| blob | f43778bbcfcd6ddf51ec9f8fc6c54f4fefe27bf4 |
1 /* Copyright (C) 2016-2017 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
9 version.
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 for more details.
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
83 /* The likely worst case value of MB_LEN_MAX for the target, large enough
84 for UTF-8. Ideally, this would be obtained by a target hook if it were
85 to be used for optimization but it's good enough as is for warnings. */
86 #define target_mb_len_max() 6
88 /* The maximum number of bytes a single non-string directive can result
89 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for
90 LDBL_MAX_10_EXP of 4932. */
91 #define IEEE_MAX_10_EXP 4932
92 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2)
106 };
108 /* Set to the warning level for the current function which is equal
109 either to warn_format_trunc for bounded functions or to
110 warn_format_overflow otherwise. */
117 {
124 { }
133 {
136 }
142 };
144 bool
146 {
147 /* Run the pass iff -Warn-format-overflow or -Warn-format-truncation
148 is specified and either not optimizing and the pass is being invoked
149 early, or when optimizing and the pass is being invoked during
150 optimization (i.e., "late"). */
155 }
157 /* The minimum, maximum, likely, and unlikely maximum number of bytes
158 of output either a formatting function or an individual directive
159 can result in. */
161 struct result_range
162 {
163 /* The absolute minimum number of bytes. The result of a successful
164 conversion is guaranteed to be no less than this. (An erroneous
165 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */
167 /* The likely maximum result that is used in diagnostics. In most
168 cases MAX is the same as the worst case UNLIKELY result. */
170 /* The likely result used to trigger diagnostics. For conversions
171 that result in a range of bytes [MIN, MAX], LIKELY is somewhere
172 in that range. */
174 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives
175 the worst cases maximum result of a directive. In most cases
176 UNLIKELY == MAX. UNLIKELY is used to control the return value
177 optimization but not in diagnostics. */
179 };
181 /* The result of a call to a formatted function. */
183 struct format_result
184 {
185 /* Range of characters written by the formatted function.
186 Setting the minimum to HOST_WIDE_INT_MAX disables all
187 length tracking for the remainder of the format string. */
188 result_range range;
190 /* True when the range above is obtained from known values of
191 directive arguments, or bounds on the amount of output such
192 as width and precision, and not the result of heuristics that
193 depend on warning levels. It's used to issue stricter diagnostics
194 in cases where strings of unknown lengths are bounded by the arrays
195 they are determined to refer to. KNOWNRANGE must not be used for
196 the return value optimization. */
199 /* True if no individual directive resulted in more than 4095 bytes
200 of output (the total NUMBER_CHARS_{MIN,MAX} might be greater).
201 Implementations are not required to handle directives that produce
202 more than 4K bytes (leading to undefined behavior) and so when one
203 is found it disables the return value optimization. */
206 /* True when a floating point directive has been seen in the format
207 string. */
210 /* True when an intermediate result has caused a warning. Used to
211 avoid issuing duplicate warnings while finishing the processing
212 of a call. WARNED also disables the return value optimization. */
215 /* Preincrement the number of output characters by 1. */
217 {
219 }
221 /* Postincrement the number of output characters by 1. */
223 {
227 }
229 /* Increment the number of output characters by N. */
231 };
233 format_result&
235 {
251 }
253 /* Return the value of INT_MIN for the target. */
257 {
259 }
261 /* Return the value of INT_MAX for the target. */
265 {
267 }
269 /* Return the value of SIZE_MAX for the target. */
273 {
275 }
277 /* A straightforward mapping from the execution character set to the host
278 character set indexed by execution character. */
282 /* Initialize a mapping from the execution character set to the host
283 character set. */
285 static bool
287 {
288 /* If the percent sign is non-zero the mapping has already been
289 initialized. */
293 /* Initialize the target_percent character (done elsewhere). */
297 /* The subset of the source character set used by printf conversion
298 specifications (strictly speaking, not all letters are used but
299 they are included here for the sake of simplicity). The dollar
300 sign must be included even though it's not in the basic source
301 character set. */
305 /* Set the mapping for all characters to some ordinary value (i,e.,
306 not none used in printf conversion specifications) and overwrite
307 those that are used by conversion specifications with their
308 corresponding values. */
311 /* Are the two sets of characters the same? */
315 {
316 /* Slice off the high end bits in case target characters are
317 signed. All values are expected to be non-nul, otherwise
318 there's a problem. */
320 {
324 }
325 else
328 }
330 /* Set the first element to a non-zero value if the mapping
331 is 1-to-1, otherwise leave it clear (NUL is assumed to be
332 the same in both character sets). */
336 }
338 /* Return the host source character corresponding to the character
339 CH in the execution character set if one exists, or some innocuous
340 (non-special, non-nul) source character otherwise. */
344 {
346 }
348 /* Convert an initial substring of the string TARGSTR consisting of
349 characters in the execution character set into a string in the
350 source character set on the host and store up to HOSTSZ characters
351 in the buffer pointed to by HOSTR. Return HOSTR. */
355 {
356 /* Make sure the buffer is reasonably big. */
359 /* The interesting subset of source and execution characters are
360 the same so no conversion is necessary. However, truncate
361 overlong strings just like the translated strings are. */
363 {
368 }
370 /* Convert the initial substring of TARGSTR to the corresponding
371 characters in the host set, appending "..." if TARGSTR is too
372 long to fit. Using the static buffer assumes the function is
373 not called in between sequence points (which it isn't). */
375 {
381 {
385 }
386 }
389 }
391 /* Convert the sequence of decimal digits in the execution character
392 starting at S to a long, just like strtol does. Return the result
393 and set *END to one past the last converted character. On range
394 error set ERANGE to the digit that caused it. */
398 {
401 {
404 {
407 /* Check for overflow. */
409 {
413 /* Skip the remaining digits. */
414 do
418 }
419 else
421 }
422 else
424 }
427 }
429 /* Return the constant initial value of DECL if available or DECL
430 otherwise. Same as the synonymous function in c/c-typeck.c. */
432 static tree
434 {
436 in a place where a variable is invalid. Note that DECL_INITIAL
437 isn't valid for a PARM_DECL. */
444 /* This is invalid if initial value is not constant.
445 If it has either a function call, a memory reference,
446 or a variable, then re-evaluating it could give different results. */
448 /* Check for cases where this is sub-optimal, even though valid. */
452 }
454 /* Given FORMAT, set *PLOC to the source location of the format string
455 and return the format string if it is known or null otherwise. */
459 {
461 {
462 /* Pull out a constant value if the front end didn't. */
465 }
468 {
469 /* FIXME: Diagnose null format string if it hasn't been diagnosed
470 by -Wformat (the latter diagnoses only nul pointer constants,
471 this pass can do better). */
473 }
478 {
489 /* POINTER_PLUS_EXPR offsets are to be interpreted signed. */
494 }
511 tree array_init;
518 {
519 /* Extract the string constant initializer. Note that this may
520 include a trailing NUL character that is not in the array (e.g.
