This is an archive of the discontinued LLVM Phabricator instance.

Differential D112579

Allow non-variadic functions to be attributed with `__attribute__((format))`
ClosedPublic

Authored by fcloutier on Oct 26 2021, 3:35 PM.

Details

Reviewers
dcoughlin
doug.gregor
rsmith
aaron.ballman
Commits
rG92edd74b37c7: Allow non-variadic functions to be attributed with `__attribute__((format))`
Summary

Clang only allows you to use __attribute__((format)) on variadic functions. There are legit use cases for __attribute__((format)) on non-variadic functions, such as:

(1) variadic templates

template<typename… Args>
void print(const char *fmt, Args… &&args) __attribute__((format(1, 2))); // error: format attribute requires variadic function

(2) functions which take fixed arguments and a custom format:

void print_number_string(const char *fmt, unsigned number, const char *string) __attribute__((format(1, 2)));
// ^error: format attribute requires variadic function

void foo(void) {
    print_number_string(“%08x %s\n”, 0xdeadbeef, “hello”);
    print_number_string(“%d %s”, 0xcafebabe, “bar”);
}

This change allows Clang users to attach __attribute__((format)) to non-variadic functions, including functions with C++ variadic templates. It replaces the error with a GCC compatibility warning and improves the type checker to ensure that received arrays are treated like pointers (this is a possibility in C++ since references to template types can bind to arrays).

Diff Detail

Event Timeline

fcloutier created this revision.Oct 26 2021, 3:35 PM
Herald added a reviewer: aaron.ballman. · View Herald TranscriptOct 26 2021, 3:35 PM
fcloutier requested review of this revision.Oct 26 2021, 3:35 PM
Herald added a subscriber: cfe-commits. · View Herald TranscriptOct 26 2021, 3:35 PM
Harbormaster completed remote builds in B130820: Diff 382473.Oct 26 2021, 4:01 PM
aaron.ballman added a comment.Oct 29 2021, 12:00 PM

Thank you for this! I have some concerns that I'd like to talk out to hopefully make myself feel more comfortable with this.

My understanding of the utility from -Wformat warnings comes from the fact that the function receiving the format string has no way to validate that the variadic arguments passed have the correct types when compared to the format string. However, in both of the new cases you propose to support, that type information is present in the function signature (you may have to go through a bunch of template instantiations in the variadic template cases, but you get there eventually). Having the types in the signatures changes something I think might be pretty fundamental to the way the format string checker works -- it tries to figure out types *after default argument promotions* because those promotions are a lossy operation. However, when the types are specified in the signature, those default argument promotions no longer happen. The type passed for a %f may actually be a float rather than promoted to a double, the type for a char may actually be char rather than int, etc. I'm not convinced this is as simple as "now we allow non-vararg functions" for the implementation. I think we need some more extensive testing to prove that the diagnostics actually make sense or not.

In terms of the specific cases allowed, I think I am happier about variadic templates than I am about fixed-signature functions. For the variadic template, I think supporting -Wformat would mean users don't have to reimplement similar logic to what that check already handles even though they can do it themselves. But for a fixed-signature function, I'm not certain I see what the value add is -- the only valid format strings such a function could accept would have to be fixed to the function signature anyway. Can you explain what use cases you have for that situation?

fcloutier added a comment.Oct 29 2021, 3:34 PM

Thanks for looking, Aaron. You're right that the main utility of the aggregation of format warnings is to extend C's type checking because there is no other good way, or good place, to do it. I have built hundreds of millions of shipping lines of C, C++ and Objective-C, and this change seems like it would be an effective fix in several places where we don't currently have anywhere else to go.

For variadic templates, you're right that at some final instantiation, the compiler will have all the format argument types in hand. What gets lost in piping and substitution is actually the format string that Clang must type-check against. You can see this in action in the LLVM code base, actually: if we turn on -Wformat-nonliteral for files including llvm/include/Support/Format.h, the warning will trigger for users of the llvm::format function. This is because the format string is stored in format_object_base::Fmt instead of being directly forwarded, and sprinkling constexpr in strategic places won't resolve this issue because SemaChecking has its own custom expression evaluator. Swapping it out for the more common ExprConstant stuff is probably not impossible, but it's difficult because SemaChecking supports its own kind of symbolism. For instance, it's OK to use a format string parameter as the format string argument of another function that wants one, and other attributes like format_arg can tell you to assume the same specifiers as you get from another expression. So, we could fix this, but it would be more work, and the same purpose is served by allowing fixed arguments to participate in the format attribute checking. Verifying that users of the LLVM llvm::format function are doing the right thing is a better experience than letting this bubble up from however many levels of template instantiation there is.

Type checking may well actually need to be tested better for the case where variadic argument promotions don't happen, but there's a fairly finite number of ways it could go wrong, and I still think that's the easier way to go.

I don't think that we can easily distinguish between parameters created by variadic templates and fixed parameters from a function without variadic templates. I also think that most people who write functions like llvm::format aggressively do not want to be in charge of type-checking the format string themselves, and would much rather defer to Clang's existing type checker. If Clang allows the format attribute to type-check parameters created by variadic templates, it follows that the path of least resistance is to allow it on functions with fixed arguments.

With that said, there are still use cases for allowing format strings in functions with fixed arguments. (Interestingly, it would not be possible to mix fixed format arguments with variadic format arguments in a C function, so maybe we can prevent that altogether, but it does not remove from the general usefulness of the feature). You'll have to take my word for this, but it's one of the handful of blockers that we have for very broad adoption of -Wformat-nonliteral. The story usually goes like this: there's some function NSString *foo(NSString *fmt, NSMyFoo *obj1, NSMyBar *obj2) that needs to do something with obj1 and obj2 before it decides whether it actually wants to print them, return something unrelated altogether, throw an exception, etc. General limitations of the C language make it difficult to untangle the print parts from the logic parts for reasons which, to me, align rather closely to compiler capriciousness given how close it is to supporting the feature. This is more common in Objective-C code bases as %@ is a universal format specifier for all object types.

Another way we could approach this problem is to have a new attribute to say that a format argument must have a string that conforms to another constant format string. For instance, I think that NSString *foo(NSString *fmt, NSMyFoo *obj1, NSMyBar *obj2) __attribute__((format_like(1, @"hello %@ %@!"))), by the compiler checks that fmt has specifiers equivalent to %@ %@, would give us roughly the same safety improvements. It would allow for even more fun things, like passing a format string to a function that will then itself supply arguments to a formatting function.

What do you think?

Quuxplusone added a subscriber: Quuxplusone.Oct 29 2021, 3:52 PM
In D112579#3097360, @aaron.ballman wrote:

[...] Having the types in the signatures changes something I think might be pretty fundamental to the way the format string checker works -- it tries to figure out types *after default argument promotions* because those promotions are a lossy operation. However, when the types are specified in the signature, those default argument promotions no longer happen. The type passed for a %f may actually be a float rather than promoted to a double, the type for a char may actually be char rather than int, etc.

True, and I think you're right that this change needs some really exhaustive tests. First, notice that the point of format(printf) is still ultimately to pass the arguments to some printf-like varargs function that will do the default argument promotions. So if our argument type is float, well, in the non-pathological cases, eventually it should become a double (when it is finally passed to printf, possibly several levels deeper in the function call stack). But second, consider situations like

void myprintf(const char *fmt, int n) __attribute__((format(printf, 1, 2)));  // N.B.: int, not unsigned long
int main() {
    myprintf("%lu", 3uL);  // this should error
    myprintf("%d", 3uL);  // this should not error
}

In terms of the specific cases allowed, I think I am happier about variadic templates than I am about fixed-signature functions. [...] For a fixed-signature function, I'm not certain I see what the value add is -- the only valid format strings such a function could accept would have to be fixed to the function signature anyway.

Or, in some situations (like logging), the format string could be some weird amalgam of the signature and something else, right?

void mydebug(const char *fmt, int line) { printf(fmt, "test.cpp", line); }
int main() {
    mydebug("%s:%d", 42);  // printf("%s:%d", 42) would not be correct; but the way mydebug ultimately uses printf, this is actually safe and intentional
}

When we receive a va_list or a varargs ..., this scenario doesn't arise (AFAIK), because there is no way to manipulate or insert-more-arguments-into a va_list after the fact.

Initially I thought this PR was a slam-dunk, but thinking about all the pathological-but-possible corner cases here does make me more skeptical now.

fcloutier added a comment.Oct 29 2021, 5:25 PM

Thanks Arthur for your feedback.

void myprintf(const char *fmt, int n) __attribute__((format(printf, 1, 2)));  // N.B.: int, not unsigned long
int main() {
    myprintf("%lu", 3uL);  // this should error
    myprintf("%d", 3uL);  // this should not error
}

This is handled naturally by the current implementation. The integer literal undergoes an implicit cast to int because that's the type of the n parameter, and it causes the %lu case to fail and the %d case to succeed.

Your second example is the scenario of concern for adding an attribute like the format_like attribute that I described in my response to Aaron. I think that these two features don't need to be tied together.

Quuxplusone mentioned this in D112927: [libc++] Enable -Wformat-nonliteral when building libc++.Nov 1 2021, 7:45 AM
aaron.ballman added a comment.Nov 4 2021, 7:08 AM
In D112579#3097890, @fcloutier wrote:

Thanks for looking, Aaron.

Thank you for the detailed response!

Type checking may well actually need to be tested better for the case where variadic argument promotions don't happen, but there's a fairly finite number of ways it could go wrong, and I still think that's the easier way to go.

I think this is the current thing for us to test and try out. It shouldn't be impossible to do somewhat exhaustive testing (there's only so many format specifiers and length modifiers to worry about), but it's those edge cases that have me worried.

I don't think that we can easily distinguish between parameters created by variadic templates and fixed parameters from a function without variadic templates.

Agreed. This should be checking the instantiations, so by that point, the variadic template is really more like a fixed parameter list anyway.

I also think that most people who write functions like llvm::format aggressively do not want to be in charge of type-checking the format string themselves, and would much rather defer to Clang's existing type checker. If Clang allows the format attribute to type-check parameters created by variadic templates, it follows that the path of least resistance is to allow it on functions with fixed arguments.

Also agreed.

With that said, there are still use cases for allowing format strings in functions with fixed arguments. (Interestingly, it would not be possible to mix fixed format arguments with variadic format arguments in a C function, so maybe we can prevent that altogether, but it does not remove from the general usefulness of the feature). You'll have to take my word for this, but it's one of the handful of blockers that we have for very broad adoption of -Wformat-nonliteral. The story usually goes like this: there's some function NSString *foo(NSString *fmt, NSMyFoo *obj1, NSMyBar *obj2) that needs to do something with obj1 and obj2 before it decides whether it actually wants to print them, return something unrelated altogether, throw an exception, etc. General limitations of the C language make it difficult to untangle the print parts from the logic parts for reasons which, to me, align rather closely to compiler capriciousness given how close it is to supporting the feature. This is more common in Objective-C code bases as %@ is a universal format specifier for all object types.

Another way we could approach this problem is to have a new attribute to say that a format argument must have a string that conforms to another constant format string. For instance, I think that NSString *foo(NSString *fmt, NSMyFoo *obj1, NSMyBar *obj2) __attribute__((format_like(1, @"hello %@ %@!"))), by the compiler checks that fmt has specifiers equivalent to %@ %@, would give us roughly the same safety improvements. It would allow for even more fun things, like passing a format string to a function that will then itself supply arguments to a formatting function.

What do you think?

I think the second option may be an idea worth exploring, but if we can avoid adding another attribute, that's usually preferred. I think that if we add sufficient test coverage, it'd make sense to use the existing attribute. As Arthur pointed out, ultimately this stuff is expected to be passed to printf (et al) and so long as the attribute continues to honor pointing out issues with that goal, I think it's a reasonable one to use in these situations. I think we only need to consider a secondary attribute if we find that the semantics we need are sufficiently different to warrant it.

Quuxplusone added a comment.Nov 4 2021, 8:03 AM

Agreed. This should be checking the instantiations, so by that point, the variadic template is really more like a fixed parameter list anyway.

FWIW, in my own mental model, there's a big semantic difference between (varargs functions, variadic templates) on the one hand and (non-template functions) on the other. In my experience, there's nothing you can do with a varargs ellipsis except forward it along as a va_list; and it's uncommon to do anything with a variadic parameter pack except forward it along via std::forward; but messing with fixed arguments is quite common. Technically, you can mess with a parameter pack too:

void apple(const char *fmt, int x, int y) __attribute__((format(printf, 1, 2))) {
    printf(fmt, double(x), double(y));
}
void banana(const char *fmt, auto... args) __attribute__((format(printf, 1, 2))) {
    printf(fmt, double(args)...);
}
int main() {
    apple("%g %g", 17, 42);  // well-defined; shall we warn anyway? (My gut feeling is that this is relatively common)
    banana("%g %g", 17, 42);  // well-defined; shall we warn anyway? (My gut feeling is that this is extremely rare)
}

This morning I am leaning in favor of this PR as written. If a programmer wants apple/banana to be callable like that, without any diagnostics, then their appropriate course of action is simply not to apply the __attribute__((format(printf, 1, 2))) annotation.

clang/include/clang/Basic/DiagnosticSemaKinds.td
4129

I'd say with the %0 attribute (add "the")

clang/lib/AST/FormatString.cpp
324–328

Also, function references will decay to function pointers. I have no idea if you need to do anything special here to get the "right behavior" for function references. But please add a (compile-only?) test case for the function-pointer codepath, just to prove it doesn't crash or anything.

clang/test/Sema/attr-format.cpp
5–7 ↗(On Diff #382473)

Can we also do an example of a member function variadic template?

struct S {
  template<class... Args>
  void format(const char *fmt, Args&&... args)
    __attribute__((format(printf, 2, 3)));
};

Also, I believe that this entire file should be removed from Sema/ and combined into SemaCXX/attr-format.cpp.

I also notice that we have literally zero test coverage for cases where the format string is not the first argument to the function; but that can-and-should be addressed in a separate PR.

14 ↗(On Diff #382473)

Basically, add , do_format here.
(Aside: I'm surprised that Clang quietly lets you print a function pointer with %p. It'll work on sane architectures, but in general C and C++ don't require that function pointers even be the same size as void* — technically this should be UB or at least impl-defined behavior.)

fcloutier updated this revision to Diff 435302.Jun 8 2022, 12:47 PM

Apologies the long delay: things happened and I was pulled away. I have some time to finish this change now. I recommend re-reading the discussion up to now since it's not _that_ long and it provides a lot of very useful context.

