() != TemplateArgument::Type) return;
8521 QualType ArgType = TA.getAsType();
8522 if (!ArgType->isUnsignedIntegerType()) return;
8523
8524 // See if either argument is a literal zero.
8525 auto IsLiteralZeroArg = [](const Expr* E) -> bool {
8526 const auto *MTE = dyn_cast<MaterializeTemporaryExpr>(E);
8527 if (!MTE) return false;
8528 const auto *Num = dyn_cast<IntegerLiteral>(MTE->getSubExpr());
8529 if (!Num) return false;
8530 if (Num->getValue() != 0) return false;
8531 return true;
8532 };
8533
8534 const Expr *FirstArg = Call->getArg(0);
8535 const Expr *SecondArg = Call->getArg(1);
8536 const bool IsFirstArgZero = IsLiteralZeroArg(FirstArg);
8537 const bool IsSecondArgZero = IsLiteralZeroArg(SecondArg);
8538
8539 // Only warn when exactly one argument is zero.
8540 if (IsFirstArgZero == IsSecondArgZero) return;
8541
8542 SourceRange FirstRange = FirstArg->getSourceRange();
8543 SourceRange SecondRange = SecondArg->getSourceRange();
8544
8545 SourceRange ZeroRange = IsFirstArgZero ? FirstRange : SecondRange;
8546
8547 Diag(Call->getExprLoc(), diag::warn_max_unsigned_zero)
8548 << IsFirstArgZero << Call->getCallee()->getSourceRange() << ZeroRange;
8549
8550 // Deduce what parts to remove so that "std::max(0u, foo)" becomes "(foo)".
8551 SourceRange RemovalRange;
8552 if (IsFirstArgZero) {
8553 RemovalRange = SourceRange(FirstRange.getBegin(),
8554 SecondRange.getBegin().getLocWithOffset(-1));
8555 } else {
8556 RemovalRange = SourceRange(getLocForEndOfToken(FirstRange.getEnd()),
8557 SecondRange.getEnd());
8558 }
8559
8560 Diag(Call->getExprLoc(), diag::note_remove_max_call)
8561 << FixItHint::CreateRemoval(Call->getCallee()->getSourceRange())
8562 << FixItHint::CreateRemoval(RemovalRange);
8563 }
8564
8565 //===--- CHECK: Standard memory functions ---------------------------------===//
8566
8567 /// Takes the expression passed to the size_t parameter of functions
8568 /// such as memcmp, strncat, etc and warns if it's a comparison.
8569 ///
8570 /// This is to catch typos like `if (memcmp(&a, &b, sizeof(a) > 0))`.
8571 static bool CheckMemorySizeofForComparison(Sema &S, const Expr *E,
8572 IdentifierInfo *FnName,
8573 SourceLocation FnLoc,
8574 SourceLocation RParenLoc) {
8575 const BinaryOperator *Size = dyn_cast<BinaryOperator>(E);
8576 if (!Size)
8577 return false;
8578
8579 // if E is binop and op is <=>, >, <, >=, <=, ==, &&, ||:
8580 if (!Size->isComparisonOp() && !Size->isLogicalOp())
8581 return false;
8582
8583 SourceRange SizeRange = Size->getSourceRange();
8584 S.Diag(Size->getOperatorLoc(), diag::warn_memsize_comparison)
8585 << SizeRange << FnName;
8586 S.Diag(FnLoc, diag::note_memsize_comparison_paren)
8587 << FnName
8588 << FixItHint::CreateInsertion(
8589 S.getLocForEndOfToken(Size->getLHS()->getEndLoc()), ")")
8590 << FixItHint::CreateRemoval(RParenLoc);
8591 S.Diag(SizeRange.getBegin(), diag::note_memsize_comparison_cast_silence)
8592 << FixItHint::CreateInsertion(SizeRange.getBegin(), "(size_t)(")
8593 << FixItHint::CreateInsertion(S.getLocForEndOfToken(SizeRange.getEnd()),
8594 ")");
8595
8596 return true;
8597 }
8598
8599 /// Determine whether the given type is or contains a dynamic class type
8600 /// (e.g., whether it has a vtable).
8601 static const CXXRecordDecl *getContainedDynamicClass(QualType T,
8602 bool &IsContained) {
8603 // Look through array types while ignoring qualifiers.
8604 const Type *Ty = T->getBaseElementTypeUnsafe();
8605 IsContained = false;
8606
8607 const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl();
8608 RD = RD ? RD->getDefinition() : nullptr;
8609 if (!RD || RD->isInvalidDecl())
8610 return nullptr;
8611
8612 if (RD->isDynamicClass())
8613 return RD;
8614
8615 // Check all the fields. If any bases were dynamic, the class is dynamic.
8616 // It's impossible for a class to transitively contain itself by value, so
8617 // infinite recursion is impossible.
8618 for (auto *FD : RD->fields()) {
8619 bool SubContained;
8620 if (const CXXRecordDecl *ContainedRD =
8621 getContainedDynamicClass(FD->getType(), SubContained)) {
8622 IsContained = true;
8623 return ContainedRD;
8624 }
8625 }
8626
8627 return nullptr;
8628 }
8629
8630 static const UnaryExprOrTypeTraitExpr *getAsSizeOfExpr(const Expr *E) {
8631 if (const auto *Unary = dyn_cast<UnaryExprOrTypeTraitExpr>(E))
8632 if (Unary->getKind() == UETT_SizeOf)
8633 return Unary;
8634 return nullptr;
8635 }
8636
8637 /// If E is a sizeof expression, returns its argument expression,
8638 /// otherwise returns NULL.
8639 static const Expr *getSizeOfExprArg(const Expr *E) {
8640 if (const UnaryExprOrTypeTraitExpr *SizeOf = getAsSizeOfExpr(E))
8641 if (!SizeOf->isArgumentType())
8642 return SizeOf->getArgumentExpr()->IgnoreParenImpCasts();
8643 return nullptr;
8644 }
8645
8646 /// If E is a sizeof expression, returns its argument type.
8647 static QualType getSizeOfArgType(const Expr *E) {
8648 if (const UnaryExprOrTypeTraitExpr *SizeOf = getAsSizeOfExpr(E))
8649 return SizeOf->getTypeOfArgument();
8650 return QualType();
8651 }
8652
8653 namespace {
8654
8655 struct SearchNonTrivialToInitializeField
8656 : DefaultInitializedTypeVisitor<SearchNonTrivialToInitializeField> {
8657 using Super =
8658 DefaultInitializedTypeVisitor<SearchNonTrivialToInitializeField>;
8659
8660 SearchNonTrivialToInitializeField(const Expr *E, Sema &S) : E(E), S(S) {}
8661
8662 void visitWithKind(QualType::PrimitiveDefaultInitializeKind PDIK, QualType FT,
8663 SourceLocation SL) {
8664 if (const auto *AT = asDerived().getContext().getAsArrayType(FT)) {
8665 asDerived().visitArray(PDIK, AT, SL);
8666 return;
8667 }
8668
8669 Super::visitWithKind(PDIK, FT, SL);
8670 }
8671
8672 void visitARCStrong(QualType FT, SourceLocation SL) {
8673 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 1);
8674 }
8675 void visitARCWeak(QualType FT, SourceLocation SL) {
8676 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 1);
8677 }
8678 void visitStruct(QualType FT, SourceLocation SL) {
8679 for (const FieldDecl *FD : FT->castAs<RecordType>()->getDecl()->fields())
8680 visit(FD->getType(), FD->getLocation());
8681 }
8682 void visitArray(QualType::PrimitiveDefaultInitializeKind PDIK,
8683 const ArrayType *AT, SourceLocation SL) {
8684 visit(getContext().getBaseElementType(AT), SL);
8685 }
8686 void visitTrivial(QualType FT, SourceLocation SL) {}
8687
8688 static void diag(QualType RT, const Expr *E, Sema &S) {
8689 SearchNonTrivialToInitializeField(E, S).visitStruct(RT, SourceLocation());
8690 }
8691
8692 ASTContext &getContext() { return S.getASTContext(); }
8693
8694 const Expr *E;
8695 Sema &S;
8696 };
8697
8698 struct SearchNonTrivialToCopyField
8699 : CopiedTypeVisitor<SearchNonTrivialToCopyField, false> {
8700 using Super = CopiedTypeVisitor<SearchNonTrivialToCopyField, false>;
8701
8702 SearchNonTrivialToCopyField(const Expr *E, Sema &S) : E(E), S(S) {}
8703
8704 void visitWithKind(QualType::PrimitiveCopyKind PCK, QualType FT,
8705 SourceLocation SL) {
8706 if (const auto *AT = asDerived().getContext().getAsArrayType(FT)) {
8707 asDerived().visitArray(PCK, AT, SL);
8708 return;
8709 }
8710
8711 Super::visitWithKind(PCK, FT, SL);
8712 }
8713
8714 void visitARCStrong(QualType FT, SourceLocation SL) {
8715 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
8716 }
8717 void visitARCWeak(QualType FT, SourceLocation SL) {
8718 S.DiagRuntimeBehavior(SL, E, S.PDiag(diag::note_nontrivial_field) << 0);
8719 }
8720 void visitStruct(QualType FT, SourceLocation SL) {
8721 for (const FieldDecl *FD : FT->castAs<RecordType>()->getDecl()->fields())
8722 visit(FD->getType(), FD->getLocation());
8723 }
8724 void visitArray(QualType::PrimitiveCopyKind PCK, const ArrayType *AT,
8725 SourceLocation SL) {
8726 visit(getContext().getBaseElementType(AT), SL);
8727 }
8728 void preVisit(QualType::PrimitiveCopyKind PCK, QualType FT,
8729 SourceLocation SL) {}
8730 void visitTrivial(QualType FT, SourceLocation SL) {}
8731 void visitVolatileTrivial(QualType FT, SourceLocation SL) {}
8732
8733 static void diag(QualType RT, const Expr *E, Sema &S) {
8734 SearchNonTrivialToCopyField(E, S).visitStruct(RT, SourceLocation());
8735 }
8736
8737 ASTContext &getContext() { return S.getASTContext(); }
8738
8739 const Expr *E;
8740 Sema &S;
8741 };
8742
8743 }
8744
8745 /// Detect if \c SizeofExpr is likely to calculate the sizeof an object.
8746 static bool doesExprLikelyComputeSize(const Expr *SizeofExpr) {
8747 SizeofExpr = SizeofExpr->IgnoreParenImpCasts();
8748
8749 if (const auto *BO = dyn_cast<BinaryOperator>(SizeofExpr)) {
8750 if (BO->getOpcode() != BO_Mul && BO->getOpcode() != BO_Add)
8751 return false;
8752
8753 return doesExprLikelyComputeSize(BO->getLHS()) ||
8754 doesExprLikelyComputeSize(BO->getRHS());
8755 }
8756
8757 return getAsSizeOfExpr(SizeofExpr) != nullptr;
8758 }
8759
8760 /// Check if the ArgLoc originated from a macro passed to the call at CallLoc.
8761 ///
8762 /// \code
8763 /// #define MACRO 0
8764 /// foo(MACRO);
8765 /// foo(0);
8766 /// \endcode
8767 ///
8768 /// This should return true for the first call to foo, but not for the second
8769 /// (regardless of whether foo is a macro or function).
8770 static bool isArgumentExpandedFromMacro(SourceManager &SM,
8771 SourceLocation CallLoc,
8772 SourceLocation ArgLoc) {
8773 if (!CallLoc.isMacroID())
8774 return SM.getFileID(CallLoc) != SM.getFileID(ArgLoc);
8775
8776 return SM.getFileID(SM.getImmediateMacroCallerLoc(CallLoc)) !=
8777 SM.getFileID(SM.getImmediateMacroCallerLoc(ArgLoc));
8778 }
8779
8780 /// Diagnose cases like 'memset(buf, sizeof(buf), 0)', which should have the
8781 /// last two arguments transposed.
8782 static void CheckMemaccessSize(Sema &S, unsigned BId, const CallExpr *Call) {
8783 if (BId != Builtin::BImemset && BId != Builtin::BIbzero)
8784 return;
8785
8786 const Expr *SizeArg =
8787 Call->getArg(BId == Builtin::BImemset ? 2 : 1)->IgnoreImpCasts();
8788
8789 auto isLiteralZero = [](const Expr *E) {
8790 return (isa<IntegerLiteral>(E) &&
8791 cast<IntegerLiteral>(E)->getValue() == 0) ||
8792 (isa<CharacterLiteral>(E) &&
8793 cast<CharacterLiteral>(E)->getValue() == 0);
8794 };
8795
8796 // If we're memsetting or bzeroing 0 bytes, then this is likely an error.
8797 SourceLocation CallLoc = Call->getRParenLoc();
8798 SourceManager &SM = S.getSourceManager();
8799 if (isLiteralZero(SizeArg) &&
8800 !isArgumentExpandedFromMacro(SM, CallLoc, SizeArg->getExprLoc())) {
8801
8802 SourceLocation DiagLoc = SizeArg->getExprLoc();
8803
8804 // Some platforms #define bzero to __builtin_memset. See if this is the
8805 // case, and if so, emit a better diagnostic.
8806 if (BId == Builtin::BIbzero ||
8807 (CallLoc.isMacroID() && Lexer::getImmediateMacroName(
8808 CallLoc, SM, S.getLangOpts()) == "bzero")) {
8809 S.Diag(DiagLoc, diag::warn_suspicious_bzero_size);
8810 S.Diag(DiagLoc, diag::note_suspicious_bzero_size_silence);
8811 } else if (!isLiteralZero(Call->getArg(1)->IgnoreImpCasts())) {
8812 S.Diag(DiagLoc, diag::warn_suspicious_sizeof_memset) << 0;
8813 S.Diag(DiagLoc, diag::note_suspicious_sizeof_memset_silence) << 0;
8814 }
8815 return;
8816 }
8817
8818 // If the second argument to a memset is a sizeof expression and the third
8819 // isn't, this is also likely an error. This should catch
8820 // 'memset(buf, sizeof(buf), 0xff)'.
8821 if (BId == Builtin::BImemset &&
8822 doesExprLikelyComputeSize(Call->getArg(1)) &&
8823 !doesExprLikelyComputeSize(Call->getArg(2))) {
8824 SourceLocation DiagLoc = Call->getArg(1)->getExprLoc();
8825 S.Diag(DiagLoc, diag::warn_suspicious_sizeof_memset) << 1;
8826 S.Diag(DiagLoc, diag::note_suspicious_sizeof_memset_silence) << 1;
8827 return;
8828 }
8829 }
8830
8831 void Sema::CheckMemaccessArguments(const CallExpr *Call,
8832 unsigned BId,
8833 IdentifierInfo *FnName) {
8834 assert(BId != 0);
8835
8836 // It is possible to have a non-standard definition of memset. Validate
8837 // we have enough arguments, and if not, abort further checking.
8838 unsigned ExpectedNumArgs =
8839 (BId == Builtin::BIstrndup || BId == Builtin::BIbzero ? 2 : 3);
8840 if (Call->getNumArgs() < ExpectedNumArgs)
8841 return;
8842
8843 unsigned LastArg = (BId == Builtin::BImemset || BId == Builtin::BIbzero ||
8844 BId == Builtin::BIstrndup ? 1 : 2);
8845 unsigned LenArg =
8846 (BId == Builtin::BIbzero || BId == Builtin::BIstrndup ? 1 : 2);
8847 const Expr *LenExpr = Call->getArg(LenArg)->IgnoreParenImpCasts();
8848
8849 if (CheckMemorySizeofForComparison(*this, LenExpr, FnName,
8850 Call->getBeginLoc(), Call->getRParenLoc()))
8851 return;
8852
8853 // Catch cases like 'memset(buf, sizeof(buf), 0)'.
8854 CheckMemaccessSize(*this, BId, Call);
8855
8856 // We have special checking when the length is a sizeof expression.
8857 QualType SizeOfArgTy = getSizeOfArgType(LenExpr);
8858 const Expr *SizeOfArg = getSizeOfExprArg(LenExpr);
8859 llvm::FoldingSetNodeID SizeOfArgID;
8860
8861 // Although widely used, 'bzero' is not a standard function. Be more strict
8862 // with the argument types before allowing diagnostics and only allow the
8863 // form bzero(ptr, sizeof(...)).
8864 QualType FirstArgTy = Call->getArg(0)->IgnoreParenImpCasts()->getType();
8865 if (BId == Builtin::BIbzero && !FirstArgTy->getAs<PointerType>())
8866 return;
8867
8868 for (unsigned ArgIdx = 0; ArgIdx != LastArg; ++ArgIdx) {
8869 const Expr *Dest = Call->getArg(ArgIdx)->IgnoreParenImpCasts();
8870 SourceRange ArgRange = Call->getArg(ArgIdx)->getSourceRange();
8871
8872 QualType DestTy = Dest->getType();
8873 QualType PointeeTy;
8874 if (const PointerType *DestPtrTy = DestTy->getAs<PointerType>()) {
8875 PointeeTy = DestPtrTy->getPointeeType();
8876
8877 // Never warn about void type pointers. This can be used to suppress
8878 // false positives.
8879 if (PointeeTy->isVoidType())
8880 continue;
8881
8882 // Catch "memset(p, 0, sizeof(p))" -- needs to be sizeof(*p). Do this by
8883 // actually comparing the expressions for equality. Because computing the
8884 // expression IDs can be expensive, we only do this if the diagnostic is
8885 // enabled.
8886 if (SizeOfArg &&
8887 !Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess,
8888 SizeOfArg->getExprLoc())) {
8889 // We only compute IDs for expressions if the warning is enabled, and
8890 // cache the sizeof arg's ID.
8891 if (SizeOfArgID == llvm::FoldingSetNodeID())
8892 SizeOfArg->Profile(SizeOfArgID, Context, true);
8893 llvm::FoldingSetNodeID DestID;
8894 Dest->Profile(DestID, Context, true);
8895 if (DestID == SizeOfArgID) {
8896 // TODO: For strncpy() and friends, this could suggest sizeof(dst)
8897 // over sizeof(src) as well.
8898 unsigned ActionIdx = 0; // Default is to suggest dereferencing.
8899 StringRef ReadableName = FnName->getName();
8900
8901 if (const UnaryOperator *UnaryOp = dyn_cast<UnaryOperator>(Dest))
8902 if (UnaryOp->getOpcode() == UO_AddrOf)
8903 ActionIdx = 1; // If its an address-of operator, just remove it.
8904 if (!PointeeTy->isIncompleteType() &&
8905 (Context.getTypeSize(PointeeTy) == Context.getCharWidth()))
8906 ActionIdx = 2; // If the pointee's size is sizeof(char),
8907 // suggest an explicit length.
8908
8909 // If the function is defined as a builtin macro, do not show macro
8910 // expansion.
8911 SourceLocation SL = SizeOfArg->getExprLoc();
8912 SourceRange DSR = Dest->getSourceRange();
8913 SourceRange SSR = SizeOfArg->getSourceRange();
8914 SourceManager &SM = getSourceManager();
8915
8916 if (SM.isMacroArgExpansion(SL)) {
8917 ReadableName = Lexer::getImmediateMacroName(SL, SM, LangOpts);
8918 SL = SM.getSpellingLoc(SL);
8919 DSR = SourceRange(SM.getSpellingLoc(DSR.getBegin()),
8920 SM.getSpellingLoc(DSR.getEnd()));
8921 SSR = SourceRange(SM.getSpellingLoc(SSR.getBegin()),
8922 SM.getSpellingLoc(SSR.getEnd()));
8923 }
8924
8925 DiagRuntimeBehavior(SL, SizeOfArg,
8926 PDiag(diag::warn_sizeof_pointer_expr_memaccess)
8927 << ReadableName
8928 << PointeeTy
8929 << DestTy
8930 << DSR
8931 << SSR);
8932 DiagRuntimeBehavior(SL, SizeOfArg,
8933 PDiag(diag::warn_sizeof_pointer_expr_memaccess_note)
8934 << ActionIdx
8935 << SSR);
8936
8937 break;
8938 }
8939 }
8940
8941 // Also check for cases where the sizeof argument is the exact same
8942 // type as the memory argument, and where it points to a user-defined
8943 // record type.
8944 if (SizeOfArgTy != QualType()) {
8945 if (PointeeTy->isRecordType() &&
8946 Context.typesAreCompatible(SizeOfArgTy, DestTy)) {
8947 DiagRuntimeBehavior(LenExpr->getExprLoc(), Dest,
8948 PDiag(diag::warn_sizeof_pointer_type_memaccess)
8949 << FnName << SizeOfArgTy << ArgIdx
8950 << PointeeTy << Dest->getSourceRange()
8951 << LenExpr->getSourceRange());
8952 break;
8953 }
8954 }
8955 } else if (DestTy->isArrayType()) {
8956 PointeeTy = DestTy;
8957 }
8958
8959 if (PointeeTy == QualType())
8960 continue;
8961
8962 // Always complain about dynamic classes.
8963 bool IsContained;
8964 if (const CXXRecordDecl *ContainedRD =
8965 getContainedDynamicClass(PointeeTy, IsContained)) {
8966
8967 unsigned OperationType = 0;
8968 const bool IsCmp = BId == Builtin::BImemcmp || BId == Builtin::BIbcmp;
8969 // "overwritten" if we're warning about the destination for any call
8970 // but memcmp; otherwise a verb appropriate to the call.
8971 if (ArgIdx != 0 || IsCmp) {
8972 if (BId == Builtin::BImemcpy)
8973 OperationType = 1;
8974 else if(BId == Builtin::BImemmove)
8975 OperationType = 2;
8976 else if (IsCmp)
8977 OperationType = 3;
8978 }
8979
8980 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
8981 PDiag(diag::warn_dyn_class_memaccess)
8982 << (IsCmp ? ArgIdx + 2 : ArgIdx) << FnName
8983 << IsContained << ContainedRD << OperationType
8984 << Call->getCallee()->getSourceRange());
8985 } else if (PointeeTy.hasNonTrivialObjCLifetime() &&
8986 BId != Builtin::BImemset)
8987 DiagRuntimeBehavior(
8988 Dest->getExprLoc(), Dest,
8989 PDiag(diag::warn_arc_object_memaccess)
8990 << ArgIdx << FnName << PointeeTy
8991 << Call->getCallee()->getSourceRange());
8992 else if (const auto *RT = PointeeTy->getAs<RecordType>()) {
8993
8994 // FIXME: Do not consider incomplete types even though they may be
8995 // completed later. GCC does not diagnose such code, but we may want to
8996 // consider diagnosing it in the future, perhaps under a different, but
8997 // related, diagnostic group.
8998 bool MayBeTriviallyCopyableCXXRecord =
8999 RT->isIncompleteType() ||
9000 RT->desugar().isTriviallyCopyableType(Context);
9001
9002 if ((BId == Builtin::BImemset || BId == Builtin::BIbzero) &&
9003 RT->getDecl()->isNonTrivialToPrimitiveDefaultInitialize()) {
9004 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9005 PDiag(diag::warn_cstruct_memaccess)
9006 << ArgIdx << FnName << PointeeTy << 0);
9007 SearchNonTrivialToInitializeField::diag(PointeeTy, Dest, *this);
9008 } else if ((BId == Builtin::BImemset || BId == Builtin::BIbzero) &&
9009 !MayBeTriviallyCopyableCXXRecord && ArgIdx == 0) {
9010 // FIXME: Limiting this warning to dest argument until we decide
9011 // whether it's valid for source argument too.
9012 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9013 PDiag(diag::warn_cxxstruct_memaccess)
9014 << FnName << PointeeTy);
9015 } else if ((BId == Builtin::BImemcpy || BId == Builtin::BImemmove) &&
9016 RT->getDecl()->isNonTrivialToPrimitiveCopy()) {
9017 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9018 PDiag(diag::warn_cstruct_memaccess)
9019 << ArgIdx << FnName << PointeeTy << 1);
9020 SearchNonTrivialToCopyField::diag(PointeeTy, Dest, *this);
9021 } else if ((BId == Builtin::BImemcpy || BId == Builtin::BImemmove) &&
9022 !MayBeTriviallyCopyableCXXRecord && ArgIdx == 0) {
9023 // FIXME: Limiting this warning to dest argument until we decide
9024 // whether it's valid for source argument too.
9025 DiagRuntimeBehavior(Dest->getExprLoc(), Dest,
9026 PDiag(diag::warn_cxxstruct_memaccess)
9027 << FnName << PointeeTy);
9028 } else {
9029 continue;
9030 }
9031 } else
9032 continue;
9033
9034 DiagRuntimeBehavior(
9035 Dest->getExprLoc(), Dest,
9036 PDiag(diag::note_bad_memaccess_silence)
9037 << FixItHint::CreateInsertion(ArgRange.getBegin(), "(void*)"));
9038 break;
9039 }
9040 }
9041
9042 // A little helper routine: ignore addition and subtraction of integer literals.
9043 // This intentionally does not ignore all integer constant expressions because
9044 // we don't want to remove sizeof().
9045 static const Expr *ignoreLiteralAdditions(const Expr *Ex, ASTContext &Ctx) {
9046 Ex = Ex->IgnoreParenCasts();
9047
9048 while (true) {
9049 const BinaryOperator * BO = dyn_cast<BinaryOperator>(Ex);
9050 if (!BO || !BO->isAdditiveOp())
9051 break;
9052
9053 const Expr *RHS = BO->getRHS()->IgnoreParenCasts();
9054 const Expr *LHS = BO->getLHS()->IgnoreParenCasts();
9055
9056 if (isa<IntegerLiteral>(RHS))
9057 Ex = LHS;
9058 else if (isa<IntegerLiteral>(LHS))
9059 Ex = RHS;
9060 else
9061 break;
9062 }
9063
9064 return Ex;
9065 }
9066
9067 static bool isConstantSizeArrayWithMoreThanOneElement(QualType Ty,
9068 ASTContext &Context) {
9069 // Only handle constant-sized or VLAs, but not flexible members.
9070 if (const ConstantArrayType *CAT = Context.getAsConstantArrayType(Ty)) {
9071 // Only issue the FIXIT for arrays of size > 1.
9072 if (CAT->getZExtSize() <= 1)
9073 return false;
9074 } else if (!Ty->isVariableArrayType()) {
9075 return false;
9076 }
9077 return true;
9078 }
9079
9080 void Sema::CheckStrlcpycatArguments(const CallExpr *Call,
9081 IdentifierInfo *FnName) {
9082
9083 // Don't crash if the user has the wrong number of arguments
9084 unsigned NumArgs = Call->getNumArgs();
9085 if ((NumArgs != 3) && (NumArgs != 4))
9086 return;
9087
9088 const Expr *SrcArg = ignoreLiteralAdditions(Call->getArg(1), Context);
9089 const Expr *SizeArg = ignoreLiteralAdditions(Call->getArg(2), Context);
9090 const Expr *CompareWithSrc = nullptr;
9091
9092 if (CheckMemorySizeofForComparison(*this, SizeArg, FnName,
9093 Call->getBeginLoc(), Call->getRParenLoc()))
9094 return;
9095
9096 // Look for 'strlcpy(dst, x, sizeof(x))'
9097 if (const Expr *Ex = getSizeOfExprArg(SizeArg))
9098 CompareWithSrc = Ex;
9099 else {
9100 // Look for 'strlcpy(dst, x, strlen(x))'
9101 if (const CallExpr *SizeCall = dyn_cast<CallExpr>(SizeArg)) {
9102 if (SizeCall->getBuiltinCallee() == Builtin::BIstrlen &&
9103 SizeCall->getNumArgs() == 1)
9104 CompareWithSrc = ignoreLiteralAdditions(SizeCall->getArg(0), Context);
9105 }
9106 }
9107
9108 if (!CompareWithSrc)
9109 return;
9110
9111 // Determine if the argument to sizeof/strlen is equal to the source
9112 // argument. In principle there's all kinds of things you could do
9113 // here, for instance creating an == expression and evaluating it with
9114 // EvaluateAsBooleanCondition, but this uses a more direct technique:
9115 const DeclRefExpr *SrcArgDRE = dyn_cast<DeclRefExpr>(SrcArg);
9116 if (!SrcArgDRE)
9117 return;
9118
9119 const DeclRefExpr *CompareWithSrcDRE = dyn_cast<DeclRefExpr>(CompareWithSrc);
9120 if (!CompareWithSrcDRE ||
9121 SrcArgDRE->getDecl() != CompareWithSrcDRE->getDecl())
9122 return;
9123
9124 const Expr *OriginalSizeArg = Call->getArg(2);
9125 Diag(CompareWithSrcDRE->getBeginLoc(), diag::warn_strlcpycat_wrong_size)
9126 << OriginalSizeArg->getSourceRange() << FnName;
9127
9128 // Output a FIXIT hint if the destination is an array (rather than a
9129 // pointer to an array). This could be enhanced to handle some
9130 // pointers if we know the actual size, like if DstArg is 'array+2'
9131 // we could say 'sizeof(array)-2'.
9132 const Expr *DstArg = Call->getArg(0)->IgnoreParenImpCasts();
9133 if (!isConstantSizeArrayWithMoreThanOneElement(DstArg->getType(), Context))
9134 return;
9135
9136 SmallString<128> sizeString;
9137 llvm::raw_svector_ostream OS(sizeString);
9138 OS << "sizeof(";
9139 DstArg->printPretty(OS, nullptr, getPrintingPolicy());
9140 OS << ")";
9141
9142 Diag(OriginalSizeArg->getBeginLoc(), diag::note_strlcpycat_wrong_size)
9143 << FixItHint::CreateReplacement(OriginalSizeArg->getSourceRange(),
9144 OS.str());
9145 }
9146
9147 /// Check if two expressions refer to the same declaration.
9148 static bool referToTheSameDecl(const Expr *E1, const Expr *E2) {
9149 if (const DeclRefExpr *D1 = dyn_cast_or_null<DeclRefExpr>(E1))
9150 if (const DeclRefExpr *D2 = dyn_cast_or_null<DeclRefExpr>(E2))
9151 return D1->getDecl() == D2->getDecl();
9152 return false;
9153 }
9154
9155 static const Expr *getStrlenExprArg(const Expr *E) {
9156 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
9157 const FunctionDecl *FD = CE->getDirectCallee();
9158 if (!FD || FD->getMemoryFunctionKind() != Builtin::BIstrlen)
9159 return nullptr;
9160 return CE->getArg(0)->IgnoreParenCasts();
9161 }
9162 return nullptr;
9163 }
9164
9165 void Sema::CheckStrncatArguments(const CallExpr *CE,
9166 IdentifierInfo *FnName) {
9167 // Don't crash if the user has the wrong number of arguments.
9168 if (CE->getNumArgs() < 3)
9169 return;
9170 const Expr *DstArg = CE->getArg(0)->IgnoreParenCasts();
9171 const Expr *SrcArg = CE->getArg(1)->IgnoreParenCasts();
9172 const Expr *LenArg = CE->getArg(2)->IgnoreParenCasts();
9173
9174 if (CheckMemorySizeofForComparison(*this, LenArg, FnName, CE->getBeginLoc(),
9175 CE->getRParenLoc()))
9176 return;
9177
9178 // Identify common expressions, which are wrongly used as the size argument
9179 // to strncat and may lead to buffer overflows.
9180 unsigned PatternType = 0;
9181 if (const Expr *SizeOfArg = getSizeOfExprArg(LenArg)) {
9182 // - sizeof(dst)
9183 if (referToTheSameDecl(SizeOfArg, DstArg))
9184 PatternType = 1;
9185 // - sizeof(src)
9186 else if (referToTheSameDecl(SizeOfArg, SrcArg))
9187 PatternType = 2;
9188 } else if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(LenArg)) {
9189 if (BE->getOpcode() == BO_Sub) {
9190 const Expr *L = BE->getLHS()->IgnoreParenCasts();
9191 const Expr *R = BE->getRHS()->IgnoreParenCasts();
9192 // - sizeof(dst) - strlen(dst)
9193 if (referToTheSameDecl(DstArg, getSizeOfExprArg(L)) &&
9194 referToTheSameDecl(DstArg, getStrlenExprArg(R)))
9195 PatternType = 1;
9196 // - sizeof(src) - (anything)
9197 else if (referToTheSameDecl(SrcArg, getSizeOfExprArg(L)))
9198 PatternType = 2;
9199 }
9200 }
9201
9202 if (PatternType == 0)
9203 return;
9204
9205 // Generate the diagnostic.
9206 SourceLocation SL = LenArg->getBeginLoc();
9207 SourceRange SR = LenArg->getSourceRange();
9208 SourceManager &SM = getSourceManager();
9209
9210 // If the function is defined as a builtin macro, do not show macro expansion.
9211 if (SM.isMacroArgExpansion(SL)) {
9212 SL = SM.getSpellingLoc(SL);
9213 SR = SourceRange(SM.getSpellingLoc(SR.getBegin()),
9214 SM.getSpellingLoc(SR.getEnd()));
9215 }
9216
9217 // Check if the destination is an array (rather than a pointer to an array).
9218 QualType DstTy = DstArg->getType();
9219 bool isKnownSizeArray = isConstantSizeArrayWithMoreThanOneElement(DstTy,
9220 Context);
9221 if (!isKnownSizeArray) {
9222 if (PatternType == 1)
9223 Diag(SL, diag::warn_strncat_wrong_size) << SR;
9224 else
9225 Diag(SL, diag::warn_strncat_src_size) << SR;
9226 return;
9227 }
9228
9229 if (PatternType == 1)
9230 Diag(SL, diag::warn_strncat_large_size) << SR;
9231 else
9232 Diag(SL, diag::warn_strncat_src_size) << SR;
9233
9234 SmallString<128> sizeString;
9235 llvm::raw_svector_ostream OS(sizeString);
9236 OS << "sizeof(";
9237 DstArg->printPretty(OS, nullptr, getPrintingPolicy());
9238 OS << ") - ";
9239 OS << "strlen(";
9240 DstArg->printPretty(OS, nullptr, getPrintingPolicy());
9241 OS << ") - 1";
9242
9243 Diag(SL, diag::note_strncat_wrong_size)
9244 << FixItHint::CreateReplacement(SR, OS.str());
9245 }
9246
9247 namespace {
9248 void CheckFreeArgumentsOnLvalue(Sema &S, const std::string &CalleeName,
9249 const UnaryOperator *UnaryExpr, const Decl *D) {
9250 if (isa<FieldDecl, FunctionDecl, VarDecl>(D)) {
9251 S.Diag(UnaryExpr->getBeginLoc(), diag::warn_free_nonheap_object)
9252 << CalleeName << 0 /*object: */ << cast<NamedDecl>(D);
9253 return;
9254 }
9255 }
9256
9257 void CheckFreeArgumentsAddressof(Sema &S, const std::string &CalleeName,
9258 const UnaryOperator *UnaryExpr) {
9259 if (const auto *Lvalue = dyn_cast<DeclRefExpr>(UnaryExpr->getSubExpr())) {
9260 const Decl *D = Lvalue->getDecl();
9261 if (isa<DeclaratorDecl>(D))
9262 if (!dyn_cast<DeclaratorDecl>(D)->getType()->isReferenceType())
9263 return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr, D);
9264 }
9265
9266 if (const auto *Lvalue = dyn_cast<MemberExpr>(UnaryExpr->getSubExpr()))
9267 return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr,
9268 Lvalue->getMemberDecl());
9269 }
9270
9271 void CheckFreeArgumentsPlus(Sema &S, const std::string &CalleeName,
9272 const UnaryOperator *UnaryExpr) {
9273 const auto *Lambda = dyn_cast<LambdaExpr>(
9274 UnaryExpr->getSubExpr()->IgnoreImplicitAsWritten()->IgnoreParens());
9275 if (!Lambda)
9276 return;
9277
9278 S.Diag(Lambda->getBeginLoc(), diag::warn_free_nonheap_object)
9279 << CalleeName << 2 /*object: lambda expression*/;
9280 }
9281
9282 void CheckFreeArgumentsStackArray(Sema &S, const std::string &CalleeName,
9283 const DeclRefExpr *Lvalue) {
9284 const auto *Var = dyn_cast<VarDecl>(Lvalue->getDecl());
9285 if (Var == nullptr)
9286 return;
9287
9288 S.Diag(Lvalue->getBeginLoc(), diag::warn_free_nonheap_object)
9289 << CalleeName << 0 /*object: */ << Var;
9290 }
9291
9292 void CheckFreeArgumentsCast(Sema &S, const std::string &CalleeName,
9293 const CastExpr *Cast) {
9294 SmallString<128> SizeString;
9295 llvm::raw_svector_ostream OS(SizeString);
9296
9297 clang::CastKind Kind = Cast->getCastKind();
9298 if (Kind == clang::CK_BitCast &&
9299 !Cast->getSubExpr()->getType()->isFunctionPointerType())
9300 return;
9301 if (Kind == clang::CK_IntegralToPointer &&
9302 !isa<IntegerLiteral>(
9303 Cast->getSubExpr()->IgnoreParenImpCasts()->IgnoreParens()))
9304 return;
9305
9306 switch (Cast->getCastKind()) {
9307 case clang::CK_BitCast:
9308 case clang::CK_IntegralToPointer:
9309 case clang::CK_FunctionToPointerDecay:
9310 OS << '\'';
9311 Cast->printPretty(OS, nullptr, S.getPrintingPolicy());
9312 OS << '\'';
9313 break;
9314 default:
9315 return;
9316 }
9317
9318 S.Diag(Cast->getBeginLoc(), diag::warn_free_nonheap_object)
9319 << CalleeName << 0 /*object: */ << OS.str();
9320 }
9321 } // namespace
9322
9323 void Sema::CheckFreeArguments(const CallExpr *E) {
9324 const std::string CalleeName =
9325 cast<FunctionDecl>(E->getCalleeDecl())->getQualifiedNameAsString();
9326
9327 { // Prefer something that doesn't involve a cast to make things simpler.
