1 | //===---- SemaAccess.cpp - C++ Access Control -------------------*- C++ -*-===// |
2 | // |
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
4 | // See https://llvm.org/LICENSE.txt for license information. |
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
6 | // |
7 | //===----------------------------------------------------------------------===// |
8 | // |
9 | // This file provides Sema routines for C++ access control semantics. |
10 | // |
11 | //===----------------------------------------------------------------------===// |
12 | |
13 | #include "clang/Basic/Specifiers.h" |
14 | #include "clang/Sema/SemaInternal.h" |
15 | #include "clang/AST/ASTContext.h" |
16 | #include "clang/AST/CXXInheritance.h" |
17 | #include "clang/AST/DeclCXX.h" |
18 | #include "clang/AST/DeclFriend.h" |
19 | #include "clang/AST/DeclObjC.h" |
20 | #include "clang/AST/DependentDiagnostic.h" |
21 | #include "clang/AST/ExprCXX.h" |
22 | #include "clang/Sema/DelayedDiagnostic.h" |
23 | #include "clang/Sema/Initialization.h" |
24 | #include "clang/Sema/Lookup.h" |
25 | |
26 | using namespace clang; |
27 | using namespace sema; |
28 | |
29 | /// A copy of Sema's enum without AR_delayed. |
30 | enum AccessResult { |
31 | AR_accessible, |
32 | AR_inaccessible, |
33 | AR_dependent |
34 | }; |
35 | |
36 | /// SetMemberAccessSpecifier - Set the access specifier of a member. |
37 | /// Returns true on error (when the previous member decl access specifier |
38 | /// is different from the new member decl access specifier). |
39 | bool Sema::SetMemberAccessSpecifier(NamedDecl *MemberDecl, |
40 | NamedDecl *PrevMemberDecl, |
41 | AccessSpecifier LexicalAS) { |
42 | if (!PrevMemberDecl) { |
43 | // Use the lexical access specifier. |
44 | MemberDecl->setAccess(LexicalAS); |
45 | return false; |
46 | } |
47 | |
48 | // C++ [class.access.spec]p3: When a member is redeclared its access |
49 | // specifier must be same as its initial declaration. |
50 | if (LexicalAS != AS_none && LexicalAS != PrevMemberDecl->getAccess()) { |
51 | Diag(MemberDecl->getLocation(), |
52 | diag::err_class_redeclared_with_different_access) |
53 | << MemberDecl << LexicalAS; |
54 | Diag(PrevMemberDecl->getLocation(), diag::note_previous_access_declaration) |
55 | << PrevMemberDecl << PrevMemberDecl->getAccess(); |
56 | |
57 | MemberDecl->setAccess(LexicalAS); |
58 | return true; |
59 | } |
60 | |
61 | MemberDecl->setAccess(PrevMemberDecl->getAccess()); |
62 | return false; |
63 | } |
64 | |
65 | static CXXRecordDecl *FindDeclaringClass(NamedDecl *D) { |
66 | DeclContext *DC = D->getDeclContext(); |
67 | |
68 | // This can only happen at top: enum decls only "publish" their |
69 | // immediate members. |
70 | if (isa<EnumDecl>(Val: DC)) |
71 | DC = cast<EnumDecl>(Val: DC)->getDeclContext(); |
72 | |
73 | CXXRecordDecl *DeclaringClass = cast<CXXRecordDecl>(Val: DC); |
74 | while (DeclaringClass->isAnonymousStructOrUnion()) |
75 | DeclaringClass = cast<CXXRecordDecl>(DeclaringClass->getDeclContext()); |
76 | return DeclaringClass; |
77 | } |
78 | |
79 | namespace { |
80 | struct EffectiveContext { |
81 | EffectiveContext() : Inner(nullptr), Dependent(false) {} |
82 | |
83 | explicit EffectiveContext(DeclContext *DC) |
84 | : Inner(DC), |
85 | Dependent(DC->isDependentContext()) { |
86 | |
87 | // An implicit deduction guide is semantically in the context enclosing the |
88 | // class template, but for access purposes behaves like the constructor |
89 | // from which it was produced. |
90 | if (auto *DGD = dyn_cast<CXXDeductionGuideDecl>(Val: DC)) { |
91 | if (DGD->isImplicit()) { |
92 | DC = DGD->getCorrespondingConstructor(); |
93 | if (!DC) { |
94 | // The copy deduction candidate doesn't have a corresponding |
95 | // constructor. |
96 | DC = cast<DeclContext>(Val: DGD->getDeducedTemplate()->getTemplatedDecl()); |
97 | } |
98 | } |
99 | } |
100 | |
101 | // C++11 [class.access.nest]p1: |
102 | // A nested class is a member and as such has the same access |
103 | // rights as any other member. |
104 | // C++11 [class.access]p2: |
105 | // A member of a class can also access all the names to which |
106 | // the class has access. A local class of a member function |
107 | // may access the same names that the member function itself |
108 | // may access. |
109 | // This almost implies that the privileges of nesting are transitive. |
110 | // Technically it says nothing about the local classes of non-member |
111 | // functions (which can gain privileges through friendship), but we |
112 | // take that as an oversight. |
113 | while (true) { |
114 | // We want to add canonical declarations to the EC lists for |
115 | // simplicity of checking, but we need to walk up through the |
116 | // actual current DC chain. Otherwise, something like a local |
117 | // extern or friend which happens to be the canonical |
118 | // declaration will really mess us up. |
119 | |
120 | if (isa<CXXRecordDecl>(Val: DC)) { |
121 | CXXRecordDecl *Record = cast<CXXRecordDecl>(Val: DC); |
122 | Records.push_back(Elt: Record->getCanonicalDecl()); |
123 | DC = Record->getDeclContext(); |
124 | } else if (isa<FunctionDecl>(Val: DC)) { |
125 | FunctionDecl *Function = cast<FunctionDecl>(Val: DC); |
126 | Functions.push_back(Elt: Function->getCanonicalDecl()); |
127 | if (Function->getFriendObjectKind()) |
128 | DC = Function->getLexicalDeclContext(); |
129 | else |
130 | DC = Function->getDeclContext(); |
131 | } else if (DC->isFileContext()) { |
132 | break; |
133 | } else { |
134 | DC = DC->getParent(); |
135 | } |
136 | } |
137 | } |
138 | |
139 | bool isDependent() const { return Dependent; } |
140 | |
141 | bool includesClass(const CXXRecordDecl *R) const { |
142 | R = R->getCanonicalDecl(); |
143 | return llvm::is_contained(Range: Records, Element: R); |
144 | } |
145 | |
146 | /// Retrieves the innermost "useful" context. Can be null if we're |
147 | /// doing access-control without privileges. |
148 | DeclContext *getInnerContext() const { |
149 | return Inner; |
150 | } |
151 | |
152 | typedef SmallVectorImpl<CXXRecordDecl*>::const_iterator record_iterator; |
153 | |
154 | DeclContext *Inner; |
155 | SmallVector<FunctionDecl*, 4> Functions; |
156 | SmallVector<CXXRecordDecl*, 4> Records; |
157 | bool Dependent; |
158 | }; |
159 | |
160 | /// Like sema::AccessedEntity, but kindly lets us scribble all over |
161 | /// it. |
162 | struct AccessTarget : public AccessedEntity { |
163 | AccessTarget(const AccessedEntity &Entity) |
164 | : AccessedEntity(Entity) { |
165 | initialize(); |
166 | } |
167 | |
168 | AccessTarget(ASTContext &Context, |
169 | MemberNonce _, |
170 | CXXRecordDecl *NamingClass, |
171 | DeclAccessPair FoundDecl, |
172 | QualType BaseObjectType) |
173 | : AccessedEntity(Context.getDiagAllocator(), Member, NamingClass, |
174 | FoundDecl, BaseObjectType) { |
175 | initialize(); |
176 | } |
177 | |
178 | AccessTarget(ASTContext &Context, |
179 | BaseNonce _, |
180 | CXXRecordDecl *BaseClass, |
181 | CXXRecordDecl *DerivedClass, |
182 | AccessSpecifier Access) |
183 | : AccessedEntity(Context.getDiagAllocator(), Base, BaseClass, DerivedClass, |
184 | Access) { |
185 | initialize(); |
186 | } |
187 | |
188 | bool isInstanceMember() const { |
189 | return (isMemberAccess() && getTargetDecl()->isCXXInstanceMember()); |
190 | } |
191 | |
192 | bool hasInstanceContext() const { |
193 | return HasInstanceContext; |
194 | } |
195 | |
196 | class SavedInstanceContext { |
197 | public: |
198 | SavedInstanceContext(SavedInstanceContext &&S) |
199 | : Target(S.Target), Has(S.Has) { |
200 | S.Target = nullptr; |
201 | } |
202 | |
203 | // The move assignment operator is defined as deleted pending further |
204 | // motivation. |
205 | SavedInstanceContext &operator=(SavedInstanceContext &&) = delete; |
206 | |
207 | // The copy constrcutor and copy assignment operator is defined as deleted |
208 | // pending further motivation. |
209 | SavedInstanceContext(const SavedInstanceContext &) = delete; |
210 | SavedInstanceContext &operator=(const SavedInstanceContext &) = delete; |
211 | |
212 | ~SavedInstanceContext() { |
213 | if (Target) |
214 | Target->HasInstanceContext = Has; |
215 | } |
216 | |
217 | private: |
218 | friend struct AccessTarget; |
219 | explicit SavedInstanceContext(AccessTarget &Target) |
220 | : Target(&Target), Has(Target.HasInstanceContext) {} |
221 | AccessTarget *Target; |
222 | bool Has; |
223 | }; |
224 | |
225 | SavedInstanceContext saveInstanceContext() { |
226 | return SavedInstanceContext(*this); |
227 | } |
228 | |
229 | void suppressInstanceContext() { |
230 | HasInstanceContext = false; |
231 | } |
232 | |
233 | const CXXRecordDecl *resolveInstanceContext(Sema &S) const { |
234 | assert(HasInstanceContext); |
235 | if (CalculatedInstanceContext) |
236 | return InstanceContext; |
237 | |
238 | CalculatedInstanceContext = true; |
239 | DeclContext *IC = S.computeDeclContext(getBaseObjectType()); |
240 | InstanceContext = (IC ? cast<CXXRecordDecl>(Val: IC)->getCanonicalDecl() |
241 | : nullptr); |
242 | return InstanceContext; |
243 | } |
244 | |
245 | const CXXRecordDecl *getDeclaringClass() const { |
246 | return DeclaringClass; |
247 | } |
248 | |
249 | /// The "effective" naming class is the canonical non-anonymous |
250 | /// class containing the actual naming class. |
251 | const CXXRecordDecl *getEffectiveNamingClass() const { |
252 | const CXXRecordDecl *namingClass = getNamingClass(); |
253 | while (namingClass->isAnonymousStructOrUnion()) |
254 | namingClass = cast<CXXRecordDecl>(namingClass->getParent()); |
255 | return namingClass->getCanonicalDecl(); |
256 | } |
257 | |
258 | private: |
259 | void initialize() { |
260 | HasInstanceContext = (isMemberAccess() && |
261 | !getBaseObjectType().isNull() && |
262 | getTargetDecl()->isCXXInstanceMember()); |
263 | CalculatedInstanceContext = false; |
264 | InstanceContext = nullptr; |
265 | |
266 | if (isMemberAccess()) |
267 | DeclaringClass = FindDeclaringClass(getTargetDecl()); |
268 | else |
269 | DeclaringClass = getBaseClass(); |
270 | DeclaringClass = DeclaringClass->getCanonicalDecl(); |