The new change addresses requests from the previous round. The most substantial changes are around how Clang detects that a format string is being forwarded to another format function. This is now expressed in terms of transitions from format argument passing styles, such that given the following 3 function archetypes:

c
void fixed(const char *, int) __attribute__((format(printf, 1, 2)));
void variadic(const char *, ...) __attribute__((format(printf, 1, 2)));
void valist(const char *, va_list) __attribute__((format(printf, 1, 0)));

there are no warnings for:

  • a variadic function forwarding its format to a valist function
  • a valist function forwarding its format to another valist function
  • a fixed function forwarding its format to another fixed function (new)
  • a fixed function forwarding its format to a variadic function (new)

In other words, for instance, fixed can call variadic in its implementation without a warning. Anything else, like forwarding the format of a valist function to a fixed function, is a diagnostic.

fixed to fixed/variadic transitions don't check that arguments have compatible types, but it conceivably could. This is a limitation of the current implementation. However, at this point, we don't think that this is a very worthwhile effort; this could change in the future if adoption of the format attribute on functions with a fixed signature ramps up.

I also added a number of tests to make sure that we still have reasonable warnings. One interesting edge case when using __attribute__((format)) on functions with fixed parameters is that it's possible to come up with combinations that are impossible, for instance:

c
struct nontrivial { nontrivial(); ~nontrivial(); };
void foo(const char *, nontrivial) __attribute__((format(printf, 1, 2)));

It's not a diagnostic to declare this function, however it is always a diagnostic to call it because no printf format specifier can format a nontrivial object. Ideally there would be a diagnostic on the declaration, but I think that it's sufficient as it is.

Herald added a project: Restricted Project. · View Herald TranscriptJun 8 2022, 12:47 PM
Harbormaster completed remote builds in B168660: Diff 435302.Jun 8 2022, 1:59 PM
fcloutier added a comment.Jun 16 2022, 11:10 AM

Ping

fcloutier added a comment.Jun 22 2022, 6:04 PM

Would it be better if I asked a colleague to finish the review?

aaron.ballman added a comment.Jun 23 2022, 5:05 AM
In D112579#3603629, @fcloutier wrote:

Would it be better if I asked a colleague to finish the review?

Typically, you should try to get a LG from the reviewers who have been active on the review in the past (assuming they're still active in the community now). So no -- It just takes a while because there's a lot of review work to be done and only so many hours in the day; sorry for the delays!

I think there are some missing changes to AttrDocs.td for the new functionality, and this should have a release note as well.

clang/include/clang/Basic/DiagnosticSemaKinds.td
4126

Slight tweaks: GCC requires a function with the 'format' attribute to be variadic

clang/lib/AST/FormatString.cpp
327

I think this should be:

if (argTy->canDecayToPointerType())
  argTy = C.getDecayedType(argTy);
clang/lib/Sema/SemaChecking.cpp
5434–5440

Elide braces here (coding style rule).

8622–8623

Can use const auto * in these cases.

8626

Same here.

8630–8631

A better way to write this would be:

if (const auto *FnTy = D->getType()->getAs<FunctionProtoType>())
  IsVariadic = FnTy->isVariadic();
...
10027

Same suggestion here as above to use canDecayToPointerType() instead.

clang/lib/Sema/SemaDeclAttr.cpp
3881–3885

There's some braces you can elide here now.

fcloutier updated this revision to Diff 441703.Jul 1 2022, 8:47 AM
fcloutier set the repository for this revision to rG LLVM Github Monorepo.

Thanks, Aaron. I wasn't sure how to follow up given how long it had been since the review started. I understand that we're all busy (which explains the week delay on my part here as well).

I've addressed all of your comments except the one on this bit:

if (const FunctionType *FnTy = D->getFunctionType())
  IsVariadic = cast<FunctionProtoType>(FnTy)->isVariadic();

The proposed change isn't identical because D->getFunctionType() can return nullptr (for instance, if D is a BlockDecl). However, in the case FnTy isn't nullptr, then it is guaranteed to be a FunctionProtoType as the attribute is rejected on functions without a prototype.

Harbormaster completed remote builds in B173248: Diff 441703.Jul 1 2022, 8:48 AM
aaron.ballman added a comment.Jul 5 2022, 8:51 AM
In D112579#3625195, @fcloutier wrote:

Thanks, Aaron. I wasn't sure how to follow up given how long it had been since the review started. I understand that we're all busy (which explains the week delay on my part here as well).

No worries, pinging the review like you did is a good way to try to get it more attention, though it sometimes takes a few tries depending on the review.

I've addressed all of your comments except the one on this bit:

if (const FunctionType *FnTy = D->getFunctionType())
  IsVariadic = cast<FunctionProtoType>(FnTy)->isVariadic();

The proposed change isn't identical because D->getFunctionType() can return nullptr (for instance, if D is a BlockDecl). However, in the case FnTy isn't nullptr, then it is guaranteed to be a FunctionProtoType as the attribute is rejected on functions without a prototype.

The suggestion I had was slightly different:

if (const auto *FnTy = D->getType()->getAs<FunctionProtoType>())
  IsVariadic = FnTy->isVariadic();

It's getting as a prototyped function, and only if that succeeds do we check whether it's variadic. I think that is equivalent to what you have now, but is more clearly expressed. WDYT?

fcloutier added a comment.Jul 5 2022, 9:31 AM

I'm afraid that's also not possible: D is a Decl, so it doesn't have getType(). Decl is the tightest-fitting superclass of BlockDecl, FunctionDecl and ObjCMethodDecl (because BlockDecl is a direct subclass of it).

One option could be to cast the Decl to a FunctionDecl and then use FDecl->isVariadic(), similarly to how it goes for BlockDecl and ObjCMethodDecl. I'm not sure that it's equivalent, but if you believe it is and like it better, I can do that.

aaron.ballman added a comment.Jul 5 2022, 11:23 AM
In D112579#3630647, @fcloutier wrote:

I'm afraid that's also not possible: D is a Decl, so it doesn't have getType(). Decl is the tightest-fitting superclass of BlockDecl, FunctionDecl and ObjCMethodDecl (because BlockDecl is a direct subclass of it).

One option could be to cast the Decl to a FunctionDecl and then use FDecl->isVariadic(), similarly to how it goes for BlockDecl and ObjCMethodDecl. I'm not sure that it's equivalent, but if you believe it is and like it better, I can do that.

Ahhhhhh, I had forgotten about BlockDecl not being a ValueDecl. In that case, I think the code is fine as-is, sorry for the noise!

I think this generally LG; I found a few minor nits in the documentation and some questions on the tests. The test stuff can be handled in a follow-up if you think it's worthwhile.

clang/include/clang/Basic/AttrDocs.td
3147
3165
clang/test/SemaCXX/attr-format.cpp
76

This pointed out an interesting test case. What should the behavior be for:

format("%p", 0);

Because that sure feels like a more reasonable thing for someone to write expecting it to be treated as a null pointer constant.

77–78

This likely isn't specific to your changes, but the %p in these examples should be warning the user (a function or function pointer is not a pointer to void or a pointer to a character type, so that call is UB).

fcloutier updated this revision to Diff 442373.Jul 5 2022, 12:31 PM
fcloutier marked 2 inline comments as done.

Address documentation comments.

clang/test/SemaCXX/attr-format.cpp
76

I think that the current behavior is the right one:

test.c:4:17: warning: format specifies type 'void *' but the argument has type 'int' [-Wformat]
        printf("%p\n", 0);
                ~~     ^
                %d

The warning goes away if you use (void *)0, as expected. __attribute__((format)) has no semantic meaning, so we can't (and shouldn't) infer that 0 is a pointer based on the usage of %p.

77–78

This is already a -Wformat-pedantic warning, which IMO is the right warning group for it:

test.c:4:17: warning: format specifies type 'void *' but the argument has type 'int (*)()' [-Wformat-pedantic]
        printf("%p\n", main);
                ~~     ^~~~
1 warning generated.

The relevant bit is clang/lib/AST/FormatString.cpp:

case CPointerTy:
  if (argTy->isVoidPointerType()) {
    return Match;
  } if (argTy->isPointerType() || argTy->isObjCObjectPointerType() ||
        argTy->isBlockPointerType() || argTy->isNullPtrType()) {
    return NoMatchPedantic;
  } else {
    return NoMatch;
  }
Harbormaster completed remote builds in B173752: Diff 442373.Jul 5 2022, 12:32 PM
aaron.ballman accepted this revision.Jul 5 2022, 1:01 PM

LGTM!

clang/test/SemaCXX/attr-format.cpp
76

Ah, you know what, I've convinced myself I was wrong and you're right. C2x 7.22.6.1p9 gives the latest conversion rules here, and I think passing 0, despite being the null pointer constant, is UB when the format specifier is %p. On targets where int and void * are the same width, this diagnostic feels rather pedantic. But on systems where those differ, it seems more important to issue the warning... so I think you're correct that we should leave this behavior alone.

Thanks for thinking it through with me. :-)

77–78

Ah, good that we have it in a pedantic diagnostic. I agree, it is a pedantic one, I thought we were missing it entirely.

This revision is now accepted and ready to land.Jul 5 2022, 1:01 PM
fcloutier updated this revision to Diff 442396.Jul 5 2022, 2:23 PM

There was a merge conflict on the release notes, updating the differential to get a CI build.

Harbormaster completed remote builds in B173773: Diff 442396.Jul 5 2022, 3:08 PM
Closed by commit rG92edd74b37c7: Allow non-variadic functions to be attributed with `__attribute__((format))` (authored by fcloutier). · Explain WhyJul 5 2022, 5:27 PM
This revision was automatically updated to reflect the committed changes.
fcloutier added a commit: rG92edd74b37c7: Allow non-variadic functions to be attributed with `__attribute__((format))`.
Unknown Object (User) added a subscriber: Unknown Object (User).Oct 19 2022, 6:49 PM

Thank you for your contribution! It is quite beneficial to me!
fireboy and watergirl

fcloutier mentioned this in rGcd95d7998c1d: [Clang][Sema] Fix attribute((format)) bug on non-variadic functions.Dec 6 2022, 1:09 PM
efriedma mentioned this in D153800: [ARM] Adjust strd/ldrd codegen alignment requirements.Jul 12 2023, 12:50 AM

Revision Contents

PathSize
clang/
docs/
4 lines
include/
clang/
Basic/
25 lines
5 lines
Sema/
35 lines
lib/
AST/
6 lines
Sema/
335 lines
8 lines
test/
Sema/
79 lines
1 line
SemaCXX/
51 lines

Diff 442415

clang/docs/ReleaseNotes.rst

Show First 20 LinesShow All 379 Lines▼ Show 20 Lines
- When the ``weak`` attribute is applied to a const qualified variable clang no longer - When the ``weak`` attribute is applied to a const qualified variable clang no longer
tells the backend it is allowed to optimize based on initializer value. tells the backend it is allowed to optimize based on initializer value.
- Added the ``clang::annotate_type`` attribute, which can be used to add - Added the ``clang::annotate_type`` attribute, which can be used to add
annotations to types (see documentation for details). annotations to types (see documentation for details).
- Added half float to types that can be represented by ``__attribute__((mode(XX)))``. - Added half float to types that can be represented by ``__attribute__((mode(XX)))``.
- The ``format`` attribute can now be applied to non-variadic functions. The
format string must correctly format the fixed parameter types of the function.
Using the attribute this way emits a GCC compatibility diagnostic.
Windows Support Windows Support
--------------- ---------------
- Add support for MSVC-compatible ``/JMC``/``/JMC-`` flag in clang-cl (supports - Add support for MSVC-compatible ``/JMC``/``/JMC-`` flag in clang-cl (supports
X86/X64/ARM/ARM64). ``/JMC`` could only be used when ``/Zi`` or ``/Z7`` is X86/X64/ARM/ARM64). ``/JMC`` could only be used when ``/Zi`` or ``/Z7`` is
turned on. With this addition, clang-cl can be used in Visual Studio for the turned on. With this addition, clang-cl can be used in Visual Studio for the
JustMyCode feature. Note, you may need to manually add ``/JMC`` as additional JustMyCode feature. Note, you may need to manually add ``/JMC`` as additional
compile options in the Visual Studio since it currently assumes clang-cl does not support ``/JMC``. compile options in the Visual Studio since it currently assumes clang-cl does not support ``/JMC``.
▲ Show 20 LinesShow All 269 LinesShow Last 20 Lines

clang/include/clang/Basic/AttrDocs.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 3,082 Lines▼ Show 20 Linescallee is unavailable or if the callee has the ``noinline`` attribute.
}]; }];
} }
def FormatDocs : Documentation { def FormatDocs : Documentation {
let Category = DocCatFunction; let Category = DocCatFunction;
let Content = [{ let Content = [{
Clang supports the ``format`` attribute, which indicates that the function Clang supports the ``format`` attribute, which indicates that the function
accepts a ``printf`` or ``scanf``-like format string and corresponding accepts (among other possibilities) a ``printf`` or ``scanf``-like format string
arguments or a ``va_list`` that contains these arguments. and corresponding arguments or a ``va_list`` that contains these arguments.
Please see `GCC documentation about format attribute Please see `GCC documentation about format attribute
<http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html>`_ to find details <http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html>`_ to find details
about attribute syntax. about attribute syntax.
Clang implements two kinds of checks with this attribute. Clang implements two kinds of checks with this attribute.
#. Clang checks that the function with the ``format`` attribute is called with #. Clang checks that the function with the ``format`` attribute is called with
Show All 37 Lines void foo(const char* s, char *buf, ...) {
va_start(ap, buf); va_start(ap, buf);
vprintf(s, ap); // warning vprintf(s, ap); // warning
} }
In this case Clang does not warn because the format string ``s`` and In this case Clang does not warn because the format string ``s`` and
the corresponding arguments are annotated. If the arguments are the corresponding arguments are annotated. If the arguments are
incorrect, the caller of ``foo`` will receive a warning. incorrect, the caller of ``foo`` will receive a warning.
As an extension to GCC's behavior, Clang accepts the ``format`` attribute on
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
incorrect, the caller of ``foo`` will receive a warning.
- As an extension to GCC's behavior, Clang accepts the format attribute on
+ As an extension to GCC's behavior, Clang accepts the ``format`` attribute on
non-variadic functions. Clang checks non-variadic format functions for the same
aaron.ballman:
non-variadic functions. Clang checks non-variadic format functions for the same
classes of issues that can be found on variadic functions, as controlled by the
same warning flags, except that the types of formatted arguments is forced by
the function signature. For example:
.. code-block:: c
__attribute__((__format__(__printf__, 1, 2)))
void fmt(const char *s, const char *a, int b);
void bar(void) {
fmt("%s %i", "hello", 123); // OK
fmt("%i %g", "hello", 123); // warning: arguments don't match format
extern const char *fmt;
fmt(fmt, "hello", 123); // warning: format string is not a string literal
}
Using the ``format`` attribute on a non-variadic function emits a GCC
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
fmt(fmt, "hello", 123); // warning: format string is not a string literal
}
- Using the format attribute on a non-variadic function emits a GCC compatibility
+ Using the ``format`` attribute on a non-variadic function emits a GCC compatibility
diagnostic.
aaron.ballman:
compatibility diagnostic.
}]; }];
} }
def AlignValueDocs : Documentation { def AlignValueDocs : Documentation {
let Category = DocCatType; let Category = DocCatType;
let Content = [{ let Content = [{
The align_value attribute can be added to the typedef of a pointer type or the The align_value attribute can be added to the typedef of a pointer type or the
declaration of a variable of pointer or reference type. It specifies that the declaration of a variable of pointer or reference type. It specifies that the
▲ Show 20 LinesShow All 3,437 LinesShow Last 20 Lines