9328 const Expr *Arg = E->getArg(0)->IgnoreParenCasts();
9329 if (const auto *UnaryExpr = dyn_cast<UnaryOperator>(Arg))
9330 switch (UnaryExpr->getOpcode()) {
9331 case UnaryOperator::Opcode::UO_AddrOf:
9332 return CheckFreeArgumentsAddressof(*this, CalleeName, UnaryExpr);
9333 case UnaryOperator::Opcode::UO_Plus:
9334 return CheckFreeArgumentsPlus(*this, CalleeName, UnaryExpr);
9335 default:
9336 break;
9337 }
9338
9339 if (const auto *Lvalue = dyn_cast<DeclRefExpr>(Arg))
9340 if (Lvalue->getType()->isArrayType())
9341 return CheckFreeArgumentsStackArray(*this, CalleeName, Lvalue);
9342
9343 if (const auto *Label = dyn_cast<AddrLabelExpr>(Arg)) {
9344 Diag(Label->getBeginLoc(), diag::warn_free_nonheap_object)
9345 << CalleeName << 0 /*object: */ << Label->getLabel()->getIdentifier();
9346 return;
9347 }
9348
9349 if (isa<BlockExpr>(Arg)) {
9350 Diag(Arg->getBeginLoc(), diag::warn_free_nonheap_object)
9351 << CalleeName << 1 /*object: block*/;
9352 return;
9353 }
9354 }
9355 // Maybe the cast was important, check after the other cases.
9356 if (const auto *Cast = dyn_cast<CastExpr>(E->getArg(0)))
9357 return CheckFreeArgumentsCast(*this, CalleeName, Cast);
9358 }
9359
9360 void
9361 Sema::CheckReturnValExpr(Expr *RetValExp, QualType lhsType,
9362 SourceLocation ReturnLoc,
9363 bool isObjCMethod,
9364 const AttrVec *Attrs,
9365 const FunctionDecl *FD) {
9366 // Check if the return value is null but should not be.
9367 if (((Attrs && hasSpecificAttr<ReturnsNonNullAttr>(*Attrs)) ||
9368 (!isObjCMethod && isNonNullType(lhsType))) &&
9369 CheckNonNullExpr(*this, RetValExp))
9370 Diag(ReturnLoc, diag::warn_null_ret)
9371 << (isObjCMethod ? 1 : 0) << RetValExp->getSourceRange();
9372
9373 // C++11 [basic.stc.dynamic.allocation]p4:
9374 // If an allocation function declared with a non-throwing
9375 // exception-specification fails to allocate storage, it shall return
9376 // a null pointer. Any other allocation function that fails to allocate
9377 // storage shall indicate failure only by throwing an exception [...]
9378 if (FD) {
9379 OverloadedOperatorKind Op = FD->getOverloadedOperator();
9380 if (Op == OO_New || Op == OO_Array_New) {
9381 const FunctionProtoType *Proto
9382 = FD->getType()->castAs<FunctionProtoType>();
9383 if (!Proto->isNothrow(/*ResultIfDependent*/true) &&
9384 CheckNonNullExpr(*this, RetValExp))
9385 Diag(ReturnLoc, diag::warn_operator_new_returns_null)
9386 << FD << getLangOpts().CPlusPlus11;
9387 }
9388 }
9389
9390 if (RetValExp && RetValExp->getType()->isWebAssemblyTableType()) {
9391 Diag(ReturnLoc, diag::err_wasm_table_art) << 1;
9392 }
9393
9394 // PPC MMA non-pointer types are not allowed as return type. Checking the type
9395 // here prevent the user from using a PPC MMA type as trailing return type.
9396 if (Context.getTargetInfo().getTriple().isPPC64())
9397 PPC().CheckPPCMMAType(RetValExp->getType(), ReturnLoc);
9398 }
9399
9400 void Sema::CheckFloatComparison(SourceLocation Loc, Expr *LHS, Expr *RHS,
9401 BinaryOperatorKind Opcode) {
9402 if (!BinaryOperator::isEqualityOp(Opcode))
9403 return;
9404
9405 // Match and capture subexpressions such as "(float) X == 0.1".
9406 FloatingLiteral *FPLiteral;
9407 CastExpr *FPCast;
9408 auto getCastAndLiteral = [&FPLiteral, &FPCast](Expr *L, Expr *R) {
9409 FPLiteral = dyn_cast<FloatingLiteral>(L->IgnoreParens());
9410 FPCast = dyn_cast<CastExpr>(R->IgnoreParens());
9411 return FPLiteral && FPCast;
9412 };
9413
9414 if (getCastAndLiteral(LHS, RHS) || getCastAndLiteral(RHS, LHS)) {
9415 auto *SourceTy = FPCast->getSubExpr()->getType()->getAs<BuiltinType>();
9416 auto *TargetTy = FPLiteral->getType()->getAs<BuiltinType>();
9417 if (SourceTy && TargetTy && SourceTy->isFloatingPoint() &&
9418 TargetTy->isFloatingPoint()) {
9419 bool Lossy;
9420 llvm::APFloat TargetC = FPLiteral->getValue();
9421 TargetC.convert(Context.getFloatTypeSemantics(QualType(SourceTy, 0)),
9422 llvm::APFloat::rmNearestTiesToEven, &Lossy);
9423 if (Lossy) {
9424 // If the literal cannot be represented in the source type, then a
9425 // check for == is always false and check for != is always true.
9426 Diag(Loc, diag::warn_float_compare_literal)
9427 << (Opcode == BO_EQ) << QualType(SourceTy, 0)
9428 << LHS->getSourceRange() << RHS->getSourceRange();
9429 return;
9430 }
9431 }
9432 }
9433
9434 // Match a more general floating-point equality comparison (-Wfloat-equal).
9435 Expr* LeftExprSansParen = LHS->IgnoreParenImpCasts();
9436 Expr* RightExprSansParen = RHS->IgnoreParenImpCasts();
9437
9438 // Special case: check for x == x (which is OK).
9439 // Do not emit warnings for such cases.
9440 if (auto *DRL = dyn_cast<DeclRefExpr>(LeftExprSansParen))
9441 if (auto *DRR = dyn_cast<DeclRefExpr>(RightExprSansParen))
9442 if (DRL->getDecl() == DRR->getDecl())
9443 return;
9444
9445 // Special case: check for comparisons against literals that can be exactly
9446 // represented by APFloat. In such cases, do not emit a warning. This
9447 // is a heuristic: often comparison against such literals are used to
9448 // detect if a value in a variable has not changed. This clearly can
9449 // lead to false negatives.
9450 if (FloatingLiteral* FLL = dyn_cast<FloatingLiteral>(LeftExprSansParen)) {
9451 if (FLL->isExact())
9452 return;
9453 } else
9454 if (FloatingLiteral* FLR = dyn_cast<FloatingLiteral>(RightExprSansParen))
9455 if (FLR->isExact())
9456 return;
9457
9458 // Check for comparisons with builtin types.
9459 if (CallExpr* CL = dyn_cast<CallExpr>(LeftExprSansParen))
9460 if (CL->getBuiltinCallee())
9461 return;
9462
9463 if (CallExpr* CR = dyn_cast<CallExpr>(RightExprSansParen))
9464 if (CR->getBuiltinCallee())
9465 return;
9466
9467 // Emit the diagnostic.
9468 Diag(Loc, diag::warn_floatingpoint_eq)
9469 << LHS->getSourceRange() << RHS->getSourceRange();
9470 }
9471
9472 //===--- CHECK: Integer mixed-sign comparisons (-Wsign-compare) --------===//
9473 //===--- CHECK: Lossy implicit conversions (-Wconversion) --------------===//
9474
9475 namespace {
9476
9477 /// Structure recording the 'active' range of an integer-valued
9478 /// expression.
9479 struct IntRange {
9480 /// The number of bits active in the int. Note that this includes exactly one
9481 /// sign bit if !NonNegative.
9482 unsigned Width;
9483
9484 /// True if the int is known not to have negative values. If so, all leading
9485 /// bits before Width are known zero, otherwise they are known to be the
9486 /// same as the MSB within Width.
9487 bool NonNegative;
9488
9489 IntRange(unsigned Width, bool NonNegative)
9490 : Width(Width), NonNegative(NonNegative) {}
9491
9492 /// Number of bits excluding the sign bit.
9493 unsigned valueBits() const {
9494 return NonNegative ? Width : Width - 1;
9495 }
9496
9497 /// Returns the range of the bool type.
9498 static IntRange forBoolType() {
9499 return IntRange(1, true);
9500 }
9501
9502 /// Returns the range of an opaque value of the given integral type.
9503 static IntRange forValueOfType(ASTContext &C, QualType T) {
9504 return forValueOfCanonicalType(C,
9505 T->getCanonicalTypeInternal().getTypePtr());
9506 }
9507
9508 /// Returns the range of an opaque value of a canonical integral type.
9509 static IntRange forValueOfCanonicalType(ASTContext &C, const Type *T) {
9510 assert(T->isCanonicalUnqualified());
9511
9512 if (const VectorType *VT = dyn_cast<VectorType>(T))
9513 T = VT->getElementType().getTypePtr();
9514 if (const ComplexType *CT = dyn_cast<ComplexType>(T))
9515 T = CT->getElementType().getTypePtr();
9516 if (const AtomicType *AT = dyn_cast<AtomicType>(T))
9517 T = AT->getValueType().getTypePtr();
9518
9519 if (!C.getLangOpts().CPlusPlus) {
9520 // For enum types in C code, use the underlying datatype.
9521 if (const EnumType *ET = dyn_cast<EnumType>(T))
9522 T = ET->getDecl()->getIntegerType().getDesugaredType(C).getTypePtr();
9523 } else if (const EnumType *ET = dyn_cast<EnumType>(T)) {
9524 // For enum types in C++, use the known bit width of the enumerators.
9525 EnumDecl *Enum = ET->getDecl();
9526 // In C++11, enums can have a fixed underlying type. Use this type to
9527 // compute the range.
9528 if (Enum->isFixed()) {
9529 return IntRange(C.getIntWidth(QualType(T, 0)),
9530 !ET->isSignedIntegerOrEnumerationType());
9531 }
9532
9533 unsigned NumPositive = Enum->getNumPositiveBits();
9534 unsigned NumNegative = Enum->getNumNegativeBits();
9535
9536 if (NumNegative == 0)
9537 return IntRange(NumPositive, true/*NonNegative*/);
9538 else
9539 return IntRange(std::max(NumPositive + 1, NumNegative),
9540 false/*NonNegative*/);
9541 }
9542
9543 if (const auto *EIT = dyn_cast<BitIntType>(T))
9544 return IntRange(EIT->getNumBits(), EIT->isUnsigned());
9545
9546 const BuiltinType *BT = cast<BuiltinType>(T);
9547 assert(BT->isInteger());
9548
9549 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
9550 }
9551
9552 /// Returns the "target" range of a canonical integral type, i.e.
9553 /// the range of values expressible in the type.
9554 ///
9555 /// This matches forValueOfCanonicalType except that enums have the
9556 /// full range of their type, not the range of their enumerators.
9557 static IntRange forTargetOfCanonicalType(ASTContext &C, const Type *T) {
9558 assert(T->isCanonicalUnqualified());
9559
9560 if (const VectorType *VT = dyn_cast<VectorType>(T))
9561 T = VT->getElementType().getTypePtr();
9562 if (const ComplexType *CT = dyn_cast<ComplexType>(T))
9563 T = CT->getElementType().getTypePtr();
9564 if (const AtomicType *AT = dyn_cast<AtomicType>(T))
9565 T = AT->getValueType().getTypePtr();
9566 if (const EnumType *ET = dyn_cast<EnumType>(T))
9567 T = C.getCanonicalType(ET->getDecl()->getIntegerType()).getTypePtr();
9568
9569 if (const auto *EIT = dyn_cast<BitIntType>(T))
9570 return IntRange(EIT->getNumBits(), EIT->isUnsigned());
9571
9572 const BuiltinType *BT = cast<BuiltinType>(T);
9573 assert(BT->isInteger());
9574
9575 return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
9576 }
9577
9578 /// Returns the supremum of two ranges: i.e. their conservative merge.
9579 static IntRange join(IntRange L, IntRange R) {
9580 bool Unsigned = L.NonNegative && R.NonNegative;
9581 return IntRange(std::max(L.valueBits(), R.valueBits()) + !Unsigned,
9582 L.NonNegative && R.NonNegative);
9583 }
9584
9585 /// Return the range of a bitwise-AND of the two ranges.
9586 static IntRange bit_and(IntRange L, IntRange R) {
9587 unsigned Bits = std::max(L.Width, R.Width);
9588 bool NonNegative = false;
9589 if (L.NonNegative) {
9590 Bits = std::min(Bits, L.Width);
9591 NonNegative = true;
9592 }
9593 if (R.NonNegative) {
9594 Bits = std::min(Bits, R.Width);
9595 NonNegative = true;
9596 }
9597 return IntRange(Bits, NonNegative);
9598 }
9599
9600 /// Return the range of a sum of the two ranges.
9601 static IntRange sum(IntRange L, IntRange R) {
9602 bool Unsigned = L.NonNegative && R.NonNegative;
9603 return IntRange(std::max(L.valueBits(), R.valueBits()) + 1 + !Unsigned,
9604 Unsigned);
9605 }
9606
9607 /// Return the range of a difference of the two ranges.
9608 static IntRange difference(IntRange L, IntRange R) {
9609 // We need a 1-bit-wider range if:
9610 // 1) LHS can be negative: least value can be reduced.
9611 // 2) RHS can be negative: greatest value can be increased.
9612 bool CanWiden = !L.NonNegative || !R.NonNegative;
9613 bool Unsigned = L.NonNegative && R.Width == 0;
9614 return IntRange(std::max(L.valueBits(), R.valueBits()) + CanWiden +
9615 !Unsigned,
9616 Unsigned);
9617 }
9618
9619 /// Return the range of a product of the two ranges.
9620 static IntRange product(IntRange L, IntRange R) {
9621 // If both LHS and RHS can be negative, we can form
9622 // -2^L * -2^R = 2^(L + R)
9623 // which requires L + R + 1 value bits to represent.
9624 bool CanWiden = !L.NonNegative && !R.NonNegative;
9625 bool Unsigned = L.NonNegative && R.NonNegative;
9626 return IntRange(L.valueBits() + R.valueBits() + CanWiden + !Unsigned,
9627 Unsigned);
9628 }
9629
9630 /// Return the range of a remainder operation between the two ranges.
9631 static IntRange rem(IntRange L, IntRange R) {
9632 // The result of a remainder can't be larger than the result of
9633 // either side. The sign of the result is the sign of the LHS.
9634 bool Unsigned = L.NonNegative;
9635 return IntRange(std::min(L.valueBits(), R.valueBits()) + !Unsigned,
9636 Unsigned);
9637 }
9638 };
9639
9640 } // namespace
9641
9642 static IntRange GetValueRange(ASTContext &C, llvm::APSInt &value,
9643 unsigned MaxWidth) {
9644 if (value.isSigned() && value.isNegative())
9645 return IntRange(value.getSignificantBits(), false);
9646
9647 if (value.getBitWidth() > MaxWidth)
9648 value = value.trunc(MaxWidth);
9649
9650 // isNonNegative() just checks the sign bit without considering
9651 // signedness.
9652 return IntRange(value.getActiveBits(), true);
9653 }
9654
9655 static IntRange GetValueRange(ASTContext &C, APValue &result, QualType Ty,
9656 unsigned MaxWidth) {
9657 if (result.isInt())
9658 return GetValueRange(C, result.getInt(), MaxWidth);
9659
9660 if (result.isVector()) {
9661 IntRange R = GetValueRange(C, result.getVectorElt(0), Ty, MaxWidth);
9662 for (unsigned i = 1, e = result.getVectorLength(); i != e; ++i) {
9663 IntRange El = GetValueRange(C, result.getVectorElt(i), Ty, MaxWidth);
9664 R = IntRange::join(R, El);
9665 }
9666 return R;
9667 }
9668
9669 if (result.isComplexInt()) {
9670 IntRange R = GetValueRange(C, result.getComplexIntReal(), MaxWidth);
9671 IntRange I = GetValueRange(C, result.getComplexIntImag(), MaxWidth);
9672 return IntRange::join(R, I);
9673 }
9674
9675 // This can happen with lossless casts to intptr_t of "based" lvalues.
9676 // Assume it might use arbitrary bits.
9677 // FIXME: The only reason we need to pass the type in here is to get
9678 // the sign right on this one case. It would be nice if APValue
9679 // preserved this.
9680 assert(result.isLValue() || result.isAddrLabelDiff());
9681 return IntRange(MaxWidth, Ty->isUnsignedIntegerOrEnumerationType());
9682 }
9683
9684 static QualType GetExprType(const Expr *E) {
9685 QualType Ty = E->getType();
9686 if (const AtomicType *AtomicRHS = Ty->getAs<AtomicType>())
9687 Ty = AtomicRHS->getValueType();
9688 return Ty;
9689 }
9690
9691 /// Attempts to estimate an approximate range for the given integer expression.
9692 /// Returns a range if successful, otherwise it returns \c std::nullopt if a
9693 /// reliable estimation cannot be determined.
9694 ///
9695 /// \param MaxWidth The width to which the value will be truncated.
9696 /// \param InConstantContext If \c true, interpret the expression within a
9697 /// constant context.
9698 /// \param Approximate If \c true, provide a likely range of values by assuming
9699 /// that arithmetic on narrower types remains within those types.
9700 /// If \c false, return a range that includes all possible values
9701 /// resulting from the expression.
9702 /// \returns A range of values that the expression might take, or
9703 /// std::nullopt if a reliable estimation cannot be determined.
9704 static std::optional<IntRange> TryGetExprRange(ASTContext &C, const Expr *E,
9705 unsigned MaxWidth,
9706 bool InConstantContext,
9707 bool Approximate) {
9708 E = E->IgnoreParens();
9709
9710 // Try a full evaluation first.
9711 Expr::EvalResult result;
9712 if (E->EvaluateAsRValue(result, C, InConstantContext))
9713 return GetValueRange(C, result.Val, GetExprType(E), MaxWidth);
9714
9715 // I think we only want to look through implicit casts here; if the
9716 // user has an explicit widening cast, we should treat the value as
9717 // being of the new, wider type.
9718 if (const auto *CE = dyn_cast<ImplicitCastExpr>(E)) {
9719 if (CE->getCastKind() == CK_NoOp || CE->getCastKind() == CK_LValueToRValue)
9720 return TryGetExprRange(C, CE->getSubExpr(), MaxWidth, InConstantContext,
9721 Approximate);
9722
9723 IntRange OutputTypeRange = IntRange::forValueOfType(C, GetExprType(CE));
9724
9725 bool isIntegerCast = CE->getCastKind() == CK_IntegralCast ||
9726 CE->getCastKind() == CK_BooleanToSignedIntegral;
9727
9728 // Assume that non-integer casts can span the full range of the type.
9729 if (!isIntegerCast)
9730 return OutputTypeRange;
9731
9732 std::optional<IntRange> SubRange = TryGetExprRange(
9733 C, CE->getSubExpr(), std::min(MaxWidth, OutputTypeRange.Width),
9734 InConstantContext, Approximate);
9735 if (!SubRange)
9736 return std::nullopt;
9737
9738 // Bail out if the subexpr's range is as wide as the cast type.
9739 if (SubRange->Width >= OutputTypeRange.Width)
9740 return OutputTypeRange;
9741
9742 // Otherwise, we take the smaller width, and we're non-negative if
9743 // either the output type or the subexpr is.
9744 return IntRange(SubRange->Width,
9745 SubRange->NonNegative || OutputTypeRange.NonNegative);
9746 }
9747
9748 if (const auto *CO = dyn_cast<ConditionalOperator>(E)) {
9749 // If we can fold the condition, just take that operand.
9750 bool CondResult;
9751 if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
9752 return TryGetExprRange(
9753 C, CondResult ? CO->getTrueExpr() : CO->getFalseExpr(), MaxWidth,
9754 InConstantContext, Approximate);
9755
9756 // Otherwise, conservatively merge.
9757 // TryGetExprRange requires an integer expression, but a throw expression
9758 // results in a void type.
9759 Expr *TrueExpr = CO->getTrueExpr();
9760 if (TrueExpr->getType()->isVoidType())
9761 return std::nullopt;
9762
9763 std::optional<IntRange> L =
9764 TryGetExprRange(C, TrueExpr, MaxWidth, InConstantContext, Approximate);
9765 if (!L)
9766 return std::nullopt;
9767
9768 Expr *FalseExpr = CO->getFalseExpr();
9769 if (FalseExpr->getType()->isVoidType())
9770 return std::nullopt;
9771
9772 std::optional<IntRange> R =
9773 TryGetExprRange(C, FalseExpr, MaxWidth, InConstantContext, Approximate);
9774 if (!R)
9775 return std::nullopt;
9776
9777 return IntRange::join(*L, *R);
9778 }
9779
9780 if (const auto *BO = dyn_cast<BinaryOperator>(E)) {
9781 IntRange (*Combine)(IntRange, IntRange) = IntRange::join;
9782
9783 switch (BO->getOpcode()) {
9784 case BO_Cmp:
9785 llvm_unreachable("builtin <=> should have class type");
9786
9787 // Boolean-valued operations are single-bit and positive.
9788 case BO_LAnd:
9789 case BO_LOr:
9790 case BO_LT:
9791 case BO_GT:
9792 case BO_LE:
9793 case BO_GE:
9794 case BO_EQ:
9795 case BO_NE:
9796 return IntRange::forBoolType();
9797
9798 // The type of the assignments is the type of the LHS, so the RHS
9799 // is not necessarily the same type.
9800 case BO_MulAssign:
9801 case BO_DivAssign:
9802 case BO_RemAssign:
9803 case BO_AddAssign:
9804 case BO_SubAssign:
9805 case BO_XorAssign:
9806 case BO_OrAssign:
9807 // TODO: bitfields?
9808 return IntRange::forValueOfType(C, GetExprType(E));
9809
9810 // Simple assignments just pass through the RHS, which will have
9811 // been coerced to the LHS type.
9812 case BO_Assign:
9813 // TODO: bitfields?
9814 return TryGetExprRange(C, BO->getRHS(), MaxWidth, InConstantContext,
9815 Approximate);
9816
9817 // Operations with opaque sources are black-listed.
9818 case BO_PtrMemD:
9819 case BO_PtrMemI:
9820 return IntRange::forValueOfType(C, GetExprType(E));
9821
9822 // Bitwise-and uses the *infinum* of the two source ranges.
9823 case BO_And:
9824 case BO_AndAssign:
9825 Combine = IntRange::bit_and;
9826 break;
9827
9828 // Left shift gets black-listed based on a judgement call.
9829 case BO_Shl:
9830 // ...except that we want to treat '1 << (blah)' as logically
9831 // positive. It's an important idiom.
9832 if (IntegerLiteral *I
9833 = dyn_cast<IntegerLiteral>(BO->getLHS()->IgnoreParenCasts())) {
9834 if (I->getValue() == 1) {
9835 IntRange R = IntRange::forValueOfType(C, GetExprType(E));
9836 return IntRange(R.Width, /*NonNegative*/ true);
9837 }
9838 }
9839 [[fallthrough]];
9840
9841 case BO_ShlAssign:
9842 return IntRange::forValueOfType(C, GetExprType(E));
9843
9844 // Right shift by a constant can narrow its left argument.
9845 case BO_Shr:
9846 case BO_ShrAssign: {
9847 std::optional<IntRange> L = TryGetExprRange(
9848 C, BO->getLHS(), MaxWidth, InConstantContext, Approximate);
9849 if (!L)
9850 return std::nullopt;
9851
9852 // If the shift amount is a positive constant, drop the width by
9853 // that much.
9854 if (std::optional<llvm::APSInt> shift =
9855 BO->getRHS()->getIntegerConstantExpr(C)) {
9856 if (shift->isNonNegative()) {
9857 if (shift->uge(L->Width))
9858 L->Width = (L->NonNegative ? 0 : 1);
9859 else
9860 L->Width -= shift->getZExtValue();
9861 }
9862 }
9863
9864 return L;
9865 }
9866
9867 // Comma acts as its right operand.
9868 case BO_Comma:
9869 return TryGetExprRange(C, BO->getRHS(), MaxWidth, InConstantContext,
9870 Approximate);
9871
9872 case BO_Add:
9873 if (!Approximate)
9874 Combine = IntRange::sum;
9875 break;
9876
9877 case BO_Sub:
9878 if (BO->getLHS()->getType()->isPointerType())
9879 return IntRange::forValueOfType(C, GetExprType(E));
9880 if (!Approximate)
9881 Combine = IntRange::difference;
9882 break;
9883
9884 case BO_Mul:
9885 if (!Approximate)
9886 Combine = IntRange::product;
9887 break;
9888
9889 // The width of a division result is mostly determined by the size
9890 // of the LHS.
9891 case BO_Div: {
9892 // Don't 'pre-truncate' the operands.
9893 unsigned opWidth = C.getIntWidth(GetExprType(E));
9894 std::optional<IntRange> L = TryGetExprRange(
9895 C, BO->getLHS(), opWidth, InConstantContext, Approximate);
9896 if (!L)
9897 return std::nullopt;
9898
9899 // If the divisor is constant, use that.
9900 if (std::optional<llvm::APSInt> divisor =
9901 BO->getRHS()->getIntegerConstantExpr(C)) {
9902 unsigned log2 = divisor->logBase2(); // floor(log_2(divisor))
9903 if (log2 >= L->Width)
9904 L->Width = (L->NonNegative ? 0 : 1);
9905 else
9906 L->Width = std::min(L->Width - log2, MaxWidth);
9907 return L;
9908 }
9909
9910 // Otherwise, just use the LHS's width.
9911 // FIXME: This is wrong if the LHS could be its minimal value and the RHS
9912 // could be -1.
9913 std::optional<IntRange> R = TryGetExprRange(
9914 C, BO->getRHS(), opWidth, InConstantContext, Approximate);
9915 if (!R)
9916 return std::nullopt;
9917
9918 return IntRange(L->Width, L->NonNegative && R->NonNegative);
9919 }
9920
9921 case BO_Rem:
9922 Combine = IntRange::rem;
9923 break;
9924
9925 // The default behavior is okay for these.
9926 case BO_Xor:
9927 case BO_Or:
9928 break;
9929 }
9930
9931 // Combine the two ranges, but limit the result to the type in which we
9932 // performed the computation.
9933 QualType T = GetExprType(E);
9934 unsigned opWidth = C.getIntWidth(T);
9935 std::optional<IntRange> L = TryGetExprRange(C, BO->getLHS(), opWidth,
9936 InConstantContext, Approximate);
9937 if (!L)
9938 return std::nullopt;
9939
9940 std::optional<IntRange> R = TryGetExprRange(C, BO->getRHS(), opWidth,
9941 InConstantContext, Approximate);
9942 if (!R)
9943 return std::nullopt;
9944
9945 IntRange C = Combine(*L, *R);
9946 C.NonNegative |= T->isUnsignedIntegerOrEnumerationType();
9947 C.Width = std::min(C.Width, MaxWidth);
9948 return C;
9949 }
9950
9951 if (const auto *UO = dyn_cast<UnaryOperator>(E)) {
9952 switch (UO->getOpcode()) {
9953 // Boolean-valued operations are white-listed.
9954 case UO_LNot:
9955 return IntRange::forBoolType();
9956
9957 // Operations with opaque sources are black-listed.
9958 case UO_Deref:
9959 case UO_AddrOf: // should be impossible
9960 return IntRange::forValueOfType(C, GetExprType(E));
9961
9962 default:
9963 return TryGetExprRange(C, UO->getSubExpr(), MaxWidth, InConstantContext,
9964 Approximate);
9965 }
9966 }
9967
9968 if (const auto *OVE = dyn_cast<OpaqueValueExpr>(E))
9969 return TryGetExprRange(C, OVE->getSourceExpr(), MaxWidth, InConstantContext,
9970 Approximate);
9971
9972 if (const auto *BitField = E->getSourceBitField())
9973 return IntRange(BitField->getBitWidthValue(C),
9974 BitField->getType()->isUnsignedIntegerOrEnumerationType());
9975
9976 if (GetExprType(E)->isVoidType())
9977 return std::nullopt;
9978
9979 return IntRange::forValueOfType(C, GetExprType(E));
9980 }
9981
9982 static std::optional<IntRange> TryGetExprRange(ASTContext &C, const Expr *E,
9983 bool InConstantContext,
9984 bool Approximate) {
9985 return TryGetExprRange(C, E, C.getIntWidth(GetExprType(E)), InConstantContext,
9986 Approximate);
9987 }
9988
9989 /// Checks whether the given value, which currently has the given
9990 /// source semantics, has the same value when coerced through the
9991 /// target semantics.
9992 static bool IsSameFloatAfterCast(const llvm::APFloat &value,
9993 const llvm::fltSemantics &Src,
9994 const llvm::fltSemantics &Tgt) {
9995 llvm::APFloat truncated = value;
9996
9997 bool ignored;
9998 truncated.convert(Src, llvm::APFloat::rmNearestTiesToEven, &ignored);
9999 truncated.convert(Tgt, llvm::APFloat::rmNearestTiesToEven, &ignored);
10000
10001 return truncated.bitwiseIsEqual(value);
10002 }
10003
10004 /// Checks whether the given value, which currently has the given
10005 /// source semantics, has the same value when coerced through the
10006 /// target semantics.
10007 ///
10008 /// The value might be a vector of floats (or a complex number).
10009 static bool IsSameFloatAfterCast(const APValue &value,
10010 const llvm::fltSemantics &Src,
10011 const llvm::fltSemantics &Tgt) {
10012 if (value.isFloat())
10013 return IsSameFloatAfterCast(value.getFloat(), Src, Tgt);
10014
10015 if (value.isVector()) {
10016 for (unsigned i = 0, e = value.getVectorLength(); i != e; ++i)
10017 if (!IsSameFloatAfterCast(value.getVectorElt(i), Src, Tgt))
10018 return false;
10019 return true;
10020 }
10021
10022 assert(value.isComplexFloat());
10023 return (IsSameFloatAfterCast(value.getComplexFloatReal(), Src, Tgt) &&
10024 IsSameFloatAfterCast(value.getComplexFloatImag(), Src, Tgt));
10025 }
10026
10027 static void AnalyzeImplicitConversions(Sema &S, Expr *E, SourceLocation CC,
10028 bool IsListInit = false);
10029
10030 static bool IsEnumConstOrFromMacro(Sema &S, Expr *E) {
10031 // Suppress cases where we are comparing against an enum constant.
10032 if (const DeclRefExpr *DR =
10033 dyn_cast<DeclRefExpr>(E->IgnoreParenImpCasts()))
10034 if (isa<EnumConstantDecl>(DR->getDecl()))
10035 return true;
10036
10037 // Suppress cases where the value is expanded from a macro, unless that macro
10038 // is how a language represents a boolean literal. This is the case in both C
10039 // and Objective-C.
10040 SourceLocation BeginLoc = E->getBeginLoc();
10041 if (BeginLoc.isMacroID()) {
10042 StringRef MacroName = Lexer::getImmediateMacroName(
10043 BeginLoc, S.getSourceManager(), S.getLangOpts());
10044 return MacroName != "YES" && MacroName != "NO" &&
10045 MacroName != "true" && MacroName != "false";
10046 }
10047
10048 return false;
10049 }
10050
10051 static bool isKnownToHaveUnsignedValue(Expr *E) {
10052 return E->getType()->isIntegerType() &&
10053 (!E->getType()->isSignedIntegerType() ||
10054 !E->IgnoreParenImpCasts()->getType()->isSignedIntegerType());
10055 }
10056
10057 namespace {
10058 /// The promoted range of values of a type. In general this has the
10059 /// following structure:
10060 ///
10061 /// |-----------| . . . |-----------|
10062 /// ^ ^ ^ ^
10063 /// Min HoleMin HoleMax Max
10064 ///
10065 /// ... where there is only a hole if a signed type is promoted to unsigned
10066 /// (in which case Min and Max are the smallest and largest representable
10067 /// values).
10068 struct PromotedRange {
10069 // Min, or HoleMax if there is a hole.
10070 llvm::APSInt PromotedMin;
10071 // Max, or HoleMin if there is a hole.
10072 llvm::APSInt PromotedMax;
10073
10074 PromotedRange(IntRange R, unsigned BitWidth, bool Unsigned) {
10075 if (R.Width == 0)
10076 PromotedMin = PromotedMax = llvm::APSInt(BitWidth, Unsigned);
10077 else if (R.Width >= BitWidth && !Unsigned) {
10078 // Promotion made the type *narrower*. This happens when promoting
10079 // a < 32-bit unsigned / <= 32-bit signed bit-field to 'signed int'.
10080 // Treat all values of 'signed int' as being in range for now.
10081 PromotedMin = llvm::APSInt::getMinValue(BitWidth, Unsigned);
10082 PromotedMax = llvm::APSInt::getMaxValue(BitWidth, Unsigned);
10083 } else {
10084 PromotedMin = llvm::APSInt::getMinValue(R.Width, R.NonNegative)
10085 .extOrTrunc(BitWidth);
10086 PromotedMin.setIsUnsigned(Unsigned);
10087
10088 PromotedMax = llvm::APSInt::getMaxValue(R.Width, R.NonNegative)
10089 .extOrTrunc(BitWidth);
10090 PromotedMax.setIsUnsigned(Unsigned);
10091 }
10092 }
10093
10094 // Determine whether this range is contiguous (has no hole).