521 const char a[3] = "foo";). */
524 }
533 {
534 /* Wide format string. */
536 }
542 {
543 /* Variable length arrays can't be initialized. */
547 {
553 }
554 }
556 {
562 }
565 {
566 /* FIXME: Diagnose an unterminated format string if it hasn't been
567 diagnosed by -Wformat. Similarly to a null format pointer,
568 -Wformay diagnoses only nul pointer constants, this pass can
569 do better). */
571 }
574 }
576 /* The format_warning_at_substring function is not used here in a way
577 that makes using attribute format viable. Suppress the warning. */
579 #pragma GCC diagnostic push
582 /* For convenience and brevity. */
584 static bool
589 /* Format length modifiers. */
591 enum format_lengths
592 {
593 FMT_LEN_none,
601 FMT_LEN_j // intmax_t
602 };
605 /* Description of the result of conversion either of a single directive
606 or the whole format string. */
608 struct fmtresult
609 {
610 /* Construct a FMTRESULT object with all counters initialized
611 to MIN. KNOWNRANGE is set when MIN is valid. */
616 {
621 }
623 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters.
624 KNOWNRANGE is set when both MIN and MAX are valid. */
630 {
635 }
637 /* Adjust result upward to reflect the RANGE of values the specified
638 width or precision is known to be in. */
643 /* Return the maximum number of decimal digits a value of TYPE
644 formats as on output. */
647 /* The range a directive's argument is in. */
650 /* The minimum and maximum number of bytes that a directive
651 results in on output for an argument in the range above. */
652 result_range range;
654 /* True when the range above is obtained from a known value of
655 a directive's argument or its bounds and not the result of
656 heuristics that depend on warning levels. */
659 /* True when the argument is a null pointer. */
661 };
663 /* Adjust result upward to reflect the range ADJUST of values the
664 specified width or precision is known to be in. When non-null,
665 TYPE denotes the type of the directive whose result is being
666 adjusted, BASE gives the base of the directive (octal, decimal,
667 or hex), and ADJ denotes the additional adjustment to the LIKELY
668 counter that may need to be added when ADJUST is a range. */
670 fmtresult&
675 {
678 /* Adjust the minimum and likely counters. */
680 {
682 {
685 }
687 /* Adjust the likely counter. */
690 }
695 /* Adjust the maximum counter. */
697 {
699 {
702 /* Set KNOWNRANGE if both the minimum and maximum have been
703 adjusted. Otherwise leave it at what it was before. */
705 }
706 }
709 {
710 /* For large non-constant width or precision whose range spans
711 the maximum number of digits produced by the directive for
712 any argument, set the likely number of bytes to be at most
713 the number digits plus other adjustment determined by the
714 caller (one for sign or two for the hexadecimal "0x"
715 prefix). */
720 }
722 {
723 /* Conservatively, set LIKELY to at least MIN but no less than
724 1 unless MAX is zero. */
729 }
731 /* Finally adjust the unlikely counter to be at least as large as
732 the maximum. */
737 }
739 /* Return the maximum number of digits a value of TYPE formats in
740 BASE on output, not counting base prefix . */
742 unsigned
744 {
752 /* Decimal approximation: yields 3, 5, 10, and 20 for precision
753 of 8, 16, 32, and 64 bits. */
755 }
757 static bool
760 /* Description of a format directive. A directive is either a plain
761 string or a conversion specification that starts with '%'. */
763 struct directive
764 {
765 /* The 1-based directive number (for debugging). */
768 /* The first character of the directive and its length. */
772 /* A bitmap of flags, one for each character. */
775 /* The range of values of the specified width, or -1 if not specified. */
777 /* The range of values of the specified precision, or -1 if not
778 specified. */
781 /* Length modifier. */
782 format_lengths modifier;
784 /* Format specifier character. */
787 /* The argument of the directive or null when the directive doesn't
788 take one or when none is available (such as for vararg functions). */
789 tree arg;
791 /* Format conversion function that given a directive and an argument
792 returns the formatting result. */
795 /* Return True when a the format flag CHR has been used. */
797 {
801 }
803 /* Make a record of the format flag CHR having been used. */
805 {
809 }
811 /* Reset the format flag CHR. */
813 {
817 }
819 /* Set both bounds of the width range to VAL. */
821 {
823 }
825 /* Set the width range according to ARG, with both bounds being
826 no less than 0. For a constant ARG set both bounds to its value
827 or 0, whichever is greater. For a non-constant ARG in some range
828 set width to its range adjusting each bound to -1 if it's less.
829 For an indeterminate ARG set width to [0, INT_MAX]. */
831 {
833 }
835 /* Set both bounds of the precision range to VAL. */
837 {
839 }
841 /* Set the precision range according to ARG, with both bounds being
842 no less than -1. For a constant ARG set both bounds to its value
843 or -1 whichever is greater. For a non-constant ARG in some range
844 set precision to its range adjusting each bound to -1 if it's less.
845 For an indeterminate ARG set precision to [-1, INT_MAX]. */
847 {
849 }
851 /* Return true if both width and precision are known to be
852 either constant or in some range, false otherwise. */
854 {
859 }
860 };
862 /* Return the logarithm of X in BASE. */
864 static int
866 {
868 do
869 {
874 }
876 /* Return the number of bytes resulting from converting into a string
877 the INTEGER_CST tree node X in BASE with a minimum of PREC digits.
878 PLUS indicates whether 1 for a plus sign should be added for positive
879 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal
880 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot
881 be represented. */
883 static HOST_WIDE_INT
885 {
888 HOST_WIDE_INT res;
891 {
893 {
896 }
897 else
899 }
900 else
901 {
903 {
906 {
907 /* Avoid undefined behavior due to negating a minimum. */
910 }
912 {
915 }
916 else
917 {
920 }
921 }
922 else
924 }
930 /* Adjust a non-zero value for the base prefix, either hexadecimal,
931 or, unless precision has resulted in a leading zero, also octal. */
933 {
938 }
941 }
943 /* Given the formatting result described by RES and NAVAIL, the number
944 of available in the destination, return the range of bytes remaining
945 in the destination. */
949 {
950 result_range range;
953 {
956 }
958 /* The lower bound of the available range is the available size
959 minus the maximum output size, and the upper bound is the size
960 minus the minimum. */
967 else
974 }
976 /* Description of a call to a formatted function. */
979 {
980 /* Function call statement. */
983 /* Function called. */
984 tree func;
986 /* Called built-in function code. */
987 built_in_function fncode;
989 /* Format argument and format string extracted from it. */
990 tree format;
993 /* The location of the format argument. */
994 location_t fmtloc;
996 /* The destination object size for __builtin___xxx_chk functions
997 typically determined by __builtin_object_size, or -1 if unknown. */
1000 /* Number of the first variable argument. */
1003 /* True for functions like snprintf that specify the size of
1004 the destination, false for others like sprintf that don't. */
1007 /* True for bounded functions like snprintf that specify a zero-size
1008 buffer as a request to compute the size of output without actually
1009 writing any. NOWRITE is cleared in response to the %n directive
1010 which has side-effects similar to writing output. */
1013 /* Return true if the called function's return value is used. */
1015 {
1017 }
1019 /* Return the warning option corresponding to the called function. */
1021 {
1023 }
1024 };
1026 /* Return the result of formatting a no-op directive (such as '%n'). */
1028 static fmtresult
1030 {
1033 }
1035 /* Return the result of formatting the '%%' directive. */
1037 static fmtresult
1039 {
1042 }
1045 /* Compute intmax_type_node and uintmax_type_node similarly to how
1046 tree.c builds size_type_node. */
1048 static void
1050 {
1052 {
1055 }
1057 {
1060 }
1062 {
1065 }
1066 else
1067 {
1070 {
1075 {
1079 }
1080 }
1082 }
1083 }
1085 /* Determine the range [*PMIN, *PMAX] that the expression ARG is
1086 in and that is representable in type int.