clang/include/clang/Basic/DiagnosticSemaKinds.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 3,109 Lines▼ Show 20 Lines
def err_ownership_type : Error< def err_ownership_type : Error<
"%0 attribute only applies to %select{pointer|integer}1 arguments">; "%0 attribute only applies to %select{pointer|integer}1 arguments">;
def err_ownership_returns_index_mismatch : Error< def err_ownership_returns_index_mismatch : Error<
"'ownership_returns' attribute index does not match; here it is %0">; "'ownership_returns' attribute index does not match; here it is %0">;
def note_ownership_returns_index_mismatch : Note< def note_ownership_returns_index_mismatch : Note<
"declared with index %0 here">; "declared with index %0 here">;
def err_format_strftime_third_parameter : Error< def err_format_strftime_third_parameter : Error<
"strftime format attribute requires 3rd parameter to be 0">; "strftime format attribute requires 3rd parameter to be 0">;
def err_format_attribute_requires_variadic : Error<
"format attribute requires variadic function">;
def err_format_attribute_not : Error<"format argument not a string type">; def err_format_attribute_not : Error<"format argument not a string type">;
def err_format_attribute_result_not : Error<"function does not return %0">; def err_format_attribute_result_not : Error<"function does not return %0">;
def err_format_attribute_implicit_this_format_string : Error< def err_format_attribute_implicit_this_format_string : Error<
"format attribute cannot specify the implicit this argument as the format " "format attribute cannot specify the implicit this argument as the format "
"string">; "string">;
def err_callback_attribute_no_callee : Error< def err_callback_attribute_no_callee : Error<
"'callback' attribute specifies no callback callee">; "'callback' attribute specifies no callback callee">;
def err_callback_attribute_invalid_callee : Error< def err_callback_attribute_invalid_callee : Error<
▲ Show 20 LinesShow All 992 Lines▼ Show 20 Linesdef err_attribute_regparm_wrong_platform : Error<
"'regparm' is not valid on this platform">; "'regparm' is not valid on this platform">;
def err_attribute_regparm_invalid_number : Error< def err_attribute_regparm_invalid_number : Error<
"'regparm' parameter must be between 0 and %0 inclusive">; "'regparm' parameter must be between 0 and %0 inclusive">;
def err_attribute_not_supported_in_lang : Error< def err_attribute_not_supported_in_lang : Error<
"%0 attribute is not supported in %select{C|C++|Objective-C}1">; "%0 attribute is not supported in %select{C|C++|Objective-C}1">;
def err_attribute_not_supported_on_arch def err_attribute_not_supported_on_arch
: Error<"%0 attribute is not supported on '%1'">; : Error<"%0 attribute is not supported on '%1'">;
def warn_gcc_ignores_type_attr : Warning< def warn_gcc_ignores_type_attr : Warning<
"GCC does not allow the %0 attribute to be written on a type">, "GCC does not allow the %0 attribute to be written on a type">,
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Slight tweaks: GCC requires a function with the 'format' attribute to be variadic

aaron.ballman: Slight tweaks: `GCC requires a function with the 'format' attribute to be variadic`
InGroup<GccCompat>; InGroup<GccCompat>;
def warn_gcc_requires_variadic_function : Warning<
"GCC requires a function with the %0 attribute to be variadic">,
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

I'd say with the %0 attribute (add "the")

Quuxplusone: I'd say `with the %0 attribute` (add "the")
InGroup<GccCompat>;
// Clang-Specific Attributes // Clang-Specific Attributes
def warn_attribute_iboutlet : Warning< def warn_attribute_iboutlet : Warning<
"%0 attribute can only be applied to instance variables or properties">, "%0 attribute can only be applied to instance variables or properties">,
InGroup<IgnoredAttributes>; InGroup<IgnoredAttributes>;
def err_iboutletcollection_type : Error< def err_iboutletcollection_type : Error<
"invalid type %0 as argument of iboutletcollection attribute">; "invalid type %0 as argument of iboutletcollection attribute">;
def err_iboutletcollection_builtintype : Error< def err_iboutletcollection_builtintype : Error<
▲ Show 20 LinesShow All 7,526 LinesShow Last 20 Lines

clang/include/clang/Sema/Sema.h

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 12,991 Lines▼ Show 20 Linespublic:
//===--------------------------------------------------------------------===// //===--------------------------------------------------------------------===//
// Extra semantic analysis beyond the C type system // Extra semantic analysis beyond the C type system
public: public:
SourceLocation getLocationOfStringLiteralByte(const StringLiteral *SL, SourceLocation getLocationOfStringLiteralByte(const StringLiteral *SL,
unsigned ByteNo) const; unsigned ByteNo) const;
private: enum FormatArgumentPassingKind {
void CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr, FAPK_Fixed, // values to format are fixed (no C-style variadic arguments)
const ArraySubscriptExpr *ASE=nullptr, FAPK_Variadic, // values to format are passed as variadic arguments
bool AllowOnePastEnd=true, bool IndexNegated=false); FAPK_VAList, // values to format are passed in a va_list
void CheckArrayAccess(const Expr *E); };
// Used to grab the relevant information from a FormatAttr and a // Used to grab the relevant information from a FormatAttr and a
// FunctionDeclaration. // FunctionDeclaration.
struct FormatStringInfo { struct FormatStringInfo {
unsigned FormatIdx; unsigned FormatIdx;
unsigned FirstDataArg; unsigned FirstDataArg;
bool HasVAListArg; FormatArgumentPassingKind ArgPassingKind;
}; };
static bool getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, static bool getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember,
FormatStringInfo *FSI); bool IsVariadic, FormatStringInfo *FSI);
private:
void CheckArrayAccess(const Expr *BaseExpr, const Expr *IndexExpr,
const ArraySubscriptExpr *ASE = nullptr,
bool AllowOnePastEnd = true, bool IndexNegated = false);
void CheckArrayAccess(const Expr *E);
bool CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall, bool CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall,
const FunctionProtoType *Proto); const FunctionProtoType *Proto);
bool CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation loc, bool CheckObjCMethodCall(ObjCMethodDecl *Method, SourceLocation loc,
ArrayRef<const Expr *> Args); ArrayRef<const Expr *> Args);
bool CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall, bool CheckPointerCall(NamedDecl *NDecl, CallExpr *TheCall,
const FunctionProtoType *Proto); const FunctionProtoType *Proto);
bool CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto); bool CheckOtherCall(CallExpr *TheCall, const FunctionProtoType *Proto);
void CheckConstructorCall(FunctionDecl *FDecl, QualType ThisType, void CheckConstructorCall(FunctionDecl *FDecl, QualType ThisType,
▲ Show 20 LinesShow All 138 Lines▼ Show 20 Linespublic:
static FormatStringType GetFormatStringType(const FormatAttr *Format); static FormatStringType GetFormatStringType(const FormatAttr *Format);
bool FormatStringHasSArg(const StringLiteral *FExpr); bool FormatStringHasSArg(const StringLiteral *FExpr);
static bool GetFormatNSStringIdx(const FormatAttr *Format, unsigned &Idx); static bool GetFormatNSStringIdx(const FormatAttr *Format, unsigned &Idx);
private: private:
bool CheckFormatArguments(const FormatAttr *Format, bool CheckFormatArguments(const FormatAttr *Format,
ArrayRef<const Expr *> Args, ArrayRef<const Expr *> Args, bool IsCXXMember,
bool IsCXXMember, VariadicCallType CallType, SourceLocation Loc,
VariadicCallType CallType, SourceRange Range,
SourceLocation Loc, SourceRange Range,
llvm::SmallBitVector &CheckedVarArgs); llvm::SmallBitVector &CheckedVarArgs);
bool CheckFormatArguments(ArrayRef<const Expr *> Args, bool CheckFormatArguments(ArrayRef<const Expr *> Args,
bool HasVAListArg, unsigned format_idx, FormatArgumentPassingKind FAPK, unsigned format_idx,
unsigned firstDataArg, FormatStringType Type, unsigned firstDataArg, FormatStringType Type,
VariadicCallType CallType, VariadicCallType CallType, SourceLocation Loc,
SourceLocation Loc, SourceRange range, SourceRange range,
llvm::SmallBitVector &CheckedVarArgs); llvm::SmallBitVector &CheckedVarArgs);
void CheckAbsoluteValueFunction(const CallExpr *Call, void CheckAbsoluteValueFunction(const CallExpr *Call,
const FunctionDecl *FDecl); const FunctionDecl *FDecl);
void CheckMaxUnsignedZero(const CallExpr *Call, const FunctionDecl *FDecl); void CheckMaxUnsignedZero(const CallExpr *Call, const FunctionDecl *FDecl);
void CheckMemaccessArguments(const CallExpr *Call, void CheckMemaccessArguments(const CallExpr *Call,
▲ Show 20 LinesShow All 410 LinesShow Last 20 Lines

clang/lib/AST/FormatString.cpp

Show First 20 LinesShow All 315 Lines▼ Show 20 Lines
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods on ArgType. // Methods on ArgType.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
clang::analyze_format_string::ArgType::MatchKind clang::analyze_format_string::ArgType::MatchKind
ArgType::matchesType(ASTContext &C, QualType argTy) const { ArgType::matchesType(ASTContext &C, QualType argTy) const {
// When using the format attribute in C++, you can receive a function or an
// array that will necessarily decay to a pointer when passed to the final
// format consumer. Apply decay before type comparison.
if (argTy->canDecayToPointerType())
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I think this should be:

if (argTy->canDecayToPointerType())
  argTy = C.getDecayedType(argTy);
aaron.ballman: I think this should be: ``` if (argTy->canDecayToPointerType()) argTy = C.getDecayedType…
argTy = C.getDecayedType(argTy);
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

Also, function references will decay to function pointers. I have no idea if you need to do anything special here to get the "right behavior" for function references. But please add a (compile-only?) test case for the function-pointer codepath, just to prove it doesn't crash or anything.

Quuxplusone: Also, function references will decay to function pointers. I have no idea if you need to do…
if (Ptr) { if (Ptr) {
// It has to be a pointer. // It has to be a pointer.
const PointerType *PT = argTy->getAs<PointerType>(); const PointerType *PT = argTy->getAs<PointerType>();
if (!PT) if (!PT)
return NoMatch; return NoMatch;
// We cannot write through a const qualified pointer. // We cannot write through a const qualified pointer.
if (PT->getPointeeType().isConstQualified()) if (PT->getPointeeType().isConstQualified())
▲ Show 20 LinesShow All 677 LinesShow Last 20 Lines

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 103 Lines▼ Show 20 Lines
using namespace sema; using namespace sema;
SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL, SourceLocation Sema::getLocationOfStringLiteralByte(const StringLiteral *SL,
unsigned ByteNo) const { unsigned ByteNo) const {
return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts, return SL->getLocationOfByte(ByteNo, getSourceManager(), LangOpts,
Context.getTargetInfo()); Context.getTargetInfo());
} }
static constexpr unsigned short combineFAPK(Sema::FormatArgumentPassingKind A,
Sema::FormatArgumentPassingKind B) {
return (A << 8) | B;
}
/// Checks that a call expression's argument count is at least the desired /// Checks that a call expression's argument count is at least the desired
/// number. This is useful when doing custom type-checking on a variadic /// number. This is useful when doing custom type-checking on a variadic
/// function. Returns true on error. /// function. Returns true on error.
static bool checkArgCountAtLeast(Sema &S, CallExpr *Call, static bool checkArgCountAtLeast(Sema &S, CallExpr *Call,
unsigned MinArgCount) { unsigned MinArgCount) {
unsigned ArgCount = Call->getNumArgs(); unsigned ArgCount = Call->getNumArgs();
if (ArgCount >= MinArgCount) if (ArgCount >= MinArgCount)
return false; return false;
▲ Show 20 LinesShow All 5,278 Lines▼ Show 20 Linesbool Sema::CheckX86BuiltinFunctionCall(const TargetInfo &TI, unsigned BuiltinID,
return SemaBuiltinConstantArgRange(TheCall, i, l, u, /*RangeIsError*/ false); return SemaBuiltinConstantArgRange(TheCall, i, l, u, /*RangeIsError*/ false);
} }
/// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo /// Given a FunctionDecl's FormatAttr, attempts to populate the FomatStringInfo
/// parameter with the FormatAttr's correct format_idx and firstDataArg. /// parameter with the FormatAttr's correct format_idx and firstDataArg.
/// Returns true when the format fits the function and the FormatStringInfo has /// Returns true when the format fits the function and the FormatStringInfo has
/// been populated. /// been populated.
bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember, bool Sema::getFormatStringInfo(const FormatAttr *Format, bool IsCXXMember,
FormatStringInfo *FSI) { bool IsVariadic, FormatStringInfo *FSI) {
FSI->HasVAListArg = Format->getFirstArg() == 0; if (Format->getFirstArg() == 0)
FSI->ArgPassingKind = FAPK_VAList;
else if (IsVariadic)
FSI->ArgPassingKind = FAPK_Variadic;
else
FSI->ArgPassingKind = FAPK_Fixed;
FSI->FormatIdx = Format->getFormatIdx() - 1; FSI->FormatIdx = Format->getFormatIdx() - 1;
FSI->FirstDataArg = FSI->HasVAListArg ? 0 : Format->getFirstArg() - 1; FSI->FirstDataArg =
FSI->ArgPassingKind == FAPK_VAList ? 0 : Format->getFirstArg() - 1;
// The way the format attribute works in GCC, the implicit this argument // The way the format attribute works in GCC, the implicit this argument
// of member functions is counted. However, it doesn't appear in our own // of member functions is counted. However, it doesn't appear in our own
// lists, so decrement format_idx in that case. // lists, so decrement format_idx in that case.
if (IsCXXMember) { if (IsCXXMember) {
if(FSI->FormatIdx == 0) if(FSI->FormatIdx == 0)
return false; return false;
--FSI->FormatIdx; --FSI->FormatIdx;
if (FSI->FirstDataArg != 0) if (FSI->FirstDataArg != 0)
--FSI->FirstDataArg; --FSI->FirstDataArg;
} }
return true; return true;
} }
/// Checks if a the given expression evaluates to null. /// Checks if a the given expression evaluates to null.
/// ///
/// Returns true if the value evaluates to null. /// Returns true if the value evaluates to null.
static bool CheckNonNullExpr(Sema &S, const Expr *Expr) { static bool CheckNonNullExpr(Sema &S, const Expr *Expr) {
// If the expression has non-null type, it doesn't evaluate to null. // If the expression has non-null type, it doesn't evaluate to null.
if (auto nullability if (auto nullability
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Elide braces here (coding style rule).

