| blob | 80b0bf825efcbdc0255f2abface89062c00a3d2e |
1 /* Copyright (C) 2016-2019 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
9 version.
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 for more details.
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
90 /* The likely worst case value of MB_LEN_MAX for the target, large enough
91 for UTF-8. Ideally, this would be obtained by a target hook if it were
92 to be used for optimization but it's good enough as is for warnings. */
93 #define target_mb_len_max() 6
95 /* The maximum number of bytes a single non-string directive can result
96 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for
97 LDBL_MAX_10_EXP of 4932. */
98 #define IEEE_MAX_10_EXP 4932
99 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2)
113 };
115 /* Set to the warning level for the current function which is equal
116 either to warn_format_trunc for bounded functions or to
117 warn_format_overflow otherwise. */
124 {
138 };
141 {
148 { }
157 {
160 }
162 };
164 bool
166 {
167 /* Run the pass iff -Warn-format-overflow or -Warn-format-truncation
168 is specified and either not optimizing and the pass is being invoked
169 early, or when optimizing and the pass is being invoked during
170 optimization (i.e., "late"). */
175 }
177 /* The minimum, maximum, likely, and unlikely maximum number of bytes
178 of output either a formatting function or an individual directive
179 can result in. */
181 struct result_range
182 {
183 /* The absolute minimum number of bytes. The result of a successful
184 conversion is guaranteed to be no less than this. (An erroneous
185 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */
187 /* The likely maximum result that is used in diagnostics. In most
188 cases MAX is the same as the worst case UNLIKELY result. */
190 /* The likely result used to trigger diagnostics. For conversions
191 that result in a range of bytes [MIN, MAX], LIKELY is somewhere
192 in that range. */
194 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives
195 the worst cases maximum result of a directive. In most cases
196 UNLIKELY == MAX. UNLIKELY is used to control the return value
197 optimization but not in diagnostics. */
199 };
201 /* The result of a call to a formatted function. */
203 struct format_result
204 {
205 /* Range of characters written by the formatted function.
206 Setting the minimum to HOST_WIDE_INT_MAX disables all
207 length tracking for the remainder of the format string. */
208 result_range range;
210 /* True when the range above is obtained from known values of
211 directive arguments, or bounds on the amount of output such
212 as width and precision, and not the result of heuristics that
213 depend on warning levels. It's used to issue stricter diagnostics
214 in cases where strings of unknown lengths are bounded by the arrays
215 they are determined to refer to. KNOWNRANGE must not be used for
216 the return value optimization. */
219 /* True if no individual directive could fail or result in more than
220 4095 bytes of output (the total NUMBER_CHARS_{MIN,MAX} might be
221 greater). Implementations are not required to handle directives
222 that produce more than 4K bytes (leading to undefined behavior)
223 and so when one is found it disables the return value optimization.
224 Similarly, directives that can fail (such as wide character
225 directives) disable the optimization. */
228 /* True when a floating point directive has been seen in the format
229 string. */
232 /* True when an intermediate result has caused a warning. Used to
233 avoid issuing duplicate warnings while finishing the processing
234 of a call. WARNED also disables the return value optimization. */
237 /* Preincrement the number of output characters by 1. */
239 {
241 }
243 /* Postincrement the number of output characters by 1. */
245 {
249 }
251 /* Increment the number of output characters by N. */
253 };
255 format_result&
257 {
273 }
275 /* Return the value of INT_MIN for the target. */
279 {
281 }
283 /* Return the value of INT_MAX for the target. */
287 {
289 }
291 /* Return the value of SIZE_MAX for the target. */
295 {
297 }
299 /* A straightforward mapping from the execution character set to the host
300 character set indexed by execution character. */
304 /* Initialize a mapping from the execution character set to the host
305 character set. */
307 static bool
309 {
310 /* If the percent sign is non-zero the mapping has already been
311 initialized. */
315 /* Initialize the target_percent character (done elsewhere). */
319 /* The subset of the source character set used by printf conversion
320 specifications (strictly speaking, not all letters are used but
321 they are included here for the sake of simplicity). The dollar
322 sign must be included even though it's not in the basic source
323 character set. */
327 /* Set the mapping for all characters to some ordinary value (i,e.,
328 not none used in printf conversion specifications) and overwrite
329 those that are used by conversion specifications with their
330 corresponding values. */
333 /* Are the two sets of characters the same? */
337 {
338 /* Slice off the high end bits in case target characters are
339 signed. All values are expected to be non-nul, otherwise
340 there's a problem. */
342 {
346 }
347 else
350 }
352 /* Set the first element to a non-zero value if the mapping
353 is 1-to-1, otherwise leave it clear (NUL is assumed to be
354 the same in both character sets). */
358 }
360 /* Return the host source character corresponding to the character
361 CH in the execution character set if one exists, or some innocuous
362 (non-special, non-nul) source character otherwise. */
366 {
368 }
370 /* Convert an initial substring of the string TARGSTR consisting of
371 characters in the execution character set into a string in the
372 source character set on the host and store up to HOSTSZ characters
373 in the buffer pointed to by HOSTR. Return HOSTR. */
377 {
378 /* Make sure the buffer is reasonably big. */
381 /* The interesting subset of source and execution characters are
382 the same so no conversion is necessary. However, truncate
383 overlong strings just like the translated strings are. */
385 {
388 {
391 }
392 else
395 }
397 /* Convert the initial substring of TARGSTR to the corresponding
398 characters in the host set, appending "..." if TARGSTR is too
399 long to fit. Using the static buffer assumes the function is
400 not called in between sequence points (which it isn't). */
402 {
408 {
411 }
412 }
415 }
417 /* Convert the sequence of decimal digits in the execution character
418 starting at *PS to a HOST_WIDE_INT, analogously to strtol. Return
419 the result and set *PS to one past the last converted character.
420 On range error set ERANGE to the digit that caused it. */
424 {
427 {
430 {
433 /* Check for overflow. */
435 {
439 /* Skip the remaining digits. */
440 do
444 }
445 else
447 }
448 else
450 }
453 }
455 /* Given FORMAT, set *PLOC to the source location of the format string
456 and return the format string if it is known or null otherwise. */
460 {
464 }
466 /* For convenience and brevity, shorter named entrypoints of
467 format_string_diagnostic_t::emit_warning_va and
468 format_string_diagnostic_t::emit_warning_n_va.
469 These have to be functions with the attribute so that exgettext
470 works properly. */
472 static bool
476 {
478 corrected_substring);
485 }
487 static bool
492 {
494 corrected_substring);
502 }
504 /* Format length modifiers. */
506 enum format_lengths
507 {
508 FMT_LEN_none,
516 FMT_LEN_j // intmax_t
517 };
520 /* Description of the result of conversion either of a single directive
521 or the whole format string. */
523 struct fmtresult
524 {
525 /* Construct a FMTRESULT object with all counters initialized
526 to MIN. KNOWNRANGE is set when MIN is valid. */
531 {
536 }
538 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters.