1087 Return true when the range is a subrange of that of int.
1088 When ARG is null it is as if it had the full range of int.
1089 When ABSOLUTE is true the range reflects the absolute value of
1090 the argument. When ABSOLUTE is false, negative bounds of
1091 the determined range are replaced with NEGBOUND. */
1093 static bool
1096 {
1097 /* The type of the result. */
1103 {
1106 }
1109 {
1110 /* For a constant argument return its value adjusted as specified
1111 by NEGATIVE and NEGBOUND and return true to indicate that the
1112 result is known. */
1116 }
1117 else
1118 {
1119 /* True if the argument's range cannot be determined. */
1124 /* Ignore invalid arguments with greater precision that that
1125 of the expected type (e.g., in sprintf("%*i", 12LL, i)).
1126 They will have been detected and diagnosed by -Wformat and
1127 so it's not important to complicate this code to try to deal
1128 with them again. */
1132 {
1133 /* Try to determine the range of values of the integer argument. */
1137 {
1138 HOST_WIDE_INT type_min
1149 {
1150 /* Return true if the adjusted range is a subrange of
1151 the full range of the argument's type. *PMAX may
1152 be less than *PMIN when the argument is unsigned
1153 and its upper bound is in excess of TYPE_MAX. In
1154 that (invalid) case disregard the range and use that
1155 of the expected type instead. */
1159 }
1160 }
1161 }
1163 /* Handle an argument with an unknown range as if none had been
1164 provided. */
1167 }
1169 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */
1171 {
1173 {
1176 else
1177 {
1178 /* Make sure signed overlow is avoided. */
1185 }
1186 }
1187 }
1192 }
1194 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual
1195 argument, due to the conversion from either *ARGMIN or *ARGMAX to
1196 the type of the directive's formal argument it's possible for both
1197 to result in the same number of bytes or a range of bytes that's
1198 less than the number of bytes that would result from formatting
1199 some other value in the range [*ARGMIN, *ARGMAX]. This can be
1200 determined by checking for the actual argument being in the range
1201 of the type of the directive. If it isn't it must be assumed to
1202 take on the full range of the directive's type.
1203 Return true when the range has been adjusted to the full range
1204 of DIRTYPE, and false otherwise. */
1206 static bool
1208 {
1213 /* If the actual argument and the directive's argument have the same
1214 precision and sign there can be no overflow and so there is nothing
1215 to adjust. */
1219 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P
1220 branch in the extract_range_from_unary_expr function in tree-vrp.c. */
1230 {
1234 /* If *ARGMIN is still less than *ARGMAX the conversion above
1235 is safe. Otherwise, it has overflowed and would be unsafe. */
1238 }
1243 }
1245 /* Return a range representing the minimum and maximum number of bytes
1246 that the format directive DIR will output for any argument given
1247 the WIDTH and PRECISION (extracted from DIR). This function is
1248 used when the directive argument or its value isn't known. */
1250 static fmtresult
1252 {
1253 tree intmax_type_node;
1254 tree uintmax_type_node;
1256 /* Base to format the number in. */
1259 /* True when a conversion is preceded by a prefix indicating the base
1260 of the argument (octal or hexadecimal). */
1263 /* True when a signed conversion is preceded by a sign or space. */
1266 /* True for signed conversions (i.e., 'd' and 'i'). */
1270 {
1273 /* Space and '+' are only meaningful for signed conversions. */
1290 }
1292 /* The type of the "formal" argument expected by the directive. */
1295 /* Determine the expected type of the argument from the length
1296 modifier. */
1298 {
1302 else
1320 dirtype = (sign
1321 ? long_long_integer_type_node
1340 }
1342 /* The type of the argument to the directive, either deduced from
1343 the actual non-constant argument if one is known, or from
1344 the directive itself when none has been provided because it's
1345 a va_list. */
1349 {
1350 /* When the argument has not been provided, use the type of
1351 the directive's argument as an approximation. This will
1352 result in false positives for directives like %i with
1353 arguments with smaller precision (such as short or char). */
1355 }
1357 {
1358 /* When a constant argument has been provided use its value
1359 rather than type to determine the length of the output. */
1360 fmtresult res;
1363 {
1364 /* As a special case, a precision of zero with a zero argument
1365 results in zero bytes except in base 8 when the '#' flag is
1366 specified, and for signed conversions in base 8 and 10 when
1367 either the space or '+' flag has been specified and it results
1368 in just one byte (with width having the normal effect). This
1369 must extend to the case of a specified precision with
1370 an unknown value because it can be zero. */
1373 {
1376 }
1377 else
1378 {
1381 }
1382 }
1383 else
1384 {
1385 /* Convert the argument to the type of the directive. */
1392 else
1397 }
1401 /* Bump up the counters if WIDTH is greater than LEN. */
1404 /* Bump up the counters again if PRECision is greater still. */
1409 }
1412 /* Determine the type of the provided non-constant argument. */
1414 else
1415 /* Don't bother with invalid arguments since they likely would
1416 have already been diagnosed, and disable any further checking
1417 of the format string by returning [-1, -1]. */
1420 fmtresult res;
1422 /* Using either the range the non-constant argument is in, or its
1423 type (either "formal" or actual), create a range of values that
1424 constrain the length of output given the warning level. */
1431 {
1432 /* Try to determine the range of values of the integer argument
1433 (range information is not available for pointers). */
1437 {
1441 /* Set KNOWNRANGE if the argument is in a known subrange
1442 of the directive's type and neither width nor precision
1443 is unknown. (KNOWNRANGE may be reset below). */
1444 res.knownrange
1451 }
1453 {
1454 /* Handle anti-ranges if/when bug 71690 is resolved. */
1455 }
1457 {
1458 /* The argument here may be the result of promoting the actual
1459 argument to int. Try to determine the type of the actual
1460 argument before promotion and narrow down its range that
1461 way. */
1464 {
1467 {
1470 }
1473 {
1478 }
1479 }
1480 }
1481 }
1484 {
1486 {
1489 }
1490 else
1491 {
1494 }
1495 }
1497 /* Clear KNOWNRANGE if the range has been adjusted to the maximum
1498 of the directive. If it has been cleared then since ARGMIN and/or
1499 ARGMAX have been adjusted also adjust the corresponding ARGMIN and
1500 ARGMAX in the result to include in diagnostics. */
1502 {
1506 }
1508 /* Recursively compute the minimum and maximum from the known range. */
1510 {
1511 /* For unsigned conversions/directives or signed when
1512 the minimum is positive, use the minimum and maximum to compute
1513 the shortest and longest output, respectively. */
1516 }
1518 {
1519 /* For signed conversions/directives if maximum is negative,
1520 use the minimum as the longest output and maximum as the
1521 shortest output. */
1524 }
1525 else
1526 {
1527 /* Otherwise, 0 is inside of the range and minimum negative. Use 0
1528 as the shortest output and for the longest output compute the
1529 length of the output of both minimum and maximum and pick the
1530 longer. */
1535 }
1537 /* If the range is known, use the maximum as the likely length. */
1540 else
1541 {
1542 /* Otherwise, use the minimum. Except for the case where for %#x or
1543 %#o the minimum is just for a single value in the range (0) and
1544 for all other values it is something longer, like 0x1 or 01.
