| blob | c3c717d9060273594d9626611000cc35e4b89257 |
1 /* Copyright (C) 2016-2017 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
9 version.
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 for more details.
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
83 /* The likely worst case value of MB_LEN_MAX for the target, large enough
84 for UTF-8. Ideally, this would be obtained by a target hook if it were
85 to be used for optimization but it's good enough as is for warnings. */
86 #define target_mb_len_max() 6
88 /* The maximum number of bytes a single non-string directive can result
89 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for
90 LDBL_MAX_10_EXP of 4932. */
91 #define IEEE_MAX_10_EXP 4932
92 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2)
106 };
108 /* Set to the warning level for the current function which is equal
109 either to warn_format_trunc for bounded functions or to
110 warn_format_overflow otherwise. */
117 {
124 { }
133 {
136 }
142 };
144 bool
146 {
147 /* Run the pass iff -Warn-format-overflow or -Warn-format-truncation
148 is specified and either not optimizing and the pass is being invoked
149 early, or when optimizing and the pass is being invoked during
150 optimization (i.e., "late"). */
155 }
157 /* The minimum, maximum, likely, and unlikely maximum number of bytes
158 of output either a formatting function or an individual directive
159 can result in. */
161 struct result_range
162 {
163 /* The absolute minimum number of bytes. The result of a successful
164 conversion is guaranteed to be no less than this. (An erroneous
165 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */
167 /* The likely maximum result that is used in diagnostics. In most
168 cases MAX is the same as the worst case UNLIKELY result. */
170 /* The likely result used to trigger diagnostics. For conversions
171 that result in a range of bytes [MIN, MAX], LIKELY is somewhere
172 in that range. */
174 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives
175 the worst cases maximum result of a directive. In most cases
176 UNLIKELY == MAX. UNLIKELY is used to control the return value
177 optimization but not in diagnostics. */
179 };
181 /* The result of a call to a formatted function. */
183 struct format_result
184 {
185 /* Range of characters written by the formatted function.
186 Setting the minimum to HOST_WIDE_INT_MAX disables all
187 length tracking for the remainder of the format string. */
188 result_range range;
190 /* True when the range above is obtained from known values of
191 directive arguments, or bounds on the amount of output such
192 as width and precision, and not the result of heuristics that
193 depend on warning levels. It's used to issue stricter diagnostics
194 in cases where strings of unknown lengths are bounded by the arrays
195 they are determined to refer to. KNOWNRANGE must not be used for
196 the return value optimization. */
199 /* True if no individual directive resulted in more than 4095 bytes
200 of output (the total NUMBER_CHARS_{MIN,MAX} might be greater).
201 Implementations are not required to handle directives that produce
202 more than 4K bytes (leading to undefined behavior) and so when one
203 is found it disables the return value optimization. */
206 /* True when a floating point directive has been seen in the format
207 string. */
210 /* True when an intermediate result has caused a warning. Used to
211 avoid issuing duplicate warnings while finishing the processing
212 of a call. WARNED also disables the return value optimization. */
215 /* Preincrement the number of output characters by 1. */
217 {
219 }
221 /* Postincrement the number of output characters by 1. */
223 {
227 }
229 /* Increment the number of output characters by N. */
231 };
233 format_result&
235 {
251 }
253 /* Return the value of INT_MIN for the target. */
257 {
259 }
261 /* Return the value of INT_MAX for the target. */
265 {
267 }
269 /* Return the value of SIZE_MAX for the target. */
273 {
275 }
277 /* A straightforward mapping from the execution character set to the host
278 character set indexed by execution character. */
282 /* Initialize a mapping from the execution character set to the host
283 character set. */
285 static bool
287 {
288 /* If the percent sign is non-zero the mapping has already been
289 initialized. */
293 /* Initialize the target_percent character (done elsewhere). */
297 /* The subset of the source character set used by printf conversion
298 specifications (strictly speaking, not all letters are used but
299 they are included here for the sake of simplicity). The dollar
300 sign must be included even though it's not in the basic source
301 character set. */
305 /* Set the mapping for all characters to some ordinary value (i,e.,
306 not none used in printf conversion specifications) and overwrite
307 those that are used by conversion specifications with their
308 corresponding values. */
311 /* Are the two sets of characters the same? */
315 {
316 /* Slice off the high end bits in case target characters are
317 signed. All values are expected to be non-nul, otherwise
318 there's a problem. */
320 {
324 }
325 else
328 }
330 /* Set the first element to a non-zero value if the mapping
331 is 1-to-1, otherwise leave it clear (NUL is assumed to be
332 the same in both character sets). */
336 }
338 /* Return the host source character corresponding to the character
339 CH in the execution character set if one exists, or some innocuous
340 (non-special, non-nul) source character otherwise. */
344 {
346 }
348 /* Convert an initial substring of the string TARGSTR consisting of
349 characters in the execution character set into a string in the
350 source character set on the host and store up to HOSTSZ characters
351 in the buffer pointed to by HOSTR. Return HOSTR. */
355 {
356 /* Make sure the buffer is reasonably big. */
359 /* The interesting subset of source and execution characters are
360 the same so no conversion is necessary. However, truncate
361 overlong strings just like the translated strings are. */
363 {
368 }
370 /* Convert the initial substring of TARGSTR to the corresponding
371 characters in the host set, appending "..." if TARGSTR is too
372 long to fit. Using the static buffer assumes the function is
373 not called in between sequence points (which it isn't). */
375 {
381 {
385 }
386 }
389 }
391 /* Convert the sequence of decimal digits in the execution character
392 starting at S to a long, just like strtol does. Return the result
393 and set *END to one past the last converted character. On range
394 error set ERANGE to the digit that caused it. */
398 {
401 {
404 {
407 /* Check for overflow. */
409 {
413 /* Skip the remaining digits. */
414 do
418 }
419 else
421 }
422 else
424 }
427 }
429 /* Return the constant initial value of DECL if available or DECL
430 otherwise. Same as the synonymous function in c/c-typeck.c. */
432 static tree
434 {
436 in a place where a variable is invalid. Note that DECL_INITIAL
437 isn't valid for a PARM_DECL. */
444 /* This is invalid if initial value is not constant.