271 | } |
272 | |
273 | bool HasInstanceContext : 1; |
274 | mutable bool CalculatedInstanceContext : 1; |
275 | mutable const CXXRecordDecl *InstanceContext; |
276 | const CXXRecordDecl *DeclaringClass; |
277 | }; |
278 | |
279 | } |
280 | |
281 | /// Checks whether one class might instantiate to the other. |
282 | static bool MightInstantiateTo(const CXXRecordDecl *From, |
283 | const CXXRecordDecl *To) { |
284 | // Declaration names are always preserved by instantiation. |
285 | if (From->getDeclName() != To->getDeclName()) |
286 | return false; |
287 | |
288 | const DeclContext *FromDC = From->getDeclContext()->getPrimaryContext(); |
289 | const DeclContext *ToDC = To->getDeclContext()->getPrimaryContext(); |
290 | if (FromDC == ToDC) return true; |
291 | if (FromDC->isFileContext() || ToDC->isFileContext()) return false; |
292 | |
293 | // Be conservative. |
294 | return true; |
295 | } |
296 | |
297 | /// Checks whether one class is derived from another, inclusively. |
298 | /// Properly indicates when it couldn't be determined due to |
299 | /// dependence. |
300 | /// |
301 | /// This should probably be donated to AST or at least Sema. |
302 | static AccessResult IsDerivedFromInclusive(const CXXRecordDecl *Derived, |
303 | const CXXRecordDecl *Target) { |
304 | assert(Derived->getCanonicalDecl() == Derived); |
305 | assert(Target->getCanonicalDecl() == Target); |
306 | |
307 | if (Derived == Target) return AR_accessible; |
308 | |
309 | bool CheckDependent = Derived->isDependentContext(); |
310 | if (CheckDependent && MightInstantiateTo(From: Derived, To: Target)) |
311 | return AR_dependent; |
312 | |
313 | AccessResult OnFailure = AR_inaccessible; |
314 | SmallVector<const CXXRecordDecl*, 8> Queue; // actually a stack |
315 | |
316 | while (true) { |
317 | if (Derived->isDependentContext() && !Derived->hasDefinition() && |
318 | !Derived->isLambda()) |
319 | return AR_dependent; |
320 | |
321 | for (const auto &I : Derived->bases()) { |
322 | const CXXRecordDecl *RD; |
323 | |
324 | QualType T = I.getType(); |
325 | if (const RecordType *RT = T->getAs<RecordType>()) { |
326 | RD = cast<CXXRecordDecl>(Val: RT->getDecl()); |
327 | } else if (const InjectedClassNameType *IT |
328 | = T->getAs<InjectedClassNameType>()) { |
329 | RD = IT->getDecl(); |
330 | } else { |
331 | assert(T->isDependentType() && "non-dependent base wasn't a record?" ); |
332 | OnFailure = AR_dependent; |
333 | continue; |
334 | } |
335 | |
336 | RD = RD->getCanonicalDecl(); |
337 | if (RD == Target) return AR_accessible; |
338 | if (CheckDependent && MightInstantiateTo(From: RD, To: Target)) |
339 | OnFailure = AR_dependent; |
340 | |
341 | Queue.push_back(Elt: RD); |
342 | } |
343 | |
344 | if (Queue.empty()) break; |
345 | |
346 | Derived = Queue.pop_back_val(); |
347 | } |
348 | |
349 | return OnFailure; |
350 | } |
351 | |
352 | |
353 | static bool MightInstantiateTo(Sema &S, DeclContext *Context, |
354 | DeclContext *Friend) { |
355 | if (Friend == Context) |
356 | return true; |
357 | |
358 | assert(!Friend->isDependentContext() && |
359 | "can't handle friends with dependent contexts here" ); |
360 | |
361 | if (!Context->isDependentContext()) |
362 | return false; |
363 | |
364 | if (Friend->isFileContext()) |
365 | return false; |
366 | |
367 | // TODO: this is very conservative |
368 | return true; |
369 | } |
370 | |
371 | // Asks whether the type in 'context' can ever instantiate to the type |
372 | // in 'friend'. |
373 | static bool MightInstantiateTo(Sema &S, CanQualType Context, CanQualType Friend) { |
374 | if (Friend == Context) |
375 | return true; |
376 | |
377 | if (!Friend->isDependentType() && !Context->isDependentType()) |
378 | return false; |
379 | |
380 | // TODO: this is very conservative. |
381 | return true; |
382 | } |
383 | |
384 | static bool MightInstantiateTo(Sema &S, |
385 | FunctionDecl *Context, |
386 | FunctionDecl *Friend) { |
387 | if (Context->getDeclName() != Friend->getDeclName()) |
388 | return false; |
389 | |
390 | if (!MightInstantiateTo(S, |
391 | Context->getDeclContext(), |
392 | Friend->getDeclContext())) |
393 | return false; |
394 | |
395 | CanQual<FunctionProtoType> FriendTy |
396 | = S.Context.getCanonicalType(Friend->getType()) |
397 | ->getAs<FunctionProtoType>(); |
398 | CanQual<FunctionProtoType> ContextTy |
399 | = S.Context.getCanonicalType(Context->getType()) |
400 | ->getAs<FunctionProtoType>(); |
401 | |
402 | // There isn't any way that I know of to add qualifiers |
403 | // during instantiation. |
404 | if (FriendTy.getQualifiers() != ContextTy.getQualifiers()) |
405 | return false; |
406 | |
407 | if (FriendTy->getNumParams() != ContextTy->getNumParams()) |
408 | return false; |
409 | |
410 | if (!MightInstantiateTo(S, ContextTy->getReturnType(), |
411 | FriendTy->getReturnType())) |
412 | return false; |
413 | |
414 | for (unsigned I = 0, E = FriendTy->getNumParams(); I != E; ++I) |
415 | if (!MightInstantiateTo(S, ContextTy->getParamType(I), |
416 | FriendTy->getParamType(I))) |
417 | return false; |
418 | |
419 | return true; |
420 | } |
421 | |
422 | static bool MightInstantiateTo(Sema &S, |
423 | FunctionTemplateDecl *Context, |
424 | FunctionTemplateDecl *Friend) { |
425 | return MightInstantiateTo(S, |
426 | Context: Context->getTemplatedDecl(), |
427 | Friend: Friend->getTemplatedDecl()); |
428 | } |
429 | |
430 | static AccessResult MatchesFriend(Sema &S, |
431 | const EffectiveContext &EC, |
432 | const CXXRecordDecl *Friend) { |
433 | if (EC.includesClass(R: Friend)) |
434 | return AR_accessible; |
435 | |
436 | if (EC.isDependent()) { |
437 | for (const CXXRecordDecl *Context : EC.Records) { |
438 | if (MightInstantiateTo(From: Context, To: Friend)) |
439 | return AR_dependent; |
440 | } |
441 | } |
442 | |
443 | return AR_inaccessible; |
444 | } |
445 | |
446 | static AccessResult MatchesFriend(Sema &S, |
447 | const EffectiveContext &EC, |
448 | CanQualType Friend) { |
449 | if (const RecordType *RT = Friend->getAs<RecordType>()) |
450 | return MatchesFriend(S, EC, Friend: cast<CXXRecordDecl>(Val: RT->getDecl())); |
451 | |
452 | // TODO: we can do better than this |
453 | if (Friend->isDependentType()) |
454 | return AR_dependent; |
455 | |
456 | return AR_inaccessible; |
457 | } |
458 | |
459 | /// Determines whether the given friend class template matches |
460 | /// anything in the effective context. |
461 | static AccessResult MatchesFriend(Sema &S, |
462 | const EffectiveContext &EC, |
463 | ClassTemplateDecl *Friend) { |
464 | AccessResult OnFailure = AR_inaccessible; |
465 | |
466 | // Check whether the friend is the template of a class in the |
467 | // context chain. |
468 | for (SmallVectorImpl<CXXRecordDecl*>::const_iterator |
469 | I = EC.Records.begin(), E = EC.Records.end(); I != E; ++I) { |
470 | CXXRecordDecl *Record = *I; |
471 | |
472 | // Figure out whether the current class has a template: |
473 | ClassTemplateDecl *CTD; |
474 | |
475 | // A specialization of the template... |
476 | if (isa<ClassTemplateSpecializationDecl>(Val: Record)) { |
477 | CTD = cast<ClassTemplateSpecializationDecl>(Val: Record) |
478 | ->getSpecializedTemplate(); |
479 | |
480 | // ... or the template pattern itself. |
481 | } else { |
482 | CTD = Record->getDescribedClassTemplate(); |
483 | if (!CTD) continue; |
484 | } |
485 | |
486 | // It's a match. |
487 | if (Friend == CTD->getCanonicalDecl()) |
488 | return AR_accessible; |
489 | |
490 | // If the context isn't dependent, it can't be a dependent match. |
491 | if (!EC.isDependent()) |
492 | continue; |
493 | |
494 | // If the template names don't match, it can't be a dependent |
495 | // match. |
496 | if (CTD->getDeclName() != Friend->getDeclName()) |
497 | continue; |
498 | |
499 | // If the class's context can't instantiate to the friend's |
500 | // context, it can't be a dependent match. |
501 | if (!MightInstantiateTo(S, CTD->getDeclContext(), |
502 | Friend->getDeclContext())) |
503 | continue; |
504 | |
505 | // Otherwise, it's a dependent match. |
506 | OnFailure = AR_dependent; |
507 | } |
508 | |
509 | return OnFailure; |
510 | } |
511 | |
512 | /// Determines whether the given friend function matches anything in |
513 | /// the effective context. |
514 | static AccessResult MatchesFriend(Sema &S, |
515 | const EffectiveContext &EC, |
516 | FunctionDecl *Friend) { |
517 | AccessResult OnFailure = AR_inaccessible; |
518 | |
519 | for (SmallVectorImpl<FunctionDecl*>::const_iterator |
520 | I = EC.Functions.begin(), E = EC.Functions.end(); I != E; ++I) { |
521 | if (Friend == *I) |
522 | return AR_accessible; |
523 | |
524 | if (EC.isDependent() && MightInstantiateTo(S, Context: *I, Friend)) |
525 | OnFailure = AR_dependent; |
526 | } |
527 | |
528 | return OnFailure; |
529 | } |
530 | |
531 | /// Determines whether the given friend function template matches |
532 | /// anything in the effective context. |
533 | static AccessResult MatchesFriend(Sema &S, |
534 | const EffectiveContext &EC, |
535 | FunctionTemplateDecl *Friend) { |
536 | if (EC.Functions.empty()) return AR_inaccessible; |
537 | |
538 | AccessResult OnFailure = AR_inaccessible; |
539 | |
540 | for (SmallVectorImpl<FunctionDecl*>::const_iterator |
541 | I = EC.Functions.begin(), E = EC.Functions.end(); I != E; ++I) { |
542 | |
543 | FunctionTemplateDecl *FTD = (*I)->getPrimaryTemplate(); |
544 | if (!FTD) |
545 | FTD = (*I)->getDescribedFunctionTemplate(); |
546 | if (!FTD) |
547 | continue; |
548 | |
549 | FTD = FTD->getCanonicalDecl(); |
550 | |
551 | if (Friend == FTD) |
552 | return AR_accessible; |
553 | |
554 | if (EC.isDependent() && MightInstantiateTo(S, Context: FTD, Friend)) |
555 | OnFailure = AR_dependent; |
556 | } |
557 | |
558 | return OnFailure; |
559 | } |
560 | |
561 | /// Determines whether the given friend declaration matches anything |
562 | /// in the effective context. |
563 | static AccessResult MatchesFriend(Sema &S, |
564 | const EffectiveContext &EC, |
565 | FriendDecl *FriendD) { |
566 | // Whitelist accesses if there's an invalid or unsupported friend |
567 | // declaration. |
