1	//=- AnalysisBasedWarnings.cpp - Sema warnings based on libAnalysis -*- C++ -*-=//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file defines analysis_warnings::[Policy,Executor].
10	// Together they are used by Sema to issue warnings based on inexpensive
11	// static analysis algorithms in libAnalysis.
12	//
13	//===----------------------------------------------------------------------===//
14
15	#include "clang/Sema/AnalysisBasedWarnings.h"
16	#include "clang/AST/Decl.h"
17	#include "clang/AST/DeclCXX.h"
18	#include "clang/AST/DeclObjC.h"
19	#include "clang/AST/EvaluatedExprVisitor.h"
20	#include "clang/AST/Expr.h"
21	#include "clang/AST/ExprCXX.h"
22	#include "clang/AST/ExprObjC.h"
23	#include "clang/AST/OperationKinds.h"
24	#include "clang/AST/ParentMap.h"
25	#include "clang/AST/RecursiveASTVisitor.h"
26	#include "clang/AST/StmtCXX.h"
27	#include "clang/AST/StmtObjC.h"
28	#include "clang/AST/StmtVisitor.h"
29	#include "clang/AST/Type.h"
30	#include "clang/Analysis/Analyses/CFGReachabilityAnalysis.h"
31	#include "clang/Analysis/Analyses/CalledOnceCheck.h"
32	#include "clang/Analysis/Analyses/Consumed.h"
33	#include "clang/Analysis/Analyses/ReachableCode.h"
34	#include "clang/Analysis/Analyses/ThreadSafety.h"
35	#include "clang/Analysis/Analyses/UninitializedValues.h"
36	#include "clang/Analysis/Analyses/UnsafeBufferUsage.h"
37	#include "clang/Analysis/AnalysisDeclContext.h"
38	#include "clang/Analysis/CFG.h"
39	#include "clang/Analysis/CFGStmtMap.h"
40	#include "clang/Basic/Diagnostic.h"
41	#include "clang/Basic/DiagnosticSema.h"
42	#include "clang/Basic/SourceLocation.h"
43	#include "clang/Basic/SourceManager.h"
44	#include "clang/Lex/Preprocessor.h"
45	#include "clang/Sema/ScopeInfo.h"
46	#include "clang/Sema/SemaInternal.h"
47	#include "llvm/ADT/ArrayRef.h"
48	#include "llvm/ADT/BitVector.h"
49	#include "llvm/ADT/MapVector.h"
50	#include "llvm/ADT/STLFunctionalExtras.h"
51	#include "llvm/ADT/SmallString.h"
52	#include "llvm/ADT/SmallVector.h"
53	#include "llvm/ADT/StringRef.h"
54	#include "llvm/Support/Casting.h"
55	#include <algorithm>
56	#include <deque>
57	#include <iterator>
58	#include <optional>
59
60	using namespace clang;
61
62	//===----------------------------------------------------------------------===//
63	// Unreachable code analysis.
64	//===----------------------------------------------------------------------===//
65
66	namespace {
67	class UnreachableCodeHandler : public reachable_code::Callback {
68	Sema &S;
69	SourceRange PreviousSilenceableCondVal;
70
71	public:
72	UnreachableCodeHandler(Sema &s) : S(s) {}
73
74	void HandleUnreachable(reachable_code::UnreachableKind UK, SourceLocation L,
75	SourceRange SilenceableCondVal, SourceRange R1,
76	SourceRange R2, bool HasFallThroughAttr) override {
77	// If the diagnosed code is `[[fallthrough]];` and
78	// `-Wunreachable-code-fallthrough` is enabled, suppress `code will never
79	// be executed` warning to avoid generating diagnostic twice
80	if (HasFallThroughAttr &&
81	!S.getDiagnostics().isIgnored(diag::warn_unreachable_fallthrough_attr,
82	SourceLocation()))
83	return;
84
85	// Avoid reporting multiple unreachable code diagnostics that are
86	// triggered by the same conditional value.
87	if (PreviousSilenceableCondVal.isValid() &&
88	SilenceableCondVal.isValid() &&
89	PreviousSilenceableCondVal == SilenceableCondVal)
90	return;
91	PreviousSilenceableCondVal = SilenceableCondVal;
92
93	unsigned diag = diag::warn_unreachable;
94	switch (UK) {
95	case reachable_code::UK_Break:
96	diag = diag::warn_unreachable_break;
97	break;
98	case reachable_code::UK_Return:
99	diag = diag::warn_unreachable_return;
100	break;
101	case reachable_code::UK_Loop_Increment:
102	diag = diag::warn_unreachable_loop_increment;
103	break;
104	case reachable_code::UK_Other:
105	break;
106	}
107
108	S.Diag(Loc: L, DiagID: diag) << R1 << R2;
109
110	SourceLocation Open = SilenceableCondVal.getBegin();
111	if (Open.isValid()) {
112	SourceLocation Close = SilenceableCondVal.getEnd();
113	Close = S.getLocForEndOfToken(Loc: Close);
114	if (Close.isValid()) {
115	S.Diag(Open, diag::note_unreachable_silence)
116	<< FixItHint::CreateInsertion(Open, "/* DISABLES CODE */ (")
117	<< FixItHint::CreateInsertion(Close, ")");
118	}
119	}
120	}
121	};
122	} // anonymous namespace
123
124	/// CheckUnreachable - Check for unreachable code.
125	static void CheckUnreachable(Sema &S, AnalysisDeclContext &AC) {
126	// As a heuristic prune all diagnostics not in the main file. Currently
127	// the majority of warnings in headers are false positives. These
128	// are largely caused by configuration state, e.g. preprocessor
129	// defined code, etc.
130	//
131	// Note that this is also a performance optimization. Analyzing
132	// headers many times can be expensive.
133	if (!S.getSourceManager().isInMainFile(Loc: AC.getDecl()->getBeginLoc()))
134	return;
135
136	UnreachableCodeHandler UC(S);
137	reachable_code::FindUnreachableCode(AC, PP&: S.getPreprocessor(), CB&: UC);
138	}
139
140	namespace {
141	/// Warn on logical operator errors in CFGBuilder
142	class LogicalErrorHandler : public CFGCallback {
143	Sema &S;
144
145	public:
146	LogicalErrorHandler(Sema &S) : S(S) {}
147
148	static bool HasMacroID(const Expr *E) {
149	if (E->getExprLoc().isMacroID())
150	return true;
151
152	// Recurse to children.
153	for (const Stmt *SubStmt : E->children())
154	if (const Expr *SubExpr = dyn_cast_or_null<Expr>(SubStmt))
155	if (HasMacroID(SubExpr))
156	return true;
157
158	return false;
159	}
160
161	void logicAlwaysTrue(const BinaryOperator *B, bool isAlwaysTrue) override {
162	if (HasMacroID(B))
163	return;
164
165	unsigned DiagID = isAlwaysTrue
166	? diag::warn_tautological_negation_or_compare
167	: diag::warn_tautological_negation_and_compare;
168	SourceRange DiagRange = B->getSourceRange();
169	S.Diag(Loc: B->getExprLoc(), DiagID) << DiagRange;
170	}
171
172	void compareAlwaysTrue(const BinaryOperator *B, bool isAlwaysTrue) override {
173	if (HasMacroID(B))
174	return;
175
176	SourceRange DiagRange = B->getSourceRange();
177	S.Diag(B->getExprLoc(), diag::warn_tautological_overlap_comparison)
178	<< DiagRange << isAlwaysTrue;
179	}
180
181	void compareBitwiseEquality(const BinaryOperator *B,
182	bool isAlwaysTrue) override {
183	if (HasMacroID(B))
184	return;
185
186	SourceRange DiagRange = B->getSourceRange();
187	S.Diag(B->getExprLoc(), diag::warn_comparison_bitwise_always)
188	<< DiagRange << isAlwaysTrue;
189	}
190
191	void compareBitwiseOr(const BinaryOperator *B) override {
192	if (HasMacroID(B))
193	return;
194
195	SourceRange DiagRange = B->getSourceRange();
196	S.Diag(B->getExprLoc(), diag::warn_comparison_bitwise_or) << DiagRange;
197	}
198
199	static bool hasActiveDiagnostics(DiagnosticsEngine &Diags,
200	SourceLocation Loc) {
201	return !Diags.isIgnored(diag::warn_tautological_overlap_comparison, Loc) ||
202	!Diags.isIgnored(diag::warn_comparison_bitwise_or, Loc) ||
203	!Diags.isIgnored(diag::warn_tautological_negation_and_compare, Loc);
204	}
205	};
206	} // anonymous namespace
207
208	//===----------------------------------------------------------------------===//
209	// Check for infinite self-recursion in functions
210	//===----------------------------------------------------------------------===//
211
212	// Returns true if the function is called anywhere within the CFGBlock.
213	// For member functions, the additional condition of being call from the
214	// this pointer is required.
215	static bool hasRecursiveCallInPath(const FunctionDecl *FD, CFGBlock &Block) {
216	// Process all the Stmt's in this block to find any calls to FD.
217	for (const auto &B : Block) {
218	if (B.getKind() != CFGElement::Statement)
219	continue;
220
221	const CallExpr *CE = dyn_cast<CallExpr>(Val: B.getAs<CFGStmt>()->getStmt());
222	if (!CE || !CE->getCalleeDecl() ||
223	CE->getCalleeDecl()->getCanonicalDecl() != FD)
224	continue;
225
226	// Skip function calls which are qualified with a templated class.
227	if (const DeclRefExpr *DRE =
228	dyn_cast<DeclRefExpr>(Val: CE->getCallee()->IgnoreParenImpCasts())) {
229	if (NestedNameSpecifier *NNS = DRE->getQualifier()) {
230	if (NNS->getKind() == NestedNameSpecifier::TypeSpec &&
231	isa<TemplateSpecializationType>(Val: NNS->getAsType())) {
232	continue;
233	}
234	}
235	}
236
237	const CXXMemberCallExpr *MCE = dyn_cast<CXXMemberCallExpr>(Val: CE);
238	if (!MCE || isa<CXXThisExpr>(Val: MCE->getImplicitObjectArgument()) ||
239	!MCE->getMethodDecl()->isVirtual())
240	return true;
241	}
242	return false;
243	}
244
245	// Returns true if every path from the entry block passes through a call to FD.
246	static bool checkForRecursiveFunctionCall(const FunctionDecl *FD, CFG *cfg) {
247	llvm::SmallPtrSet<CFGBlock *, 16> Visited;
248	llvm::SmallVector<CFGBlock *, 16> WorkList;
249	// Keep track of whether we found at least one recursive path.
250	bool foundRecursion = false;
251
252	const unsigned ExitID = cfg->getExit().getBlockID();
253
254	// Seed the work list with the entry block.
255	WorkList.push_back(Elt: &cfg->getEntry());
256
257	while (!WorkList.empty()) {
258	CFGBlock *Block = WorkList.pop_back_val();
259
260	for (auto I = Block->succ_begin(), E = Block->succ_end(); I != E; ++I) {
261	if (CFGBlock *SuccBlock = *I) {
262	if (!Visited.insert(Ptr: SuccBlock).second)
263	continue;
264
265	// Found a path to the exit node without a recursive call.
266	if (ExitID == SuccBlock->getBlockID())
267	return false;
268
269	// If the successor block contains a recursive call, end analysis there.
270	if (hasRecursiveCallInPath(FD, Block&: *SuccBlock)) {
271	foundRecursion = true;
272	continue;
273	}
274
275	WorkList.push_back(Elt: SuccBlock);
276	}
277	}
278	}
279	return foundRecursion;
280	}
281
282	static void checkRecursiveFunction(Sema &S, const FunctionDecl *FD,
283	const Stmt *Body, AnalysisDeclContext &AC) {
284	FD = FD->getCanonicalDecl();
285
286	// Only run on non-templated functions and non-templated members of
287	// templated classes.
288	if (FD->getTemplatedKind() != FunctionDecl::TK_NonTemplate &&
289	FD->getTemplatedKind() != FunctionDecl::TK_MemberSpecialization)
290	return;
291
292	CFG *cfg = AC.getCFG();
293	if (!cfg) return;
294
295	// If the exit block is unreachable, skip processing the function.
296	if (cfg->getExit().pred_empty())
297	return;
298
299	// Emit diagnostic if a recursive function call is detected for all paths.
300	if (checkForRecursiveFunctionCall(FD, cfg))
301	S.Diag(Body->getBeginLoc(), diag::warn_infinite_recursive_function);
302	}
303
304	//===----------------------------------------------------------------------===//
305	// Check for throw in a non-throwing function.
306	//===----------------------------------------------------------------------===//
307
308	/// Determine whether an exception thrown by E, unwinding from ThrowBlock,
309	/// can reach ExitBlock.
310	static bool throwEscapes(Sema &S, const CXXThrowExpr *E, CFGBlock &ThrowBlock,
311	CFG *Body) {
312	SmallVector<CFGBlock *, 16> Stack;
313	llvm::BitVector Queued(Body->getNumBlockIDs());
314
315	Stack.push_back(Elt: &ThrowBlock);
316	Queued[ThrowBlock.getBlockID()] = true;
317
318	while (!Stack.empty()) {
319	CFGBlock &UnwindBlock = *Stack.back();
320	Stack.pop_back();
321
322	for (auto &Succ : UnwindBlock.succs()) {
323	if (!Succ.isReachable() || Queued[Succ->getBlockID()])
324	continue;
325
326	if (Succ->getBlockID() == Body->getExit().getBlockID())
327	return true;
328
329	if (auto *Catch =
330	dyn_cast_or_null<CXXCatchStmt>(Val: Succ->getLabel())) {
331	QualType Caught = Catch->getCaughtType();
332	if (Caught.isNull() || // catch (...) catches everything
333	!E->getSubExpr() || // throw; is considered cuaght by any handler
334	S.handlerCanCatch(HandlerType: Caught, ExceptionType: E->getSubExpr()->getType()))
335	// Exception doesn't escape via this path.
336	break;
337	} else {
338	Stack.push_back(Elt: Succ);
339	Queued[Succ->getBlockID()] = true;
340	}
341	}
342	}
343
344	return false;
345	}
346
347	static void visitReachableThrows(
348	CFG *BodyCFG,
349	llvm::function_ref<void(const CXXThrowExpr *, CFGBlock &)> Visit) {
350	llvm::BitVector Reachable(BodyCFG->getNumBlockIDs());
351	clang::reachable_code::ScanReachableFromBlock(Start: &BodyCFG->getEntry(), Reachable);
352	for (CFGBlock *B : *BodyCFG) {
353	if (!Reachable[B->getBlockID()])
354	continue;
355	for (CFGElement &E : *B) {
356	std::optional<CFGStmt> S = E.getAs<CFGStmt>();
357	if (!S)
358	continue;
359	if (auto *Throw = dyn_cast<CXXThrowExpr>(Val: S->getStmt()))
360	Visit(Throw, *B);
361	}
362	}
363	}
364
365	static void EmitDiagForCXXThrowInNonThrowingFunc(Sema &S, SourceLocation OpLoc,
366	const FunctionDecl *FD) {
367	if (!S.getSourceManager().isInSystemHeader(Loc: OpLoc) &&
368	FD->getTypeSourceInfo()) {
369	S.Diag(OpLoc, diag::warn_throw_in_noexcept_func) << FD;
370	if (S.getLangOpts().CPlusPlus11 &&
371	(isa<CXXDestructorDecl>(Val: FD) ||
372	FD->getDeclName().getCXXOverloadedOperator() == OO_Delete ||
373	FD->getDeclName().getCXXOverloadedOperator() == OO_Array_Delete)) {
374	if (const auto *Ty = FD->getTypeSourceInfo()->getType()->
375	getAs<FunctionProtoType>())
376	S.Diag(FD->getLocation(), diag::note_throw_in_dtor)
377	<< !isa<CXXDestructorDecl>(FD) << !Ty->hasExceptionSpec()
378	<< FD->getExceptionSpecSourceRange();
379	} else
380	S.Diag(FD->getLocation(), diag::note_throw_in_function)
381	<< FD->getExceptionSpecSourceRange();
382	}
383	}
384
385	static void checkThrowInNonThrowingFunc(Sema &S, const FunctionDecl *FD,
386	AnalysisDeclContext &AC) {
387	CFG *BodyCFG = AC.getCFG();
388	if (!BodyCFG)
389	return;
390	if (BodyCFG->getExit().pred_empty())
391	return;
392	visitReachableThrows(BodyCFG, Visit: [&](const CXXThrowExpr *Throw, CFGBlock &Block) {
393	if (throwEscapes(S, E: Throw, ThrowBlock&: Block, Body: BodyCFG))
394	EmitDiagForCXXThrowInNonThrowingFunc(S, OpLoc: Throw->getThrowLoc(), FD);
395	});
396	}
397
398	static bool isNoexcept(const FunctionDecl *FD) {
399	const auto *FPT = FD->getType()->castAs<FunctionProtoType>();
400	if (FPT->isNothrow() || FD->hasAttr<NoThrowAttr>())
401	return true;
402	return false;
403	}
404
405	//===----------------------------------------------------------------------===//
406	// Check for missing return value.