aaron.ballman: Elide braces here (coding style rule).
= Expr->IgnoreImplicit()->getType()->getNullability(S.Context)) { = Expr->IgnoreImplicit()->getType()->getNullability(S.Context)) {
if (*nullability == NullabilityKind::NonNull) if (*nullability == NullabilityKind::NonNull)
return false; return false;
} }
// As a special case, transparent unions initialized with zero are // As a special case, transparent unions initialized with zero are
// considered null for the purposes of the nonnull attribute. // considered null for the purposes of the nonnull attribute.
if (const RecordType *UT = Expr->getType()->getAsUnionType()) { if (const RecordType *UT = Expr->getType()->getAsUnionType()) {
Show All 18 Lines if (CheckNonNullExpr(S, ArgExpr))
S.DiagRuntimeBehavior(CallSiteLoc, ArgExpr, S.DiagRuntimeBehavior(CallSiteLoc, ArgExpr,
S.PDiag(diag::warn_null_arg) S.PDiag(diag::warn_null_arg)
<< ArgExpr->getSourceRange()); << ArgExpr->getSourceRange());
} }
bool Sema::GetFormatNSStringIdx(const FormatAttr *Format, unsigned &Idx) { bool Sema::GetFormatNSStringIdx(const FormatAttr *Format, unsigned &Idx) {
FormatStringInfo FSI; FormatStringInfo FSI;
if ((GetFormatStringType(Format) == FST_NSString) && if ((GetFormatStringType(Format) == FST_NSString) &&
getFormatStringInfo(Format, false, &FSI)) { getFormatStringInfo(Format, false, true, &FSI)) {
Idx = FSI.FormatIdx; Idx = FSI.FormatIdx;
return true; return true;
} }
return false; return false;
} }
/// Diagnose use of %s directive in an NSString which is being passed /// Diagnose use of %s directive in an NSString which is being passed
/// as formatting string to formatting method. /// as formatting string to formatting method.
▲ Show 20 LinesShow All 2,217 Lines▼ Show 20 Linesbool Sema::SemaBuiltinOSLogFormat(CallExpr *TheCall) {
} }
// Check formatting specifiers. NOTE: We're only doing this for the non-size // Check formatting specifiers. NOTE: We're only doing this for the non-size
// call to avoid duplicate diagnostics. // call to avoid duplicate diagnostics.
if (!IsSizeCall) { if (!IsSizeCall) {
llvm::SmallBitVector CheckedVarArgs(NumArgs, false); llvm::SmallBitVector CheckedVarArgs(NumArgs, false);
ArrayRef<const Expr *> Args(TheCall->getArgs(), TheCall->getNumArgs()); ArrayRef<const Expr *> Args(TheCall->getArgs(), TheCall->getNumArgs());
bool Success = CheckFormatArguments( bool Success = CheckFormatArguments(
Args, /*HasVAListArg*/ false, FormatIdx, FirstDataArg, FST_OSLog, Args, FAPK_Variadic, FormatIdx, FirstDataArg, FST_OSLog,
VariadicFunction, TheCall->getBeginLoc(), SourceRange(), VariadicFunction, TheCall->getBeginLoc(), SourceRange(),
CheckedVarArgs); CheckedVarArgs);
if (!Success) if (!Success)
return true; return true;
} }
if (IsSizeCall) { if (IsSizeCall) {
TheCall->setType(Context.getSizeType()); TheCall->setType(Context.getSizeType());
▲ Show 20 LinesShow All 700 Lines▼ Show 20 Lines public:
SourceLocation getBeginLoc() const LLVM_READONLY { SourceLocation getBeginLoc() const LLVM_READONLY {
return FExpr->getBeginLoc().getLocWithOffset(Offset); return FExpr->getBeginLoc().getLocWithOffset(Offset);
} }
SourceLocation getEndLoc() const LLVM_READONLY { return FExpr->getEndLoc(); } SourceLocation getEndLoc() const LLVM_READONLY { return FExpr->getEndLoc(); }
}; };
} // namespace } // namespace
static void CheckFormatString(Sema &S, const FormatStringLiteral *FExpr, static void CheckFormatString(
const Expr *OrigFormatExpr, Sema &S, const FormatStringLiteral *FExpr, const Expr *OrigFormatExpr,
ArrayRef<const Expr *> Args, ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
bool HasVAListArg, unsigned format_idx, unsigned format_idx, unsigned firstDataArg, Sema::FormatStringType Type,
unsigned firstDataArg, bool inFunctionCall, Sema::VariadicCallType CallType,
Sema::FormatStringType Type, llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
bool inFunctionCall,
Sema::VariadicCallType CallType,
llvm::SmallBitVector &CheckedVarArgs,
UncoveredArgHandler &UncoveredArg,
bool IgnoreStringsWithoutSpecifiers); bool IgnoreStringsWithoutSpecifiers);
// Determine if an expression is a string literal or constant string. // Determine if an expression is a string literal or constant string.
// If this function returns false on the arguments to a function expecting a // If this function returns false on the arguments to a function expecting a
// format string, we will usually need to emit a warning. // format string, we will usually need to emit a warning.
// True string literals are then checked by CheckFormatString. // True string literals are then checked by CheckFormatString.
static StringLiteralCheckType static StringLiteralCheckType
checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args, checkFormatStringExpr(Sema &S, const Expr *E, ArrayRef<const Expr *> Args,
bool HasVAListArg, unsigned format_idx, Sema::FormatArgumentPassingKind APK, unsigned format_idx,
unsigned firstDataArg, Sema::FormatStringType Type, unsigned firstDataArg, Sema::FormatStringType Type,
Sema::VariadicCallType CallType, bool InFunctionCall, Sema::VariadicCallType CallType, bool InFunctionCall,
llvm::SmallBitVector &CheckedVarArgs, llvm::SmallBitVector &CheckedVarArgs,
UncoveredArgHandler &UncoveredArg, UncoveredArgHandler &UncoveredArg, llvm::APSInt Offset,
llvm::APSInt Offset,
bool IgnoreStringsWithoutSpecifiers = false) { bool IgnoreStringsWithoutSpecifiers = false) {
if (S.isConstantEvaluated()) if (S.isConstantEvaluated())
return SLCT_NotALiteral; return SLCT_NotALiteral;
tryAgain: tryAgain:
assert(Offset.isSigned() && "invalid offset"); assert(Offset.isSigned() && "invalid offset");
if (E->isTypeDependent() || E->isValueDependent()) if (E->isTypeDependent() || E->isValueDependent())
return SLCT_NotALiteral; return SLCT_NotALiteral;
E = E->IgnoreParenCasts(); E = E->IgnoreParenCasts();
if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull)) if (E->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNotNull))
Show All 28 Lines case Stmt::ConditionalOperatorClass: {
// We need to maintain the offsets for the right and the left hand side // We need to maintain the offsets for the right and the left hand side
// separately to check if every possible indexed expression is a valid // separately to check if every possible indexed expression is a valid
// string literal. They might have different offsets for different string // string literal. They might have different offsets for different string
// literals in the end. // literals in the end.
StringLiteralCheckType Left; StringLiteralCheckType Left;
if (!CheckLeft) if (!CheckLeft)
Left = SLCT_UncheckedLiteral; Left = SLCT_UncheckedLiteral;
else { else {
Left = checkFormatStringExpr(S, C->getTrueExpr(), Args, Left = checkFormatStringExpr(S, C->getTrueExpr(), Args, APK, format_idx,
HasVAListArg, format_idx, firstDataArg, firstDataArg, Type, CallType, InFunctionCall,
Type, CallType, InFunctionCall,
CheckedVarArgs, UncoveredArg, Offset, CheckedVarArgs, UncoveredArg, Offset,
IgnoreStringsWithoutSpecifiers); IgnoreStringsWithoutSpecifiers);
if (Left == SLCT_NotALiteral || !CheckRight) { if (Left == SLCT_NotALiteral || !CheckRight) {
return Left; return Left;
} }
} }
StringLiteralCheckType Right = checkFormatStringExpr( StringLiteralCheckType Right = checkFormatStringExpr(
S, C->getFalseExpr(), Args, HasVAListArg, format_idx, firstDataArg, S, C->getFalseExpr(), Args, APK, format_idx, firstDataArg, Type,
Type, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
IgnoreStringsWithoutSpecifiers); IgnoreStringsWithoutSpecifiers);
return (CheckLeft && Left < Right) ? Left : Right; return (CheckLeft && Left < Right) ? Left : Right;
} }
case Stmt::ImplicitCastExprClass: case Stmt::ImplicitCastExprClass:
E = cast<ImplicitCastExpr>(E)->getSubExpr(); E = cast<ImplicitCastExpr>(E)->getSubExpr();
goto tryAgain; goto tryAgain;
Show All 33 Lines if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
if (isConstant) { if (isConstant) {
if (const Expr *Init = VD->getAnyInitializer()) { if (const Expr *Init = VD->getAnyInitializer()) {
// Look through initializers like const char c[] = { "foo" } // Look through initializers like const char c[] = { "foo" }
if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) { if (const InitListExpr *InitList = dyn_cast<InitListExpr>(Init)) {
if (InitList->isStringLiteralInit()) if (InitList->isStringLiteralInit())
Init = InitList->getInit(0)->IgnoreParenImpCasts(); Init = InitList->getInit(0)->IgnoreParenImpCasts();
} }
return checkFormatStringExpr(S, Init, Args, return checkFormatStringExpr(
HasVAListArg, format_idx, S, Init, Args, APK, format_idx, firstDataArg, Type, CallType,
firstDataArg, Type, CallType, /*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg, Offset);
/*InFunctionCall*/ false, CheckedVarArgs,
UncoveredArg, Offset);
} }
} }
// For vprintf* functions (i.e., HasVAListArg==true), we add a // When the format argument is an argument of this function, and this
// special check to see if the format string is a function parameter // function also has the format attribute, there are several interactions
// of the function calling the printf function. If the function // for which there shouldn't be a warning. For instance, when calling
// has an attribute indicating it is a printf-like function, then we // v*printf from a function that has the printf format attribute, we
// should suppress warnings concerning non-literals being used in a call // should not emit a warning about using `fmt`, even though it's not
// to a vprintf function. For example: // constant, because the arguments have already been checked for the
// caller of `logmessage`:
// //
// void // __attribute__((format(printf, 1, 2)))
// logmessage(char const *fmt __attribute__ (format (printf, 1, 2)), ...){ // void logmessage(char const *fmt, ...) {
// va_list ap; // va_list ap;
// va_start(ap, fmt); // va_start(ap, fmt);
// vprintf(fmt, ap); // Do NOT emit a warning about "fmt". // vprintf(fmt, ap); /* do not emit a warning about "fmt" */
// ... // ...
// } // }
if (HasVAListArg) { //
if (const ParmVarDecl *PV = dyn_cast<ParmVarDecl>(VD)) { // Another interaction that we need to support is calling a variadic
if (const Decl *D = dyn_cast<Decl>(PV->getDeclContext())) { // format function from a format function that has fixed arguments. For
int PVIndex = PV->getFunctionScopeIndex() + 1; // instance:
//
// __attribute__((format(printf, 1, 2)))
// void logstring(char const *fmt, char const *str) {
// printf(fmt, str); /* do not emit a warning about "fmt" */
// }
//
// Same (and perhaps more relatably) for the variadic template case:
//
// template<typename... Args>
// __attribute__((format(printf, 1, 2)))
// void log(const char *fmt, Args&&... args) {
// printf(fmt, forward<Args>(args)...);
// /* do not emit a warning about "fmt" */
// }
//
// Due to implementation difficulty, we only check the format, not the
// format arguments, in all cases.
//
if (const auto *PV = dyn_cast<ParmVarDecl>(VD)) {
if (const auto *D = dyn_cast<Decl>(PV->getDeclContext())) {
for (const auto *PVFormat : D->specific_attrs<FormatAttr>()) { for (const auto *PVFormat : D->specific_attrs<FormatAttr>()) {
// adjust for implicit parameter bool IsCXXMember = false;
if (const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(D)) if (const auto *MD = dyn_cast<CXXMethodDecl>(D))
if (MD->isInstance()) IsCXXMember = MD->isInstance();
++PVIndex;
bool IsVariadic = false;
if (const FunctionType *FnTy = D->getFunctionType())
IsVariadic = cast<FunctionProtoType>(FnTy)->isVariadic();
else if (const auto *BD = dyn_cast<BlockDecl>(D))
IsVariadic = BD->isVariadic();
else if (const auto *OMD = dyn_cast<ObjCMethodDecl>(D))
IsVariadic = OMD->isVariadic();
Sema::FormatStringInfo CallerFSI;
if (Sema::getFormatStringInfo(PVFormat, IsCXXMember, IsVariadic,
&CallerFSI)) {
// We also check if the formats are compatible. // We also check if the formats are compatible.
// We can't pass a 'scanf' string to a 'printf' function. // We can't pass a 'scanf' string to a 'printf' function.
if (PVIndex == PVFormat->getFormatIdx() && if (PV->getFunctionScopeIndex() == CallerFSI.FormatIdx &&
Type == S.GetFormatStringType(PVFormat)) Type == S.GetFormatStringType(PVFormat)) {
// Lastly, check that argument passing kinds transition in a
// way that makes sense:
// from a caller with FAPK_VAList, allow FAPK_VAList
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Can use const auto * in these cases.