10095 bool isContiguous() const { return PromotedMin <= PromotedMax; }
10096
10097 // Where a constant value is within the range.
10098 enum ComparisonResult {
10099 LT = 0x1,
10100 LE = 0x2,
10101 GT = 0x4,
10102 GE = 0x8,
10103 EQ = 0x10,
10104 NE = 0x20,
10105 InRangeFlag = 0x40,
10106
10107 Less = LE | LT | NE,
10108 Min = LE | InRangeFlag,
10109 InRange = InRangeFlag,
10110 Max = GE | InRangeFlag,
10111 Greater = GE | GT | NE,
10112
10113 OnlyValue = LE | GE | EQ | InRangeFlag,
10114 InHole = NE
10115 };
10116
10117 ComparisonResult compare(const llvm::APSInt &Value) const {
10118 assert(Value.getBitWidth() == PromotedMin.getBitWidth() &&
10119 Value.isUnsigned() == PromotedMin.isUnsigned());
10120 if (!isContiguous()) {
10121 assert(Value.isUnsigned() && "discontiguous range for signed compare");
10122 if (Value.isMinValue()) return Min;
10123 if (Value.isMaxValue()) return Max;
10124 if (Value >= PromotedMin) return InRange;
10125 if (Value <= PromotedMax) return InRange;
10126 return InHole;
10127 }
10128
10129 switch (llvm::APSInt::compareValues(Value, PromotedMin)) {
10130 case -1: return Less;
10131 case 0: return PromotedMin == PromotedMax ? OnlyValue : Min;
10132 case 1:
10133 switch (llvm::APSInt::compareValues(Value, PromotedMax)) {
10134 case -1: return InRange;
10135 case 0: return Max;
10136 case 1: return Greater;
10137 }
10138 }
10139
10140 llvm_unreachable("impossible compare result");
10141 }
10142
10143 static std::optional<StringRef>
10144 constantValue(BinaryOperatorKind Op, ComparisonResult R, bool ConstantOnRHS) {
10145 if (Op == BO_Cmp) {
10146 ComparisonResult LTFlag = LT, GTFlag = GT;
10147 if (ConstantOnRHS) std::swap(LTFlag, GTFlag);
10148
10149 if (R & EQ) return StringRef("'std::strong_ordering::equal'");
10150 if (R & LTFlag) return StringRef("'std::strong_ordering::less'");
10151 if (R & GTFlag) return StringRef("'std::strong_ordering::greater'");
10152 return std::nullopt;
10153 }
10154
10155 ComparisonResult TrueFlag, FalseFlag;
10156 if (Op == BO_EQ) {
10157 TrueFlag = EQ;
10158 FalseFlag = NE;
10159 } else if (Op == BO_NE) {
10160 TrueFlag = NE;
10161 FalseFlag = EQ;
10162 } else {
10163 if ((Op == BO_LT || Op == BO_GE) ^ ConstantOnRHS) {
10164 TrueFlag = LT;
10165 FalseFlag = GE;
10166 } else {
10167 TrueFlag = GT;
10168 FalseFlag = LE;
10169 }
10170 if (Op == BO_GE || Op == BO_LE)
10171 std::swap(TrueFlag, FalseFlag);
10172 }
10173 if (R & TrueFlag)
10174 return StringRef("true");
10175 if (R & FalseFlag)
10176 return StringRef("false");
10177 return std::nullopt;
10178 }
10179 };
10180 }
10181
10182 static bool HasEnumType(Expr *E) {
10183 // Strip off implicit integral promotions.
10184 while (ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
10185 if (ICE->getCastKind() != CK_IntegralCast &&
10186 ICE->getCastKind() != CK_NoOp)
10187 break;
10188 E = ICE->getSubExpr();
10189 }
10190
10191 return E->getType()->isEnumeralType();
10192 }
10193
10194 static int classifyConstantValue(Expr *Constant) {
10195 // The values of this enumeration are used in the diagnostics
10196 // diag::warn_out_of_range_compare and diag::warn_tautological_bool_compare.
10197 enum ConstantValueKind {
10198 Miscellaneous = 0,
10199 LiteralTrue,
10200 LiteralFalse
10201 };
10202 if (auto *BL = dyn_cast<CXXBoolLiteralExpr>(Constant))
10203 return BL->getValue() ? ConstantValueKind::LiteralTrue
10204 : ConstantValueKind::LiteralFalse;
10205 return ConstantValueKind::Miscellaneous;
10206 }
10207
10208 static bool CheckTautologicalComparison(Sema &S, BinaryOperator *E,
10209 Expr *Constant, Expr *Other,
10210 const llvm::APSInt &Value,
10211 bool RhsConstant) {
10212 if (S.inTemplateInstantiation())
10213 return false;
10214
10215 Expr *OriginalOther = Other;
10216
10217 Constant = Constant->IgnoreParenImpCasts();
10218 Other = Other->IgnoreParenImpCasts();
10219
10220 // Suppress warnings on tautological comparisons between values of the same
10221 // enumeration type. There are only two ways we could warn on this:
10222 // - If the constant is outside the range of representable values of
10223 // the enumeration. In such a case, we should warn about the cast
10224 // to enumeration type, not about the comparison.
10225 // - If the constant is the maximum / minimum in-range value. For an
10226 // enumeratin type, such comparisons can be meaningful and useful.
10227 if (Constant->getType()->isEnumeralType() &&
10228 S.Context.hasSameUnqualifiedType(Constant->getType(), Other->getType()))
10229 return false;
10230
10231 std::optional<IntRange> OtherValueRange = TryGetExprRange(
10232 S.Context, Other, S.isConstantEvaluatedContext(), /*Approximate=*/false);
10233 if (!OtherValueRange)
10234 return false;
10235
10236 QualType OtherT = Other->getType();
10237 if (const auto *AT = OtherT->getAs<AtomicType>())
10238 OtherT = AT->getValueType();
10239 IntRange OtherTypeRange = IntRange::forValueOfType(S.Context, OtherT);
10240
10241 // Special case for ObjC BOOL on targets where its a typedef for a signed char
10242 // (Namely, macOS). FIXME: IntRange::forValueOfType should do this.
10243 bool IsObjCSignedCharBool = S.getLangOpts().ObjC &&
10244 S.ObjC().NSAPIObj->isObjCBOOLType(OtherT) &&
10245 OtherT->isSpecificBuiltinType(BuiltinType::SChar);
10246
10247 // Whether we're treating Other as being a bool because of the form of
10248 // expression despite it having another type (typically 'int' in C).
10249 bool OtherIsBooleanDespiteType =
10250 !OtherT->isBooleanType() && Other->isKnownToHaveBooleanValue();
10251 if (OtherIsBooleanDespiteType || IsObjCSignedCharBool)
10252 OtherTypeRange = *OtherValueRange = IntRange::forBoolType();
10253
10254 // Check if all values in the range of possible values of this expression
10255 // lead to the same comparison outcome.
10256 PromotedRange OtherPromotedValueRange(*OtherValueRange, Value.getBitWidth(),
10257 Value.isUnsigned());
10258 auto Cmp = OtherPromotedValueRange.compare(Value);
10259 auto Result = PromotedRange::constantValue(E->getOpcode(), Cmp, RhsConstant);
10260 if (!Result)
10261 return false;
10262
10263 // Also consider the range determined by the type alone. This allows us to
10264 // classify the warning under the proper diagnostic group.
10265 bool TautologicalTypeCompare = false;
10266 {
10267 PromotedRange OtherPromotedTypeRange(OtherTypeRange, Value.getBitWidth(),
10268 Value.isUnsigned());
10269 auto TypeCmp = OtherPromotedTypeRange.compare(Value);
10270 if (auto TypeResult = PromotedRange::constantValue(E->getOpcode(), TypeCmp,
10271 RhsConstant)) {
10272 TautologicalTypeCompare = true;
10273 Cmp = TypeCmp;
10274 Result = TypeResult;
10275 }
10276 }
10277
10278 // Don't warn if the non-constant operand actually always evaluates to the
10279 // same value.
10280 if (!TautologicalTypeCompare && OtherValueRange->Width == 0)
10281 return false;
10282
10283 // Suppress the diagnostic for an in-range comparison if the constant comes
10284 // from a macro or enumerator. We don't want to diagnose
10285 //
10286 // some_long_value <= INT_MAX
10287 //
10288 // when sizeof(int) == sizeof(long).
10289 bool InRange = Cmp & PromotedRange::InRangeFlag;
10290 if (InRange && IsEnumConstOrFromMacro(S, Constant))
10291 return false;
10292
10293 // A comparison of an unsigned bit-field against 0 is really a type problem,
10294 // even though at the type level the bit-field might promote to 'signed int'.
10295 if (Other->refersToBitField() && InRange && Value == 0 &&
10296 Other->getType()->isUnsignedIntegerOrEnumerationType())
10297 TautologicalTypeCompare = true;
10298
10299 // If this is a comparison to an enum constant, include that
10300 // constant in the diagnostic.
10301 const EnumConstantDecl *ED = nullptr;
10302 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Constant))
10303 ED = dyn_cast<EnumConstantDecl>(DR->getDecl());
10304
10305 // Should be enough for uint128 (39 decimal digits)
10306 SmallString<64> PrettySourceValue;
10307 llvm::raw_svector_ostream OS(PrettySourceValue);
10308 if (ED) {
10309 OS << '\'' << *ED << "' (" << Value << ")";
10310 } else if (auto *BL = dyn_cast<ObjCBoolLiteralExpr>(
10311 Constant->IgnoreParenImpCasts())) {
10312 OS << (BL->getValue() ? "YES" : "NO");
10313 } else {
10314 OS << Value;
10315 }
10316
10317 if (!TautologicalTypeCompare) {
10318 S.Diag(E->getOperatorLoc(), diag::warn_tautological_compare_value_range)
10319 << RhsConstant << OtherValueRange->Width << OtherValueRange->NonNegative
10320 << E->getOpcodeStr() << OS.str() << *Result
10321 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
10322 return true;
10323 }
10324
10325 if (IsObjCSignedCharBool) {
10326 S.DiagRuntimeBehavior(E->getOperatorLoc(), E,
10327 S.PDiag(diag::warn_tautological_compare_objc_bool)
10328 << OS.str() << *Result);
10329 return true;
10330 }
10331
10332 // FIXME: We use a somewhat different formatting for the in-range cases and
10333 // cases involving boolean values for historical reasons. We should pick a
10334 // consistent way of presenting these diagnostics.
10335 if (!InRange || Other->isKnownToHaveBooleanValue()) {
10336
10337 S.DiagRuntimeBehavior(
10338 E->getOperatorLoc(), E,
10339 S.PDiag(!InRange ? diag::warn_out_of_range_compare
10340 : diag::warn_tautological_bool_compare)
10341 << OS.str() << classifyConstantValue(Constant) << OtherT
10342 << OtherIsBooleanDespiteType << *Result
10343 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange());
10344 } else {
10345 bool IsCharTy = OtherT.withoutLocalFastQualifiers() == S.Context.CharTy;
10346 unsigned Diag =
10347 (isKnownToHaveUnsignedValue(OriginalOther) && Value == 0)
10348 ? (HasEnumType(OriginalOther)
10349 ? diag::warn_unsigned_enum_always_true_comparison
10350 : IsCharTy ? diag::warn_unsigned_char_always_true_comparison
10351 : diag::warn_unsigned_always_true_comparison)
10352 : diag::warn_tautological_constant_compare;
10353
10354 S.Diag(E->getOperatorLoc(), Diag)
10355 << RhsConstant << OtherT << E->getOpcodeStr() << OS.str() << *Result
10356 << E->getLHS()->getSourceRange() << E->getRHS()->getSourceRange();
10357 }
10358
10359 return true;
10360 }
10361
10362 /// Analyze the operands of the given comparison. Implements the
10363 /// fallback case from AnalyzeComparison.
10364 static void AnalyzeImpConvsInComparison(Sema &S, BinaryOperator *E) {
10365 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
10366 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
10367 }
10368
10369 /// Implements -Wsign-compare.
10370 ///
10371 /// \param E the binary operator to check for warnings
10372 static void AnalyzeComparison(Sema &S, BinaryOperator *E) {
10373 // The type the comparison is being performed in.
10374 QualType T = E->getLHS()->getType();
10375
10376 // Only analyze comparison operators where both sides have been converted to
10377 // the same type.
10378 if (!S.Context.hasSameUnqualifiedType(T, E->getRHS()->getType()))
10379 return AnalyzeImpConvsInComparison(S, E);
10380
10381 // Don't analyze value-dependent comparisons directly.
10382 if (E->isValueDependent())
10383 return AnalyzeImpConvsInComparison(S, E);
10384
10385 Expr *LHS = E->getLHS();
10386 Expr *RHS = E->getRHS();
10387
10388 if (T->isIntegralType(S.Context)) {
10389 std::optional<llvm::APSInt> RHSValue =
10390 RHS->getIntegerConstantExpr(S.Context);
10391 std::optional<llvm::APSInt> LHSValue =
10392 LHS->getIntegerConstantExpr(S.Context);
10393
10394 // We don't care about expressions whose result is a constant.
10395 if (RHSValue && LHSValue)
10396 return AnalyzeImpConvsInComparison(S, E);
10397
10398 // We only care about expressions where just one side is literal
10399 if ((bool)RHSValue ^ (bool)LHSValue) {
10400 // Is the constant on the RHS or LHS?
10401 const bool RhsConstant = (bool)RHSValue;
10402 Expr *Const = RhsConstant ? RHS : LHS;
10403 Expr *Other = RhsConstant ? LHS : RHS;
10404 const llvm::APSInt &Value = RhsConstant ? *RHSValue : *LHSValue;
10405
10406 // Check whether an integer constant comparison results in a value
10407 // of 'true' or 'false'.
10408 if (CheckTautologicalComparison(S, E, Const, Other, Value, RhsConstant))
10409 return AnalyzeImpConvsInComparison(S, E);
10410 }
10411 }
10412
10413 if (!T->hasUnsignedIntegerRepresentation()) {
10414 // We don't do anything special if this isn't an unsigned integral
10415 // comparison: we're only interested in integral comparisons, and
10416 // signed comparisons only happen in cases we don't care to warn about.
10417 return AnalyzeImpConvsInComparison(S, E);
10418 }
10419
10420 LHS = LHS->IgnoreParenImpCasts();
10421 RHS = RHS->IgnoreParenImpCasts();
10422
10423 if (!S.getLangOpts().CPlusPlus) {
10424 // Avoid warning about comparison of integers with different signs when
10425 // RHS/LHS has a `typeof(E)` type whose sign is different from the sign of
10426 // the type of `E`.
10427 if (const auto *TET = dyn_cast<TypeOfExprType>(LHS->getType()))
10428 LHS = TET->getUnderlyingExpr()->IgnoreParenImpCasts();
10429 if (const auto *TET = dyn_cast<TypeOfExprType>(RHS->getType()))
10430 RHS = TET->getUnderlyingExpr()->IgnoreParenImpCasts();
10431 }
10432
10433 // Check to see if one of the (unmodified) operands is of different
10434 // signedness.
10435 Expr *signedOperand, *unsignedOperand;
10436 if (LHS->getType()->hasSignedIntegerRepresentation()) {
10437 assert(!RHS->getType()->hasSignedIntegerRepresentation() &&
10438 "unsigned comparison between two signed integer expressions?");
10439 signedOperand = LHS;
10440 unsignedOperand = RHS;
10441 } else if (RHS->getType()->hasSignedIntegerRepresentation()) {
10442 signedOperand = RHS;
10443 unsignedOperand = LHS;
10444 } else {
10445 return AnalyzeImpConvsInComparison(S, E);
10446 }
10447
10448 // Otherwise, calculate the effective range of the signed operand.
10449 std::optional<IntRange> signedRange =
10450 TryGetExprRange(S.Context, signedOperand, S.isConstantEvaluatedContext(),
10451 /*Approximate=*/true);
10452 if (!signedRange)
10453 return;
10454
10455 // Go ahead and analyze implicit conversions in the operands. Note
10456 // that we skip the implicit conversions on both sides.
10457 AnalyzeImplicitConversions(S, LHS, E->getOperatorLoc());
10458 AnalyzeImplicitConversions(S, RHS, E->getOperatorLoc());
10459
10460 // If the signed range is non-negative, -Wsign-compare won't fire.
10461 if (signedRange->NonNegative)
10462 return;
10463
10464 // For (in)equality comparisons, if the unsigned operand is a
10465 // constant which cannot collide with a overflowed signed operand,
10466 // then reinterpreting the signed operand as unsigned will not
10467 // change the result of the comparison.
10468 if (E->isEqualityOp()) {
10469 unsigned comparisonWidth = S.Context.getIntWidth(T);
10470 std::optional<IntRange> unsignedRange = TryGetExprRange(
10471 S.Context, unsignedOperand, S.isConstantEvaluatedContext(),
10472 /*Approximate=*/true);
10473 if (!unsignedRange)
10474 return;
10475
10476 // We should never be unable to prove that the unsigned operand is
10477 // non-negative.
10478 assert(unsignedRange->NonNegative && "unsigned range includes negative?");
10479
10480 if (unsignedRange->Width < comparisonWidth)
10481 return;
10482 }
10483
10484 S.DiagRuntimeBehavior(E->getOperatorLoc(), E,
10485 S.PDiag(diag::warn_mixed_sign_comparison)
10486 << LHS->getType() << RHS->getType()
10487 << LHS->getSourceRange() << RHS->getSourceRange());
10488 }
10489
10490 /// Analyzes an attempt to assign the given value to a bitfield.
10491 ///
10492 /// Returns true if there was something fishy about the attempt.
10493 static bool AnalyzeBitFieldAssignment(Sema &S, FieldDecl *Bitfield, Expr *Init,
10494 SourceLocation InitLoc) {
10495 assert(Bitfield->isBitField());
10496 if (Bitfield->isInvalidDecl())
10497 return false;
10498
10499 // White-list bool bitfields.
10500 QualType BitfieldType = Bitfield->getType();
10501 if (BitfieldType->isBooleanType())
10502 return false;
10503
10504 if (BitfieldType->isEnumeralType()) {
10505 EnumDecl *BitfieldEnumDecl = BitfieldType->castAs<EnumType>()->getDecl();
10506 // If the underlying enum type was not explicitly specified as an unsigned
10507 // type and the enum contain only positive values, MSVC++ will cause an
10508 // inconsistency by storing this as a signed type.
10509 if (S.getLangOpts().CPlusPlus11 &&
10510 !BitfieldEnumDecl->getIntegerTypeSourceInfo() &&
10511 BitfieldEnumDecl->getNumPositiveBits() > 0 &&
10512 BitfieldEnumDecl->getNumNegativeBits() == 0) {
10513 S.Diag(InitLoc, diag::warn_no_underlying_type_specified_for_enum_bitfield)
10514 << BitfieldEnumDecl;
10515 }
10516 }
10517
10518 // Ignore value- or type-dependent expressions.
10519 if (Bitfield->getBitWidth()->isValueDependent() ||
10520 Bitfield->getBitWidth()->isTypeDependent() ||
10521 Init->isValueDependent() ||
10522 Init->isTypeDependent())
10523 return false;
10524
10525 Expr *OriginalInit = Init->IgnoreParenImpCasts();
10526 unsigned FieldWidth = Bitfield->getBitWidthValue(S.Context);
10527
10528 Expr::EvalResult Result;
10529 if (!OriginalInit->EvaluateAsInt(Result, S.Context,
10530 Expr::SE_AllowSideEffects)) {
10531 // The RHS is not constant. If the RHS has an enum type, make sure the
10532 // bitfield is wide enough to hold all the values of the enum without
10533 // truncation.
10534 if (const auto *EnumTy = OriginalInit->getType()->getAs<EnumType>()) {
10535 EnumDecl *ED = EnumTy->getDecl();
10536 bool SignedBitfield = BitfieldType->isSignedIntegerType();
10537
10538 // Enum types are implicitly signed on Windows, so check if there are any
10539 // negative enumerators to see if the enum was intended to be signed or
10540 // not.
10541 bool SignedEnum = ED->getNumNegativeBits() > 0;
10542
10543 // Check for surprising sign changes when assigning enum values to a
10544 // bitfield of different signedness. If the bitfield is signed and we
10545 // have exactly the right number of bits to store this unsigned enum,
10546 // suggest changing the enum to an unsigned type. This typically happens
10547 // on Windows where unfixed enums always use an underlying type of 'int'.
10548 unsigned DiagID = 0;
10549 if (SignedEnum && !SignedBitfield) {
10550 DiagID = diag::warn_unsigned_bitfield_assigned_signed_enum;
10551 } else if (SignedBitfield && !SignedEnum &&
10552 ED->getNumPositiveBits() == FieldWidth) {
10553 DiagID = diag::warn_signed_bitfield_enum_conversion;
10554 }
10555
10556 if (DiagID) {
10557 S.Diag(InitLoc, DiagID) << Bitfield << ED;
10558 TypeSourceInfo *TSI = Bitfield->getTypeSourceInfo();
10559 SourceRange TypeRange =
10560 TSI ? TSI->getTypeLoc().getSourceRange() : SourceRange();
10561 S.Diag(Bitfield->getTypeSpecStartLoc(), diag::note_change_bitfield_sign)
10562 << SignedEnum << TypeRange;
10563 }
10564
10565 // Compute the required bitwidth. If the enum has negative values, we need
10566 // one more bit than the normal number of positive bits to represent the
10567 // sign bit.
10568 unsigned BitsNeeded = SignedEnum ? std::max(ED->getNumPositiveBits() + 1,
10569 ED->getNumNegativeBits())
10570 : ED->getNumPositiveBits();
10571
10572 // Check the bitwidth.
10573 if (BitsNeeded > FieldWidth) {
10574 Expr *WidthExpr = Bitfield->getBitWidth();
10575 S.Diag(InitLoc, diag::warn_bitfield_too_small_for_enum)
10576 << Bitfield << ED;
10577 S.Diag(WidthExpr->getExprLoc(), diag::note_widen_bitfield)
10578 << BitsNeeded << ED << WidthExpr->getSourceRange();
10579 }
10580 }
10581
10582 return false;
10583 }
10584
10585 llvm::APSInt Value = Result.Val.getInt();
10586
10587 unsigned OriginalWidth = Value.getBitWidth();
10588
10589 // In C, the macro 'true' from stdbool.h will evaluate to '1'; To reduce
10590 // false positives where the user is demonstrating they intend to use the
10591 // bit-field as a Boolean, check to see if the value is 1 and we're assigning
10592 // to a one-bit bit-field to see if the value came from a macro named 'true'.
10593 bool OneAssignedToOneBitBitfield = FieldWidth == 1 && Value == 1;
10594 if (OneAssignedToOneBitBitfield && !S.LangOpts.CPlusPlus) {
10595 SourceLocation MaybeMacroLoc = OriginalInit->getBeginLoc();
10596 if (S.SourceMgr.isInSystemMacro(MaybeMacroLoc) &&
10597 S.findMacroSpelling(MaybeMacroLoc, "true"))
10598 return false;
10599 }
10600
10601 if (!Value.isSigned() || Value.isNegative())
10602 if (UnaryOperator *UO = dyn_cast<UnaryOperator>(OriginalInit))
10603 if (UO->getOpcode() == UO_Minus || UO->getOpcode() == UO_Not)
10604 OriginalWidth = Value.getSignificantBits();
10605
10606 if (OriginalWidth <= FieldWidth)
10607 return false;
10608
10609 // Compute the value which the bitfield will contain.
10610 llvm::APSInt TruncatedValue = Value.trunc(FieldWidth);
10611 TruncatedValue.setIsSigned(BitfieldType->isSignedIntegerType());
10612
10613 // Check whether the stored value is equal to the original value.
10614 TruncatedValue = TruncatedValue.extend(OriginalWidth);
10615 if (llvm::APSInt::isSameValue(Value, TruncatedValue))
10616 return false;
10617
10618 std::string PrettyValue = toString(Value, 10);
10619 std::string PrettyTrunc = toString(TruncatedValue, 10);
10620
10621 S.Diag(InitLoc, OneAssignedToOneBitBitfield
10622 ? diag::warn_impcast_single_bit_bitield_precision_constant
10623 : diag::warn_impcast_bitfield_precision_constant)
10624 << PrettyValue << PrettyTrunc << OriginalInit->getType()
10625 << Init->getSourceRange();
10626
10627 return true;
10628 }
10629
10630 /// Analyze the given simple or compound assignment for warning-worthy
10631 /// operations.
10632 static void AnalyzeAssignment(Sema &S, BinaryOperator *E) {
10633 // Just recurse on the LHS.
10634 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
10635
10636 // We want to recurse on the RHS as normal unless we're assigning to
10637 // a bitfield.
10638 if (FieldDecl *Bitfield = E->getLHS()->getSourceBitField()) {
10639 if (AnalyzeBitFieldAssignment(S, Bitfield, E->getRHS(),
10640 E->getOperatorLoc())) {
10641 // Recurse, ignoring any implicit conversions on the RHS.
10642 return AnalyzeImplicitConversions(S, E->getRHS()->IgnoreParenImpCasts(),
10643 E->getOperatorLoc());
10644 }
10645 }
10646
10647 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
10648
10649 // Diagnose implicitly sequentially-consistent atomic assignment.
10650 if (E->getLHS()->getType()->isAtomicType())
10651 S.Diag(E->getRHS()->getBeginLoc(), diag::warn_atomic_implicit_seq_cst);
10652 }
10653
10654 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
10655 static void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T,
10656 SourceLocation CContext, unsigned diag,
10657 bool pruneControlFlow = false) {
10658 if (pruneControlFlow) {
10659 S.DiagRuntimeBehavior(E->getExprLoc(), E,
10660 S.PDiag(diag)
10661 << SourceType << T << E->getSourceRange()
10662 << SourceRange(CContext));
10663 return;
10664 }
10665 S.Diag(E->getExprLoc(), diag)
10666 << SourceType << T << E->getSourceRange() << SourceRange(CContext);
10667 }
10668
10669 /// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
10670 static void DiagnoseImpCast(Sema &S, Expr *E, QualType T,
10671 SourceLocation CContext,
10672 unsigned diag, bool pruneControlFlow = false) {
10673 DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow);
10674 }
10675
10676 /// Diagnose an implicit cast from a floating point value to an integer value.
10677 static void DiagnoseFloatingImpCast(Sema &S, Expr *E, QualType T,
10678 SourceLocation CContext) {
10679 const bool IsBool = T->isSpecificBuiltinType(BuiltinType::Bool);
10680 const bool PruneWarnings = S.inTemplateInstantiation();
10681
10682 Expr *InnerE = E->IgnoreParenImpCasts();
10683 // We also want to warn on, e.g., "int i = -1.234"
10684 if (UnaryOperator *UOp = dyn_cast<UnaryOperator>(InnerE))
10685 if (UOp->getOpcode() == UO_Minus || UOp->getOpcode() == UO_Plus)
10686 InnerE = UOp->getSubExpr()->IgnoreParenImpCasts();
10687
10688 const bool IsLiteral =
10689 isa<FloatingLiteral>(E) || isa<FloatingLiteral>(InnerE);
10690
10691 llvm::APFloat Value(0.0);
10692 bool IsConstant =
10693 E->EvaluateAsFloat(Value, S.Context, Expr::SE_AllowSideEffects);
10694 if (!IsConstant) {
10695 if (S.ObjC().isSignedCharBool(T)) {
10696 return S.ObjC().adornBoolConversionDiagWithTernaryFixit(
10697 E, S.Diag(CContext, diag::warn_impcast_float_to_objc_signed_char_bool)
10698 << E->getType());
10699 }
10700
10701 return DiagnoseImpCast(S, E, T, CContext,
10702 diag::warn_impcast_float_integer, PruneWarnings);
10703 }
10704
10705 bool isExact = false;
10706
10707 llvm::APSInt IntegerValue(S.Context.getIntWidth(T),
10708 T->hasUnsignedIntegerRepresentation());
10709 llvm::APFloat::opStatus Result = Value.convertToInteger(
10710 IntegerValue, llvm::APFloat::rmTowardZero, &isExact);
10711
10712 // FIXME: Force the precision of the source value down so we don't print
10713 // digits which are usually useless (we don't really care here if we
10714 // truncate a digit by accident in edge cases). Ideally, APFloat::toString
10715 // would automatically print the shortest representation, but it's a bit
10716 // tricky to implement.
10717 SmallString<16> PrettySourceValue;
10718 unsigned precision = llvm::APFloat::semanticsPrecision(Value.getSemantics());
10719 precision = (precision * 59 + 195) / 196;
10720 Value.toString(PrettySourceValue, precision);
10721
10722 if (S.ObjC().isSignedCharBool(T) && IntegerValue != 0 && IntegerValue != 1) {
10723 return S.ObjC().adornBoolConversionDiagWithTernaryFixit(
10724 E, S.Diag(CContext, diag::warn_impcast_constant_value_to_objc_bool)
10725 << PrettySourceValue);
10726 }
10727
10728 if (Result == llvm::APFloat::opOK && isExact) {
10729 if (IsLiteral) return;
10730 return DiagnoseImpCast(S, E, T, CContext, diag::warn_impcast_float_integer,
10731 PruneWarnings);
10732 }
10733
10734 // Conversion of a floating-point value to a non-bool integer where the
10735 // integral part cannot be represented by the integer type is undefined.
10736 if (!IsBool && Result == llvm::APFloat::opInvalidOp)
10737 return DiagnoseImpCast(
10738 S, E, T, CContext,
10739 IsLiteral ? diag::warn_impcast_literal_float_to_integer_out_of_range
10740 : diag::warn_impcast_float_to_integer_out_of_range,
10741 PruneWarnings);
10742
10743 unsigned DiagID = 0;
10744 if (IsLiteral) {
10745 // Warn on floating point literal to integer.
10746 DiagID = diag::warn_impcast_literal_float_to_integer;
10747 } else if (IntegerValue == 0) {
10748 if (Value.isZero()) { // Skip -0.0 to 0 conversion.
10749 return DiagnoseImpCast(S, E, T, CContext,
10750 diag::warn_impcast_float_integer, PruneWarnings);
10751 }
10752 // Warn on non-zero to zero conversion.
10753 DiagID = diag::warn_impcast_float_to_integer_zero;
10754 } else {
10755 if (IntegerValue.isUnsigned()) {
10756 if (!IntegerValue.isMaxValue()) {
10757 return DiagnoseImpCast(S, E, T, CContext,
10758 diag::warn_impcast_float_integer, PruneWarnings);
10759 }
10760 } else { // IntegerValue.isSigned()
10761 if (!IntegerValue.isMaxSignedValue() &&
10762 !IntegerValue.isMinSignedValue()) {
10763 return DiagnoseImpCast(S, E, T, CContext,
10764 diag::warn_impcast_float_integer, PruneWarnings);
10765 }
10766 }
10767 // Warn on evaluatable floating point expression to integer conversion.
10768 DiagID = diag::warn_impcast_float_to_integer;
10769 }
10770
10771 SmallString<16> PrettyTargetValue;
10772 if (IsBool)
10773 PrettyTargetValue = Value.isZero() ? "false" : "true";
10774 else
10775 IntegerValue.toString(PrettyTargetValue);
10776
10777 if (PruneWarnings) {
10778 S.DiagRuntimeBehavior(E->getExprLoc(), E,
10779 S.PDiag(DiagID)
10780 << E->getType() << T.getUnqualifiedType()
10781 << PrettySourceValue << PrettyTargetValue
10782 << E->getSourceRange() << SourceRange(CContext));
10783 } else {
10784 S.Diag(E->getExprLoc(), DiagID)
10785 << E->getType() << T.getUnqualifiedType() << PrettySourceValue
10786 << PrettyTargetValue << E->getSourceRange() << SourceRange(CContext);
10787 }
10788 }
10789
10790 /// Analyze the given compound assignment for the possible losing of
10791 /// floating-point precision.
10792 static void AnalyzeCompoundAssignment(Sema &S, BinaryOperator *E) {
10793 assert(isa<CompoundAssignOperator>(E) &&
10794 "Must be compound assignment operation");
10795 // Recurse on the LHS and RHS in here
10796 AnalyzeImplicitConversions(S, E->getLHS(), E->getOperatorLoc());
10797 AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
10798
10799 if (E->getLHS()->getType()->isAtomicType())
10800 S.Diag(E->getOperatorLoc(), diag::warn_atomic_implicit_seq_cst);
10801
10802 // Now check the outermost expression
10803 const auto *ResultBT = E->getLHS()->getType()->getAs<BuiltinType>();
10804 const auto *RBT = cast<CompoundAssignOperator>(E)
10805 ->getComputationResultType()
10806 ->getAs<BuiltinType>();
10807
10808 // The below checks assume source is floating point.
10809 if (!ResultBT || !RBT || !RBT->isFloatingPoint()) return;
10810
10811 // If source is floating point but target is an integer.
10812 if (ResultBT->isInteger())
10813 return DiagnoseImpCast(S, E, E->getRHS()->getType(), E->getLHS()->getType(),
10814 E->getExprLoc(), diag::warn_impcast_float_integer);
10815
10816 if (!ResultBT->isFloatingPoint())
10817 return;
10818
10819 // If both source and target are floating points, warn about losing precision.
10820 int Order = S.getASTContext().getFloatingTypeSemanticOrder(
10821 QualType(ResultBT, 0), QualType(RBT, 0));
10822 if (Order < 0 && !S.SourceMgr.isInSystemMacro(E->getOperatorLoc()))
10823 // warn about dropping FP rank.
10824 DiagnoseImpCast(S, E->getRHS(), E->getLHS()->getType(), E->getOperatorLoc(),
10825 diag::warn_impcast_float_result_precision);
10826 }
10827
10828 static std::string PrettyPrintInRange(const llvm::APSInt &Value,
10829 IntRange Range) {
10830 if (!Range.Width) return "0";
10831
10832 llvm::APSInt ValueInRange = Value;
10833 ValueInRange.setIsSigned(!Range.NonNegative);
10834 ValueInRange = ValueInRange.trunc(Range.Width);
10835 return toString(ValueInRange, 10);
10836 }
10837
10838 static bool IsImplicitBoolFloatConversion(Sema &S, Expr *Ex, bool ToBool) {
10839 if (!isa<ImplicitCastExpr>(Ex))
10840 return false;
10841
10842 Expr *InnerE = Ex->IgnoreParenImpCasts();
10843 const Type *Target = S.Context.getCanonicalType(Ex->getType()).getTypePtr();
10844 const Type *Source =
10845 S.Context.getCanonicalType(InnerE->getType()).getTypePtr();
10846 if (Target->isDependentType())
10847 return false;
10848
10849 const BuiltinType *FloatCandidateBT =
10850 dyn_cast<BuiltinType>(ToBool ? Source : Target);
10851 const Type *BoolCandidateType = ToBool ? Target : Source;
10852
10853 return (BoolCandidateType->isSpecificBuiltinType(BuiltinType::Bool) &&
10854 FloatCandidateBT && (FloatCandidateBT->isFloatingPoint()));
10855 }
10856
10857 static void CheckImplicitArgumentConversions(Sema &S, CallExpr *TheCall,
10858 SourceLocation CC) {
10859 unsigned NumArgs = TheCall->getNumArgs();
10860 for (unsigned i = 0; i < NumArgs; ++i) {
10861 Expr *CurrA = TheCall->getArg(i);
10862 if (!IsImplicitBoolFloatConversion(S, CurrA, true))
10863 continue;
10864
10865 bool IsSwapped = ((i > 0) &&
10866 IsImplicitBoolFloatConversion(S, TheCall->getArg(i - 1), false));
10867 IsSwapped |= ((i < (NumArgs - 1)) &&
10868 IsImplicitBoolFloatConversion(S, TheCall->getArg(i + 1), false));
10869 if (IsSwapped) {
10870 // Warn on this floating-point to bool conversion.