445 If it has either a function call, a memory reference,
446 or a variable, then re-evaluating it could give different results. */
448 /* Check for cases where this is sub-optimal, even though valid. */
452 }
454 /* Given FORMAT, set *PLOC to the source location of the format string
455 and return the format string if it is known or null otherwise. */
459 {
461 {
462 /* Pull out a constant value if the front end didn't. */
465 }
468 {
469 /* FIXME: Diagnose null format string if it hasn't been diagnosed
470 by -Wformat (the latter diagnoses only nul pointer constants,
471 this pass can do better). */
473 }
478 {
489 /* POINTER_PLUS_EXPR offsets are to be interpreted signed. */
494 }
511 tree array_init;
518 {
519 /* Extract the string constant initializer. Note that this may
520 include a trailing NUL character that is not in the array (e.g.
521 const char a[3] = "foo";). */
524 }
530 {
531 /* Wide format string. */
533 }
539 {
540 /* Variable length arrays can't be initialized. */
544 {
550 }
551 }
553 {
559 }
562 {
563 /* FIXME: Diagnose an unterminated format string if it hasn't been
564 diagnosed by -Wformat. Similarly to a null format pointer,
565 -Wformay diagnoses only nul pointer constants, this pass can
566 do better). */
568 }
571 }
573 /* The format_warning_at_substring function is not used here in a way
574 that makes using attribute format viable. Suppress the warning. */
576 #pragma GCC diagnostic push
579 /* For convenience and brevity. */
581 static bool
586 /* Format length modifiers. */
588 enum format_lengths
589 {
590 FMT_LEN_none,
598 FMT_LEN_j // intmax_t
599 };
602 /* Description of the result of conversion either of a single directive
603 or the whole format string. */
605 struct fmtresult
606 {
607 /* Construct a FMTRESULT object with all counters initialized
608 to MIN. KNOWNRANGE is set when MIN is valid. */
613 {
618 }
620 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters.
621 KNOWNRANGE is set when both MIN and MAX are valid. */
627 {
632 }
634 /* Adjust result upward to reflect the RANGE of values the specified
635 width or precision is known to be in. */
640 /* Return the maximum number of decimal digits a value of TYPE
641 formats as on output. */
644 /* The range a directive's argument is in. */
647 /* The minimum and maximum number of bytes that a directive
648 results in on output for an argument in the range above. */
649 result_range range;
651 /* True when the range above is obtained from a known value of
652 a directive's argument or its bounds and not the result of
653 heuristics that depend on warning levels. */
656 /* True when the argument is a null pointer. */
658 };
660 /* Adjust result upward to reflect the range ADJUST of values the
661 specified width or precision is known to be in. When non-null,
662 TYPE denotes the type of the directive whose result is being
663 adjusted, BASE gives the base of the directive (octal, decimal,
664 or hex), and ADJ denotes the additional adjustment to the LIKELY
665 counter that may need to be added when ADJUST is a range. */
667 fmtresult&
672 {
675 /* Adjust the minimum and likely counters. */
677 {
679 {
682 }
684 /* Adjust the likely counter. */
687 }
692 /* Adjust the maximum counter. */
694 {
696 {
699 /* Set KNOWNRANGE if both the minimum and maximum have been
700 adjusted. Otherwise leave it at what it was before. */
702 }
703 }
706 {
707 /* For large non-constant width or precision whose range spans
708 the maximum number of digits produced by the directive for
709 any argument, set the likely number of bytes to be at most
710 the number digits plus other adjustment determined by the
711 caller (one for sign or two for the hexadecimal "0x"
712 prefix). */
717 }
719 {
720 /* Conservatively, set LIKELY to at least MIN but no less than
721 1 unless MAX is zero. */
726 }
728 /* Finally adjust the unlikely counter to be at least as large as
729 the maximum. */
734 }
736 /* Return the maximum number of digits a value of TYPE formats in
737 BASE on output, not counting base prefix . */
739 unsigned
741 {
749 /* Decimal approximation: yields 3, 5, 10, and 20 for precision
750 of 8, 16, 32, and 64 bits. */
752 }
754 static bool
757 /* Description of a format directive. A directive is either a plain
758 string or a conversion specification that starts with '%'. */
760 struct directive
761 {
762 /* The 1-based directive number (for debugging). */
765 /* The first character of the directive and its length. */
769 /* A bitmap of flags, one for each character. */
772 /* The range of values of the specified width, or -1 if not specified. */
774 /* The range of values of the specified precision, or -1 if not
775 specified. */
778 /* Length modifier. */
779 format_lengths modifier;
781 /* Format specifier character. */
784 /* The argument of the directive or null when the directive doesn't
785 take one or when none is available (such as for vararg functions). */
786 tree arg;
788 /* Format conversion function that given a directive and an argument
789 returns the formatting result. */
792 /* Return True when a the format flag CHR has been used. */
794 {
798 }
800 /* Make a record of the format flag CHR having been used. */
802 {
806 }
808 /* Reset the format flag CHR. */
810 {
814 }
816 /* Set both bounds of the width range to VAL. */
818 {
820 }
822 /* Set the width range according to ARG, with both bounds being
823 no less than 0. For a constant ARG set both bounds to its value
824 or 0, whichever is greater. For a non-constant ARG in some range
825 set width to its range adjusting each bound to -1 if it's less.