aaron.ballman: Can use `const auto *` in these cases.
// from a caller with FAPK_Fixed, allow FAPK_Fixed
// from a caller with FAPK_Fixed, allow FAPK_Variadic
// from a caller with FAPK_Variadic, allow FAPK_VAList
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Same here.

aaron.ballman: Same here.
switch (combineFAPK(CallerFSI.ArgPassingKind, APK)) {
case combineFAPK(Sema::FAPK_VAList, Sema::FAPK_VAList):
case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Fixed):
case combineFAPK(Sema::FAPK_Fixed, Sema::FAPK_Variadic):
case combineFAPK(Sema::FAPK_Variadic, Sema::FAPK_VAList):
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

A better way to write this would be:

if (const auto *FnTy = D->getType()->getAs<FunctionProtoType>())
  IsVariadic = FnTy->isVariadic();
...
aaron.ballman: A better way to write this would be: ``` if (const auto *FnTy = D->getType()…
return SLCT_UncheckedLiteral; return SLCT_UncheckedLiteral;
} }
} }
} }
} }
} }
}
}
return SLCT_NotALiteral; return SLCT_NotALiteral;
} }
case Stmt::CallExprClass: case Stmt::CallExprClass:
case Stmt::CXXMemberCallExprClass: { case Stmt::CXXMemberCallExprClass: {
const CallExpr *CE = cast<CallExpr>(E); const CallExpr *CE = cast<CallExpr>(E);
if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) { if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(CE->getCalleeDecl())) {
bool IsFirst = true; bool IsFirst = true;
StringLiteralCheckType CommonResult; StringLiteralCheckType CommonResult;
for (const auto *FA : ND->specific_attrs<FormatArgAttr>()) { for (const auto *FA : ND->specific_attrs<FormatArgAttr>()) {
const Expr *Arg = CE->getArg(FA->getFormatIdx().getASTIndex()); const Expr *Arg = CE->getArg(FA->getFormatIdx().getASTIndex());
StringLiteralCheckType Result = checkFormatStringExpr( StringLiteralCheckType Result = checkFormatStringExpr(
S, Arg, Args, HasVAListArg, format_idx, firstDataArg, Type, S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
CallType, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
IgnoreStringsWithoutSpecifiers); IgnoreStringsWithoutSpecifiers);
if (IsFirst) { if (IsFirst) {
CommonResult = Result; CommonResult = Result;
IsFirst = false; IsFirst = false;
} }
} }
if (!IsFirst) if (!IsFirst)
return CommonResult; return CommonResult;
if (const auto *FD = dyn_cast<FunctionDecl>(ND)) { if (const auto *FD = dyn_cast<FunctionDecl>(ND)) {
unsigned BuiltinID = FD->getBuiltinID(); unsigned BuiltinID = FD->getBuiltinID();
if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString || if (BuiltinID == Builtin::BI__builtin___CFStringMakeConstantString ||
BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) { BuiltinID == Builtin::BI__builtin___NSStringMakeConstantString) {
const Expr *Arg = CE->getArg(0); const Expr *Arg = CE->getArg(0);
return checkFormatStringExpr(S, Arg, Args, return checkFormatStringExpr(
HasVAListArg, format_idx, S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
InFunctionCall, CheckedVarArgs,
UncoveredArg, Offset,
IgnoreStringsWithoutSpecifiers); IgnoreStringsWithoutSpecifiers);
} }
} }
} }
return SLCT_NotALiteral; return SLCT_NotALiteral;
} }
case Stmt::ObjCMessageExprClass: { case Stmt::ObjCMessageExprClass: {
const auto *ME = cast<ObjCMessageExpr>(E); const auto *ME = cast<ObjCMessageExpr>(E);
Show All 11 Lines if (const auto *MD = ME->getMethodDecl()) {
IFace->getIdentifier()->isStr("NSBundle") && IFace->getIdentifier()->isStr("NSBundle") &&
MD->getSelector().isKeywordSelector( MD->getSelector().isKeywordSelector(
{"localizedStringForKey", "value", "table"})) { {"localizedStringForKey", "value", "table"})) {
IgnoreStringsWithoutSpecifiers = true; IgnoreStringsWithoutSpecifiers = true;
} }
const Expr *Arg = ME->getArg(FA->getFormatIdx().getASTIndex()); const Expr *Arg = ME->getArg(FA->getFormatIdx().getASTIndex());
return checkFormatStringExpr( return checkFormatStringExpr(
S, Arg, Args, HasVAListArg, format_idx, firstDataArg, Type, S, Arg, Args, APK, format_idx, firstDataArg, Type, CallType,
CallType, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset, InFunctionCall, CheckedVarArgs, UncoveredArg, Offset,
IgnoreStringsWithoutSpecifiers); IgnoreStringsWithoutSpecifiers);
} }
} }
return SLCT_NotALiteral; return SLCT_NotALiteral;
} }
case Stmt::ObjCStringLiteralClass: case Stmt::ObjCStringLiteralClass:
case Stmt::StringLiteralClass: { case Stmt::StringLiteralClass: {
const StringLiteral *StrE = nullptr; const StringLiteral *StrE = nullptr;
if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E)) if (const ObjCStringLiteral *ObjCFExpr = dyn_cast<ObjCStringLiteral>(E))
StrE = ObjCFExpr->getString(); StrE = ObjCFExpr->getString();
else else
StrE = cast<StringLiteral>(E); StrE = cast<StringLiteral>(E);
if (StrE) { if (StrE) {
if (Offset.isNegative() || Offset > StrE->getLength()) { if (Offset.isNegative() || Offset > StrE->getLength()) {
// TODO: It would be better to have an explicit warning for out of // TODO: It would be better to have an explicit warning for out of
// bounds literals. // bounds literals.
return SLCT_NotALiteral; return SLCT_NotALiteral;
} }
FormatStringLiteral FStr(StrE, Offset.sextOrTrunc(64).getSExtValue()); FormatStringLiteral FStr(StrE, Offset.sextOrTrunc(64).getSExtValue());
CheckFormatString(S, &FStr, E, Args, HasVAListArg, format_idx, CheckFormatString(S, &FStr, E, Args, APK, format_idx, firstDataArg, Type,
firstDataArg, Type, InFunctionCall, CallType, InFunctionCall, CallType, CheckedVarArgs, UncoveredArg,
CheckedVarArgs, UncoveredArg,
IgnoreStringsWithoutSpecifiers); IgnoreStringsWithoutSpecifiers);
return SLCT_CheckedLiteral; return SLCT_CheckedLiteral;
} }
return SLCT_NotALiteral; return SLCT_NotALiteral;
} }
case Stmt::BinaryOperatorClass: { case Stmt::BinaryOperatorClass: {
const BinaryOperator *BinOp = cast<BinaryOperator>(E); const BinaryOperator *BinOp = cast<BinaryOperator>(E);
▲ Show 20 LinesShow All 62 Lines▼ Show 20 Lines return llvm::StringSwitch<FormatStringType>(Format->getType()->getName())
.Case("os_log", FST_OSLog) .Case("os_log", FST_OSLog)
.Default(FST_Unknown); .Default(FST_Unknown);
} }
/// CheckFormatArguments - Check calls to printf and scanf (and similar /// CheckFormatArguments - Check calls to printf and scanf (and similar
/// functions) for correct use of format strings. /// functions) for correct use of format strings.
/// Returns true if a format string has been fully checked. /// Returns true if a format string has been fully checked.
bool Sema::CheckFormatArguments(const FormatAttr *Format, bool Sema::CheckFormatArguments(const FormatAttr *Format,
ArrayRef<const Expr *> Args, ArrayRef<const Expr *> Args, bool IsCXXMember,
bool IsCXXMember, VariadicCallType CallType, SourceLocation Loc,
VariadicCallType CallType, SourceRange Range,
SourceLocation Loc, SourceRange Range,
llvm::SmallBitVector &CheckedVarArgs) { llvm::SmallBitVector &CheckedVarArgs) {
FormatStringInfo FSI; FormatStringInfo FSI;
if (getFormatStringInfo(Format, IsCXXMember, &FSI)) if (getFormatStringInfo(Format, IsCXXMember, CallType != VariadicDoesNotApply,
return CheckFormatArguments(Args, FSI.HasVAListArg, FSI.FormatIdx, &FSI))
return CheckFormatArguments(Args, FSI.ArgPassingKind, FSI.FormatIdx,
FSI.FirstDataArg, GetFormatStringType(Format), FSI.FirstDataArg, GetFormatStringType(Format),
CallType, Loc, Range, CheckedVarArgs); CallType, Loc, Range, CheckedVarArgs);
return false; return false;
} }
bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args, bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
bool HasVAListArg, unsigned format_idx, Sema::FormatArgumentPassingKind APK,
unsigned firstDataArg, FormatStringType Type, unsigned format_idx, unsigned firstDataArg,
VariadicCallType CallType, FormatStringType Type,
SourceLocation Loc, SourceRange Range, VariadicCallType CallType, SourceLocation Loc,
SourceRange Range,
llvm::SmallBitVector &CheckedVarArgs) { llvm::SmallBitVector &CheckedVarArgs) {
// CHECK: printf/scanf-like function is called with no format string. // CHECK: printf/scanf-like function is called with no format string.
if (format_idx >= Args.size()) { if (format_idx >= Args.size()) {
Diag(Loc, diag::warn_missing_format_string) << Range; Diag(Loc, diag::warn_missing_format_string) << Range;
return false; return false;
} }
const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts(); const Expr *OrigFormatExpr = Args[format_idx]->IgnoreParenCasts();
// CHECK: format string is not a string literal. // CHECK: format string is not a string literal.
// //
// Dynamically generated format strings are difficult to // Dynamically generated format strings are difficult to
// automatically vet at compile time. Requiring that format strings // automatically vet at compile time. Requiring that format strings
// are string literals: (1) permits the checking of format strings by // are string literals: (1) permits the checking of format strings by
// the compiler and thereby (2) can practically remove the source of // the compiler and thereby (2) can practically remove the source of
// many format string exploits. // many format string exploits.
// Format string can be either ObjC string (e.g. @"%d") or // Format string can be either ObjC string (e.g. @"%d") or
// C string (e.g. "%d") // C string (e.g. "%d")
// ObjC string uses the same format specifiers as C string, so we can use // ObjC string uses the same format specifiers as C string, so we can use
// the same format string checking logic for both ObjC and C strings. // the same format string checking logic for both ObjC and C strings.
UncoveredArgHandler UncoveredArg; UncoveredArgHandler UncoveredArg;
StringLiteralCheckType CT = StringLiteralCheckType CT = checkFormatStringExpr(
checkFormatStringExpr(*this, OrigFormatExpr, Args, HasVAListArg, *this, OrigFormatExpr, Args, APK, format_idx, firstDataArg, Type,
format_idx, firstDataArg, Type, CallType, CallType,
/*IsFunctionCall*/ true, CheckedVarArgs, /*IsFunctionCall*/ true, CheckedVarArgs, UncoveredArg,
UncoveredArg,
/*no string offset*/ llvm::APSInt(64, false) = 0); /*no string offset*/ llvm::APSInt(64, false) = 0);
// Generate a diagnostic where an uncovered argument is detected. // Generate a diagnostic where an uncovered argument is detected.
if (UncoveredArg.hasUncoveredArg()) { if (UncoveredArg.hasUncoveredArg()) {
unsigned ArgIdx = UncoveredArg.getUncoveredArg() + firstDataArg; unsigned ArgIdx = UncoveredArg.getUncoveredArg() + firstDataArg;
assert(ArgIdx < Args.size() && "ArgIdx outside bounds"); assert(ArgIdx < Args.size() && "ArgIdx outside bounds");
UncoveredArg.Diagnose(*this, /*IsFunctionCall*/true, Args[ArgIdx]); UncoveredArg.Diagnose(*this, /*IsFunctionCall*/true, Args[ArgIdx]);
} }
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines
protected: protected:
Sema &S; Sema &S;
const FormatStringLiteral *FExpr; const FormatStringLiteral *FExpr;
const Expr *OrigFormatExpr; const Expr *OrigFormatExpr;
const Sema::FormatStringType FSType; const Sema::FormatStringType FSType;
const unsigned FirstDataArg; const unsigned FirstDataArg;
const unsigned NumDataArgs; const unsigned NumDataArgs;
const char *Beg; // Start of format string. const char *Beg; // Start of format string.
const bool HasVAListArg; const Sema::FormatArgumentPassingKind ArgPassingKind;
ArrayRef<const Expr *> Args; ArrayRef<const Expr *> Args;
unsigned FormatIdx; unsigned FormatIdx;
llvm::SmallBitVector CoveredArgs; llvm::SmallBitVector CoveredArgs;
bool usesPositionalArgs = false; bool usesPositionalArgs = false;
bool atFirstArg = true; bool atFirstArg = true;
bool inFunctionCall; bool inFunctionCall;
Sema::VariadicCallType CallType; Sema::VariadicCallType CallType;
llvm::SmallBitVector &CheckedVarArgs; llvm::SmallBitVector &CheckedVarArgs;
UncoveredArgHandler &UncoveredArg; UncoveredArgHandler &UncoveredArg;
public: public:
CheckFormatHandler(Sema &s, const FormatStringLiteral *fexpr, CheckFormatHandler(Sema &s, const FormatStringLiteral *fexpr,
const Expr *origFormatExpr, const Expr *origFormatExpr,
const Sema::FormatStringType type, unsigned firstDataArg, const Sema::FormatStringType type, unsigned firstDataArg,
unsigned numDataArgs, const char *beg, bool hasVAListArg, unsigned numDataArgs, const char *beg,
Sema::FormatArgumentPassingKind APK,
ArrayRef<const Expr *> Args, unsigned formatIdx, ArrayRef<const Expr *> Args, unsigned formatIdx,
bool inFunctionCall, Sema::VariadicCallType callType, bool inFunctionCall, Sema::VariadicCallType callType,
llvm::SmallBitVector &CheckedVarArgs, llvm::SmallBitVector &CheckedVarArgs,
UncoveredArgHandler &UncoveredArg) UncoveredArgHandler &UncoveredArg)
: S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), FSType(type), : S(s), FExpr(fexpr), OrigFormatExpr(origFormatExpr), FSType(type),
FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), Beg(beg), FirstDataArg(firstDataArg), NumDataArgs(numDataArgs), Beg(beg),
HasVAListArg(hasVAListArg), Args(Args), FormatIdx(formatIdx), ArgPassingKind(APK), Args(Args), FormatIdx(formatIdx),
inFunctionCall(inFunctionCall), CallType(callType), inFunctionCall(inFunctionCall), CallType(callType),
CheckedVarArgs(CheckedVarArgs), UncoveredArg(UncoveredArg) { CheckedVarArgs(CheckedVarArgs), UncoveredArg(UncoveredArg) {
CoveredArgs.resize(numDataArgs); CoveredArgs.resize(numDataArgs);
CoveredArgs.reset(); CoveredArgs.reset();
} }
void DoneProcessing(); void DoneProcessing();
▲ Show 20 LinesShow All 219 Lines▼ Show 20 Lines
// one of the argument expressions. // one of the argument expressions.
const Expr *CheckFormatHandler::getDataArg(unsigned i) const { const Expr *CheckFormatHandler::getDataArg(unsigned i) const {
return Args[FirstDataArg + i]; return Args[FirstDataArg + i];
} }
void CheckFormatHandler::DoneProcessing() { void CheckFormatHandler::DoneProcessing() {
// Does the number of data arguments exceed the number of // Does the number of data arguments exceed the number of
// format conversions in the format string? // format conversions in the format string?
if (!HasVAListArg) { if (ArgPassingKind != Sema::FAPK_VAList) {
// Find any arguments that weren't covered. // Find any arguments that weren't covered.
CoveredArgs.flip(); CoveredArgs.flip();
signed notCoveredArg = CoveredArgs.find_first(); signed notCoveredArg = CoveredArgs.find_first();
if (notCoveredArg >= 0) { if (notCoveredArg >= 0) {
assert((unsigned)notCoveredArg < NumDataArgs); assert((unsigned)notCoveredArg < NumDataArgs);
UncoveredArg.Update(notCoveredArg, OrigFormatExpr); UncoveredArg.Update(notCoveredArg, OrigFormatExpr);
} else { } else {
UncoveredArg.setAllCovered(); UncoveredArg.setAllCovered();
} }
▲ Show 20 LinesShow All 178 Lines▼ Show 20 Lines
namespace { namespace {
class CheckPrintfHandler : public CheckFormatHandler { class CheckPrintfHandler : public CheckFormatHandler {
public: public:
CheckPrintfHandler(Sema &s, const FormatStringLiteral *fexpr, CheckPrintfHandler(Sema &s, const FormatStringLiteral *fexpr,
const Expr *origFormatExpr, const Expr *origFormatExpr,
const Sema::FormatStringType type, unsigned firstDataArg, const Sema::FormatStringType type, unsigned firstDataArg,
unsigned numDataArgs, bool isObjC, const char *beg, unsigned numDataArgs, bool isObjC, const char *beg,
bool hasVAListArg, ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
unsigned formatIdx, bool inFunctionCall, ArrayRef<const Expr *> Args, unsigned formatIdx,
Sema::VariadicCallType CallType, bool inFunctionCall, Sema::VariadicCallType CallType,
llvm::SmallBitVector &CheckedVarArgs, llvm::SmallBitVector &CheckedVarArgs,
UncoveredArgHandler &UncoveredArg) UncoveredArgHandler &UncoveredArg)
: CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg, : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
numDataArgs, beg, hasVAListArg, Args, formatIdx, numDataArgs, beg, APK, Args, formatIdx,
inFunctionCall, CallType, CheckedVarArgs, inFunctionCall, CallType, CheckedVarArgs,
UncoveredArg) {} UncoveredArg) {}
bool isObjCContext() const { return FSType == Sema::FST_NSString; } bool isObjCContext() const { return FSType == Sema::FST_NSString; }
/// Returns true if '%@' specifiers are allowed in the format string. /// Returns true if '%@' specifiers are allowed in the format string.
bool allowsObjCArg() const { bool allowsObjCArg() const {
return FSType == Sema::FST_NSString || FSType == Sema::FST_OSLog || return FSType == Sema::FST_NSString || FSType == Sema::FST_OSLog ||
▲ Show 20 LinesShow All 58 Lines▼ Show 20 Lines return HandleInvalidConversionSpecifier(FS.getArgIndex(),
CS.getStart(), CS.getLength()); CS.getStart(), CS.getLength());
} }
void CheckPrintfHandler::handleInvalidMaskType(StringRef MaskType) { void CheckPrintfHandler::handleInvalidMaskType(StringRef MaskType) {
S.Diag(getLocationOfByte(MaskType.data()), diag::err_invalid_mask_type_size); S.Diag(getLocationOfByte(MaskType.data()), diag::err_invalid_mask_type_size);
} }
bool CheckPrintfHandler::HandleAmount( bool CheckPrintfHandler::HandleAmount(
const analyze_format_string::OptionalAmount &Amt, const analyze_format_string::OptionalAmount &Amt, unsigned k,
unsigned k, const char *startSpecifier, const char *startSpecifier, unsigned specifierLen) {
unsigned specifierLen) {
if (Amt.hasDataArgument()) { if (Amt.hasDataArgument()) {
if (!HasVAListArg) { if (ArgPassingKind != Sema::FAPK_VAList) {
unsigned argIndex = Amt.getArgIndex(); unsigned argIndex = Amt.getArgIndex();
if (argIndex >= NumDataArgs) { if (argIndex >= NumDataArgs) {
EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg) EmitFormatDiagnostic(S.PDiag(diag::warn_printf_asterisk_missing_arg)
<< k, << k,
getLocationOfByte(Amt.getStart()), getLocationOfByte(Amt.getStart()),
/*IsStringLocation*/true, /*IsStringLocation*/ true,
getSpecifierRange(startSpecifier, specifierLen)); getSpecifierRange(startSpecifier, specifierLen));
// Don't do any more checking. We will just emit // Don't do any more checking. We will just emit
// spurious errors. // spurious errors.
return false; return false;
} }
// Type check the data argument. It should be an 'int'. // Type check the data argument. It should be an 'int'.
// Although not in conformance with C99, we also allow the argument to be // Although not in conformance with C99, we also allow the argument to be
▲ Show 20 LinesShow All 379 Lines▼ Show 20 Linesbool CheckPrintfHandler::HandlePrintfSpecifier(
else if (!FS.hasStandardLengthConversionCombination()) else if (!FS.hasStandardLengthConversionCombination())
HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
diag::warn_format_non_standard_conversion_spec); diag::warn_format_non_standard_conversion_spec);
if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
// The remaining checks depend on the data arguments. // The remaining checks depend on the data arguments.
if (HasVAListArg) if (ArgPassingKind == Sema::FAPK_VAList)
return true; return true;
if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
return false; return false;
const Expr *Arg = getDataArg(argIndex); const Expr *Arg = getDataArg(argIndex);
if (!Arg) if (!Arg)
return true; return true;
▲ Show 20 LinesShow All 131 Lines▼ Show 20 LinesCheckPrintfHandler::checkFormatExpr(const analyze_printf::PrintfSpecifier &FS,
if (!AT.isValid()) if (!AT.isValid())
return true; return true;
QualType ExprTy = E->getType(); QualType ExprTy = E->getType();
while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) { while (const TypeOfExprType *TET = dyn_cast<TypeOfExprType>(ExprTy)) {
ExprTy = TET->getUnderlyingExpr()->getType(); ExprTy = TET->getUnderlyingExpr()->getType();
} }
// When using the format attribute in C++, you can receive a function or an
// array that will necessarily decay to a pointer when passed to the final
// format consumer. Apply decay before type comparison.
if (ExprTy->canDecayToPointerType())
ExprTy = S.Context.getDecayedType(ExprTy);
// Diagnose attempts to print a boolean value as a character. Unlike other // Diagnose attempts to print a boolean value as a character. Unlike other
// -Wformat diagnostics, this is fine from a type perspective, but it still // -Wformat diagnostics, this is fine from a type perspective, but it still
// doesn't make sense. // doesn't make sense.
if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::cArg && if (FS.getConversionSpecifier().getKind() == ConversionSpecifier::cArg &&
E->isKnownToHaveBooleanValue()) { E->isKnownToHaveBooleanValue()) {
const CharSourceRange &CSR = const CharSourceRange &CSR =
getSpecifierRange(StartSpecifier, SpecifierLen); getSpecifierRange(StartSpecifier, SpecifierLen);
SmallString<4> FSString; SmallString<4> FSString;
llvm::raw_svector_ostream os(FSString); llvm::raw_svector_ostream os(FSString);
FS.toString(os); FS.toString(os);
EmitFormatDiagnostic(S.PDiag(diag::warn_format_bool_as_character) EmitFormatDiagnostic(S.PDiag(diag::warn_format_bool_as_character)
<< FSString, << FSString,
E->getExprLoc(), false, CSR); E->getExprLoc(), false, CSR);
return true; return true;
} }
analyze_printf::ArgType::MatchKind Match = AT.matchesType(S.Context, ExprTy); analyze_printf::ArgType::MatchKind Match = AT.matchesType(S.Context, ExprTy);
if (Match == analyze_printf::ArgType::Match) if (Match == analyze_printf::ArgType::Match)
return true; return true;
// Look through argument promotions for our error message's reported type. // Look through argument promotions for our error message's reported type.
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Same suggestion here as above to use canDecayToPointerType() instead.