568 | if (FriendD->isInvalidDecl() || FriendD->isUnsupportedFriend()) |
569 | return AR_accessible; |
570 | |
571 | if (TypeSourceInfo *T = FriendD->getFriendType()) |
572 | return MatchesFriend(S, EC, T->getType()->getCanonicalTypeUnqualified()); |
573 | |
574 | NamedDecl *Friend |
575 | = cast<NamedDecl>(FriendD->getFriendDecl()->getCanonicalDecl()); |
576 | |
577 | // FIXME: declarations with dependent or templated scope. |
578 | |
579 | if (isa<ClassTemplateDecl>(Val: Friend)) |
580 | return MatchesFriend(S, EC, Friend: cast<ClassTemplateDecl>(Val: Friend)); |
581 | |
582 | if (isa<FunctionTemplateDecl>(Val: Friend)) |
583 | return MatchesFriend(S, EC, Friend: cast<FunctionTemplateDecl>(Val: Friend)); |
584 | |
585 | if (isa<CXXRecordDecl>(Val: Friend)) |
586 | return MatchesFriend(S, EC, Friend: cast<CXXRecordDecl>(Val: Friend)); |
587 | |
588 | assert(isa<FunctionDecl>(Friend) && "unknown friend decl kind" ); |
589 | return MatchesFriend(S, EC, Friend: cast<FunctionDecl>(Val: Friend)); |
590 | } |
591 | |
592 | static AccessResult GetFriendKind(Sema &S, |
593 | const EffectiveContext &EC, |
594 | const CXXRecordDecl *Class) { |
595 | AccessResult OnFailure = AR_inaccessible; |
596 | |
597 | // Okay, check friends. |
598 | for (auto *Friend : Class->friends()) { |
599 | switch (MatchesFriend(S, EC, FriendD: Friend)) { |
600 | case AR_accessible: |
601 | return AR_accessible; |
602 | |
603 | case AR_inaccessible: |
604 | continue; |
605 | |
606 | case AR_dependent: |
607 | OnFailure = AR_dependent; |
608 | break; |
609 | } |
610 | } |
611 | |
612 | // That's it, give up. |
613 | return OnFailure; |
614 | } |
615 | |
616 | namespace { |
617 | |
618 | /// A helper class for checking for a friend which will grant access |
619 | /// to a protected instance member. |
620 | struct ProtectedFriendContext { |
621 | Sema &S; |
622 | const EffectiveContext &EC; |
623 | const CXXRecordDecl *NamingClass; |
624 | bool CheckDependent; |
625 | bool EverDependent; |
626 | |
627 | /// The path down to the current base class. |
628 | SmallVector<const CXXRecordDecl*, 20> CurPath; |
629 | |
630 | ProtectedFriendContext(Sema &S, const EffectiveContext &EC, |
631 | const CXXRecordDecl *InstanceContext, |
632 | const CXXRecordDecl *NamingClass) |
633 | : S(S), EC(EC), NamingClass(NamingClass), |
634 | CheckDependent(InstanceContext->isDependentContext() || |
635 | NamingClass->isDependentContext()), |
636 | EverDependent(false) {} |
637 | |
638 | /// Check classes in the current path for friendship, starting at |
639 | /// the given index. |
640 | bool checkFriendshipAlongPath(unsigned I) { |
641 | assert(I < CurPath.size()); |
642 | for (unsigned E = CurPath.size(); I != E; ++I) { |
643 | switch (GetFriendKind(S, EC, Class: CurPath[I])) { |
644 | case AR_accessible: return true; |
645 | case AR_inaccessible: continue; |
646 | case AR_dependent: EverDependent = true; continue; |
647 | } |
648 | } |
649 | return false; |
650 | } |
651 | |
652 | /// Perform a search starting at the given class. |
653 | /// |
654 | /// PrivateDepth is the index of the last (least derived) class |
655 | /// along the current path such that a notional public member of |
656 | /// the final class in the path would have access in that class. |
657 | bool findFriendship(const CXXRecordDecl *Cur, unsigned PrivateDepth) { |
658 | // If we ever reach the naming class, check the current path for |
659 | // friendship. We can also stop recursing because we obviously |
660 | // won't find the naming class there again. |
661 | if (Cur == NamingClass) |
662 | return checkFriendshipAlongPath(I: PrivateDepth); |
663 | |
664 | if (CheckDependent && MightInstantiateTo(From: Cur, To: NamingClass)) |
665 | EverDependent = true; |
666 | |
667 | // Recurse into the base classes. |
668 | for (const auto &I : Cur->bases()) { |
669 | // If this is private inheritance, then a public member of the |
670 | // base will not have any access in classes derived from Cur. |
671 | unsigned BasePrivateDepth = PrivateDepth; |
672 | if (I.getAccessSpecifier() == AS_private) |
673 | BasePrivateDepth = CurPath.size() - 1; |
674 | |
675 | const CXXRecordDecl *RD; |
676 | |
677 | QualType T = I.getType(); |
678 | if (const RecordType *RT = T->getAs<RecordType>()) { |
679 | RD = cast<CXXRecordDecl>(Val: RT->getDecl()); |
680 | } else if (const InjectedClassNameType *IT |
681 | = T->getAs<InjectedClassNameType>()) { |
682 | RD = IT->getDecl(); |
683 | } else { |
684 | assert(T->isDependentType() && "non-dependent base wasn't a record?" ); |
685 | EverDependent = true; |
686 | continue; |
687 | } |
688 | |
689 | // Recurse. We don't need to clean up if this returns true. |
690 | CurPath.push_back(Elt: RD); |
691 | if (findFriendship(Cur: RD->getCanonicalDecl(), PrivateDepth: BasePrivateDepth)) |
692 | return true; |
693 | CurPath.pop_back(); |
694 | } |
695 | |
696 | return false; |
697 | } |
698 | |
699 | bool findFriendship(const CXXRecordDecl *Cur) { |
700 | assert(CurPath.empty()); |
701 | CurPath.push_back(Elt: Cur); |
702 | return findFriendship(Cur, PrivateDepth: 0); |
703 | } |
704 | }; |
705 | } |
706 | |
707 | /// Search for a class P that EC is a friend of, under the constraint |
708 | /// InstanceContext <= P |
709 | /// if InstanceContext exists, or else |
710 | /// NamingClass <= P |
711 | /// and with the additional restriction that a protected member of |
712 | /// NamingClass would have some natural access in P, which implicitly |
713 | /// imposes the constraint that P <= NamingClass. |
714 | /// |
715 | /// This isn't quite the condition laid out in the standard. |
716 | /// Instead of saying that a notional protected member of NamingClass |
717 | /// would have to have some natural access in P, it says the actual |
718 | /// target has to have some natural access in P, which opens up the |
719 | /// possibility that the target (which is not necessarily a member |
720 | /// of NamingClass) might be more accessible along some path not |
721 | /// passing through it. That's really a bad idea, though, because it |
722 | /// introduces two problems: |
723 | /// - Most importantly, it breaks encapsulation because you can |
724 | /// access a forbidden base class's members by directly subclassing |
725 | /// it elsewhere. |
726 | /// - It also makes access substantially harder to compute because it |
727 | /// breaks the hill-climbing algorithm: knowing that the target is |
728 | /// accessible in some base class would no longer let you change |
729 | /// the question solely to whether the base class is accessible, |
730 | /// because the original target might have been more accessible |
731 | /// because of crazy subclassing. |
732 | /// So we don't implement that. |
733 | static AccessResult GetProtectedFriendKind(Sema &S, const EffectiveContext &EC, |
734 | const CXXRecordDecl *InstanceContext, |
735 | const CXXRecordDecl *NamingClass) { |
736 | assert(InstanceContext == nullptr || |
737 | InstanceContext->getCanonicalDecl() == InstanceContext); |
738 | assert(NamingClass->getCanonicalDecl() == NamingClass); |
739 | |
740 | // If we don't have an instance context, our constraints give us |
741 | // that NamingClass <= P <= NamingClass, i.e. P == NamingClass. |
742 | // This is just the usual friendship check. |
743 | if (!InstanceContext) return GetFriendKind(S, EC, Class: NamingClass); |
744 | |
745 | ProtectedFriendContext PRC(S, EC, InstanceContext, NamingClass); |
746 | if (PRC.findFriendship(Cur: InstanceContext)) return AR_accessible; |
747 | if (PRC.EverDependent) return AR_dependent; |
748 | return AR_inaccessible; |
749 | } |
750 | |
751 | static AccessResult HasAccess(Sema &S, |
752 | const EffectiveContext &EC, |
753 | const CXXRecordDecl *NamingClass, |
754 | AccessSpecifier Access, |
755 | const AccessTarget &Target) { |
756 | assert(NamingClass->getCanonicalDecl() == NamingClass && |
757 | "declaration should be canonicalized before being passed here" ); |
758 | |
759 | if (Access == AS_public) return AR_accessible; |
760 | assert(Access == AS_private || Access == AS_protected); |
761 | |
762 | AccessResult OnFailure = AR_inaccessible; |
763 | |
764 | for (EffectiveContext::record_iterator |
765 | I = EC.Records.begin(), E = EC.Records.end(); I != E; ++I) { |
766 | // All the declarations in EC have been canonicalized, so pointer |
767 | // equality from this point on will work fine. |
768 | const CXXRecordDecl *ECRecord = *I; |
769 | |
770 | // [B2] and [M2] |
771 | if (Access == AS_private) { |
772 | if (ECRecord == NamingClass) |
773 | return AR_accessible; |
774 | |
775 | if (EC.isDependent() && MightInstantiateTo(From: ECRecord, To: NamingClass)) |
776 | OnFailure = AR_dependent; |
777 | |
778 | // [B3] and [M3] |
779 | } else { |
780 | assert(Access == AS_protected); |
781 | switch (IsDerivedFromInclusive(Derived: ECRecord, Target: NamingClass)) { |
782 | case AR_accessible: break; |
783 | case AR_inaccessible: continue; |
784 | case AR_dependent: OnFailure = AR_dependent; continue; |
785 | } |
786 | |
787 | // C++ [class.protected]p1: |
788 | // An additional access check beyond those described earlier in |
789 | // [class.access] is applied when a non-static data member or |
790 | // non-static member function is a protected member of its naming |
791 | // class. As described earlier, access to a protected member is |
792 | // granted because the reference occurs in a friend or member of |
793 | // some class C. If the access is to form a pointer to member, |
794 | // the nested-name-specifier shall name C or a class derived from |
795 | // C. All other accesses involve a (possibly implicit) object |
796 | // expression. In this case, the class of the object expression |
797 | // shall be C or a class derived from C. |
798 | // |
799 | // We interpret this as a restriction on [M3]. |
800 | |
801 | // In this part of the code, 'C' is just our context class ECRecord. |
802 | |
803 | // These rules are different if we don't have an instance context. |
804 | if (!Target.hasInstanceContext()) { |
805 | // If it's not an instance member, these restrictions don't apply. |