407	//===----------------------------------------------------------------------===//
408
409	enum ControlFlowKind {
410	UnknownFallThrough,
411	NeverFallThrough,
412	MaybeFallThrough,
413	AlwaysFallThrough,
414	NeverFallThroughOrReturn
415	};
416
417	/// CheckFallThrough - Check that we don't fall off the end of a
418	/// Statement that should return a value.
419	///
420	/// \returns AlwaysFallThrough iff we always fall off the end of the statement,
421	/// MaybeFallThrough iff we might or might not fall off the end,
422	/// NeverFallThroughOrReturn iff we never fall off the end of the statement or
423	/// return. We assume NeverFallThrough iff we never fall off the end of the
424	/// statement but we may return. We assume that functions not marked noreturn
425	/// will return.
426	static ControlFlowKind CheckFallThrough(AnalysisDeclContext &AC) {
427	CFG *cfg = AC.getCFG();
428	if (!cfg) return UnknownFallThrough;
429
430	// The CFG leaves in dead things, and we don't want the dead code paths to
431	// confuse us, so we mark all live things first.
432	llvm::BitVector live(cfg->getNumBlockIDs());
433	unsigned count = reachable_code::ScanReachableFromBlock(Start: &cfg->getEntry(),
434	Reachable&: live);
435
436	bool AddEHEdges = AC.getAddEHEdges();
437	if (!AddEHEdges && count != cfg->getNumBlockIDs())
438	// When there are things remaining dead, and we didn't add EH edges
439	// from CallExprs to the catch clauses, we have to go back and
440	// mark them as live.
441	for (const auto *B : *cfg) {
442	if (!live[B->getBlockID()]) {
443	if (B->pred_begin() == B->pred_end()) {
444	const Stmt *Term = B->getTerminatorStmt();
445	if (Term && isa<CXXTryStmt>(Val: Term))
446	// When not adding EH edges from calls, catch clauses
447	// can otherwise seem dead. Avoid noting them as dead.
448	count += reachable_code::ScanReachableFromBlock(Start: B, Reachable&: live);
449	continue;
450	}
451	}
452	}
453
454	// Now we know what is live, we check the live precessors of the exit block
455	// and look for fall through paths, being careful to ignore normal returns,
456	// and exceptional paths.
457	bool HasLiveReturn = false;
458	bool HasFakeEdge = false;
459	bool HasPlainEdge = false;
460	bool HasAbnormalEdge = false;
461
462	// Ignore default cases that aren't likely to be reachable because all
463	// enums in a switch(X) have explicit case statements.
464	CFGBlock::FilterOptions FO;
465	FO.IgnoreDefaultsWithCoveredEnums = 1;
466
467	for (CFGBlock::filtered_pred_iterator I =
468	cfg->getExit().filtered_pred_start_end(f: FO);
469	I.hasMore(); ++I) {
470	const CFGBlock &B = **I;
471	if (!live[B.getBlockID()])
472	continue;
473
474	// Skip blocks which contain an element marked as no-return. They don't
475	// represent actually viable edges into the exit block, so mark them as
476	// abnormal.
477	if (B.hasNoReturnElement()) {
478	HasAbnormalEdge = true;
479	continue;
480	}
481
482	// Destructors can appear after the 'return' in the CFG. This is
483	// normal. We need to look pass the destructors for the return
484	// statement (if it exists).
485	CFGBlock::const_reverse_iterator ri = B.rbegin(), re = B.rend();
486
487	for ( ; ri != re ; ++ri)
488	if (ri->getAs<CFGStmt>())
489	break;
490
491	// No more CFGElements in the block?
492	if (ri == re) {
493	const Stmt *Term = B.getTerminatorStmt();
494	if (Term && (isa<CXXTryStmt>(Val: Term) || isa<ObjCAtTryStmt>(Val: Term))) {
495	HasAbnormalEdge = true;
496	continue;
497	}
498	// A labeled empty statement, or the entry block...
499	HasPlainEdge = true;
500	continue;
501	}
502
503	CFGStmt CS = ri->castAs<CFGStmt>();
504	const Stmt *S = CS.getStmt();
505	if (isa<ReturnStmt>(Val: S) || isa<CoreturnStmt>(Val: S)) {
506	HasLiveReturn = true;
507	continue;
508	}
509	if (isa<ObjCAtThrowStmt>(Val: S)) {
510	HasFakeEdge = true;
511	continue;
512	}
513	if (isa<CXXThrowExpr>(Val: S)) {
514	HasFakeEdge = true;
515	continue;
516	}
517	if (isa<MSAsmStmt>(Val: S)) {
518	// TODO: Verify this is correct.
519	HasFakeEdge = true;
520	HasLiveReturn = true;
521	continue;
522	}
523	if (isa<CXXTryStmt>(Val: S)) {
524	HasAbnormalEdge = true;
525	continue;
526	}
527	if (!llvm::is_contained(Range: B.succs(), Element: &cfg->getExit())) {
528	HasAbnormalEdge = true;
529	continue;
530	}
531
532	HasPlainEdge = true;
533	}
534	if (!HasPlainEdge) {
535	if (HasLiveReturn)
536	return NeverFallThrough;
537	return NeverFallThroughOrReturn;
538	}
539	if (HasAbnormalEdge || HasFakeEdge || HasLiveReturn)
540	return MaybeFallThrough;
541	// This says AlwaysFallThrough for calls to functions that are not marked
542	// noreturn, that don't return. If people would like this warning to be more
543	// accurate, such functions should be marked as noreturn.
544	return AlwaysFallThrough;
545	}
546
547	namespace {
548
549	struct CheckFallThroughDiagnostics {
550	unsigned diag_MaybeFallThrough_HasNoReturn;
551	unsigned diag_MaybeFallThrough_ReturnsNonVoid;
552	unsigned diag_AlwaysFallThrough_HasNoReturn;
553	unsigned diag_AlwaysFallThrough_ReturnsNonVoid;
554	unsigned diag_NeverFallThroughOrReturn;
555	enum { Function, Block, Lambda, Coroutine } funMode;
556	SourceLocation FuncLoc;
557
558	static CheckFallThroughDiagnostics MakeForFunction(const Decl *Func) {
559	CheckFallThroughDiagnostics D;
560	D.FuncLoc = Func->getLocation();
561	D.diag_MaybeFallThrough_HasNoReturn =
562	diag::warn_falloff_noreturn_function;
563	D.diag_MaybeFallThrough_ReturnsNonVoid =
564	diag::warn_maybe_falloff_nonvoid_function;
565	D.diag_AlwaysFallThrough_HasNoReturn =
566	diag::warn_falloff_noreturn_function;
567	D.diag_AlwaysFallThrough_ReturnsNonVoid =
568	diag::warn_falloff_nonvoid_function;
569
570	// Don't suggest that virtual functions be marked "noreturn", since they
571	// might be overridden by non-noreturn functions.
572	bool isVirtualMethod = false;
573	if (const CXXMethodDecl *Method = dyn_cast<CXXMethodDecl>(Val: Func))
574	isVirtualMethod = Method->isVirtual();
575
576	// Don't suggest that template instantiations be marked "noreturn"
577	bool isTemplateInstantiation = false;
578	if (const FunctionDecl *Function = dyn_cast<FunctionDecl>(Val: Func))
579	isTemplateInstantiation = Function->isTemplateInstantiation();
580
581	if (!isVirtualMethod && !isTemplateInstantiation)
582	D.diag_NeverFallThroughOrReturn =
583	diag::warn_suggest_noreturn_function;
584	else
585	D.diag_NeverFallThroughOrReturn = 0;
586
587	D.funMode = Function;
588	return D;
589	}
590
591	static CheckFallThroughDiagnostics MakeForCoroutine(const Decl *Func) {
592	CheckFallThroughDiagnostics D;
593	D.FuncLoc = Func->getLocation();
594	D.diag_MaybeFallThrough_HasNoReturn = 0;
595	D.diag_MaybeFallThrough_ReturnsNonVoid =
596	diag::warn_maybe_falloff_nonvoid_coroutine;
597	D.diag_AlwaysFallThrough_HasNoReturn = 0;
598	D.diag_AlwaysFallThrough_ReturnsNonVoid =
599	diag::warn_falloff_nonvoid_coroutine;
600	D.diag_NeverFallThroughOrReturn = 0;
601	D.funMode = Coroutine;
602	return D;
603	}
604
605	static CheckFallThroughDiagnostics MakeForBlock() {
606	CheckFallThroughDiagnostics D;
607	D.diag_MaybeFallThrough_HasNoReturn =
608	diag::err_noreturn_block_has_return_expr;
609	D.diag_MaybeFallThrough_ReturnsNonVoid =
610	diag::err_maybe_falloff_nonvoid_block;
611	D.diag_AlwaysFallThrough_HasNoReturn =
612	diag::err_noreturn_block_has_return_expr;
613	D.diag_AlwaysFallThrough_ReturnsNonVoid =
614	diag::err_falloff_nonvoid_block;
615	D.diag_NeverFallThroughOrReturn = 0;
616	D.funMode = Block;
617	return D;
618	}
619
620	static CheckFallThroughDiagnostics MakeForLambda() {
621	CheckFallThroughDiagnostics D;
622	D.diag_MaybeFallThrough_HasNoReturn =
623	diag::err_noreturn_lambda_has_return_expr;
624	D.diag_MaybeFallThrough_ReturnsNonVoid =
625	diag::warn_maybe_falloff_nonvoid_lambda;
626	D.diag_AlwaysFallThrough_HasNoReturn =
627	diag::err_noreturn_lambda_has_return_expr;
628	D.diag_AlwaysFallThrough_ReturnsNonVoid =
629	diag::warn_falloff_nonvoid_lambda;
630	D.diag_NeverFallThroughOrReturn = 0;
631	D.funMode = Lambda;
632	return D;
633	}
634
635	bool checkDiagnostics(DiagnosticsEngine &D, bool ReturnsVoid,
636	bool HasNoReturn) const {
637	if (funMode == Function) {
638	return (ReturnsVoid ||
639	D.isIgnored(diag::warn_maybe_falloff_nonvoid_function,
640	FuncLoc)) &&
641	(!HasNoReturn ||
642	D.isIgnored(diag::warn_noreturn_function_has_return_expr,
643	FuncLoc)) &&
644	(!ReturnsVoid ||
645	D.isIgnored(diag::warn_suggest_noreturn_block, FuncLoc));
646	}
647	if (funMode == Coroutine) {
648	return (ReturnsVoid ||
649	D.isIgnored(diag::warn_maybe_falloff_nonvoid_function, FuncLoc) ||
650	D.isIgnored(diag::warn_maybe_falloff_nonvoid_coroutine,
651	FuncLoc)) &&
652	(!HasNoReturn);
653	}
654	// For blocks / lambdas.
655	return ReturnsVoid && !HasNoReturn;
656	}
657	};
658
659	} // anonymous namespace
660
661	/// CheckFallThroughForBody - Check that we don't fall off the end of a
662	/// function that should return a value. Check that we don't fall off the end
663	/// of a noreturn function. We assume that functions and blocks not marked
664	/// noreturn will return.
665	static void CheckFallThroughForBody(Sema &S, const Decl *D, const Stmt *Body,
666	QualType BlockType,
667	const CheckFallThroughDiagnostics &CD,
668	AnalysisDeclContext &AC,
669	sema::FunctionScopeInfo *FSI) {
670
671	bool ReturnsVoid = false;
672	bool HasNoReturn = false;
673	bool IsCoroutine = FSI->isCoroutine();
674
675	if (const auto *FD = dyn_cast<FunctionDecl>(Val: D)) {
676	if (const auto *CBody = dyn_cast<CoroutineBodyStmt>(Val: Body))
677	ReturnsVoid = CBody->getFallthroughHandler() != nullptr;
678	else
679	ReturnsVoid = FD->getReturnType()->isVoidType();
680	HasNoReturn = FD->isNoReturn();
681	}
682	else if (const auto *MD = dyn_cast<ObjCMethodDecl>(Val: D)) {
683	ReturnsVoid = MD->getReturnType()->isVoidType();
684	HasNoReturn = MD->hasAttr<NoReturnAttr>();
685	}
686	else if (isa<BlockDecl>(Val: D)) {
687	if (const FunctionType *FT =
688	BlockType->getPointeeType()->getAs<FunctionType>()) {
689	if (FT->getReturnType()->isVoidType())
690	ReturnsVoid = true;
691	if (FT->getNoReturnAttr())
692	HasNoReturn = true;
693	}
694	}
695
696	DiagnosticsEngine &Diags = S.getDiagnostics();
697
698	// Short circuit for compilation speed.
699	if (CD.checkDiagnostics(D&: Diags, ReturnsVoid, HasNoReturn))
700	return;
701	SourceLocation LBrace = Body->getBeginLoc(), RBrace = Body->getEndLoc();
702	auto EmitDiag = [&](SourceLocation Loc, unsigned DiagID) {
703	if (IsCoroutine)
704	S.Diag(Loc, DiagID) << FSI->CoroutinePromise->getType();
705	else
706	S.Diag(Loc, DiagID);
707	};
708
709	// cpu_dispatch functions permit empty function bodies for ICC compatibility.
710	if (D->getAsFunction() && D->getAsFunction()->isCPUDispatchMultiVersion())
711	return;
712
713	// Either in a function body compound statement, or a function-try-block.
714	switch (CheckFallThrough(AC)) {
715	case UnknownFallThrough:
716	break;
717
718	case MaybeFallThrough:
719	if (HasNoReturn)
720	EmitDiag(RBrace, CD.diag_MaybeFallThrough_HasNoReturn);
721	else if (!ReturnsVoid)
722	EmitDiag(RBrace, CD.diag_MaybeFallThrough_ReturnsNonVoid);
723	break;
724	case AlwaysFallThrough:
725	if (HasNoReturn)
726	EmitDiag(RBrace, CD.diag_AlwaysFallThrough_HasNoReturn);
727	else if (!ReturnsVoid)
728	EmitDiag(RBrace, CD.diag_AlwaysFallThrough_ReturnsNonVoid);
729	break;
730	case NeverFallThroughOrReturn:
731	if (ReturnsVoid && !HasNoReturn && CD.diag_NeverFallThroughOrReturn) {
732	if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: D)) {
733	S.Diag(Loc: LBrace, DiagID: CD.diag_NeverFallThroughOrReturn) << 0 << FD;
734	} else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(Val: D)) {
735	S.Diag(Loc: LBrace, DiagID: CD.diag_NeverFallThroughOrReturn) << 1 << MD;
736	} else {
737	S.Diag(Loc: LBrace, DiagID: CD.diag_NeverFallThroughOrReturn);
738	}
739	}
740	break;
741	case NeverFallThrough:
742	break;
743	}
744	}
745
746	//===----------------------------------------------------------------------===//
747	// -Wuninitialized
748	//===----------------------------------------------------------------------===//
749
750	namespace {
751	/// ContainsReference - A visitor class to search for references to
752	/// a particular declaration (the needle) within any evaluated component of an
753	/// expression (recursively).