539 KNOWNRANGE is set when both MIN and MAX are valid. */
545 {
550 }
552 /* Adjust result upward to reflect the RANGE of values the specified
553 width or precision is known to be in. */
558 /* Return the maximum number of decimal digits a value of TYPE
559 formats as on output. */
562 /* The range a directive's argument is in. */
565 /* The minimum and maximum number of bytes that a directive
566 results in on output for an argument in the range above. */
567 result_range range;
569 /* Non-nul when the argument of a string directive is not a nul
570 terminated string. */
571 tree nonstr;
573 /* True when the range above is obtained from a known value of
574 a directive's argument or its bounds and not the result of
575 heuristics that depend on warning levels. */
578 /* True for a directive that may fail (such as wide character
579 directives). */
582 /* True when the argument is a null pointer. */
584 };
586 /* Adjust result upward to reflect the range ADJUST of values the
587 specified width or precision is known to be in. When non-null,
588 TYPE denotes the type of the directive whose result is being
589 adjusted, BASE gives the base of the directive (octal, decimal,
590 or hex), and ADJ denotes the additional adjustment to the LIKELY
591 counter that may need to be added when ADJUST is a range. */
593 fmtresult&
598 {
601 /* Adjust the minimum and likely counters. */
603 {
605 {
608 }
610 /* Adjust the likely counter. */
613 }
618 /* Adjust the maximum counter. */
620 {
622 {
625 /* Set KNOWNRANGE if both the minimum and maximum have been
626 adjusted. Otherwise leave it at what it was before. */
628 }
629 }
632 {
633 /* For large non-constant width or precision whose range spans
634 the maximum number of digits produced by the directive for
635 any argument, set the likely number of bytes to be at most
636 the number digits plus other adjustment determined by the
637 caller (one for sign or two for the hexadecimal "0x"
638 prefix). */
643 }
645 {
646 /* Conservatively, set LIKELY to at least MIN but no less than
647 1 unless MAX is zero. */
652 }
654 /* Finally adjust the unlikely counter to be at least as large as
655 the maximum. */
660 }
662 /* Return the maximum number of digits a value of TYPE formats in
663 BASE on output, not counting base prefix . */
665 unsigned
667 {
670 {
674 /* Decimal approximation: yields 3, 5, 10, and 20 for precision
675 of 8, 16, 32, and 64 bits. */
679 }
682 }
684 static bool
688 /* Description of a format directive. A directive is either a plain
689 string or a conversion specification that starts with '%'. */
691 struct directive
692 {
693 /* The 1-based directive number (for debugging). */
696 /* The first character of the directive and its length. */
700 /* A bitmap of flags, one for each character. */
703 /* The range of values of the specified width, or -1 if not specified. */
705 /* The range of values of the specified precision, or -1 if not
706 specified. */
709 /* Length modifier. */
710 format_lengths modifier;
712 /* Format specifier character. */
715 /* The argument of the directive or null when the directive doesn't
716 take one or when none is available (such as for vararg functions). */
717 tree arg;
719 /* Format conversion function that given a directive and an argument
720 returns the formatting result. */
723 /* Return True when a the format flag CHR has been used. */
725 {
729 }
731 /* Make a record of the format flag CHR having been used. */
733 {
737 }
739 /* Reset the format flag CHR. */
741 {
745 }
747 /* Set both bounds of the width range to VAL. */
749 {
751 }
753 /* Set the width range according to ARG, with both bounds being
754 no less than 0. For a constant ARG set both bounds to its value
755 or 0, whichever is greater. For a non-constant ARG in some range
756 set width to its range adjusting each bound to -1 if it's less.
757 For an indeterminate ARG set width to [0, INT_MAX]. */
759 {
761 }
763 /* Set both bounds of the precision range to VAL. */
765 {
767 }
769 /* Set the precision range according to ARG, with both bounds being
770 no less than -1. For a constant ARG set both bounds to its value
771 or -1 whichever is greater. For a non-constant ARG in some range
772 set precision to its range adjusting each bound to -1 if it's less.
773 For an indeterminate ARG set precision to [-1, INT_MAX]. */
775 {
777 }
779 /* Return true if both width and precision are known to be
780 either constant or in some range, false otherwise. */
782 {
787 }
788 };
790 /* Return the logarithm of X in BASE. */
792 static int
794 {
796 do
797 {
802 }
804 /* Return the number of bytes resulting from converting into a string
805 the INTEGER_CST tree node X in BASE with a minimum of PREC digits.
806 PLUS indicates whether 1 for a plus sign should be added for positive
807 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal
808 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot
809 be represented. */
811 static HOST_WIDE_INT
813 {
816 HOST_WIDE_INT res;
819 {
821 {
824 }
825 else
827 }
828 else
829 {
831 {
834 {
835 /* Avoid undefined behavior due to negating a minimum. */
838 }
840 {
843 }
844 else
845 {
848 }
849 }
850 else
852 }
858 /* Adjust a non-zero value for the base prefix, either hexadecimal,
859 or, unless precision has resulted in a leading zero, also octal. */
861 {
866 }
869 }
871 /* Given the formatting result described by RES and NAVAIL, the number
872 of available in the destination, return the range of bytes remaining
873 in the destination. */
877 {
878 result_range range;
881 {
884 }
886 /* The lower bound of the available range is the available size
887 minus the maximum output size, and the upper bound is the size
888 minus the minimum. */
895 else
902 }
904 /* Description of a call to a formatted function. */
907 {
908 /* Function call statement. */
911 /* Function called. */
912 tree func;
914 /* Called built-in function code. */
915 built_in_function fncode;
917 /* Format argument and format string extracted from it. */
918 tree format;
921 /* The location of the format argument. */
922 location_t fmtloc;
924 /* The destination object size for __builtin___xxx_chk functions
925 typically determined by __builtin_object_size, or -1 if unknown. */
928 /* Number of the first variable argument. */
931 /* True for functions like snprintf that specify the size of
932 the destination, false for others like sprintf that don't. */
935 /* True for bounded functions like snprintf that specify a zero-size
936 buffer as a request to compute the size of output without actually
937 writing any. NOWRITE is cleared in response to the %n directive
938 which has side-effects similar to writing output. */
941 /* Return true if the called function's return value is used. */
943 {
945 }
947 /* Return the warning option corresponding to the called function. */
949 {
951 }
953 /* Return true for calls to file formatted functions. */
955 {
961 }
963 /* Return true for calls to string formatted functions. */
965 {
974 }
975 };
977 /* Return the result of formatting a no-op directive (such as '%n'). */
979 static fmtresult
981 {
984 }
986 /* Return the result of formatting the '%%' directive. */
988 static fmtresult
990 {
993 }
996 /* Compute intmax_type_node and uintmax_type_node similarly to how
997 tree.c builds size_type_node. */
999 static void
1001 {
1003 {
1006 }
1008 {
1011 }
1013 {
1016 }
1017 else
1018 {
1021 {
1026 {
1030 }
1031 }
1033 }
1034 }
1036 /* Determine the range [*PMIN, *PMAX] that the expression ARG is
1037 in and that is representable in type int.
1038 Return true when the range is a subrange of that of int.
1039 When ARG is null it is as if it had the full range of int.
1040 When ABSOLUTE is true the range reflects the absolute value of
1041 the argument. When ABSOLUTE is false, negative bounds of
1042 the determined range are replaced with NEGBOUND. */
1044 static bool
1048 {
1049 /* The type of the result. */
1055 {
1058 }
1061 {
1062 /* For a constant argument return its value adjusted as specified
1063 by NEGATIVE and NEGBOUND and return true to indicate that the
1064 result is known. */
1068 }
1069 else
1070 {
1071 /* True if the argument's range cannot be determined. */
1076 /* Ignore invalid arguments with greater precision that that
1077 of the expected type (e.g., in sprintf("%*i", 12LL, i)).
1078 They will have been detected and diagnosed by -Wformat and
1079 so it's not important to complicate this code to try to deal
1080 with them again. */
1084 {
1085 /* Try to determine the range of values of the integer argument. */
1088 {
1089 HOST_WIDE_INT type_min
1100 {
1101 /* Return true if the adjusted range is a subrange of
1102 the full range of the argument's type. *PMAX may
1103 be less than *PMIN when the argument is unsigned
1104 and its upper bound is in excess of TYPE_MAX. In
1105 that (invalid) case disregard the range and use that
1106 of the expected type instead. */
1110 }
1111 }
1112 }
1114 /* Handle an argument with an unknown range as if none had been
1115 provided. */
1119 }
1121 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */
1123 {
1125 {
1128 else
1129 {
1130 /* Make sure signed overlow is avoided. */
1137 }
1138 }
1139 }
1144 }
1146 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual
1147 argument, due to the conversion from either *ARGMIN or *ARGMAX to
1148 the type of the directive's formal argument it's possible for both
1149 to result in the same number of bytes or a range of bytes that's
1150 less than the number of bytes that would result from formatting
1151 some other value in the range [*ARGMIN, *ARGMAX]. This can be
1152 determined by checking for the actual argument being in the range
1153 of the type of the directive. If it isn't it must be assumed to
1154 take on the full range of the directive's type.