aaron.ballman: Same suggestion here as above to use `canDecayToPointerType()` instead.
// This includes the integral and floating promotions, but excludes array // This includes the integral and floating promotions, but excludes array
// and function pointer decay (seeing that an argument intended to be a // and function pointer decay (seeing that an argument intended to be a
// string has type 'char [6]' is probably more confusing than 'char *') and // string has type 'char [6]' is probably more confusing than 'char *') and
// certain bitfield promotions (bitfields can be 'demoted' to a lesser type). // certain bitfield promotions (bitfields can be 'demoted' to a lesser type).
if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) { if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(E)) {
if (isArithmeticArgumentPromotion(S, ICE)) { if (isArithmeticArgumentPromotion(S, ICE)) {
E = ICE->getSubExpr(); E = ICE->getSubExpr();
ExprTy = E->getType(); ExprTy = E->getType();
▲ Show 20 LinesShow All 183 Lines▼ Show 20 Lines if (IntendedTy == ExprTy && !ShouldNotPrintDirectly) {
} }
} }
} else { } else {
const CharSourceRange &CSR = getSpecifierRange(StartSpecifier, const CharSourceRange &CSR = getSpecifierRange(StartSpecifier,
SpecifierLen); SpecifierLen);
// Since the warning for passing non-POD types to variadic functions // Since the warning for passing non-POD types to variadic functions
// was deferred until now, we emit a warning for non-POD // was deferred until now, we emit a warning for non-POD
// arguments here. // arguments here.
bool EmitTypeMismatch = false;
switch (S.isValidVarArgType(ExprTy)) { switch (S.isValidVarArgType(ExprTy)) {
case Sema::VAK_Valid: case Sema::VAK_Valid:
case Sema::VAK_ValidInCXX11: { case Sema::VAK_ValidInCXX11: {
unsigned Diag; unsigned Diag;
switch (Match) { switch (Match) {
case ArgType::Match: llvm_unreachable("expected non-matching"); case ArgType::Match: llvm_unreachable("expected non-matching");
case ArgType::NoMatchPedantic: case ArgType::NoMatchPedantic:
Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic; Diag = diag::warn_format_conversion_argument_type_mismatch_pedantic;
Show All 9 Lines case Sema::VAK_ValidInCXX11: {
EmitFormatDiagnostic( EmitFormatDiagnostic(
S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy S.PDiag(Diag) << AT.getRepresentativeTypeName(S.Context) << ExprTy
<< IsEnum << CSR << E->getSourceRange(), << IsEnum << CSR << E->getSourceRange(),
E->getBeginLoc(), /*IsStringLocation*/ false, CSR); E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
break; break;
} }
case Sema::VAK_Undefined: case Sema::VAK_Undefined:
case Sema::VAK_MSVCUndefined: case Sema::VAK_MSVCUndefined:
EmitFormatDiagnostic(S.PDiag(diag::warn_non_pod_vararg_with_format_string) if (CallType == Sema::VariadicDoesNotApply) {
<< S.getLangOpts().CPlusPlus11 << ExprTy EmitTypeMismatch = true;
<< CallType } else {
EmitFormatDiagnostic(
S.PDiag(diag::warn_non_pod_vararg_with_format_string)
<< S.getLangOpts().CPlusPlus11 << ExprTy << CallType
<< AT.getRepresentativeTypeName(S.Context) << CSR << AT.getRepresentativeTypeName(S.Context) << CSR
<< E->getSourceRange(), << E->getSourceRange(),
E->getBeginLoc(), /*IsStringLocation*/ false, CSR); E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
checkForCStrMembers(AT, E); checkForCStrMembers(AT, E);
}
break; break;
case Sema::VAK_Invalid: case Sema::VAK_Invalid:
if (ExprTy->isObjCObjectType()) if (CallType == Sema::VariadicDoesNotApply)
EmitTypeMismatch = true;
else if (ExprTy->isObjCObjectType())
EmitFormatDiagnostic( EmitFormatDiagnostic(
S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format) S.PDiag(diag::err_cannot_pass_objc_interface_to_vararg_format)
<< S.getLangOpts().CPlusPlus11 << ExprTy << CallType << S.getLangOpts().CPlusPlus11 << ExprTy << CallType
<< AT.getRepresentativeTypeName(S.Context) << CSR << AT.getRepresentativeTypeName(S.Context) << CSR
<< E->getSourceRange(), << E->getSourceRange(),
E->getBeginLoc(), /*IsStringLocation*/ false, CSR); E->getBeginLoc(), /*IsStringLocation*/ false, CSR);
else else
// FIXME: If this is an initializer list, suggest removing the braces // FIXME: If this is an initializer list, suggest removing the braces
// or inserting a cast to the target type. // or inserting a cast to the target type.
S.Diag(E->getBeginLoc(), diag::err_cannot_pass_to_vararg_format) S.Diag(E->getBeginLoc(), diag::err_cannot_pass_to_vararg_format)
<< isa<InitListExpr>(E) << ExprTy << CallType << isa<InitListExpr>(E) << ExprTy << CallType
<< AT.getRepresentativeTypeName(S.Context) << E->getSourceRange(); << AT.getRepresentativeTypeName(S.Context) << E->getSourceRange();
break; break;
} }
if (EmitTypeMismatch) {
// The function is not variadic, so we do not generate warnings about
// being allowed to pass that object as a variadic argument. Instead,
// since there are inherently no printf specifiers for types which cannot
// be passed as variadic arguments, emit a plain old specifier mismatch
// argument.
EmitFormatDiagnostic(
S.PDiag(diag::warn_format_conversion_argument_type_mismatch)
<< AT.getRepresentativeTypeName(S.Context) << ExprTy << false
<< E->getSourceRange(),
E->getBeginLoc(), false, CSR);
}
assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() && assert(FirstDataArg + FS.getArgIndex() < CheckedVarArgs.size() &&
"format string specifier index out of range"); "format string specifier index out of range");
CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true; CheckedVarArgs[FirstDataArg + FS.getArgIndex()] = true;
} }
return true; return true;
} }
//===--- CHECK: Scanf format string checking ------------------------------===// //===--- CHECK: Scanf format string checking ------------------------------===//
namespace { namespace {
class CheckScanfHandler : public CheckFormatHandler { class CheckScanfHandler : public CheckFormatHandler {
public: public:
CheckScanfHandler(Sema &s, const FormatStringLiteral *fexpr, CheckScanfHandler(Sema &s, const FormatStringLiteral *fexpr,
const Expr *origFormatExpr, Sema::FormatStringType type, const Expr *origFormatExpr, Sema::FormatStringType type,
unsigned firstDataArg, unsigned numDataArgs, unsigned firstDataArg, unsigned numDataArgs,
const char *beg, bool hasVAListArg, const char *beg, Sema::FormatArgumentPassingKind APK,
ArrayRef<const Expr *> Args, unsigned formatIdx, ArrayRef<const Expr *> Args, unsigned formatIdx,
bool inFunctionCall, Sema::VariadicCallType CallType, bool inFunctionCall, Sema::VariadicCallType CallType,
llvm::SmallBitVector &CheckedVarArgs, llvm::SmallBitVector &CheckedVarArgs,
UncoveredArgHandler &UncoveredArg) UncoveredArgHandler &UncoveredArg)
: CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg, : CheckFormatHandler(s, fexpr, origFormatExpr, type, firstDataArg,
numDataArgs, beg, hasVAListArg, Args, formatIdx, numDataArgs, beg, APK, Args, formatIdx,
inFunctionCall, CallType, CheckedVarArgs, inFunctionCall, CallType, CheckedVarArgs,
UncoveredArg) {} UncoveredArg) {}
bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS, bool HandleScanfSpecifier(const analyze_scanf::ScanfSpecifier &FS,
const char *startSpecifier, const char *startSpecifier,
unsigned specifierLen) override; unsigned specifierLen) override;
bool HandleInvalidScanfConversionSpecifier( bool HandleInvalidScanfConversionSpecifier(
▲ Show 20 LinesShow All 87 Lines▼ Show 20 Linesbool CheckScanfHandler::HandleScanfSpecifier(
else if (!FS.hasStandardLengthConversionCombination()) else if (!FS.hasStandardLengthConversionCombination())
HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen, HandleInvalidLengthModifier(FS, CS, startSpecifier, specifierLen,
diag::warn_format_non_standard_conversion_spec); diag::warn_format_non_standard_conversion_spec);
if (!FS.hasStandardConversionSpecifier(S.getLangOpts())) if (!FS.hasStandardConversionSpecifier(S.getLangOpts()))
HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen); HandleNonStandardConversionSpecifier(CS, startSpecifier, specifierLen);
// The remaining checks depend on the data arguments. // The remaining checks depend on the data arguments.
if (HasVAListArg) if (ArgPassingKind == Sema::FAPK_VAList)
return true; return true;
if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex)) if (!CheckNumArgs(FS, CS, startSpecifier, specifierLen, argIndex))
return false; return false;
// Check that the argument type matches the format specifier. // Check that the argument type matches the format specifier.
const Expr *Ex = getDataArg(argIndex); const Expr *Ex = getDataArg(argIndex);
if (!Ex) if (!Ex)
Show All 40 Lines EmitFormatDiagnostic(S.PDiag(Diag)
Ex->getBeginLoc(), Ex->getBeginLoc(),
/*IsStringLocation*/ false, /*IsStringLocation*/ false,
getSpecifierRange(startSpecifier, specifierLen)); getSpecifierRange(startSpecifier, specifierLen));
} }
return true; return true;
} }
static void CheckFormatString(Sema &S, const FormatStringLiteral *FExpr, static void CheckFormatString(
const Expr *OrigFormatExpr, Sema &S, const FormatStringLiteral *FExpr, const Expr *OrigFormatExpr,
ArrayRef<const Expr *> Args, ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
bool HasVAListArg, unsigned format_idx, unsigned format_idx, unsigned firstDataArg, Sema::FormatStringType Type,
unsigned firstDataArg, bool inFunctionCall, Sema::VariadicCallType CallType,
Sema::FormatStringType Type, llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
bool inFunctionCall,
Sema::VariadicCallType CallType,
llvm::SmallBitVector &CheckedVarArgs,
UncoveredArgHandler &UncoveredArg,
bool IgnoreStringsWithoutSpecifiers) { bool IgnoreStringsWithoutSpecifiers) {
// CHECK: is the format string a wide literal? // CHECK: is the format string a wide literal?
if (!FExpr->isAscii() && !FExpr->isUTF8()) { if (!FExpr->isAscii() && !FExpr->isUTF8()) {
CheckFormatHandler::EmitFormatDiagnostic( CheckFormatHandler::EmitFormatDiagnostic(
S, inFunctionCall, Args[format_idx], S, inFunctionCall, Args[format_idx],
S.PDiag(diag::warn_format_string_is_wide_literal), FExpr->getBeginLoc(), S.PDiag(diag::warn_format_string_is_wide_literal), FExpr->getBeginLoc(),
/*IsStringLocation*/ true, OrigFormatExpr->getSourceRange()); /*IsStringLocation*/ true, OrigFormatExpr->getSourceRange());
return; return;
} }
Show All 34 Lines if (StrLen == 0 && numDataArgs > 0) {
return; return;
} }
if (Type == Sema::FST_Printf || Type == Sema::FST_NSString || if (Type == Sema::FST_Printf || Type == Sema::FST_NSString ||
Type == Sema::FST_FreeBSDKPrintf || Type == Sema::FST_OSLog || Type == Sema::FST_FreeBSDKPrintf || Type == Sema::FST_OSLog ||
Type == Sema::FST_OSTrace) { Type == Sema::FST_OSTrace) {
CheckPrintfHandler H( CheckPrintfHandler H(
S, FExpr, OrigFormatExpr, Type, firstDataArg, numDataArgs, S, FExpr, OrigFormatExpr, Type, firstDataArg, numDataArgs,
(Type == Sema::FST_NSString || Type == Sema::FST_OSTrace), Str, (Type == Sema::FST_NSString || Type == Sema::FST_OSTrace), Str, APK,
HasVAListArg, Args, format_idx, inFunctionCall, CallType, Args, format_idx, inFunctionCall, CallType, CheckedVarArgs,
CheckedVarArgs, UncoveredArg); UncoveredArg);
if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, if (!analyze_format_string::ParsePrintfString(
S.getLangOpts(), H, Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo(),
S.Context.getTargetInfo(),
Type == Sema::FST_FreeBSDKPrintf)) Type == Sema::FST_FreeBSDKPrintf))
H.DoneProcessing(); H.DoneProcessing();
} else if (Type == Sema::FST_Scanf) { } else if (Type == Sema::FST_Scanf) {
CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg, CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
numDataArgs, Str, HasVAListArg, Args, format_idx, numDataArgs, Str, APK, Args, format_idx, inFunctionCall,
inFunctionCall, CallType, CheckedVarArgs, UncoveredArg); CallType, CheckedVarArgs, UncoveredArg);
if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, if (!analyze_format_string::ParseScanfString(
S.getLangOpts(), H, Str, Str + StrLen, S.getLangOpts(), S.Context.getTargetInfo()))
S.Context.getTargetInfo()))
H.DoneProcessing(); H.DoneProcessing();
} // TODO: handle other formats } // TODO: handle other formats
} }
bool Sema::FormatStringHasSArg(const StringLiteral *FExpr) { bool Sema::FormatStringHasSArg(const StringLiteral *FExpr) {
// Str - The format string. NOTE: this is NOT null-terminated! // Str - The format string. NOTE: this is NOT null-terminated!
StringRef StrRef = FExpr->getString(); StringRef StrRef = FExpr->getString();
const char *Str = StrRef.data(); const char *Str = StrRef.data();
▲ Show 20 LinesShow All 7,256 LinesShow Last 20 Lines