1545 Use the length for value 1 in that case instead as the likely
1546 length. */
1551 {
1558 }
1559 }
1568 }
1570 /* Return the number of bytes that a format directive consisting of FLAGS,
1571 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC,
1572 would result for argument X under ideal conditions (i.e., if PREC
1573 weren't excessive). MPFR 3.1 allocates large amounts of memory for
1574 values of PREC with large magnitude and can fail (see MPFR bug #21056).
1575 This function works around those problems. */
1577 static unsigned HOST_WIDE_INT
1580 {
1594 {
1595 /* For %e, specify the precision explicitly since mpfr_sprintf
1596 does its own thing just to be different (see MPFR bug 21088). */
1599 }
1600 else
1601 {
1602 /* Avoid passing negative precisions with larger magnitude to MPFR
1603 to avoid exposing its bugs. (A negative precision is supposed
1604 to be ignored.) */
1607 }
1612 {
1613 /* For G/g without the pound flag, precision gives the maximum number
1614 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for
1615 a 128 bit IEEE extended precision, 4932. Using twice as much here
1616 should be more than sufficient for any real format. */
1620 }
1621 else
1622 {
1623 /* Cap precision arbitrarily at 1KB and add the difference
1624 (if any) to the MPFR result. */
1627 }
1631 /* Handle the unlikely (impossible?) error by returning more than
1632 the maximum dictated by the function's return type. */
1636 /* Adjust the return value by the difference. */
1641 }
1643 /* Return the number of bytes to format using the format specifier
1644 SPEC and the precision PREC the largest value in the real floating
1645 TYPE. */
1647 static unsigned HOST_WIDE_INT
1649 {
1652 /* IBM Extended mode. */
1656 /* Get the real type format desription for the target. */
1658 REAL_VALUE_TYPE rv;
1662 /* Convert the GCC real value representation with the precision
1663 of the real type to the mpfr_t format with the GCC default
1664 round-to-nearest mode. */
1665 mpfr_t x;
1669 /* Return a value one greater to account for the leading minus sign. */
1670 unsigned HOST_WIDE_INT r
1674 }
1676 /* Return a range representing the minimum and maximum number of bytes
1677 that the directive DIR will output for any argument. PREC gives
1678 the adjusted precision range to account for negative precisions
1679 meaning the default 6. This function is used when the directive
1680 argument or its value isn't known. */
1682 static fmtresult
1684 {
1685 tree type;
1688 {
1704 }
1706 /* The minimum and maximum number of bytes produced by the directive. */
1707 fmtresult res;
1709 /* The minimum output as determined by flags. It's always at least 1.
1710 When plus or space are set the output is preceded by either a sign
1711 or a space. */
1715 /* When the pound flag is set the decimal point is included in output
1716 regardless of precision. Whether or not a decimal point is included
1717 otherwise depends on the specification and precision. */
1721 {
1724 {
1732 + flagmin
1733 + radix
1734 + minprec
1740 /* The unlikely maximum accounts for the longest multibyte
1741 decimal point character. */
1747 }
1751 {
1752 /* Minimum output attributable to precision and, when it's
1753 non-zero, decimal point. */
1756 /* The minimum output is "[-+]1.234567e+00" regardless
1757 of the value of the actual argument. */
1759 + radix
1760 + minprec
1766 /* The unlikely maximum accounts for the longest multibyte
1767 decimal point character. */
1771 else
1774 }
1778 {
1779 /* Minimum output attributable to precision and, when it's non-zero,
1780 decimal point. */
1783 /* The lower bound when precision isn't specified is 8 bytes
1784 ("1.23456" since precision is taken to be 6). When precision
1785 is zero, the lower bound is 1 byte (e.g., "1"). Otherwise,
1786 when precision is greater than zero, then the lower bound
1787 is 2 plus precision (plus flags). */
1790 /* Compute the upper bound for -TYPE_MAX. */
1793 /* The minimum output with unknown precision is a single byte
1794 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */
1797 else
1800 /* The unlikely maximum accounts for the longest multibyte
1801 decimal point character. */
1806 }
1810 {
1811 /* The %g output depends on precision and the exponent of
1812 the argument. Since the value of the argument isn't known
1813 the lower bound on the range of bytes (not counting flags
1814 or width) is 1 plus radix (i.e., either "0" or "0." for
1815 "%g" and "%#g", respectively, with a zero argument). */
1821 {
1822 /* When the pound flag (radix) is set, trailing zeros aren't
1823 trimmed and so the longest output is the same as for %e,
1824 except with precision minus 1 (as specified in C11). */
1830 }
1831 else
1836 /* The likely output is either the maximum computed above
1837 minus 1 (assuming the maximum is positive) when precision
1838 is known (or unspecified), or the same minimum as for %e
1839 (which is computed for a non-negative argument). Unlike
1840 for the other specifiers above the likely output isn't
1841 the minimum because for %g that's 1 which is unlikely. */
1845 else
1846 {
1849 + radix
1850 + minprec
1852 }
1854 /* The unlikely maximum accounts for the longest multibyte
1855 decimal point character. */
1858 }
1862 }
1864 /* Bump up the byte counters if WIDTH is greater. */
1867 }
1869 /* Return a range representing the minimum and maximum number of bytes
1870 that the directive DIR will write on output for the floating argument
1871 ARG. */
1873 static fmtresult
1875 {
1878 /* For an indeterminate precision the lower bound must be assumed
1879 to be zero. */
1881 {
1882 /* Get the number of fractional decimal digits needed to represent
1883 the argument without a loss of accuracy. */
1888 unsigned fmtprec
1891 /* The precision of the IEEE 754 double format is 53.