10871 DiagnoseImpCast(S, CurrA->IgnoreParenImpCasts(),
10872 CurrA->getType(), CC,
10873 diag::warn_impcast_floating_point_to_bool);
10874 }
10875 }
10876 }
10877
10878 static void DiagnoseNullConversion(Sema &S, Expr *E, QualType T,
10879 SourceLocation CC) {
10880 if (S.Diags.isIgnored(diag::warn_impcast_null_pointer_to_integer,
10881 E->getExprLoc()))
10882 return;
10883
10884 // Don't warn on functions which have return type nullptr_t.
10885 if (isa<CallExpr>(E))
10886 return;
10887
10888 // Check for NULL (GNUNull) or nullptr (CXX11_nullptr).
10889 const Expr *NewE = E->IgnoreParenImpCasts();
10890 bool IsGNUNullExpr = isa<GNUNullExpr>(NewE);
10891 bool HasNullPtrType = NewE->getType()->isNullPtrType();
10892 if (!IsGNUNullExpr && !HasNullPtrType)
10893 return;
10894
10895 // Return if target type is a safe conversion.
10896 if (T->isAnyPointerType() || T->isBlockPointerType() ||
10897 T->isMemberPointerType() || !T->isScalarType() || T->isNullPtrType())
10898 return;
10899
10900 SourceLocation Loc = E->getSourceRange().getBegin();
10901
10902 // Venture through the macro stacks to get to the source of macro arguments.
10903 // The new location is a better location than the complete location that was
10904 // passed in.
10905 Loc = S.SourceMgr.getTopMacroCallerLoc(Loc);
10906 CC = S.SourceMgr.getTopMacroCallerLoc(CC);
10907
10908 // __null is usually wrapped in a macro. Go up a macro if that is the case.
10909 if (IsGNUNullExpr && Loc.isMacroID()) {
10910 StringRef MacroName = Lexer::getImmediateMacroNameForDiagnostics(
10911 Loc, S.SourceMgr, S.getLangOpts());
10912 if (MacroName == "NULL")
10913 Loc = S.SourceMgr.getImmediateExpansionRange(Loc).getBegin();
10914 }
10915
10916 // Only warn if the null and context location are in the same macro expansion.
10917 if (S.SourceMgr.getFileID(Loc) != S.SourceMgr.getFileID(CC))
10918 return;
10919
10920 S.Diag(Loc, diag::warn_impcast_null_pointer_to_integer)
10921 << HasNullPtrType << T << SourceRange(CC)
10922 << FixItHint::CreateReplacement(Loc,
10923 S.getFixItZeroLiteralForType(T, Loc));
10924 }
10925
10926 // Helper function to filter out cases for constant width constant conversion.
10927 // Don't warn on char array initialization or for non-decimal values.
10928 static bool isSameWidthConstantConversion(Sema &S, Expr *E, QualType T,
10929 SourceLocation CC) {
10930 // If initializing from a constant, and the constant starts with '0',
10931 // then it is a binary, octal, or hexadecimal. Allow these constants
10932 // to fill all the bits, even if there is a sign change.
10933 if (auto *IntLit = dyn_cast<IntegerLiteral>(E->IgnoreParenImpCasts())) {
10934 const char FirstLiteralCharacter =
10935 S.getSourceManager().getCharacterData(IntLit->getBeginLoc())[0];
10936 if (FirstLiteralCharacter == '0')
10937 return false;
10938 }
10939
10940 // If the CC location points to a '{', and the type is char, then assume
10941 // assume it is an array initialization.
10942 if (CC.isValid() && T->isCharType()) {
10943 const char FirstContextCharacter =
10944 S.getSourceManager().getCharacterData(CC)[0];
10945 if (FirstContextCharacter == '{')
10946 return false;
10947 }
10948
10949 return true;
10950 }
10951
10952 static const IntegerLiteral *getIntegerLiteral(Expr *E) {
10953 const auto *IL = dyn_cast<IntegerLiteral>(E);
10954 if (!IL) {
10955 if (auto *UO = dyn_cast<UnaryOperator>(E)) {
10956 if (UO->getOpcode() == UO_Minus)
10957 return dyn_cast<IntegerLiteral>(UO->getSubExpr());
10958 }
10959 }
10960
10961 return IL;
10962 }
10963
10964 static void DiagnoseIntInBoolContext(Sema &S, Expr *E) {
10965 E = E->IgnoreParenImpCasts();
10966 SourceLocation ExprLoc = E->getExprLoc();
10967
10968 if (const auto *BO = dyn_cast<BinaryOperator>(E)) {
10969 BinaryOperator::Opcode Opc = BO->getOpcode();
10970 Expr::EvalResult Result;
10971 // Do not diagnose unsigned shifts.
10972 if (Opc == BO_Shl) {
10973 const auto *LHS = getIntegerLiteral(BO->getLHS());
10974 const auto *RHS = getIntegerLiteral(BO->getRHS());
10975 if (LHS && LHS->getValue() == 0)
10976 S.Diag(ExprLoc, diag::warn_left_shift_always) << 0;
10977 else if (!E->isValueDependent() && LHS && RHS &&
10978 RHS->getValue().isNonNegative() &&
10979 E->EvaluateAsInt(Result, S.Context, Expr::SE_AllowSideEffects))
10980 S.Diag(ExprLoc, diag::warn_left_shift_always)
10981 << (Result.Val.getInt() != 0);
10982 else if (E->getType()->isSignedIntegerType())
10983 S.Diag(ExprLoc, diag::warn_left_shift_in_bool_context) << E;
10984 }
10985 }
10986
10987 if (const auto *CO = dyn_cast<ConditionalOperator>(E)) {
10988 const auto *LHS = getIntegerLiteral(CO->getTrueExpr());
10989 const auto *RHS = getIntegerLiteral(CO->getFalseExpr());
10990 if (!LHS || !RHS)
10991 return;
10992 if ((LHS->getValue() == 0 || LHS->getValue() == 1) &&
10993 (RHS->getValue() == 0 || RHS->getValue() == 1))
10994 // Do not diagnose common idioms.
10995 return;
10996 if (LHS->getValue() != 0 && RHS->getValue() != 0)
10997 S.Diag(ExprLoc, diag::warn_integer_constants_in_conditional_always_true);
10998 }
10999 }
11000
11001 void Sema::CheckImplicitConversion(Expr *E, QualType T, SourceLocation CC,
11002 bool *ICContext, bool IsListInit) {
11003 if (E->isTypeDependent() || E->isValueDependent()) return;
11004
11005 const Type *Source = Context.getCanonicalType(E->getType()).getTypePtr();
11006 const Type *Target = Context.getCanonicalType(T).getTypePtr();
11007 if (Source == Target) return;
11008 if (Target->isDependentType()) return;
11009
11010 // If the conversion context location is invalid don't complain. We also
11011 // don't want to emit a warning if the issue occurs from the expansion of
11012 // a system macro. The problem is that 'getSpellingLoc()' is slow, so we
11013 // delay this check as long as possible. Once we detect we are in that
11014 // scenario, we just return.
11015 if (CC.isInvalid())
11016 return;
11017
11018 if (Source->isAtomicType())
11019 Diag(E->getExprLoc(), diag::warn_atomic_implicit_seq_cst);
11020
11021 // Diagnose implicit casts to bool.
11022 if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {
11023 if (isa<StringLiteral>(E))
11024 // Warn on string literal to bool. Checks for string literals in logical
11025 // and expressions, for instance, assert(0 && "error here"), are
11026 // prevented by a check in AnalyzeImplicitConversions().
11027 return DiagnoseImpCast(*this, E, T, CC,
11028 diag::warn_impcast_string_literal_to_bool);
11029 if (isa<ObjCStringLiteral>(E) || isa<ObjCArrayLiteral>(E) ||
11030 isa<ObjCDictionaryLiteral>(E) || isa<ObjCBoxedExpr>(E)) {
11031 // This covers the literal expressions that evaluate to Objective-C
11032 // objects.
11033 return DiagnoseImpCast(*this, E, T, CC,
11034 diag::warn_impcast_objective_c_literal_to_bool);
11035 }
11036 if (Source->isPointerType() || Source->canDecayToPointerType()) {
11037 // Warn on pointer to bool conversion that is always true.
11038 DiagnoseAlwaysNonNullPointer(E, Expr::NPCK_NotNull, /*IsEqual*/ false,
11039 SourceRange(CC));
11040 }
11041 }
11042
11043 // If the we're converting a constant to an ObjC BOOL on a platform where BOOL
11044 // is a typedef for signed char (macOS), then that constant value has to be 1
11045 // or 0.
11046 if (ObjC().isSignedCharBool(T) && Source->isIntegralType(Context)) {
11047 Expr::EvalResult Result;
11048 if (E->EvaluateAsInt(Result, getASTContext(), Expr::SE_AllowSideEffects)) {
11049 if (Result.Val.getInt() != 1 && Result.Val.getInt() != 0) {
11050 ObjC().adornBoolConversionDiagWithTernaryFixit(
11051 E, Diag(CC, diag::warn_impcast_constant_value_to_objc_bool)
11052 << toString(Result.Val.getInt(), 10));
11053 }
11054 return;
11055 }
11056 }
11057
11058 // Check implicit casts from Objective-C collection literals to specialized
11059 // collection types, e.g., NSArray<NSString *> *.
11060 if (auto *ArrayLiteral = dyn_cast<ObjCArrayLiteral>(E))
11061 ObjC().checkArrayLiteral(QualType(Target, 0), ArrayLiteral);
11062 else if (auto *DictionaryLiteral = dyn_cast<ObjCDictionaryLiteral>(E))
11063 ObjC().checkDictionaryLiteral(QualType(Target, 0), DictionaryLiteral);
11064
11065 // Strip vector types.
11066 if (isa<VectorType>(Source)) {
11067 if (Target->isSveVLSBuiltinType() &&
11068 (Context.areCompatibleSveTypes(QualType(Target, 0),
11069 QualType(Source, 0)) ||
11070 Context.areLaxCompatibleSveTypes(QualType(Target, 0),
11071 QualType(Source, 0))))
11072 return;
11073
11074 if (Target->isRVVVLSBuiltinType() &&
11075 (Context.areCompatibleRVVTypes(QualType(Target, 0),
11076 QualType(Source, 0)) ||
11077 Context.areLaxCompatibleRVVTypes(QualType(Target, 0),
11078 QualType(Source, 0))))
11079 return;
11080
11081 if (!isa<VectorType>(Target)) {
11082 if (SourceMgr.isInSystemMacro(CC))
11083 return;
11084 return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_vector_scalar);
11085 } else if (getLangOpts().HLSL &&
11086 Target->castAs<VectorType>()->getNumElements() <
11087 Source->castAs<VectorType>()->getNumElements()) {
11088 // Diagnose vector truncation but don't return. We may also want to
11089 // diagnose an element conversion.
11090 DiagnoseImpCast(*this, E, T, CC,
11091 diag::warn_hlsl_impcast_vector_truncation);
11092 }
11093
11094 // If the vector cast is cast between two vectors of the same size, it is
11095 // a bitcast, not a conversion, except under HLSL where it is a conversion.
11096 if (!getLangOpts().HLSL &&
11097 Context.getTypeSize(Source) == Context.getTypeSize(Target))
11098 return;
11099
11100 Source = cast<VectorType>(Source)->getElementType().getTypePtr();
11101 Target = cast<VectorType>(Target)->getElementType().getTypePtr();
11102 }
11103 if (auto VecTy = dyn_cast<VectorType>(Target))
11104 Target = VecTy->getElementType().getTypePtr();
11105
11106 // Strip complex types.
11107 if (isa<ComplexType>(Source)) {
11108 if (!isa<ComplexType>(Target)) {
11109 if (SourceMgr.isInSystemMacro(CC) || Target->isBooleanType())
11110 return;
11111
11112 return DiagnoseImpCast(*this, E, T, CC,
11113 getLangOpts().CPlusPlus
11114 ? diag::err_impcast_complex_scalar
11115 : diag::warn_impcast_complex_scalar);
11116 }
11117
11118 Source = cast<ComplexType>(Source)->getElementType().getTypePtr();
11119 Target = cast<ComplexType>(Target)->getElementType().getTypePtr();
11120 }
11121
11122 const BuiltinType *SourceBT = dyn_cast<BuiltinType>(Source);
11123 const BuiltinType *TargetBT = dyn_cast<BuiltinType>(Target);
11124
11125 // Strip SVE vector types
11126 if (SourceBT && SourceBT->isSveVLSBuiltinType()) {
11127 // Need the original target type for vector type checks
11128 const Type *OriginalTarget = Context.getCanonicalType(T).getTypePtr();
11129 // Handle conversion from scalable to fixed when msve-vector-bits is
11130 // specified
11131 if (Context.areCompatibleSveTypes(QualType(OriginalTarget, 0),
11132 QualType(Source, 0)) ||
11133 Context.areLaxCompatibleSveTypes(QualType(OriginalTarget, 0),
11134 QualType(Source, 0)))
11135 return;
11136
11137 // If the vector cast is cast between two vectors of the same size, it is
11138 // a bitcast, not a conversion.
11139 if (Context.getTypeSize(Source) == Context.getTypeSize(Target))
11140 return;
11141
11142 Source = SourceBT->getSveEltType(Context).getTypePtr();
11143 }
11144
11145 if (TargetBT && TargetBT->isSveVLSBuiltinType())
11146 Target = TargetBT->getSveEltType(Context).getTypePtr();
11147
11148 // If the source is floating point...
11149 if (SourceBT && SourceBT->isFloatingPoint()) {
11150 // ...and the target is floating point...
11151 if (TargetBT && TargetBT->isFloatingPoint()) {
11152 // ...then warn if we're dropping FP rank.
11153
11154 int Order = getASTContext().getFloatingTypeSemanticOrder(
11155 QualType(SourceBT, 0), QualType(TargetBT, 0));
11156 if (Order > 0) {
11157 // Don't warn about float constants that are precisely
11158 // representable in the target type.
11159 Expr::EvalResult result;
11160 if (E->EvaluateAsRValue(result, Context)) {
11161 // Value might be a float, a float vector, or a float complex.
11162 if (IsSameFloatAfterCast(
11163 result.Val,
11164 Context.getFloatTypeSemantics(QualType(TargetBT, 0)),
11165 Context.getFloatTypeSemantics(QualType(SourceBT, 0))))
11166 return;
11167 }
11168
11169 if (SourceMgr.isInSystemMacro(CC))
11170 return;
11171
11172 DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_float_precision);
11173 }
11174 // ... or possibly if we're increasing rank, too
11175 else if (Order < 0) {
11176 if (SourceMgr.isInSystemMacro(CC))
11177 return;
11178
11179 DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_double_promotion);
11180 }
11181 return;
11182 }
11183
11184 // If the target is integral, always warn.
11185 if (TargetBT && TargetBT->isInteger()) {
11186 if (SourceMgr.isInSystemMacro(CC))
11187 return;
11188
11189 DiagnoseFloatingImpCast(*this, E, T, CC);
11190 }
11191
11192 // Detect the case where a call result is converted from floating-point to
11193 // to bool, and the final argument to the call is converted from bool, to
11194 // discover this typo:
11195 //
11196 // bool b = fabs(x < 1.0); // should be "bool b = fabs(x) < 1.0;"
11197 //
11198 // FIXME: This is an incredibly special case; is there some more general
11199 // way to detect this class of misplaced-parentheses bug?
11200 if (Target->isBooleanType() && isa<CallExpr>(E)) {
11201 // Check last argument of function call to see if it is an
11202 // implicit cast from a type matching the type the result
11203 // is being cast to.
11204 CallExpr *CEx = cast<CallExpr>(E);
11205 if (unsigned NumArgs = CEx->getNumArgs()) {
11206 Expr *LastA = CEx->getArg(NumArgs - 1);
11207 Expr *InnerE = LastA->IgnoreParenImpCasts();
11208 if (isa<ImplicitCastExpr>(LastA) &&
11209 InnerE->getType()->isBooleanType()) {
11210 // Warn on this floating-point to bool conversion
11211 DiagnoseImpCast(*this, E, T, CC,
11212 diag::warn_impcast_floating_point_to_bool);
11213 }
11214 }
11215 }
11216 return;
11217 }
11218
11219 // Valid casts involving fixed point types should be accounted for here.
11220 if (Source->isFixedPointType()) {
11221 if (Target->isUnsaturatedFixedPointType()) {
11222 Expr::EvalResult Result;
11223 if (E->EvaluateAsFixedPoint(Result, Context, Expr::SE_AllowSideEffects,
11224 isConstantEvaluatedContext())) {
11225 llvm::APFixedPoint Value = Result.Val.getFixedPoint();
11226 llvm::APFixedPoint MaxVal = Context.getFixedPointMax(T);
11227 llvm::APFixedPoint MinVal = Context.getFixedPointMin(T);
11228 if (Value > MaxVal || Value < MinVal) {
11229 DiagRuntimeBehavior(E->getExprLoc(), E,
11230 PDiag(diag::warn_impcast_fixed_point_range)
11231 << Value.toString() << T
11232 << E->getSourceRange()
11233 << clang::SourceRange(CC));
11234 return;
11235 }
11236 }
11237 } else if (Target->isIntegerType()) {
11238 Expr::EvalResult Result;
11239 if (!isConstantEvaluatedContext() &&
11240 E->EvaluateAsFixedPoint(Result, Context, Expr::SE_AllowSideEffects)) {
11241 llvm::APFixedPoint FXResult = Result.Val.getFixedPoint();
11242
11243 bool Overflowed;
11244 llvm::APSInt IntResult = FXResult.convertToInt(
11245 Context.getIntWidth(T), Target->isSignedIntegerOrEnumerationType(),
11246 &Overflowed);
11247
11248 if (Overflowed) {
11249 DiagRuntimeBehavior(E->getExprLoc(), E,
11250 PDiag(diag::warn_impcast_fixed_point_range)
11251 << FXResult.toString() << T
11252 << E->getSourceRange()
11253 << clang::SourceRange(CC));
11254 return;
11255 }
11256 }
11257 }
11258 } else if (Target->isUnsaturatedFixedPointType()) {
11259 if (Source->isIntegerType()) {
11260 Expr::EvalResult Result;
11261 if (!isConstantEvaluatedContext() &&
11262 E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects)) {
11263 llvm::APSInt Value = Result.Val.getInt();
11264
11265 bool Overflowed;
11266 llvm::APFixedPoint IntResult = llvm::APFixedPoint::getFromIntValue(
11267 Value, Context.getFixedPointSemantics(T), &Overflowed);
11268
11269 if (Overflowed) {
11270 DiagRuntimeBehavior(E->getExprLoc(), E,
11271 PDiag(diag::warn_impcast_fixed_point_range)
11272 << toString(Value, /*Radix=*/10) << T
11273 << E->getSourceRange()
11274 << clang::SourceRange(CC));
11275 return;
11276 }
11277 }
11278 }
11279 }
11280
11281 // If we are casting an integer type to a floating point type without
11282 // initialization-list syntax, we might lose accuracy if the floating
11283 // point type has a narrower significand than the integer type.
11284 if (SourceBT && TargetBT && SourceBT->isIntegerType() &&
11285 TargetBT->isFloatingType() && !IsListInit) {
11286 // Determine the number of precision bits in the source integer type.
11287 std::optional<IntRange> SourceRange =
11288 TryGetExprRange(Context, E, isConstantEvaluatedContext(),
11289 /*Approximate=*/true);
11290 if (!SourceRange)
11291 return;
11292 unsigned int SourcePrecision = SourceRange->Width;
11293
11294 // Determine the number of precision bits in the
11295 // target floating point type.
11296 unsigned int TargetPrecision = llvm::APFloatBase::semanticsPrecision(
11297 Context.getFloatTypeSemantics(QualType(TargetBT, 0)));
11298
11299 if (SourcePrecision > 0 && TargetPrecision > 0 &&
11300 SourcePrecision > TargetPrecision) {
11301
11302 if (std::optional<llvm::APSInt> SourceInt =
11303 E->getIntegerConstantExpr(Context)) {
11304 // If the source integer is a constant, convert it to the target
11305 // floating point type. Issue a warning if the value changes
11306 // during the whole conversion.
11307 llvm::APFloat TargetFloatValue(
11308 Context.getFloatTypeSemantics(QualType(TargetBT, 0)));
11309 llvm::APFloat::opStatus ConversionStatus =
11310 TargetFloatValue.convertFromAPInt(
11311 *SourceInt, SourceBT->isSignedInteger(),
11312 llvm::APFloat::rmNearestTiesToEven);
11313
11314 if (ConversionStatus != llvm::APFloat::opOK) {
11315 SmallString<32> PrettySourceValue;
11316 SourceInt->toString(PrettySourceValue, 10);
11317 SmallString<32> PrettyTargetValue;
11318 TargetFloatValue.toString(PrettyTargetValue, TargetPrecision);
11319
11320 DiagRuntimeBehavior(
11321 E->getExprLoc(), E,
11322 PDiag(diag::warn_impcast_integer_float_precision_constant)
11323 << PrettySourceValue << PrettyTargetValue << E->getType() << T
11324 << E->getSourceRange() << clang::SourceRange(CC));
11325 }
11326 } else {
11327 // Otherwise, the implicit conversion may lose precision.
11328 DiagnoseImpCast(*this, E, T, CC,
11329 diag::warn_impcast_integer_float_precision);
11330 }
11331 }
11332 }
11333
11334 DiagnoseNullConversion(*this, E, T, CC);
11335
11336 DiscardMisalignedMemberAddress(Target, E);
11337
11338 if (Target->isBooleanType())
11339 DiagnoseIntInBoolContext(*this, E);
11340
11341 if (!Source->isIntegerType() || !Target->isIntegerType())
11342 return;
11343
11344 // TODO: remove this early return once the false positives for constant->bool
11345 // in templates, macros, etc, are reduced or removed.
11346 if (Target->isSpecificBuiltinType(BuiltinType::Bool))
11347 return;
11348
11349 if (ObjC().isSignedCharBool(T) && !Source->isCharType() &&
11350 !E->isKnownToHaveBooleanValue(/*Semantic=*/false)) {
11351 return ObjC().adornBoolConversionDiagWithTernaryFixit(
11352 E, Diag(CC, diag::warn_impcast_int_to_objc_signed_char_bool)
11353 << E->getType());
11354 }
11355 std::optional<IntRange> LikelySourceRange = TryGetExprRange(
11356 Context, E, isConstantEvaluatedContext(), /*Approximate=*/true);
11357 if (!LikelySourceRange)
11358 return;
11359
11360 IntRange SourceTypeRange =
11361 IntRange::forTargetOfCanonicalType(Context, Source);
11362 IntRange TargetRange = IntRange::forTargetOfCanonicalType(Context, Target);
11363
11364 if (LikelySourceRange->Width > TargetRange.Width) {
11365 // If the source is a constant, use a default-on diagnostic.
11366 // TODO: this should happen for bitfield stores, too.
11367 Expr::EvalResult Result;
11368 if (E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects,
11369 isConstantEvaluatedContext())) {
11370 llvm::APSInt Value(32);
11371 Value = Result.Val.getInt();
11372
11373 if (SourceMgr.isInSystemMacro(CC))
11374 return;
11375
11376 std::string PrettySourceValue = toString(Value, 10);
11377 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);
11378
11379 DiagRuntimeBehavior(E->getExprLoc(), E,
11380 PDiag(diag::warn_impcast_integer_precision_constant)
11381 << PrettySourceValue << PrettyTargetValue
11382 << E->getType() << T << E->getSourceRange()
11383 << SourceRange(CC));
11384 return;
11385 }
11386
11387 // People want to build with -Wshorten-64-to-32 and not -Wconversion.
11388 if (SourceMgr.isInSystemMacro(CC))
11389 return;
11390
11391 if (TargetRange.Width == 32 && Context.getIntWidth(E->getType()) == 64)
11392 return DiagnoseImpCast(*this, E, T, CC, diag::warn_impcast_integer_64_32,
11393 /* pruneControlFlow */ true);
11394 return DiagnoseImpCast(*this, E, T, CC,
11395 diag::warn_impcast_integer_precision);
11396 }
11397
11398 if (TargetRange.Width > SourceTypeRange.Width) {
11399 if (auto *UO = dyn_cast<UnaryOperator>(E))
11400 if (UO->getOpcode() == UO_Minus)
11401 if (Source->isUnsignedIntegerType()) {
11402 if (Target->isUnsignedIntegerType())
11403 return DiagnoseImpCast(*this, E, T, CC,
11404 diag::warn_impcast_high_order_zero_bits);
11405 if (Target->isSignedIntegerType())
11406 return DiagnoseImpCast(*this, E, T, CC,
11407 diag::warn_impcast_nonnegative_result);
11408 }
11409 }
11410
11411 if (TargetRange.Width == LikelySourceRange->Width &&
11412 !TargetRange.NonNegative && LikelySourceRange->NonNegative &&
11413 Source->isSignedIntegerType()) {
11414 // Warn when doing a signed to signed conversion, warn if the positive
11415 // source value is exactly the width of the target type, which will
11416 // cause a negative value to be stored.
11417
11418 Expr::EvalResult Result;
11419 if (E->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects) &&
11420 !SourceMgr.isInSystemMacro(CC)) {
11421 llvm::APSInt Value = Result.Val.getInt();
11422 if (isSameWidthConstantConversion(*this, E, T, CC)) {
11423 std::string PrettySourceValue = toString(Value, 10);
11424 std::string PrettyTargetValue = PrettyPrintInRange(Value, TargetRange);
11425
11426 Diag(E->getExprLoc(),
11427 PDiag(diag::warn_impcast_integer_precision_constant)
11428 << PrettySourceValue << PrettyTargetValue << E->getType() << T
11429 << E->getSourceRange() << SourceRange(CC));
11430 return;
11431 }
11432 }
11433
11434 // Fall through for non-constants to give a sign conversion warning.
11435 }
11436
11437 if ((!isa<EnumType>(Target) || !isa<EnumType>(Source)) &&
11438 ((TargetRange.NonNegative && !LikelySourceRange->NonNegative) ||
11439 (!TargetRange.NonNegative && LikelySourceRange->NonNegative &&
11440 LikelySourceRange->Width == TargetRange.Width))) {
11441 if (SourceMgr.isInSystemMacro(CC))
11442 return;
11443
11444 if (SourceBT && SourceBT->isInteger() && TargetBT &&
11445 TargetBT->isInteger() &&
11446 Source->isSignedIntegerType() == Target->isSignedIntegerType()) {
11447 return;
11448 }
11449
11450 unsigned DiagID = diag::warn_impcast_integer_sign;
11451
11452 // Traditionally, gcc has warned about this under -Wsign-compare.
11453 // We also want to warn about it in -Wconversion.
11454 // So if -Wconversion is off, use a completely identical diagnostic
11455 // in the sign-compare group.
11456 // The conditional-checking code will
11457 if (ICContext) {
11458 DiagID = diag::warn_impcast_integer_sign_conditional;
11459 *ICContext = true;
11460 }
11461
11462 return DiagnoseImpCast(*this, E, T, CC, DiagID);
11463 }
11464
11465 // Diagnose conversions between different enumeration types.
11466 // In C, we pretend that the type of an EnumConstantDecl is its enumeration
11467 // type, to give us better diagnostics.
11468 QualType SourceType = E->getEnumCoercedType(Context);
11469 Source = Context.getCanonicalType(SourceType).getTypePtr();
11470
11471 if (const EnumType *SourceEnum = Source->getAs<EnumType>())
11472 if (const EnumType *TargetEnum = Target->getAs<EnumType>())
11473 if (SourceEnum->getDecl()->hasNameForLinkage() &&
11474 TargetEnum->getDecl()->hasNameForLinkage() &&
11475 SourceEnum != TargetEnum) {
11476 if (SourceMgr.isInSystemMacro(CC))
11477 return;
11478
11479 return DiagnoseImpCast(*this, E, SourceType, T, CC,
11480 diag::warn_impcast_different_enum_types);
11481 }
11482 }
11483
11484 static void CheckConditionalOperator(Sema &S, AbstractConditionalOperator *E,
11485 SourceLocation CC, QualType T);
11486
11487 static void CheckConditionalOperand(Sema &S, Expr *E, QualType T,
11488 SourceLocation CC, bool &ICContext) {
11489 E = E->IgnoreParenImpCasts();
11490 // Diagnose incomplete type for second or third operand in C.
11491 if (!S.getLangOpts().CPlusPlus && E->getType()->isRecordType())
11492 S.RequireCompleteExprType(E, diag::err_incomplete_type);
11493
11494 if (auto *CO = dyn_cast<AbstractConditionalOperator>(E))
11495 return CheckConditionalOperator(S, CO, CC, T);
11496
11497 AnalyzeImplicitConversions(S, E, CC);
11498 if (E->getType() != T)
11499 return S.CheckImplicitConversion(E, T, CC, &ICContext);
11500 }
11501
11502 static void CheckConditionalOperator(Sema &S, AbstractConditionalOperator *E,
11503 SourceLocation CC, QualType T) {
11504 AnalyzeImplicitConversions(S, E->getCond(), E->getQuestionLoc());
11505
11506 Expr *TrueExpr = E->getTrueExpr();
11507 if (auto *BCO = dyn_cast<BinaryConditionalOperator>(E))
11508 TrueExpr = BCO->getCommon();
11509
11510 bool Suspicious = false;
11511 CheckConditionalOperand(S, TrueExpr, T, CC, Suspicious);
11512 CheckConditionalOperand(S, E->getFalseExpr(), T, CC, Suspicious);
11513
11514 if (T->isBooleanType())
11515 DiagnoseIntInBoolContext(S, E);
11516
11517 // If -Wconversion would have warned about either of the candidates
11518 // for a signedness conversion to the context type...
11519 if (!Suspicious) return;
11520
11521 // ...but it's currently ignored...
11522 if (!S.Diags.isIgnored(diag::warn_impcast_integer_sign_conditional, CC))
11523 return;
11524
11525 // ...then check whether it would have warned about either of the
11526 // candidates for a signedness conversion to the condition type.
11527 if (E->getType() == T) return;
11528
11529 Suspicious = false;
11530 S.CheckImplicitConversion(TrueExpr->IgnoreParenImpCasts(), E->getType(), CC,
11531 &Suspicious);
11532 if (!Suspicious)
11533 S.CheckImplicitConversion(E->getFalseExpr()->IgnoreParenImpCasts(),
11534 E->getType(), CC, &Suspicious);
11535 }
11536
11537 /// Check conversion of given expression to boolean.
11538 /// Input argument E is a logical expression.
11539 static void CheckBoolLikeConversion(Sema &S, Expr *E, SourceLocation CC) {
11540 // Run the bool-like conversion checks only for C since there bools are
11541 // still not used as the return type from "boolean" operators or as the input
11542 // type for conditional operators.
11543 if (S.getLangOpts().CPlusPlus)
11544 return;
11545 if (E->IgnoreParenImpCasts()->getType()->isAtomicType())
11546 return;
11547 S.CheckImplicitConversion(E->IgnoreParenImpCasts(), S.Context.BoolTy, CC);
11548 }
11549
11550 namespace {
11551 struct AnalyzeImplicitConversionsWorkItem {
11552 Expr *E;
11553 SourceLocation CC;
11554 bool IsListInit;
11555 };
11556 }
11557
11558 /// Data recursive variant of AnalyzeImplicitConversions. Subexpressions
11559 /// that should be visited are added to WorkList.
11560 static void AnalyzeImplicitConversions(
11561 Sema &S, AnalyzeImplicitConversionsWorkItem Item,
11562 llvm::SmallVectorImpl<AnalyzeImplicitConversionsWorkItem> &WorkList) {
11563 Expr *OrigE = Item.E;
11564 SourceLocation CC = Item.CC;
11565
11566 QualType T = OrigE->getType();
11567 Expr *E = OrigE->IgnoreParenImpCasts();
11568
11569 // Propagate whether we are in a C++ list initialization expression.
11570 // If so, we do not issue warnings for implicit int-float conversion
11571 // precision loss, because C++11 narrowing already handles it.
11572 bool IsListInit = Item.IsListInit ||
11573 (isa<InitListExpr>(OrigE) && S.getLangOpts().CPlusPlus);
11574
11575 if (E->isTypeDependent() || E->isValueDependent())
11576 return;
11577
11578 Expr *SourceExpr = E;
11579 // Examine, but don't traverse into the source expression of an
11580 // OpaqueValueExpr, since it may have multiple parents and we don't want to
11581 // emit duplicate diagnostics. Its fine to examine the form or attempt to
11582 // evaluate it in the context of checking the specific conversion to T though.
11583 if (auto *OVE = dyn_cast<OpaqueValueExpr>(E))
11584 if (auto *Src = OVE->getSourceExpr())
11585 SourceExpr = Src;
11586
11587 if (const auto *UO = dyn_cast<UnaryOperator>(SourceExpr))
11588 if (UO->getOpcode() == UO_Not &&
11589 UO->getSubExpr()->isKnownToHaveBooleanValue())
11590 S.Diag(UO->getBeginLoc(), diag::warn_bitwise_negation_bool)
11591 << OrigE->getSourceRange() << T->isBooleanType()
11592 << FixItHint::CreateReplacement(UO->getBeginLoc(), "!");
11593
11594 if (const auto *BO = dyn_cast<BinaryOperator>(SourceExpr))
11595 if ((BO->getOpcode() == BO_And || BO->getOpcode() == BO_Or) &&
11596 BO->getLHS()->isKnownToHaveBooleanValue() &&
11597 BO->getRHS()->isKnownToHaveBooleanValue() &&
11598 BO->getLHS()->HasSideEffects(S.Context) &&
11599 BO->getRHS()->HasSideEffects(S.Context)) {
11600 SourceManager &SM = S.getSourceManager();
11601 const LangOptions &LO = S.getLangOpts();
11602 SourceLocation BLoc = BO->getOperatorLoc();
11603 SourceLocation ELoc = Lexer::getLocForEndOfToken(BLoc, 0, SM, LO);
11604 StringRef SR = clang::Lexer::getSourceText(
11605 clang::CharSourceRange::getTokenRange(BLoc, ELoc), SM, LO);
11606 // To reduce false positives, only issue the diagnostic if the operator
11607 // is explicitly spelled as a punctuator. This suppresses the diagnostic
11608 // when using 'bitand' or 'bitor' either as keywords in C++ or as macros
11609 // in C, along with other macro spellings the user might invent.
11610 if (SR.str() == "&" || SR.str() == "|") {
11611
11612 S.Diag(BO->getBeginLoc(), diag::warn_bitwise_instead_of_logical)
11613 << (BO->getOpcode() == BO_And ? "&" : "|")
11614 << OrigE->getSourceRange()
11615 << FixItHint::CreateReplacement(
11616 BO->getOperatorLoc(),
11617 (BO->getOpcode() == BO_And ? "&&" : "||"));
11618 S.Diag(BO->getBeginLoc(), diag::note_cast_operand_to_int);
11619 }
11620 }
11621
11622 // For conditional operators, we analyze the arguments as if they
11623 // were being fed directly into the output.
11624 if (auto *CO = dyn_cast<AbstractConditionalOperator>(SourceExpr)) {
11625 CheckConditionalOperator(S, CO, CC, T);
11626 return;
11627 }
11628
11629 // Check implicit argument conversions for function calls.
11630 if (CallExpr *Call = dyn_cast<CallExpr>(SourceExpr))
11631 CheckImplicitArgumentConversions(S, Call, CC);
11632
11633 // Go ahead and check any implicit conversions we might have skipped.