754	class ContainsReference : public ConstEvaluatedExprVisitor<ContainsReference> {
755	bool FoundReference;
756	const DeclRefExpr *Needle;
757
758	public:
759	typedef ConstEvaluatedExprVisitor<ContainsReference> Inherited;
760
761	ContainsReference(ASTContext &Context, const DeclRefExpr *Needle)
762	: Inherited(Context), FoundReference(false), Needle(Needle) {}
763
764	void VisitExpr(const Expr *E) {
765	// Stop evaluating if we already have a reference.
766	if (FoundReference)
767	return;
768
769	Inherited::VisitExpr(E);
770	}
771
772	void VisitDeclRefExpr(const DeclRefExpr *E) {
773	if (E == Needle)
774	FoundReference = true;
775	else
776	Inherited::VisitDeclRefExpr(E);
777	}
778
779	bool doesContainReference() const { return FoundReference; }
780	};
781	} // anonymous namespace
782
783	static bool SuggestInitializationFixit(Sema &S, const VarDecl *VD) {
784	QualType VariableTy = VD->getType().getCanonicalType();
785	if (VariableTy->isBlockPointerType() &&
786	!VD->hasAttr<BlocksAttr>()) {
787	S.Diag(VD->getLocation(), diag::note_block_var_fixit_add_initialization)
788	<< VD->getDeclName()
789	<< FixItHint::CreateInsertion(VD->getLocation(), "__block ");
790	return true;
791	}
792
793	// Don't issue a fixit if there is already an initializer.
794	if (VD->getInit())
795	return false;
796
797	// Don't suggest a fixit inside macros.
798	if (VD->getEndLoc().isMacroID())
799	return false;
800
801	SourceLocation Loc = S.getLocForEndOfToken(Loc: VD->getEndLoc());
802
803	// Suggest possible initialization (if any).
804	std::string Init = S.getFixItZeroInitializerForType(T: VariableTy, Loc);
805	if (Init.empty())
806	return false;
807
808	S.Diag(Loc, diag::note_var_fixit_add_initialization) << VD->getDeclName()
809	<< FixItHint::CreateInsertion(Loc, Init);
810	return true;
811	}
812
813	/// Create a fixit to remove an if-like statement, on the assumption that its
814	/// condition is CondVal.
815	static void CreateIfFixit(Sema &S, const Stmt *If, const Stmt *Then,
816	const Stmt *Else, bool CondVal,
817	FixItHint &Fixit1, FixItHint &Fixit2) {
818	if (CondVal) {
819	// If condition is always true, remove all but the 'then'.
820	Fixit1 = FixItHint::CreateRemoval(
821	RemoveRange: CharSourceRange::getCharRange(B: If->getBeginLoc(), E: Then->getBeginLoc()));
822	if (Else) {
823	SourceLocation ElseKwLoc = S.getLocForEndOfToken(Loc: Then->getEndLoc());
824	Fixit2 =
825	FixItHint::CreateRemoval(RemoveRange: SourceRange(ElseKwLoc, Else->getEndLoc()));
826	}
827	} else {
828	// If condition is always false, remove all but the 'else'.
829	if (Else)
830	Fixit1 = FixItHint::CreateRemoval(RemoveRange: CharSourceRange::getCharRange(
831	B: If->getBeginLoc(), E: Else->getBeginLoc()));
832	else
833	Fixit1 = FixItHint::CreateRemoval(RemoveRange: If->getSourceRange());
834	}
835	}
836
837	/// DiagUninitUse -- Helper function to produce a diagnostic for an
838	/// uninitialized use of a variable.
839	static void DiagUninitUse(Sema &S, const VarDecl *VD, const UninitUse &Use,
840	bool IsCapturedByBlock) {
841	bool Diagnosed = false;
842
843	switch (Use.getKind()) {
844	case UninitUse::Always:
845	S.Diag(Use.getUser()->getBeginLoc(), diag::warn_uninit_var)
846	<< VD->getDeclName() << IsCapturedByBlock
847	<< Use.getUser()->getSourceRange();
848	return;
849
850	case UninitUse::AfterDecl:
851	case UninitUse::AfterCall:
852	S.Diag(VD->getLocation(), diag::warn_sometimes_uninit_var)
853	<< VD->getDeclName() << IsCapturedByBlock
854	<< (Use.getKind() == UninitUse::AfterDecl ? 4 : 5)
855	<< const_cast<DeclContext*>(VD->getLexicalDeclContext())
856	<< VD->getSourceRange();
857	S.Diag(Use.getUser()->getBeginLoc(), diag::note_uninit_var_use)
858	<< IsCapturedByBlock << Use.getUser()->getSourceRange();
859	return;
860
861	case UninitUse::Maybe:
862	case UninitUse::Sometimes:
863	// Carry on to report sometimes-uninitialized branches, if possible,
864	// or a 'may be used uninitialized' diagnostic otherwise.
865	break;
866	}
867
868	// Diagnose each branch which leads to a sometimes-uninitialized use.
869	for (UninitUse::branch_iterator I = Use.branch_begin(), E = Use.branch_end();
870	I != E; ++I) {
871	assert(Use.getKind() == UninitUse::Sometimes);
872
873	const Expr *User = Use.getUser();
874	const Stmt *Term = I->Terminator;
875
876	// Information used when building the diagnostic.
877	unsigned DiagKind;
878	StringRef Str;
879	SourceRange Range;
880
881	// FixIts to suppress the diagnostic by removing the dead condition.
882	// For all binary terminators, branch 0 is taken if the condition is true,
883	// and branch 1 is taken if the condition is false.
884	int RemoveDiagKind = -1;
885	const char *FixitStr =
886	S.getLangOpts().CPlusPlus ? (I->Output ? "true" : "false")
887	: (I->Output ? "1" : "0");
888	FixItHint Fixit1, Fixit2;
889
890	switch (Term ? Term->getStmtClass() : Stmt::DeclStmtClass) {
891	default:
892	// Don't know how to report this. Just fall back to 'may be used
893	// uninitialized'. FIXME: Can this happen?
894	continue;
895
896	// "condition is true / condition is false".
897	case Stmt::IfStmtClass: {
898	const IfStmt *IS = cast<IfStmt>(Val: Term);
899	DiagKind = 0;
900	Str = "if";
901	Range = IS->getCond()->getSourceRange();
902	RemoveDiagKind = 0;
903	CreateIfFixit(S, IS, IS->getThen(), IS->getElse(),
904	I->Output, Fixit1, Fixit2);
905	break;
906	}
907	case Stmt::ConditionalOperatorClass: {
908	const ConditionalOperator *CO = cast<ConditionalOperator>(Val: Term);
909	DiagKind = 0;
910	Str = "?:";
911	Range = CO->getCond()->getSourceRange();
912	RemoveDiagKind = 0;
913	CreateIfFixit(S, CO, CO->getTrueExpr(), CO->getFalseExpr(),
914	I->Output, Fixit1, Fixit2);
915	break;
916	}
917	case Stmt::BinaryOperatorClass: {
918	const BinaryOperator *BO = cast<BinaryOperator>(Val: Term);
919	if (!BO->isLogicalOp())
920	continue;
921	DiagKind = 0;
922	Str = BO->getOpcodeStr();
923	Range = BO->getLHS()->getSourceRange();
924	RemoveDiagKind = 0;
925	if ((BO->getOpcode() == BO_LAnd && I->Output) ||
926	(BO->getOpcode() == BO_LOr && !I->Output))
927	// true && y -> y, false || y -> y.
928	Fixit1 = FixItHint::CreateRemoval(
929	RemoveRange: SourceRange(BO->getBeginLoc(), BO->getOperatorLoc()));
930	else
931	// false && y -> false, true || y -> true.
932	Fixit1 = FixItHint::CreateReplacement(BO->getSourceRange(), FixitStr);
933	break;
934	}
935
936	// "loop is entered / loop is exited".
937	case Stmt::WhileStmtClass:
938	DiagKind = 1;
939	Str = "while";
940	Range = cast<WhileStmt>(Val: Term)->getCond()->getSourceRange();
941	RemoveDiagKind = 1;
942	Fixit1 = FixItHint::CreateReplacement(RemoveRange: Range, Code: FixitStr);
943	break;
944	case Stmt::ForStmtClass:
945	DiagKind = 1;
946	Str = "for";
947	Range = cast<ForStmt>(Val: Term)->getCond()->getSourceRange();
948	RemoveDiagKind = 1;
949	if (I->Output)
950	Fixit1 = FixItHint::CreateRemoval(RemoveRange: Range);
951	else
952	Fixit1 = FixItHint::CreateReplacement(RemoveRange: Range, Code: FixitStr);
953	break;
954	case Stmt::CXXForRangeStmtClass:
955	if (I->Output == 1) {
956	// The use occurs if a range-based for loop's body never executes.
957	// That may be impossible, and there's no syntactic fix for this,
958	// so treat it as a 'may be uninitialized' case.
959	continue;
960	}
961	DiagKind = 1;
962	Str = "for";
963	Range = cast<CXXForRangeStmt>(Val: Term)->getRangeInit()->getSourceRange();
964	break;
965
966	// "condition is true / loop is exited".
967	case Stmt::DoStmtClass:
968	DiagKind = 2;
969	Str = "do";
970	Range = cast<DoStmt>(Val: Term)->getCond()->getSourceRange();
971	RemoveDiagKind = 1;
972	Fixit1 = FixItHint::CreateReplacement(RemoveRange: Range, Code: FixitStr);
973	break;
974
975	// "switch case is taken".
976	case Stmt::CaseStmtClass:
977	DiagKind = 3;
978	Str = "case";
979	Range = cast<CaseStmt>(Val: Term)->getLHS()->getSourceRange();
980	break;
981	case Stmt::DefaultStmtClass:
982	DiagKind = 3;
983	Str = "default";
984	Range = cast<DefaultStmt>(Val: Term)->getDefaultLoc();
985	break;
986	}
987
988	S.Diag(Range.getBegin(), diag::warn_sometimes_uninit_var)
989	<< VD->getDeclName() << IsCapturedByBlock << DiagKind
990	<< Str << I->Output << Range;
991	S.Diag(User->getBeginLoc(), diag::note_uninit_var_use)
992	<< IsCapturedByBlock << User->getSourceRange();
993	if (RemoveDiagKind != -1)
994	S.Diag(Fixit1.RemoveRange.getBegin(), diag::note_uninit_fixit_remove_cond)
995	<< RemoveDiagKind << Str << I->Output << Fixit1 << Fixit2;
996
997	Diagnosed = true;
998	}
999
1000	if (!Diagnosed)
1001	S.Diag(Use.getUser()->getBeginLoc(), diag::warn_maybe_uninit_var)
1002	<< VD->getDeclName() << IsCapturedByBlock
1003	<< Use.getUser()->getSourceRange();
1004	}
1005
1006	/// Diagnose uninitialized const reference usages.
1007	static bool DiagnoseUninitializedConstRefUse(Sema &S, const VarDecl *VD,
1008	const UninitUse &Use) {
1009	S.Diag(Use.getUser()->getBeginLoc(), diag::warn_uninit_const_reference)
1010	<< VD->getDeclName() << Use.getUser()->getSourceRange();
1011	return true;
1012	}
1013
1014	/// DiagnoseUninitializedUse -- Helper function for diagnosing uses of an
1015	/// uninitialized variable. This manages the different forms of diagnostic
1016	/// emitted for particular types of uses. Returns true if the use was diagnosed
1017	/// as a warning. If a particular use is one we omit warnings for, returns
1018	/// false.
1019	static bool DiagnoseUninitializedUse(Sema &S, const VarDecl *VD,
1020	const UninitUse &Use,
1021	bool alwaysReportSelfInit = false) {
1022	if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Val: Use.getUser())) {
1023	// Inspect the initializer of the variable declaration which is
1024	// being referenced prior to its initialization. We emit
1025	// specialized diagnostics for self-initialization, and we
1026	// specifically avoid warning about self references which take the
1027	// form of:
1028	//
1029	// int x = x;
1030	//
1031	// This is used to indicate to GCC that 'x' is intentionally left
1032	// uninitialized. Proven code paths which access 'x' in
1033	// an uninitialized state after this will still warn.
1034	if (const Expr *Initializer = VD->getInit()) {
1035	if (!alwaysReportSelfInit && DRE == Initializer->IgnoreParenImpCasts())
1036	return false;
1037
1038	ContainsReference CR(S.Context, DRE);
1039	CR.Visit(Initializer);
1040	if (CR.doesContainReference()) {
1041	S.Diag(DRE->getBeginLoc(), diag::warn_uninit_self_reference_in_init)
1042	<< VD->getDeclName() << VD->getLocation() << DRE->getSourceRange();
1043	return true;
1044	}
1045	}
1046
1047	DiagUninitUse(S, VD, Use, IsCapturedByBlock: false);
1048	} else {
1049	const BlockExpr *BE = cast<BlockExpr>(Val: Use.getUser());
1050	if (VD->getType()->isBlockPointerType() && !VD->hasAttr<BlocksAttr>())
1051	S.Diag(BE->getBeginLoc(),
1052	diag::warn_uninit_byref_blockvar_captured_by_block)
1053	<< VD->getDeclName()
1054	<< VD->getType().getQualifiers().hasObjCLifetime();
1055	else
1056	DiagUninitUse(S, VD, Use, IsCapturedByBlock: true);
1057	}
1058
1059	// Report where the variable was declared when the use wasn't within
1060	// the initializer of that declaration & we didn't already suggest
1061	// an initialization fixit.
1062	if (!SuggestInitializationFixit(S, VD))
1063	S.Diag(VD->getBeginLoc(), diag::note_var_declared_here)
1064	<< VD->getDeclName();
1065
1066	return true;
1067	}
1068
1069	namespace {
1070	class FallthroughMapper : public RecursiveASTVisitor<FallthroughMapper> {
1071	public:
1072	FallthroughMapper(Sema &S)
1073	: FoundSwitchStatements(false),
1074	S(S) {
1075	}
1076
1077	bool foundSwitchStatements() const { return FoundSwitchStatements; }
1078
1079	void markFallthroughVisited(const AttributedStmt *Stmt) {
1080	bool Found = FallthroughStmts.erase(Ptr: Stmt);
1081	assert(Found);
1082	(void)Found;
1083	}
1084
1085	typedef llvm::SmallPtrSet<const AttributedStmt*, 8> AttrStmts;
1086
1087	const AttrStmts &getFallthroughStmts() const {
1088	return FallthroughStmts;
1089	}
1090
1091	void fillReachableBlocks(CFG *Cfg) {
1092	assert(ReachableBlocks.empty() && "ReachableBlocks already filled");
1093	std::deque<const CFGBlock *> BlockQueue;
1094
1095	ReachableBlocks.insert(Ptr: &Cfg->getEntry());
1096	BlockQueue.push_back(x: &Cfg->getEntry());
1097	// Mark all case blocks reachable to avoid problems with switching on
1098	// constants, covered enums, etc.
1099	// These blocks can contain fall-through annotations, and we don't want to
1100	// issue a warn_fallthrough_attr_unreachable for them.