clang/lib/Sema/SemaDeclAttr.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 3,872 Lines▼ Show 20 Lines if (!isNSStringType(Ty, S.Context, true) &&
!isCFStringType(Ty, S.Context) && !isCFStringType(Ty, S.Context) &&
(!Ty->isPointerType() || (!Ty->isPointerType() ||
!Ty->castAs<PointerType>()->getPointeeType()->isCharType())) { !Ty->castAs<PointerType>()->getPointeeType()->isCharType())) {
S.Diag(AL.getLoc(), diag::err_format_attribute_not) S.Diag(AL.getLoc(), diag::err_format_attribute_not)
<< IdxExpr->getSourceRange() << getFunctionOrMethodParamRange(D, ArgIdx); << IdxExpr->getSourceRange() << getFunctionOrMethodParamRange(D, ArgIdx);
return; return;
} }
// check the 3rd argument // check the 3rd argument
Expr *FirstArgExpr = AL.getArgAsExpr(2); Expr *FirstArgExpr = AL.getArgAsExpr(2);
uint32_t FirstArg; uint32_t FirstArg;
if (!checkUInt32Argument(S, AL, FirstArgExpr, FirstArg, 3)) if (!checkUInt32Argument(S, AL, FirstArgExpr, FirstArg, 3))
return; return;
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

There's some braces you can elide here now.

aaron.ballman: There's some braces you can elide here now.
// check if the function is variadic if the 3rd argument non-zero // check if the function is variadic if the 3rd argument non-zero
if (FirstArg != 0) { if (FirstArg != 0) {
if (isFunctionOrMethodVariadic(D)) { if (isFunctionOrMethodVariadic(D))
++NumArgs; // +1 for ... ++NumArgs; // +1 for ...
} else { else
S.Diag(D->getLocation(), diag::err_format_attribute_requires_variadic); S.Diag(D->getLocation(), diag::warn_gcc_requires_variadic_function) << AL;
return;
}
} }
// strftime requires FirstArg to be 0 because it doesn't read from any // strftime requires FirstArg to be 0 because it doesn't read from any
// variable the input is just the current time + the format string. // variable the input is just the current time + the format string.
if (Kind == StrftimeFormat) { if (Kind == StrftimeFormat) {
if (FirstArg != 0) { if (FirstArg != 0) {
S.Diag(AL.getLoc(), diag::err_format_strftime_third_parameter) S.Diag(AL.getLoc(), diag::err_format_strftime_third_parameter)
<< FirstArgExpr->getSourceRange(); << FirstArgExpr->getSourceRange();
▲ Show 20 LinesShow All 5,593 LinesShow Last 20 Lines