826 For an indeterminate ARG set width to [0, INT_MAX]. */
828 {
830 }
832 /* Set both bounds of the precision range to VAL. */
834 {
836 }
838 /* Set the precision range according to ARG, with both bounds being
839 no less than -1. For a constant ARG set both bounds to its value
840 or -1 whichever is greater. For a non-constant ARG in some range
841 set precision to its range adjusting each bound to -1 if it's less.
842 For an indeterminate ARG set precision to [-1, INT_MAX]. */
844 {
846 }
848 /* Return true if both width and precision are known to be
849 either constant or in some range, false otherwise. */
851 {
856 }
857 };
859 /* Return the logarithm of X in BASE. */
861 static int
863 {
865 do
866 {
871 }
873 /* Return the number of bytes resulting from converting into a string
874 the INTEGER_CST tree node X in BASE with a minimum of PREC digits.
875 PLUS indicates whether 1 for a plus sign should be added for positive
876 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal
877 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot
878 be represented. */
880 static HOST_WIDE_INT
882 {
885 HOST_WIDE_INT res;
888 {
890 {
893 }
894 else
896 }
897 else
898 {
900 {
903 {
904 /* Avoid undefined behavior due to negating a minimum. */
907 }
909 {
912 }
913 else
914 {
917 }
918 }
919 else
921 }
927 /* Adjust a non-zero value for the base prefix, either hexadecimal,
928 or, unless precision has resulted in a leading zero, also octal. */
930 {
935 }
938 }
940 /* Given the formatting result described by RES and NAVAIL, the number
941 of available in the destination, return the range of bytes remaining
942 in the destination. */
946 {
947 result_range range;
950 {
953 }
955 /* The lower bound of the available range is the available size
956 minus the maximum output size, and the upper bound is the size
957 minus the minimum. */
964 else
971 }
973 /* Description of a call to a formatted function. */
976 {
977 /* Function call statement. */
980 /* Function called. */
981 tree func;
983 /* Called built-in function code. */
984 built_in_function fncode;
986 /* Format argument and format string extracted from it. */
987 tree format;
990 /* The location of the format argument. */
991 location_t fmtloc;
993 /* The destination object size for __builtin___xxx_chk functions
994 typically determined by __builtin_object_size, or -1 if unknown. */
997 /* Number of the first variable argument. */
1000 /* True for functions like snprintf that specify the size of
1001 the destination, false for others like sprintf that don't. */
1004 /* True for bounded functions like snprintf that specify a zero-size
1005 buffer as a request to compute the size of output without actually
1006 writing any. NOWRITE is cleared in response to the %n directive
1007 which has side-effects similar to writing output. */
1010 /* Return true if the called function's return value is used. */
1012 {
1014 }
1016 /* Return the warning option corresponding to the called function. */
1018 {
1020 }
1021 };
1023 /* Return the result of formatting a no-op directive (such as '%n'). */
1025 static fmtresult
1027 {
1030 }
1032 /* Return the result of formatting the '%%' directive. */
1034 static fmtresult
1036 {
1039 }
1042 /* Compute intmax_type_node and uintmax_type_node similarly to how
1043 tree.c builds size_type_node. */
1045 static void
1047 {
1049 {
1052 }
1054 {
1057 }
1059 {
1062 }
1063 else
1064 {
1067 {
1072 {
1076 }
1077 }
1079 }
1080 }
1082 /* Determine the range [*PMIN, *PMAX] that the expression ARG is
1083 in and that is representable in type int.