1892 The precision of all other GCC binary double formats
1893 is 56 or less. */
1896 /* For %a, leave the minimum precision unspecified to let
1897 MFPR trim trailing zeros (as it and many other systems
1898 including Glibc happen to do) and set the maximum
1899 precision to reflect what it would be with trailing zeros
1900 present (as Solaris and derived systems do). */
1902 {
1903 /* Both bounds are negative implies that precision has
1904 not been specified. */
1907 }
1909 {
1910 /* With a negative lower bound and a non-negative upper
1911 bound set the minimum precision to zero and the maximum
1912 to the greater of the maximum precision (i.e., with
1913 trailing zeros present) and the specified upper bound. */
1916 }
1917 }
1919 {
1921 {
1922 /* A precision in a strictly negative range is ignored and
1923 the default of 6 is used instead. */
1925 }
1926 else
1927 {
1928 /* For a precision in a partly negative range, the lower bound
1929 must be assumed to be zero and the new upper bound is the
1930 greater of 6 (the default precision used when the specified
1931 precision is negative) and the upper bound of the specified
1932 range. */
1935 }
1936 }
1941 /* The minimum and maximum number of bytes produced by the directive. */
1942 fmtresult res;
1944 /* Get the real type format desription for the target. */
1951 /* Append flags. */
1958 {
1959 /* Set up an array to easily iterate over. */
1962 };
1965 {
1966 /* Convert the GCC real value representation with the precision
1967 of the real type to the mpfr_t format rounding down in the
1968 first iteration that computes the minimm and up in the second
1969 that computes the maximum. This order is arbibtrary because
1970 rounding in either direction can result in longer output. */
1971 mpfr_t mpfrval;
1975 /* Use the MPFR rounding specifier to round down in the first
1976 iteration and then up. In most but not all cases this will
1977 result in the same number of bytes. */
1980 /* Format it and store the result in the corresponding member
1981 of the result struct. */
1985 }
1986 }
1988 /* Make sure the minimum is less than the maximum (MPFR rounding
1989 in the call to mpfr_snprintf can result in the reverse. */
1991 {
1995 }
1997 /* The range is known unless either width or precision is unknown. */
2000 /* For the same floating point constant, unless width or precision
2001 is unknown, use the longer output as the likely maximum since
2002 with round to nearest either is equally likely. Otheriwse, when
2003 precision is unknown, use the greater of the minimum and 3 as
2004 the likely output (for "0.0" since zero precision is unlikely). */
2011 else
2017 {
2018 /* Unless the precision is zero output longer than 2 bytes may
2019 include the decimal point which must be a single character
2020 up to MB_LEN_MAX in length. This is overly conservative
2021 since in some conversions some constants result in no decimal
2022 point (e.g., in %g). */
2024 }
2028 }
2030 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
2031 strings referenced by the expression STR, or (-1, -1) when not known.
2032 Used by the format_string function below. */
2034 static fmtresult
2036 {
2041 {
2042 /* Simply return the length of the string. */
2045 }
2047 /* Determine the length of the shortest and longest string referenced
2048 by STR. Strings of unknown lengths are bounded by the sizes of
2049 arrays that subexpressions of STR may refer to. Pointers that
2050 aren't known to point any such arrays result in LENRANGE[1] set
2051 to SIZE_MAX. */
2056 {
2057 HOST_WIDE_INT min
2062 HOST_WIDE_INT max
2067 /* get_range_strlen() returns the target value of SIZE_MAX for
2068 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U
2069 which may be bigger. */
2077 /* Set RES.KNOWNRANGE to true if and only if all strings referenced
2078 by STR are known to be bounded (though not necessarily by their
2079 actual length but perhaps by their maximum possible length). */
2081 {
2083 /* When the the length of the longest string is known and not
2084 excessive use it as the likely length of the string(s). */
2086 }
2087 else
2088 {
2089 /* When the upper bound is unknown (it can be zero or excessive)
2090 set the likely length to the greater of 1 and the length of
2091 the shortest string and reset the lower bound to zero. */
2094 }
2096 /* If the range of string length has been estimated from the size
2097 of an array at the end of a struct assume that it's longer than
2098 the array bound says it is in case it's used as a poor man's
2099 flexible array member, such as in struct S { char a[4]; }; */
2103 }
2106 }
2108 /* Return the minimum and maximum number of characters formatted
2109 by the '%c' format directives and its wide character form for
2110 the argument ARG. ARG can be null (for functions such as
2111 vsprinf). */
2113 static fmtresult
2115 {
2116 fmtresult res;
2121 {
2122 /* A wide character can result in as few as zero bytes. */
2127 {
2129 {
2130 /* The NUL wide character results in no bytes. */
2134 }
2136 {
2137 /* A wide character in the ASCII range most likely results
2138 in a single byte, and only unlikely in up to MB_LEN_MAX. */
2142 }
2143 else
2144 {
2145 /* A wide character outside the ASCII range likely results
2146 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */
2150 }
2151 }
2152 else
2153 {
2154 /* An unknown wide character is treated the same as a wide
2155 character outside the ASCII range. */
2159 }
2160 }
2161 else
2162 {
2163 /* A plain '%c' directive. Its ouput is exactly 1. */
2167 }
2169 /* Bump up the byte counters if WIDTH is greater. */
2171 }
2173 /* Return the minimum and maximum number of characters formatted
2174 by the '%s' format directive and its wide character form for
2175 the argument ARG. ARG can be null (for functions such as
2176 vsprinf). */
2178 static fmtresult
2180 {
2181 fmtresult res;
2183 /* Compute the range the argument's length can be in. */
2187 {
2188 /* The argument is either a string constant or it refers
2189 to one of a number of strings of the same length. */
2191 /* A '%s' directive with a string argument with constant length. */
2195 {
2196 /* In the worst case the length of output of a wide string S
2197 is bounded by MB_LEN_MAX * wcslen (S). */
2200 /* It's likely that the the total length is not more that
2201 2 * wcslen (S).*/
2206 {
2210 }
2217 /* Even a non-empty wide character string need not convert into
2218 any bytes. */
2220 }
2221 else
2222 {
2231 {
2235 }
2236 }
2237 }
2239 {
2240 /* Handle null pointer argument. */
2245 }
2246 else
2247 {
2248 /* For a '%s' and '%ls' directive with a non-constant string (either
2249 one of a number of strings of known length or an unknown string)
2250 the minimum number of characters is lesser of PRECISION[0] and
2251 the length of the shortest known string or zero, and the maximum
2252 is the lessser of the length of the longest known string or
2253 PTRDIFF_MAX and PRECISION[1]. The likely length is either
2254 the minimum at level 1 and the greater of the minimum and 1
2255 at level 2. This result is adjust upward for width (if it's
2256 specified). */
2259 {
2260 /* A wide character converts to as few as zero bytes. */
2270 }
2275 {
2276 /* Adjust the minimum to zero if the string length is unknown,
2277 or at most the lower bound of the precision otherwise. */
2283 /* Make both maxima no greater than the upper bound of precision. */
2286 {
2289 }
2291 /* If precision is constant, set the likely counter to the lesser
2292 of it and the maximum string length. Otherwise, if the lower
2293 bound of precision is greater than zero, set the likely counter
2294 to the minimum. Otherwise set it to zero or one based on
2295 the warning level. */
2302 else
2304 }
2306 {
2311 }
2313 {
2316 /* At level 1 strings of unknown length are assumed to be
2317 empty, while at level 1 they are assumed to be one byte
2318 long. */
2320 }
2321 else
2322 {
2323 /* A string of unknown length unconstrained by precision is
2324 assumed to be empty at level 1 and just one character long
2325 at higher levels. */
2328 }
2331 }
2333 /* Bump up the byte counters if WIDTH is greater. */
2335 }
2337 /* Format plain string (part of the format string itself). */
2339 static fmtresult
2341 {
2344 }
2346 /* Return true if the RESULT of a directive in a call describe by INFO
2347 should be diagnosed given the AVAILable space in the destination. */
2349 static bool
2352 {
2354 {
2355 /* The least amount of space remaining in the destination is big
2356 enough for the longest output. */
2358 }
2361 {
2364 {
2365 /* The likely amount of space remaining in the destination is big
2366 enough for the least output and the return value is used. */
2368 }
2372 {
2373 /* The likely amount of space remaining in the destination is big
2374 enough for the likely output and the return value is unused. */
2376 }
2382 {
2383 /* The minimum amount of space remaining in the destination is big
2384 enough for the longest output. */
2386 }
2387 }
2388 else
2389 {
2391 {
2392 /* The likely amount of space remaining in the destination is big
2393 enough for the likely output. */
2395 }
2401 {
2402 /* The minimum amount of space remaining in the destination is big
2403 enough for the longest output. */
2405 }
2406 }
2409 }
2411 /* At format string location describe by DIRLOC in a call described
2412 by INFO, issue a warning for a directive DIR whose output may be
2413 in excess of the available space AVAIL_RANGE in the destination
2414 given the formatting result FMTRES. This function does nothing
2415 except decide whether to issue a warning for a possible write
2416 past the end or truncation and, if so, format the warning.