806 | if (!Target.isInstanceMember()) return AR_accessible; |
807 | |
808 | // If it's an instance member, use the pointer-to-member rule |
809 | // that the naming class has to be derived from the effective |
810 | // context. |
811 | |
812 | // Emulate a MSVC bug where the creation of pointer-to-member |
813 | // to protected member of base class is allowed but only from |
814 | // static member functions. |
815 | if (S.getLangOpts().MSVCCompat && !EC.Functions.empty()) |
816 | if (CXXMethodDecl* MD = dyn_cast<CXXMethodDecl>(Val: EC.Functions.front())) |
817 | if (MD->isStatic()) return AR_accessible; |
818 | |
819 | // Despite the standard's confident wording, there is a case |
820 | // where you can have an instance member that's neither in a |
821 | // pointer-to-member expression nor in a member access: when |
822 | // it names a field in an unevaluated context that can't be an |
823 | // implicit member. Pending clarification, we just apply the |
824 | // same naming-class restriction here. |
825 | // FIXME: we're probably not correctly adding the |
826 | // protected-member restriction when we retroactively convert |
827 | // an expression to being evaluated. |
828 | |
829 | // We know that ECRecord derives from NamingClass. The |
830 | // restriction says to check whether NamingClass derives from |
831 | // ECRecord, but that's not really necessary: two distinct |
832 | // classes can't be recursively derived from each other. So |
833 | // along this path, we just need to check whether the classes |
834 | // are equal. |
835 | if (NamingClass == ECRecord) return AR_accessible; |
836 | |
837 | // Otherwise, this context class tells us nothing; on to the next. |
838 | continue; |
839 | } |
840 | |
841 | assert(Target.isInstanceMember()); |
842 | |
843 | const CXXRecordDecl *InstanceContext = Target.resolveInstanceContext(S); |
844 | if (!InstanceContext) { |
845 | OnFailure = AR_dependent; |
846 | continue; |
847 | } |
848 | |
849 | switch (IsDerivedFromInclusive(Derived: InstanceContext, Target: ECRecord)) { |
850 | case AR_accessible: return AR_accessible; |
851 | case AR_inaccessible: continue; |
852 | case AR_dependent: OnFailure = AR_dependent; continue; |
853 | } |
854 | } |
855 | } |
856 | |
857 | // [M3] and [B3] say that, if the target is protected in N, we grant |
858 | // access if the access occurs in a friend or member of some class P |
859 | // that's a subclass of N and where the target has some natural |
860 | // access in P. The 'member' aspect is easy to handle because P |
861 | // would necessarily be one of the effective-context records, and we |
862 | // address that above. The 'friend' aspect is completely ridiculous |
863 | // to implement because there are no restrictions at all on P |
864 | // *unless* the [class.protected] restriction applies. If it does, |
865 | // however, we should ignore whether the naming class is a friend, |
866 | // and instead rely on whether any potential P is a friend. |
867 | if (Access == AS_protected && Target.isInstanceMember()) { |
868 | // Compute the instance context if possible. |
869 | const CXXRecordDecl *InstanceContext = nullptr; |
870 | if (Target.hasInstanceContext()) { |
871 | InstanceContext = Target.resolveInstanceContext(S); |
872 | if (!InstanceContext) return AR_dependent; |
873 | } |
874 | |
875 | switch (GetProtectedFriendKind(S, EC, InstanceContext, NamingClass)) { |
876 | case AR_accessible: return AR_accessible; |
877 | case AR_inaccessible: return OnFailure; |
878 | case AR_dependent: return AR_dependent; |
879 | } |
880 | llvm_unreachable("impossible friendship kind" ); |
881 | } |
882 | |
883 | switch (GetFriendKind(S, EC, Class: NamingClass)) { |
884 | case AR_accessible: return AR_accessible; |
885 | case AR_inaccessible: return OnFailure; |
886 | case AR_dependent: return AR_dependent; |
887 | } |
888 | |
889 | // Silence bogus warnings |
890 | llvm_unreachable("impossible friendship kind" ); |
891 | } |
892 | |
893 | /// Finds the best path from the naming class to the declaring class, |
894 | /// taking friend declarations into account. |
895 | /// |
896 | /// C++0x [class.access.base]p5: |
897 | /// A member m is accessible at the point R when named in class N if |
898 | /// [M1] m as a member of N is public, or |
899 | /// [M2] m as a member of N is private, and R occurs in a member or |
900 | /// friend of class N, or |
901 | /// [M3] m as a member of N is protected, and R occurs in a member or |
902 | /// friend of class N, or in a member or friend of a class P |
903 | /// derived from N, where m as a member of P is public, private, |
904 | /// or protected, or |
905 | /// [M4] there exists a base class B of N that is accessible at R, and |
906 | /// m is accessible at R when named in class B. |
907 | /// |
908 | /// C++0x [class.access.base]p4: |
909 | /// A base class B of N is accessible at R, if |
910 | /// [B1] an invented public member of B would be a public member of N, or |
911 | /// [B2] R occurs in a member or friend of class N, and an invented public |
912 | /// member of B would be a private or protected member of N, or |
913 | /// [B3] R occurs in a member or friend of a class P derived from N, and an |
914 | /// invented public member of B would be a private or protected member |
915 | /// of P, or |
916 | /// [B4] there exists a class S such that B is a base class of S accessible |
917 | /// at R and S is a base class of N accessible at R. |
918 | /// |
919 | /// Along a single inheritance path we can restate both of these |
920 | /// iteratively: |
921 | /// |
922 | /// First, we note that M1-4 are equivalent to B1-4 if the member is |
923 | /// treated as a notional base of its declaring class with inheritance |
924 | /// access equivalent to the member's access. Therefore we need only |
925 | /// ask whether a class B is accessible from a class N in context R. |
926 | /// |
927 | /// Let B_1 .. B_n be the inheritance path in question (i.e. where |
928 | /// B_1 = N, B_n = B, and for all i, B_{i+1} is a direct base class of |
929 | /// B_i). For i in 1..n, we will calculate ACAB(i), the access to the |
930 | /// closest accessible base in the path: |
931 | /// Access(a, b) = (* access on the base specifier from a to b *) |
932 | /// Merge(a, forbidden) = forbidden |
933 | /// Merge(a, private) = forbidden |
934 | /// Merge(a, b) = min(a,b) |
935 | /// Accessible(c, forbidden) = false |
936 | /// Accessible(c, private) = (R is c) || IsFriend(c, R) |
937 | /// Accessible(c, protected) = (R derived from c) || IsFriend(c, R) |
938 | /// Accessible(c, public) = true |
939 | /// ACAB(n) = public |
940 | /// ACAB(i) = |
941 | /// let AccessToBase = Merge(Access(B_i, B_{i+1}), ACAB(i+1)) in |
942 | /// if Accessible(B_i, AccessToBase) then public else AccessToBase |
943 | /// |
944 | /// B is an accessible base of N at R iff ACAB(1) = public. |
945 | /// |
946 | /// \param FinalAccess the access of the "final step", or AS_public if |
947 | /// there is no final step. |
948 | /// \return null if friendship is dependent |
949 | static CXXBasePath *FindBestPath(Sema &S, |
950 | const EffectiveContext &EC, |
951 | AccessTarget &Target, |
952 | AccessSpecifier FinalAccess, |
953 | CXXBasePaths &Paths) { |
954 | // Derive the paths to the desired base. |
955 | const CXXRecordDecl *Derived = Target.getNamingClass(); |
956 | const CXXRecordDecl *Base = Target.getDeclaringClass(); |
957 | |
958 | // FIXME: fail correctly when there are dependent paths. |
959 | bool isDerived = Derived->isDerivedFrom(Base: const_cast<CXXRecordDecl*>(Base), |
960 | Paths); |
961 | assert(isDerived && "derived class not actually derived from base" ); |
962 | (void) isDerived; |
963 | |
964 | CXXBasePath *BestPath = nullptr; |
965 | |
966 | assert(FinalAccess != AS_none && "forbidden access after declaring class" ); |
967 | |
968 | bool AnyDependent = false; |
969 | |
970 | // Derive the friend-modified access along each path. |
971 | for (CXXBasePaths::paths_iterator PI = Paths.begin(), PE = Paths.end(); |
972 | PI != PE; ++PI) { |
973 | AccessTarget::SavedInstanceContext _ = Target.saveInstanceContext(); |
974 | |
975 | // Walk through the path backwards. |
976 | AccessSpecifier PathAccess = FinalAccess; |
977 | CXXBasePath::iterator I = PI->end(), E = PI->begin(); |
978 | while (I != E) { |
979 | --I; |
980 | |
981 | assert(PathAccess != AS_none); |
982 | |
983 | // If the declaration is a private member of a base class, there |
984 | // is no level of friendship in derived classes that can make it |
985 | // accessible. |
986 | if (PathAccess == AS_private) { |
987 | PathAccess = AS_none; |
988 | break; |
989 | } |
990 | |
991 | const CXXRecordDecl *NC = I->Class->getCanonicalDecl(); |
992 | |
993 | AccessSpecifier BaseAccess = I->Base->getAccessSpecifier(); |
994 | PathAccess = std::max(a: PathAccess, b: BaseAccess); |
995 | |
996 | switch (HasAccess(S, EC, NamingClass: NC, Access: PathAccess, Target)) { |
997 | case AR_inaccessible: break; |
998 | case AR_accessible: |
999 | PathAccess = AS_public; |
1000 | |
1001 | // Future tests are not against members and so do not have |
1002 | // instance context. |
1003 | Target.suppressInstanceContext(); |
1004 | break; |
1005 | case AR_dependent: |
1006 | AnyDependent = true; |
1007 | goto Next; |
1008 | } |
1009 | } |
1010 | |
1011 | // Note that we modify the path's Access field to the |
1012 | // friend-modified access. |
1013 | if (BestPath == nullptr || PathAccess < BestPath->Access) { |
1014 | BestPath = &*PI; |
1015 | BestPath->Access = PathAccess; |
1016 | |
1017 | // Short-circuit if we found a public path. |
1018 | if (BestPath->Access == AS_public) |
1019 | return BestPath; |
1020 | } |
1021 | |
1022 | Next: ; |
1023 | } |
1024 | |
1025 | assert((!BestPath || BestPath->Access != AS_public) && |
1026 | "fell out of loop with public path" ); |
1027 | |
1028 | // We didn't find a public path, but at least one path was subject |
1029 | // to dependent friendship, so delay the check. |
1030 | if (AnyDependent) |
1031 | return nullptr; |