1084 Return true when the range is a subrange of that of int.
1085 When ARG is null it is as if it had the full range of int.
1086 When ABSOLUTE is true the range reflects the absolute value of
1087 the argument. When ABSOLUTE is false, negative bounds of
1088 the determined range are replaced with NEGBOUND. */
1090 static bool
1093 {
1094 /* The type of the result. */
1100 {
1103 }
1106 {
1107 /* For a constant argument return its value adjusted as specified
1108 by NEGATIVE and NEGBOUND and return true to indicate that the
1109 result is known. */
1113 }
1114 else
1115 {
1116 /* True if the argument's range cannot be determined. */
1121 /* Ignore invalid arguments with greater precision that that
1122 of the expected type (e.g., in sprintf("%*i", 12LL, i)).
1123 They will have been detected and diagnosed by -Wformat and
1124 so it's not important to complicate this code to try to deal
1125 with them again. */
1129 {
1130 /* Try to determine the range of values of the integer argument. */
1134 {
1135 HOST_WIDE_INT type_min
1146 {
1147 /* Return true if the adjusted range is a subrange of
1148 the full range of the argument's type. *PMAX may
1149 be less than *PMIN when the argument is unsigned
1150 and its upper bound is in excess of TYPE_MAX. In
1151 that (invalid) case disregard the range and use that
1152 of the expected type instead. */
1156 }
1157 }
1158 }
1160 /* Handle an argument with an unknown range as if none had been
1161 provided. */
1164 }
1166 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */
1168 {
1170 {
1173 else
1174 {
1175 /* Make sure signed overlow is avoided. */
1182 }
1183 }
1184 }
1189 }
1191 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual
1192 argument, due to the conversion from either *ARGMIN or *ARGMAX to
1193 the type of the directive's formal argument it's possible for both
1194 to result in the same number of bytes or a range of bytes that's
1195 less than the number of bytes that would result from formatting
1196 some other value in the range [*ARGMIN, *ARGMAX]. This can be
1197 determined by checking for the actual argument being in the range
1198 of the type of the directive. If it isn't it must be assumed to
1199 take on the full range of the directive's type.
1200 Return true when the range has been adjusted to the full range
1201 of DIRTYPE, and false otherwise. */
1203 static bool
1205 {
1210 /* If the actual argument and the directive's argument have the same
1211 precision and sign there can be no overflow and so there is nothing
1212 to adjust. */
1216 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P
1217 branch in the extract_range_from_unary_expr function in tree-vrp.c. */
1227 {
1231 /* If *ARGMIN is still less than *ARGMAX the conversion above
1232 is safe. Otherwise, it has overflowed and would be unsafe. */
1235 }
1240 }
1242 /* Return a range representing the minimum and maximum number of bytes
1243 that the format directive DIR will output for any argument given
1244 the WIDTH and PRECISION (extracted from DIR). This function is
1245 used when the directive argument or its value isn't known. */
1247 static fmtresult
1249 {
1250 tree intmax_type_node;
1251 tree uintmax_type_node;
1253 /* Base to format the number in. */
1256 /* True when a conversion is preceded by a prefix indicating the base
1257 of the argument (octal or hexadecimal). */
1260 /* True when a signed conversion is preceded by a sign or space. */
1263 /* True for signed conversions (i.e., 'd' and 'i'). */
1267 {
1270 /* Space and '+' are only meaningful for signed conversions. */
1287 }
1289 /* The type of the "formal" argument expected by the directive. */
1292 /* Determine the expected type of the argument from the length
1293 modifier. */
1295 {
1299 else
1317 dirtype = (sign
1318 ? long_long_integer_type_node
1337 }
1339 /* The type of the argument to the directive, either deduced from
1340 the actual non-constant argument if one is known, or from
1341 the directive itself when none has been provided because it's
1342 a va_list. */
1346 {
1347 /* When the argument has not been provided, use the type of
1348 the directive's argument as an approximation. This will
1349 result in false positives for directives like %i with
1350 arguments with smaller precision (such as short or char). */
1352 }
1354 {
1355 /* When a constant argument has been provided use its value
1356 rather than type to determine the length of the output. */
1357 fmtresult res;
1360 {
1361 /* As a special case, a precision of zero with a zero argument
1362 results in zero bytes except in base 8 when the '#' flag is
1363 specified, and for signed conversions in base 8 and 10 when
1364 either the space or '+' flag has been specified and it results
1365 in just one byte (with width having the normal effect). This
1366 must extend to the case of a specified precision with
1367 an unknown value because it can be zero. */
1370 {
1373 }
1374 else
1375 {
1378 }
1379 }
1380 else
1381 {
1382 /* Convert the argument to the type of the directive. */
1389 else
1393 }
1397 /* Bump up the counters if WIDTH is greater than LEN. */
1400 /* Bump up the counters again if PRECision is greater still. */