1155 Return true when the range has been adjusted to the full range
1156 of DIRTYPE, and false otherwise. */
1158 static bool
1160 {
1165 /* If the actual argument and the directive's argument have the same
1166 precision and sign there can be no overflow and so there is nothing
1167 to adjust. */
1171 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P
1172 branch in the extract_range_from_unary_expr function in tree-vrp.c. */
1182 {
1186 /* If *ARGMIN is still less than *ARGMAX the conversion above
1187 is safe. Otherwise, it has overflowed and would be unsafe. */
1190 }
1195 }
1197 /* Return a range representing the minimum and maximum number of bytes
1198 that the format directive DIR will output for any argument given
1199 the WIDTH and PRECISION (extracted from DIR). This function is
1200 used when the directive argument or its value isn't known. */
1202 static fmtresult
1204 {
1205 tree intmax_type_node;
1206 tree uintmax_type_node;
1208 /* Base to format the number in. */
1211 /* True when a conversion is preceded by a prefix indicating the base
1212 of the argument (octal or hexadecimal). */
1215 /* True when a signed conversion is preceded by a sign or space. */
1218 /* True for signed conversions (i.e., 'd' and 'i'). */
1222 {
1225 /* Space and '+' are only meaningful for signed conversions. */
1242 }
1244 /* The type of the "formal" argument expected by the directive. */
1247 /* Determine the expected type of the argument from the length
1248 modifier. */
1250 {
1254 else
1272 dirtype = (sign
1273 ? long_long_integer_type_node
1292 }
1294 /* The type of the argument to the directive, either deduced from
1295 the actual non-constant argument if one is known, or from
1296 the directive itself when none has been provided because it's
1297 a va_list. */
1301 {
1302 /* When the argument has not been provided, use the type of
1303 the directive's argument as an approximation. This will
1304 result in false positives for directives like %i with
1305 arguments with smaller precision (such as short or char). */
1307 }
1309 {
1310 /* When a constant argument has been provided use its value
1311 rather than type to determine the length of the output. */
1312 fmtresult res;
1315 {
1316 /* As a special case, a precision of zero with a zero argument
1317 results in zero bytes except in base 8 when the '#' flag is
1318 specified, and for signed conversions in base 8 and 10 when
1319 either the space or '+' flag has been specified and it results
1320 in just one byte (with width having the normal effect). This
1321 must extend to the case of a specified precision with
1322 an unknown value because it can be zero. */
1325 {
1328 }
1329 else
1330 {
1333 }
1334 }
1335 else
1336 {
1337 /* Convert the argument to the type of the directive. */
1344 else
1349 }
1353 /* Bump up the counters if WIDTH is greater than LEN. */
1356 /* Bump up the counters again if PRECision is greater still. */
1361 }
1364 /* Determine the type of the provided non-constant argument. */
1366 else
1367 /* Don't bother with invalid arguments since they likely would
1368 have already been diagnosed, and disable any further checking
1369 of the format string by returning [-1, -1]. */
1372 fmtresult res;
1374 /* Using either the range the non-constant argument is in, or its
1375 type (either "formal" or actual), create a range of values that
1376 constrain the length of output given the warning level. */
1383 {
1384 /* Try to determine the range of values of the integer argument
1385 (range information is not available for pointers). */
1388 {
1392 /* Set KNOWNRANGE if the argument is in a known subrange
1393 of the directive's type and neither width nor precision
1394 is unknown. (KNOWNRANGE may be reset below). */
1395 res.knownrange
1402 }
1404 {
1405 /* Handle anti-ranges if/when bug 71690 is resolved. */
1406 }
1408 {
1409 /* The argument here may be the result of promoting the actual
1410 argument to int. Try to determine the type of the actual
1411 argument before promotion and narrow down its range that
1412 way. */
1415 {
1418 {
1421 }
1424 {
1429 }
1430 }
1431 }
1432 }
1435 {
1437 {
1440 }
1441 else
1442 {
1445 }
1446 }
1448 /* Clear KNOWNRANGE if the range has been adjusted to the maximum
1449 of the directive. If it has been cleared then since ARGMIN and/or
1450 ARGMAX have been adjusted also adjust the corresponding ARGMIN and
1451 ARGMAX in the result to include in diagnostics. */
1453 {
1457 }
1459 /* Recursively compute the minimum and maximum from the known range. */
1461 {
1462 /* For unsigned conversions/directives or signed when
1463 the minimum is positive, use the minimum and maximum to compute
1464 the shortest and longest output, respectively. */
1467 }
1469 {
1470 /* For signed conversions/directives if maximum is negative,
1471 use the minimum as the longest output and maximum as the
1472 shortest output. */
1475 }
1476 else
1477 {
1478 /* Otherwise, 0 is inside of the range and minimum negative. Use 0
1479 as the shortest output and for the longest output compute the
1480 length of the output of both minimum and maximum and pick the
1481 longer. */
1482 unsigned HOST_WIDE_INT max1
1484 unsigned HOST_WIDE_INT max2
1489 }
1491 /* If the range is known, use the maximum as the likely length. */
1494 else
1495 {
1496 /* Otherwise, use the minimum. Except for the case where for %#x or
1497 %#o the minimum is just for a single value in the range (0) and
1498 for all other values it is something longer, like 0x1 or 01.
1499 Use the length for value 1 in that case instead as the likely
1500 length. */
1505 {
1512 }
1513 }
1522 }
1524 /* Return the number of bytes that a format directive consisting of FLAGS,
1525 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC,
1526 would result for argument X under ideal conditions (i.e., if PREC
1527 weren't excessive). MPFR 3.1 allocates large amounts of memory for
1528 values of PREC with large magnitude and can fail (see MPFR bug #21056).
1529 This function works around those problems. */
1531 static unsigned HOST_WIDE_INT
1534 {
1548 {
1549 /* For %e, specify the precision explicitly since mpfr_sprintf
1550 does its own thing just to be different (see MPFR bug 21088). */
1553 }
1554 else
1555 {
1556 /* Avoid passing negative precisions with larger magnitude to MPFR
1557 to avoid exposing its bugs. (A negative precision is supposed
1558 to be ignored.) */
1561 }
1566 {
1567 /* For G/g without the pound flag, precision gives the maximum number
1568 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for
1569 a 128 bit IEEE extended precision, 4932. Using twice as much here
1570 should be more than sufficient for any real format. */
1574 }
1575 else
1576 {
1577 /* Cap precision arbitrarily at 1KB and add the difference
1578 (if any) to the MPFR result. */
1581 }
1585 /* Handle the unlikely (impossible?) error by returning more than
1586 the maximum dictated by the function's return type. */
1590 /* Adjust the return value by the difference. */
1595 }
1597 /* Return the number of bytes to format using the format specifier
1598 SPEC and the precision PREC the largest value in the real floating
1599 TYPE. */
1601 static unsigned HOST_WIDE_INT
1603 {
1606 /* IBM Extended mode. */
1610 /* Get the real type format desription for the target. */
1612 REAL_VALUE_TYPE rv;
1616 /* Convert the GCC real value representation with the precision
1617 of the real type to the mpfr_t format with the GCC default
1618 round-to-nearest mode. */
1619 mpfr_t x;
1623 /* Return a value one greater to account for the leading minus sign. */
1624 unsigned HOST_WIDE_INT r
1628 }
1630 /* Return a range representing the minimum and maximum number of bytes
1631 that the directive DIR will output for any argument. PREC gives
1632 the adjusted precision range to account for negative precisions
1633 meaning the default 6. This function is used when the directive
1634 argument or its value isn't known. */
1636 static fmtresult
1638 {
1639 tree type;
1642 {
1658 }
1660 /* The minimum and maximum number of bytes produced by the directive. */
1661 fmtresult res;
1663 /* The minimum output as determined by flags. It's always at least 1.