1032 | |
1033 | return BestPath; |
1034 | } |
1035 | |
1036 | /// Given that an entity has protected natural access, check whether |
1037 | /// access might be denied because of the protected member access |
1038 | /// restriction. |
1039 | /// |
1040 | /// \return true if a note was emitted |
1041 | static bool TryDiagnoseProtectedAccess(Sema &S, const EffectiveContext &EC, |
1042 | AccessTarget &Target) { |
1043 | // Only applies to instance accesses. |
1044 | if (!Target.isInstanceMember()) |
1045 | return false; |
1046 | |
1047 | assert(Target.isMemberAccess()); |
1048 | |
1049 | const CXXRecordDecl *NamingClass = Target.getEffectiveNamingClass(); |
1050 | |
1051 | for (EffectiveContext::record_iterator |
1052 | I = EC.Records.begin(), E = EC.Records.end(); I != E; ++I) { |
1053 | const CXXRecordDecl *ECRecord = *I; |
1054 | switch (IsDerivedFromInclusive(Derived: ECRecord, Target: NamingClass)) { |
1055 | case AR_accessible: break; |
1056 | case AR_inaccessible: continue; |
1057 | case AR_dependent: continue; |
1058 | } |
1059 | |
1060 | // The effective context is a subclass of the declaring class. |
1061 | // Check whether the [class.protected] restriction is limiting |
1062 | // access. |
1063 | |
1064 | // To get this exactly right, this might need to be checked more |
1065 | // holistically; it's not necessarily the case that gaining |
1066 | // access here would grant us access overall. |
1067 | |
1068 | NamedDecl *D = Target.getTargetDecl(); |
1069 | |
1070 | // If we don't have an instance context, [class.protected] says the |
1071 | // naming class has to equal the context class. |
1072 | if (!Target.hasInstanceContext()) { |
1073 | // If it does, the restriction doesn't apply. |
1074 | if (NamingClass == ECRecord) continue; |
1075 | |
1076 | // TODO: it would be great to have a fixit here, since this is |
1077 | // such an obvious error. |
1078 | S.Diag(D->getLocation(), diag::note_access_protected_restricted_noobject) |
1079 | << S.Context.getTypeDeclType(ECRecord); |
1080 | return true; |
1081 | } |
1082 | |
1083 | const CXXRecordDecl *InstanceContext = Target.resolveInstanceContext(S); |
1084 | assert(InstanceContext && "diagnosing dependent access" ); |
1085 | |
1086 | switch (IsDerivedFromInclusive(Derived: InstanceContext, Target: ECRecord)) { |
1087 | case AR_accessible: continue; |
1088 | case AR_dependent: continue; |
1089 | case AR_inaccessible: |
1090 | break; |
1091 | } |
1092 | |
1093 | // Okay, the restriction seems to be what's limiting us. |
1094 | |
1095 | // Use a special diagnostic for constructors and destructors. |
1096 | if (isa<CXXConstructorDecl>(Val: D) || isa<CXXDestructorDecl>(Val: D) || |
1097 | (isa<FunctionTemplateDecl>(Val: D) && |
1098 | isa<CXXConstructorDecl>( |
1099 | Val: cast<FunctionTemplateDecl>(Val: D)->getTemplatedDecl()))) { |
1100 | return S.Diag(D->getLocation(), |
1101 | diag::note_access_protected_restricted_ctordtor) |
1102 | << isa<CXXDestructorDecl>(D->getAsFunction()); |
1103 | } |
1104 | |
1105 | // Otherwise, use the generic diagnostic. |
1106 | return S.Diag(D->getLocation(), |
1107 | diag::note_access_protected_restricted_object) |
1108 | << S.Context.getTypeDeclType(ECRecord); |
1109 | } |
1110 | |
1111 | return false; |
1112 | } |
1113 | |
1114 | /// We are unable to access a given declaration due to its direct |
1115 | /// access control; diagnose that. |
1116 | static void diagnoseBadDirectAccess(Sema &S, |
1117 | const EffectiveContext &EC, |
1118 | AccessTarget &entity) { |
1119 | assert(entity.isMemberAccess()); |
1120 | NamedDecl *D = entity.getTargetDecl(); |
1121 | |
1122 | if (D->getAccess() == AS_protected && |
1123 | TryDiagnoseProtectedAccess(S, EC, Target&: entity)) |
1124 | return; |
1125 | |
1126 | // Find an original declaration. |
1127 | while (D->isOutOfLine()) { |
1128 | NamedDecl *PrevDecl = nullptr; |
1129 | if (VarDecl *VD = dyn_cast<VarDecl>(Val: D)) |
1130 | PrevDecl = VD->getPreviousDecl(); |
1131 | else if (FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: D)) |
1132 | PrevDecl = FD->getPreviousDecl(); |
1133 | else if (TypedefNameDecl *TND = dyn_cast<TypedefNameDecl>(Val: D)) |
1134 | PrevDecl = TND->getPreviousDecl(); |
1135 | else if (TagDecl *TD = dyn_cast<TagDecl>(Val: D)) { |
1136 | if (isa<RecordDecl>(Val: D) && cast<RecordDecl>(Val: D)->isInjectedClassName()) |
1137 | break; |
1138 | PrevDecl = TD->getPreviousDecl(); |
1139 | } |
1140 | if (!PrevDecl) break; |
1141 | D = PrevDecl; |
1142 | } |
1143 | |
1144 | CXXRecordDecl *DeclaringClass = FindDeclaringClass(D); |
1145 | Decl *ImmediateChild; |
1146 | if (D->getDeclContext() == DeclaringClass) |
1147 | ImmediateChild = D; |
1148 | else { |
1149 | DeclContext *DC = D->getDeclContext(); |
1150 | while (DC->getParent() != DeclaringClass) |
1151 | DC = DC->getParent(); |
1152 | ImmediateChild = cast<Decl>(Val: DC); |
1153 | } |
1154 | |
1155 | // Check whether there's an AccessSpecDecl preceding this in the |
1156 | // chain of the DeclContext. |
1157 | bool isImplicit = true; |
1158 | for (const auto *I : DeclaringClass->decls()) { |
1159 | if (I == ImmediateChild) break; |
1160 | if (isa<AccessSpecDecl>(I)) { |
1161 | isImplicit = false; |
1162 | break; |
1163 | } |
1164 | } |
1165 | |
1166 | S.Diag(D->getLocation(), diag::note_access_natural) |
1167 | << (unsigned) (D->getAccess() == AS_protected) |
1168 | << isImplicit; |
1169 | } |
1170 | |
1171 | /// Diagnose the path which caused the given declaration or base class |
1172 | /// to become inaccessible. |
1173 | static void DiagnoseAccessPath(Sema &S, |
1174 | const EffectiveContext &EC, |
1175 | AccessTarget &entity) { |
1176 | // Save the instance context to preserve invariants. |
1177 | AccessTarget::SavedInstanceContext _ = entity.saveInstanceContext(); |
1178 | |
1179 | // This basically repeats the main algorithm but keeps some more |
1180 | // information. |
1181 | |
1182 | // The natural access so far. |
1183 | AccessSpecifier accessSoFar = AS_public; |
1184 | |
1185 | // Check whether we have special rights to the declaring class. |
1186 | if (entity.isMemberAccess()) { |
1187 | NamedDecl *D = entity.getTargetDecl(); |
1188 | accessSoFar = D->getAccess(); |
1189 | const CXXRecordDecl *declaringClass = entity.getDeclaringClass(); |
1190 | |
1191 | switch (HasAccess(S, EC, NamingClass: declaringClass, Access: accessSoFar, Target: entity)) { |
1192 | // If the declaration is accessible when named in its declaring |
1193 | // class, then we must be constrained by the path. |
1194 | case AR_accessible: |
1195 | accessSoFar = AS_public; |
1196 | entity.suppressInstanceContext(); |
1197 | break; |
1198 | |
1199 | case AR_inaccessible: |
1200 | if (accessSoFar == AS_private || |
1201 | declaringClass == entity.getEffectiveNamingClass()) |
1202 | return diagnoseBadDirectAccess(S, EC, entity); |
1203 | break; |
1204 | |
1205 | case AR_dependent: |
1206 | llvm_unreachable("cannot diagnose dependent access" ); |
1207 | } |
1208 | } |
1209 | |
1210 | CXXBasePaths paths; |
1211 | CXXBasePath &path = *FindBestPath(S, EC, Target&: entity, FinalAccess: accessSoFar, Paths&: paths); |
1212 | assert(path.Access != AS_public); |
1213 | |
1214 | CXXBasePath::iterator i = path.end(), e = path.begin(); |
1215 | CXXBasePath::iterator constrainingBase = i; |
1216 | while (i != e) { |
1217 | --i; |
1218 | |
1219 | assert(accessSoFar != AS_none && accessSoFar != AS_private); |
1220 | |
1221 | // Is the entity accessible when named in the deriving class, as |
1222 | // modified by the base specifier? |
1223 | const CXXRecordDecl *derivingClass = i->Class->getCanonicalDecl(); |
1224 | const CXXBaseSpecifier *base = i->Base; |
1225 | |
1226 | // If the access to this base is worse than the access we have to |
1227 | // the declaration, remember it. |
1228 | AccessSpecifier baseAccess = base->getAccessSpecifier(); |
1229 | if (baseAccess > accessSoFar) { |
1230 | constrainingBase = i; |
1231 | accessSoFar = baseAccess; |
1232 | } |
1233 | |
1234 | switch (HasAccess(S, EC, NamingClass: derivingClass, Access: accessSoFar, Target: entity)) { |
1235 | case AR_inaccessible: break; |
1236 | case AR_accessible: |
1237 | accessSoFar = AS_public; |
1238 | entity.suppressInstanceContext(); |
1239 | constrainingBase = nullptr; |
1240 | break; |
1241 | case AR_dependent: |
1242 | llvm_unreachable("cannot diagnose dependent access" ); |
1243 | } |
1244 | |
1245 | // If this was private inheritance, but we don't have access to |
1246 | // the deriving class, we're done. |
1247 | if (accessSoFar == AS_private) { |
1248 | assert(baseAccess == AS_private); |
1249 | assert(constrainingBase == i); |
1250 | break; |
1251 | } |
1252 | } |
1253 | |
1254 | // If we don't have a constraining base, the access failure must be |
1255 | // due to the original declaration. |
1256 | if (constrainingBase == path.end()) |
1257 | return diagnoseBadDirectAccess(S, EC, entity); |
1258 | |
1259 | // We're constrained by inheritance, but we want to say |
1260 | // "declared private here" if we're diagnosing a hierarchy |
1261 | // conversion and this is the final step. |
1262 | unsigned diagnostic; |
1263 | if (entity.isMemberAccess() || |
1264 | constrainingBase + 1 != path.end()) { |
1265 | diagnostic = diag::note_access_constrained_by_path; |
1266 | } else { |
1267 | diagnostic = diag::note_access_natural; |
1268 | } |
1269 | |
1270 | const CXXBaseSpecifier *base = constrainingBase->Base; |
1271 | |
1272 | S.Diag(Loc: base->getSourceRange().getBegin(), DiagID: diagnostic) |
1273 | << base->getSourceRange() |
1274 | << (base->getAccessSpecifier() == AS_protected) |
1275 | << (base->getAccessSpecifierAsWritten() == AS_none); |
1276 | |
1277 | if (entity.isMemberAccess()) |
1278 | S.Diag(entity.getTargetDecl()->getLocation(), |
1279 | diag::note_member_declared_at); |
1280 | } |
1281 | |
1282 | static void DiagnoseBadAccess(Sema &S, SourceLocation Loc, |
1283 | const EffectiveContext &EC, |
1284 | AccessTarget &Entity) { |
1285 | const CXXRecordDecl *NamingClass = Entity.getNamingClass(); |
1286 | const CXXRecordDecl *DeclaringClass = Entity.getDeclaringClass(); |