1101	for (const auto *B : *Cfg) {
1102	const Stmt *L = B->getLabel();
1103	if (L && isa<SwitchCase>(Val: L) && ReachableBlocks.insert(Ptr: B).second)
1104	BlockQueue.push_back(x: B);
1105	}
1106
1107	while (!BlockQueue.empty()) {
1108	const CFGBlock *P = BlockQueue.front();
1109	BlockQueue.pop_front();
1110	for (const CFGBlock *B : P->succs()) {
1111	if (B && ReachableBlocks.insert(Ptr: B).second)
1112	BlockQueue.push_back(x: B);
1113	}
1114	}
1115	}
1116
1117	bool checkFallThroughIntoBlock(const CFGBlock &B, int &AnnotatedCnt,
1118	bool IsTemplateInstantiation) {
1119	assert(!ReachableBlocks.empty() && "ReachableBlocks empty");
1120
1121	int UnannotatedCnt = 0;
1122	AnnotatedCnt = 0;
1123
1124	std::deque<const CFGBlock*> BlockQueue(B.pred_begin(), B.pred_end());
1125	while (!BlockQueue.empty()) {
1126	const CFGBlock *P = BlockQueue.front();
1127	BlockQueue.pop_front();
1128	if (!P) continue;
1129
1130	const Stmt *Term = P->getTerminatorStmt();
1131	if (Term && isa<SwitchStmt>(Val: Term))
1132	continue; // Switch statement, good.
1133
1134	const SwitchCase *SW = dyn_cast_or_null<SwitchCase>(Val: P->getLabel());
1135	if (SW && SW->getSubStmt() == B.getLabel() && P->begin() == P->end())
1136	continue; // Previous case label has no statements, good.
1137
1138	const LabelStmt *L = dyn_cast_or_null<LabelStmt>(Val: P->getLabel());
1139	if (L && L->getSubStmt() == B.getLabel() && P->begin() == P->end())
1140	continue; // Case label is preceded with a normal label, good.
1141
1142	if (!ReachableBlocks.count(Ptr: P)) {
1143	for (const CFGElement &Elem : llvm::reverse(C: *P)) {
1144	if (std::optional<CFGStmt> CS = Elem.getAs<CFGStmt>()) {
1145	if (const AttributedStmt *AS = asFallThroughAttr(S: CS->getStmt())) {
1146	// Don't issue a warning for an unreachable fallthrough
1147	// attribute in template instantiations as it may not be
1148	// unreachable in all instantiations of the template.
1149	if (!IsTemplateInstantiation)
1150	S.Diag(AS->getBeginLoc(),
1151	diag::warn_unreachable_fallthrough_attr);
1152	markFallthroughVisited(Stmt: AS);
1153	++AnnotatedCnt;
1154	break;
1155	}
1156	// Don't care about other unreachable statements.
1157	}
1158	}
1159	// If there are no unreachable statements, this may be a special
1160	// case in CFG:
1161	// case X: {
1162	// A a; // A has a destructor.
1163	// break;
1164	// }
1165	// // <<<< This place is represented by a 'hanging' CFG block.
1166	// case Y:
1167	continue;
1168	}
1169
1170	const Stmt *LastStmt = getLastStmt(B: *P);
1171	if (const AttributedStmt *AS = asFallThroughAttr(S: LastStmt)) {
1172	markFallthroughVisited(Stmt: AS);
1173	++AnnotatedCnt;
1174	continue; // Fallthrough annotation, good.
1175	}
1176
1177	if (!LastStmt) { // This block contains no executable statements.
1178	// Traverse its predecessors.
1179	std::copy(first: P->pred_begin(), last: P->pred_end(),
1180	result: std::back_inserter(x&: BlockQueue));
1181	continue;
1182	}
1183
1184	++UnannotatedCnt;
1185	}
1186	return !!UnannotatedCnt;
1187	}
1188
1189	// RecursiveASTVisitor setup.
1190	bool shouldWalkTypesOfTypeLocs() const { return false; }
1191
1192	bool VisitAttributedStmt(AttributedStmt *S) {
1193	if (asFallThroughAttr(S))
1194	FallthroughStmts.insert(Ptr: S);
1195	return true;
1196	}
1197
1198	bool VisitSwitchStmt(SwitchStmt *S) {
1199	FoundSwitchStatements = true;
1200	return true;
1201	}
1202
1203	// We don't want to traverse local type declarations. We analyze their
1204	// methods separately.
1205	bool TraverseDecl(Decl *D) { return true; }
1206
1207	// We analyze lambda bodies separately. Skip them here.
1208	bool TraverseLambdaExpr(LambdaExpr *LE) {
1209	// Traverse the captures, but not the body.
1210	for (const auto C : zip(t: LE->captures(), u: LE->capture_inits()))
1211	TraverseLambdaCapture(LE, C: &std::get<0>(t: C), Init: std::get<1>(t: C));
1212	return true;
1213	}
1214
1215	private:
1216
1217	static const AttributedStmt *asFallThroughAttr(const Stmt *S) {
1218	if (const AttributedStmt *AS = dyn_cast_or_null<AttributedStmt>(Val: S)) {
1219	if (hasSpecificAttr<FallThroughAttr>(AS->getAttrs()))
1220	return AS;
1221	}
1222	return nullptr;
1223	}
1224
1225	static const Stmt *getLastStmt(const CFGBlock &B) {
1226	if (const Stmt *Term = B.getTerminatorStmt())
1227	return Term;
1228	for (const CFGElement &Elem : llvm::reverse(C: B))
1229	if (std::optional<CFGStmt> CS = Elem.getAs<CFGStmt>())
1230	return CS->getStmt();
1231	// Workaround to detect a statement thrown out by CFGBuilder:
1232	// case X: {} case Y:
1233	// case X: ; case Y:
1234	if (const SwitchCase *SW = dyn_cast_or_null<SwitchCase>(Val: B.getLabel()))
1235	if (!isa<SwitchCase>(Val: SW->getSubStmt()))
1236	return SW->getSubStmt();
1237
1238	return nullptr;
1239	}
1240
1241	bool FoundSwitchStatements;
1242	AttrStmts FallthroughStmts;
1243	Sema &S;
1244	llvm::SmallPtrSet<const CFGBlock *, 16> ReachableBlocks;
1245	};
1246	} // anonymous namespace
1247
1248	static StringRef getFallthroughAttrSpelling(Preprocessor &PP,
1249	SourceLocation Loc) {
1250	TokenValue FallthroughTokens[] = {
1251	tok::l_square, tok::l_square,
1252	PP.getIdentifierInfo(Name: "fallthrough"),
1253	tok::r_square, tok::r_square
1254	};
1255
1256	TokenValue ClangFallthroughTokens[] = {
1257	tok::l_square, tok::l_square, PP.getIdentifierInfo(Name: "clang"),
1258	tok::coloncolon, PP.getIdentifierInfo(Name: "fallthrough"),
1259	tok::r_square, tok::r_square
1260	};
1261
1262	bool PreferClangAttr = !PP.getLangOpts().CPlusPlus17 && !PP.getLangOpts().C23;
1263
1264	StringRef MacroName;
1265	if (PreferClangAttr)
1266	MacroName = PP.getLastMacroWithSpelling(Loc, Tokens: ClangFallthroughTokens);
1267	if (MacroName.empty())
1268	MacroName = PP.getLastMacroWithSpelling(Loc, Tokens: FallthroughTokens);
1269	if (MacroName.empty() && !PreferClangAttr)
1270	MacroName = PP.getLastMacroWithSpelling(Loc, Tokens: ClangFallthroughTokens);
1271	if (MacroName.empty()) {
1272	if (!PreferClangAttr)
1273	MacroName = "[[fallthrough]]";
1274	else if (PP.getLangOpts().CPlusPlus)
1275	MacroName = "[[clang::fallthrough]]";
1276	else
1277	MacroName = "__attribute__((fallthrough))";
1278	}
1279	return MacroName;
1280	}
1281
1282	static void DiagnoseSwitchLabelsFallthrough(Sema &S, AnalysisDeclContext &AC,
1283	bool PerFunction) {
1284	FallthroughMapper FM(S);
1285	FM.TraverseStmt(S: AC.getBody());
1286
1287	if (!FM.foundSwitchStatements())
1288	return;
1289
1290	if (PerFunction && FM.getFallthroughStmts().empty())
1291	return;
1292
1293	CFG *Cfg = AC.getCFG();
1294
1295	if (!Cfg)
1296	return;
1297
1298	FM.fillReachableBlocks(Cfg);
1299
1300	for (const CFGBlock *B : llvm::reverse(C&: *Cfg)) {
1301	const Stmt *Label = B->getLabel();
1302
1303	if (!isa_and_nonnull<SwitchCase>(Val: Label))
1304	continue;
1305
1306	int AnnotatedCnt;
1307
1308	bool IsTemplateInstantiation = false;
1309	if (const FunctionDecl *Function = dyn_cast<FunctionDecl>(Val: AC.getDecl()))
1310	IsTemplateInstantiation = Function->isTemplateInstantiation();
1311	if (!FM.checkFallThroughIntoBlock(B: *B, AnnotatedCnt,
1312	IsTemplateInstantiation))
1313	continue;
1314
1315	S.Diag(Label->getBeginLoc(),
1316	PerFunction ? diag::warn_unannotated_fallthrough_per_function
1317	: diag::warn_unannotated_fallthrough);
1318
1319	if (!AnnotatedCnt) {
1320	SourceLocation L = Label->getBeginLoc();
1321	if (L.isMacroID())
1322	continue;
1323
1324	const Stmt *Term = B->getTerminatorStmt();
1325	// Skip empty cases.
1326	while (B->empty() && !Term && B->succ_size() == 1) {
1327	B = *B->succ_begin();
1328	Term = B->getTerminatorStmt();
1329	}
1330	if (!(B->empty() && Term && isa<BreakStmt>(Val: Term))) {
1331	Preprocessor &PP = S.getPreprocessor();
1332	StringRef AnnotationSpelling = getFallthroughAttrSpelling(PP, Loc: L);
1333	SmallString<64> TextToInsert(AnnotationSpelling);
1334	TextToInsert += "; ";
1335	S.Diag(L, diag::note_insert_fallthrough_fixit)
1336	<< AnnotationSpelling
1337	<< FixItHint::CreateInsertion(L, TextToInsert);
1338	}
1339	S.Diag(L, diag::note_insert_break_fixit)
1340	<< FixItHint::CreateInsertion(L, "break; ");
1341	}
1342	}
1343
1344	for (const auto *F : FM.getFallthroughStmts())
1345	S.Diag(F->getBeginLoc(), diag::err_fallthrough_attr_invalid_placement);
1346	}
1347
1348	static bool isInLoop(const ASTContext &Ctx, const ParentMap &PM,
1349	const Stmt *S) {
1350	assert(S);
1351
1352	do {
1353	switch (S->getStmtClass()) {
1354	case Stmt::ForStmtClass:
1355	case Stmt::WhileStmtClass:
1356	case Stmt::CXXForRangeStmtClass:
1357	case Stmt::ObjCForCollectionStmtClass:
1358	return true;
1359	case Stmt::DoStmtClass: {
1360	Expr::EvalResult Result;
1361	if (!cast<DoStmt>(Val: S)->getCond()->EvaluateAsInt(Result, Ctx))
1362	return true;
1363	return Result.Val.getInt().getBoolValue();
1364	}
1365	default:
1366	break;
1367	}
1368	} while ((S = PM.getParent(S)));
1369
1370	return false;
1371	}
1372
1373	static void diagnoseRepeatedUseOfWeak(Sema &S,
1374	const sema::FunctionScopeInfo *CurFn,
1375	const Decl *D,
1376	const ParentMap &PM) {
1377	typedef sema::FunctionScopeInfo::WeakObjectProfileTy WeakObjectProfileTy;
1378	typedef sema::FunctionScopeInfo::WeakObjectUseMap WeakObjectUseMap;
1379	typedef sema::FunctionScopeInfo::WeakUseVector WeakUseVector;
1380	typedef std::pair<const Stmt *, WeakObjectUseMap::const_iterator>
1381	StmtUsesPair;
1382
1383	ASTContext &Ctx = S.getASTContext();
1384
1385	const WeakObjectUseMap &WeakMap = CurFn->getWeakObjectUses();
1386
1387	// Extract all weak objects that are referenced more than once.
1388	SmallVector<StmtUsesPair, 8> UsesByStmt;
1389	for (WeakObjectUseMap::const_iterator I = WeakMap.begin(), E = WeakMap.end();
1390	I != E; ++I) {
1391	const WeakUseVector &Uses = I->second;
1392
1393	// Find the first read of the weak object.
1394	WeakUseVector::const_iterator UI = Uses.begin(), UE = Uses.end();
1395	for ( ; UI != UE; ++UI) {
1396	if (UI->isUnsafe())
1397	break;
1398	}
1399
1400	// If there were only writes to this object, don't warn.
1401	if (UI == UE)
1402	continue;
1403
1404	// If there was only one read, followed by any number of writes, and the
1405	// read is not within a loop, don't warn. Additionally, don't warn in a
1406	// loop if the base object is a local variable -- local variables are often
1407	// changed in loops.
1408	if (UI == Uses.begin()) {
1409	WeakUseVector::const_iterator UI2 = UI;
1410	for (++UI2; UI2 != UE; ++UI2)
1411	if (UI2->isUnsafe())
1412	break;
1413
1414	if (UI2 == UE) {
1415	if (!isInLoop(Ctx, PM, UI->getUseExpr()))
1416	continue;
1417
1418	const WeakObjectProfileTy &Profile = I->first;
1419	if (!Profile.isExactProfile())
1420	continue;
1421
1422	const NamedDecl *Base = Profile.getBase();
1423	if (!Base)
1424	Base = Profile.getProperty();
1425	assert(Base && "A profile always has a base or property.");
1426
1427	if (const VarDecl *BaseVar = dyn_cast<VarDecl>(Val: Base))
1428	if (BaseVar->hasLocalStorage() && !isa<ParmVarDecl>(Val: Base))
1429	continue;
1430	}
1431	}
1432
1433	UsesByStmt.push_back(Elt: StmtUsesPair(UI->getUseExpr(), I));
1434	}
1435
1436	if (UsesByStmt.empty())
1437	return;
1438
1439	// Sort by first use so that we emit the warnings in a deterministic order.
1440	SourceManager &SM = S.getSourceManager();
1441	llvm::sort(C&: UsesByStmt,
1442	Comp: [&SM](const StmtUsesPair &LHS, const StmtUsesPair &RHS) {
1443	return SM.isBeforeInTranslationUnit(LHS: LHS.first->getBeginLoc(),
1444	RHS: RHS.first->getBeginLoc());
1445	});
1446
1447	// Classify the current code body for better warning text.
1448	// This enum should stay in sync with the cases in
1449	// warn_arc_repeated_use_of_weak and warn_arc_possible_repeated_use_of_weak.
1450	// FIXME: Should we use a common classification enum and the same set of
1451	// possibilities all throughout Sema?
1452	enum {
1453	Function,
1454	Method,
1455	Block,
1456	Lambda
1457	} FunctionKind;
1458
1459	if (isa<sema::BlockScopeInfo>(Val: CurFn))
1460	FunctionKind = Block;
1461	else if (isa<sema::LambdaScopeInfo>(Val: CurFn))
1462	FunctionKind = Lambda;
1463	else if (isa<ObjCMethodDecl>(Val: D))
1464	FunctionKind = Method;
1465	else
1466	FunctionKind = Function;
1467
1468	// Iterate through the sorted problems and emit warnings for each.