1405 }
1408 /* Determine the type of the provided non-constant argument. */
1410 else
1411 /* Don't bother with invalid arguments since they likely would
1412 have already been diagnosed, and disable any further checking
1413 of the format string by returning [-1, -1]. */
1416 fmtresult res;
1418 /* Using either the range the non-constant argument is in, or its
1419 type (either "formal" or actual), create a range of values that
1420 constrain the length of output given the warning level. */
1427 {
1428 /* Try to determine the range of values of the integer argument
1429 (range information is not available for pointers). */
1433 {
1437 /* Set KNOWNRANGE if the argument is in a known subrange
1438 of the directive's type and neither width nor precision
1439 is unknown. (KNOWNRANGE may be reset below). */
1440 res.knownrange
1447 }
1449 {
1450 /* Handle anti-ranges if/when bug 71690 is resolved. */
1451 }
1453 {
1454 /* The argument here may be the result of promoting the actual
1455 argument to int. Try to determine the type of the actual
1456 argument before promotion and narrow down its range that
1457 way. */
1460 {
1463 {
1466 }
1469 {
1474 }
1475 }
1476 }
1477 }
1480 {
1482 {
1485 }
1486 else
1487 {
1490 }
1491 }
1493 /* Clear KNOWNRANGE if the range has been adjusted to the maximum
1494 of the directive. If it has been cleared then since ARGMIN and/or
1495 ARGMAX have been adjusted also adjust the corresponding ARGMIN and
1496 ARGMAX in the result to include in diagnostics. */
1498 {
1502 }
1504 /* Recursively compute the minimum and maximum from the known range. */
1506 {
1507 /* For unsigned conversions/directives or signed when
1508 the minimum is positive, use the minimum and maximum to compute
1509 the shortest and longest output, respectively. */
1512 }
1514 {
1515 /* For signed conversions/directives if maximum is negative,
1516 use the minimum as the longest output and maximum as the
1517 shortest output. */
1520 }
1521 else
1522 {
1523 /* Otherwise, 0 is inside of the range and minimum negative. Use 0
1524 as the shortest output and for the longest output compute the
1525 length of the output of both minimum and maximum and pick the
1526 longer. */
1531 }
1533 /* If the range is known, use the maximum as the likely length. */
1536 else
1537 {
1538 /* Otherwise, use the minimum. Except for the case where for %#x or
1539 %#o the minimum is just for a single value in the range (0) and
1540 for all other values it is something longer, like 0x1 or 01.
1541 Use the length for value 1 in that case instead as the likely
1542 length. */
1547 {
1554 }
1555 }
1564 }
1566 /* Return the number of bytes that a format directive consisting of FLAGS,
1567 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC,
1568 would result for argument X under ideal conditions (i.e., if PREC
1569 weren't excessive). MPFR 3.1 allocates large amounts of memory for
1570 values of PREC with large magnitude and can fail (see MPFR bug #21056).
1571 This function works around those problems. */
1573 static unsigned HOST_WIDE_INT
1576 {
1590 {
1591 /* For %e, specify the precision explicitly since mpfr_sprintf
1592 does its own thing just to be different (see MPFR bug 21088). */
1595 }
1596 else
1597 {
1598 /* Avoid passing negative precisions with larger magnitude to MPFR
1599 to avoid exposing its bugs. (A negative precision is supposed
1600 to be ignored.) */
1603 }
1608 {
1609 /* For G/g without the pound flag, precision gives the maximum number
1610 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for
1611 a 128 bit IEEE extended precision, 4932. Using twice as much here
1612 should be more than sufficient for any real format. */
1616 }
1617 else
1618 {
1619 /* Cap precision arbitrarily at 1KB and add the difference
1620 (if any) to the MPFR result. */
1623 }
1627 /* Handle the unlikely (impossible?) error by returning more than
1628 the maximum dictated by the function's return type. */
1632 /* Adjust the return value by the difference. */
1637 }
1639 /* Return the number of bytes to format using the format specifier
1640 SPEC and the precision PREC the largest value in the real floating
1641 TYPE. */
1643 static unsigned HOST_WIDE_INT
1645 {
1648 /* IBM Extended mode. */
1652 /* Get the real type format desription for the target. */
1654 REAL_VALUE_TYPE rv;
1658 /* Convert the GCC real value representation with the precision
1659 of the real type to the mpfr_t format with the GCC default
1660 round-to-nearest mode. */
1661 mpfr_t x;
1665 /* Return a value one greater to account for the leading minus sign. */
1666 unsigned HOST_WIDE_INT r
1670 }
1672 /* Return a range representing the minimum and maximum number of bytes
1673 that the directive DIR will output for any argument. PREC gives
1674 the adjusted precision range to account for negative precisions
1675 meaning the default 6. This function is used when the directive
1676 argument or its value isn't known. */
1678 static fmtresult
1680 {
1681 tree type;
1684 {
1700 }
1702 /* The minimum and maximum number of bytes produced by the directive. */
1703 fmtresult res;
1705 /* The minimum output as determined by flags. It's always at least 1.