11634 // The non-canonical typecheck is just an optimization;
11635 // CheckImplicitConversion will filter out dead implicit conversions.
11636 if (SourceExpr->getType() != T)
11637 S.CheckImplicitConversion(SourceExpr, T, CC, nullptr, IsListInit);
11638
11639 // Now continue drilling into this expression.
11640
11641 if (PseudoObjectExpr *POE = dyn_cast<PseudoObjectExpr>(E)) {
11642 // The bound subexpressions in a PseudoObjectExpr are not reachable
11643 // as transitive children.
11644 // FIXME: Use a more uniform representation for this.
11645 for (auto *SE : POE->semantics())
11646 if (auto *OVE = dyn_cast<OpaqueValueExpr>(SE))
11647 WorkList.push_back({OVE->getSourceExpr(), CC, IsListInit});
11648 }
11649
11650 // Skip past explicit casts.
11651 if (auto *CE = dyn_cast<ExplicitCastExpr>(E)) {
11652 E = CE->getSubExpr()->IgnoreParenImpCasts();
11653 if (!CE->getType()->isVoidType() && E->getType()->isAtomicType())
11654 S.Diag(E->getBeginLoc(), diag::warn_atomic_implicit_seq_cst);
11655 WorkList.push_back({E, CC, IsListInit});
11656 return;
11657 }
11658
11659 if (auto *OutArgE = dyn_cast<HLSLOutArgExpr>(E)) {
11660 WorkList.push_back({OutArgE->getArgLValue(), CC, IsListInit});
11661 // The base expression is only used to initialize the parameter for
11662 // arguments to `inout` parameters, so we only traverse down the base
11663 // expression for `inout` cases.
11664 if (OutArgE->isInOut())
11665 WorkList.push_back(
11666 {OutArgE->getCastedTemporary()->getSourceExpr(), CC, IsListInit});
11667 WorkList.push_back({OutArgE->getWritebackCast(), CC, IsListInit});
11668 return;
11669 }
11670
11671 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
11672 // Do a somewhat different check with comparison operators.
11673 if (BO->isComparisonOp())
11674 return AnalyzeComparison(S, BO);
11675
11676 // And with simple assignments.
11677 if (BO->getOpcode() == BO_Assign)
11678 return AnalyzeAssignment(S, BO);
11679 // And with compound assignments.
11680 if (BO->isAssignmentOp())
11681 return AnalyzeCompoundAssignment(S, BO);
11682 }
11683
11684 // These break the otherwise-useful invariant below. Fortunately,
11685 // we don't really need to recurse into them, because any internal
11686 // expressions should have been analyzed already when they were
11687 // built into statements.
11688 if (isa<StmtExpr>(E)) return;
11689
11690 // Don't descend into unevaluated contexts.
11691 if (isa<UnaryExprOrTypeTraitExpr>(E)) return;
11692
11693 // Now just recurse over the expression's children.
11694 CC = E->getExprLoc();
11695 BinaryOperator *BO = dyn_cast<BinaryOperator>(E);
11696 bool IsLogicalAndOperator = BO && BO->getOpcode() == BO_LAnd;
11697 for (Stmt *SubStmt : E->children()) {
11698 Expr *ChildExpr = dyn_cast_or_null<Expr>(SubStmt);
11699 if (!ChildExpr)
11700 continue;
11701
11702 if (auto *CSE = dyn_cast<CoroutineSuspendExpr>(E))
11703 if (ChildExpr == CSE->getOperand())
11704 // Do not recurse over a CoroutineSuspendExpr's operand.
11705 // The operand is also a subexpression of getCommonExpr(), and
11706 // recursing into it directly would produce duplicate diagnostics.
11707 continue;
11708
11709 if (IsLogicalAndOperator &&
11710 isa<StringLiteral>(ChildExpr->IgnoreParenImpCasts()))
11711 // Ignore checking string literals that are in logical and operators.
11712 // This is a common pattern for asserts.
11713 continue;
11714 WorkList.push_back({ChildExpr, CC, IsListInit});
11715 }
11716
11717 if (BO && BO->isLogicalOp()) {
11718 Expr *SubExpr = BO->getLHS()->IgnoreParenImpCasts();
11719 if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr))
11720 ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc());
11721
11722 SubExpr = BO->getRHS()->IgnoreParenImpCasts();
11723 if (!IsLogicalAndOperator || !isa<StringLiteral>(SubExpr))
11724 ::CheckBoolLikeConversion(S, SubExpr, BO->getExprLoc());
11725 }
11726
11727 if (const UnaryOperator *U = dyn_cast<UnaryOperator>(E)) {
11728 if (U->getOpcode() == UO_LNot) {
11729 ::CheckBoolLikeConversion(S, U->getSubExpr(), CC);
11730 } else if (U->getOpcode() != UO_AddrOf) {
11731 if (U->getSubExpr()->getType()->isAtomicType())
11732 S.Diag(U->getSubExpr()->getBeginLoc(),
11733 diag::warn_atomic_implicit_seq_cst);
11734 }
11735 }
11736 }
11737
11738 /// AnalyzeImplicitConversions - Find and report any interesting
11739 /// implicit conversions in the given expression. There are a couple
11740 /// of competing diagnostics here, -Wconversion and -Wsign-compare.
11741 static void AnalyzeImplicitConversions(Sema &S, Expr *OrigE, SourceLocation CC,
11742 bool IsListInit/*= false*/) {
11743 llvm::SmallVector<AnalyzeImplicitConversionsWorkItem, 16> WorkList;
11744 WorkList.push_back({OrigE, CC, IsListInit});
11745 while (!WorkList.empty())
11746 AnalyzeImplicitConversions(S, WorkList.pop_back_val(), WorkList);
11747 }
11748
11749 // Helper function for Sema::DiagnoseAlwaysNonNullPointer.
11750 // Returns true when emitting a warning about taking the address of a reference.
11751 static bool CheckForReference(Sema &SemaRef, const Expr *E,
11752 const PartialDiagnostic &PD) {
11753 E = E->IgnoreParenImpCasts();
11754
11755 const FunctionDecl *FD = nullptr;
11756
11757 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
11758 if (!DRE->getDecl()->getType()->isReferenceType())
11759 return false;
11760 } else if (const MemberExpr *M = dyn_cast<MemberExpr>(E)) {
11761 if (!M->getMemberDecl()->getType()->isReferenceType())
11762 return false;
11763 } else if (const CallExpr *Call = dyn_cast<CallExpr>(E)) {
11764 if (!Call->getCallReturnType(SemaRef.Context)->isReferenceType())
11765 return false;
11766 FD = Call->getDirectCallee();
11767 } else {
11768 return false;
11769 }
11770
11771 SemaRef.Diag(E->getExprLoc(), PD);
11772
11773 // If possible, point to location of function.
11774 if (FD) {
11775 SemaRef.Diag(FD->getLocation(), diag::note_reference_is_return_value) << FD;
11776 }
11777
11778 return true;
11779 }
11780
11781 // Returns true if the SourceLocation is expanded from any macro body.
11782 // Returns false if the SourceLocation is invalid, is from not in a macro
11783 // expansion, or is from expanded from a top-level macro argument.
11784 static bool IsInAnyMacroBody(const SourceManager &SM, SourceLocation Loc) {
11785 if (Loc.isInvalid())
11786 return false;
11787
11788 while (Loc.isMacroID()) {
11789 if (SM.isMacroBodyExpansion(Loc))
11790 return true;
11791 Loc = SM.getImmediateMacroCallerLoc(Loc);
11792 }
11793
11794 return false;
11795 }
11796
11797 void Sema::DiagnoseAlwaysNonNullPointer(Expr *E,
11798 Expr::NullPointerConstantKind NullKind,
11799 bool IsEqual, SourceRange Range) {
11800 if (!E)
11801 return;
11802
11803 // Don't warn inside macros.
11804 if (E->getExprLoc().isMacroID()) {
11805 const SourceManager &SM = getSourceManager();
11806 if (IsInAnyMacroBody(SM, E->getExprLoc()) ||
11807 IsInAnyMacroBody(SM, Range.getBegin()))
11808 return;
11809 }
11810 E = E->IgnoreImpCasts();
11811
11812 const bool IsCompare = NullKind != Expr::NPCK_NotNull;
11813
11814 if (isa<CXXThisExpr>(E)) {
11815 unsigned DiagID = IsCompare ? diag::warn_this_null_compare
11816 : diag::warn_this_bool_conversion;
11817 Diag(E->getExprLoc(), DiagID) << E->getSourceRange() << Range << IsEqual;
11818 return;
11819 }
11820
11821 bool IsAddressOf = false;
11822
11823 if (auto *UO = dyn_cast<UnaryOperator>(E->IgnoreParens())) {
11824 if (UO->getOpcode() != UO_AddrOf)
11825 return;
11826 IsAddressOf = true;
11827 E = UO->getSubExpr();
11828 }
11829
11830 if (IsAddressOf) {
11831 unsigned DiagID = IsCompare
11832 ? diag::warn_address_of_reference_null_compare
11833 : diag::warn_address_of_reference_bool_conversion;
11834 PartialDiagnostic PD = PDiag(DiagID) << E->getSourceRange() << Range
11835 << IsEqual;
11836 if (CheckForReference(*this, E, PD)) {
11837 return;
11838 }
11839 }
11840
11841 auto ComplainAboutNonnullParamOrCall = [&](const Attr *NonnullAttr) {
11842 bool IsParam = isa<NonNullAttr>(NonnullAttr);
11843 std::string Str;
11844 llvm::raw_string_ostream S(Str);
11845 E->printPretty(S, nullptr, getPrintingPolicy());
11846 unsigned DiagID = IsCompare ? diag::warn_nonnull_expr_compare
11847 : diag::warn_cast_nonnull_to_bool;
11848 Diag(E->getExprLoc(), DiagID) << IsParam << S.str()
11849 << E->getSourceRange() << Range << IsEqual;
11850 Diag(NonnullAttr->getLocation(), diag::note_declared_nonnull) << IsParam;
11851 };
11852
11853 // If we have a CallExpr that is tagged with returns_nonnull, we can complain.
11854 if (auto *Call = dyn_cast<CallExpr>(E->IgnoreParenImpCasts())) {
11855 if (auto *Callee = Call->getDirectCallee()) {
11856 if (const Attr *A = Callee->getAttr<ReturnsNonNullAttr>()) {
11857 ComplainAboutNonnullParamOrCall(A);
11858 return;
11859 }
11860 }
11861 }
11862
11863 // Complain if we are converting a lambda expression to a boolean value
11864 // outside of instantiation.
11865 if (!inTemplateInstantiation()) {
11866 if (const auto *MCallExpr = dyn_cast<CXXMemberCallExpr>(E)) {
11867 if (const auto *MRecordDecl = MCallExpr->getRecordDecl();
11868 MRecordDecl && MRecordDecl->isLambda()) {
11869 Diag(E->getExprLoc(), diag::warn_impcast_pointer_to_bool)
11870 << /*LambdaPointerConversionOperatorType=*/3
11871 << MRecordDecl->getSourceRange() << Range << IsEqual;
11872 return;
11873 }
11874 }
11875 }
11876
11877 // Expect to find a single Decl. Skip anything more complicated.
11878 ValueDecl *D = nullptr;
11879 if (DeclRefExpr *R = dyn_cast<DeclRefExpr>(E)) {
11880 D = R->getDecl();
11881 } else if (MemberExpr *M = dyn_cast<MemberExpr>(E)) {
11882 D = M->getMemberDecl();
11883 }
11884
11885 // Weak Decls can be null.
11886 if (!D || D->isWeak())
11887 return;
11888
11889 // Check for parameter decl with nonnull attribute
11890 if (const auto* PV = dyn_cast<ParmVarDecl>(D)) {
11891 if (getCurFunction() &&
11892 !getCurFunction()->ModifiedNonNullParams.count(PV)) {
11893 if (const Attr *A = PV->getAttr<NonNullAttr>()) {
11894 ComplainAboutNonnullParamOrCall(A);
11895 return;
11896 }
11897
11898 if (const auto *FD = dyn_cast<FunctionDecl>(PV->getDeclContext())) {
11899 // Skip function template not specialized yet.
11900 if (FD->getTemplatedKind() == FunctionDecl::TK_FunctionTemplate)
11901 return;
11902 auto ParamIter = llvm::find(FD->parameters(), PV);
11903 assert(ParamIter != FD->param_end());
11904 unsigned ParamNo = std::distance(FD->param_begin(), ParamIter);
11905
11906 for (const auto *NonNull : FD->specific_attrs<NonNullAttr>()) {
11907 if (!NonNull->args_size()) {
11908 ComplainAboutNonnullParamOrCall(NonNull);
11909 return;
11910 }
11911
11912 for (const ParamIdx &ArgNo : NonNull->args()) {
11913 if (ArgNo.getASTIndex() == ParamNo) {
11914 ComplainAboutNonnullParamOrCall(NonNull);
11915 return;
11916 }
11917 }
11918 }
11919 }
11920 }
11921 }
11922
11923 QualType T = D->getType();
11924 const bool IsArray = T->isArrayType();
11925 const bool IsFunction = T->isFunctionType();
11926
11927 // Address of function is used to silence the function warning.
11928 if (IsAddressOf && IsFunction) {
11929 return;
11930 }
11931
11932 // Found nothing.
11933 if (!IsAddressOf && !IsFunction && !IsArray)
11934 return;
11935
11936 // Pretty print the expression for the diagnostic.
11937 std::string Str;
11938 llvm::raw_string_ostream S(Str);
11939 E->printPretty(S, nullptr, getPrintingPolicy());
11940
11941 unsigned DiagID = IsCompare ? diag::warn_null_pointer_compare
11942 : diag::warn_impcast_pointer_to_bool;
11943 enum {
11944 AddressOf,
11945 FunctionPointer,
11946 ArrayPointer
11947 } DiagType;
11948 if (IsAddressOf)
11949 DiagType = AddressOf;
11950 else if (IsFunction)
11951 DiagType = FunctionPointer;
11952 else if (IsArray)
11953 DiagType = ArrayPointer;
11954 else
11955 llvm_unreachable("Could not determine diagnostic.");
11956 Diag(E->getExprLoc(), DiagID) << DiagType << S.str() << E->getSourceRange()
11957 << Range << IsEqual;
11958
11959 if (!IsFunction)
11960 return;
11961
11962 // Suggest '&' to silence the function warning.
11963 Diag(E->getExprLoc(), diag::note_function_warning_silence)
11964 << FixItHint::CreateInsertion(E->getBeginLoc(), "&");
11965
11966 // Check to see if '()' fixit should be emitted.
11967 QualType ReturnType;
11968 UnresolvedSet<4> NonTemplateOverloads;
11969 tryExprAsCall(*E, ReturnType, NonTemplateOverloads);
11970 if (ReturnType.isNull())
11971 return;
11972
11973 if (IsCompare) {
11974 // There are two cases here. If there is null constant, the only suggest
11975 // for a pointer return type. If the null is 0, then suggest if the return
11976 // type is a pointer or an integer type.
11977 if (!ReturnType->isPointerType()) {
11978 if (NullKind == Expr::NPCK_ZeroExpression ||
11979 NullKind == Expr::NPCK_ZeroLiteral) {
11980 if (!ReturnType->isIntegerType())
11981 return;
11982 } else {
11983 return;
11984 }
11985 }
11986 } else { // !IsCompare
11987 // For function to bool, only suggest if the function pointer has bool
11988 // return type.
11989 if (!ReturnType->isSpecificBuiltinType(BuiltinType::Bool))
11990 return;
11991 }
11992 Diag(E->getExprLoc(), diag::note_function_to_function_call)
11993 << FixItHint::CreateInsertion(getLocForEndOfToken(E->getEndLoc()), "()");
11994 }
11995
11996 void Sema::CheckImplicitConversions(Expr *E, SourceLocation CC) {
11997 // Don't diagnose in unevaluated contexts.
11998 if (isUnevaluatedContext())
11999 return;
12000
12001 // Don't diagnose for value- or type-dependent expressions.
12002 if (E->isTypeDependent() || E->isValueDependent())
12003 return;
12004
12005 // Check for array bounds violations in cases where the check isn't triggered
12006 // elsewhere for other Expr types (like BinaryOperators), e.g. when an
12007 // ArraySubscriptExpr is on the RHS of a variable initialization.
12008 CheckArrayAccess(E);
12009
12010 // This is not the right CC for (e.g.) a variable initialization.
12011 AnalyzeImplicitConversions(*this, E, CC);
12012 }
12013
12014 void Sema::CheckBoolLikeConversion(Expr *E, SourceLocation CC) {
12015 ::CheckBoolLikeConversion(*this, E, CC);
12016 }
12017
12018 void Sema::CheckForIntOverflow (const Expr *E) {
12019 // Use a work list to deal with nested struct initializers.
12020 SmallVector<const Expr *, 2> Exprs(1, E);
12021
12022 do {
12023 const Expr *OriginalE = Exprs.pop_back_val();
12024 const Expr *E = OriginalE->IgnoreParenCasts();
12025
12026 if (isa<BinaryOperator, UnaryOperator>(E)) {
12027 E->EvaluateForOverflow(Context);
12028 continue;
12029 }
12030
12031 if (const auto *InitList = dyn_cast<InitListExpr>(OriginalE))
12032 Exprs.append(InitList->inits().begin(), InitList->inits().end());
12033 else if (isa<ObjCBoxedExpr>(OriginalE))
12034 E->EvaluateForOverflow(Context);
12035 else if (const auto *Call = dyn_cast<CallExpr>(E))
12036 Exprs.append(Call->arg_begin(), Call->arg_end());
12037 else if (const auto *Message = dyn_cast<ObjCMessageExpr>(E))
12038 Exprs.append(Message->arg_begin(), Message->arg_end());
12039 else if (const auto *Construct = dyn_cast<CXXConstructExpr>(E))
12040 Exprs.append(Construct->arg_begin(), Construct->arg_end());
12041 else if (const auto *Temporary = dyn_cast<CXXBindTemporaryExpr>(E))
12042 Exprs.push_back(Temporary->getSubExpr());
12043 else if (const auto *Array = dyn_cast<ArraySubscriptExpr>(E))
12044 Exprs.push_back(Array->getIdx());
12045 else if (const auto *Compound = dyn_cast<CompoundLiteralExpr>(E))
12046 Exprs.push_back(Compound->getInitializer());
12047 else if (const auto *New = dyn_cast<CXXNewExpr>(E);
12048 New && New->isArray()) {
12049 if (auto ArraySize = New->getArraySize())
12050 Exprs.push_back(*ArraySize);
12051 }
12052 } while (!Exprs.empty());
12053 }
12054
12055 namespace {
12056
12057 /// Visitor for expressions which looks for unsequenced operations on the
12058 /// same object.
12059 class SequenceChecker : public ConstEvaluatedExprVisitor<SequenceChecker> {
12060 using Base = ConstEvaluatedExprVisitor<SequenceChecker>;
12061
12062 /// A tree of sequenced regions within an expression. Two regions are
12063 /// unsequenced if one is an ancestor or a descendent of the other. When we
12064 /// finish processing an expression with sequencing, such as a comma
12065 /// expression, we fold its tree nodes into its parent, since they are
12066 /// unsequenced with respect to nodes we will visit later.
12067 class SequenceTree {
12068 struct Value {
12069 explicit Value(unsigned Parent) : Parent(Parent), Merged(false) {}
12070 unsigned Parent : 31;
12071 LLVM_PREFERRED_TYPE(bool)
12072 unsigned Merged : 1;
12073 };
12074 SmallVector<Value, 8> Values;
12075
12076 public:
12077 /// A region within an expression which may be sequenced with respect
12078 /// to some other region.
12079 class Seq {
12080 friend class SequenceTree;
12081
12082 unsigned Index;
12083
12084 explicit Seq(unsigned N) : Index(N) {}
12085
12086 public:
12087 Seq() : Index(0) {}
12088 };
12089
12090 SequenceTree() { Values.push_back(Value(0)); }
12091 Seq root() const { return Seq(0); }
12092
12093 /// Create a new sequence of operations, which is an unsequenced
12094 /// subset of \p Parent. This sequence of operations is sequenced with
12095 /// respect to other children of \p Parent.
12096 Seq allocate(Seq Parent) {
12097 Values.push_back(Value(Parent.Index));
12098 return Seq(Values.size() - 1);
12099 }
12100
12101 /// Merge a sequence of operations into its parent.
12102 void merge(Seq S) {
12103 Values[S.Index].Merged = true;
12104 }
12105
12106 /// Determine whether two operations are unsequenced. This operation
12107 /// is asymmetric: \p Cur should be the more recent sequence, and \p Old
12108 /// should have been merged into its parent as appropriate.
12109 bool isUnsequenced(Seq Cur, Seq Old) {
12110 unsigned C = representative(Cur.Index);
12111 unsigned Target = representative(Old.Index);
12112 while (C >= Target) {
12113 if (C == Target)
12114 return true;
12115 C = Values[C].Parent;
12116 }
12117 return false;
12118 }
12119
12120 private:
12121 /// Pick a representative for a sequence.
12122 unsigned representative(unsigned K) {
12123 if (Values[K].Merged)
12124 // Perform path compression as we go.
12125 return Values[K].Parent = representative(Values[K].Parent);
12126 return K;
12127 }
12128 };
12129
12130 /// An object for which we can track unsequenced uses.
12131 using Object = const NamedDecl *;
12132
12133 /// Different flavors of object usage which we track. We only track the
12134 /// least-sequenced usage of each kind.
12135 enum UsageKind {
12136 /// A read of an object. Multiple unsequenced reads are OK.
12137 UK_Use,
12138
12139 /// A modification of an object which is sequenced before the value
12140 /// computation of the expression, such as ++n in C++.
12141 UK_ModAsValue,
12142
12143 /// A modification of an object which is not sequenced before the value
12144 /// computation of the expression, such as n++.
12145 UK_ModAsSideEffect,
12146
12147 UK_Count = UK_ModAsSideEffect + 1
12148 };
12149
12150 /// Bundle together a sequencing region and the expression corresponding
12151 /// to a specific usage. One Usage is stored for each usage kind in UsageInfo.
12152 struct Usage {
12153 const Expr *UsageExpr = nullptr;
12154 SequenceTree::Seq Seq;
12155
12156 Usage() = default;
12157 };
12158
12159 struct UsageInfo {
12160 Usage Uses[UK_Count];
12161
12162 /// Have we issued a diagnostic for this object already?
12163 bool Diagnosed = false;
12164
12165 UsageInfo();
12166 };
12167 using UsageInfoMap = llvm::SmallDenseMap<Object, UsageInfo, 16>;
12168
12169 Sema &SemaRef;
12170
12171 /// Sequenced regions within the expression.
12172 SequenceTree Tree;
12173
12174 /// Declaration modifications and references which we have seen.
12175 UsageInfoMap UsageMap;
12176
12177 /// The region we are currently within.
12178 SequenceTree::Seq Region;
12179
12180 /// Filled in with declarations which were modified as a side-effect
12181 /// (that is, post-increment operations).
12182 SmallVectorImpl<std::pair<Object, Usage>> *ModAsSideEffect = nullptr;
12183
12184 /// Expressions to check later. We defer checking these to reduce
12185 /// stack usage.
12186 SmallVectorImpl<const Expr *> &WorkList;
12187
12188 /// RAII object wrapping the visitation of a sequenced subexpression of an
12189 /// expression. At the end of this process, the side-effects of the evaluation
12190 /// become sequenced with respect to the value computation of the result, so
12191 /// we downgrade any UK_ModAsSideEffect within the evaluation to
12192 /// UK_ModAsValue.
12193 struct SequencedSubexpression {
12194 SequencedSubexpression(SequenceChecker &Self)
12195 : Self(Self), OldModAsSideEffect(Self.ModAsSideEffect) {
12196 Self.ModAsSideEffect = &ModAsSideEffect;
12197 }
12198
12199 ~SequencedSubexpression() {
12200 for (const std::pair<Object, Usage> &M : llvm::reverse(ModAsSideEffect)) {
12201 // Add a new usage with usage kind UK_ModAsValue, and then restore
12202 // the previous usage with UK_ModAsSideEffect (thus clearing it if
12203 // the previous one was empty).
12204 UsageInfo &UI = Self.UsageMap[M.first];
12205 auto &SideEffectUsage = UI.Uses[UK_ModAsSideEffect];
12206 Self.addUsage(M.first, UI, SideEffectUsage.UsageExpr, UK_ModAsValue);
12207 SideEffectUsage = M.second;
12208 }
12209 Self.ModAsSideEffect = OldModAsSideEffect;
12210 }
12211
12212 SequenceChecker &Self;
12213 SmallVector<std::pair<Object, Usage>, 4> ModAsSideEffect;
12214 SmallVectorImpl<std::pair<Object, Usage>> *OldModAsSideEffect;
12215 };
12216
12217 /// RAII object wrapping the visitation of a subexpression which we might
12218 /// choose to evaluate as a constant. If any subexpression is evaluated and
12219 /// found to be non-constant, this allows us to suppress the evaluation of
12220 /// the outer expression.
12221 class EvaluationTracker {
12222 public:
12223 EvaluationTracker(SequenceChecker &Self)
12224 : Self(Self), Prev(Self.EvalTracker) {
12225 Self.EvalTracker = this;
12226 }
12227
12228 ~EvaluationTracker() {
12229 Self.EvalTracker = Prev;
12230 if (Prev)
12231 Prev->EvalOK &= EvalOK;
12232 }
12233
12234 bool evaluate(const Expr *E, bool &Result) {
12235 if (!EvalOK || E->isValueDependent())
12236 return false;
12237 EvalOK = E->EvaluateAsBooleanCondition(
12238 Result, Self.SemaRef.Context,
12239 Self.SemaRef.isConstantEvaluatedContext());
12240 return EvalOK;
12241 }
12242
12243 private:
12244 SequenceChecker &Self;
12245 EvaluationTracker *Prev;
12246 bool EvalOK = true;
12247 } *EvalTracker = nullptr;
12248
12249 /// Find the object which is produced by the specified expression,
12250 /// if any.
12251 Object getObject(const Expr *E, bool Mod) const {
12252 E = E->IgnoreParenCasts();
12253 if (const UnaryOperator *UO = dyn_cast<UnaryOperator>(E)) {
12254 if (Mod && (UO->getOpcode() == UO_PreInc || UO->getOpcode() == UO_PreDec))
12255 return getObject(UO->getSubExpr(), Mod);
12256 } else if (const BinaryOperator *BO = dyn_cast<BinaryOperator>(E)) {
12257 if (BO->getOpcode() == BO_Comma)
12258 return getObject(BO->getRHS(), Mod);
12259 if (Mod && BO->isAssignmentOp())
12260 return getObject(BO->getLHS(), Mod);
12261 } else if (const MemberExpr *ME = dyn_cast<MemberExpr>(E)) {
12262 // FIXME: Check for more interesting cases, like "x.n = ++x.n".
12263 if (isa<CXXThisExpr>(ME->getBase()->IgnoreParenCasts()))
12264 return ME->getMemberDecl();
12265 } else if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E))
12266 // FIXME: If this is a reference, map through to its value.
12267 return DRE->getDecl();
12268 return nullptr;
12269 }
12270
12271 /// Note that an object \p O was modified or used by an expression
12272 /// \p UsageExpr with usage kind \p UK. \p UI is the \p UsageInfo for
12273 /// the object \p O as obtained via the \p UsageMap.
12274 void addUsage(Object O, UsageInfo &UI, const Expr *UsageExpr, UsageKind UK) {
12275 // Get the old usage for the given object and usage kind.
12276 Usage &U = UI.Uses[UK];
12277 if (!U.UsageExpr || !Tree.isUnsequenced(Region, U.Seq)) {
12278 // If we have a modification as side effect and are in a sequenced
12279 // subexpression, save the old Usage so that we can restore it later
12280 // in SequencedSubexpression::~SequencedSubexpression.
12281 if (UK == UK_ModAsSideEffect && ModAsSideEffect)
12282 ModAsSideEffect->push_back(std::make_pair(O, U));
12283 // Then record the new usage with the current sequencing region.
12284 U.UsageExpr = UsageExpr;
12285 U.Seq = Region;
12286 }
12287 }
12288
12289 /// Check whether a modification or use of an object \p O in an expression
12290 /// \p UsageExpr conflicts with a prior usage of kind \p OtherKind. \p UI is
12291 /// the \p UsageInfo for the object \p O as obtained via the \p UsageMap.
12292 /// \p IsModMod is true when we are checking for a mod-mod unsequenced
12293 /// usage and false we are checking for a mod-use unsequenced usage.
12294 void checkUsage(Object O, UsageInfo &UI, const Expr *UsageExpr,
12295 UsageKind OtherKind, bool IsModMod) {
12296 if (UI.Diagnosed)
12297 return;
12298
12299 const Usage &U = UI.Uses[OtherKind];
12300 if (!U.UsageExpr || !Tree.isUnsequenced(Region, U.Seq))
12301 return;
12302
12303 const Expr *Mod = U.UsageExpr;
12304 const Expr *ModOrUse = UsageExpr;
12305 if (OtherKind == UK_Use)
12306 std::swap(Mod, ModOrUse);
12307
12308 SemaRef.DiagRuntimeBehavior(
12309 Mod->getExprLoc(), {Mod, ModOrUse},
12310 SemaRef.PDiag(IsModMod ? diag::warn_unsequenced_mod_mod
12311 : diag::warn_unsequenced_mod_use)
12312 << O << SourceRange(ModOrUse->getExprLoc()));
12313 UI.Diagnosed = true;
12314 }
12315
12316 // A note on note{Pre, Post}{Use, Mod}:
12317 //
12318 // (It helps to follow the algorithm with an expression such as
12319 // "((++k)++, k) = k" or "k = (k++, k++)". Both contain unsequenced
12320 // operations before C++17 and both are well-defined in C++17).
12321 //
12322 // When visiting a node which uses/modify an object we first call notePreUse
12323 // or notePreMod before visiting its sub-expression(s). At this point the
12324 // children of the current node have not yet been visited and so the eventual
12325 // uses/modifications resulting from the children of the current node have not
12326 // been recorded yet.
12327 //
12328 // We then visit the children of the current node. After that notePostUse or
12329 // notePostMod is called. These will 1) detect an unsequenced modification
12330 // as side effect (as in "k++ + k") and 2) add a new usage with the
12331 // appropriate usage kind.
12332 //
12333 // We also have to be careful that some operation sequences modification as
12334 // side effect as well (for example: || or ,). To account for this we wrap
12335 // the visitation of such a sub-expression (for example: the LHS of || or ,)
12336 // with SequencedSubexpression. SequencedSubexpression is an RAII object
12337 // which record usages which are modifications as side effect, and then
12338 // downgrade them (or more accurately restore the previous usage which was a
12339 // modification as side effect) when exiting the scope of the sequenced
12340 // subexpression.
12341
12342 void notePreUse(Object O, const Expr *UseExpr) {
12343 UsageInfo &UI = UsageMap[O];
12344 // Uses conflict with other modifications.
12345 checkUsage(O, UI, UseExpr, /*OtherKind=*/UK_ModAsValue, /*IsModMod=*/false);
12346 }
12347
12348 void notePostUse(Object O, const Expr *UseExpr) {
12349 UsageInfo &UI = UsageMap[O];
12350 checkUsage(O, UI, UseExpr, /*OtherKind=*/UK_ModAsSideEffect,
12351 /*IsModMod=*/false);
12352 addUsage(O, UI, UseExpr, /*UsageKind=*/UK_Use);
12353 }
12354
12355 void notePreMod(Object O, const Expr *ModExpr) {
12356 UsageInfo &UI = UsageMap[O];
12357 // Modifications conflict with other modifications and with uses.
12358 checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_ModAsValue, /*IsModMod=*/true);
12359 checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_Use, /*IsModMod=*/false);
12360 }
12361
12362 void notePostMod(Object O, const Expr *ModExpr, UsageKind UK) {
12363 UsageInfo &UI = UsageMap[O];
12364 checkUsage(O, UI, ModExpr, /*OtherKind=*/UK_ModAsSideEffect,
12365 /*IsModMod=*/true);
12366 addUsage(O, UI, ModExpr, /*UsageKind=*/UK);
12367 }
12368
12369 public:
12370 SequenceChecker(Sema &S, const Expr *E,
12371 SmallVectorImpl<const Expr *> &WorkList)
12372 : Base(S.Context), SemaRef(S), Region(Tree.root()), WorkList(WorkList) {
12373 Visit(E);
12374 // Silence a -Wunused-private-field since WorkList is now unused.
12375 // TODO: Evaluate if it can be used, and if not remove it.
12376 (void)this->WorkList;
12377 }
12378
12379 void VisitStmt(const Stmt *S) {
12380 // Skip all statements which aren't expressions for now.
12381 }
12382
12383 void VisitExpr(const Expr *E) {
12384 // By default, just recurse to evaluated subexpressions.
12385 Base::VisitStmt(E);
12386 }
12387
12388 void VisitCoroutineSuspendExpr(const CoroutineSuspendExpr *CSE) {
12389 for (auto *Sub : CSE->children()) {
12390 const Expr *ChildExpr = dyn_cast_or_null<Expr>(Sub);
12391 if (!ChildExpr)
12392 continue;
12393
12394 if (ChildExpr == CSE->getOperand())
12395 // Do not recurse over a CoroutineSuspendExpr's operand.
12396 // The operand is also a subexpression of getCommonExpr(), and
12397 // recursing into it directly could confuse object management
12398 // for the sake of sequence tracking.
12399 continue;
12400
12401 Visit(Sub);
12402 }
12403 }
12404
12405 void VisitCastExpr(const CastExpr *E) {
12406 Object O = Object();
12407 if (E->getCastKind() == CK_LValueToRValue)
12408 O = getObject(E->getSubExpr(), false);
12409
12410 if (O)
12411 notePreUse(O, E);
12412 VisitExpr(E);
12413 if (O)
12414 notePostUse(O, E);
12415 }
12416
12417 void VisitSequencedExpressions(const Expr *SequencedBefore,
12418 const Expr *SequencedAfter) {
12419 SequenceTree::Seq BeforeRegion = Tree.allocate(Region);
12420 SequenceTree::Seq AfterRegion = Tree.allocate(Region);
12421 SequenceTree::Seq OldRegion = Region;
12422
12423 {
12424 SequencedSubexpression SeqBefore(*this);
12425 Region = BeforeRegion;
12426 Visit(SequencedBefore);
12427 }
12428
12429 Region = AfterRegion;
12430 Visit(SequencedAfter);
12431
12432 Region = OldRegion;
12433
12434 Tree.merge(BeforeRegion);
12435 Tree.merge(AfterRegion);
12436 }
12437
12438 void VisitArraySubscriptExpr(const ArraySubscriptExpr *ASE) {
12439 // C++17 [expr.sub]p1:
12440 // The expression E1[E2] is identical (by definition) to *((E1)+(E2)). The
12441 // expression E1 is sequenced before the expression E2.
12442 if (SemaRef.getLangOpts().CPlusPlus17)
12443 VisitSequencedExpressions(ASE->getLHS(), ASE->getRHS());
12444 else {
12445 Visit(ASE->getLHS());
12446 Visit(ASE->getRHS());
12447 }
12448 }
12449
12450 void VisitBinPtrMemD(const BinaryOperator *BO) { VisitBinPtrMem(BO); }
12451 void VisitBinPtrMemI(const BinaryOperator *BO) { VisitBinPtrMem(BO); }
12452 void VisitBinPtrMem(const BinaryOperator *BO) {
12453 // C++17 [expr.mptr.oper]p4:
12454 // Abbreviating pm-expression.*cast-expression as E1.*E2, [...]