1469	for (const auto &P : UsesByStmt) {
1470	const Stmt *FirstRead = P.first;
1471	const WeakObjectProfileTy &Key = P.second->first;
1472	const WeakUseVector &Uses = P.second->second;
1473
1474	// For complicated expressions like 'a.b.c' and 'x.b.c', WeakObjectProfileTy
1475	// may not contain enough information to determine that these are different
1476	// properties. We can only be 100% sure of a repeated use in certain cases,
1477	// and we adjust the diagnostic kind accordingly so that the less certain
1478	// case can be turned off if it is too noisy.
1479	unsigned DiagKind;
1480	if (Key.isExactProfile())
1481	DiagKind = diag::warn_arc_repeated_use_of_weak;
1482	else
1483	DiagKind = diag::warn_arc_possible_repeated_use_of_weak;
1484
1485	// Classify the weak object being accessed for better warning text.
1486	// This enum should stay in sync with the cases in
1487	// warn_arc_repeated_use_of_weak and warn_arc_possible_repeated_use_of_weak.
1488	enum {
1489	Variable,
1490	Property,
1491	ImplicitProperty,
1492	Ivar
1493	} ObjectKind;
1494
1495	const NamedDecl *KeyProp = Key.getProperty();
1496	if (isa<VarDecl>(Val: KeyProp))
1497	ObjectKind = Variable;
1498	else if (isa<ObjCPropertyDecl>(Val: KeyProp))
1499	ObjectKind = Property;
1500	else if (isa<ObjCMethodDecl>(Val: KeyProp))
1501	ObjectKind = ImplicitProperty;
1502	else if (isa<ObjCIvarDecl>(Val: KeyProp))
1503	ObjectKind = Ivar;
1504	else
1505	llvm_unreachable("Unexpected weak object kind!");
1506
1507	// Do not warn about IBOutlet weak property receivers being set to null
1508	// since they are typically only used from the main thread.
1509	if (const ObjCPropertyDecl *Prop = dyn_cast<ObjCPropertyDecl>(Val: KeyProp))
1510	if (Prop->hasAttr<IBOutletAttr>())
1511	continue;
1512
1513	// Show the first time the object was read.
1514	S.Diag(Loc: FirstRead->getBeginLoc(), DiagID: DiagKind)
1515	<< int(ObjectKind) << KeyProp << int(FunctionKind)
1516	<< FirstRead->getSourceRange();
1517
1518	// Print all the other accesses as notes.
1519	for (const auto &Use : Uses) {
1520	if (Use.getUseExpr() == FirstRead)
1521	continue;
1522	S.Diag(Use.getUseExpr()->getBeginLoc(),
1523	diag::note_arc_weak_also_accessed_here)
1524	<< Use.getUseExpr()->getSourceRange();
1525	}
1526	}
1527	}
1528
1529	namespace clang {
1530	namespace {
1531	typedef SmallVector<PartialDiagnosticAt, 1> OptionalNotes;
1532	typedef std::pair<PartialDiagnosticAt, OptionalNotes> DelayedDiag;
1533	typedef std::list<DelayedDiag> DiagList;
1534
1535	struct SortDiagBySourceLocation {
1536	SourceManager &SM;
1537	SortDiagBySourceLocation(SourceManager &SM) : SM(SM) {}
1538
1539	bool operator()(const DelayedDiag &left, const DelayedDiag &right) {
1540	// Although this call will be slow, this is only called when outputting
1541	// multiple warnings.
1542	return SM.isBeforeInTranslationUnit(LHS: left.first.first, RHS: right.first.first);
1543	}
1544	};
1545	} // anonymous namespace
1546	} // namespace clang
1547
1548	namespace {
1549	class UninitValsDiagReporter : public UninitVariablesHandler {
1550	Sema &S;
1551	typedef SmallVector<UninitUse, 2> UsesVec;
1552	typedef llvm::PointerIntPair<UsesVec *, 1, bool> MappedType;
1553	// Prefer using MapVector to DenseMap, so that iteration order will be
1554	// the same as insertion order. This is needed to obtain a deterministic
1555	// order of diagnostics when calling flushDiagnostics().
1556	typedef llvm::MapVector<const VarDecl *, MappedType> UsesMap;
1557	UsesMap uses;
1558	UsesMap constRefUses;
1559
1560	public:
1561	UninitValsDiagReporter(Sema &S) : S(S) {}
1562	~UninitValsDiagReporter() override { flushDiagnostics(); }
1563
1564	MappedType &getUses(UsesMap &um, const VarDecl *vd) {
1565	MappedType &V = um[vd];
1566	if (!V.getPointer())
1567	V.setPointer(new UsesVec());
1568	return V;
1569	}
1570
1571	void handleUseOfUninitVariable(const VarDecl *vd,
1572	const UninitUse &use) override {
1573	getUses(um&: uses, vd).getPointer()->push_back(Elt: use);
1574	}
1575
1576	void handleConstRefUseOfUninitVariable(const VarDecl *vd,
1577	const UninitUse &use) override {
1578	getUses(um&: constRefUses, vd).getPointer()->push_back(Elt: use);
1579	}
1580
1581	void handleSelfInit(const VarDecl *vd) override {
1582	getUses(um&: uses, vd).setInt(true);
1583	getUses(um&: constRefUses, vd).setInt(true);
1584	}
1585
1586	void flushDiagnostics() {
1587	for (const auto &P : uses) {
1588	const VarDecl *vd = P.first;
1589	const MappedType &V = P.second;
1590
1591	UsesVec *vec = V.getPointer();
1592	bool hasSelfInit = V.getInt();
1593
1594	// Specially handle the case where we have uses of an uninitialized
1595	// variable, but the root cause is an idiomatic self-init. We want
1596	// to report the diagnostic at the self-init since that is the root cause.
1597	if (!vec->empty() && hasSelfInit && hasAlwaysUninitializedUse(vec))
1598	DiagnoseUninitializedUse(S, VD: vd,
1599	Use: UninitUse(vd->getInit()->IgnoreParenCasts(),
1600	/* isAlwaysUninit */ true),
1601	/* alwaysReportSelfInit */ true);
1602	else {
1603	// Sort the uses by their SourceLocations. While not strictly
1604	// guaranteed to produce them in line/column order, this will provide
1605	// a stable ordering.
1606	llvm::sort(C&: *vec, Comp: [](const UninitUse &a, const UninitUse &b) {
1607	// Prefer a more confident report over a less confident one.
1608	if (a.getKind() != b.getKind())
1609	return a.getKind() > b.getKind();
1610	return a.getUser()->getBeginLoc() < b.getUser()->getBeginLoc();
1611	});
1612
1613	for (const auto &U : *vec) {
1614	// If we have self-init, downgrade all uses to 'may be uninitialized'.
1615	UninitUse Use = hasSelfInit ? UninitUse(U.getUser(), false) : U;
1616
1617	if (DiagnoseUninitializedUse(S, VD: vd, Use))
1618	// Skip further diagnostics for this variable. We try to warn only
1619	// on the first point at which a variable is used uninitialized.
1620	break;
1621	}
1622	}
1623
1624	// Release the uses vector.
1625	delete vec;
1626	}
1627
1628	uses.clear();
1629
1630	// Flush all const reference uses diags.
1631	for (const auto &P : constRefUses) {
1632	const VarDecl *vd = P.first;
1633	const MappedType &V = P.second;
1634
1635	UsesVec *vec = V.getPointer();
1636	bool hasSelfInit = V.getInt();
1637
1638	if (!vec->empty() && hasSelfInit && hasAlwaysUninitializedUse(vec))
1639	DiagnoseUninitializedUse(S, VD: vd,
1640	Use: UninitUse(vd->getInit()->IgnoreParenCasts(),
1641	/* isAlwaysUninit */ true),
1642	/* alwaysReportSelfInit */ true);
1643	else {
1644	for (const auto &U : *vec) {
1645	if (DiagnoseUninitializedConstRefUse(S, VD: vd, Use: U))
1646	break;
1647	}
1648	}
1649
1650	// Release the uses vector.
1651	delete vec;
1652	}
1653
1654	constRefUses.clear();
1655	}
1656
1657	private:
1658	static bool hasAlwaysUninitializedUse(const UsesVec* vec) {
1659	return llvm::any_of(Range: *vec, P: [](const UninitUse &U) {
1660	return U.getKind() == UninitUse::Always ||
1661	U.getKind() == UninitUse::AfterCall ||
1662	U.getKind() == UninitUse::AfterDecl;
1663	});
1664	}
1665	};
1666
1667	/// Inter-procedural data for the called-once checker.
1668	class CalledOnceInterProceduralData {
1669	public:
1670	// Add the delayed warning for the given block.
1671	void addDelayedWarning(const BlockDecl *Block,
1672	PartialDiagnosticAt &&Warning) {
1673	DelayedBlockWarnings[Block].emplace_back(Args: std::move(Warning));
1674	}
1675	// Report all of the warnings we've gathered for the given block.
1676	void flushWarnings(const BlockDecl *Block, Sema &S) {
1677	for (const PartialDiagnosticAt &Delayed : DelayedBlockWarnings[Block])
1678	S.Diag(Loc: Delayed.first, PD: Delayed.second);
1679
1680	discardWarnings(Block);
1681	}
1682	// Discard all of the warnings we've gathered for the given block.
1683	void discardWarnings(const BlockDecl *Block) {
1684	DelayedBlockWarnings.erase(Val: Block);
1685	}
1686
1687	private:
1688	using DelayedDiagnostics = SmallVector<PartialDiagnosticAt, 2>;
1689	llvm::DenseMap<const BlockDecl *, DelayedDiagnostics> DelayedBlockWarnings;
1690	};
1691
1692	class CalledOnceCheckReporter : public CalledOnceCheckHandler {
1693	public:
1694	CalledOnceCheckReporter(Sema &S, CalledOnceInterProceduralData &Data)
1695	: S(S), Data(Data) {}
1696	void handleDoubleCall(const ParmVarDecl *Parameter, const Expr *Call,
1697	const Expr *PrevCall, bool IsCompletionHandler,
1698	bool Poised) override {
1699	auto DiagToReport = IsCompletionHandler
1700	? diag::warn_completion_handler_called_twice
1701	: diag::warn_called_once_gets_called_twice;
1702	S.Diag(Call->getBeginLoc(), DiagToReport) << Parameter;
1703	S.Diag(PrevCall->getBeginLoc(), diag::note_called_once_gets_called_twice)
1704	<< Poised;
1705	}
1706
1707	void handleNeverCalled(const ParmVarDecl *Parameter,
1708	bool IsCompletionHandler) override {
1709	auto DiagToReport = IsCompletionHandler
1710	? diag::warn_completion_handler_never_called
1711	: diag::warn_called_once_never_called;
1712	S.Diag(Parameter->getBeginLoc(), DiagToReport)
1713	<< Parameter << /* Captured */ false;
1714	}
1715
1716	void handleNeverCalled(const ParmVarDecl *Parameter, const Decl *Function,
1717	const Stmt *Where, NeverCalledReason Reason,
1718	bool IsCalledDirectly,
1719	bool IsCompletionHandler) override {
1720	auto DiagToReport = IsCompletionHandler
1721	? diag::warn_completion_handler_never_called_when
1722	: diag::warn_called_once_never_called_when;
1723	PartialDiagnosticAt Warning(Where->getBeginLoc(), S.PDiag(DiagID: DiagToReport)
1724	<< Parameter
1725	<< IsCalledDirectly
1726	<< (unsigned)Reason);
1727
1728	if (const auto *Block = dyn_cast<BlockDecl>(Val: Function)) {
1729	// We shouldn't report these warnings on blocks immediately
1730	Data.addDelayedWarning(Block, Warning: std::move(Warning));
1731	} else {
1732	S.Diag(Loc: Warning.first, PD: Warning.second);
1733	}
1734	}
1735
1736	void handleCapturedNeverCalled(const ParmVarDecl *Parameter,
1737	const Decl *Where,
1738	bool IsCompletionHandler) override {
1739	auto DiagToReport = IsCompletionHandler
1740	? diag::warn_completion_handler_never_called
1741	: diag::warn_called_once_never_called;
1742	S.Diag(Where->getBeginLoc(), DiagToReport)
1743	<< Parameter << /* Captured */ true;
1744	}
1745
1746	void
1747	handleBlockThatIsGuaranteedToBeCalledOnce(const BlockDecl *Block) override {
1748	Data.flushWarnings(Block, S);
1749	}
1750
1751	void handleBlockWithNoGuarantees(const BlockDecl *Block) override {
1752	Data.discardWarnings(Block);
1753	}
1754
1755	private:
1756	Sema &S;
1757	CalledOnceInterProceduralData &Data;
1758	};
1759
1760	constexpr unsigned CalledOnceWarnings[] = {
1761	diag::warn_called_once_never_called,
1762	diag::warn_called_once_never_called_when,
1763	diag::warn_called_once_gets_called_twice};
1764
1765	constexpr unsigned CompletionHandlerWarnings[]{
1766	diag::warn_completion_handler_never_called,
1767	diag::warn_completion_handler_never_called_when,
1768	diag::warn_completion_handler_called_twice};
1769
1770	bool shouldAnalyzeCalledOnceImpl(llvm::ArrayRef<unsigned> DiagIDs,
1771	const DiagnosticsEngine &Diags,
1772	SourceLocation At) {
1773	return llvm::any_of(Range&: DiagIDs, P: [&Diags, At](unsigned DiagID) {
1774	return !Diags.isIgnored(DiagID, Loc: At);
1775	});
1776	}
1777
1778	bool shouldAnalyzeCalledOnceConventions(const DiagnosticsEngine &Diags,
1779	SourceLocation At) {
1780	return shouldAnalyzeCalledOnceImpl(CompletionHandlerWarnings, Diags, At);
1781	}
1782
1783	bool shouldAnalyzeCalledOnceParameters(const DiagnosticsEngine &Diags,
1784	SourceLocation At) {
1785	return shouldAnalyzeCalledOnceImpl(CalledOnceWarnings, Diags, At) ||
1786	shouldAnalyzeCalledOnceConventions(Diags, At);
1787	}
1788	} // anonymous namespace
1789
1790	//===----------------------------------------------------------------------===//
1791	// -Wthread-safety
1792	//===----------------------------------------------------------------------===//
1793	namespace clang {
1794	namespace threadSafety {
1795	namespace {
1796	class ThreadSafetyReporter : public clang::threadSafety::ThreadSafetyHandler {
1797	Sema &S;
1798	DiagList Warnings;
1799	SourceLocation FunLocation, FunEndLocation;
1800
1801	const FunctionDecl *CurrentFunction;
1802	bool Verbose;
1803
1804	OptionalNotes getNotes() const {
1805	if (Verbose && CurrentFunction) {
1806	PartialDiagnosticAt FNote(CurrentFunction->getBody()->getBeginLoc(),
1807	S.PDiag(diag::note_thread_warning_in_fun)
1808	<< CurrentFunction);
1809	return OptionalNotes(1, FNote);
1810	}
1811	return OptionalNotes();
1812	}
1813
1814	OptionalNotes getNotes(const PartialDiagnosticAt &Note) const {
1815	OptionalNotes ONS(1, Note);
1816	if (Verbose && CurrentFunction) {
1817	PartialDiagnosticAt FNote(CurrentFunction->getBody()->getBeginLoc(),
1818	S.PDiag(diag::note_thread_warning_in_fun)
1819	<< CurrentFunction);
1820	ONS.push_back(Elt: std::move(FNote));
1821	}
1822	return ONS;
1823	}
1824
1825	OptionalNotes getNotes(const PartialDiagnosticAt &Note1,
1826	const PartialDiagnosticAt &Note2) const {
1827	OptionalNotes ONS;
1828	ONS.push_back(Elt: Note1);
1829	ONS.push_back(Elt: Note2);
1830	if (Verbose && CurrentFunction) {
1831	PartialDiagnosticAt FNote(CurrentFunction->getBody()->getBeginLoc(),
1832	S.PDiag(diag::note_thread_warning_in_fun)
1833	<< CurrentFunction);
1834	ONS.push_back(Elt: std::move(FNote));
1835	}
1836	return ONS;
1837	}
1838
1839	OptionalNotes makeLockedHereNote(SourceLocation LocLocked, StringRef Kind) {
1840	return LocLocked.isValid()
1841	? getNotes(PartialDiagnosticAt(
1842	LocLocked, S.PDiag(diag::note_locked_here) << Kind))
1843	: getNotes();
1844	}
1845
1846	OptionalNotes makeUnlockedHereNote(SourceLocation LocUnlocked,
1847	StringRef Kind) {
1848	return LocUnlocked.isValid()
1849	? getNotes(PartialDiagnosticAt(
1850	LocUnlocked, S.PDiag(diag::note_unlocked_here) << Kind))
1851	: getNotes();
1852	}
1853
1854	public:
1855	ThreadSafetyReporter(Sema &S, SourceLocation FL, SourceLocation FEL)
1856	: S(S), FunLocation(FL), FunEndLocation(FEL),
1857	CurrentFunction(nullptr), Verbose(false) {}
1858
1859	void setVerbose(bool b) { Verbose = b; }
1860
1861	/// Emit all buffered diagnostics in order of sourcelocation.