1706 When plus or space are set the output is preceded by either a sign
1707 or a space. */
1711 /* When the pound flag is set the decimal point is included in output
1712 regardless of precision. Whether or not a decimal point is included
1713 otherwise depends on the specification and precision. */
1717 {
1720 {
1728 + flagmin
1729 + radix
1730 + minprec
1736 /* The unlikely maximum accounts for the longest multibyte
1737 decimal point character. */
1743 }
1747 {
1748 /* Minimum output attributable to precision and, when it's
1749 non-zero, decimal point. */
1752 /* The minimum output is "[-+]1.234567e+00" regardless
1753 of the value of the actual argument. */
1755 + radix
1756 + minprec
1762 /* The unlikely maximum accounts for the longest multibyte
1763 decimal point character. */
1767 else
1770 }
1774 {
1775 /* Minimum output attributable to precision and, when it's non-zero,
1776 decimal point. */
1779 /* The lower bound when precision isn't specified is 8 bytes
1780 ("1.23456" since precision is taken to be 6). When precision
1781 is zero, the lower bound is 1 byte (e.g., "1"). Otherwise,
1782 when precision is greater than zero, then the lower bound
1783 is 2 plus precision (plus flags). */
1786 /* Compute the upper bound for -TYPE_MAX. */
1789 /* The minimum output with unknown precision is a single byte
1790 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */
1793 else
1796 /* The unlikely maximum accounts for the longest multibyte
1797 decimal point character. */
1802 }
1806 {
1807 /* The %g output depends on precision and the exponent of
1808 the argument. Since the value of the argument isn't known
1809 the lower bound on the range of bytes (not counting flags
1810 or width) is 1 plus radix (i.e., either "0" or "0." for
1811 "%g" and "%#g", respectively, with a zero argument). */
1817 {
1818 /* When the pound flag (radix) is set, trailing zeros aren't
1819 trimmed and so the longest output is the same as for %e,
1820 except with precision minus 1 (as specified in C11). */
1826 }
1827 else
1832 /* The likely output is either the maximum computed above
1833 minus 1 (assuming the maximum is positive) when precision
1834 is known (or unspecified), or the same minimum as for %e
1835 (which is computed for a non-negative argument). Unlike
1836 for the other specifiers above the likely output isn't
1837 the minimum because for %g that's 1 which is unlikely. */
1841 else
1842 {
1845 + radix
1846 + minprec
1848 }
1850 /* The unlikely maximum accounts for the longest multibyte
1851 decimal point character. */
1854 }
1858 }
1860 /* Bump up the byte counters if WIDTH is greater. */
1863 }
1865 /* Return a range representing the minimum and maximum number of bytes
1866 that the directive DIR will write on output for the floating argument
1867 ARG. */
1869 static fmtresult
1871 {
1874 /* For an indeterminate precision the lower bound must be assumed
1875 to be zero. */
1877 {
1878 /* Get the number of fractional decimal digits needed to represent
1879 the argument without a loss of accuracy. */
1884 unsigned fmtprec
1887 /* The precision of the IEEE 754 double format is 53.
1888 The precision of all other GCC binary double formats
1889 is 56 or less. */
1892 /* For %a, leave the minimum precision unspecified to let
1893 MFPR trim trailing zeros (as it and many other systems
1894 including Glibc happen to do) and set the maximum
1895 precision to reflect what it would be with trailing zeros
1896 present (as Solaris and derived systems do). */
1898 {
1899 /* Both bounds are negative implies that precision has
1900 not been specified. */
1903 }
1905 {
1906 /* With a negative lower bound and a non-negative upper
1907 bound set the minimum precision to zero and the maximum
1908 to the greater of the maximum precision (i.e., with
1909 trailing zeros present) and the specified upper bound. */
1912 }
1913 }
1915 {
1917 {
1918 /* A precision in a strictly negative range is ignored and
1919 the default of 6 is used instead. */
1921 }
1922 else
1923 {
1924 /* For a precision in a partly negative range, the lower bound
1925 must be assumed to be zero and the new upper bound is the
1926 greater of 6 (the default precision used when the specified
1927 precision is negative) and the upper bound of the specified
1928 range. */
1931 }
1932 }
1937 /* The minimum and maximum number of bytes produced by the directive. */
1938 fmtresult res;
1940 /* Get the real type format desription for the target. */
1947 /* Append flags. */
1954 {
1955 /* Set up an array to easily iterate over. */
1958 };
1961 {
1962 /* Convert the GCC real value representation with the precision
1963 of the real type to the mpfr_t format rounding down in the
1964 first iteration that computes the minimm and up in the second
1965 that computes the maximum. This order is arbibtrary because
1966 rounding in either direction can result in longer output. */
1967 mpfr_t mpfrval;
1971 /* Use the MPFR rounding specifier to round down in the first
1972 iteration and then up. In most but not all cases this will
1973 result in the same number of bytes. */
1976 /* Format it and store the result in the corresponding member
1977 of the result struct. */
1981 }
1982 }
1984 /* Make sure the minimum is less than the maximum (MPFR rounding
1985 in the call to mpfr_snprintf can result in the reverse. */
1987 {
1991 }
1993 /* The range is known unless either width or precision is unknown. */
1996 /* For the same floating point constant, unless width or precision
1997 is unknown, use the longer output as the likely maximum since
1998 with round to nearest either is equally likely. Otheriwse, when
1999 precision is unknown, use the greater of the minimum and 3 as
2000 the likely output (for "0.0" since zero precision is unlikely). */
2007 else
2013 {
2014 /* Unless the precision is zero output longer than 2 bytes may
2015 include the decimal point which must be a single character
2016 up to MB_LEN_MAX in length. This is overly conservative
2017 since in some conversions some constants result in no decimal
2018 point (e.g., in %g). */
2020 }
2024 }
2026 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
2027 strings referenced by the expression STR, or (-1, -1) when not known.