1287 | NamedDecl *D = (Entity.isMemberAccess() ? Entity.getTargetDecl() : nullptr); |
1288 | |
1289 | S.Diag(Loc, Entity.getDiag()) |
1290 | << (Entity.getAccess() == AS_protected) |
1291 | << (D ? D->getDeclName() : DeclarationName()) |
1292 | << S.Context.getTypeDeclType(NamingClass) |
1293 | << S.Context.getTypeDeclType(DeclaringClass); |
1294 | DiagnoseAccessPath(S, EC, entity&: Entity); |
1295 | } |
1296 | |
1297 | /// MSVC has a bug where if during an using declaration name lookup, |
1298 | /// the declaration found is unaccessible (private) and that declaration |
1299 | /// was bring into scope via another using declaration whose target |
1300 | /// declaration is accessible (public) then no error is generated. |
1301 | /// Example: |
1302 | /// class A { |
1303 | /// public: |
1304 | /// int f(); |
1305 | /// }; |
1306 | /// class B : public A { |
1307 | /// private: |
1308 | /// using A::f; |
1309 | /// }; |
1310 | /// class C : public B { |
1311 | /// private: |
1312 | /// using B::f; |
1313 | /// }; |
1314 | /// |
1315 | /// Here, B::f is private so this should fail in Standard C++, but |
1316 | /// because B::f refers to A::f which is public MSVC accepts it. |
1317 | static bool IsMicrosoftUsingDeclarationAccessBug(Sema& S, |
1318 | SourceLocation AccessLoc, |
1319 | AccessTarget &Entity) { |
1320 | if (UsingShadowDecl *Shadow = |
1321 | dyn_cast<UsingShadowDecl>(Entity.getTargetDecl())) |
1322 | if (UsingDecl *UD = dyn_cast<UsingDecl>(Val: Shadow->getIntroducer())) { |
1323 | const NamedDecl *OrigDecl = Entity.getTargetDecl()->getUnderlyingDecl(); |
1324 | if (Entity.getTargetDecl()->getAccess() == AS_private && |
1325 | (OrigDecl->getAccess() == AS_public || |
1326 | OrigDecl->getAccess() == AS_protected)) { |
1327 | S.Diag(AccessLoc, diag::ext_ms_using_declaration_inaccessible) |
1328 | << UD->getQualifiedNameAsString() |
1329 | << OrigDecl->getQualifiedNameAsString(); |
1330 | return true; |
1331 | } |
1332 | } |
1333 | return false; |
1334 | } |
1335 | |
1336 | /// Determines whether the accessed entity is accessible. Public members |
1337 | /// have been weeded out by this point. |
1338 | static AccessResult IsAccessible(Sema &S, |
1339 | const EffectiveContext &EC, |
1340 | AccessTarget &Entity) { |
1341 | // Determine the actual naming class. |
1342 | const CXXRecordDecl *NamingClass = Entity.getEffectiveNamingClass(); |
1343 | |
1344 | AccessSpecifier UnprivilegedAccess = Entity.getAccess(); |
1345 | assert(UnprivilegedAccess != AS_public && "public access not weeded out" ); |
1346 | |
1347 | // Before we try to recalculate access paths, try to white-list |
1348 | // accesses which just trade in on the final step, i.e. accesses |
1349 | // which don't require [M4] or [B4]. These are by far the most |
1350 | // common forms of privileged access. |
1351 | if (UnprivilegedAccess != AS_none) { |
1352 | switch (HasAccess(S, EC, NamingClass, Access: UnprivilegedAccess, Target: Entity)) { |
1353 | case AR_dependent: |
1354 | // This is actually an interesting policy decision. We don't |
1355 | // *have* to delay immediately here: we can do the full access |
1356 | // calculation in the hope that friendship on some intermediate |
1357 | // class will make the declaration accessible non-dependently. |
1358 | // But that's not cheap, and odds are very good (note: assertion |
1359 | // made without data) that the friend declaration will determine |
1360 | // access. |
1361 | return AR_dependent; |
1362 | |
1363 | case AR_accessible: return AR_accessible; |
1364 | case AR_inaccessible: break; |
1365 | } |
1366 | } |
1367 | |
1368 | AccessTarget::SavedInstanceContext _ = Entity.saveInstanceContext(); |
1369 | |
1370 | // We lower member accesses to base accesses by pretending that the |
1371 | // member is a base class of its declaring class. |
1372 | AccessSpecifier FinalAccess; |
1373 | |
1374 | if (Entity.isMemberAccess()) { |
1375 | // Determine if the declaration is accessible from EC when named |
1376 | // in its declaring class. |
1377 | NamedDecl *Target = Entity.getTargetDecl(); |
1378 | const CXXRecordDecl *DeclaringClass = Entity.getDeclaringClass(); |
1379 | |
1380 | FinalAccess = Target->getAccess(); |
1381 | switch (HasAccess(S, EC, NamingClass: DeclaringClass, Access: FinalAccess, Target: Entity)) { |
1382 | case AR_accessible: |
1383 | // Target is accessible at EC when named in its declaring class. |
1384 | // We can now hill-climb and simply check whether the declaring |
1385 | // class is accessible as a base of the naming class. This is |
1386 | // equivalent to checking the access of a notional public |
1387 | // member with no instance context. |
1388 | FinalAccess = AS_public; |
1389 | Entity.suppressInstanceContext(); |
1390 | break; |
1391 | case AR_inaccessible: break; |
1392 | case AR_dependent: return AR_dependent; // see above |
1393 | } |
1394 | |
1395 | if (DeclaringClass == NamingClass) |
1396 | return (FinalAccess == AS_public ? AR_accessible : AR_inaccessible); |
1397 | } else { |
1398 | FinalAccess = AS_public; |
1399 | } |
1400 | |
1401 | assert(Entity.getDeclaringClass() != NamingClass); |
1402 | |
1403 | // Append the declaration's access if applicable. |
1404 | CXXBasePaths Paths; |
1405 | CXXBasePath *Path = FindBestPath(S, EC, Target&: Entity, FinalAccess, Paths); |
1406 | if (!Path) |
1407 | return AR_dependent; |
1408 | |
1409 | assert(Path->Access <= UnprivilegedAccess && |
1410 | "access along best path worse than direct?" ); |
1411 | if (Path->Access == AS_public) |
1412 | return AR_accessible; |
1413 | return AR_inaccessible; |
1414 | } |
1415 | |
1416 | static void DelayDependentAccess(Sema &S, |
1417 | const EffectiveContext &EC, |
1418 | SourceLocation Loc, |
1419 | const AccessTarget &Entity) { |
1420 | assert(EC.isDependent() && "delaying non-dependent access" ); |
1421 | DeclContext *DC = EC.getInnerContext(); |
1422 | assert(DC->isDependentContext() && "delaying non-dependent access" ); |
1423 | DependentDiagnostic::Create(S.Context, DC, DependentDiagnostic::Access, |
1424 | Loc, |
1425 | Entity.isMemberAccess(), |
1426 | Entity.getAccess(), |
1427 | Entity.getTargetDecl(), |
1428 | Entity.getNamingClass(), |
1429 | Entity.getBaseObjectType(), |
1430 | Entity.getDiag()); |
1431 | } |
1432 | |
1433 | /// Checks access to an entity from the given effective context. |
1434 | static AccessResult CheckEffectiveAccess(Sema &S, |
1435 | const EffectiveContext &EC, |
1436 | SourceLocation Loc, |
1437 | AccessTarget &Entity) { |
1438 | assert(Entity.getAccess() != AS_public && "called for public access!" ); |
1439 | |
1440 | switch (IsAccessible(S, EC, Entity)) { |
1441 | case AR_dependent: |
1442 | DelayDependentAccess(S, EC, Loc, Entity); |
1443 | return AR_dependent; |
1444 | |
1445 | case AR_inaccessible: |
1446 | if (S.getLangOpts().MSVCCompat && |
1447 | IsMicrosoftUsingDeclarationAccessBug(S, AccessLoc: Loc, Entity)) |
1448 | return AR_accessible; |
1449 | if (!Entity.isQuiet()) |
1450 | DiagnoseBadAccess(S, Loc, EC, Entity); |
1451 | return AR_inaccessible; |
1452 | |
1453 | case AR_accessible: |
1454 | return AR_accessible; |
1455 | } |
1456 | |
1457 | // silence unnecessary warning |
1458 | llvm_unreachable("invalid access result" ); |
1459 | } |
1460 | |
1461 | static Sema::AccessResult CheckAccess(Sema &S, SourceLocation Loc, |
1462 | AccessTarget &Entity) { |
1463 | // If the access path is public, it's accessible everywhere. |
1464 | if (Entity.getAccess() == AS_public) |
1465 | return Sema::AR_accessible; |
1466 | |
1467 | // If we're currently parsing a declaration, we may need to delay |
1468 | // access control checking, because our effective context might be |
1469 | // different based on what the declaration comes out as. |
1470 | // |
1471 | // For example, we might be parsing a declaration with a scope |
1472 | // specifier, like this: |
1473 | // A::private_type A::foo() { ... } |
1474 | // |
1475 | // Or we might be parsing something that will turn out to be a friend: |
1476 | // void foo(A::private_type); |
1477 | // void B::foo(A::private_type); |
1478 | if (S.DelayedDiagnostics.shouldDelayDiagnostics()) { |
1479 | S.DelayedDiagnostics.add(diag: DelayedDiagnostic::makeAccess(Loc, Entity)); |
1480 | return Sema::AR_delayed; |
1481 | } |
1482 | |
1483 | EffectiveContext EC(S.CurContext); |
1484 | switch (CheckEffectiveAccess(S, EC, Loc, Entity)) { |
1485 | case AR_accessible: return Sema::AR_accessible; |
1486 | case AR_inaccessible: return Sema::AR_inaccessible; |
1487 | case AR_dependent: return Sema::AR_dependent; |
1488 | } |
1489 | llvm_unreachable("invalid access result" ); |
1490 | } |
1491 | |
1492 | void Sema::HandleDelayedAccessCheck(DelayedDiagnostic &DD, Decl *D) { |
1493 | // Access control for names used in the declarations of functions |
1494 | // and function templates should normally be evaluated in the context |
1495 | // of the declaration, just in case it's a friend of something. |
1496 | // However, this does not apply to local extern declarations. |
1497 | |
1498 | DeclContext *DC = D->getDeclContext(); |
1499 | if (D->isLocalExternDecl()) { |
1500 | DC = D->getLexicalDeclContext(); |
1501 | } else if (FunctionDecl *FN = dyn_cast<FunctionDecl>(Val: D)) { |
1502 | DC = FN; |
1503 | } else if (TemplateDecl *TD = dyn_cast<TemplateDecl>(Val: D)) { |
1504 | if (isa<DeclContext>(Val: TD->getTemplatedDecl())) |
1505 | DC = cast<DeclContext>(Val: TD->getTemplatedDecl()); |
1506 | } else if (auto *RD = dyn_cast<RequiresExprBodyDecl>(Val: D)) { |
1507 | DC = RD; |
1508 | } |
1509 | |
1510 | EffectiveContext EC(DC); |
1511 | |
1512 | AccessTarget Target(DD.getAccessData()); |
1513 | |
1514 | if (CheckEffectiveAccess(S&: *this, EC, Loc: DD.Loc, Entity&: Target) == ::AR_inaccessible) |
1515 | DD.Triggered = true; |
1516 | } |
1517 | |
1518 | void Sema::HandleDependentAccessCheck(const DependentDiagnostic &DD, |
1519 | const MultiLevelTemplateArgumentList &TemplateArgs) { |
1520 | SourceLocation Loc = DD.getAccessLoc(); |
1521 | AccessSpecifier Access = DD.getAccess(); |
1522 | |