12455 // the expression E1 is sequenced before the expression E2.
12456 if (SemaRef.getLangOpts().CPlusPlus17)
12457 VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
12458 else {
12459 Visit(BO->getLHS());
12460 Visit(BO->getRHS());
12461 }
12462 }
12463
12464 void VisitBinShl(const BinaryOperator *BO) { VisitBinShlShr(BO); }
12465 void VisitBinShr(const BinaryOperator *BO) { VisitBinShlShr(BO); }
12466 void VisitBinShlShr(const BinaryOperator *BO) {
12467 // C++17 [expr.shift]p4:
12468 // The expression E1 is sequenced before the expression E2.
12469 if (SemaRef.getLangOpts().CPlusPlus17)
12470 VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
12471 else {
12472 Visit(BO->getLHS());
12473 Visit(BO->getRHS());
12474 }
12475 }
12476
12477 void VisitBinComma(const BinaryOperator *BO) {
12478 // C++11 [expr.comma]p1:
12479 // Every value computation and side effect associated with the left
12480 // expression is sequenced before every value computation and side
12481 // effect associated with the right expression.
12482 VisitSequencedExpressions(BO->getLHS(), BO->getRHS());
12483 }
12484
12485 void VisitBinAssign(const BinaryOperator *BO) {
12486 SequenceTree::Seq RHSRegion;
12487 SequenceTree::Seq LHSRegion;
12488 if (SemaRef.getLangOpts().CPlusPlus17) {
12489 RHSRegion = Tree.allocate(Region);
12490 LHSRegion = Tree.allocate(Region);
12491 } else {
12492 RHSRegion = Region;
12493 LHSRegion = Region;
12494 }
12495 SequenceTree::Seq OldRegion = Region;
12496
12497 // C++11 [expr.ass]p1:
12498 // [...] the assignment is sequenced after the value computation
12499 // of the right and left operands, [...]
12500 //
12501 // so check it before inspecting the operands and update the
12502 // map afterwards.
12503 Object O = getObject(BO->getLHS(), /*Mod=*/true);
12504 if (O)
12505 notePreMod(O, BO);
12506
12507 if (SemaRef.getLangOpts().CPlusPlus17) {
12508 // C++17 [expr.ass]p1:
12509 // [...] The right operand is sequenced before the left operand. [...]
12510 {
12511 SequencedSubexpression SeqBefore(*this);
12512 Region = RHSRegion;
12513 Visit(BO->getRHS());
12514 }
12515
12516 Region = LHSRegion;
12517 Visit(BO->getLHS());
12518
12519 if (O && isa<CompoundAssignOperator>(BO))
12520 notePostUse(O, BO);
12521
12522 } else {
12523 // C++11 does not specify any sequencing between the LHS and RHS.
12524 Region = LHSRegion;
12525 Visit(BO->getLHS());
12526
12527 if (O && isa<CompoundAssignOperator>(BO))
12528 notePostUse(O, BO);
12529
12530 Region = RHSRegion;
12531 Visit(BO->getRHS());
12532 }
12533
12534 // C++11 [expr.ass]p1:
12535 // the assignment is sequenced [...] before the value computation of the
12536 // assignment expression.
12537 // C11 6.5.16/3 has no such rule.
12538 Region = OldRegion;
12539 if (O)
12540 notePostMod(O, BO,
12541 SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue
12542 : UK_ModAsSideEffect);
12543 if (SemaRef.getLangOpts().CPlusPlus17) {
12544 Tree.merge(RHSRegion);
12545 Tree.merge(LHSRegion);
12546 }
12547 }
12548
12549 void VisitCompoundAssignOperator(const CompoundAssignOperator *CAO) {
12550 VisitBinAssign(CAO);
12551 }
12552
12553 void VisitUnaryPreInc(const UnaryOperator *UO) { VisitUnaryPreIncDec(UO); }
12554 void VisitUnaryPreDec(const UnaryOperator *UO) { VisitUnaryPreIncDec(UO); }
12555 void VisitUnaryPreIncDec(const UnaryOperator *UO) {
12556 Object O = getObject(UO->getSubExpr(), true);
12557 if (!O)
12558 return VisitExpr(UO);
12559
12560 notePreMod(O, UO);
12561 Visit(UO->getSubExpr());
12562 // C++11 [expr.pre.incr]p1:
12563 // the expression ++x is equivalent to x+=1
12564 notePostMod(O, UO,
12565 SemaRef.getLangOpts().CPlusPlus ? UK_ModAsValue
12566 : UK_ModAsSideEffect);
12567 }
12568
12569 void VisitUnaryPostInc(const UnaryOperator *UO) { VisitUnaryPostIncDec(UO); }
12570 void VisitUnaryPostDec(const UnaryOperator *UO) { VisitUnaryPostIncDec(UO); }
12571 void VisitUnaryPostIncDec(const UnaryOperator *UO) {
12572 Object O = getObject(UO->getSubExpr(), true);
12573 if (!O)
12574 return VisitExpr(UO);
12575
12576 notePreMod(O, UO);
12577 Visit(UO->getSubExpr());
12578 notePostMod(O, UO, UK_ModAsSideEffect);
12579 }
12580
12581 void VisitBinLOr(const BinaryOperator *BO) {
12582 // C++11 [expr.log.or]p2:
12583 // If the second expression is evaluated, every value computation and
12584 // side effect associated with the first expression is sequenced before
12585 // every value computation and side effect associated with the
12586 // second expression.
12587 SequenceTree::Seq LHSRegion = Tree.allocate(Region);
12588 SequenceTree::Seq RHSRegion = Tree.allocate(Region);
12589 SequenceTree::Seq OldRegion = Region;
12590
12591 EvaluationTracker Eval(*this);
12592 {
12593 SequencedSubexpression Sequenced(*this);
12594 Region = LHSRegion;
12595 Visit(BO->getLHS());
12596 }
12597
12598 // C++11 [expr.log.or]p1:
12599 // [...] the second operand is not evaluated if the first operand
12600 // evaluates to true.
12601 bool EvalResult = false;
12602 bool EvalOK = Eval.evaluate(BO->getLHS(), EvalResult);
12603 bool ShouldVisitRHS = !EvalOK || !EvalResult;
12604 if (ShouldVisitRHS) {
12605 Region = RHSRegion;
12606 Visit(BO->getRHS());
12607 }
12608
12609 Region = OldRegion;
12610 Tree.merge(LHSRegion);
12611 Tree.merge(RHSRegion);
12612 }
12613
12614 void VisitBinLAnd(const BinaryOperator *BO) {
12615 // C++11 [expr.log.and]p2:
12616 // If the second expression is evaluated, every value computation and
12617 // side effect associated with the first expression is sequenced before
12618 // every value computation and side effect associated with the
12619 // second expression.
12620 SequenceTree::Seq LHSRegion = Tree.allocate(Region);
12621 SequenceTree::Seq RHSRegion = Tree.allocate(Region);
12622 SequenceTree::Seq OldRegion = Region;
12623
12624 EvaluationTracker Eval(*this);
12625 {
12626 SequencedSubexpression Sequenced(*this);
12627 Region = LHSRegion;
12628 Visit(BO->getLHS());
12629 }
12630
12631 // C++11 [expr.log.and]p1:
12632 // [...] the second operand is not evaluated if the first operand is false.
12633 bool EvalResult = false;
12634 bool EvalOK = Eval.evaluate(BO->getLHS(), EvalResult);
12635 bool ShouldVisitRHS = !EvalOK || EvalResult;
12636 if (ShouldVisitRHS) {
12637 Region = RHSRegion;
12638 Visit(BO->getRHS());
12639 }
12640
12641 Region = OldRegion;
12642 Tree.merge(LHSRegion);
12643 Tree.merge(RHSRegion);
12644 }
12645
12646 void VisitAbstractConditionalOperator(const AbstractConditionalOperator *CO) {
12647 // C++11 [expr.cond]p1:
12648 // [...] Every value computation and side effect associated with the first
12649 // expression is sequenced before every value computation and side effect
12650 // associated with the second or third expression.
12651 SequenceTree::Seq ConditionRegion = Tree.allocate(Region);
12652
12653 // No sequencing is specified between the true and false expression.
12654 // However since exactly one of both is going to be evaluated we can
12655 // consider them to be sequenced. This is needed to avoid warning on
12656 // something like "x ? y+= 1 : y += 2;" in the case where we will visit
12657 // both the true and false expressions because we can't evaluate x.
12658 // This will still allow us to detect an expression like (pre C++17)
12659 // "(x ? y += 1 : y += 2) = y".
12660 //
12661 // We don't wrap the visitation of the true and false expression with
12662 // SequencedSubexpression because we don't want to downgrade modifications
12663 // as side effect in the true and false expressions after the visition
12664 // is done. (for example in the expression "(x ? y++ : y++) + y" we should
12665 // not warn between the two "y++", but we should warn between the "y++"
12666 // and the "y".
12667 SequenceTree::Seq TrueRegion = Tree.allocate(Region);
12668 SequenceTree::Seq FalseRegion = Tree.allocate(Region);
12669 SequenceTree::Seq OldRegion = Region;
12670
12671 EvaluationTracker Eval(*this);
12672 {
12673 SequencedSubexpression Sequenced(*this);
12674 Region = ConditionRegion;
12675 Visit(CO->getCond());
12676 }
12677
12678 // C++11 [expr.cond]p1:
12679 // [...] The first expression is contextually converted to bool (Clause 4).
12680 // It is evaluated and if it is true, the result of the conditional
12681 // expression is the value of the second expression, otherwise that of the
12682 // third expression. Only one of the second and third expressions is
12683 // evaluated. [...]
12684 bool EvalResult = false;
12685 bool EvalOK = Eval.evaluate(CO->getCond(), EvalResult);
12686 bool ShouldVisitTrueExpr = !EvalOK || EvalResult;
12687 bool ShouldVisitFalseExpr = !EvalOK || !EvalResult;
12688 if (ShouldVisitTrueExpr) {
12689 Region = TrueRegion;
12690 Visit(CO->getTrueExpr());
12691 }
12692 if (ShouldVisitFalseExpr) {
12693 Region = FalseRegion;
12694 Visit(CO->getFalseExpr());
12695 }
12696
12697 Region = OldRegion;
12698 Tree.merge(ConditionRegion);
12699 Tree.merge(TrueRegion);
12700 Tree.merge(FalseRegion);
12701 }
12702
12703 void VisitCallExpr(const CallExpr *CE) {
12704 // FIXME: CXXNewExpr and CXXDeleteExpr implicitly call functions.
12705
12706 if (CE->isUnevaluatedBuiltinCall(Context))
12707 return;
12708
12709 // C++11 [intro.execution]p15:
12710 // When calling a function [...], every value computation and side effect
12711 // associated with any argument expression, or with the postfix expression
12712 // designating the called function, is sequenced before execution of every
12713 // expression or statement in the body of the function [and thus before
12714 // the value computation of its result].
12715 SequencedSubexpression Sequenced(*this);
12716 SemaRef.runWithSufficientStackSpace(CE->getExprLoc(), [&] {
12717 // C++17 [expr.call]p5
12718 // The postfix-expression is sequenced before each expression in the
12719 // expression-list and any default argument. [...]
12720 SequenceTree::Seq CalleeRegion;
12721 SequenceTree::Seq OtherRegion;
12722 if (SemaRef.getLangOpts().CPlusPlus17) {
12723 CalleeRegion = Tree.allocate(Region);
12724 OtherRegion = Tree.allocate(Region);
12725 } else {
12726 CalleeRegion = Region;
12727 OtherRegion = Region;
12728 }
12729 SequenceTree::Seq OldRegion = Region;
12730
12731 // Visit the callee expression first.
12732 Region = CalleeRegion;
12733 if (SemaRef.getLangOpts().CPlusPlus17) {
12734 SequencedSubexpression Sequenced(*this);
12735 Visit(CE->getCallee());
12736 } else {
12737 Visit(CE->getCallee());
12738 }
12739
12740 // Then visit the argument expressions.
12741 Region = OtherRegion;
12742 for (const Expr *Argument : CE->arguments())
12743 Visit(Argument);
12744
12745 Region = OldRegion;
12746 if (SemaRef.getLangOpts().CPlusPlus17) {
12747 Tree.merge(CalleeRegion);
12748 Tree.merge(OtherRegion);
12749 }
12750 });
12751 }
12752
12753 void VisitCXXOperatorCallExpr(const CXXOperatorCallExpr *CXXOCE) {
12754 // C++17 [over.match.oper]p2:
12755 // [...] the operator notation is first transformed to the equivalent
12756 // function-call notation as summarized in Table 12 (where @ denotes one
12757 // of the operators covered in the specified subclause). However, the
12758 // operands are sequenced in the order prescribed for the built-in
12759 // operator (Clause 8).
12760 //
12761 // From the above only overloaded binary operators and overloaded call
12762 // operators have sequencing rules in C++17 that we need to handle
12763 // separately.
12764 if (!SemaRef.getLangOpts().CPlusPlus17 ||
12765 (CXXOCE->getNumArgs() != 2 && CXXOCE->getOperator() != OO_Call))
12766 return VisitCallExpr(CXXOCE);
12767
12768 enum {
12769 NoSequencing,
12770 LHSBeforeRHS,
12771 RHSBeforeLHS,
12772 LHSBeforeRest
12773 } SequencingKind;
12774 switch (CXXOCE->getOperator()) {
12775 case OO_Equal:
12776 case OO_PlusEqual:
12777 case OO_MinusEqual:
12778 case OO_StarEqual:
12779 case OO_SlashEqual:
12780 case OO_PercentEqual:
12781 case OO_CaretEqual:
12782 case OO_AmpEqual:
12783 case OO_PipeEqual:
12784 case OO_LessLessEqual:
12785 case OO_GreaterGreaterEqual:
12786 SequencingKind = RHSBeforeLHS;
12787 break;
12788
12789 case OO_LessLess:
12790 case OO_GreaterGreater:
12791 case OO_AmpAmp:
12792 case OO_PipePipe:
12793 case OO_Comma:
12794 case OO_ArrowStar:
12795 case OO_Subscript:
12796 SequencingKind = LHSBeforeRHS;
12797 break;
12798
12799 case OO_Call:
12800 SequencingKind = LHSBeforeRest;
12801 break;
12802
12803 default:
12804 SequencingKind = NoSequencing;
12805 break;
12806 }
12807
12808 if (SequencingKind == NoSequencing)
12809 return VisitCallExpr(CXXOCE);
12810
12811 // This is a call, so all subexpressions are sequenced before the result.
12812 SequencedSubexpression Sequenced(*this);
12813
12814 SemaRef.runWithSufficientStackSpace(CXXOCE->getExprLoc(), [&] {
12815 assert(SemaRef.getLangOpts().CPlusPlus17 &&
12816 "Should only get there with C++17 and above!");
12817 assert((CXXOCE->getNumArgs() == 2 || CXXOCE->getOperator() == OO_Call) &&
12818 "Should only get there with an overloaded binary operator"
12819 " or an overloaded call operator!");
12820
12821 if (SequencingKind == LHSBeforeRest) {
12822 assert(CXXOCE->getOperator() == OO_Call &&
12823 "We should only have an overloaded call operator here!");
12824
12825 // This is very similar to VisitCallExpr, except that we only have the
12826 // C++17 case. The postfix-expression is the first argument of the
12827 // CXXOperatorCallExpr. The expressions in the expression-list, if any,
12828 // are in the following arguments.
12829 //
12830 // Note that we intentionally do not visit the callee expression since
12831 // it is just a decayed reference to a function.
12832 SequenceTree::Seq PostfixExprRegion = Tree.allocate(Region);
12833 SequenceTree::Seq ArgsRegion = Tree.allocate(Region);
12834 SequenceTree::Seq OldRegion = Region;
12835
12836 assert(CXXOCE->getNumArgs() >= 1 &&
12837 "An overloaded call operator must have at least one argument"
12838 " for the postfix-expression!");
12839 const Expr *PostfixExpr = CXXOCE->getArgs()[0];
12840 llvm::ArrayRef<const Expr *> Args(CXXOCE->getArgs() + 1,
12841 CXXOCE->getNumArgs() - 1);
12842
12843 // Visit the postfix-expression first.
12844 {
12845 Region = PostfixExprRegion;
12846 SequencedSubexpression Sequenced(*this);
12847 Visit(PostfixExpr);
12848 }
12849
12850 // Then visit the argument expressions.
12851 Region = ArgsRegion;
12852 for (const Expr *Arg : Args)
12853 Visit(Arg);
12854
12855 Region = OldRegion;
12856 Tree.merge(PostfixExprRegion);
12857 Tree.merge(ArgsRegion);
12858 } else {
12859 assert(CXXOCE->getNumArgs() == 2 &&
12860 "Should only have two arguments here!");
12861 assert((SequencingKind == LHSBeforeRHS ||
12862 SequencingKind == RHSBeforeLHS) &&
12863 "Unexpected sequencing kind!");
12864
12865 // We do not visit the callee expression since it is just a decayed
12866 // reference to a function.
12867 const Expr *E1 = CXXOCE->getArg(0);
12868 const Expr *E2 = CXXOCE->getArg(1);
12869 if (SequencingKind == RHSBeforeLHS)
12870 std::swap(E1, E2);
12871
12872 return VisitSequencedExpressions(E1, E2);
12873 }
12874 });
12875 }
12876
12877 void VisitCXXConstructExpr(const CXXConstructExpr *CCE) {
12878 // This is a call, so all subexpressions are sequenced before the result.
12879 SequencedSubexpression Sequenced(*this);
12880
12881 if (!CCE->isListInitialization())
12882 return VisitExpr(CCE);
12883
12884 // In C++11, list initializations are sequenced.
12885 SequenceExpressionsInOrder(
12886 llvm::ArrayRef(CCE->getArgs(), CCE->getNumArgs()));
12887 }
12888
12889 void VisitInitListExpr(const InitListExpr *ILE) {
12890 if (!SemaRef.getLangOpts().CPlusPlus11)
12891 return VisitExpr(ILE);
12892
12893 // In C++11, list initializations are sequenced.
12894 SequenceExpressionsInOrder(ILE->inits());
12895 }
12896
12897 void VisitCXXParenListInitExpr(const CXXParenListInitExpr *PLIE) {
12898 // C++20 parenthesized list initializations are sequenced. See C++20
12899 // [decl.init.general]p16.5 and [decl.init.general]p16.6.2.2.
12900 SequenceExpressionsInOrder(PLIE->getInitExprs());
12901 }
12902
12903 private:
12904 void SequenceExpressionsInOrder(ArrayRef<const Expr *> ExpressionList) {
12905 SmallVector<SequenceTree::Seq, 32> Elts;
12906 SequenceTree::Seq Parent = Region;
12907 for (const Expr *E : ExpressionList) {
12908 if (!E)
12909 continue;
12910 Region = Tree.allocate(Parent);
12911 Elts.push_back(Region);
12912 Visit(E);
12913 }
12914
12915 // Forget that the initializers are sequenced.
12916 Region = Parent;
12917 for (unsigned I = 0; I < Elts.size(); ++I)
12918 Tree.merge(Elts[I]);
12919 }
12920 };
12921
12922 SequenceChecker::UsageInfo::UsageInfo() = default;
12923
12924 } // namespace
12925
12926 void Sema::CheckUnsequencedOperations(const Expr *E) {
12927 SmallVector<const Expr *, 8> WorkList;
12928 WorkList.push_back(E);
12929 while (!WorkList.empty()) {
12930 const Expr *Item = WorkList.pop_back_val();
12931 SequenceChecker(*this, Item, WorkList);
12932 }
12933 }
12934
12935 void Sema::CheckCompletedExpr(Expr *E, SourceLocation CheckLoc,
12936 bool IsConstexpr) {
12937 llvm::SaveAndRestore ConstantContext(isConstantEvaluatedOverride,
12938 IsConstexpr || isa<ConstantExpr>(E));
12939 CheckImplicitConversions(E, CheckLoc);
12940 if (!E->isInstantiationDependent())
12941 CheckUnsequencedOperations(E);
12942 if (!IsConstexpr && !E->isValueDependent())
12943 CheckForIntOverflow(E);
12944 DiagnoseMisalignedMembers();
12945 }
12946
12947 void Sema::CheckBitFieldInitialization(SourceLocation InitLoc,
12948 FieldDecl *BitField,
12949 Expr *Init) {
12950 (void) AnalyzeBitFieldAssignment(*this, BitField, Init, InitLoc);
12951 }
12952
12953 static void diagnoseArrayStarInParamType(Sema &S, QualType PType,
12954 SourceLocation Loc) {
12955 if (!PType->isVariablyModifiedType())
12956 return;
12957 if (const auto *PointerTy = dyn_cast<PointerType>(PType)) {
12958 diagnoseArrayStarInParamType(S, PointerTy->getPointeeType(), Loc);
12959 return;
12960 }
12961 if (const auto *ReferenceTy = dyn_cast<ReferenceType>(PType)) {
12962 diagnoseArrayStarInParamType(S, ReferenceTy->getPointeeType(), Loc);
12963 return;
12964 }
12965 if (const auto *ParenTy = dyn_cast<ParenType>(PType)) {
12966 diagnoseArrayStarInParamType(S, ParenTy->getInnerType(), Loc);
12967 return;
12968 }
12969
12970 const ArrayType *AT = S.Context.getAsArrayType(PType);
12971 if (!AT)
12972 return;
12973
12974 if (AT->getSizeModifier() != ArraySizeModifier::Star) {
12975 diagnoseArrayStarInParamType(S, AT->getElementType(), Loc);
12976 return;
12977 }
12978
12979 S.Diag(Loc, diag::err_array_star_in_function_definition);
12980 }
12981
12982 bool Sema::CheckParmsForFunctionDef(ArrayRef<ParmVarDecl *> Parameters,
12983 bool CheckParameterNames) {
12984 bool HasInvalidParm = false;
12985 for (ParmVarDecl *Param : Parameters) {
12986 assert(Param && "null in a parameter list");
12987 // C99 6.7.5.3p4: the parameters in a parameter type list in a
12988 // function declarator that is part of a function definition of
12989 // that function shall not have incomplete type.
12990 //
12991 // C++23 [dcl.fct.def.general]/p2
12992 // The type of a parameter [...] for a function definition
12993 // shall not be a (possibly cv-qualified) class type that is incomplete
12994 // or abstract within the function body unless the function is deleted.
12995 if (!Param->isInvalidDecl() &&
12996 (RequireCompleteType(Param->getLocation(), Param->getType(),
12997 diag::err_typecheck_decl_incomplete_type) ||
12998 RequireNonAbstractType(Param->getBeginLoc(), Param->getOriginalType(),
12999 diag::err_abstract_type_in_decl,
13000 AbstractParamType))) {
13001 Param->setInvalidDecl();
13002 HasInvalidParm = true;
13003 }
13004
13005 // C99 6.9.1p5: If the declarator includes a parameter type list, the
13006 // declaration of each parameter shall include an identifier.
13007 if (CheckParameterNames && Param->getIdentifier() == nullptr &&
13008 !Param->isImplicit() && !getLangOpts().CPlusPlus) {
13009 // Diagnose this as an extension in C17 and earlier.
13010 if (!getLangOpts().C23)
13011 Diag(Param->getLocation(), diag::ext_parameter_name_omitted_c23);
13012 }
13013
13014 // C99 6.7.5.3p12:
13015 // If the function declarator is not part of a definition of that
13016 // function, parameters may have incomplete type and may use the [*]
13017 // notation in their sequences of declarator specifiers to specify
13018 // variable length array types.
13019 QualType PType = Param->getOriginalType();
13020 // FIXME: This diagnostic should point the '[*]' if source-location
13021 // information is added for it.
13022 diagnoseArrayStarInParamType(*this, PType, Param->getLocation());
13023
13024 // If the parameter is a c++ class type and it has to be destructed in the
13025 // callee function, declare the destructor so that it can be called by the
13026 // callee function. Do not perform any direct access check on the dtor here.
13027 if (!Param->isInvalidDecl()) {
13028 if (CXXRecordDecl *ClassDecl = Param->getType()->getAsCXXRecordDecl()) {
13029 if (!ClassDecl->isInvalidDecl() &&
13030 !ClassDecl->hasIrrelevantDestructor() &&
13031 !ClassDecl->isDependentContext() &&
13032 ClassDecl->isParamDestroyedInCallee()) {
13033 CXXDestructorDecl *Destructor = LookupDestructor(ClassDecl);
13034 MarkFunctionReferenced(Param->getLocation(), Destructor);
13035 DiagnoseUseOfDecl(Destructor, Param->getLocation());
13036 }
13037 }
13038 }
13039
13040 // Parameters with the pass_object_size attribute only need to be marked
13041 // constant at function definitions. Because we lack information about
13042 // whether we're on a declaration or definition when we're instantiating the
13043 // attribute, we need to check for constness here.
13044 if (const auto *Attr = Param->getAttr<PassObjectSizeAttr>())
13045 if (!Param->getType().isConstQualified())
13046 Diag(Param->getLocation(), diag::err_attribute_pointers_only)
13047 << Attr->getSpelling() << 1;
13048
13049 // Check for parameter names shadowing fields from the class.
13050 if (LangOpts.CPlusPlus && !Param->isInvalidDecl()) {
13051 // The owning context for the parameter should be the function, but we
13052 // want to see if this function's declaration context is a record.
13053 DeclContext *DC = Param->getDeclContext();
13054 if (DC && DC->isFunctionOrMethod()) {
13055 if (auto *RD = dyn_cast<CXXRecordDecl>(DC->getParent()))
13056 CheckShadowInheritedFields(Param->getLocation(), Param->getDeclName(),
13057 RD, /*DeclIsField*/ false);
13058 }
13059 }
13060
13061 if (!Param->isInvalidDecl() &&
13062 Param->getOriginalType()->isWebAssemblyTableType()) {
13063 Param->setInvalidDecl();
13064 HasInvalidParm = true;
13065 Diag(Param->getLocation(), diag::err_wasm_table_as_function_parameter);
13066 }
13067 }
13068
13069 return HasInvalidParm;
13070 }
13071
13072 std::optional<std::pair<
13073 CharUnits, CharUnits>> static getBaseAlignmentAndOffsetFromPtr(const Expr
13074 *E,
13075 ASTContext
13076 &Ctx);
13077
13078 /// Compute the alignment and offset of the base class object given the
13079 /// derived-to-base cast expression and the alignment and offset of the derived
13080 /// class object.
13081 static std::pair<CharUnits, CharUnits>
13082 getDerivedToBaseAlignmentAndOffset(const CastExpr *CE, QualType DerivedType,
13083 CharUnits BaseAlignment, CharUnits Offset,
13084 ASTContext &Ctx) {
13085 for (auto PathI = CE->path_begin(), PathE = CE->path_end(); PathI != PathE;
13086 ++PathI) {
13087 const CXXBaseSpecifier *Base = *PathI;
13088 const CXXRecordDecl *BaseDecl = Base->getType()->getAsCXXRecordDecl();
13089 if (Base->isVirtual()) {
13090 // The complete object may have a lower alignment than the non-virtual
13091 // alignment of the base, in which case the base may be misaligned. Choose
13092 // the smaller of the non-virtual alignment and BaseAlignment, which is a
13093 // conservative lower bound of the complete object alignment.
13094 CharUnits NonVirtualAlignment =
13095 Ctx.getASTRecordLayout(BaseDecl).getNonVirtualAlignment();
13096 BaseAlignment = std::min(BaseAlignment, NonVirtualAlignment);
13097 Offset = CharUnits::Zero();
13098 } else {
13099 const ASTRecordLayout &RL =
13100 Ctx.getASTRecordLayout(DerivedType->getAsCXXRecordDecl());
13101 Offset += RL.getBaseClassOffset(BaseDecl);
13102 }
13103 DerivedType = Base->getType();
13104 }
13105
13106 return std::make_pair(BaseAlignment, Offset);
13107 }
13108
13109 /// Compute the alignment and offset of a binary additive operator.
13110 static std::optional<std::pair<CharUnits, CharUnits>>
13111 getAlignmentAndOffsetFromBinAddOrSub(const Expr *PtrE, const Expr *IntE,
13112 bool IsSub, ASTContext &Ctx) {
13113 QualType PointeeType = PtrE->getType()->getPointeeType();
13114
13115 if (!PointeeType->isConstantSizeType())
13116 return std::nullopt;
13117
13118 auto P = getBaseAlignmentAndOffsetFromPtr(PtrE, Ctx);
13119
13120 if (!P)
13121 return std::nullopt;
13122
13123 CharUnits EltSize = Ctx.getTypeSizeInChars(PointeeType);
13124 if (std::optional<llvm::APSInt> IdxRes = IntE->getIntegerConstantExpr(Ctx)) {
13125 CharUnits Offset = EltSize * IdxRes->getExtValue();
13126 if (IsSub)
13127 Offset = -Offset;
13128 return std::make_pair(P->first, P->second + Offset);
13129 }
13130
13131 // If the integer expression isn't a constant expression, compute the lower
13132 // bound of the alignment using the alignment and offset of the pointer
13133 // expression and the element size.
13134 return std::make_pair(
13135 P->first.alignmentAtOffset(P->second).alignmentAtOffset(EltSize),
13136 CharUnits::Zero());
13137 }
13138
13139 /// This helper function takes an lvalue expression and returns the alignment of
13140 /// a VarDecl and a constant offset from the VarDecl.
13141 std::optional<std::pair<
13142 CharUnits,
13143 CharUnits>> static getBaseAlignmentAndOffsetFromLValue(const Expr *E,
13144 ASTContext &Ctx) {
13145 E = E->IgnoreParens();
13146 switch (E->getStmtClass()) {
13147 default:
13148 break;
13149 case Stmt::CStyleCastExprClass:
13150 case Stmt::CXXStaticCastExprClass:
13151 case Stmt::ImplicitCastExprClass: {
13152 auto *CE = cast<CastExpr>(E);
13153 const Expr *From = CE->getSubExpr();
13154 switch (CE->getCastKind()) {
13155 default:
13156 break;
13157 case CK_NoOp:
13158 return getBaseAlignmentAndOffsetFromLValue(From, Ctx);
13159 case CK_UncheckedDerivedToBase:
13160 case CK_DerivedToBase: {
13161 auto P = getBaseAlignmentAndOffsetFromLValue(From, Ctx);
13162 if (!P)
13163 break;
13164 return getDerivedToBaseAlignmentAndOffset(CE, From->getType(), P->first,
13165 P->second, Ctx);
13166 }
13167 }
13168 break;
13169 }
13170 case Stmt::ArraySubscriptExprClass: {
13171 auto *ASE = cast<ArraySubscriptExpr>(E);
13172 return getAlignmentAndOffsetFromBinAddOrSub(ASE->getBase(), ASE->getIdx(),
13173 false, Ctx);
13174 }
13175 case Stmt::DeclRefExprClass: {
13176 if (auto *VD = dyn_cast<VarDecl>(cast<DeclRefExpr>(E)->getDecl())) {
13177 // FIXME: If VD is captured by copy or is an escaping __block variable,
13178 // use the alignment of VD's type.
13179 if (!VD->getType()->isReferenceType()) {
13180 // Dependent alignment cannot be resolved -> bail out.
13181 if (VD->hasDependentAlignment())
13182 break;
13183 return std::make_pair(Ctx.getDeclAlign(VD), CharUnits::Zero());
13184 }
13185 if (VD->hasInit())
13186 return getBaseAlignmentAndOffsetFromLValue(VD->getInit(), Ctx);
13187 }
13188 break;
13189 }
13190 case Stmt::MemberExprClass: {
13191 auto *ME = cast<MemberExpr>(E);
13192 auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl());
13193 if (!FD || FD->getType()->isReferenceType() ||
13194 FD->getParent()->isInvalidDecl())
13195 break;
13196 std::optional<std::pair<CharUnits, CharUnits>> P;
13197 if (ME->isArrow())
13198 P = getBaseAlignmentAndOffsetFromPtr(ME->getBase(), Ctx);
13199 else
13200 P = getBaseAlignmentAndOffsetFromLValue(ME->getBase(), Ctx);
13201 if (!P)
13202 break;
13203 const ASTRecordLayout &Layout = Ctx.getASTRecordLayout(FD->getParent());
13204 uint64_t Offset = Layout.getFieldOffset(FD->getFieldIndex());
13205 return std::make_pair(P->first,
13206 P->second + CharUnits::fromQuantity(Offset));
13207 }
13208 case Stmt::UnaryOperatorClass: {
13209 auto *UO = cast<UnaryOperator>(E);
13210 switch (UO->getOpcode()) {
13211 default:
13212 break;
13213 case UO_Deref:
13214 return getBaseAlignmentAndOffsetFromPtr(UO->getSubExpr(), Ctx);
13215 }
13216 break;
13217 }
13218 case Stmt::BinaryOperatorClass: {
13219 auto *BO = cast<BinaryOperator>(E);
13220 auto Opcode = BO->getOpcode();
13221 switch (Opcode) {
13222 default:
13223 break;
13224 case BO_Comma:
13225 return getBaseAlignmentAndOffsetFromLValue(BO->getRHS(), Ctx);
13226 }
13227 break;
13228 }
13229 }
13230 return std::nullopt;
13231 }
13232
13233 /// This helper function takes a pointer expression and returns the alignment of
13234 /// a VarDecl and a constant offset from the VarDecl.
13235 std::optional<std::pair<
13236 CharUnits, CharUnits>> static getBaseAlignmentAndOffsetFromPtr(const Expr
13237 *E,
13238 ASTContext
13239 &Ctx) {
13240 E = E->IgnoreParens();
13241 switch (E->getStmtClass()) {
13242 default:
13243 break;
13244 case Stmt::CStyleCastExprClass:
13245 case Stmt::CXXStaticCastExprClass:
13246 case Stmt::ImplicitCastExprClass: {
13247 auto *CE = cast<CastExpr>(E);
13248 const Expr *From = CE->getSubExpr();
13249 switch (CE->getCastKind()) {
13250 default:
13251 break;
13252 case CK_NoOp:
13253 return getBaseAlignmentAndOffsetFromPtr(From, Ctx);
13254 case CK_ArrayToPointerDecay:
13255 return getBaseAlignmentAndOffsetFromLValue(From, Ctx);
13256 case CK_UncheckedDerivedToBase:
13257 case CK_DerivedToBase: {
13258 auto P = getBaseAlignmentAndOffsetFromPtr(From, Ctx);
13259 if (!P)
13260 break;
13261 return getDerivedToBaseAlignmentAndOffset(
13262 CE, From->getType()->getPointeeType(), P->first, P->second, Ctx);
13263 }
13264 }
13265 break;
13266 }
13267 case Stmt::CXXThisExprClass: {
13268 auto *RD = E->getType()->getPointeeType()->getAsCXXRecordDecl();
13269 CharUnits Alignment = Ctx.getASTRecordLayout(RD).getNonVirtualAlignment();
13270 return std::make_pair(Alignment, CharUnits::Zero());
13271 }
13272 case Stmt::UnaryOperatorClass: {
13273 auto *UO = cast<UnaryOperator>(E);
13274 if (UO->getOpcode() == UO_AddrOf)
13275 return getBaseAlignmentAndOffsetFromLValue(UO->getSubExpr(), Ctx);
13276 break;
13277 }
13278 case Stmt::BinaryOperatorClass: {
13279 auto *BO = cast<BinaryOperator>(E);
13280 auto Opcode = BO->getOpcode();
13281 switch (Opcode) {
13282 default:
13283 break;
13284 case BO_Add:
13285 case BO_Sub: {
13286 const Expr *LHS = BO->getLHS(), *RHS = BO->getRHS();
13287 if (Opcode == BO_Add && !RHS->getType()->isIntegralOrEnumerationType())
13288 std::swap(LHS, RHS);
13289 return getAlignmentAndOffsetFromBinAddOrSub(LHS, RHS, Opcode == BO_Sub,
13290 Ctx);
13291 }
13292 case BO_Comma:
13293 return getBaseAlignmentAndOffsetFromPtr(BO->getRHS(), Ctx);
13294 }
13295 break;
13296 }
13297 }
13298 return std::nullopt;
13299 }
13300
13301 static CharUnits getPresumedAlignmentOfPointer(const Expr *E, Sema &S) {
13302 // See if we can compute the alignment of a VarDecl and an offset from it.