2417 Return true if a warning has been issued. */
2419 static bool
2424 {
2428 /* A warning will definitely be issued below. */
2430 /* The maximum byte count to reference in the warning. Larger counts
2431 imply that the upper bound is unknown (and could be anywhere between
2432 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather
2433 than "between N and X" where X is some huge number. */
2436 /* True when there is enough room in the destination for the least
2437 amount of a directive's output but not enough for its likely or
2438 maximum output. */
2444 /* Buffer for the directive in the host character set (used when
2445 the source character set is different). */
2449 {
2450 /* The size of the destination region is exact. */
2454 {
2455 /* For plain character directives (i.e., the format string itself)
2456 but not others, point the caret at the first character that's
2457 past the end of the destination. */
2459 }
2462 {
2463 /* This is the terminating nul. */
2468 ? (maybe
2472 : (maybe
2480 }
2483 {
2487 ? (maybe
2495 ? (maybe
2506 }
2509 {
2512 ? (maybe
2523 }
2526 {
2527 /* This is a special case to avoid issuing the potentially
2528 confusing warning:
2529 writing 0 or more bytes into a region of size 0. */
2532 ? (maybe
2543 }
2546 {
2549 ? (maybe
2560 }
2564 ? (maybe
2575 }
2577 /* The size of the destination region is a range. */
2580 {
2583 /* For plain character directives (i.e., the format string itself)
2584 but not others, point the caret at the first character that's
2585 past the end of the destination. */
2587 }
2590 {
2595 ? (maybe
2599 : (maybe
2607 }
2610 {
2614 ? (maybe
2622 ? (maybe
2634 }
2637 {
2640 ? (maybe
2642 "up to %wu bytes into a region of size between "
2645 "up to %wu bytes into a region of size between "
2653 }
2656 {
2657 /* This is a special case to avoid issuing the potentially confusing
2658 warning:
2659 writing 0 or more bytes into a region of size between 0 and N. */
2662 ? (maybe
2664 "likely %wu or more bytes into a region of size between "
2667 "%wu or more bytes into a region of size between "
2675 }
2678 {
2681 ? (maybe
2683 "between %wu and %wu bytes into a region of size "
2686 "between %wu and %wu bytes into a region of size "
2694 }
2698 ? (maybe
2700 "%wu or more bytes into a region of size between "
2703 "%wu or more bytes into a region of size between "
2711 }
2713 /* Compute the length of the output resulting from the directive DIR
2714 in a call described by INFO and update the overall result of the call
2715 in *RES. Return true if the directive has been handled. */
2717 static bool
2720 {
2721 /* Offset of the beginning of the directive from the beginning
2722 of the format string. */
2727 /* Create a location for the whole directive from the % to the format
2728 specifier. */
2732 /* Also create a location range for the argument if possible.
2733 This doesn't work for integer literals or function calls. */
2734 source_range argrange;
2737 {
2740 }
2741 else
2744 /* Bail when there is no function to compute the output length,
2745 or when minimum length checking has been disabled. */
2749 /* Compute the range of lengths of the formatted output. */
2752 /* Record whether the output of all directives is known to be
2753 bounded by some maximum, implying that their arguments are
2754 either known exactly or determined to be in a known range
2755 or, for strings, limited by the upper bounds of the arrays
2756 they refer to. */
2760 {
2761 /* Only when the range is known, check it against the host value
2762 of INT_MAX + (the number of bytes of the "%.*Lf" directive with
2763 INT_MAX precision, which is the longest possible output of any
2764 single directive). That's the largest valid byte count (though
2765 not valid call to a printf-like function because it can never
2766 return such a count). Otherwise, the range doesn't correspond
2767 to known values of the argument. */
2769 {
2770 /* Normalize the MAX counter to avoid having to deal with it
2771 later. The counter can be less than HOST_WIDE_INT_M1U
2772 when compiling for an ILP32 target on an LP64 host. */
2774 /* Disable exact and maximum length checking after a failure
2775 to determine the maximum number of characters (for example
2776 for wide characters or wide character strings) but continue
2777 tracking the minimum number of characters. */
2779 }
2782 {
2783 /* Disable exact length checking after a failure to determine
2784 even the minimum number of characters (it shouldn't happen
2785 except in an error) but keep tracking the minimum and maximum
2786 number of characters. */
2788 }
2789 }
2791 /* Buffer for the directive in the host character set (used when
2792 the source character set is different). */
2798 {
2803 /* Don't bother processing the rest of the format string. */
2808 }
2810 /* Compute the number of available bytes in the destination. There
2811 must always be at least one byte of space for the terminating
2812 NUL that's appended after the format string has been processed. */
2821 /* Bump up the total maximum if it isn't too big. */
2826 /* Raise the total unlikely maximum by the larger of the maximum
2827 and the unlikely maximum. */
2831 else
2840 /* Has the minimum directive output length exceeded the maximum
2841 of 4095 bytes required to be supported? */
2844 /* Clear UNDER4K in the overall result if the maximum has exceeded
2845 the 4k (this is necessary to avoid the return valuye optimization
2846 that may not be safe in the maximum case). */
2851 /* Only warn at level 2. */
2853 && (!minunder4k
2855 {
2856 /* The directive output may be longer than the maximum required
2857 to be handled by an implementation according to 7.21.6.1, p15
2858 of C11. Warn on this only at level 2 but remember this and
2859 prevent folding the return value when done. This allows for
2860 the possibility of the actual libc call failing due to ENOMEM
2861 (like Glibc does under some conditions). */
2866 "%<%.*s%> directive output of %wu bytes exceeds "
2868 dirlen,
2871 else
2872 {
2874 = (minunder4k
2884 }
2885 }
2887 /* Has the likely and maximum directive output exceeded INT_MAX? */
2889 /* Don't consider the maximum to be in excess when it's the result
2890 of a string of unknown length (i.e., whose maximum has been set
2891 to be greater than or equal to HOST_WIDE_INT_MAX. */
2897 /* Warn for the likely output size at level 1. */
2898 && (likelyximax
2899 /* But only warn for the maximum at level 2. */
2901 && maxximax
2903 {
2904 /* The directive output causes the total length of output
2905 to exceed INT_MAX bytes. */
2909 "%<%.*s%> directive output of %wu bytes causes "
2911 dirlen,
2914 else
2915 {
2926 }
2927 }
2931 {
2937 }
2940 {
2946 else
2950 }
2955 {
2956 /* If a warning has been issued for buffer overflow or truncation
2957 (but not otherwise) help the user figure out how big a buffer
2958 they need. */
2973 "%qE output between %wu and %wu bytes into "
2978 "%qE output %wu or more bytes (assuming %wu) into "
2981 else
2985 }
2988 {
2999 }
3002 }
3004 #pragma GCC diagnostic pop
3006 /* Parse a format directive in function call described by INFO starting
3007 at STR and populate DIR structure. Bump up *ARGNO by the number of
3008 arguments extracted for the directive. Return the length of
3009 the directive. */
3011 static size_t
3015 {
3020 {
3021 /* This directive is either a plain string or the terminating nul
3022 (which isn't really a directive but it simplifies things to
3023 handle it as if it were). */
3028 {
3034 }
3037 }
3041 /* POSIX numbered argument index or zero when none. */
3044 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN
3045 when given by a va_list argument, and a non-negative value
3046 when specified in the format string itself. */
3050 /* Pointers to the beginning of the width and precision decimal
3051 string (if any) within the directive. */
3055 /* When the value of the decimal string that specifies width or
3056 precision is out of range, points to the digit that causes
3057 the value to exceed the limit. */
3061 /* Width specified via the asterisk. Need not be INTEGER_CST.