2028 Used by the format_string function below. */
2030 static fmtresult
2032 {
2037 {
2038 /* Simply return the length of the string. */
2041 }
2043 /* Determine the length of the shortest and longest string referenced
2044 by STR. Strings of unknown lengths are bounded by the sizes of
2045 arrays that subexpressions of STR may refer to. Pointers that
2046 aren't known to point any such arrays result in LENRANGE[1] set
2047 to SIZE_MAX. */
2052 {
2053 HOST_WIDE_INT min
2058 HOST_WIDE_INT max
2063 /* get_range_strlen() returns the target value of SIZE_MAX for
2064 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U
2065 which may be bigger. */
2073 /* Set RES.KNOWNRANGE to true if and only if all strings referenced
2074 by STR are known to be bounded (though not necessarily by their
2075 actual length but perhaps by their maximum possible length). */
2077 {
2079 /* When the the length of the longest string is known and not
2080 excessive use it as the likely length of the string(s). */
2082 }
2083 else
2084 {
2085 /* When the upper bound is unknown (it can be zero or excessive)
2086 set the likely length to the greater of 1 and the length of
2087 the shortest string and reset the lower bound to zero. */
2090 }
2092 /* If the range of string length has been estimated from the size
2093 of an array at the end of a struct assume that it's longer than
2094 the array bound says it is in case it's used as a poor man's
2095 flexible array member, such as in struct S { char a[4]; }; */
2099 }
2102 }
2104 /* Return the minimum and maximum number of characters formatted
2105 by the '%c' format directives and its wide character form for
2106 the argument ARG. ARG can be null (for functions such as
2107 vsprinf). */
2109 static fmtresult
2111 {
2112 fmtresult res;
2117 {
2118 /* A wide character can result in as few as zero bytes. */
2123 {
2125 {
2126 /* The NUL wide character results in no bytes. */
2130 }
2132 {
2133 /* A wide character in the ASCII range most likely results
2134 in a single byte, and only unlikely in up to MB_LEN_MAX. */
2138 }
2139 else
2140 {
2141 /* A wide character outside the ASCII range likely results
2142 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */
2146 }
2147 }
2148 else
2149 {
2150 /* An unknown wide character is treated the same as a wide
2151 character outside the ASCII range. */
2155 }
2156 }
2157 else
2158 {
2159 /* A plain '%c' directive. Its ouput is exactly 1. */
2163 }
2165 /* Bump up the byte counters if WIDTH is greater. */
2167 }
2169 /* Return the minimum and maximum number of characters formatted
2170 by the '%s' format directive and its wide character form for
2171 the argument ARG. ARG can be null (for functions such as
2172 vsprinf). */
2174 static fmtresult
2176 {
2177 fmtresult res;
2179 /* Compute the range the argument's length can be in. */
2183 {
2184 /* The argument is either a string constant or it refers
2185 to one of a number of strings of the same length. */
2187 /* A '%s' directive with a string argument with constant length. */
2191 {
2192 /* In the worst case the length of output of a wide string S
2193 is bounded by MB_LEN_MAX * wcslen (S). */
2196 /* It's likely that the the total length is not more that
2197 2 * wcslen (S).*/
2202 {
2206 }
2213 /* Even a non-empty wide character string need not convert into
2214 any bytes. */
2216 }
2217 else
2218 {
2227 {
2231 }
2232 }
2233 }
2235 {
2236 /* Handle null pointer argument. */
2241 }
2242 else
2243 {
2244 /* For a '%s' and '%ls' directive with a non-constant string (either
2245 one of a number of strings of known length or an unknown string)
2246 the minimum number of characters is lesser of PRECISION[0] and
2247 the length of the shortest known string or zero, and the maximum
2248 is the lessser of the length of the longest known string or
2249 PTRDIFF_MAX and PRECISION[1]. The likely length is either
2250 the minimum at level 1 and the greater of the minimum and 1
2251 at level 2. This result is adjust upward for width (if it's
2252 specified). */
2255 {
2256 /* A wide character converts to as few as zero bytes. */
2266 }
2271 {
2272 /* Adjust the minimum to zero if the string length is unknown,
2273 or at most the lower bound of the precision otherwise. */
2279 /* Make both maxima no greater than the upper bound of precision. */
2282 {
2285 }
2287 /* If precision is constant, set the likely counter to the lesser
2288 of it and the maximum string length. Otherwise, if the lower
2289 bound of precision is greater than zero, set the likely counter
2290 to the minimum. Otherwise set it to zero or one based on
2291 the warning level. */
2298 else
2300 }
2302 {
2307 }
2309 {
2312 /* At level 1 strings of unknown length are assumed to be
2313 empty, while at level 1 they are assumed to be one byte
2314 long. */
2316 }
2317 else
2318 {
2319 /* A string of unknown length unconstrained by precision is
2320 assumed to be empty at level 1 and just one character long
2321 at higher levels. */
2324 }
2327 }
2329 /* Bump up the byte counters if WIDTH is greater. */
2331 }
2333 /* Format plain string (part of the format string itself). */
2335 static fmtresult
2337 {
2340 }
2342 /* Return true if the RESULT of a directive in a call describe by INFO
2343 should be diagnosed given the AVAILable space in the destination. */
2345 static bool
2348 {
2350 {
2351 /* The least amount of space remaining in the destination is big
2352 enough for the longest output. */
2354 }
2357 {
2360 {
2361 /* The likely amount of space remaining in the destination is big
2362 enough for the least output and the return value is used. */
2364 }
2368 {
2369 /* The likely amount of space remaining in the destination is big
2370 enough for the likely output and the return value is unused. */
2372 }
2378 {
2379 /* The minimum amount of space remaining in the destination is big
2380 enough for the longest output. */
2382 }
2383 }
2384 else
2385 {
2387 {
2388 /* The likely amount of space remaining in the destination is big
2389 enough for the likely output. */
2391 }
2397 {
2398 /* The minimum amount of space remaining in the destination is big
2399 enough for the longest output. */
2401 }
2402 }
2405 }
2407 /* At format string location describe by DIRLOC in a call described
2408 by INFO, issue a warning for a directive DIR whose output may be
2409 in excess of the available space AVAIL_RANGE in the destination
2410 given the formatting result FMTRES. This function does nothing
2411 except decide whether to issue a warning for a possible write
2412 past the end or truncation and, if so, format the warning.