1862	/// We need to output diagnostics produced while iterating through
1863	/// the lockset in deterministic order, so this function orders diagnostics
1864	/// and outputs them.
1865	void emitDiagnostics() {
1866	Warnings.sort(comp: SortDiagBySourceLocation(S.getSourceManager()));
1867	for (const auto &Diag : Warnings) {
1868	S.Diag(Loc: Diag.first.first, PD: Diag.first.second);
1869	for (const auto &Note : Diag.second)
1870	S.Diag(Loc: Note.first, PD: Note.second);
1871	}
1872	}
1873
1874	void handleInvalidLockExp(SourceLocation Loc) override {
1875	PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_cannot_resolve_lock)
1876	<< Loc);
1877	Warnings.emplace_back(args: std::move(Warning), args: getNotes());
1878	}
1879
1880	void handleUnmatchedUnlock(StringRef Kind, Name LockName, SourceLocation Loc,
1881	SourceLocation LocPreviousUnlock) override {
1882	if (Loc.isInvalid())
1883	Loc = FunLocation;
1884	PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_unlock_but_no_lock)
1885	<< Kind << LockName);
1886	Warnings.emplace_back(args: std::move(Warning),
1887	args: makeUnlockedHereNote(LocUnlocked: LocPreviousUnlock, Kind));
1888	}
1889
1890	void handleIncorrectUnlockKind(StringRef Kind, Name LockName,
1891	LockKind Expected, LockKind Received,
1892	SourceLocation LocLocked,
1893	SourceLocation LocUnlock) override {
1894	if (LocUnlock.isInvalid())
1895	LocUnlock = FunLocation;
1896	PartialDiagnosticAt Warning(
1897	LocUnlock, S.PDiag(diag::warn_unlock_kind_mismatch)
1898	<< Kind << LockName << Received << Expected);
1899	Warnings.emplace_back(args: std::move(Warning),
1900	args: makeLockedHereNote(LocLocked, Kind));
1901	}
1902
1903	void handleDoubleLock(StringRef Kind, Name LockName, SourceLocation LocLocked,
1904	SourceLocation LocDoubleLock) override {
1905	if (LocDoubleLock.isInvalid())
1906	LocDoubleLock = FunLocation;
1907	PartialDiagnosticAt Warning(LocDoubleLock, S.PDiag(diag::warn_double_lock)
1908	<< Kind << LockName);
1909	Warnings.emplace_back(args: std::move(Warning),
1910	args: makeLockedHereNote(LocLocked, Kind));
1911	}
1912
1913	void handleMutexHeldEndOfScope(StringRef Kind, Name LockName,
1914	SourceLocation LocLocked,
1915	SourceLocation LocEndOfScope,
1916	LockErrorKind LEK) override {
1917	unsigned DiagID = 0;
1918	switch (LEK) {
1919	case LEK_LockedSomePredecessors:
1920	DiagID = diag::warn_lock_some_predecessors;
1921	break;
1922	case LEK_LockedSomeLoopIterations:
1923	DiagID = diag::warn_expecting_lock_held_on_loop;
1924	break;
1925	case LEK_LockedAtEndOfFunction:
1926	DiagID = diag::warn_no_unlock;
1927	break;
1928	case LEK_NotLockedAtEndOfFunction:
1929	DiagID = diag::warn_expecting_locked;
1930	break;
1931	}
1932	if (LocEndOfScope.isInvalid())
1933	LocEndOfScope = FunEndLocation;
1934
1935	PartialDiagnosticAt Warning(LocEndOfScope, S.PDiag(DiagID) << Kind
1936	<< LockName);
1937	Warnings.emplace_back(args: std::move(Warning),
1938	args: makeLockedHereNote(LocLocked, Kind));
1939	}
1940
1941	void handleExclusiveAndShared(StringRef Kind, Name LockName,
1942	SourceLocation Loc1,
1943	SourceLocation Loc2) override {
1944	PartialDiagnosticAt Warning(Loc1,
1945	S.PDiag(diag::warn_lock_exclusive_and_shared)
1946	<< Kind << LockName);
1947	PartialDiagnosticAt Note(Loc2, S.PDiag(diag::note_lock_exclusive_and_shared)
1948	<< Kind << LockName);
1949	Warnings.emplace_back(args: std::move(Warning), args: getNotes(Note));
1950	}
1951
1952	void handleNoMutexHeld(const NamedDecl *D, ProtectedOperationKind POK,
1953	AccessKind AK, SourceLocation Loc) override {
1954	assert((POK == POK_VarAccess || POK == POK_VarDereference) &&
1955	"Only works for variables");
1956	unsigned DiagID = POK == POK_VarAccess?
1957	diag::warn_variable_requires_any_lock:
1958	diag::warn_var_deref_requires_any_lock;
1959	PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID)
1960	<< D << getLockKindFromAccessKind(AK));
1961	Warnings.emplace_back(args: std::move(Warning), args: getNotes());
1962	}
1963
1964	void handleMutexNotHeld(StringRef Kind, const NamedDecl *D,
1965	ProtectedOperationKind POK, Name LockName,
1966	LockKind LK, SourceLocation Loc,
1967	Name *PossibleMatch) override {
1968	unsigned DiagID = 0;
1969	if (PossibleMatch) {
1970	switch (POK) {
1971	case POK_VarAccess:
1972	DiagID = diag::warn_variable_requires_lock_precise;
1973	break;
1974	case POK_VarDereference:
1975	DiagID = diag::warn_var_deref_requires_lock_precise;
1976	break;
1977	case POK_FunctionCall:
1978	DiagID = diag::warn_fun_requires_lock_precise;
1979	break;
1980	case POK_PassByRef:
1981	DiagID = diag::warn_guarded_pass_by_reference;
1982	break;
1983	case POK_PtPassByRef:
1984	DiagID = diag::warn_pt_guarded_pass_by_reference;
1985	break;
1986	case POK_ReturnByRef:
1987	DiagID = diag::warn_guarded_return_by_reference;
1988	break;
1989	case POK_PtReturnByRef:
1990	DiagID = diag::warn_pt_guarded_return_by_reference;
1991	break;
1992	}
1993	PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID) << Kind
1994	<< D
1995	<< LockName << LK);
1996	PartialDiagnosticAt Note(Loc, S.PDiag(diag::note_found_mutex_near_match)
1997	<< *PossibleMatch);
1998	if (Verbose && POK == POK_VarAccess) {
1999	PartialDiagnosticAt VNote(D->getLocation(),
2000	S.PDiag(diag::note_guarded_by_declared_here)
2001	<< D->getDeclName());
2002	Warnings.emplace_back(args: std::move(Warning), args: getNotes(Note1: Note, Note2: VNote));
2003	} else
2004	Warnings.emplace_back(args: std::move(Warning), args: getNotes(Note));
2005	} else {
2006	switch (POK) {
2007	case POK_VarAccess:
2008	DiagID = diag::warn_variable_requires_lock;
2009	break;
2010	case POK_VarDereference:
2011	DiagID = diag::warn_var_deref_requires_lock;
2012	break;
2013	case POK_FunctionCall:
2014	DiagID = diag::warn_fun_requires_lock;
2015	break;
2016	case POK_PassByRef:
2017	DiagID = diag::warn_guarded_pass_by_reference;
2018	break;
2019	case POK_PtPassByRef:
2020	DiagID = diag::warn_pt_guarded_pass_by_reference;
2021	break;
2022	case POK_ReturnByRef:
2023	DiagID = diag::warn_guarded_return_by_reference;
2024	break;
2025	case POK_PtReturnByRef:
2026	DiagID = diag::warn_pt_guarded_return_by_reference;
2027	break;
2028	}
2029	PartialDiagnosticAt Warning(Loc, S.PDiag(DiagID) << Kind
2030	<< D
2031	<< LockName << LK);
2032	if (Verbose && POK == POK_VarAccess) {
2033	PartialDiagnosticAt Note(D->getLocation(),
2034	S.PDiag(diag::note_guarded_by_declared_here));
2035	Warnings.emplace_back(args: std::move(Warning), args: getNotes(Note));
2036	} else
2037	Warnings.emplace_back(args: std::move(Warning), args: getNotes());
2038	}
2039	}
2040
2041	void handleNegativeNotHeld(StringRef Kind, Name LockName, Name Neg,
2042	SourceLocation Loc) override {
2043	PartialDiagnosticAt Warning(Loc,
2044	S.PDiag(diag::warn_acquire_requires_negative_cap)
2045	<< Kind << LockName << Neg);
2046	Warnings.emplace_back(args: std::move(Warning), args: getNotes());
2047	}
2048
2049	void handleNegativeNotHeld(const NamedDecl *D, Name LockName,
2050	SourceLocation Loc) override {
2051	PartialDiagnosticAt Warning(
2052	Loc, S.PDiag(diag::warn_fun_requires_negative_cap) << D << LockName);
2053	Warnings.emplace_back(args: std::move(Warning), args: getNotes());
2054	}
2055
2056	void handleFunExcludesLock(StringRef Kind, Name FunName, Name LockName,
2057	SourceLocation Loc) override {
2058	PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_fun_excludes_mutex)
2059	<< Kind << FunName << LockName);
2060	Warnings.emplace_back(args: std::move(Warning), args: getNotes());
2061	}
2062
2063	void handleLockAcquiredBefore(StringRef Kind, Name L1Name, Name L2Name,
2064	SourceLocation Loc) override {
2065	PartialDiagnosticAt Warning(Loc,
2066	S.PDiag(diag::warn_acquired_before) << Kind << L1Name << L2Name);
2067	Warnings.emplace_back(args: std::move(Warning), args: getNotes());
2068	}
2069
2070	void handleBeforeAfterCycle(Name L1Name, SourceLocation Loc) override {
2071	PartialDiagnosticAt Warning(Loc,
2072	S.PDiag(diag::warn_acquired_before_after_cycle) << L1Name);
2073	Warnings.emplace_back(args: std::move(Warning), args: getNotes());
2074	}
2075
2076	void enterFunction(const FunctionDecl* FD) override {
2077	CurrentFunction = FD;
2078	}
2079
2080	void leaveFunction(const FunctionDecl* FD) override {
2081	CurrentFunction = nullptr;
2082	}
2083	};
2084	} // anonymous namespace
2085	} // namespace threadSafety
2086	} // namespace clang
2087
2088	//===----------------------------------------------------------------------===//
2089	// -Wconsumed
2090	//===----------------------------------------------------------------------===//
2091
2092	namespace clang {
2093	namespace consumed {
2094	namespace {
2095	class ConsumedWarningsHandler : public ConsumedWarningsHandlerBase {
2096
2097	Sema &S;
2098	DiagList Warnings;
2099
2100	public:
2101
2102	ConsumedWarningsHandler(Sema &S) : S(S) {}
2103
2104	void emitDiagnostics() override {
2105	Warnings.sort(comp: SortDiagBySourceLocation(S.getSourceManager()));
2106	for (const auto &Diag : Warnings) {
2107	S.Diag(Loc: Diag.first.first, PD: Diag.first.second);
2108	for (const auto &Note : Diag.second)
2109	S.Diag(Loc: Note.first, PD: Note.second);
2110	}
2111	}
2112
2113	void warnLoopStateMismatch(SourceLocation Loc,
2114	StringRef VariableName) override {
2115	PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_loop_state_mismatch) <<
2116	VariableName);
2117
2118	Warnings.emplace_back(args: std::move(Warning), args: OptionalNotes());
2119	}
2120
2121	void warnParamReturnTypestateMismatch(SourceLocation Loc,
2122	StringRef VariableName,
2123	StringRef ExpectedState,
2124	StringRef ObservedState) override {
2125
2126	PartialDiagnosticAt Warning(Loc, S.PDiag(
2127	diag::warn_param_return_typestate_mismatch) << VariableName <<
2128	ExpectedState << ObservedState);
2129
2130	Warnings.emplace_back(args: std::move(Warning), args: OptionalNotes());
2131	}
2132
2133	void warnParamTypestateMismatch(SourceLocation Loc, StringRef ExpectedState,
2134	StringRef ObservedState) override {
2135
2136	PartialDiagnosticAt Warning(Loc, S.PDiag(
2137	diag::warn_param_typestate_mismatch) << ExpectedState << ObservedState);
2138
2139	Warnings.emplace_back(args: std::move(Warning), args: OptionalNotes());
2140	}
2141
2142	void warnReturnTypestateForUnconsumableType(SourceLocation Loc,
2143	StringRef TypeName) override {
2144	PartialDiagnosticAt Warning(Loc, S.PDiag(
2145	diag::warn_return_typestate_for_unconsumable_type) << TypeName);
2146
2147	Warnings.emplace_back(args: std::move(Warning), args: OptionalNotes());
2148	}
2149
2150	void warnReturnTypestateMismatch(SourceLocation Loc, StringRef ExpectedState,
2151	StringRef ObservedState) override {
2152
2153	PartialDiagnosticAt Warning(Loc, S.PDiag(
2154	diag::warn_return_typestate_mismatch) << ExpectedState << ObservedState);
2155
2156	Warnings.emplace_back(args: std::move(Warning), args: OptionalNotes());
2157	}
2158
2159	void warnUseOfTempInInvalidState(StringRef MethodName, StringRef State,
2160	SourceLocation Loc) override {
2161
2162	PartialDiagnosticAt Warning(Loc, S.PDiag(
2163	diag::warn_use_of_temp_in_invalid_state) << MethodName << State);
2164
2165	Warnings.emplace_back(args: std::move(Warning), args: OptionalNotes());
2166	}
2167
2168	void warnUseInInvalidState(StringRef MethodName, StringRef VariableName,
2169	StringRef State, SourceLocation Loc) override {
2170
2171	PartialDiagnosticAt Warning(Loc, S.PDiag(diag::warn_use_in_invalid_state) <<
2172	MethodName << VariableName << State);
2173
2174	Warnings.emplace_back(args: std::move(Warning), args: OptionalNotes());
2175	}
2176	};
2177	} // anonymous namespace
2178	} // namespace consumed
2179	} // namespace clang
2180
2181	//===----------------------------------------------------------------------===//
2182	// Unsafe buffer usage analysis.
2183	//===----------------------------------------------------------------------===//
2184
2185	namespace {
2186	class UnsafeBufferUsageReporter : public UnsafeBufferUsageHandler {
2187	Sema &S;
2188	bool SuggestSuggestions; // Recommend -fsafe-buffer-usage-suggestions?