1664 When plus or space are set the output is preceded by either a sign
1665 or a space. */
1669 /* The minimum is 3 for "inf" and "nan" for all specifiers, plus 1
1670 for the plus sign/space with the '+' and ' ' flags, respectively,
1671 unless reduced below. */
1674 /* When the pound flag is set the decimal point is included in output
1675 regardless of precision. Whether or not a decimal point is included
1676 otherwise depends on the specification and precision. */
1680 {
1683 {
1691 + flagmin
1692 + radix
1693 + minprec
1698 /* The unlikely maximum accounts for the longest multibyte
1699 decimal point character. */
1705 }
1709 {
1710 /* Minimum output attributable to precision and, when it's
1711 non-zero, decimal point. */
1714 /* The likely minimum output is "[-+]1.234567e+00" regardless
1715 of the value of the actual argument. */
1717 + radix
1718 + minprec
1723 /* The unlikely maximum accounts for the longest multibyte
1724 decimal point character. */
1728 else
1731 }
1735 {
1736 /* Minimum output attributable to precision and, when it's non-zero,
1737 decimal point. */
1740 /* For finite numbers (i.e., not infinity or NaN) the lower bound
1741 when precision isn't specified is 8 bytes ("1.23456" since
1742 precision is taken to be 6). When precision is zero, the lower
1743 bound is 1 byte (e.g., "1"). Otherwise, when precision is greater
1744 than zero, then the lower bound is 2 plus precision (plus flags).
1745 But in all cases, the lower bound is no greater than 3. */
1750 /* Compute the upper bound for -TYPE_MAX. */
1753 /* The minimum output with unknown precision is a single byte
1754 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */
1757 else
1760 /* The unlikely maximum accounts for the longest multibyte
1761 decimal point character. */
1766 }
1770 {
1771 /* The %g output depends on precision and the exponent of
1772 the argument. Since the value of the argument isn't known
1773 the lower bound on the range of bytes (not counting flags
1774 or width) is 1 plus radix (i.e., either "0" or "0." for
1775 "%g" and "%#g", respectively, with a zero argument). */
1783 {
1784 /* When the pound flag (radix) is set, trailing zeros aren't
1785 trimmed and so the longest output is the same as for %e,
1786 except with precision minus 1 (as specified in C11). */
1792 }
1793 else
1798 /* The likely output is either the maximum computed above
1799 minus 1 (assuming the maximum is positive) when precision
1800 is known (or unspecified), or the same minimum as for %e
1801 (which is computed for a non-negative argument). Unlike
1802 for the other specifiers above the likely output isn't
1803 the minimum because for %g that's 1 which is unlikely. */
1807 else
1808 {
1811 + radix
1812 + minprec
1814 }
1816 /* The unlikely maximum accounts for the longest multibyte
1817 decimal point character. */
1820 }
1824 }
1826 /* Bump up the byte counters if WIDTH is greater. */
1829 }
1831 /* Return a range representing the minimum and maximum number of bytes
1832 that the directive DIR will write on output for the floating argument
1833 ARG. */
1835 static fmtresult
1837 {
1842 /* For an indeterminate precision the lower bound must be assumed
1843 to be zero. */
1845 {
1846 /* Get the number of fractional decimal digits needed to represent
1847 the argument without a loss of accuracy. */
1848 unsigned fmtprec
1851 /* The precision of the IEEE 754 double format is 53.
1852 The precision of all other GCC binary double formats
1853 is 56 or less. */
1856 /* For %a, leave the minimum precision unspecified to let
1857 MFPR trim trailing zeros (as it and many other systems
1858 including Glibc happen to do) and set the maximum
1859 precision to reflect what it would be with trailing zeros
1860 present (as Solaris and derived systems do). */
1862 {
1863 /* Both bounds are negative implies that precision has
1864 not been specified. */
1867 }
1869 {
1870 /* With a negative lower bound and a non-negative upper
1871 bound set the minimum precision to zero and the maximum
1872 to the greater of the maximum precision (i.e., with
1873 trailing zeros present) and the specified upper bound. */
1876 }
1877 }
1879 {
1881 {
1882 /* A precision in a strictly negative range is ignored and
1883 the default of 6 is used instead. */
1885 }
1886 else
1887 {
1888 /* For a precision in a partly negative range, the lower bound
1889 must be assumed to be zero and the new upper bound is the
1890 greater of 6 (the default precision used when the specified
1891 precision is negative) and the upper bound of the specified
1892 range. */
1895 }
1896 }
1903 /* The minimum and maximum number of bytes produced by the directive. */
1904 fmtresult res;
1906 /* Get the real type format desription for the target. */
1911 {
1912 /* The format for Infinity and NaN is "[-]inf"/"[-]infinity"
1913 and "[-]nan" with the choice being implementation-defined
1914 but not locale dependent. */
1920 /* The unlikely maximum is "[-/+]infinity" or "[-/+][qs]nan".
1921 For NaN, the C/POSIX standards specify two formats:
1922 "[-/+]nan"
1923 and
1924 "[-/+]nan(n-char-sequence)"
1925 No known printf implementation outputs the latter format but AIX
1926 outputs QNaN and SNaN for quiet and signalling NaN, respectively,
1927 so the unlikely maximum reflects that. */
1930 /* The range for infinity and NaN is known unless either width
1931 or precision is unknown. Width has the same effect regardless
1932 of whether the argument is finite. Precision is either ignored
1933 (e.g., Glibc) or can have an effect on the short vs long format
1934 such as inf/infinity (e.g., Solaris). */
1937 /* Adjust the range for width but ignore precision. */
1941 }
1946 /* Append flags. */
1953 {
1954 /* Set up an array to easily iterate over. */
1957 };
1960 {
1961 /* Convert the GCC real value representation with the precision
1962 of the real type to the mpfr_t format rounding down in the
1963 first iteration that computes the minimm and up in the second
1964 that computes the maximum. This order is arbibtrary because
1965 rounding in either direction can result in longer output. */
1966 mpfr_t mpfrval;
1970 /* Use the MPFR rounding specifier to round down in the first
1971 iteration and then up. In most but not all cases this will
1972 result in the same number of bytes. */
1975 /* Format it and store the result in the corresponding member
1976 of the result struct. */
1980 }
1981 }
1983 /* Make sure the minimum is less than the maximum (MPFR rounding
1984 in the call to mpfr_snprintf can result in the reverse. */
1986 {
1990 }
1992 /* The range is known unless either width or precision is unknown. */
1995 /* For the same floating point constant, unless width or precision
1996 is unknown, use the longer output as the likely maximum since
1997 with round to nearest either is equally likely. Otheriwse, when
1998 precision is unknown, use the greater of the minimum and 3 as
1999 the likely output (for "0.0" since zero precision is unlikely). */
2006 else
2012 {
2013 /* Unless the precision is zero output longer than 2 bytes may
2014 include the decimal point which must be a single character
2015 up to MB_LEN_MAX in length. This is overly conservative
2016 since in some conversions some constants result in no decimal
2017 point (e.g., in %g). */
2019 }
2023 }
2025 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
2026 strings referenced by the expression STR, or (-1, -1) when not known.