3062 For vararg functions set to void_node. */
3065 /* Width specified via the asterisk. Need not be INTEGER_CST.
3066 For vararg functions set to void_node. */
3070 {
3071 /* This could be either a POSIX positional argument, the '0'
3072 flag, or a width, depending on what follows. Store it as
3073 width and sort it out later after the next character has
3074 been seen. */
3077 }
3079 {
3080 /* Similarly to the block above, this could be either a POSIX
3081 positional argument or a width, depending on what follows. */
3084 else
3087 }
3090 {
3091 /* Handle the POSIX dollar sign which references the 1-based
3092 positional argument number. */
3101 /* Bail when the numbered argument is out of range (it will
3102 have already been diagnosed by -Wformat). */
3113 }
3116 {
3118 {
3120 {
3121 /* The '0' that has been interpreted as a width above is
3122 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
3123 and continue processing other flags. */
3126 }
3128 {
3129 /* (Non-zero) width has been seen. The next character
3130 is either a period or a digit. */
3132 }
3133 }
3134 /* When either '$' has been seen, or width has not been seen,
3135 the next field is the optional flags followed by an optional
3136 width. */
3139 {
3150 }
3151 }
3153 start_width:
3155 {
3159 }
3161 {
3164 else
3165 {
3166 /* This is (likely) a va_list. It could also be an invalid
3167 call with insufficient arguments. */
3169 }
3171 }
3173 {
3174 /* The POSIX apostrophe indicating a numeric grouping
3175 in the current locale. Even though it's possible to
3176 estimate the upper bound on the size of the output
3177 based on the number of digits it probably isn't worth
3178 continuing. */
3180 }
3181 }
3183 start_precision:
3185 {
3189 {
3192 }
3194 {
3197 else
3198 {
3199 /* This is (likely) a va_list. It could also be an invalid
3200 call with insufficient arguments. */
3202 }
3204 }
3205 else
3206 {
3207 /* The decimal precision or the asterisk are optional.
3208 When neither is dirified it's taken to be zero. */
3210 }
3211 }
3214 {
3217 {
3220 }
3221 else
3238 {
3241 }
3242 else
3256 }
3259 {
3260 /* Handle a sole '%' character the same as "%%" but since it's
3261 undefined prevent the result from being folded. */
3265 /* FALLTHRU */
3292 /* The %p output is implementation-defined. It's possible
3293 to determine this format but due to extensions (edirially
3294 those of the Linux kernel -- see bug 78512) the first %p
3295 in the format string disables any further processing. */
3299 /* %n has side-effects even when nothing is actually printed to
3300 any buffer. */
3315 /* Unknown conversion specification. */
3317 }
3321 /* Store the length of the format directive. */
3324 /* Buffer for the directive in the host character set (used when
3325 the source character set is different). */
3329 {
3332 else
3333 {
3334 /* Width specified by a va_list takes on the range [0, -INT_MIN]
3335 (width is the absolute value of that specified). */
3338 }
3339 }
3340 else
3341 {
3343 {
3348 /* Create a location for the width part of the directive,
3349 pointing the caret at the first out-of-range digit. */
3356 }
3359 }
3362 {
3365 else
3366 {
3367 /* Precision specified by a va_list takes on the range [-1, INT_MAX]
3368 (unlike width, negative precision is ignored). */
3371 }
3372 }
3373 else
3374 {
3376 {
3381 /* Create a location for the precision part of the directive,
3382 including the leading period, pointing the caret at the first
3383 out-of-range digit . */
3390 }
3393 }
3395 /* Extract the argument if the directive takes one and if it's
3396 available (e.g., the function doesn't take a va_list). Treat
3397 missing arguments the same as va_list, even though they will
3398 have likely already been diagnosed by -Wformat. */
3404 {
3409 {
3412 else
3415 }
3418 {
3421 else
3424 }
3426 }
3429 }
3431 /* Compute the length of the output resulting from the call to a formatted
3432 output function described by INFO and store the result of the call in
3433 *RES. Issue warnings for detected past the end writes. Return true
3434 if the complete format string has been processed and *RES can be relied
3435 on, false otherwise (e.g., when a unknown or unhandled directive was seen
3436 that caused the processing to be terminated early). */
3438 bool
3441 {
3443 {
3451 }
3453 /* Reset the minimum and maximum byte counters. */
3456 /* No directive has been seen yet so the length of output is bounded
3457 by the known range [0, 0] (with no conversion producing more than
3458 4K bytes) until determined otherwise. */
3464 /* 1-based directive counter. */
3467 /* The variadic argument counter. */
3471 {
3477 /* Return failure if the format function fails. */
3481 /* Return success the directive is zero bytes long and it's
3482 the last think in the format string (i.e., it's the terminating
3483 nul, which isn't really a directive but handling it as one makes
3484 things simpler). */
3489 }
3491 /* The complete format string was processed (with or without warnings). */
3493 }
3495 /* Return the size of the object referenced by the expression DEST if
3496 available, or -1 otherwise. */
3498 static unsigned HOST_WIDE_INT
3500 {
3501 /* Initialize object size info before trying to compute it. */
3504 /* Use __builtin_object_size to determine the size of the destination
3505 object. When optimizing, determine the smallest object (such as
3506 a member array as opposed to the whole enclosing object), otherwise
3507 use type-zero object size to determine the size of the enclosing
3508 object (the function fails without optimization in this type). */
3515 }
3517 /* Return true if the call described by INFO with result RES safe to
3518 optimize (i.e., no undefined behavior), and set RETVAL to the range
3519 of its return values. */
3521 static bool
3525 {
3529 /* The minimum return value. */
3532 /* The maximum return value is in most cases bounded by RES.RANGE.MAX
3533 but in cases involving multibyte characters could be as large as
3534 RES.RANGE.UNLIKELY. */
3538 /* Adjust the number of bytes which includes the terminating nul
3539 to reflect the return value of the function which does not.