1523 | Decl *NamingD = FindInstantiatedDecl(Loc, D: DD.getAccessNamingClass(), |
1524 | TemplateArgs); |
1525 | if (!NamingD) return; |
1526 | Decl *TargetD = FindInstantiatedDecl(Loc, D: DD.getAccessTarget(), |
1527 | TemplateArgs); |
1528 | if (!TargetD) return; |
1529 | |
1530 | if (DD.isAccessToMember()) { |
1531 | CXXRecordDecl *NamingClass = cast<CXXRecordDecl>(Val: NamingD); |
1532 | NamedDecl *TargetDecl = cast<NamedDecl>(Val: TargetD); |
1533 | QualType BaseObjectType = DD.getAccessBaseObjectType(); |
1534 | if (!BaseObjectType.isNull()) { |
1535 | BaseObjectType = SubstType(T: BaseObjectType, TemplateArgs, Loc, |
1536 | Entity: DeclarationName()); |
1537 | if (BaseObjectType.isNull()) return; |
1538 | } |
1539 | |
1540 | AccessTarget Entity(Context, |
1541 | AccessTarget::Member, |
1542 | NamingClass, |
1543 | DeclAccessPair::make(D: TargetDecl, AS: Access), |
1544 | BaseObjectType); |
1545 | Entity.setDiag(DD.getDiagnostic()); |
1546 | CheckAccess(S&: *this, Loc, Entity); |
1547 | } else { |
1548 | AccessTarget Entity(Context, |
1549 | AccessTarget::Base, |
1550 | cast<CXXRecordDecl>(Val: TargetD), |
1551 | cast<CXXRecordDecl>(Val: NamingD), |
1552 | Access); |
1553 | Entity.setDiag(DD.getDiagnostic()); |
1554 | CheckAccess(S&: *this, Loc, Entity); |
1555 | } |
1556 | } |
1557 | |
1558 | Sema::AccessResult Sema::CheckUnresolvedLookupAccess(UnresolvedLookupExpr *E, |
1559 | DeclAccessPair Found) { |
1560 | if (!getLangOpts().AccessControl || |
1561 | !E->getNamingClass() || |
1562 | Found.getAccess() == AS_public) |
1563 | return AR_accessible; |
1564 | |
1565 | AccessTarget Entity(Context, AccessTarget::Member, E->getNamingClass(), |
1566 | Found, QualType()); |
1567 | Entity.setDiag(diag::err_access) << E->getSourceRange(); |
1568 | |
1569 | return CheckAccess(*this, E->getNameLoc(), Entity); |
1570 | } |
1571 | |
1572 | /// Perform access-control checking on a previously-unresolved member |
1573 | /// access which has now been resolved to a member. |
1574 | Sema::AccessResult Sema::CheckUnresolvedMemberAccess(UnresolvedMemberExpr *E, |
1575 | DeclAccessPair Found) { |
1576 | if (!getLangOpts().AccessControl || |
1577 | Found.getAccess() == AS_public) |
1578 | return AR_accessible; |
1579 | |
1580 | QualType BaseType = E->getBaseType(); |
1581 | if (E->isArrow()) |
1582 | BaseType = BaseType->castAs<PointerType>()->getPointeeType(); |
1583 | |
1584 | AccessTarget Entity(Context, AccessTarget::Member, E->getNamingClass(), |
1585 | Found, BaseType); |
1586 | Entity.setDiag(diag::err_access) << E->getSourceRange(); |
1587 | |
1588 | return CheckAccess(S&: *this, Loc: E->getMemberLoc(), Entity); |
1589 | } |
1590 | |
1591 | /// Is the given member accessible for the purposes of deciding whether to |
1592 | /// define a special member function as deleted? |
1593 | bool Sema::isMemberAccessibleForDeletion(CXXRecordDecl *NamingClass, |
1594 | DeclAccessPair Found, |
1595 | QualType ObjectType, |
1596 | SourceLocation Loc, |
1597 | const PartialDiagnostic &Diag) { |
1598 | // Fast path. |
1599 | if (Found.getAccess() == AS_public || !getLangOpts().AccessControl) |
1600 | return true; |
1601 | |
1602 | AccessTarget Entity(Context, AccessTarget::Member, NamingClass, Found, |
1603 | ObjectType); |
1604 | |
1605 | // Suppress diagnostics. |
1606 | Entity.setDiag(Diag); |
1607 | |
1608 | switch (CheckAccess(S&: *this, Loc, Entity)) { |
1609 | case AR_accessible: return true; |
1610 | case AR_inaccessible: return false; |
1611 | case AR_dependent: llvm_unreachable("dependent for =delete computation" ); |
1612 | case AR_delayed: llvm_unreachable("cannot delay =delete computation" ); |
1613 | } |
1614 | llvm_unreachable("bad access result" ); |
1615 | } |
1616 | |
1617 | Sema::AccessResult Sema::CheckDestructorAccess(SourceLocation Loc, |
1618 | CXXDestructorDecl *Dtor, |
1619 | const PartialDiagnostic &PDiag, |
1620 | QualType ObjectTy) { |
1621 | if (!getLangOpts().AccessControl) |
1622 | return AR_accessible; |
1623 | |
1624 | // There's never a path involved when checking implicit destructor access. |
1625 | AccessSpecifier Access = Dtor->getAccess(); |
1626 | if (Access == AS_public) |
1627 | return AR_accessible; |
1628 | |
1629 | CXXRecordDecl *NamingClass = Dtor->getParent(); |
1630 | if (ObjectTy.isNull()) ObjectTy = Context.getTypeDeclType(NamingClass); |
1631 | |
1632 | AccessTarget Entity(Context, AccessTarget::Member, NamingClass, |
1633 | DeclAccessPair::make(Dtor, Access), |
1634 | ObjectTy); |
1635 | Entity.setDiag(PDiag); // TODO: avoid copy |
1636 | |
1637 | return CheckAccess(S&: *this, Loc, Entity); |
1638 | } |
1639 | |
1640 | /// Checks access to a constructor. |
1641 | Sema::AccessResult Sema::CheckConstructorAccess(SourceLocation UseLoc, |
1642 | CXXConstructorDecl *Constructor, |
1643 | DeclAccessPair Found, |
1644 | const InitializedEntity &Entity, |
1645 | bool IsCopyBindingRefToTemp) { |
1646 | if (!getLangOpts().AccessControl || Found.getAccess() == AS_public) |
1647 | return AR_accessible; |
1648 | |
1649 | PartialDiagnostic PD(PDiag()); |
1650 | switch (Entity.getKind()) { |
1651 | default: |
1652 | PD = PDiag(IsCopyBindingRefToTemp |
1653 | ? diag::ext_rvalue_to_reference_access_ctor |
1654 | : diag::err_access_ctor); |
1655 | |
1656 | break; |
1657 | |
1658 | case InitializedEntity::EK_Base: |
1659 | PD = PDiag(diag::err_access_base_ctor); |
1660 | PD << Entity.isInheritedVirtualBase() |
1661 | << Entity.getBaseSpecifier()->getType() << getSpecialMember(Constructor); |
1662 | break; |
1663 | |
1664 | case InitializedEntity::EK_Member: |
1665 | case InitializedEntity::EK_ParenAggInitMember: { |
1666 | const FieldDecl *Field = cast<FieldDecl>(Val: Entity.getDecl()); |
1667 | PD = PDiag(diag::err_access_field_ctor); |
1668 | PD << Field->getType() << getSpecialMember(Constructor); |
1669 | break; |
1670 | } |
1671 | |
1672 | case InitializedEntity::EK_LambdaCapture: { |
1673 | StringRef VarName = Entity.getCapturedVarName(); |
1674 | PD = PDiag(diag::err_access_lambda_capture); |
1675 | PD << VarName << Entity.getType() << getSpecialMember(Constructor); |
1676 | break; |
1677 | } |
1678 | |
1679 | } |
1680 | |
1681 | return CheckConstructorAccess(Loc: UseLoc, D: Constructor, FoundDecl: Found, Entity, PDiag: PD); |
1682 | } |
1683 | |
1684 | /// Checks access to a constructor. |
1685 | Sema::AccessResult Sema::CheckConstructorAccess(SourceLocation UseLoc, |
1686 | CXXConstructorDecl *Constructor, |
1687 | DeclAccessPair Found, |
1688 | const InitializedEntity &Entity, |
1689 | const PartialDiagnostic &PD) { |
1690 | if (!getLangOpts().AccessControl || |
1691 | Found.getAccess() == AS_public) |
1692 | return AR_accessible; |
1693 | |
1694 | CXXRecordDecl *NamingClass = Constructor->getParent(); |
1695 | |
1696 | // Initializing a base sub-object is an instance method call on an |
1697 | // object of the derived class. Otherwise, we have an instance method |
1698 | // call on an object of the constructed type. |
1699 | // |
1700 | // FIXME: If we have a parent, we're initializing the base class subobject |
1701 | // in aggregate initialization. It's not clear whether the object class |
1702 | // should be the base class or the derived class in that case. |
1703 | CXXRecordDecl *ObjectClass; |
1704 | if ((Entity.getKind() == InitializedEntity::EK_Base || |
1705 | Entity.getKind() == InitializedEntity::EK_Delegating) && |
1706 | !Entity.getParent()) { |
1707 | ObjectClass = cast<CXXConstructorDecl>(Val: CurContext)->getParent(); |
1708 | } else if (auto *Shadow = |
1709 | dyn_cast<ConstructorUsingShadowDecl>(Val: Found.getDecl())) { |
1710 | // If we're using an inheriting constructor to construct an object, |
1711 | // the object class is the derived class, not the base class. |
1712 | ObjectClass = Shadow->getParent(); |
1713 | } else { |
1714 | ObjectClass = NamingClass; |
1715 | } |
1716 | |
1717 | AccessTarget AccessEntity( |
1718 | Context, AccessTarget::Member, NamingClass, |
1719 | DeclAccessPair::make(Constructor, Found.getAccess()), |
1720 | Context.getTypeDeclType(ObjectClass)); |
1721 | AccessEntity.setDiag(PD); |
1722 | |
1723 | return CheckAccess(S&: *this, Loc: UseLoc, Entity&: AccessEntity); |
1724 | } |
1725 | |
1726 | /// Checks access to an overloaded operator new or delete. |
1727 | Sema::AccessResult Sema::CheckAllocationAccess(SourceLocation OpLoc, |
1728 | SourceRange PlacementRange, |
1729 | CXXRecordDecl *NamingClass, |
1730 | DeclAccessPair Found, |
1731 | bool Diagnose) { |
1732 | if (!getLangOpts().AccessControl || |
1733 | !NamingClass || |
1734 | Found.getAccess() == AS_public) |
1735 | return AR_accessible; |
1736 | |
1737 | AccessTarget Entity(Context, AccessTarget::Member, NamingClass, Found, |
1738 | QualType()); |
1739 | if (Diagnose) |
1740 | Entity.setDiag(diag::err_access) |
1741 | << PlacementRange; |
1742 | |
1743 | return CheckAccess(S&: *this, Loc: OpLoc, Entity); |
1744 | } |
1745 | |
1746 | /// Checks access to a member. |
1747 | Sema::AccessResult Sema::CheckMemberAccess(SourceLocation UseLoc, |
1748 | CXXRecordDecl *NamingClass, |
1749 | DeclAccessPair Found) { |
1750 | if (!getLangOpts().AccessControl || |
1751 | !NamingClass || |
1752 | Found.getAccess() == AS_public) |
1753 | return AR_accessible; |
1754 | |
1755 | AccessTarget Entity(Context, AccessTarget::Member, NamingClass, |
1756 | Found, QualType()); |
1757 | |
1758 | return CheckAccess(S&: *this, Loc: UseLoc, Entity); |
1759 | } |
1760 | |
1761 | /// Checks implicit access to a member in a structured binding. |
1762 | Sema::AccessResult |
1763 | Sema::CheckStructuredBindingMemberAccess(SourceLocation UseLoc, |
1764 | CXXRecordDecl *DecomposedClass, |
1765 | DeclAccessPair Field) { |
1766 | if (!getLangOpts().AccessControl || |
1767 | Field.getAccess() == AS_public) |
1768 | return AR_accessible; |
1769 | |
1770 | AccessTarget Entity(Context, AccessTarget::Member, DecomposedClass, Field, |
1771 | Context.getRecordType(DecomposedClass)); |
1772 | Entity.setDiag(diag::err_decomp_decl_inaccessible_field); |
1773 | |
1774 | return CheckAccess(S&: *this, Loc: UseLoc, Entity); |
1775 | } |