13303 std::optional<std::pair<CharUnits, CharUnits>> P =
13304 getBaseAlignmentAndOffsetFromPtr(E, S.Context);
13305
13306 if (P)
13307 return P->first.alignmentAtOffset(P->second);
13308
13309 // If that failed, return the type's alignment.
13310 return S.Context.getTypeAlignInChars(E->getType()->getPointeeType());
13311 }
13312
13313 void Sema::CheckCastAlign(Expr *Op, QualType T, SourceRange TRange) {
13314 // This is actually a lot of work to potentially be doing on every
13315 // cast; don't do it if we're ignoring -Wcast_align (as is the default).
13316 if (getDiagnostics().isIgnored(diag::warn_cast_align, TRange.getBegin()))
13317 return;
13318
13319 // Ignore dependent types.
13320 if (T->isDependentType() || Op->getType()->isDependentType())
13321 return;
13322
13323 // Require that the destination be a pointer type.
13324 const PointerType *DestPtr = T->getAs<PointerType>();
13325 if (!DestPtr) return;
13326
13327 // If the destination has alignment 1, we're done.
13328 QualType DestPointee = DestPtr->getPointeeType();
13329 if (DestPointee->isIncompleteType()) return;
13330 CharUnits DestAlign = Context.getTypeAlignInChars(DestPointee);
13331 if (DestAlign.isOne()) return;
13332
13333 // Require that the source be a pointer type.
13334 const PointerType *SrcPtr = Op->getType()->getAs<PointerType>();
13335 if (!SrcPtr) return;
13336 QualType SrcPointee = SrcPtr->getPointeeType();
13337
13338 // Explicitly allow casts from cv void*. We already implicitly
13339 // allowed casts to cv void*, since they have alignment 1.
13340 // Also allow casts involving incomplete types, which implicitly
13341 // includes 'void'.
13342 if (SrcPointee->isIncompleteType()) return;
13343
13344 CharUnits SrcAlign = getPresumedAlignmentOfPointer(Op, *this);
13345
13346 if (SrcAlign >= DestAlign) return;
13347
13348 Diag(TRange.getBegin(), diag::warn_cast_align)
13349 << Op->getType() << T
13350 << static_cast<unsigned>(SrcAlign.getQuantity())
13351 << static_cast<unsigned>(DestAlign.getQuantity())
13352 << TRange << Op->getSourceRange();
13353 }
13354
13355 void Sema::CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
13356 const ArraySubscriptExpr *ASE,
13357 bool AllowOnePastEnd, bool IndexNegated) {
13358 // Already diagnosed by the constant evaluator.
13359 if (isConstantEvaluatedContext())
13360 return;
13361
13362 IndexExpr = IndexExpr->IgnoreParenImpCasts();
13363 if (IndexExpr->isValueDependent())
13364 return;
13365
13366 const Type *EffectiveType =
13367 BaseExpr->getType()->getPointeeOrArrayElementType();
13368 BaseExpr = BaseExpr->IgnoreParenCasts();
13369 const ConstantArrayType *ArrayTy =
13370 Context.getAsConstantArrayType(BaseExpr->getType());
13371
13372 LangOptions::StrictFlexArraysLevelKind
13373 StrictFlexArraysLevel = getLangOpts().getStrictFlexArraysLevel();
13374
13375 const Type *BaseType =
13376 ArrayTy == nullptr ? nullptr : ArrayTy->getElementType().getTypePtr();
13377 bool IsUnboundedArray =
13378 BaseType == nullptr || BaseExpr->isFlexibleArrayMemberLike(
13379 Context, StrictFlexArraysLevel,
13380 /*IgnoreTemplateOrMacroSubstitution=*/true);
13381 if (EffectiveType->isDependentType() ||
13382 (!IsUnboundedArray && BaseType->isDependentType()))
13383 return;
13384
13385 Expr::EvalResult Result;
13386 if (!IndexExpr->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects))
13387 return;
13388
13389 llvm::APSInt index = Result.Val.getInt();
13390 if (IndexNegated) {
13391 index.setIsUnsigned(false);
13392 index = -index;
13393 }
13394
13395 if (IsUnboundedArray) {
13396 if (EffectiveType->isFunctionType())
13397 return;
13398 if (index.isUnsigned() || !index.isNegative()) {
13399 const auto &ASTC = getASTContext();
13400 unsigned AddrBits = ASTC.getTargetInfo().getPointerWidth(
13401 EffectiveType->getCanonicalTypeInternal().getAddressSpace());
13402 if (index.getBitWidth() < AddrBits)
13403 index = index.zext(AddrBits);
13404 std::optional<CharUnits> ElemCharUnits =
13405 ASTC.getTypeSizeInCharsIfKnown(EffectiveType);
13406 // PR50741 - If EffectiveType has unknown size (e.g., if it's a void
13407 // pointer) bounds-checking isn't meaningful.
13408 if (!ElemCharUnits || ElemCharUnits->isZero())
13409 return;
13410 llvm::APInt ElemBytes(index.getBitWidth(), ElemCharUnits->getQuantity());
13411 // If index has more active bits than address space, we already know
13412 // we have a bounds violation to warn about. Otherwise, compute
13413 // address of (index + 1)th element, and warn about bounds violation
13414 // only if that address exceeds address space.
13415 if (index.getActiveBits() <= AddrBits) {
13416 bool Overflow;
13417 llvm::APInt Product(index);
13418 Product += 1;
13419 Product = Product.umul_ov(ElemBytes, Overflow);
13420 if (!Overflow && Product.getActiveBits() <= AddrBits)
13421 return;
13422 }
13423
13424 // Need to compute max possible elements in address space, since that
13425 // is included in diag message.
13426 llvm::APInt MaxElems = llvm::APInt::getMaxValue(AddrBits);
13427 MaxElems = MaxElems.zext(std::max(AddrBits + 1, ElemBytes.getBitWidth()));
13428 MaxElems += 1;
13429 ElemBytes = ElemBytes.zextOrTrunc(MaxElems.getBitWidth());
13430 MaxElems = MaxElems.udiv(ElemBytes);
13431
13432 unsigned DiagID =
13433 ASE ? diag::warn_array_index_exceeds_max_addressable_bounds
13434 : diag::warn_ptr_arith_exceeds_max_addressable_bounds;
13435
13436 // Diag message shows element size in bits and in "bytes" (platform-
13437 // dependent CharUnits)
13438 DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
13439 PDiag(DiagID)
13440 << toString(index, 10, true) << AddrBits
13441 << (unsigned)ASTC.toBits(*ElemCharUnits)
13442 << toString(ElemBytes, 10, false)
13443 << toString(MaxElems, 10, false)
13444 << (unsigned)MaxElems.getLimitedValue(~0U)
13445 << IndexExpr->getSourceRange());
13446
13447 const NamedDecl *ND = nullptr;
13448 // Try harder to find a NamedDecl to point at in the note.
13449 while (const auto *ASE = dyn_cast<ArraySubscriptExpr>(BaseExpr))
13450 BaseExpr = ASE->getBase()->IgnoreParenCasts();
13451 if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
13452 ND = DRE->getDecl();
13453 if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
13454 ND = ME->getMemberDecl();
13455
13456 if (ND)
13457 DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
13458 PDiag(diag::note_array_declared_here) << ND);
13459 }
13460 return;
13461 }
13462
13463 if (index.isUnsigned() || !index.isNegative()) {
13464 // It is possible that the type of the base expression after
13465 // IgnoreParenCasts is incomplete, even though the type of the base
13466 // expression before IgnoreParenCasts is complete (see PR39746 for an
13467 // example). In this case we have no information about whether the array
13468 // access exceeds the array bounds. However we can still diagnose an array
13469 // access which precedes the array bounds.
13470 if (BaseType->isIncompleteType())
13471 return;
13472
13473 llvm::APInt size = ArrayTy->getSize();
13474
13475 if (BaseType != EffectiveType) {
13476 // Make sure we're comparing apples to apples when comparing index to
13477 // size.
13478 uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType);
13479 uint64_t array_typesize = Context.getTypeSize(BaseType);
13480
13481 // Handle ptrarith_typesize being zero, such as when casting to void*.
13482 // Use the size in bits (what "getTypeSize()" returns) rather than bytes.
13483 if (!ptrarith_typesize)
13484 ptrarith_typesize = Context.getCharWidth();
13485
13486 if (ptrarith_typesize != array_typesize) {
13487 // There's a cast to a different size type involved.
13488 uint64_t ratio = array_typesize / ptrarith_typesize;
13489
13490 // TODO: Be smarter about handling cases where array_typesize is not a
13491 // multiple of ptrarith_typesize.
13492 if (ptrarith_typesize * ratio == array_typesize)
13493 size *= llvm::APInt(size.getBitWidth(), ratio);
13494 }
13495 }
13496
13497 if (size.getBitWidth() > index.getBitWidth())
13498 index = index.zext(size.getBitWidth());
13499 else if (size.getBitWidth() < index.getBitWidth())
13500 size = size.zext(index.getBitWidth());
13501
13502 // For array subscripting the index must be less than size, but for pointer
13503 // arithmetic also allow the index (offset) to be equal to size since
13504 // computing the next address after the end of the array is legal and
13505 // commonly done e.g. in C++ iterators and range-based for loops.
13506 if (AllowOnePastEnd ? index.ule(size) : index.ult(size))
13507 return;
13508
13509 // Suppress the warning if the subscript expression (as identified by the
13510 // ']' location) and the index expression are both from macro expansions
13511 // within a system header.
13512 if (ASE) {
13513 SourceLocation RBracketLoc = SourceMgr.getSpellingLoc(
13514 ASE->getRBracketLoc());
13515 if (SourceMgr.isInSystemHeader(RBracketLoc)) {
13516 SourceLocation IndexLoc =
13517 SourceMgr.getSpellingLoc(IndexExpr->getBeginLoc());
13518 if (SourceMgr.isWrittenInSameFile(RBracketLoc, IndexLoc))
13519 return;
13520 }
13521 }
13522
13523 unsigned DiagID = ASE ? diag::warn_array_index_exceeds_bounds
13524 : diag::warn_ptr_arith_exceeds_bounds;
13525 unsigned CastMsg = (!ASE || BaseType == EffectiveType) ? 0 : 1;
13526 QualType CastMsgTy = ASE ? ASE->getLHS()->getType() : QualType();
13527
13528 DiagRuntimeBehavior(
13529 BaseExpr->getBeginLoc(), BaseExpr,
13530 PDiag(DiagID) << toString(index, 10, true) << ArrayTy->desugar()
13531 << CastMsg << CastMsgTy << IndexExpr->getSourceRange());
13532 } else {
13533 unsigned DiagID = diag::warn_array_index_precedes_bounds;
13534 if (!ASE) {
13535 DiagID = diag::warn_ptr_arith_precedes_bounds;
13536 if (index.isNegative()) index = -index;
13537 }
13538
13539 DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
13540 PDiag(DiagID) << toString(index, 10, true)
13541 << IndexExpr->getSourceRange());
13542 }
13543
13544 const NamedDecl *ND = nullptr;
13545 // Try harder to find a NamedDecl to point at in the note.
13546 while (const auto *ASE = dyn_cast<ArraySubscriptExpr>(BaseExpr))
13547 BaseExpr = ASE->getBase()->IgnoreParenCasts();
13548 if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
13549 ND = DRE->getDecl();
13550 if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
13551 ND = ME->getMemberDecl();
13552
13553 if (ND)
13554 DiagRuntimeBehavior(ND->getBeginLoc(), BaseExpr,
13555 PDiag(diag::note_array_declared_here) << ND);
13556 }
13557
13558 void Sema::CheckArrayAccess(const Expr *expr) {
13559 int AllowOnePastEnd = 0;
13560 while (expr) {
13561 expr = expr->IgnoreParenImpCasts();
13562 switch (expr->getStmtClass()) {
13563 case Stmt::ArraySubscriptExprClass: {
13564 const ArraySubscriptExpr *ASE = cast<ArraySubscriptExpr>(expr);
13565 CheckArrayAccess(ASE->getBase(), ASE->getIdx(), ASE,
13566 AllowOnePastEnd > 0);
13567 expr = ASE->getBase();
13568 break;
13569 }
13570 case Stmt::MemberExprClass: {
13571 expr = cast<MemberExpr>(expr)->getBase();
13572 break;
13573 }
13574 case Stmt::ArraySectionExprClass: {
13575 const ArraySectionExpr *ASE = cast<ArraySectionExpr>(expr);
13576 // FIXME: We should probably be checking all of the elements to the
13577 // 'length' here as well.
13578 if (ASE->getLowerBound())
13579 CheckArrayAccess(ASE->getBase(), ASE->getLowerBound(),
13580 /*ASE=*/nullptr, AllowOnePastEnd > 0);
13581 return;
13582 }
13583 case Stmt::UnaryOperatorClass: {
13584 // Only unwrap the * and & unary operators
13585 const UnaryOperator *UO = cast<UnaryOperator>(expr);
13586 expr = UO->getSubExpr();
13587 switch (UO->getOpcode()) {
13588 case UO_AddrOf:
13589 AllowOnePastEnd++;
13590 break;
13591 case UO_Deref:
13592 AllowOnePastEnd--;
13593 break;
13594 default:
13595 return;
13596 }
13597 break;
13598 }
13599 case Stmt::ConditionalOperatorClass: {
13600 const ConditionalOperator *cond = cast<ConditionalOperator>(expr);
13601 if (const Expr *lhs = cond->getLHS())
13602 CheckArrayAccess(lhs);
13603 if (const Expr *rhs = cond->getRHS())
13604 CheckArrayAccess(rhs);
13605 return;
13606 }
13607 case Stmt::CXXOperatorCallExprClass: {
13608 const auto *OCE = cast<CXXOperatorCallExpr>(expr);
13609 for (const auto *Arg : OCE->arguments())
13610 CheckArrayAccess(Arg);
13611 return;
13612 }
13613 default:
13614 return;
13615 }
13616 }
13617 }
13618
13619 static bool checkUnsafeAssignLiteral(Sema &S, SourceLocation Loc,
13620 Expr *RHS, bool isProperty) {
13621 // Check if RHS is an Objective-C object literal, which also can get
13622 // immediately zapped in a weak reference. Note that we explicitly
13623 // allow ObjCStringLiterals, since those are designed to never really die.
13624 RHS = RHS->IgnoreParenImpCasts();
13625
13626 // This enum needs to match with the 'select' in
13627 // warn_objc_arc_literal_assign (off-by-1).
13628 SemaObjC::ObjCLiteralKind Kind = S.ObjC().CheckLiteralKind(RHS);
13629 if (Kind == SemaObjC::LK_String || Kind == SemaObjC::LK_None)
13630 return false;
13631
13632 S.Diag(Loc, diag::warn_arc_literal_assign)
13633 << (unsigned) Kind
13634 << (isProperty ? 0 : 1)
13635 << RHS->getSourceRange();
13636
13637 return true;
13638 }
13639
13640 static bool checkUnsafeAssignObject(Sema &S, SourceLocation Loc,
13641 Qualifiers::ObjCLifetime LT,
13642 Expr *RHS, bool isProperty) {
13643 // Strip off any implicit cast added to get to the one ARC-specific.
13644 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) {
13645 if (cast->getCastKind() == CK_ARCConsumeObject) {
13646 S.Diag(Loc, diag::warn_arc_retained_assign)
13647 << (LT == Qualifiers::OCL_ExplicitNone)
13648 << (isProperty ? 0 : 1)
13649 << RHS->getSourceRange();
13650 return true;
13651 }
13652 RHS = cast->getSubExpr();
13653 }
13654
13655 if (LT == Qualifiers::OCL_Weak &&
13656 checkUnsafeAssignLiteral(S, Loc, RHS, isProperty))
13657 return true;
13658
13659 return false;
13660 }
13661
13662 bool Sema::checkUnsafeAssigns(SourceLocation Loc,
13663 QualType LHS, Expr *RHS) {
13664 Qualifiers::ObjCLifetime LT = LHS.getObjCLifetime();
13665
13666 if (LT != Qualifiers::OCL_Weak && LT != Qualifiers::OCL_ExplicitNone)
13667 return false;
13668
13669 if (checkUnsafeAssignObject(*this, Loc, LT, RHS, false))
13670 return true;
13671
13672 return false;
13673 }
13674
13675 void Sema::checkUnsafeExprAssigns(SourceLocation Loc,
13676 Expr *LHS, Expr *RHS) {
13677 QualType LHSType;
13678 // PropertyRef on LHS type need be directly obtained from
13679 // its declaration as it has a PseudoType.
13680 ObjCPropertyRefExpr *PRE
13681 = dyn_cast<ObjCPropertyRefExpr>(LHS->IgnoreParens());
13682 if (PRE && !PRE->isImplicitProperty()) {
13683 const ObjCPropertyDecl *PD = PRE->getExplicitProperty();
13684 if (PD)
13685 LHSType = PD->getType();
13686 }
13687
13688 if (LHSType.isNull())
13689 LHSType = LHS->getType();
13690
13691 Qualifiers::ObjCLifetime LT = LHSType.getObjCLifetime();
13692
13693 if (LT == Qualifiers::OCL_Weak) {
13694 if (!Diags.isIgnored(diag::warn_arc_repeated_use_of_weak, Loc))
13695 getCurFunction()->markSafeWeakUse(LHS);
13696 }
13697
13698 if (checkUnsafeAssigns(Loc, LHSType, RHS))
13699 return;
13700
13701 // FIXME. Check for other life times.
13702 if (LT != Qualifiers::OCL_None)
13703 return;
13704
13705 if (PRE) {
13706 if (PRE->isImplicitProperty())
13707 return;
13708 const ObjCPropertyDecl *PD = PRE->getExplicitProperty();
13709 if (!PD)
13710 return;
13711
13712 unsigned Attributes = PD->getPropertyAttributes();
13713 if (Attributes & ObjCPropertyAttribute::kind_assign) {
13714 // when 'assign' attribute was not explicitly specified
13715 // by user, ignore it and rely on property type itself
13716 // for lifetime info.
13717 unsigned AsWrittenAttr = PD->getPropertyAttributesAsWritten();
13718 if (!(AsWrittenAttr & ObjCPropertyAttribute::kind_assign) &&
13719 LHSType->isObjCRetainableType())
13720 return;
13721
13722 while (ImplicitCastExpr *cast = dyn_cast<ImplicitCastExpr>(RHS)) {
13723 if (cast->getCastKind() == CK_ARCConsumeObject) {
13724 Diag(Loc, diag::warn_arc_retained_property_assign)
13725 << RHS->getSourceRange();
13726 return;
13727 }
13728 RHS = cast->getSubExpr();
13729 }
13730 } else if (Attributes & ObjCPropertyAttribute::kind_weak) {
13731 if (checkUnsafeAssignObject(*this, Loc, Qualifiers::OCL_Weak, RHS, true))
13732 return;
13733 }
13734 }
13735 }
13736
13737 //===--- CHECK: Empty statement body (-Wempty-body) ---------------------===//
13738
13739 static bool ShouldDiagnoseEmptyStmtBody(const SourceManager &SourceMgr,
13740 SourceLocation StmtLoc,
13741 const NullStmt *Body) {
13742 // Do not warn if the body is a macro that expands to nothing, e.g:
13743 //
13744 // #define CALL(x)
13745 // if (condition)
13746 // CALL(0);
13747 if (Body->hasLeadingEmptyMacro())
13748 return false;
13749
13750 // Get line numbers of statement and body.
13751 bool StmtLineInvalid;
13752 unsigned StmtLine = SourceMgr.getPresumedLineNumber(StmtLoc,
13753 &StmtLineInvalid);
13754 if (StmtLineInvalid)
13755 return false;
13756
13757 bool BodyLineInvalid;
13758 unsigned BodyLine = SourceMgr.getSpellingLineNumber(Body->getSemiLoc(),
13759 &BodyLineInvalid);
13760 if (BodyLineInvalid)
13761 return false;
13762
13763 // Warn if null statement and body are on the same line.
13764 if (StmtLine != BodyLine)
13765 return false;
13766
13767 return true;
13768 }
13769
13770 void Sema::DiagnoseEmptyStmtBody(SourceLocation StmtLoc,
13771 const Stmt *Body,
13772 unsigned DiagID) {
13773 // Since this is a syntactic check, don't emit diagnostic for template
13774 // instantiations, this just adds noise.
13775 if (CurrentInstantiationScope)
13776 return;
13777
13778 // The body should be a null statement.
13779 const NullStmt *NBody = dyn_cast<NullStmt>(Body);
13780 if (!NBody)
13781 return;
13782
13783 // Do the usual checks.
13784 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody))
13785 return;
13786
13787 Diag(NBody->getSemiLoc(), DiagID);
13788 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line);
13789 }
13790
13791 void Sema::DiagnoseEmptyLoopBody(const Stmt *S,
13792 const Stmt *PossibleBody) {
13793 assert(!CurrentInstantiationScope); // Ensured by caller
13794
13795 SourceLocation StmtLoc;
13796 const Stmt *Body;
13797 unsigned DiagID;
13798 if (const ForStmt *FS = dyn_cast<ForStmt>(S)) {
13799 StmtLoc = FS->getRParenLoc();
13800 Body = FS->getBody();
13801 DiagID = diag::warn_empty_for_body;
13802 } else if (const WhileStmt *WS = dyn_cast<WhileStmt>(S)) {
13803 StmtLoc = WS->getRParenLoc();
13804 Body = WS->getBody();
13805 DiagID = diag::warn_empty_while_body;
13806 } else
13807 return; // Neither `for' nor `while'.
13808
13809 // The body should be a null statement.
13810 const NullStmt *NBody = dyn_cast<NullStmt>(Body);
13811 if (!NBody)
13812 return;
13813
13814 // Skip expensive checks if diagnostic is disabled.
13815 if (Diags.isIgnored(DiagID, NBody->getSemiLoc()))
13816 return;
13817
13818 // Do the usual checks.
13819 if (!ShouldDiagnoseEmptyStmtBody(SourceMgr, StmtLoc, NBody))
13820 return;
13821
13822 // `for(...);' and `while(...);' are popular idioms, so in order to keep
13823 // noise level low, emit diagnostics only if for/while is followed by a
13824 // CompoundStmt, e.g.:
13825 // for (int i = 0; i < n; i++);
13826 // {
13827 // a(i);
13828 // }
13829 // or if for/while is followed by a statement with more indentation
13830 // than for/while itself:
13831 // for (int i = 0; i < n; i++);
13832 // a(i);
13833 bool ProbableTypo = isa<CompoundStmt>(PossibleBody);
13834 if (!ProbableTypo) {
13835 bool BodyColInvalid;
13836 unsigned BodyCol = SourceMgr.getPresumedColumnNumber(
13837 PossibleBody->getBeginLoc(), &BodyColInvalid);
13838 if (BodyColInvalid)
13839 return;
13840
13841 bool StmtColInvalid;
13842 unsigned StmtCol =
13843 SourceMgr.getPresumedColumnNumber(S->getBeginLoc(), &StmtColInvalid);
13844 if (StmtColInvalid)
13845 return;
13846
13847 if (BodyCol > StmtCol)
13848 ProbableTypo = true;
13849 }
13850
13851 if (ProbableTypo) {
13852 Diag(NBody->getSemiLoc(), DiagID);
13853 Diag(NBody->getSemiLoc(), diag::note_empty_body_on_separate_line);
13854 }
13855 }
13856
13857 //===--- CHECK: Warn on self move with std::move. -------------------------===//
13858
13859 void Sema::DiagnoseSelfMove(const Expr *LHSExpr, const Expr *RHSExpr,
13860 SourceLocation OpLoc) {
13861 if (Diags.isIgnored(diag::warn_sizeof_pointer_expr_memaccess, OpLoc))
13862 return;
13863
13864 if (inTemplateInstantiation())
13865 return;
13866
13867 // Strip parens and casts away.
13868 LHSExpr = LHSExpr->IgnoreParenImpCasts();
13869 RHSExpr = RHSExpr->IgnoreParenImpCasts();
13870
13871 // Check for a call to std::move or for a static_cast<T&&>(..) to an xvalue
13872 // which we can treat as an inlined std::move
13873 if (const auto *CE = dyn_cast<CallExpr>(RHSExpr);
13874 CE && CE->getNumArgs() == 1 && CE->isCallToStdMove())
13875 RHSExpr = CE->getArg(0);
13876 else if (const auto *CXXSCE = dyn_cast<CXXStaticCastExpr>(RHSExpr);
13877 CXXSCE && CXXSCE->isXValue())
13878 RHSExpr = CXXSCE->getSubExpr();
13879 else
13880 return;
13881
13882 const DeclRefExpr *LHSDeclRef = dyn_cast<DeclRefExpr>(LHSExpr);
13883 const DeclRefExpr *RHSDeclRef = dyn_cast<DeclRefExpr>(RHSExpr);
13884
13885 // Two DeclRefExpr's, check that the decls are the same.
13886 if (LHSDeclRef && RHSDeclRef) {
13887 if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl())
13888 return;
13889 if (LHSDeclRef->getDecl()->getCanonicalDecl() !=
13890 RHSDeclRef->getDecl()->getCanonicalDecl())
13891 return;
13892
13893 auto D = Diag(OpLoc, diag::warn_self_move)
13894 << LHSExpr->getType() << LHSExpr->getSourceRange()
13895 << RHSExpr->getSourceRange();
13896 if (const FieldDecl *F =
13897 getSelfAssignmentClassMemberCandidate(RHSDeclRef->getDecl()))
13898 D << 1 << F
13899 << FixItHint::CreateInsertion(LHSDeclRef->getBeginLoc(), "this->");
13900 else
13901 D << 0;
13902 return;
13903 }
13904
13905 // Member variables require a different approach to check for self moves.
13906 // MemberExpr's are the same if every nested MemberExpr refers to the same
13907 // Decl and that the base Expr's are DeclRefExpr's with the same Decl or
13908 // the base Expr's are CXXThisExpr's.
13909 const Expr *LHSBase = LHSExpr;
13910 const Expr *RHSBase = RHSExpr;
13911 const MemberExpr *LHSME = dyn_cast<MemberExpr>(LHSExpr);
13912 const MemberExpr *RHSME = dyn_cast<MemberExpr>(RHSExpr);
13913 if (!LHSME || !RHSME)
13914 return;
13915
13916 while (LHSME && RHSME) {
13917 if (LHSME->getMemberDecl()->getCanonicalDecl() !=
13918 RHSME->getMemberDecl()->getCanonicalDecl())
13919 return;
13920
13921 LHSBase = LHSME->getBase();
13922 RHSBase = RHSME->getBase();
13923 LHSME = dyn_cast<MemberExpr>(LHSBase);
13924 RHSME = dyn_cast<MemberExpr>(RHSBase);
13925 }
13926
13927 LHSDeclRef = dyn_cast<DeclRefExpr>(LHSBase);
13928 RHSDeclRef = dyn_cast<DeclRefExpr>(RHSBase);
13929 if (LHSDeclRef && RHSDeclRef) {
13930 if (!LHSDeclRef->getDecl() || !RHSDeclRef->getDecl())
13931 return;
13932 if (LHSDeclRef->getDecl()->getCanonicalDecl() !=
13933 RHSDeclRef->getDecl()->getCanonicalDecl())
13934 return;
13935
13936 Diag(OpLoc, diag::warn_self_move)
13937 << LHSExpr->getType() << 0 << LHSExpr->getSourceRange()
13938 << RHSExpr->getSourceRange();
13939 return;
13940 }
13941
13942 if (isa<CXXThisExpr>(LHSBase) && isa<CXXThisExpr>(RHSBase))
13943 Diag(OpLoc, diag::warn_self_move)
13944 << LHSExpr->getType() << 0 << LHSExpr->getSourceRange()
13945 << RHSExpr->getSourceRange();
13946 }
13947
13948 //===--- Layout compatibility ----------------------------------------------//
13949
13950 static bool isLayoutCompatible(const ASTContext &C, QualType T1, QualType T2);
13951
13952 /// Check if two enumeration types are layout-compatible.
13953 static bool isLayoutCompatible(const ASTContext &C, const EnumDecl *ED1,
13954 const EnumDecl *ED2) {
13955 // C++11 [dcl.enum] p8:
13956 // Two enumeration types are layout-compatible if they have the same
13957 // underlying type.
13958 return ED1->isComplete() && ED2->isComplete() &&
13959 C.hasSameType(ED1->getIntegerType(), ED2->getIntegerType());
13960 }
13961
13962 /// Check if two fields are layout-compatible.
13963 /// Can be used on union members, which are exempt from alignment requirement
13964 /// of common initial sequence.
13965 static bool isLayoutCompatible(const ASTContext &C, const FieldDecl *Field1,
13966 const FieldDecl *Field2,
13967 bool AreUnionMembers = false) {
13968 [[maybe_unused]] const Type *Field1Parent =
13969 Field1->getParent()->getTypeForDecl();
13970 [[maybe_unused]] const Type *Field2Parent =
13971 Field2->getParent()->getTypeForDecl();
13972 assert(((Field1Parent->isStructureOrClassType() &&
13973 Field2Parent->isStructureOrClassType()) ||
13974 (Field1Parent->isUnionType() && Field2Parent->isUnionType())) &&
13975 "Can't evaluate layout compatibility between a struct field and a "
13976 "union field.");
13977 assert(((!AreUnionMembers && Field1Parent->isStructureOrClassType()) ||
13978 (AreUnionMembers && Field1Parent->isUnionType())) &&
13979 "AreUnionMembers should be 'true' for union fields (only).");
13980
13981 if (!isLayoutCompatible(C, Field1->getType(), Field2->getType()))
13982 return false;
13983
13984 if (Field1->isBitField() != Field2->isBitField())
13985 return false;
13986
13987 if (Field1->isBitField()) {
13988 // Make sure that the bit-fields are the same length.
13989 unsigned Bits1 = Field1->getBitWidthValue(C);
13990 unsigned Bits2 = Field2->getBitWidthValue(C);
13991
13992 if (Bits1 != Bits2)
13993 return false;
13994 }
13995
13996 if (Field1->hasAttr<clang::NoUniqueAddressAttr>() ||
13997 Field2->hasAttr<clang::NoUniqueAddressAttr>())
13998 return false;
13999
14000 if (!AreUnionMembers &&
14001 Field1->getMaxAlignment() != Field2->getMaxAlignment())
14002 return false;
14003
14004 return true;
14005 }
14006
14007 /// Check if two standard-layout structs are layout-compatible.
14008 /// (C++11 [class.mem] p17)
14009 static bool isLayoutCompatibleStruct(const ASTContext &C, const RecordDecl *RD1,
14010 const RecordDecl *RD2) {
14011 // Get to the class where the fields are declared
14012 if (const CXXRecordDecl *D1CXX = dyn_cast<CXXRecordDecl>(RD1))
14013 RD1 = D1CXX->getStandardLayoutBaseWithFields();
14014
14015 if (const CXXRecordDecl *D2CXX = dyn_cast<CXXRecordDecl>(RD2))
14016 RD2 = D2CXX->getStandardLayoutBaseWithFields();
14017
14018 // Check the fields.
14019 return llvm::equal(RD1->fields(), RD2->fields(),
14020 [&C](const FieldDecl *F1, const FieldDecl *F2) -> bool {
14021 return isLayoutCompatible(C, F1, F2);
14022 });
14023 }
14024
14025 /// Check if two standard-layout unions are layout-compatible.
14026 /// (C++11 [class.mem] p18)
14027 static bool isLayoutCompatibleUnion(const ASTContext &C, const RecordDecl *RD1,
14028 const RecordDecl *RD2) {
14029 llvm::SmallPtrSet<const FieldDecl *, 8> UnmatchedFields;
14030 for (auto *Field2 : RD2->fields())
14031 UnmatchedFields.insert(Field2);
14032
14033 for (auto *Field1 : RD1->fields()) {
14034 auto I = UnmatchedFields.begin();
14035 auto E = UnmatchedFields.end();
14036
14037 for ( ; I != E; ++I) {
14038 if (isLayoutCompatible(C, Field1, *I, /*IsUnionMember=*/true)) {
14039 bool Result = UnmatchedFields.erase(*I);
14040 (void) Result;
14041 assert(Result);
14042 break;
14043 }
14044 }
14045 if (I == E)
14046 return false;
14047 }
14048
14049 return UnmatchedFields.empty();
14050 }
14051
14052 static bool isLayoutCompatible(const ASTContext &C, const RecordDecl *RD1,
14053 const RecordDecl *RD2) {
14054 if (RD1->isUnion() != RD2->isUnion())
14055 return false;
14056
14057 if (RD1->isUnion())
14058 return isLayoutCompatibleUnion(C, RD1, RD2);
14059 else
14060 return isLayoutCompatibleStruct(C, RD1, RD2);
14061 }
14062
14063 /// Check if two types are layout-compatible in C++11 sense.
14064 static bool isLayoutCompatible(const ASTContext &C, QualType T1, QualType T2) {
14065 if (T1.isNull() || T2.isNull())
14066 return false;
14067
14068 // C++20 [basic.types] p11:
14069 // Two types cv1 T1 and cv2 T2 are layout-compatible types
14070 // if T1 and T2 are the same type, layout-compatible enumerations (9.7.1),
14071 // or layout-compatible standard-layout class types (11.4).
14072 T1 = T1.getCanonicalType().getUnqualifiedType();
14073 T2 = T2.getCanonicalType().getUnqualifiedType();
14074
14075 if (C.hasSameType(T1, T2))
14076 return true;
14077
14078 const Type::TypeClass TC1 = T1->getTypeClass();
14079 const Type::TypeClass TC2 = T2->getTypeClass();
14080
14081 if (TC1 != TC2)
14082 return false;
14083
14084 if (TC1 == Type::Enum) {
14085 return isLayoutCompatible(C,
14086 cast<EnumType>(T1)->getDecl(),
14087 cast<EnumType>(T2)->getDecl());
14088 } else if (TC1 == Type::Record) {
14089 if (!T1->isStandardLayoutType() || !T2->isStandardLayoutType())
14090 return false;
14091
14092 return isLayoutCompatible(C,
14093 cast<RecordType>(T1)->getDecl(),
14094 cast<RecordType>(T2)->getDecl());
14095 }
14096
14097 return false;
14098 }
14099
14100 bool Sema::IsLayoutCompatible(QualType T1, QualType T2) const {
14101 return isLayoutCompatible(getASTContext(), T1, T2);
14102 }
14103
14104 //===-------------- Pointer interconvertibility ----------------------------//
14105
14106 bool Sema::IsPointerInterconvertibleBaseOf(const TypeSourceInfo *Base,
14107 const TypeSourceInfo *Derived) {
14108 QualType BaseT = Base->getType()->getCanonicalTypeUnqualified();
14109 QualType DerivedT = Derived->getType()->getCanonicalTypeUnqualified();
14110
14111 if (BaseT->isStructureOrClassType() && DerivedT->isStructureOrClassType() &&
14112 getASTContext().hasSameType(BaseT, DerivedT))
14113 return true;
14114
14115 if (!IsDerivedFrom(Derived->getTypeLoc().getBeginLoc(), DerivedT, BaseT))
14116 return false;
14117
14118 // Per [basic.compound]/4.3, containing object has to be standard-layout.