clang/test/Sema/attr-format.c

//RUN: %clang_cc1 -fsyntax-only -verify %s //RUN: %clang_cc1 -fsyntax-only -verify %s
#include <stdarg.h> #include <stdarg.h>
void a(const char *a, ...) __attribute__((format(printf, 1,2))); // no-error void a(const char *a, ...) __attribute__((format(printf, 1, 2))); // no-error
void b(const char *a, ...) __attribute__((format(printf, 1,1))); // expected-error {{'format' attribute parameter 3 is out of bounds}} void b(const char *a, ...) __attribute__((format(printf, 1, 1))); // expected-error {{'format' attribute parameter 3 is out of bounds}}
void c(const char *a, ...) __attribute__((format(printf, 0,2))); // expected-error {{'format' attribute parameter 2 is out of bounds}} void c(const char *a, ...) __attribute__((format(printf, 0, 2))); // expected-error {{'format' attribute parameter 2 is out of bounds}}
void d(const char *a, int c) __attribute__((format(printf, 1,2))); // expected-error {{format attribute requires variadic function}} void d(const char *a, int c) __attribute__((format(printf, 1, 2))); // expected-warning {{GCC requires a function with the 'format' attribute to be variadic}}
void e(char *str, int c, ...) __attribute__((format(printf, 2,3))); // expected-error {{format argument not a string type}} void e(char *str, int c, ...) __attribute__((format(printf, 2, 3))); // expected-error {{format argument not a string type}}
typedef const char* xpto; typedef const char *xpto;
void f(xpto c, va_list list) __attribute__((format(printf, 1, 0))); // no-error void f(xpto c, va_list list) __attribute__((format(printf, 1, 0))); // no-error
void g(xpto c) __attribute__((format(printf, 1, 0))); // no-error void g(xpto c) __attribute__((format(printf, 1, 0))); // no-error
void y(char *str) __attribute__((format(strftime, 1,0))); // no-error void y(char *str) __attribute__((format(strftime, 1, 0))); // no-error
void z(char *str, int c, ...) __attribute__((format(strftime, 1,2))); // expected-error {{strftime format attribute requires 3rd parameter to be 0}} void z(char *str, int c, ...) __attribute__((format(strftime, 1, 2))); // expected-error {{strftime format attribute requires 3rd parameter to be 0}}
int (*f_ptr)(char*,...) __attribute__((format(printf, 1,2))); // no-error int (*f_ptr)(char*,...) __attribute__((format(printf, 1,2))); // no-error
int (*f2_ptr)(double,...) __attribute__((format(printf, 1, 2))); // expected-error {{format argument not a string type}} int (*f2_ptr)(double,...) __attribute__((format(printf, 1, 2))); // expected-error {{format argument not a string type}}
struct _mystruct { struct _mystruct {
int (*printf)(const char *format, ...) __attribute__((__format__(printf, 1, 2))); // no-error int (*printf)(const char *format, ...) __attribute__((__format__(printf, 1, 2))); // no-error
int (*printf2)(double format, ...) __attribute__((__format__(printf, 1, 2))); // expected-error {{format argument not a string type}} int (*printf2)(double format, ...) __attribute__((__format__(printf, 1, 2))); // expected-error {{format argument not a string type}}
}; };
typedef int (*f3_ptr)(char*,...) __attribute__((format(printf,1,0))); // no-error typedef int (*f3_ptr)(char*,...) __attribute__((format(printf,1,0))); // no-error
// <rdar://problem/6623513> // <rdar://problem/6623513>
int rdar6623513(void *, const char*, const char*, ...) int rdar6623513(void *, const char*, const char*, ...)
__attribute__ ((format (printf, 3, 0))); __attribute__ ((format (printf, 3, 0)));
int rdar6623513_aux(int len, const char* s) { int rdar6623513_aux(int len, const char* s) {
rdar6623513(0, "hello", "%.*s", len, s); rdar6623513(0, "hello", "%.*s", len, s);
} }
// same as format(printf(...))... // same as format(printf(...))...
void a2(const char *a, ...) __attribute__((format(printf0, 1,2))); // no-error void a2(const char *a, ...) __attribute__((format(printf0, 1, 2))); // no-error
void b2(const char *a, ...) __attribute__((format(printf0, 1,1))); // expected-error {{'format' attribute parameter 3 is out of bounds}} void b2(const char *a, ...) __attribute__((format(printf0, 1, 1))); // expected-error {{'format' attribute parameter 3 is out of bounds}}
void c2(const char *a, ...) __attribute__((format(printf0, 0,2))); // expected-error {{'format' attribute parameter 2 is out of bounds}} void c2(const char *a, ...) __attribute__((format(printf0, 0, 2))); // expected-error {{'format' attribute parameter 2 is out of bounds}}
void d2(const char *a, int c) __attribute__((format(printf0, 1,2))); // expected-error {{format attribute requires variadic function}} void d2(const char *a, int c) __attribute__((format(printf0, 1, 2))); // expected-warning {{GCC requires a function with the 'format' attribute to be variadic}}
void e2(char *str, int c, ...) __attribute__((format(printf0, 2,3))); // expected-error {{format argument not a string type}} void e2(char *str, int c, ...) __attribute__((format(printf0, 2, 3))); // expected-error {{format argument not a string type}}
// FreeBSD usage // FreeBSD usage
#define __printf0like(fmt,va) __attribute__((__format__(__printf0__,fmt,va))) #define __printf0like(fmt, va) __attribute__((__format__(__printf0__, fmt, va)))
void null(int i, const char *a, ...) __printf0like(2,0); // no-error void null(int i, const char *a, ...) __printf0like(2, 0); // no-error
void null(int i, const char *a, ...) { // expected-note{{passing argument to parameter 'a' here}} void null(int i, const char *a, ...) { // expected-note{{passing argument to parameter 'a' here}}
if (a) if (a)
(void)0/* vprintf(...) would go here */; (void)0/* vprintf(...) would go here */;
} }
void callnull(void){ void callnull(void){
null(0, 0); // no error null(0, 0); // no error
null(0, (char*)0); // no error null(0, (char*)0); // no error
null(0, (void*)0); // no error null(0, (void*)0); // no error
null(0, (int*)0); // expected-warning {{incompatible pointer types}} null(0, (int*)0); // expected-warning {{incompatible pointer types}}
} }
// FreeBSD kernel extensions // FreeBSD kernel extensions
void a3(const char *a, ...) __attribute__((format(freebsd_kprintf, 1,2))); // no-error void a3(const char *a, ...) __attribute__((format(freebsd_kprintf, 1, 2))); // no-error
void b3(const char *a, ...) __attribute__((format(freebsd_kprintf, 1,1))); // expected-error {{'format' attribute parameter 3 is out of bounds}} void b3(const char *a, ...) __attribute__((format(freebsd_kprintf, 1, 1))); // expected-error {{'format' attribute parameter 3 is out of bounds}}
void c3(const char *a, ...) __attribute__((format(freebsd_kprintf, 0,2))); // expected-error {{'format' attribute parameter 2 is out of bounds}} void c3(const char *a, ...) __attribute__((format(freebsd_kprintf, 0, 2))); // expected-error {{'format' attribute parameter 2 is out of bounds}}
void d3(const char *a, int c) __attribute__((format(freebsd_kprintf, 1,2))); // expected-error {{format attribute requires variadic function}} void d3(const char *a, int c) __attribute__((format(freebsd_kprintf, 1, 2))); // expected-warning {{GCC requires a function with the 'format' attribute to be variadic}}
void e3(char *str, int c, ...) __attribute__((format(freebsd_kprintf, 2,3))); // expected-error {{format argument not a string type}} void e3(char *str, int c, ...) __attribute__((format(freebsd_kprintf, 2, 3))); // expected-error {{format argument not a string type}}
// PR4470 // PR4470
int xx_vprintf(const char *, va_list); int xx_vprintf(const char *, va_list);
const char *foo(const char *format) __attribute__((format_arg(1))); const char *foo(const char *format) __attribute__((format_arg(1)));
void __attribute__((format(printf, 1, 0))) void __attribute__((format(printf, 1, 0)))
foo2(const char *fmt, va_list va) { foo2(const char *fmt, va_list va) {
xx_vprintf(foo(fmt), va); xx_vprintf(foo(fmt), va);
} }
// PR6542 // PR6542
extern void gcc_format (const char *, ...) extern void gcc_format(const char *, ...)
__attribute__ ((__format__(__gcc_diag__, 1, 2))); __attribute__((__format__(__gcc_diag__, 1, 2)));
extern void gcc_cformat (const char *, ...) extern void gcc_cformat(const char *, ...)
__attribute__ ((__format__(__gcc_cdiag__, 1, 2))); __attribute__((__format__(__gcc_cdiag__, 1, 2)));
extern void gcc_cxxformat (const char *, ...) extern void gcc_cxxformat(const char *, ...)
__attribute__ ((__format__(__gcc_cxxdiag__, 1, 2))); __attribute__((__format__(__gcc_cxxdiag__, 1, 2)));
extern void gcc_tformat (const char *, ...) extern void gcc_tformat(const char *, ...)
__attribute__ ((__format__(__gcc_tdiag__, 1, 2))); __attribute__((__format__(__gcc_tdiag__, 1, 2)));
const char *foo3(const char *format) __attribute__((format_arg("foo"))); // expected-error{{'format_arg' attribute requires parameter 1 to be an integer constant}} const char *foo3(const char *format) __attribute__((format_arg("foo"))); // expected-error{{'format_arg' attribute requires parameter 1 to be an integer constant}}
void call_nonvariadic(void) {
d3("%i", 123);
d3("%d", 123);
d3("%s", 123); // expected-warning{{format specifies type 'char *' but the argument has type 'int'}}
}
__attribute__((format(printf, 1, 2))) void forward_fixed(const char *fmt, int i) { // expected-warning{{GCC requires a function with the 'format' attribute to be variadic}}
forward_fixed(fmt, i);
a(fmt, i);
}

clang/test/Sema/format-strings.c

Show First 20 LinesShow All 810 Lines▼ Show 20 Linesvoid test_block(void) {
printf_arg1("%s string\n", 123); // expected-warning{{format specifies type 'char *' but the argument has type 'int'}} printf_arg1("%s string\n", 123); // expected-warning{{format specifies type 'char *' but the argument has type 'int'}}
void __attribute__((__format__(__printf__, 2, 3))) (^printf_arg2)( void __attribute__((__format__(__printf__, 2, 3))) (^printf_arg2)(
const char *, const char *, ...) = const char *, const char *, ...) =
^(const char *not_fmt, const char *fmt, ...) ^(const char *not_fmt, const char *fmt, ...)
__attribute__((__format__(__printf__, 2, 3))) { __attribute__((__format__(__printf__, 2, 3))) {
va_list ap; va_list ap;
va_start(ap, fmt); va_start(ap, fmt);
vprintf(fmt, ap);
vprintf(not_fmt, ap); // expected-warning{{format string is not a string literal}} vprintf(not_fmt, ap); // expected-warning{{format string is not a string literal}}
va_end(ap); va_end(ap);
}; };
printf_arg2("foo", "%s string %i\n", "aaa", 123); printf_arg2("foo", "%s string %i\n", "aaa", 123);
printf_arg2("%s string\n", "foo", "bar"); // expected-warning{{data argument not used by format string}} printf_arg2("%s string\n", "foo", "bar"); // expected-warning{{data argument not used by format string}}
} }

clang/test/SemaCXX/attr-format.cpp

// RUN: %clang_cc1 -fsyntax-only -Wformat-nonliteral -verify %s // RUN: %clang_cc1 -fsyntax-only -Wformat-nonliteral -verify %s
#include <stdarg.h>
int printf(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
struct S { struct S {
static void f(const char*, ...) __attribute__((format(printf, 1, 2))); static void f(const char *, ...) __attribute__((format(printf, 1, 2)));
static const char* f2(const char*) __attribute__((format_arg(1))); static const char *f2(const char *) __attribute__((format_arg(1)));
// GCC has a hidden 'this' argument in member functions which is why // GCC has a hidden 'this' argument in member functions which is why
// the format argument is argument 2 here. // the format argument is argument 2 here.
void g(const char*, ...) __attribute__((format(printf, 2, 3))); void g(const char*, ...) __attribute__((format(printf, 2, 3)));
const char* g2(const char*) __attribute__((format_arg(2))); const char* g2(const char*) __attribute__((format_arg(2)));
void h(const char*, ...) __attribute__((format(printf, 1, 4))); // \ void h(const char*, ...) __attribute__((format(printf, 1, 4))); // \
expected-error{{implicit this argument as the format string}} expected-error{{implicit this argument as the format string}}
Show All 20 Linesnamespace PR8625 {
}; };
void test(S s, const char* str) { void test(S s, const char* str) {
s.f(str, "%s", str); s.f(str, "%s", str);
} }
} }
// Make sure we interpret member operator calls as having an implicit // Make sure we interpret member operator calls as having an implicit
// this argument. // this argument.
void test_operator_call(S s, const char* str) { void test_operator_call(S s, const char *str) {
s("%s", str); s("%s", str);
} }
template <typename... Args>
void format(const char *fmt, Args &&...args) // expected-warning{{GCC requires a function with the 'format' attribute to be variadic}}
__attribute__((format(printf, 1, 2)));
template <typename Arg>
Arg &expand(Arg &a) { return a; }
struct foo {
int big[10];
foo();
~foo();
template <typename... Args>
void format(const char *const fmt, Args &&...args) // expected-warning{{GCC requires a function with the 'format' attribute to be variadic}}
__attribute__((format(printf, 2, 3))) {
printf(fmt, expand(args)...);
}
};
void format_invalid_nonpod(const char *fmt, struct foo f) // expected-warning{{GCC requires a function with the 'format' attribute to be variadic}}
__attribute__((format(printf, 1, 2)));
void do_format() {
int x = 123;
int &y = x;
const char *s = "world";
format("bare string");
format("%s", 123); // expected-warning{{format specifies type 'char *' but the argument has type 'int'}}
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

This pointed out an interesting test case. What should the behavior be for:

format("%p", 0);

Because that sure feels like a more reasonable thing for someone to write expecting it to be treated as a null pointer constant.

aaron.ballman: This pointed out an interesting test case. What should the behavior be for: ``` format("%p", 0)…
fcloutierAuthorUnsubmitted
Done
ReplyInline Actions

I think that the current behavior is the right one:

test.c:4:17: warning: format specifies type 'void *' but the argument has type 'int' [-Wformat]
        printf("%p\n", 0);
                ~~     ^
                %d

The warning goes away if you use (void *)0, as expected. __attribute__((format)) has no semantic meaning, so we can't (and shouldn't) infer that 0 is a pointer based on the usage of %p.

fcloutier: I think that the current behavior is the right one: ``` test.c:4:17: warning: format specifies…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Ah, you know what, I've convinced myself I was wrong and you're right. C2x 7.22.6.1p9 gives the latest conversion rules here, and I think passing 0, despite being the null pointer constant, is UB when the format specifier is %p. On targets where int and void * are the same width, this diagnostic feels rather pedantic. But on systems where those differ, it seems more important to issue the warning... so I think you're correct that we should leave this behavior alone.

Thanks for thinking it through with me. :-)

aaron.ballman: Ah, you know what, I've convinced myself I was wrong and you're right. C2x 7.22.6.1p9 gives the…
format("%s %s %u %d %i %p\n", "hello", s, 10u, x, y, &do_format);
format("%s %s %u %d %i %p\n", "hello", s, 10u, x, y, do_format);
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

This likely isn't specific to your changes, but the %p in these examples should be warning the user (a function or function pointer is not a pointer to void or a pointer to a character type, so that call is UB).

aaron.ballman: This likely isn't specific to your changes, but the `%p` in these examples should be warning…
fcloutierAuthorUnsubmitted
Done
ReplyInline Actions

This is already a -Wformat-pedantic warning, which IMO is the right warning group for it:

test.c:4:17: warning: format specifies type 'void *' but the argument has type 'int (*)()' [-Wformat-pedantic]
        printf("%p\n", main);
                ~~     ^~~~
1 warning generated.

The relevant bit is clang/lib/AST/FormatString.cpp:

case CPointerTy:
  if (argTy->isVoidPointerType()) {
    return Match;
  } if (argTy->isPointerType() || argTy->isObjCObjectPointerType() ||
        argTy->isBlockPointerType() || argTy->isNullPtrType()) {
    return NoMatchPedantic;
  } else {
    return NoMatch;
  }
fcloutier: This is already a -Wformat-pedantic warning, which IMO is the right warning group for it: ```…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Ah, good that we have it in a pedantic diagnostic. I agree, it is a pedantic one, I thought we were missing it entirely.

aaron.ballman: Ah, good that we have it in a pedantic diagnostic. I agree, it is a pedantic one, I thought we…
format("bad format %s"); // expected-warning{{more '%' conversions than data arguments}}
struct foo f;
format_invalid_nonpod("hello %i", f); // expected-warning{{format specifies type 'int' but the argument has type 'struct foo'}}
f.format("%s", 123); // expected-warning{{format specifies type 'char *' but the argument has type 'int'}}
f.format("%s %s %u %d %i %p\n", "hello", s, 10u, x, y, &do_format);
f.format("%s %s %u %d %i %p\n", "hello", s, 10u, x, y, do_format);
f.format("bad format %s"); // expected-warning{{more '%' conversions than data arguments}}
}