1776 | |
1777 | Sema::AccessResult Sema::CheckMemberOperatorAccess(SourceLocation OpLoc, |
1778 | Expr *ObjectExpr, |
1779 | const SourceRange &Range, |
1780 | DeclAccessPair Found) { |
1781 | if (!getLangOpts().AccessControl || Found.getAccess() == AS_public) |
1782 | return AR_accessible; |
1783 | |
1784 | const RecordType *RT = ObjectExpr->getType()->castAs<RecordType>(); |
1785 | CXXRecordDecl *NamingClass = cast<CXXRecordDecl>(Val: RT->getDecl()); |
1786 | |
1787 | AccessTarget Entity(Context, AccessTarget::Member, NamingClass, Found, |
1788 | ObjectExpr->getType()); |
1789 | Entity.setDiag(diag::err_access) << ObjectExpr->getSourceRange() << Range; |
1790 | |
1791 | return CheckAccess(S&: *this, Loc: OpLoc, Entity); |
1792 | } |
1793 | |
1794 | /// Checks access to an overloaded member operator, including |
1795 | /// conversion operators. |
1796 | Sema::AccessResult Sema::CheckMemberOperatorAccess(SourceLocation OpLoc, |
1797 | Expr *ObjectExpr, |
1798 | Expr *ArgExpr, |
1799 | DeclAccessPair Found) { |
1800 | return CheckMemberOperatorAccess( |
1801 | OpLoc, ObjectExpr, ArgExpr ? ArgExpr->getSourceRange() : SourceRange(), |
1802 | Found); |
1803 | } |
1804 | |
1805 | Sema::AccessResult Sema::CheckMemberOperatorAccess(SourceLocation OpLoc, |
1806 | Expr *ObjectExpr, |
1807 | ArrayRef<Expr *> ArgExprs, |
1808 | DeclAccessPair FoundDecl) { |
1809 | SourceRange R; |
1810 | if (!ArgExprs.empty()) { |
1811 | R = SourceRange(ArgExprs.front()->getBeginLoc(), |
1812 | ArgExprs.back()->getEndLoc()); |
1813 | } |
1814 | |
1815 | return CheckMemberOperatorAccess(OpLoc, ObjectExpr, Range: R, Found: FoundDecl); |
1816 | } |
1817 | |
1818 | /// Checks access to the target of a friend declaration. |
1819 | Sema::AccessResult Sema::CheckFriendAccess(NamedDecl *target) { |
1820 | assert(isa<CXXMethodDecl>(target->getAsFunction())); |
1821 | |
1822 | // Friendship lookup is a redeclaration lookup, so there's never an |
1823 | // inheritance path modifying access. |
1824 | AccessSpecifier access = target->getAccess(); |
1825 | |
1826 | if (!getLangOpts().AccessControl || access == AS_public) |
1827 | return AR_accessible; |
1828 | |
1829 | CXXMethodDecl *method = cast<CXXMethodDecl>(target->getAsFunction()); |
1830 | |
1831 | AccessTarget entity(Context, AccessTarget::Member, |
1832 | cast<CXXRecordDecl>(target->getDeclContext()), |
1833 | DeclAccessPair::make(D: target, AS: access), |
1834 | /*no instance context*/ QualType()); |
1835 | entity.setDiag(diag::err_access_friend_function) |
1836 | << (method->getQualifier() ? method->getQualifierLoc().getSourceRange() |
1837 | : method->getNameInfo().getSourceRange()); |
1838 | |
1839 | // We need to bypass delayed-diagnostics because we might be called |
1840 | // while the ParsingDeclarator is active. |
1841 | EffectiveContext EC(CurContext); |
1842 | switch (CheckEffectiveAccess(*this, EC, target->getLocation(), entity)) { |
1843 | case ::AR_accessible: return Sema::AR_accessible; |
1844 | case ::AR_inaccessible: return Sema::AR_inaccessible; |
1845 | case ::AR_dependent: return Sema::AR_dependent; |
1846 | } |
1847 | llvm_unreachable("invalid access result" ); |
1848 | } |
1849 | |
1850 | Sema::AccessResult Sema::CheckAddressOfMemberAccess(Expr *OvlExpr, |
1851 | DeclAccessPair Found) { |
1852 | if (!getLangOpts().AccessControl || |
1853 | Found.getAccess() == AS_none || |
1854 | Found.getAccess() == AS_public) |
1855 | return AR_accessible; |
1856 | |
1857 | OverloadExpr *Ovl = OverloadExpr::find(E: OvlExpr).Expression; |
1858 | CXXRecordDecl *NamingClass = Ovl->getNamingClass(); |
1859 | |
1860 | AccessTarget Entity(Context, AccessTarget::Member, NamingClass, Found, |
1861 | /*no instance context*/ QualType()); |
1862 | Entity.setDiag(diag::err_access) |
1863 | << Ovl->getSourceRange(); |
1864 | |
1865 | return CheckAccess(S&: *this, Loc: Ovl->getNameLoc(), Entity); |
1866 | } |
1867 | |
1868 | /// Checks access for a hierarchy conversion. |
1869 | /// |
1870 | /// \param ForceCheck true if this check should be performed even if access |
1871 | /// control is disabled; some things rely on this for semantics |
1872 | /// \param ForceUnprivileged true if this check should proceed as if the |
1873 | /// context had no special privileges |
1874 | Sema::AccessResult Sema::CheckBaseClassAccess(SourceLocation AccessLoc, |
1875 | QualType Base, |
1876 | QualType Derived, |
1877 | const CXXBasePath &Path, |
1878 | unsigned DiagID, |
1879 | bool ForceCheck, |
1880 | bool ForceUnprivileged) { |
1881 | if (!ForceCheck && !getLangOpts().AccessControl) |
1882 | return AR_accessible; |
1883 | |
1884 | if (Path.Access == AS_public) |
1885 | return AR_accessible; |
1886 | |
1887 | CXXRecordDecl *BaseD, *DerivedD; |
1888 | BaseD = cast<CXXRecordDecl>(Val: Base->castAs<RecordType>()->getDecl()); |
1889 | DerivedD = cast<CXXRecordDecl>(Val: Derived->castAs<RecordType>()->getDecl()); |
1890 | |
1891 | AccessTarget Entity(Context, AccessTarget::Base, BaseD, DerivedD, |
1892 | Path.Access); |
1893 | if (DiagID) |
1894 | Entity.setDiag(DiagID) << Derived << Base; |
1895 | |
1896 | if (ForceUnprivileged) { |
1897 | switch (CheckEffectiveAccess(S&: *this, EC: EffectiveContext(), |
1898 | Loc: AccessLoc, Entity)) { |
1899 | case ::AR_accessible: return Sema::AR_accessible; |
1900 | case ::AR_inaccessible: return Sema::AR_inaccessible; |
1901 | case ::AR_dependent: return Sema::AR_dependent; |
1902 | } |
1903 | llvm_unreachable("unexpected result from CheckEffectiveAccess" ); |
1904 | } |
1905 | return CheckAccess(S&: *this, Loc: AccessLoc, Entity); |
1906 | } |
1907 | |
1908 | /// Checks access to all the declarations in the given result set. |
1909 | void Sema::CheckLookupAccess(const LookupResult &R) { |
1910 | assert(getLangOpts().AccessControl |
1911 | && "performing access check without access control" ); |
1912 | assert(R.getNamingClass() && "performing access check without naming class" ); |
1913 | |
1914 | for (LookupResult::iterator I = R.begin(), E = R.end(); I != E; ++I) { |
1915 | if (I.getAccess() != AS_public) { |
1916 | AccessTarget Entity(Context, AccessedEntity::Member, |
1917 | R.getNamingClass(), I.getPair(), |
1918 | R.getBaseObjectType()); |
1919 | Entity.setDiag(diag::err_access); |
1920 | CheckAccess(S&: *this, Loc: R.getNameLoc(), Entity); |
1921 | } |
1922 | } |
1923 | } |
1924 | |
1925 | /// Checks access to Target from the given class. The check will take access |
1926 | /// specifiers into account, but no member access expressions and such. |
1927 | /// |
1928 | /// \param Target the declaration to check if it can be accessed |
1929 | /// \param NamingClass the class in which the lookup was started. |
1930 | /// \param BaseType type of the left side of member access expression. |
1931 | /// \p BaseType and \p NamingClass are used for C++ access control. |
1932 | /// Depending on the lookup case, they should be set to the following: |
1933 | /// - lhs.target (member access without a qualifier): |
1934 | /// \p BaseType and \p NamingClass are both the type of 'lhs'. |
1935 | /// - lhs.X::target (member access with a qualifier): |
1936 | /// BaseType is the type of 'lhs', NamingClass is 'X' |
1937 | /// - X::target (qualified lookup without member access): |
1938 | /// BaseType is null, NamingClass is 'X'. |
1939 | /// - target (unqualified lookup). |
1940 | /// BaseType is null, NamingClass is the parent class of 'target'. |
1941 | /// \return true if the Target is accessible from the Class, false otherwise. |
1942 | bool Sema::IsSimplyAccessible(NamedDecl *Target, CXXRecordDecl *NamingClass, |
1943 | QualType BaseType) { |
1944 | // Perform the C++ accessibility checks first. |
1945 | if (Target->isCXXClassMember() && NamingClass) { |
1946 | if (!getLangOpts().CPlusPlus) |
1947 | return false; |
1948 | // The unprivileged access is AS_none as we don't know how the member was |
1949 | // accessed, which is described by the access in DeclAccessPair. |
1950 | // `IsAccessible` will examine the actual access of Target (i.e. |
1951 | // Decl->getAccess()) when calculating the access. |
1952 | AccessTarget Entity(Context, AccessedEntity::Member, NamingClass, |
1953 | DeclAccessPair::make(D: Target, AS: AS_none), BaseType); |
1954 | EffectiveContext EC(CurContext); |
1955 | return ::IsAccessible(S&: *this, EC, Entity) != ::AR_inaccessible; |
1956 | } |
1957 | |
1958 | if (ObjCIvarDecl *Ivar = dyn_cast<ObjCIvarDecl>(Val: Target)) { |
1959 | // @public and @package ivars are always accessible. |
1960 | if (Ivar->getCanonicalAccessControl() == ObjCIvarDecl::Public || |
1961 | Ivar->getCanonicalAccessControl() == ObjCIvarDecl::Package) |
1962 | return true; |
1963 | |
1964 | // If we are inside a class or category implementation, determine the |
1965 | // interface we're in. |
1966 | ObjCInterfaceDecl *ClassOfMethodDecl = nullptr; |
1967 | if (ObjCMethodDecl *MD = getCurMethodDecl()) |
1968 | ClassOfMethodDecl = MD->getClassInterface(); |
1969 | else if (FunctionDecl *FD = getCurFunctionDecl()) { |
1970 | if (ObjCImplDecl *Impl |
1971 | = dyn_cast<ObjCImplDecl>(FD->getLexicalDeclContext())) { |
1972 | if (ObjCImplementationDecl *IMPD |
1973 | = dyn_cast<ObjCImplementationDecl>(Val: Impl)) |
1974 | ClassOfMethodDecl = IMPD->getClassInterface(); |
1975 | else if (ObjCCategoryImplDecl* CatImplClass |
1976 | = dyn_cast<ObjCCategoryImplDecl>(Val: Impl)) |
1977 | ClassOfMethodDecl = CatImplClass->getClassInterface(); |
1978 | } |
1979 | } |
1980 | |
1981 | // If we're not in an interface, this ivar is inaccessible. |
1982 | if (!ClassOfMethodDecl) |
1983 | return false; |
1984 | |
1985 | // If we're inside the same interface that owns the ivar, we're fine. |
1986 | if (declaresSameEntity(ClassOfMethodDecl, Ivar->getContainingInterface())) |
1987 | return true; |
1988 | |
1989 | // If the ivar is private, it's inaccessible. |
1990 | if (Ivar->getCanonicalAccessControl() == ObjCIvarDecl::Private) |
1991 | return false; |
1992 | |
1993 | return Ivar->getContainingInterface()->isSuperClassOf(I: ClassOfMethodDecl); |
1994 | } |
1995 | |
1996 | return true; |
1997 | } |
1998 | |