2189
2190	// Lists as a string the names of variables in `VarGroupForVD` except for `VD`
2191	// itself:
2192	std::string listVariableGroupAsString(
2193	const VarDecl *VD, const ArrayRef<const VarDecl *> &VarGroupForVD) const {
2194	if (VarGroupForVD.size() <= 1)
2195	return "";
2196
2197	std::vector<StringRef> VarNames;
2198	auto PutInQuotes = [](StringRef S) -> std::string {
2199	return "'" + S.str() + "'";
2200	};
2201
2202	for (auto *V : VarGroupForVD) {
2203	if (V == VD)
2204	continue;
2205	VarNames.push_back(V->getName());
2206	}
2207	if (VarNames.size() == 1) {
2208	return PutInQuotes(VarNames[0]);
2209	}
2210	if (VarNames.size() == 2) {
2211	return PutInQuotes(VarNames[0]) + " and " + PutInQuotes(VarNames[1]);
2212	}
2213	assert(VarGroupForVD.size() > 3);
2214	const unsigned N = VarNames.size() -
2215	2; // need to print the last two names as "..., X, and Y"
2216	std::string AllVars = "";
2217
2218	for (unsigned I = 0; I < N; ++I)
2219	AllVars.append(str: PutInQuotes(VarNames[I]) + ", ");
2220	AllVars.append(str: PutInQuotes(VarNames[N]) + ", and " +
2221	PutInQuotes(VarNames[N + 1]));
2222	return AllVars;
2223	}
2224
2225	public:
2226	UnsafeBufferUsageReporter(Sema &S, bool SuggestSuggestions)
2227	: S(S), SuggestSuggestions(SuggestSuggestions) {}
2228
2229	void handleUnsafeOperation(const Stmt *Operation, bool IsRelatedToDecl,
2230	ASTContext &Ctx) override {
2231	SourceLocation Loc;
2232	SourceRange Range;
2233	unsigned MsgParam = 0;
2234	if (const auto *ASE = dyn_cast<ArraySubscriptExpr>(Val: Operation)) {
2235	Loc = ASE->getBase()->getExprLoc();
2236	Range = ASE->getBase()->getSourceRange();
2237	MsgParam = 2;
2238	} else if (const auto *BO = dyn_cast<BinaryOperator>(Val: Operation)) {
2239	BinaryOperator::Opcode Op = BO->getOpcode();
2240	if (Op == BO_Add || Op == BO_AddAssign || Op == BO_Sub ||
2241	Op == BO_SubAssign) {
2242	if (BO->getRHS()->getType()->isIntegerType()) {
2243	Loc = BO->getLHS()->getExprLoc();
2244	Range = BO->getLHS()->getSourceRange();
2245	} else {
2246	Loc = BO->getRHS()->getExprLoc();
2247	Range = BO->getRHS()->getSourceRange();
2248	}
2249	MsgParam = 1;
2250	}
2251	} else if (const auto *UO = dyn_cast<UnaryOperator>(Val: Operation)) {
2252	UnaryOperator::Opcode Op = UO->getOpcode();
2253	if (Op == UO_PreInc || Op == UO_PreDec || Op == UO_PostInc ||
2254	Op == UO_PostDec) {
2255	Loc = UO->getSubExpr()->getExprLoc();
2256	Range = UO->getSubExpr()->getSourceRange();
2257	MsgParam = 1;
2258	}
2259	} else if (const auto *CtorExpr = dyn_cast<CXXConstructExpr>(Val: Operation)) {
2260	S.Diag(CtorExpr->getLocation(),
2261	diag::warn_unsafe_buffer_usage_in_container);
2262	} else {
2263	if (isa<CallExpr>(Val: Operation)) {
2264	// note_unsafe_buffer_operation doesn't have this mode yet.
2265	assert(!IsRelatedToDecl && "Not implemented yet!");
2266	MsgParam = 3;
2267	} else if (const auto *ECE = dyn_cast<ExplicitCastExpr>(Val: Operation)) {
2268	QualType destType = ECE->getType();
2269	if (!isa<PointerType>(Val: destType))
2270	return;
2271
2272	const uint64_t dSize =
2273	Ctx.getTypeSize(T: destType.getTypePtr()->getPointeeType());
2274
2275	QualType srcType = ECE->getSubExpr()->getType();
2276	const uint64_t sSize =
2277	Ctx.getTypeSize(T: srcType.getTypePtr()->getPointeeType());
2278	if (sSize >= dSize)
2279	return;
2280
2281	MsgParam = 4;
2282	}
2283	Loc = Operation->getBeginLoc();
2284	Range = Operation->getSourceRange();
2285	}
2286	if (IsRelatedToDecl) {
2287	assert(!SuggestSuggestions &&
2288	"Variables blamed for unsafe buffer usage without suggestions!");
2289	S.Diag(Loc, diag::note_unsafe_buffer_operation) << MsgParam << Range;
2290	} else {
2291	S.Diag(Loc, diag::warn_unsafe_buffer_operation) << MsgParam << Range;
2292	if (SuggestSuggestions) {
2293	S.Diag(Loc, diag::note_safe_buffer_usage_suggestions_disabled);
2294	}
2295	}
2296	}
2297
2298	void handleUnsafeVariableGroup(const VarDecl *Variable,
2299	const VariableGroupsManager &VarGrpMgr,
2300	FixItList &&Fixes, const Decl *D,
2301	const FixitStrategy &VarTargetTypes) override {
2302	assert(!SuggestSuggestions &&
2303	"Unsafe buffer usage fixits displayed without suggestions!");
2304	S.Diag(Variable->getLocation(), diag::warn_unsafe_buffer_variable)
2305	<< Variable << (Variable->getType()->isPointerType() ? 0 : 1)
2306	<< Variable->getSourceRange();
2307	if (!Fixes.empty()) {
2308	assert(isa<NamedDecl>(D) &&
2309	"Fix-its are generated only for `NamedDecl`s");
2310	const NamedDecl *ND = cast<NamedDecl>(Val: D);
2311	bool BriefMsg = false;
2312	// If the variable group involves parameters, the diagnostic message will
2313	// NOT explain how the variables are grouped as the reason is non-trivial
2314	// and irrelavant to users' experience:
2315	const auto VarGroupForVD = VarGrpMgr.getGroupOfVar(Var: Variable, HasParm: &BriefMsg);
2316	unsigned FixItStrategy = 0;
2317	switch (VarTargetTypes.lookup(VD: Variable)) {
2318	case clang::FixitStrategy::Kind::Span:
2319	FixItStrategy = 0;
2320	break;
2321	case clang::FixitStrategy::Kind::Array:
2322	FixItStrategy = 1;
2323	break;
2324	default:
2325	assert(false && "We support only std::span and std::array");
2326	};
2327
2328	const auto &FD =
2329	S.Diag(Variable->getLocation(),
2330	BriefMsg ? diag::note_unsafe_buffer_variable_fixit_together
2331	: diag::note_unsafe_buffer_variable_fixit_group);
2332
2333	FD << Variable << FixItStrategy;
2334	FD << listVariableGroupAsString(VD: Variable, VarGroupForVD)
2335	<< (VarGroupForVD.size() > 1) << ND;
2336	for (const auto &F : Fixes) {
2337	FD << F;
2338	}
2339	}
2340
2341	#ifndef NDEBUG
2342	if (areDebugNotesRequested())
2343	for (const DebugNote &Note: DebugNotesByVar[Variable])
2344	S.Diag(Note.first, diag::note_safe_buffer_debug_mode) << Note.second;
2345	#endif
2346	}
2347
2348	bool isSafeBufferOptOut(const SourceLocation &Loc) const override {
2349	return S.PP.isSafeBufferOptOut(SourceMgr: S.getSourceManager(), Loc);
2350	}
2351
2352	bool ignoreUnsafeBufferInContainer(const SourceLocation &Loc) const override {
2353	return S.Diags.isIgnored(diag::warn_unsafe_buffer_usage_in_container, Loc);
2354	}
2355
2356	// Returns the text representation of clang::unsafe_buffer_usage attribute.
2357	// `WSSuffix` holds customized "white-space"s, e.g., newline or whilespace
2358	// characters.
2359	std::string
2360	getUnsafeBufferUsageAttributeTextAt(SourceLocation Loc,
2361	StringRef WSSuffix = "") const override {
2362	Preprocessor &PP = S.getPreprocessor();
2363	TokenValue ClangUnsafeBufferUsageTokens[] = {
2364	tok::l_square,
2365	tok::l_square,
2366	PP.getIdentifierInfo(Name: "clang"),
2367	tok::coloncolon,
2368	PP.getIdentifierInfo(Name: "unsafe_buffer_usage"),
2369	tok::r_square,
2370	tok::r_square};
2371
2372	StringRef MacroName;
2373
2374	// The returned macro (it returns) is guaranteed not to be function-like:
2375	MacroName = PP.getLastMacroWithSpelling(Loc, Tokens: ClangUnsafeBufferUsageTokens);
2376	if (MacroName.empty())
2377	MacroName = "[[clang::unsafe_buffer_usage]]";
2378	return MacroName.str() + WSSuffix.str();
2379	}
2380	};
2381	} // namespace
2382
2383	//===----------------------------------------------------------------------===//
2384	// AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based
2385	// warnings on a function, method, or block.
2386	//===----------------------------------------------------------------------===//
2387
2388	sema::AnalysisBasedWarnings::Policy::Policy() {
2389	enableCheckFallThrough = 1;
2390	enableCheckUnreachable = 0;
2391	enableThreadSafetyAnalysis = 0;
2392	enableConsumedAnalysis = 0;
2393	}
2394
2395	/// InterProceduralData aims to be a storage of whatever data should be passed
2396	/// between analyses of different functions.
2397	///
2398	/// At the moment, its primary goal is to make the information gathered during
2399	/// the analysis of the blocks available during the analysis of the enclosing
2400	/// function. This is important due to the fact that blocks are analyzed before
2401	/// the enclosed function is even parsed fully, so it is not viable to access
2402	/// anything in the outer scope while analyzing the block. On the other hand,
2403	/// re-building CFG for blocks and re-analyzing them when we do have all the
2404	/// information (i.e. during the analysis of the enclosing function) seems to be
2405	/// ill-designed.
2406	class sema::AnalysisBasedWarnings::InterProceduralData {
2407	public:
2408	// It is important to analyze blocks within functions because it's a very
2409	// common pattern to capture completion handler parameters by blocks.
2410	CalledOnceInterProceduralData CalledOnceData;
2411	};
2412
2413	static unsigned isEnabled(DiagnosticsEngine &D, unsigned diag) {
2414	return (unsigned)!D.isIgnored(DiagID: diag, Loc: SourceLocation());
2415	}
2416
2417	sema::AnalysisBasedWarnings::AnalysisBasedWarnings(Sema &s)
2418	: S(s), IPData(std::make_unique<InterProceduralData>()),
2419	NumFunctionsAnalyzed(0), NumFunctionsWithBadCFGs(0), NumCFGBlocks(0),
2420	MaxCFGBlocksPerFunction(0), NumUninitAnalysisFunctions(0),
2421	NumUninitAnalysisVariables(0), MaxUninitAnalysisVariablesPerFunction(0),
2422	NumUninitAnalysisBlockVisits(0),
2423	MaxUninitAnalysisBlockVisitsPerFunction(0) {
2424
2425	using namespace diag;
2426	DiagnosticsEngine &D = S.getDiagnostics();
2427
2428	DefaultPolicy.enableCheckUnreachable =
2429	isEnabled(D, warn_unreachable) || isEnabled(D, warn_unreachable_break) ||
2430	isEnabled(D, warn_unreachable_return) ||
2431	isEnabled(D, warn_unreachable_loop_increment);
2432
2433	DefaultPolicy.enableThreadSafetyAnalysis = isEnabled(D, warn_double_lock);
2434
2435	DefaultPolicy.enableConsumedAnalysis =
2436	isEnabled(D, warn_use_in_invalid_state);
2437	}
2438
2439	// We need this here for unique_ptr with forward declared class.
2440	sema::AnalysisBasedWarnings::~AnalysisBasedWarnings() = default;
2441
2442	static void flushDiagnostics(Sema &S, const sema::FunctionScopeInfo *fscope) {
2443	for (const auto &D : fscope->PossiblyUnreachableDiags)
2444	S.Diag(Loc: D.Loc, PD: D.PD);
2445	}
2446
2447	// An AST Visitor that calls a callback function on each callable DEFINITION
2448	// that is NOT in a dependent context:
2449	class CallableVisitor : public RecursiveASTVisitor<CallableVisitor> {
2450	private:
2451	llvm::function_ref<void(const Decl *)> Callback;
2452
2453	public:
2454	CallableVisitor(llvm::function_ref<void(const Decl *)> Callback)
2455	: Callback(Callback) {}
2456
2457	bool VisitFunctionDecl(FunctionDecl *Node) {
2458	if (cast<DeclContext>(Val: Node)->isDependentContext())
2459	return true; // Not to analyze dependent decl
2460	// `FunctionDecl->hasBody()` returns true if the function has a body
2461	// somewhere defined. But we want to know if this `Node` has a body
2462	// child. So we use `doesThisDeclarationHaveABody`:
2463	if (Node->doesThisDeclarationHaveABody())
2464	Callback(Node);
2465	return true;
2466	}
2467
2468	bool VisitBlockDecl(BlockDecl *Node) {
2469	if (cast<DeclContext>(Val: Node)->isDependentContext())
2470	return true; // Not to analyze dependent decl
2471	Callback(Node);
2472	return true;
2473	}
2474
2475	bool VisitObjCMethodDecl(ObjCMethodDecl *Node) {
2476	if (cast<DeclContext>(Val: Node)->isDependentContext())
2477	return true; // Not to analyze dependent decl
2478	if (Node->hasBody())
2479	Callback(Node);
2480	return true;
2481	}
2482
2483	bool VisitLambdaExpr(LambdaExpr *Node) {
2484	return VisitFunctionDecl(Node->getCallOperator());
2485	}
2486
2487	bool shouldVisitTemplateInstantiations() const { return true; }
2488	bool shouldVisitImplicitCode() const { return false; }
2489	};
2490
2491	void clang::sema::AnalysisBasedWarnings::IssueWarnings(
2492	TranslationUnitDecl *TU) {
2493	if (!TU)
2494	return; // This is unexpected, give up quietly.
2495
2496	DiagnosticsEngine &Diags = S.getDiagnostics();
2497
2498	if (S.hasUncompilableErrorOccurred() || Diags.getIgnoreAllWarnings())
2499	// exit if having uncompilable errors or ignoring all warnings:
2500	return;
2501
2502	DiagnosticOptions &DiagOpts = Diags.getDiagnosticOptions();
2503
2504	// UnsafeBufferUsage analysis settings.
2505	bool UnsafeBufferUsageCanEmitSuggestions = S.getLangOpts().CPlusPlus20;
2506	bool UnsafeBufferUsageShouldEmitSuggestions = // Should != Can.
2507	UnsafeBufferUsageCanEmitSuggestions &&
2508	DiagOpts.ShowSafeBufferUsageSuggestions;
2509	bool UnsafeBufferUsageShouldSuggestSuggestions =
2510	UnsafeBufferUsageCanEmitSuggestions &&
2511	!DiagOpts.ShowSafeBufferUsageSuggestions;
2512	UnsafeBufferUsageReporter R(S, UnsafeBufferUsageShouldSuggestSuggestions);
2513
2514	// The Callback function that performs analyses:
2515	auto CallAnalyzers = [&](const Decl *Node) -> void {
2516	// Perform unsafe buffer usage analysis:
2517	if (!Diags.isIgnored(diag::warn_unsafe_buffer_operation,
2518	Node->getBeginLoc()) ||
2519	!Diags.isIgnored(diag::warn_unsafe_buffer_variable,
2520	Node->getBeginLoc()) ||
2521	!Diags.isIgnored(diag::warn_unsafe_buffer_usage_in_container,
2522	Node->getBeginLoc())) {
2523	clang::checkUnsafeBufferUsage(D: Node, Handler&: R,
2524	EmitSuggestions: UnsafeBufferUsageShouldEmitSuggestions);
2525	}
2526
2527	// More analysis ...