3540 Because the valid range of the function is [INT_MIN, INT_MAX],
3541 a valid range before the adjustment below is [0, INT_MAX + 1]
3542 (the functions only return negative values on error or undefined
3543 behavior). */
3549 /* Avoid the return value optimization when the behavior of the call
3550 is undefined either because any directive may have produced 4K or
3551 more of output, or the return value exceeds INT_MAX, or because
3552 the output overflows the destination object (but leave it enabled
3553 when the function is bounded because then the behavior is well-
3554 defined). */
3569 }
3571 /* Given a suitable result RES of a call to a formatted output function
3572 described by INFO, substitute the result for the return value of
3573 the call. The result is suitable if the number of bytes it represents
3574 is known and exact. A result that isn't suitable for substitution may
3575 have its range set to the range of return values, if that is known.
3576 Return true if the call is removed and gsi_next should not be performed
3577 in the caller. */
3579 static bool
3583 {
3586 /* Set to true when the entire call has been removed. */
3589 /* The minimum and maximum return value. */
3595 /* Not prepared to handle possibly throwing calls here; they shouldn't
3596 appear in non-artificial testcases, except when the __*_chk routines
3597 are badly declared. */
3599 {
3604 {
3605 /* Remove the call to the bounded function with a zero size
3606 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */
3610 }
3612 {
3613 /* Replace the call to the bounded function with a zero size
3614 (e.g., snprintf(0, 0, "%i", 123) with the constant result
3615 of the function. */
3620 }
3622 {
3623 /* Replace the left-hand side of the call with the constant
3624 result of the formatted function. */
3629 }
3632 {
3635 else
3636 {
3641 }
3642 }
3643 }
3645 {
3652 {
3653 /* If the result is in a valid range bounded by the size of
3654 the destination set it so that it can be used for subsequent
3655 optimizations. */
3663 }
3666 {
3680 else
3683 }
3684 }
3690 }
3692 /* Try to simplify a s{,n}printf call described by INFO with result
3693 RES by replacing it with a simpler and presumably more efficient
3694 call (such as strcpy). */
3696 static bool
3700 {
3706 {
3714 ;
3715 }
3718 }
3720 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
3721 functions and if so, handle it. Return true if the call is removed
3722 and gsi_next should not be performed in the caller. */
3724 bool
3726 {
3736 /* The size of the destination as in snprintf(dest, size, ...). */
3739 /* The size of the destination determined by __builtin_object_size. */
3742 /* Buffer size argument number (snprintf and vsnprintf). */
3745 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
3748 /* Format string argument number (valid for all functions). */
3752 {
3754 // Signature:
3755 // __builtin_sprintf (dst, format, ...)
3761 // Signature:
3762 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
3769 // Signature:
3770 // __builtin_snprintf (dst, size, format, ...)
3778 // Signature:
3779 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
3788 // Signature:
3789 // __builtin_vsprintf (dst, size, format, va)
3797 // Signature:
3798 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
3807 // Signature:
3808 // __builtin_vsprintf (dst, format, va)
3814 // Signature:
3815 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
3823 }
3825 /* Set the global warning level for this function. */
3828 /* The first argument is a pointer to the destination. */
3833 /* True when the destination size is constant as opposed to the lower
3834 or upper bound of a range. */
3838 {
3839 /* For non-bounded functions like sprintf, determine the size
3840 of the destination from the object or pointer passed to it
3841 as the first argument. */
3843 }
3845 {
3846 /* For bounded functions try to get the size argument. */
3849 {
3851 /* No object can be larger than SIZE_MAX bytes (half the address
3852 space) on the target.
3853 The functions are defined only for output of at most INT_MAX
3854 bytes. Specifying a bound in excess of that limit effectively
3855 defeats the bounds checking (and on some implementations such
3856 as Solaris cause the function to fail with EINVAL). */
3858 {
3859 /* Avoid warning if -Wstringop-overflow is specified since
3860 it also warns for the same thing though only for the
3861 checking built-ins. */
3865 "specified bound %wu exceeds maximum object size "
3868 }
3872 dstsize);
3873 }
3875 {
3876 /* Try to determine the range of values of the argument
3877 and use the greater of the two at level 1 and the smaller
3878 of them at level 2. */
3880 enum value_range_type range_type
3883 {
3884 dstsize
3888 }
3890 /* The destination size is not constant. If the function is
3891 bounded (e.g., snprintf) a lower bound of zero doesn't
3892 necessarily imply it can be eliminated. */
3894 }
3895 }
3903 {
3904 /* As a special case, when the explicitly specified destination
3905 size argument (to a bounded function like snprintf) is zero
3906 it is a request to determine the number of bytes on output
3907 without actually producing any. Pretend the size is
3908 unlimited in this case. */
3911 }
3912 else
3913 {
3914 /* For calls to non-bounded functions or to those of bounded
3915 functions with a non-zero size, warn if the destination
3916 pointer is null. */
3918 {
3919 /* This is diagnosed with -Wformat only when the null is a constant
3920 pointer. The warning here diagnoses instances where the pointer
3921 is not constant. */
3926 }
3928 /* Set the object size to the smaller of the two arguments
3929 of both have been specified and they're not equal. */
3934 /* Avoid warning if -Wstringop-overflow is specified since
3935 it also warns for the same thing though only for the
3936 checking built-ins. */
3939 {
3941 "specified bound %wu exceeds the size %wu "
3943 }
3944 }
3947 {
3948 /* This is diagnosed with -Wformat only when the null is a constant
3949 pointer. The warning here diagnoses instances where the pointer
3950 is not constant. */
3955 }
3961 /* The result is the number of bytes output by the formatted function,
3962 including the terminating NUL. */
3967 /* When optimizing and the printf return value optimization is enabled,
3968 attempt to substitute the computed result for the return value of
3969 the call. Avoid this optimization when -frounding-math is in effect
3970 and the format string contains a floating point directive. */
3973 {
3974 /* Save a copy of the iterator pointing at the call. The iterator
3975 may change to point past the call in try_substitute_return_value
3976 but the original value is needed in try_simplify_call. */
3985 }
3988 }
3990 /* Execute the pass for function FUN. */
3992 unsigned int
3994 {
3997 basic_block bb;
3999 {
4001 {
4002 /* Iterate over statements, looking for function calls. */
4006 /* If handle_gimple_call returns true, the iterator is
4007 already pointing to the next statement. */
4011 }
4012 }
4014 /* Clean up object size info. */
4018 }
4022 /* Return a pointer to a pass object newly constructed from the context
4023 CTXT. */
4025 gimple_opt_pass *
4027 {
4029 }