2027 Used by the format_string function below. */
2029 static fmtresult
2031 {
2035 /* Determine the length of the shortest and longest string referenced
2036 by STR. Strings of unknown lengths are bounded by the sizes of
2037 arrays that subexpressions of STR may refer to. Pointers that
2038 aren't known to point any such arrays result in LENDATA.MAXLEN
2039 set to SIZE_MAX. */
2040 c_strlen_data lendata = { };
2043 /* Return the default result when nothing is known about the string. */
2048 HOST_WIDE_INT min
2053 HOST_WIDE_INT max
2060 /* Set the max/likely counters to unbounded when a minimum is known
2061 but the maximum length isn't bounded. This implies that STR is
2062 a conditional expression involving a string of known length and
2063 and an expression of unknown/unbounded length. */
2069 /* get_range_strlen() returns the target value of SIZE_MAX for
2070 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U
2071 which may be bigger. */
2080 /* Set RES.KNOWNRANGE to true if and only if all strings referenced
2081 by STR are known to be bounded (though not necessarily by their
2082 actual length but perhaps by their maximum possible length). */
2084 {
2086 /* When the the length of the longest string is known and not
2087 excessive use it as the likely length of the string(s). */
2089 }
2090 else
2091 {
2092 /* When the upper bound is unknown (it can be zero or excessive)
2093 set the likely length to the greater of 1 and the length of
2094 the shortest string and reset the lower bound to zero. */
2097 }
2102 }
2104 /* Return the minimum and maximum number of characters formatted
2105 by the '%c' format directives and its wide character form for
2106 the argument ARG. ARG can be null (for functions such as
2107 vsprinf). */
2109 static fmtresult
2111 {
2112 fmtresult res;
2118 {
2119 /* A wide character can result in as few as zero bytes. */
2124 {
2126 {
2127 /* The NUL wide character results in no bytes. */
2131 }
2133 {
2134 /* Be conservative if the target execution character set
2135 is not a 1-to-1 mapping to the source character set or
2136 if the source set is not ASCII. */
2137 bool one_2_one_ascii
2140 /* A wide character in the ASCII range most likely results
2141 in a single byte, and only unlikely in up to MB_LEN_MAX. */
2146 }
2147 else
2148 {
2149 /* A wide character outside the ASCII range likely results
2150 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */
2154 /* Converting such a character may fail. */
2156 }
2157 }
2158 else
2159 {
2160 /* An unknown wide character is treated the same as a wide
2161 character outside the ASCII range. */
2166 }
2167 }
2168 else
2169 {
2170 /* A plain '%c' directive. Its ouput is exactly 1. */
2174 }
2176 /* Bump up the byte counters if WIDTH is greater. */
2178 }
2180 /* Return the minimum and maximum number of characters formatted
2181 by the '%s' format directive and its wide character form for
2182 the argument ARG. ARG can be null (for functions such as
2183 vsprinf). */
2185 static fmtresult
2187 {
2188 fmtresult res;
2190 /* Compute the range the argument's length can be in. */
2193 {
2194 /* Get a node for a C type that will be the same size
2195 as a wchar_t on the target. */
2198 /* Now that we have a suitable node, get the number of
2199 bytes it occupies. */
2202 }
2207 {
2208 /* The argument is either a string constant or it refers
2209 to one of a number of strings of the same length. */
2211 /* A '%s' directive with a string argument with constant length. */
2216 {
2217 /* In the worst case the length of output of a wide string S
2218 is bounded by MB_LEN_MAX * wcslen (S). */
2221 /* It's likely that the the total length is not more that
2222 2 * wcslen (S).*/
2227 {
2231 }
2238 /* Even a non-empty wide character string need not convert into
2239 any bytes. */
2242 /* A non-empty wide character conversion may fail. */
2245 }
2246 else
2247 {
2256 {
2260 }
2261 }
2262 }
2264 {
2265 /* Handle null pointer argument. */
2270 }
2271 else
2272 {
2273 /* For a '%s' and '%ls' directive with a non-constant string (either
2274 one of a number of strings of known length or an unknown string)
2275 the minimum number of characters is lesser of PRECISION[0] and
2276 the length of the shortest known string or zero, and the maximum
2277 is the lessser of the length of the longest known string or
2278 PTRDIFF_MAX and PRECISION[1]. The likely length is either
2279 the minimum at level 1 and the greater of the minimum and 1
2280 at level 2. This result is adjust upward for width (if it's
2281 specified). */
2285 {
2286 /* A wide character converts to as few as zero bytes. */
2297 /* A non-empty wide character conversion may fail. */
2300 }
2305 {
2306 /* Adjust the minimum to zero if the string length is unknown,
2307 or at most the lower bound of the precision otherwise. */
2313 /* Make both maxima no greater than the upper bound of precision. */
2316 {
2319 }
2321 /* If precision is constant, set the likely counter to the lesser
2322 of it and the maximum string length. Otherwise, if the lower
2323 bound of precision is greater than zero, set the likely counter
2324 to the minimum. Otherwise set it to zero or one based on
2325 the warning level. */
2332 else
2334 }
2336 {
2343 }
2345 {
2348 /* At level 1 strings of unknown length are assumed to be
2349 empty, while at level 1 they are assumed to be one byte
2350 long. */
2353 }
2354 else
2355 {
2356 /* A string of unknown length unconstrained by precision is
2357 assumed to be empty at level 1 and just one character long
2358 at higher levels. */
2361 }
2362 }
2364 /* If the argument isn't a nul-terminated string and the number
2365 of bytes on output isn't bounded by precision, set NONSTR. */
2369 /* Bump up the byte counters if WIDTH is greater. */
2371 }
2373 /* Format plain string (part of the format string itself). */
2375 static fmtresult
2377 {
2380 }
2382 /* Return true if the RESULT of a directive in a call describe by INFO
2383 should be diagnosed given the AVAILable space in the destination. */
2385 static bool
2388 {
2390 {
2391 /* The least amount of space remaining in the destination is big
2392 enough for the longest output. */
2394 }
2397 {
2400 {
2401 /* The likely amount of space remaining in the destination is big
2402 enough for the least output and the return value is used. */
2404 }
2408 {
2409 /* The likely amount of space remaining in the destination is big
2410 enough for the likely output and the return value is unused. */
2412 }
2418 {
2419 /* The minimum amount of space remaining in the destination is big
2420 enough for the longest output. */
2422 }
2423 }
2424 else
2425 {
2427 {
2428 /* The likely amount of space remaining in the destination is big
2429 enough for the likely output. */
2431 }
2437 {
2438 /* The minimum amount of space remaining in the destination is big
2439 enough for the longest output. */
2441 }
2442 }
2445 }
2447 /* At format string location describe by DIRLOC in a call described
2448 by INFO, issue a warning for a directive DIR whose output may be
2449 in excess of the available space AVAIL_RANGE in the destination
2450 given the formatting result FMTRES. This function does nothing
2451 except decide whether to issue a warning for a possible write
2452 past the end or truncation and, if so, format the warning.