2528	};
2529	// Emit per-function analysis-based warnings that require the whole-TU
2530	// reasoning. Check if any of them is enabled at all before scanning the AST:
2531	if (!Diags.isIgnored(diag::warn_unsafe_buffer_operation, SourceLocation()) ||
2532	!Diags.isIgnored(diag::warn_unsafe_buffer_variable, SourceLocation()) ||
2533	!Diags.isIgnored(diag::warn_unsafe_buffer_usage_in_container,
2534	SourceLocation())) {
2535	CallableVisitor(CallAnalyzers).TraverseTranslationUnitDecl(TU);
2536	}
2537	}
2538
2539	void clang::sema::AnalysisBasedWarnings::IssueWarnings(
2540	sema::AnalysisBasedWarnings::Policy P, sema::FunctionScopeInfo *fscope,
2541	const Decl *D, QualType BlockType) {
2542
2543	// We avoid doing analysis-based warnings when there are errors for
2544	// two reasons:
2545	// (1) The CFGs often can't be constructed (if the body is invalid), so
2546	// don't bother trying.
2547	// (2) The code already has problems; running the analysis just takes more
2548	// time.
2549	DiagnosticsEngine &Diags = S.getDiagnostics();
2550
2551	// Do not do any analysis if we are going to just ignore them.
2552	if (Diags.getIgnoreAllWarnings() ||
2553	(Diags.getSuppressSystemWarnings() &&
2554	S.SourceMgr.isInSystemHeader(Loc: D->getLocation())))
2555	return;
2556
2557	// For code in dependent contexts, we'll do this at instantiation time.
2558	if (cast<DeclContext>(Val: D)->isDependentContext())
2559	return;
2560
2561	if (S.hasUncompilableErrorOccurred()) {
2562	// Flush out any possibly unreachable diagnostics.
2563	flushDiagnostics(S, fscope);
2564	return;
2565	}
2566
2567	const Stmt *Body = D->getBody();
2568	assert(Body);
2569
2570	// Construct the analysis context with the specified CFG build options.
2571	AnalysisDeclContext AC(/* AnalysisDeclContextManager */ nullptr, D);
2572
2573	// Don't generate EH edges for CallExprs as we'd like to avoid the n^2
2574	// explosion for destructors that can result and the compile time hit.
2575	AC.getCFGBuildOptions().PruneTriviallyFalseEdges = true;
2576	AC.getCFGBuildOptions().AddEHEdges = false;
2577	AC.getCFGBuildOptions().AddInitializers = true;
2578	AC.getCFGBuildOptions().AddImplicitDtors = true;
2579	AC.getCFGBuildOptions().AddTemporaryDtors = true;
2580	AC.getCFGBuildOptions().AddCXXNewAllocator = false;
2581	AC.getCFGBuildOptions().AddCXXDefaultInitExprInCtors = true;
2582
2583	// Force that certain expressions appear as CFGElements in the CFG. This
2584	// is used to speed up various analyses.
2585	// FIXME: This isn't the right factoring. This is here for initial
2586	// prototyping, but we need a way for analyses to say what expressions they
2587	// expect to always be CFGElements and then fill in the BuildOptions
2588	// appropriately. This is essentially a layering violation.
2589	if (P.enableCheckUnreachable || P.enableThreadSafetyAnalysis ||
2590	P.enableConsumedAnalysis) {
2591	// Unreachable code analysis and thread safety require a linearized CFG.
2592	AC.getCFGBuildOptions().setAllAlwaysAdd();
2593	}
2594	else {
2595	AC.getCFGBuildOptions()
2596	.setAlwaysAdd(Stmt::BinaryOperatorClass)
2597	.setAlwaysAdd(Stmt::CompoundAssignOperatorClass)
2598	.setAlwaysAdd(Stmt::BlockExprClass)
2599	.setAlwaysAdd(Stmt::CStyleCastExprClass)
2600	.setAlwaysAdd(Stmt::DeclRefExprClass)
2601	.setAlwaysAdd(Stmt::ImplicitCastExprClass)
2602	.setAlwaysAdd(Stmt::UnaryOperatorClass);
2603	}
2604
2605	// Install the logical handler.
2606	std::optional<LogicalErrorHandler> LEH;
2607	if (LogicalErrorHandler::hasActiveDiagnostics(Diags, Loc: D->getBeginLoc())) {
2608	LEH.emplace(args&: S);
2609	AC.getCFGBuildOptions().Observer = &*LEH;
2610	}
2611
2612	// Emit delayed diagnostics.
2613	if (!fscope->PossiblyUnreachableDiags.empty()) {
2614	bool analyzed = false;
2615
2616	// Register the expressions with the CFGBuilder.
2617	for (const auto &D : fscope->PossiblyUnreachableDiags) {
2618	for (const Stmt *S : D.Stmts)
2619	AC.registerForcedBlockExpression(stmt: S);
2620	}
2621
2622	if (AC.getCFG()) {
2623	analyzed = true;
2624	for (const auto &D : fscope->PossiblyUnreachableDiags) {
2625	bool AllReachable = true;
2626	for (const Stmt *S : D.Stmts) {
2627	const CFGBlock *block = AC.getBlockForRegisteredExpression(stmt: S);
2628	CFGReverseBlockReachabilityAnalysis *cra =
2629	AC.getCFGReachablityAnalysis();
2630	// FIXME: We should be able to assert that block is non-null, but
2631	// the CFG analysis can skip potentially-evaluated expressions in
2632	// edge cases; see test/Sema/vla-2.c.
2633	if (block && cra) {
2634	// Can this block be reached from the entrance?
2635	if (!cra->isReachable(Src: &AC.getCFG()->getEntry(), Dst: block)) {
2636	AllReachable = false;
2637	break;
2638	}
2639	}
2640	// If we cannot map to a basic block, assume the statement is
2641	// reachable.
2642	}
2643
2644	if (AllReachable)
2645	S.Diag(Loc: D.Loc, PD: D.PD);
2646	}
2647	}
2648
2649	if (!analyzed)
2650	flushDiagnostics(S, fscope);
2651	}
2652
2653	// Warning: check missing 'return'
2654	if (P.enableCheckFallThrough) {
2655	const CheckFallThroughDiagnostics &CD =
2656	(isa<BlockDecl>(Val: D)
2657	? CheckFallThroughDiagnostics::MakeForBlock()
2658	: (isa<CXXMethodDecl>(Val: D) &&
2659	cast<CXXMethodDecl>(Val: D)->getOverloadedOperator() == OO_Call &&
2660	cast<CXXMethodDecl>(Val: D)->getParent()->isLambda())
2661	? CheckFallThroughDiagnostics::MakeForLambda()
2662	: (fscope->isCoroutine()
2663	? CheckFallThroughDiagnostics::MakeForCoroutine(Func: D)
2664	: CheckFallThroughDiagnostics::MakeForFunction(Func: D)));
2665	CheckFallThroughForBody(S, D, Body, BlockType, CD, AC, FSI: fscope);
2666	}
2667
2668	// Warning: check for unreachable code
2669	if (P.enableCheckUnreachable) {
2670	// Only check for unreachable code on non-template instantiations.
2671	// Different template instantiations can effectively change the control-flow
2672	// and it is very difficult to prove that a snippet of code in a template
2673	// is unreachable for all instantiations.
2674	bool isTemplateInstantiation = false;
2675	if (const FunctionDecl *Function = dyn_cast<FunctionDecl>(Val: D))
2676	isTemplateInstantiation = Function->isTemplateInstantiation();
2677	if (!isTemplateInstantiation)
2678	CheckUnreachable(S, AC);
2679	}
2680
2681	// Check for thread safety violations
2682	if (P.enableThreadSafetyAnalysis) {
2683	SourceLocation FL = AC.getDecl()->getLocation();
2684	SourceLocation FEL = AC.getDecl()->getEndLoc();
2685	threadSafety::ThreadSafetyReporter Reporter(S, FL, FEL);
2686	if (!Diags.isIgnored(diag::warn_thread_safety_beta, D->getBeginLoc()))
2687	Reporter.setIssueBetaWarnings(true);
2688	if (!Diags.isIgnored(diag::warn_thread_safety_verbose, D->getBeginLoc()))
2689	Reporter.setVerbose(true);
2690
2691	threadSafety::runThreadSafetyAnalysis(AC, Handler&: Reporter,
2692	Bset: &S.ThreadSafetyDeclCache);
2693	Reporter.emitDiagnostics();
2694	}
2695
2696	// Check for violations of consumed properties.
2697	if (P.enableConsumedAnalysis) {
2698	consumed::ConsumedWarningsHandler WarningHandler(S);
2699	consumed::ConsumedAnalyzer Analyzer(WarningHandler);
2700	Analyzer.run(AC);
2701	}
2702
2703	if (!Diags.isIgnored(diag::warn_uninit_var, D->getBeginLoc()) ||
2704	!Diags.isIgnored(diag::warn_sometimes_uninit_var, D->getBeginLoc()) ||
2705	!Diags.isIgnored(diag::warn_maybe_uninit_var, D->getBeginLoc()) ||
2706	!Diags.isIgnored(diag::warn_uninit_const_reference, D->getBeginLoc())) {
2707	if (CFG *cfg = AC.getCFG()) {
2708	UninitValsDiagReporter reporter(S);
2709	UninitVariablesAnalysisStats stats;
2710	std::memset(s: &stats, c: 0, n: sizeof(UninitVariablesAnalysisStats));
2711	runUninitializedVariablesAnalysis(dc: *cast<DeclContext>(Val: D), cfg: *cfg, ac&: AC,
2712	handler&: reporter, stats);
2713
2714	if (S.CollectStats && stats.NumVariablesAnalyzed > 0) {
2715	++NumUninitAnalysisFunctions;
2716	NumUninitAnalysisVariables += stats.NumVariablesAnalyzed;
2717	NumUninitAnalysisBlockVisits += stats.NumBlockVisits;
2718	MaxUninitAnalysisVariablesPerFunction =
2719	std::max(a: MaxUninitAnalysisVariablesPerFunction,
2720	b: stats.NumVariablesAnalyzed);
2721	MaxUninitAnalysisBlockVisitsPerFunction =
2722	std::max(a: MaxUninitAnalysisBlockVisitsPerFunction,
2723	b: stats.NumBlockVisits);
2724	}
2725	}
2726	}
2727
2728	// Check for violations of "called once" parameter properties.
2729	if (S.getLangOpts().ObjC && !S.getLangOpts().CPlusPlus &&
2730	shouldAnalyzeCalledOnceParameters(Diags, At: D->getBeginLoc())) {
2731	if (AC.getCFG()) {
2732	CalledOnceCheckReporter Reporter(S, IPData->CalledOnceData);
2733	checkCalledOnceParameters(
2734	AC, Handler&: Reporter,
2735	CheckConventionalParameters: shouldAnalyzeCalledOnceConventions(Diags, At: D->getBeginLoc()));
2736	}
2737	}
2738
2739	bool FallThroughDiagFull =
2740	!Diags.isIgnored(diag::warn_unannotated_fallthrough, D->getBeginLoc());
2741	bool FallThroughDiagPerFunction = !Diags.isIgnored(
2742	diag::warn_unannotated_fallthrough_per_function, D->getBeginLoc());
2743	if (FallThroughDiagFull || FallThroughDiagPerFunction ||
2744	fscope->HasFallthroughStmt) {
2745	DiagnoseSwitchLabelsFallthrough(S, AC, PerFunction: !FallThroughDiagFull);
2746	}
2747
2748	if (S.getLangOpts().ObjCWeak &&
2749	!Diags.isIgnored(diag::warn_arc_repeated_use_of_weak, D->getBeginLoc()))
2750	diagnoseRepeatedUseOfWeak(S, CurFn: fscope, D, PM: AC.getParentMap());
2751
2752
2753	// Check for infinite self-recursion in functions
2754	if (!Diags.isIgnored(diag::warn_infinite_recursive_function,
2755	D->getBeginLoc())) {
2756	if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: D)) {
2757	checkRecursiveFunction(S, FD, Body, AC);
2758	}
2759	}
2760
2761	// Check for throw out of non-throwing function.
2762	if (!Diags.isIgnored(diag::warn_throw_in_noexcept_func, D->getBeginLoc()))
2763	if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: D))
2764	if (S.getLangOpts().CPlusPlus && !fscope->isCoroutine() && isNoexcept(FD))
2765	checkThrowInNonThrowingFunc(S, FD, AC);
2766
2767	// If none of the previous checks caused a CFG build, trigger one here
2768	// for the logical error handler.
2769	if (LogicalErrorHandler::hasActiveDiagnostics(Diags, Loc: D->getBeginLoc())) {
2770	AC.getCFG();
2771	}
2772
2773	// Collect statistics about the CFG if it was built.
2774	if (S.CollectStats && AC.isCFGBuilt()) {
2775	++NumFunctionsAnalyzed;
2776	if (CFG *cfg = AC.getCFG()) {
2777	// If we successfully built a CFG for this context, record some more
2778	// detail information about it.
2779	NumCFGBlocks += cfg->getNumBlockIDs();
2780	MaxCFGBlocksPerFunction = std::max(a: MaxCFGBlocksPerFunction,
2781	b: cfg->getNumBlockIDs());
2782	} else {
2783	++NumFunctionsWithBadCFGs;
2784	}
2785	}
2786	}
2787
2788	void clang::sema::AnalysisBasedWarnings::PrintStats() const {
2789	llvm::errs() << "\n*** Analysis Based Warnings Stats:\n";
2790
2791	unsigned NumCFGsBuilt = NumFunctionsAnalyzed - NumFunctionsWithBadCFGs;
2792	unsigned AvgCFGBlocksPerFunction =
2793	!NumCFGsBuilt ? 0 : NumCFGBlocks/NumCFGsBuilt;
2794	llvm::errs() << NumFunctionsAnalyzed << " functions analyzed ("
2795	<< NumFunctionsWithBadCFGs << " w/o CFGs).\n"
2796	<< " " << NumCFGBlocks << " CFG blocks built.\n"
2797	<< " " << AvgCFGBlocksPerFunction
2798	<< " average CFG blocks per function.\n"
2799	<< " " << MaxCFGBlocksPerFunction
2800	<< " max CFG blocks per function.\n";
2801
2802	unsigned AvgUninitVariablesPerFunction = !NumUninitAnalysisFunctions ? 0
2803	: NumUninitAnalysisVariables/NumUninitAnalysisFunctions;
2804	unsigned AvgUninitBlockVisitsPerFunction = !NumUninitAnalysisFunctions ? 0
2805	: NumUninitAnalysisBlockVisits/NumUninitAnalysisFunctions;
2806	llvm::errs() << NumUninitAnalysisFunctions
2807	<< " functions analyzed for uninitialiazed variables\n"
2808	<< " " << NumUninitAnalysisVariables << " variables analyzed.\n"
2809	<< " " << AvgUninitVariablesPerFunction
2810	<< " average variables per function.\n"
2811	<< " " << MaxUninitAnalysisVariablesPerFunction
2812	<< " max variables per function.\n"
2813	<< " " << NumUninitAnalysisBlockVisits << " block visits.\n"
2814	<< " " << AvgUninitBlockVisitsPerFunction
2815	<< " average block visits per function.\n"
2816	<< " " << MaxUninitAnalysisBlockVisitsPerFunction
2817	<< " max block visits per function.\n";
2818	}
2819