14119 if (DerivedT->getAsCXXRecordDecl()->isStandardLayout())
14120 return true;
14121
14122 return false;
14123 }
14124
14125 //===--- CHECK: pointer_with_type_tag attribute: datatypes should match ----//
14126
14127 /// Given a type tag expression find the type tag itself.
14128 ///
14129 /// \param TypeExpr Type tag expression, as it appears in user's code.
14130 ///
14131 /// \param VD Declaration of an identifier that appears in a type tag.
14132 ///
14133 /// \param MagicValue Type tag magic value.
14134 ///
14135 /// \param isConstantEvaluated whether the evalaution should be performed in
14136
14137 /// constant context.
14138 static bool FindTypeTagExpr(const Expr *TypeExpr, const ASTContext &Ctx,
14139 const ValueDecl **VD, uint64_t *MagicValue,
14140 bool isConstantEvaluated) {
14141 while(true) {
14142 if (!TypeExpr)
14143 return false;
14144
14145 TypeExpr = TypeExpr->IgnoreParenImpCasts()->IgnoreParenCasts();
14146
14147 switch (TypeExpr->getStmtClass()) {
14148 case Stmt::UnaryOperatorClass: {
14149 const UnaryOperator *UO = cast<UnaryOperator>(TypeExpr);
14150 if (UO->getOpcode() == UO_AddrOf || UO->getOpcode() == UO_Deref) {
14151 TypeExpr = UO->getSubExpr();
14152 continue;
14153 }
14154 return false;
14155 }
14156
14157 case Stmt::DeclRefExprClass: {
14158 const DeclRefExpr *DRE = cast<DeclRefExpr>(TypeExpr);
14159 *VD = DRE->getDecl();
14160 return true;
14161 }
14162
14163 case Stmt::IntegerLiteralClass: {
14164 const IntegerLiteral *IL = cast<IntegerLiteral>(TypeExpr);
14165 llvm::APInt MagicValueAPInt = IL->getValue();
14166 if (MagicValueAPInt.getActiveBits() <= 64) {
14167 *MagicValue = MagicValueAPInt.getZExtValue();
14168 return true;
14169 } else
14170 return false;
14171 }
14172
14173 case Stmt::BinaryConditionalOperatorClass:
14174 case Stmt::ConditionalOperatorClass: {
14175 const AbstractConditionalOperator *ACO =
14176 cast<AbstractConditionalOperator>(TypeExpr);
14177 bool Result;
14178 if (ACO->getCond()->EvaluateAsBooleanCondition(Result, Ctx,
14179 isConstantEvaluated)) {
14180 if (Result)
14181 TypeExpr = ACO->getTrueExpr();
14182 else
14183 TypeExpr = ACO->getFalseExpr();
14184 continue;
14185 }
14186 return false;
14187 }
14188
14189 case Stmt::BinaryOperatorClass: {
14190 const BinaryOperator *BO = cast<BinaryOperator>(TypeExpr);
14191 if (BO->getOpcode() == BO_Comma) {
14192 TypeExpr = BO->getRHS();
14193 continue;
14194 }
14195 return false;
14196 }
14197
14198 default:
14199 return false;
14200 }
14201 }
14202 }
14203
14204 /// Retrieve the C type corresponding to type tag TypeExpr.
14205 ///
14206 /// \param TypeExpr Expression that specifies a type tag.
14207 ///
14208 /// \param MagicValues Registered magic values.
14209 ///
14210 /// \param FoundWrongKind Set to true if a type tag was found, but of a wrong
14211 /// kind.
14212 ///
14213 /// \param TypeInfo Information about the corresponding C type.
14214 ///
14215 /// \param isConstantEvaluated whether the evalaution should be performed in
14216 /// constant context.
14217 ///
14218 /// \returns true if the corresponding C type was found.
14219 static bool GetMatchingCType(
14220 const IdentifierInfo *ArgumentKind, const Expr *TypeExpr,
14221 const ASTContext &Ctx,
14222 const llvm::DenseMap<Sema::TypeTagMagicValue, Sema::TypeTagData>
14223 *MagicValues,
14224 bool &FoundWrongKind, Sema::TypeTagData &TypeInfo,
14225 bool isConstantEvaluated) {
14226 FoundWrongKind = false;
14227
14228 // Variable declaration that has type_tag_for_datatype attribute.
14229 const ValueDecl *VD = nullptr;
14230
14231 uint64_t MagicValue;
14232
14233 if (!FindTypeTagExpr(TypeExpr, Ctx, &VD, &MagicValue, isConstantEvaluated))
14234 return false;
14235
14236 if (VD) {
14237 if (TypeTagForDatatypeAttr *I = VD->getAttr<TypeTagForDatatypeAttr>()) {
14238 if (I->getArgumentKind() != ArgumentKind) {
14239 FoundWrongKind = true;
14240 return false;
14241 }
14242 TypeInfo.Type = I->getMatchingCType();
14243 TypeInfo.LayoutCompatible = I->getLayoutCompatible();
14244 TypeInfo.MustBeNull = I->getMustBeNull();
14245 return true;
14246 }
14247 return false;
14248 }
14249
14250 if (!MagicValues)
14251 return false;
14252
14253 llvm::DenseMap<Sema::TypeTagMagicValue,
14254 Sema::TypeTagData>::const_iterator I =
14255 MagicValues->find(std::make_pair(ArgumentKind, MagicValue));
14256 if (I == MagicValues->end())
14257 return false;
14258
14259 TypeInfo = I->second;
14260 return true;
14261 }
14262
14263 void Sema::RegisterTypeTagForDatatype(const IdentifierInfo *ArgumentKind,
14264 uint64_t MagicValue, QualType Type,
14265 bool LayoutCompatible,
14266 bool MustBeNull) {
14267 if (!TypeTagForDatatypeMagicValues)
14268 TypeTagForDatatypeMagicValues.reset(
14269 new llvm::DenseMap<TypeTagMagicValue, TypeTagData>);
14270
14271 TypeTagMagicValue Magic(ArgumentKind, MagicValue);
14272 (*TypeTagForDatatypeMagicValues)[Magic] =
14273 TypeTagData(Type, LayoutCompatible, MustBeNull);
14274 }
14275
14276 static bool IsSameCharType(QualType T1, QualType T2) {
14277 const BuiltinType *BT1 = T1->getAs<BuiltinType>();
14278 if (!BT1)
14279 return false;
14280
14281 const BuiltinType *BT2 = T2->getAs<BuiltinType>();
14282 if (!BT2)
14283 return false;
14284
14285 BuiltinType::Kind T1Kind = BT1->getKind();
14286 BuiltinType::Kind T2Kind = BT2->getKind();
14287
14288 return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) ||
14289 (T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) ||
14290 (T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) ||
14291 (T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar);
14292 }
14293
14294 void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
14295 const ArrayRef<const Expr *> ExprArgs,
14296 SourceLocation CallSiteLoc) {
14297 const IdentifierInfo *ArgumentKind = Attr->getArgumentKind();
14298 bool IsPointerAttr = Attr->getIsPointer();
14299
14300 // Retrieve the argument representing the 'type_tag'.
14301 unsigned TypeTagIdxAST = Attr->getTypeTagIdx().getASTIndex();
14302 if (TypeTagIdxAST >= ExprArgs.size()) {
14303 Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
14304 << 0 << Attr->getTypeTagIdx().getSourceIndex();
14305 return;
14306 }
14307 const Expr *TypeTagExpr = ExprArgs[TypeTagIdxAST];
14308 bool FoundWrongKind;
14309 TypeTagData TypeInfo;
14310 if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context,
14311 TypeTagForDatatypeMagicValues.get(), FoundWrongKind,
14312 TypeInfo, isConstantEvaluatedContext())) {
14313 if (FoundWrongKind)
14314 Diag(TypeTagExpr->getExprLoc(),
14315 diag::warn_type_tag_for_datatype_wrong_kind)
14316 << TypeTagExpr->getSourceRange();
14317 return;
14318 }
14319
14320 // Retrieve the argument representing the 'arg_idx'.
14321 unsigned ArgumentIdxAST = Attr->getArgumentIdx().getASTIndex();
14322 if (ArgumentIdxAST >= ExprArgs.size()) {
14323 Diag(CallSiteLoc, diag::err_tag_index_out_of_range)
14324 << 1 << Attr->getArgumentIdx().getSourceIndex();
14325 return;
14326 }
14327 const Expr *ArgumentExpr = ExprArgs[ArgumentIdxAST];
14328 if (IsPointerAttr) {
14329 // Skip implicit cast of pointer to `void *' (as a function argument).
14330 if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr))
14331 if (ICE->getType()->isVoidPointerType() &&
14332 ICE->getCastKind() == CK_BitCast)
14333 ArgumentExpr = ICE->getSubExpr();
14334 }
14335 QualType ArgumentType = ArgumentExpr->getType();
14336
14337 // Passing a `void*' pointer shouldn't trigger a warning.
14338 if (IsPointerAttr && ArgumentType->isVoidPointerType())
14339 return;
14340
14341 if (TypeInfo.MustBeNull) {
14342 // Type tag with matching void type requires a null pointer.
14343 if (!ArgumentExpr->isNullPointerConstant(Context,
14344 Expr::NPC_ValueDependentIsNotNull)) {
14345 Diag(ArgumentExpr->getExprLoc(),
14346 diag::warn_type_safety_null_pointer_required)
14347 << ArgumentKind->getName()
14348 << ArgumentExpr->getSourceRange()
14349 << TypeTagExpr->getSourceRange();
14350 }
14351 return;
14352 }
14353
14354 QualType RequiredType = TypeInfo.Type;
14355 if (IsPointerAttr)
14356 RequiredType = Context.getPointerType(RequiredType);
14357
14358 bool mismatch = false;
14359 if (!TypeInfo.LayoutCompatible) {
14360 mismatch = !Context.hasSameType(ArgumentType, RequiredType);
14361
14362 // C++11 [basic.fundamental] p1:
14363 // Plain char, signed char, and unsigned char are three distinct types.
14364 //
14365 // But we treat plain `char' as equivalent to `signed char' or `unsigned
14366 // char' depending on the current char signedness mode.
14367 if (mismatch)
14368 if ((IsPointerAttr && IsSameCharType(ArgumentType->getPointeeType(),
14369 RequiredType->getPointeeType())) ||
14370 (!IsPointerAttr && IsSameCharType(ArgumentType, RequiredType)))
14371 mismatch = false;
14372 } else
14373 if (IsPointerAttr)
14374 mismatch = !isLayoutCompatible(Context,
14375 ArgumentType->getPointeeType(),
14376 RequiredType->getPointeeType());
14377 else
14378 mismatch = !isLayoutCompatible(Context, ArgumentType, RequiredType);
14379
14380 if (mismatch)
14381 Diag(ArgumentExpr->getExprLoc(), diag::warn_type_safety_type_mismatch)
14382 << ArgumentType << ArgumentKind
14383 << TypeInfo.LayoutCompatible << RequiredType
14384 << ArgumentExpr->getSourceRange()
14385 << TypeTagExpr->getSourceRange();
14386 }
14387
14388 void Sema::AddPotentialMisalignedMembers(Expr *E, RecordDecl *RD, ValueDecl *MD,
14389 CharUnits Alignment) {
14390 MisalignedMembers.emplace_back(E, RD, MD, Alignment);
14391 }
14392
14393 void Sema::DiagnoseMisalignedMembers() {
14394 for (MisalignedMember &m : MisalignedMembers) {
14395 const NamedDecl *ND = m.RD;
14396 if (ND->getName().empty()) {
14397 if (const TypedefNameDecl *TD = m.RD->getTypedefNameForAnonDecl())
14398 ND = TD;
14399 }
14400 Diag(m.E->getBeginLoc(), diag::warn_taking_address_of_packed_member)
14401 << m.MD << ND << m.E->getSourceRange();
14402 }
14403 MisalignedMembers.clear();
14404 }
14405
14406 void Sema::DiscardMisalignedMemberAddress(const Type *T, Expr *E) {
14407 E = E->IgnoreParens();
14408 if (!T->isPointerType() && !T->isIntegerType() && !T->isDependentType())
14409 return;
14410 if (isa<UnaryOperator>(E) &&
14411 cast<UnaryOperator>(E)->getOpcode() == UO_AddrOf) {
14412 auto *Op = cast<UnaryOperator>(E)->getSubExpr()->IgnoreParens();
14413 if (isa<MemberExpr>(Op)) {
14414 auto *MA = llvm::find(MisalignedMembers, MisalignedMember(Op));
14415 if (MA != MisalignedMembers.end() &&
14416 (T->isDependentType() || T->isIntegerType() ||
14417 (T->isPointerType() && (T->getPointeeType()->isIncompleteType() ||
14418 Context.getTypeAlignInChars(
14419 T->getPointeeType()) <= MA->Alignment))))
14420 MisalignedMembers.erase(MA);
14421 }
14422 }
14423 }
14424
14425 void Sema::RefersToMemberWithReducedAlignment(
14426 Expr *E,
14427 llvm::function_ref<void(Expr *, RecordDecl *, FieldDecl *, CharUnits)>
14428 Action) {
14429 const auto *ME = dyn_cast<MemberExpr>(E);
14430 if (!ME)
14431 return;
14432
14433 // No need to check expressions with an __unaligned-qualified type.
14434 if (E->getType().getQualifiers().hasUnaligned())
14435 return;
14436
14437 // For a chain of MemberExpr like "a.b.c.d" this list
14438 // will keep FieldDecl's like [d, c, b].
14439 SmallVector<FieldDecl *, 4> ReverseMemberChain;
14440 const MemberExpr *TopME = nullptr;
14441 bool AnyIsPacked = false;
14442 do {
14443 QualType BaseType = ME->getBase()->getType();
14444 if (BaseType->isDependentType())
14445 return;
14446 if (ME->isArrow())
14447 BaseType = BaseType->getPointeeType();
14448 RecordDecl *RD = BaseType->castAs<RecordType>()->getDecl();
14449 if (RD->isInvalidDecl())
14450 return;
14451
14452 ValueDecl *MD = ME->getMemberDecl();
14453 auto *FD = dyn_cast<FieldDecl>(MD);
14454 // We do not care about non-data members.
14455 if (!FD || FD->isInvalidDecl())
14456 return;
14457
14458 AnyIsPacked =
14459 AnyIsPacked || (RD->hasAttr<PackedAttr>() || MD->hasAttr<PackedAttr>());
14460 ReverseMemberChain.push_back(FD);
14461
14462 TopME = ME;
14463 ME = dyn_cast<MemberExpr>(ME->getBase()->IgnoreParens());
14464 } while (ME);
14465 assert(TopME && "We did not compute a topmost MemberExpr!");
14466
14467 // Not the scope of this diagnostic.
14468 if (!AnyIsPacked)
14469 return;
14470
14471 const Expr *TopBase = TopME->getBase()->IgnoreParenImpCasts();
14472 const auto *DRE = dyn_cast<DeclRefExpr>(TopBase);
14473 // TODO: The innermost base of the member expression may be too complicated.
14474 // For now, just disregard these cases. This is left for future
14475 // improvement.
14476 if (!DRE && !isa<CXXThisExpr>(TopBase))
14477 return;
14478
14479 // Alignment expected by the whole expression.
14480 CharUnits ExpectedAlignment = Context.getTypeAlignInChars(E->getType());
14481
14482 // No need to do anything else with this case.
14483 if (ExpectedAlignment.isOne())
14484 return;
14485
14486 // Synthesize offset of the whole access.
14487 CharUnits Offset;
14488 for (const FieldDecl *FD : llvm::reverse(ReverseMemberChain))
14489 Offset += Context.toCharUnitsFromBits(Context.getFieldOffset(FD));
14490
14491 // Compute the CompleteObjectAlignment as the alignment of the whole chain.
14492 CharUnits CompleteObjectAlignment = Context.getTypeAlignInChars(
14493 ReverseMemberChain.back()->getParent()->getTypeForDecl());
14494
14495 // The base expression of the innermost MemberExpr may give
14496 // stronger guarantees than the class containing the member.
14497 if (DRE && !TopME->isArrow()) {
14498 const ValueDecl *VD = DRE->getDecl();
14499 if (!VD->getType()->isReferenceType())
14500 CompleteObjectAlignment =
14501 std::max(CompleteObjectAlignment, Context.getDeclAlign(VD));
14502 }
14503
14504 // Check if the synthesized offset fulfills the alignment.
14505 if (Offset % ExpectedAlignment != 0 ||
14506 // It may fulfill the offset it but the effective alignment may still be
14507 // lower than the expected expression alignment.
14508 CompleteObjectAlignment < ExpectedAlignment) {
14509 // If this happens, we want to determine a sensible culprit of this.
14510 // Intuitively, watching the chain of member expressions from right to
14511 // left, we start with the required alignment (as required by the field
14512 // type) but some packed attribute in that chain has reduced the alignment.
14513 // It may happen that another packed structure increases it again. But if
14514 // we are here such increase has not been enough. So pointing the first
14515 // FieldDecl that either is packed or else its RecordDecl is,
14516 // seems reasonable.
14517 FieldDecl *FD = nullptr;
14518 CharUnits Alignment;
14519 for (FieldDecl *FDI : ReverseMemberChain) {
14520 if (FDI->hasAttr<PackedAttr>() ||
14521 FDI->getParent()->hasAttr<PackedAttr>()) {
14522 FD = FDI;
14523 Alignment = std::min(
14524 Context.getTypeAlignInChars(FD->getType()),
14525 Context.getTypeAlignInChars(FD->getParent()->getTypeForDecl()));
14526 break;
14527 }
14528 }
14529 assert(FD && "We did not find a packed FieldDecl!");
14530 Action(E, FD->getParent(), FD, Alignment);
14531 }
14532 }
14533
14534 void Sema::CheckAddressOfPackedMember(Expr *rhs) {
14535 using namespace std::placeholders;
14536
14537 RefersToMemberWithReducedAlignment(
14538 rhs, std::bind(&Sema::AddPotentialMisalignedMembers, std::ref(*this), _1,
14539 _2, _3, _4));
14540 }
14541
14542 bool Sema::PrepareBuiltinElementwiseMathOneArgCall(CallExpr *TheCall) {
14543 if (checkArgCount(TheCall, 1))
14544 return true;
14545
14546 ExprResult A = UsualUnaryConversions(TheCall->getArg(0));
14547 if (A.isInvalid())
14548 return true;
14549
14550 TheCall->setArg(0, A.get());
14551 QualType TyA = A.get()->getType();
14552
14553 if (checkMathBuiltinElementType(*this, A.get()->getBeginLoc(), TyA, 1))
14554 return true;
14555
14556 TheCall->setType(TyA);
14557 return false;
14558 }
14559
14560 bool Sema::BuiltinElementwiseMath(CallExpr *TheCall, bool FPOnly) {
14561 QualType Res;
14562 if (BuiltinVectorMath(TheCall, Res, FPOnly))
14563 return true;
14564 TheCall->setType(Res);
14565 return false;
14566 }
14567
14568 bool Sema::BuiltinVectorToScalarMath(CallExpr *TheCall) {
14569 QualType Res;
14570 if (BuiltinVectorMath(TheCall, Res))
14571 return true;
14572
14573 if (auto *VecTy0 = Res->getAs<VectorType>())
14574 TheCall->setType(VecTy0->getElementType());
14575 else
14576 TheCall->setType(Res);
14577
14578 return false;
14579 }
14580
14581 bool Sema::BuiltinVectorMath(CallExpr *TheCall, QualType &Res, bool FPOnly) {
14582 if (checkArgCount(TheCall, 2))
14583 return true;
14584
14585 ExprResult A = TheCall->getArg(0);
14586 ExprResult B = TheCall->getArg(1);
14587 // Do standard promotions between the two arguments, returning their common
14588 // type.
14589 Res = UsualArithmeticConversions(A, B, TheCall->getExprLoc(), ACK_Comparison);
14590 if (A.isInvalid() || B.isInvalid())
14591 return true;
14592
14593 QualType TyA = A.get()->getType();
14594 QualType TyB = B.get()->getType();
14595
14596 if (Res.isNull() || TyA.getCanonicalType() != TyB.getCanonicalType())
14597 return Diag(A.get()->getBeginLoc(),
14598 diag::err_typecheck_call_different_arg_types)
14599 << TyA << TyB;
14600
14601 if (FPOnly) {
14602 if (checkFPMathBuiltinElementType(*this, A.get()->getBeginLoc(), TyA, 1))
14603 return true;
14604 } else {
14605 if (checkMathBuiltinElementType(*this, A.get()->getBeginLoc(), TyA, 1))
14606 return true;
14607 }
14608
14609 TheCall->setArg(0, A.get());
14610 TheCall->setArg(1, B.get());
14611 return false;
14612 }
14613
14614 bool Sema::BuiltinElementwiseTernaryMath(CallExpr *TheCall,
14615 bool CheckForFloatArgs) {
14616 if (checkArgCount(TheCall, 3))
14617 return true;
14618
14619 Expr *Args[3];
14620 for (int I = 0; I < 3; ++I) {
14621 ExprResult Converted = UsualUnaryConversions(TheCall->getArg(I));
14622 if (Converted.isInvalid())
14623 return true;
14624 Args[I] = Converted.get();
14625 }
14626
14627 if (CheckForFloatArgs) {
14628 int ArgOrdinal = 1;
14629 for (Expr *Arg : Args) {
14630 if (checkFPMathBuiltinElementType(*this, Arg->getBeginLoc(),
14631 Arg->getType(), ArgOrdinal++))
14632 return true;
14633 }
14634 } else {
14635 int ArgOrdinal = 1;
14636 for (Expr *Arg : Args) {
14637 if (checkMathBuiltinElementType(*this, Arg->getBeginLoc(), Arg->getType(),
14638 ArgOrdinal++))
14639 return true;
14640 }
14641 }
14642
14643 for (int I = 1; I < 3; ++I) {
14644 if (Args[0]->getType().getCanonicalType() !=
14645 Args[I]->getType().getCanonicalType()) {
14646 return Diag(Args[0]->getBeginLoc(),
14647 diag::err_typecheck_call_different_arg_types)
14648 << Args[0]->getType() << Args[I]->getType();
14649 }
14650
14651 TheCall->setArg(I, Args[I]);
14652 }
14653
14654 TheCall->setType(Args[0]->getType());
14655 return false;
14656 }
14657
14658 bool Sema::PrepareBuiltinReduceMathOneArgCall(CallExpr *TheCall) {
14659 if (checkArgCount(TheCall, 1))
14660 return true;
14661
14662 ExprResult A = UsualUnaryConversions(TheCall->getArg(0));
14663 if (A.isInvalid())
14664 return true;
14665
14666 TheCall->setArg(0, A.get());
14667 return false;
14668 }
14669
14670 bool Sema::BuiltinNonDeterministicValue(CallExpr *TheCall) {
14671 if (checkArgCount(TheCall, 1))
14672 return true;
14673
14674 ExprResult Arg = TheCall->getArg(0);
14675 QualType TyArg = Arg.get()->getType();
14676
14677 if (!TyArg->isBuiltinType() && !TyArg->isVectorType())
14678 return Diag(TheCall->getArg(0)->getBeginLoc(), diag::err_builtin_invalid_arg_type)
14679 << 1 << /*vector, integer or floating point ty*/ 0 << TyArg;
14680
14681 TheCall->setType(TyArg);
14682 return false;
14683 }
14684
14685 ExprResult Sema::BuiltinMatrixTranspose(CallExpr *TheCall,
14686 ExprResult CallResult) {
14687 if (checkArgCount(TheCall, 1))
14688 return ExprError();
14689
14690 ExprResult MatrixArg = DefaultLvalueConversion(TheCall->getArg(0));
14691 if (MatrixArg.isInvalid())
14692 return MatrixArg;
14693 Expr *Matrix = MatrixArg.get();
14694
14695 auto *MType = Matrix->getType()->getAs<ConstantMatrixType>();
14696 if (!MType) {
14697 Diag(Matrix->getBeginLoc(), diag::err_builtin_invalid_arg_type)
14698 << 1 << /* matrix ty*/ 1 << Matrix->getType();
14699 return ExprError();
14700 }
14701
14702 // Create returned matrix type by swapping rows and columns of the argument
14703 // matrix type.
14704 QualType ResultType = Context.getConstantMatrixType(
14705 MType->getElementType(), MType->getNumColumns(), MType->getNumRows());
14706
14707 // Change the return type to the type of the returned matrix.
14708 TheCall->setType(ResultType);
14709
14710 // Update call argument to use the possibly converted matrix argument.
14711 TheCall->setArg(0, Matrix);
14712 return CallResult;
14713 }
14714
14715 // Get and verify the matrix dimensions.
14716 static std::optional<unsigned>
14717 getAndVerifyMatrixDimension(Expr *Expr, StringRef Name, Sema &S) {
14718 SourceLocation ErrorPos;
14719 std::optional<llvm::APSInt> Value =
14720 Expr->getIntegerConstantExpr(S.Context, &ErrorPos);
14721 if (!Value) {
14722 S.Diag(Expr->getBeginLoc(), diag::err_builtin_matrix_scalar_unsigned_arg)
14723 << Name;
14724 return {};
14725 }
14726 uint64_t Dim = Value->getZExtValue();
14727 if (!ConstantMatrixType::isDimensionValid(Dim)) {
14728 S.Diag(Expr->getBeginLoc(), diag::err_builtin_matrix_invalid_dimension)
14729 << Name << ConstantMatrixType::getMaxElementsPerDimension();
14730 return {};
14731 }
14732 return Dim;
14733 }
14734
14735 ExprResult Sema::BuiltinMatrixColumnMajorLoad(CallExpr *TheCall,
14736 ExprResult CallResult) {
14737 if (!getLangOpts().MatrixTypes) {
14738 Diag(TheCall->getBeginLoc(), diag::err_builtin_matrix_disabled);
14739 return ExprError();
14740 }
14741
14742 if (checkArgCount(TheCall, 4))
14743 return ExprError();
14744
14745 unsigned PtrArgIdx = 0;
14746 Expr *PtrExpr = TheCall->getArg(PtrArgIdx);
14747 Expr *RowsExpr = TheCall->getArg(1);
14748 Expr *ColumnsExpr = TheCall->getArg(2);
14749 Expr *StrideExpr = TheCall->getArg(3);
14750
14751 bool ArgError = false;
14752
14753 // Check pointer argument.
14754 {
14755 ExprResult PtrConv = DefaultFunctionArrayLvalueConversion(PtrExpr);
14756 if (PtrConv.isInvalid())
14757 return PtrConv;
14758 PtrExpr = PtrConv.get();
14759 TheCall->setArg(0, PtrExpr);
14760 if (PtrExpr->isTypeDependent()) {
14761 TheCall->setType(Context.DependentTy);
14762 return TheCall;
14763 }
14764 }
14765
14766 auto *PtrTy = PtrExpr->getType()->getAs<PointerType>();
14767 QualType ElementTy;
14768 if (!PtrTy) {
14769 Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
14770 << PtrArgIdx + 1 << /*pointer to element ty*/ 2 << PtrExpr->getType();
14771 ArgError = true;
14772 } else {
14773 ElementTy = PtrTy->getPointeeType().getUnqualifiedType();
14774
14775 if (!ConstantMatrixType::isValidElementType(ElementTy)) {
14776 Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
14777 << PtrArgIdx + 1 << /* pointer to element ty*/ 2
14778 << PtrExpr->getType();
14779 ArgError = true;
14780 }
14781 }
14782
14783 // Apply default Lvalue conversions and convert the expression to size_t.
14784 auto ApplyArgumentConversions = [this](Expr *E) {
14785 ExprResult Conv = DefaultLvalueConversion(E);
14786 if (Conv.isInvalid())
14787 return Conv;
14788
14789 return tryConvertExprToType(Conv.get(), Context.getSizeType());
14790 };
14791
14792 // Apply conversion to row and column expressions.
14793 ExprResult RowsConv = ApplyArgumentConversions(RowsExpr);
14794 if (!RowsConv.isInvalid()) {
14795 RowsExpr = RowsConv.get();
14796 TheCall->setArg(1, RowsExpr);
14797 } else
14798 RowsExpr = nullptr;
14799
14800 ExprResult ColumnsConv = ApplyArgumentConversions(ColumnsExpr);
14801 if (!ColumnsConv.isInvalid()) {
14802 ColumnsExpr = ColumnsConv.get();
14803 TheCall->setArg(2, ColumnsExpr);
14804 } else
14805 ColumnsExpr = nullptr;
14806
14807 // If any part of the result matrix type is still pending, just use
14808 // Context.DependentTy, until all parts are resolved.
14809 if ((RowsExpr && RowsExpr->isTypeDependent()) ||
14810 (ColumnsExpr && ColumnsExpr->isTypeDependent())) {
14811 TheCall->setType(Context.DependentTy);
14812 return CallResult;
14813 }
14814
14815 // Check row and column dimensions.
14816 std::optional<unsigned> MaybeRows;
14817 if (RowsExpr)
14818 MaybeRows = getAndVerifyMatrixDimension(RowsExpr, "row", *this);
14819
14820 std::optional<unsigned> MaybeColumns;
14821 if (ColumnsExpr)
14822 MaybeColumns = getAndVerifyMatrixDimension(ColumnsExpr, "column", *this);
14823
14824 // Check stride argument.
14825 ExprResult StrideConv = ApplyArgumentConversions(StrideExpr);
14826 if (StrideConv.isInvalid())
14827 return ExprError();
14828 StrideExpr = StrideConv.get();
14829 TheCall->setArg(3, StrideExpr);
14830
14831 if (MaybeRows) {
14832 if (std::optional<llvm::APSInt> Value =
14833 StrideExpr->getIntegerConstantExpr(Context)) {
14834 uint64_t Stride = Value->getZExtValue();
14835 if (Stride < *MaybeRows) {
14836 Diag(StrideExpr->getBeginLoc(),
14837 diag::err_builtin_matrix_stride_too_small);
14838 ArgError = true;
14839 }
14840 }
14841 }
14842
14843 if (ArgError || !MaybeRows || !MaybeColumns)
14844 return ExprError();
14845
14846 TheCall->setType(
14847 Context.getConstantMatrixType(ElementTy, *MaybeRows, *MaybeColumns));
14848 return CallResult;
14849 }
14850
14851 ExprResult Sema::BuiltinMatrixColumnMajorStore(CallExpr *TheCall,
14852 ExprResult CallResult) {
14853 if (checkArgCount(TheCall, 3))
14854 return ExprError();
14855
14856 unsigned PtrArgIdx = 1;
14857 Expr *MatrixExpr = TheCall->getArg(0);
14858 Expr *PtrExpr = TheCall->getArg(PtrArgIdx);
14859 Expr *StrideExpr = TheCall->getArg(2);
14860
14861 bool ArgError = false;
14862
14863 {
14864 ExprResult MatrixConv = DefaultLvalueConversion(MatrixExpr);
14865 if (MatrixConv.isInvalid())
14866 return MatrixConv;
14867 MatrixExpr = MatrixConv.get();
14868 TheCall->setArg(0, MatrixExpr);
14869 }
14870 if (MatrixExpr->isTypeDependent()) {
14871 TheCall->setType(Context.DependentTy);
14872 return TheCall;
14873 }
14874
14875 auto *MatrixTy = MatrixExpr->getType()->getAs<ConstantMatrixType>();
14876 if (!MatrixTy) {
14877 Diag(MatrixExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
14878 << 1 << /*matrix ty */ 1 << MatrixExpr->getType();
14879 ArgError = true;
14880 }
14881
14882 {
14883 ExprResult PtrConv = DefaultFunctionArrayLvalueConversion(PtrExpr);
14884 if (PtrConv.isInvalid())
14885 return PtrConv;
14886 PtrExpr = PtrConv.get();
14887 TheCall->setArg(1, PtrExpr);
14888 if (PtrExpr->isTypeDependent()) {
14889 TheCall->setType(Context.DependentTy);
14890 return TheCall;
14891 }
14892 }
14893
14894 // Check pointer argument.
14895 auto *PtrTy = PtrExpr->getType()->getAs<PointerType>();
14896 if (!PtrTy) {
14897 Diag(PtrExpr->getBeginLoc(), diag::err_builtin_invalid_arg_type)
14898 << PtrArgIdx + 1 << /*pointer to element ty*/ 2 << PtrExpr->getType();
14899 ArgError = true;
14900 } else {
14901 QualType ElementTy = PtrTy->getPointeeType();
14902 if (ElementTy.isConstQualified()) {
14903 Diag(PtrExpr->getBeginLoc(), diag::err_builtin_matrix_store_to_const);
14904 ArgError = true;
14905 }
14906 ElementTy = ElementTy.getUnqualifiedType().getCanonicalType();
14907 if (MatrixTy &&
14908 !Context.hasSameType(ElementTy, MatrixTy->getElementType())) {
14909 Diag(PtrExpr->getBeginLoc(),
14910 diag::err_builtin_matrix_pointer_arg_mismatch)
14911 << ElementTy << MatrixTy->getElementType();
14912 ArgError = true;
14913 }
14914 }
14915
14916 // Apply default Lvalue conversions and convert the stride expression to
14917 // size_t.
14918 {
14919 ExprResult StrideConv = DefaultLvalueConversion(StrideExpr);
14920 if (StrideConv.isInvalid())
14921 return StrideConv;
14922
14923 StrideConv = tryConvertExprToType(StrideConv.get(), Context.getSizeType());
14924 if (StrideConv.isInvalid())
14925 return StrideConv;
14926 StrideExpr = StrideConv.get();
14927 TheCall->setArg(2, StrideExpr);
14928 }
14929
14930 // Check stride argument.
14931 if (MatrixTy) {
14932 if (std::optional<llvm::APSInt> Value =
14933 StrideExpr->getIntegerConstantExpr(Context)) {
14934 uint64_t Stride = Value->getZExtValue();
14935 if (Stride < MatrixTy->getNumRows()) {
14936 Diag(StrideExpr->getBeginLoc(),
14937 diag::err_builtin_matrix_stride_too_small);
14938 ArgError = true;
14939 }
14940 }
14941 }
14942
14943 if (ArgError)
14944 return ExprError();
14945
14946 return CallResult;
14947 }
14948
14949 void Sema::CheckTCBEnforcement(const SourceLocation CallExprLoc,
14950 const NamedDecl *Callee) {
14951 // This warning does not make sense in code that has no runtime behavior.
14952 if (isUnevaluatedContext())
14953 return;
14954
14955 const NamedDecl *Caller = getCurFunctionOrMethodDecl();
14956
14957 if (!Caller || !Caller->hasAttr<EnforceTCBAttr>())
14958 return;
14959
14960 // Search through the enforce_tcb and enforce_tcb_leaf attributes to find
14961 // all TCBs the callee is a part of.
14962 llvm::StringSet<> CalleeTCBs;
14963 for (const auto *A : Callee->specific_attrs<EnforceTCBAttr>())
14964 CalleeTCBs.insert(A->getTCBName());
14965 for (const auto *A : Callee->specific_attrs<EnforceTCBLeafAttr>())
14966 CalleeTCBs.insert(A->getTCBName());
14967
14968 // Go through the TCBs the caller is a part of and emit warnings if Caller
14969 // is in a TCB that the Callee is not.
14970 for (const auto *A : Caller->specific_attrs<EnforceTCBAttr>()) {
14971 StringRef CallerTCB = A->getTCBName();
14972 if (CalleeTCBs.count(CallerTCB) == 0) {
14973 this->Diag(CallExprLoc, diag::warn_tcb_enforcement_violation)
14974 << Callee << CallerTCB;
14975 }
14976 }
14977 }
LLVM monorepo