2453 Return true if a warning has been issued. */
2455 static bool
2460 {
2464 /* A warning will definitely be issued below. */
2466 /* The maximum byte count to reference in the warning. Larger counts
2467 imply that the upper bound is unknown (and could be anywhere between
2468 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather
2469 than "between N and X" where X is some huge number. */
2472 /* True when there is enough room in the destination for the least
2473 amount of a directive's output but not enough for its likely or
2474 maximum output. */
2480 /* Buffer for the directive in the host character set (used when
2481 the source character set is different). */
2485 {
2486 /* The size of the destination region is exact. */
2490 {
2491 /* For plain character directives (i.e., the format string itself)
2492 but not others, point the caret at the first character that's
2493 past the end of the destination. */
2496 }
2499 {
2500 /* This is the terminating nul. */
2504 info.bounded
2505 ? (maybe
2510 : (maybe
2516 }
2519 {
2523 "%<%.*s%> directive writing %wu byte into a "
2525 "%<%.*s%> directive writing %wu bytes into a "
2530 "%<%.*s%> directive output may be truncated "
2532 "%<%.*s%> directive output may be truncated "
2535 else
2537 "%<%.*s%> directive output truncated writing "
2539 "%<%.*s%> directive output truncated writing "
2542 }
2546 info.bounded
2547 ? (maybe
2549 "writing up to %wu bytes into a region of "
2559 /* This is a special case to avoid issuing the potentially
2560 confusing warning:
2561 writing 0 or more bytes into a region of size 0. */
2563 info.bounded
2564 ? (maybe
2566 "writing likely %wu or more bytes into a "
2569 "likely %wu or more bytes into a region of "
2578 info.bounded
2579 ? (maybe
2581 "writing between %wu and %wu bytes into a "
2584 "writing between %wu and %wu bytes into a "
2593 info.bounded
2594 ? (maybe
2596 "writing %wu or more bytes into a region of "
2604 }
2606 /* The size of the destination region is a range. */
2609 {
2612 /* For plain character directives (i.e., the format string itself)
2613 but not others, point the caret at the first character that's
2614 past the end of the destination. */
2617 }
2620 {
2624 info.bounded
2625 ? (maybe
2630 : (maybe
2635 }
2638 {
2642 "%<%.*s%> directive writing %wu byte into a region "
2644 "%<%.*s%> directive writing %wu bytes into a region "
2649 "%<%.*s%> directive output may be truncated writing "
2651 "%<%.*s%> directive output may be truncated writing "
2652 "%wu bytes into a region of size between %wu and "
2655 else
2657 "%<%.*s%> directive output truncated writing %wu "
2659 "%<%.*s%> directive output truncated writing %wu "
2663 }
2667 info.bounded
2668 ? (maybe
2670 "writing up to %wu bytes into a region of size "
2673 "up to %wu bytes into a region of size between "
2682 /* This is a special case to avoid issuing the potentially confusing
2683 warning:
2684 writing 0 or more bytes into a region of size between 0 and N. */
2686 info.bounded
2687 ? (maybe
2689 "writing likely %wu or more bytes into a region "
2692 "likely %wu or more bytes into a region of size "
2702 info.bounded
2703 ? (maybe
2705 "writing between %wu and %wu bytes into a region "
2708 "between %wu and %wu bytes into a region of size "
2711 "%wu bytes into a region of size between %wu and "
2717 info.bounded
2718 ? (maybe
2720 "%wu or more bytes into a region of size between "
2723 "%wu or more bytes into a region of size between "
2730 }
2732 /* Compute the length of the output resulting from the directive DIR
2733 in a call described by INFO and update the overall result of the call
2734 in *RES. Return true if the directive has been handled. */
2736 static bool
2740 {
2741 /* Offset of the beginning of the directive from the beginning
2742 of the format string. */
2747 /* Create a location for the whole directive from the % to the format
2748 specifier. */
2752 /* Also get the location of the argument if possible.
2753 This doesn't work for integer literals or function calls. */
2758 /* Bail when there is no function to compute the output length,
2759 or when minimum length checking has been disabled. */
2763 /* Compute the range of lengths of the formatted output. */
2766 /* Record whether the output of all directives is known to be
2767 bounded by some maximum, implying that their arguments are
2768 either known exactly or determined to be in a known range
2769 or, for strings, limited by the upper bounds of the arrays
2770 they refer to. */
2774 {
2775 /* Only when the range is known, check it against the host value
2776 of INT_MAX + (the number of bytes of the "%.*Lf" directive with
2777 INT_MAX precision, which is the longest possible output of any
2778 single directive). That's the largest valid byte count (though
2779 not valid call to a printf-like function because it can never
2780 return such a count). Otherwise, the range doesn't correspond
2781 to known values of the argument. */
2783 {
2784 /* Normalize the MAX counter to avoid having to deal with it
2785 later. The counter can be less than HOST_WIDE_INT_M1U
2786 when compiling for an ILP32 target on an LP64 host. */
2788 /* Disable exact and maximum length checking after a failure
2789 to determine the maximum number of characters (for example
2790 for wide characters or wide character strings) but continue
2791 tracking the minimum number of characters. */
2793 }
2796 {
2797 /* Disable exact length checking after a failure to determine
2798 even the minimum number of characters (it shouldn't happen
2799 except in an error) but keep tracking the minimum and maximum
2800 number of characters. */
2802 }
2803 }
2805 /* Buffer for the directive in the host character set (used when
2806 the source character set is different). */
2812 {
2818 /* Don't bother processing the rest of the format string. */
2823 }
2825 /* Compute the number of available bytes in the destination. There
2826 must always be at least one byte of space for the terminating
2827 NUL that's appended after the format string has been processed. */
2836 /* Bump up the total maximum if it isn't too big. */
2841 /* Raise the total unlikely maximum by the larger of the maximum
2842 and the unlikely maximum. */
2846 else
2855 /* Has the minimum directive output length exceeded the maximum
2856 of 4095 bytes required to be supported? */
2859 /* Clear POSUNDER4K in the overall result if the maximum has exceeded
2860 the 4k (this is necessary to avoid the return value optimization
2861 that may not be safe in the maximum case). */
2864 /* Also clear POSUNDER4K if the directive may fail. */
2869 /* Only warn at level 2. */
2871 /* Only warn for string functions. */
2873 && (!minunder4k
2875 {
2876 /* The directive output may be longer than the maximum required
2877 to be handled by an implementation according to 7.21.6.1, p15
2878 of C11. Warn on this only at level 2 but remember this and
2879 prevent folding the return value when done. This allows for
2880 the possibility of the actual libc call failing due to ENOMEM
2881 (like Glibc does with very large precision or width).
2882 Issue the "may exceed" warning only for string functions and
2883 not for fprintf or printf. */
2887 "%<%.*s%> directive output of %wu bytes exceeds "
2893 "%<%.*s%> directive output between %wu and %wu "
2895 dirlen,
2900 "%<%.*s%> directive output between %wu and %wu "
2901 "bytes may exceed minimum required size of "
2903 dirlen,
2906 }
2908 /* Has the likely and maximum directive output exceeded INT_MAX? */
2910 /* Don't consider the maximum to be in excess when it's the result
2911 of a string of unknown length (i.e., whose maximum has been set
2912 to be greater than or equal to HOST_WIDE_INT_MAX. */
2918 /* Warn for the likely output size at level 1. */
2919 && (likelyximax
2920 /* But only warn for the maximum at level 2. */
2922 && maxximax
2924 {
2926 {
2927 /* The directive output exceeds INT_MAX bytes. */
2930 "%<%.*s%> directive output of %wu bytes exceeds "
2934 else
2936 "%<%.*s%> directive output between %wu and "
2940 }
2942 {
2943 /* The directive output is under INT_MAX but causes the result
2944 to exceed INT_MAX bytes. */
2947 "%<%.*s%> directive output of %wu bytes causes "
2951 else
2953 "%<%.*s%> directive output between %wu and "
2955 dirlen,
2958 }
2961 /* Warn for calls to string functions that either aren't bounded
2962 (sprintf) or whose return value isn't used. */
2964 "%<%.*s%> directive output between %wu and "
2965 "%wu bytes may cause result to exceed "
2969 }
2972 {
2974 "%<%.*s%> directive argument is not a nul-terminated "
2976 dirlen,
2982 }
2992 {
2998 else
3002 }
3007 {
3014 {
3015 /* If a warning has been issued for buffer overflow or truncation
3016 help the user figure out how big a buffer they need. */
3025 "%qE output between %wu and %wu bytes into "
3030 "%qE output %wu or more bytes (assuming %wu) into "
3033 else
3035 "%qE output %wu or more bytes into a destination of size "
3038 }
3040 {
3041 /* If the warning is for a file function function like fprintf
3042 of printf with no destination size just print the computed
3043 result. */
3056 else
3060 }
3061 }
3064 {
3066 " Result: "
3075 }
3078 }
3080 /* Parse a format directive in function call described by INFO starting
3081 at STR and populate DIR structure. Bump up *ARGNO by the number of
3082 arguments extracted for the directive. Return the length of
3083 the directive. */
3085 static size_t
3090 {
3095 {
3096 /* This directive is either a plain string or the terminating nul
3097 (which isn't really a directive but it simplifies things to
3098 handle it as if it were). */
3103 {
3110 }
3113 }
3117 /* POSIX numbered argument index or zero when none. */
3120 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN
3121 when given by a va_list argument, and a non-negative value
3122 when specified in the format string itself. */
3126 /* Pointers to the beginning of the width and precision decimal
3127 string (if any) within the directive. */
3131 /* When the value of the decimal string that specifies width or
3132 precision is out of range, points to the digit that causes
3133 the value to exceed the limit. */
3137 /* Width specified via the asterisk. Need not be INTEGER_CST.
3138 For vararg functions set to void_node. */
3141 /* Width specified via the asterisk. Need not be INTEGER_CST.
3142 For vararg functions set to void_node. */
3146 {
3147 /* This could be either a POSIX positional argument, the '0'
3148 flag, or a width, depending on what follows. Store it as
3149 width and sort it out later after the next character has
3150 been seen. */
3153 }
3155 {
3156 /* Similarly to the block above, this could be either a POSIX
3157 positional argument or a width, depending on what follows. */
3160 else
3163 }
3166 {
3167 /* Handle the POSIX dollar sign which references the 1-based
3168 positional argument number. */
3177 /* Bail when the numbered argument is out of range (it will
3178 have already been diagnosed by -Wformat). */
3189 }
3192 {
3194 {
3196 {
3197 /* The '0' that has been interpreted as a width above is
3198 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
3199 and continue processing other flags. */
3202 }
3204 {
3205 /* (Non-zero) width has been seen. The next character
3206 is either a period or a digit. */
3208 }
3209 }
3210 /* When either '$' has been seen, or width has not been seen,
3211 the next field is the optional flags followed by an optional
3212 width. */
3215 {
3226 }
3227 }
3229 start_width:
3231 {
3235 }
3237 {
3240 else
3241 {
3242 /* This is (likely) a va_list. It could also be an invalid
3243 call with insufficient arguments. */
3245 }
3247 }
3249 {
3250 /* The POSIX apostrophe indicating a numeric grouping
3251 in the current locale. Even though it's possible to
3252 estimate the upper bound on the size of the output
3253 based on the number of digits it probably isn't worth
3254 continuing. */
3256 }
3257 }
3259 start_precision:
3261 {
3265 {
3268 }
3270 {
3273 else
3274 {
3275 /* This is (likely) a va_list. It could also be an invalid
3276 call with insufficient arguments. */
3278 }
3280 }
3281 else
3282 {
3283 /* The decimal precision or the asterisk are optional.
3284 When neither is dirified it's taken to be zero. */
3286 }
3287 }
3290 {
3293 {
3296 }
3297 else
3314 {
3317 }
3318 else
3332 }
3335 {
3336 /* Handle a sole '%' character the same as "%%" but since it's
3337 undefined prevent the result from being folded. */
3341 /* FALLTHRU */
3368 /* The %p output is implementation-defined. It's possible
3369 to determine this format but due to extensions (edirially
3370 those of the Linux kernel -- see bug 78512) the first %p
3371 in the format string disables any further processing. */
3375 /* %n has side-effects even when nothing is actually printed to
3376 any buffer. */
3383 /* POSIX wide character and C/POSIX narrow character. */
3389 /* POSIX wide string and C/POSIX narrow character string. */
3394 /* Unknown conversion specification. */
3396 }
3400 /* Store the length of the format directive. */
3403 /* Buffer for the directive in the host character set (used when
3404 the source character set is different). */
3408 {
3411 else
3412 {
3413 /* Width specified by a va_list takes on the range [0, -INT_MIN]
3414 (width is the absolute value of that specified). */
3417 }
3418 }
3419 else
3420 {
3422 {
3427 /* Create a location for the width part of the directive,
3428 pointing the caret at the first out-of-range digit. */
3435 }
3438 }
3441 {
3444 else
3445 {
3446 /* Precision specified by a va_list takes on the range [-1, INT_MAX]
3447 (unlike width, negative precision is ignored). */
3450 }
3451 }
3452 else
3453 {
3455 {
3460 /* Create a location for the precision part of the directive,
3461 including the leading period, pointing the caret at the first
3462 out-of-range digit . */
3469 }
3472 }
3474 /* Extract the argument if the directive takes one and if it's
3475 available (e.g., the function doesn't take a va_list). Treat
3476 missing arguments the same as va_list, even though they will
3477 have likely already been diagnosed by -Wformat. */
3483 {
3485 " Directive %u at offset " HOST_WIDE_INT_PRINT_UNSIGNED
3491 {
3495 else
3497 ", width in range [" HOST_WIDE_INT_PRINT_DEC
3500 }
3503 {
3507 else
3509 ", precision in range [" HOST_WIDE_INT_PRINT_DEC
3512 }
3514 }
3517 }
3519 /* Compute the length of the output resulting from the call to a formatted
3520 output function described by INFO and store the result of the call in
3521 *RES. Issue warnings for detected past the end writes. Return true
3522 if the complete format string has been processed and *RES can be relied
3523 on, false otherwise (e.g., when a unknown or unhandled directive was seen
3524 that caused the processing to be terminated early). */
3526 bool
3529 {
3531 {
3538 ": objsize = " HOST_WIDE_INT_PRINT_UNSIGNED
3541 }
3543 /* Reset the minimum and maximum byte counters. */
3546 /* No directive has been seen yet so the length of output is bounded
3547 by the known range [0, 0] (with no conversion resulting in a failure
3548 or producing more than 4K bytes) until determined otherwise. */
3553 /* 1-based directive counter. */
3556 /* The variadic argument counter. */
3560 {
3567 /* Return failure if the format function fails. */
3572 /* Return success the directive is zero bytes long and it's
3573 the last think in the format string (i.e., it's the terminating
3574 nul, which isn't really a directive but handling it as one makes
3575 things simpler). */
3580 }
3582 /* The complete format string was processed (with or without warnings). */
3584 }
3586 /* Return the size of the object referenced by the expression DEST if
3587 available, or the maximum possible size otherwise. */
3589 static unsigned HOST_WIDE_INT
3591 {
3592 /* When there is no destination return the maximum. */
3596 /* Initialize object size info before trying to compute it. */
3599 /* Use __builtin_object_size to determine the size of the destination
3600 object. When optimizing, determine the smallest object (such as
3601 a member array as opposed to the whole enclosing object), otherwise
3602 use type-zero object size to determine the size of the enclosing
3603 object (the function fails without optimization in this type). */
3610 }
3612 /* Return true if the call described by INFO with result RES safe to
3613 optimize (i.e., no undefined behavior), and set RETVAL to the range
3614 of its return values. */
3616 static bool
3620 {
3624 /* The minimum return value. */
3627 /* The maximum return value is in most cases bounded by RES.RANGE.MAX
3628 but in cases involving multibyte characters could be as large as
3629 RES.RANGE.UNLIKELY. */
3633 /* Adjust the number of bytes which includes the terminating nul
3634 to reflect the return value of the function which does not.
3635 Because the valid range of the function is [INT_MIN, INT_MAX],
3636 a valid range before the adjustment below is [0, INT_MAX + 1]
3637 (the functions only return negative values on error or undefined
3638 behavior). */
3644 /* Avoid the return value optimization when the behavior of the call
3645 is undefined either because any directive may have produced 4K or
3646 more of output, or the return value exceeds INT_MAX, or because
3647 the output overflows the destination object (but leave it enabled
3648 when the function is bounded because then the behavior is well-
3649 defined). */
3664 }
3666 /* Given a suitable result RES of a call to a formatted output function
3667 described by INFO, substitute the result for the return value of
3668 the call. The result is suitable if the number of bytes it represents
3669 is known and exact. A result that isn't suitable for substitution may
3670 have its range set to the range of return values, if that is known.
3671 Return true if the call is removed and gsi_next should not be performed
3672 in the caller. */
3674 static bool
3678 {
3681 /* Set to true when the entire call has been removed. */
3684 /* The minimum and maximum return value. */
3690 /* Not prepared to handle possibly throwing calls here; they shouldn't
3691 appear in non-artificial testcases, except when the __*_chk routines
3692 are badly declared. */
3694 {
3699 {
3700 /* Remove the call to the bounded function with a zero size
3701 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */
3705 }
3707 {
3708 /* Replace the call to the bounded function with a zero size
3709 (e.g., snprintf(0, 0, "%i", 123) with the constant result
3710 of the function. */
3715 }
3717 {
3718 /* Replace the left-hand side of the call with the constant
3719 result of the formatted function. */
3724 }
3727 {
3730 else
3731 {
3736 }
3737 }
3738 }
3740 {
3747 {
3748 /* If the result is in a valid range bounded by the size of
3749 the destination set it so that it can be used for subsequent
3750 optimizations. */
3758 }
3761 {
3771 " %s %s-bounds return value range ["
3772 HOST_WIDE_INT_PRINT_UNSIGNED ", "
3775 else
3779 }
3780 }
3786 }
3788 /* Try to simplify a s{,n}printf call described by INFO with result
3789 RES by replacing it with a simpler and presumably more efficient
3790 call (such as strcpy). */
3792 static bool
3796 {
3802 {
3810 ;
3811 }
3814 }
3816 /* Return the zero-based index of the format string argument of a printf
3817 like function and set *IDX_ARGS to the first format argument. When
3818 no such index exists return UINT_MAX. */
3820 static unsigned
3822 {
3842 /* Attribute argument indices are 1-based but we use zero-based. */
3845 }
3847 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
3848 functions and if so, handle it. Return true if the call is removed
3849 and gsi_next should not be performed in the caller. */
3851 bool
3853 {
3861 /* Format string argument number (valid for all functions). */
3865 else
3866 {
3873 idx_format))))
3877 }
3879 /* The size of the destination as in snprintf(dest, size, ...). */
3882 /* The size of the destination determined by __builtin_object_size. */
3885 /* Zero-based buffer size argument number (snprintf and vsnprintf). */
3888 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
3891 /* Destinaton argument number (valid for sprintf functions only). */
3895 {
3897 // User-defined function with attribute format (printf).
3902 // Signature:
3903 // __builtin_fprintf (FILE*, format, ...)
3910 // Signature:
3911 // __builtin_fprintf_chk (FILE*, ost, format, ...)
3918 // Signature:
3919 // __builtin_fprintf_unnlocked (FILE*, format, ...)
3926 // Signature:
3927 // __builtin_printf (format, ...)
3934 // Signature:
3935 // __builtin_printf_chk (ost, format, ...)
3942 // Signature:
3943 // __builtin_printf (format, ...)
3950 // Signature:
3951 // __builtin_sprintf (dst, format, ...)
3957 // Signature:
3958 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
3965 // Signature:
3966 // __builtin_snprintf (dst, size, format, ...)
3974 // Signature:
3975 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
3984 // Signature:
3985 // __builtin_vprintf (FILE*, format, va_list)
3992 // Signature:
3993 // __builtin___vfprintf_chk (FILE*, ost, format, va_list)
4000 // Signature:
4001 // __builtin_vprintf (format, va_list)
4008 // Signature:
4009 // __builtin___vprintf_chk (ost, format, va_list)
4016 // Signature:
4017 // __builtin_vsprintf (dst, size, format, va)
4025 // Signature:
4026 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
4035 // Signature:
4036 // __builtin_vsprintf (dst, format, va)
4042 // Signature:
4043 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
4051 }
4053 /* Set the global warning level for this function. */
4056 /* For all string functions the first argument is a pointer to
4057 the destination. */
4063 /* True when the destination size is constant as opposed to the lower
4064 or upper bound of a range. */
4069 {
4070 /* For non-bounded functions like sprintf, determine the size
4071 of the destination from the object or pointer passed to it
4072 as the first argument. */
4074 }
4076 {
4077 /* For bounded functions try to get the size argument. */
4080 {
4082 /* No object can be larger than SIZE_MAX bytes (half the address
4083 space) on the target.
4084 The functions are defined only for output of at most INT_MAX
4085 bytes. Specifying a bound in excess of that limit effectively
4086 defeats the bounds checking (and on some implementations such
4087 as Solaris cause the function to fail with EINVAL). */
4089 {
4090 /* Avoid warning if -Wstringop-overflow is specified since
4091 it also warns for the same thing though only for the
4092 checking built-ins. */
4096 "specified bound %wu exceeds maximum object size "
4099 /* POSIX requires snprintf to fail if DSTSIZE is greater
4100 than INT_MAX. Even though not all POSIX implementations
4101 conform to the requirement, avoid folding in this case. */
4103 }
4105 {
4108 dstsize);
4109 /* POSIX requires snprintf to fail if DSTSIZE is greater
4110 than INT_MAX. Avoid folding in that case. */
4112 }
4113 }
4115 {
4116 /* Try to determine the range of values of the argument
4117 and use the greater of the two at level 1 and the smaller
4118 of them at level 2. */
4121 {
4128 "specified bound range [%wu, %wu] exceeds "
4132 /* POSIX requires snprintf to fail if DSTSIZE is greater
4133 than INT_MAX. Avoid folding if that's possible. */
4136 }
4138 {
4139 /* POSIX requires snprintf to fail if DSTSIZE is greater
4140 than INT_MAX. Since SIZE's range is unknown, avoid
4141 folding. */
4143 }
4145 /* The destination size is not constant. If the function is
4146 bounded (e.g., snprintf) a lower bound of zero doesn't
4147 necessarily imply it can be eliminated. */
4149 }
4150 }
4158 {
4159 /* As a special case, when the explicitly specified destination
4160 size argument (to a bounded function like snprintf) is zero
4161 it is a request to determine the number of bytes on output
4162 without actually producing any. Pretend the size is
4163 unlimited in this case. */
4166 }
4167 else
4168 {
4169 /* For calls to non-bounded functions or to those of bounded
4170 functions with a non-zero size, warn if the destination
4171 pointer is null. */
4173 {
4174 /* This is diagnosed with -Wformat only when the null is a constant
4175 pointer. The warning here diagnoses instances where the pointer
4176 is not constant. */
4182 }
4184 /* Set the object size to the smaller of the two arguments
4185 of both have been specified and they're not equal. */
4190 /* Avoid warning if -Wstringop-overflow is specified since
4191 it also warns for the same thing though only for the
4192 checking built-ins. */
4195 {
4197 "specified bound %wu exceeds the size %wu "
4199 }
4200 }
4202 /* Determine if the format argument may be null and warn if not
4203 and if the argument is null. */
4206 {
4212 }
4218 /* The result is the number of bytes output by the formatted function,
4219 including the terminating NUL. */
4222 /* I/O functions with no destination argument (i.e., all forms of fprintf
4223 and printf) may fail under any conditions. Others (i.e., all forms of
4224 sprintf) may only fail under specific conditions determined for each
4225 directive. Clear POSUNDER4K for the former set of functions and set
4226 it to true for the latter (it can only be cleared later, but it is
4227 never set to true again). */
4234 /* When optimizing and the printf return value optimization is enabled,
4235 attempt to substitute the computed result for the return value of
4236 the call. Avoid this optimization when -frounding-math is in effect
4237 and the format string contains a floating point directive. */
4240 {
4241 /* Save a copy of the iterator pointing at the call. The iterator
4242 may change to point past the call in try_substitute_return_value
4243 but the original value is needed in try_simplify_call. */
4252 }
4255 }
4257 edge
4259 {
4262 {
4263 /* Iterate over statements, looking for function calls. */
4266 /* First record ranges generated by this statement. */
4270 /* If handle_gimple_call returns true, the iterator is
4271 already pointing to the next statement. */
4275 }
4277 }
4279 void
4281 {
4283 }
4285 /* Execute the pass for function FUN. */
4287 unsigned int
4289 {
4295 {
4298 }
4300 sprintf_dom_walker sprintf_dom_walker;
4304 {
4307 }
4309 /* Clean up object size info. */
4312 }
4316 /* Return a pointer to a pass object newly constructed from the context
4317 CTXT. */
4319 gimple_opt_pass *
4321 {
4323 }