2413 Return true if a warning has been issued. */
2415 static bool
2420 {
2424 /* A warning will definitely be issued below. */
2426 /* The maximum byte count to reference in the warning. Larger counts
2427 imply that the upper bound is unknown (and could be anywhere between
2428 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather
2429 than "between N and X" where X is some huge number. */
2432 /* True when there is enough room in the destination for the least
2433 amount of a directive's output but not enough for its likely or
2434 maximum output. */
2440 /* Buffer for the directive in the host character set (used when
2441 the source character set is different). */
2445 {
2446 /* The size of the destination region is exact. */
2450 {
2451 /* For plain character directives (i.e., the format string itself)
2452 but not others, point the caret at the first character that's
2453 past the end of the destination. */
2455 }
2458 {
2459 /* This is the terminating nul. */
2464 ? (maybe
2468 : (maybe
2476 }
2479 {
2483 ? (maybe
2491 ? (maybe
2502 }
2505 {
2508 ? (maybe
2519 }
2522 {
2523 /* This is a special case to avoid issuing the potentially
2524 confusing warning:
2525 writing 0 or more bytes into a region of size 0. */
2528 ? (maybe
2539 }
2542 {
2545 ? (maybe
2556 }
2560 ? (maybe
2571 }
2573 /* The size of the destination region is a range. */
2576 {
2579 /* For plain character directives (i.e., the format string itself)
2580 but not others, point the caret at the first character that's
2581 past the end of the destination. */
2583 }
2586 {
2591 ? (maybe
2595 : (maybe
2603 }
2606 {
2610 ? (maybe
2618 ? (maybe
2630 }
2633 {
2636 ? (maybe
2638 "up to %wu bytes into a region of size between "
2641 "up to %wu bytes into a region of size between "
2649 }
2652 {
2653 /* This is a special case to avoid issuing the potentially confusing
2654 warning:
2655 writing 0 or more bytes into a region of size between 0 and N. */
2658 ? (maybe
2660 "likely %wu or more bytes into a region of size between "
2663 "%wu or more bytes into a region of size between "
2671 }
2674 {
2677 ? (maybe
2679 "between %wu and %wu bytes into a region of size "
2682 "between %wu and %wu bytes into a region of size "
2690 }
2694 ? (maybe
2696 "%wu or more bytes into a region of size between "
2699 "%wu or more bytes into a region of size between "
2707 }
2709 /* Compute the length of the output resulting from the directive DIR
2710 in a call described by INFO and update the overall result of the call
2711 in *RES. Return true if the directive has been handled. */
2713 static bool
2716 {
2717 /* Offset of the beginning of the directive from the beginning
2718 of the format string. */
2723 /* Create a location for the whole directive from the % to the format
2724 specifier. */
2728 /* Also create a location range for the argument if possible.
2729 This doesn't work for integer literals or function calls. */
2730 source_range argrange;
2733 {
2736 }
2737 else
2740 /* Bail when there is no function to compute the output length,
2741 or when minimum length checking has been disabled. */
2745 /* Compute the range of lengths of the formatted output. */
2748 /* Record whether the output of all directives is known to be
2749 bounded by some maximum, implying that their arguments are
2750 either known exactly or determined to be in a known range
2751 or, for strings, limited by the upper bounds of the arrays
2752 they refer to. */
2756 {
2757 /* Only when the range is known, check it against the host value
2758 of INT_MAX + (the number of bytes of the "%.*Lf" directive with
2759 INT_MAX precision, which is the longest possible output of any
2760 single directive). That's the largest valid byte count (though
2761 not valid call to a printf-like function because it can never
2762 return such a count). Otherwise, the range doesn't correspond
2763 to known values of the argument. */
2765 {
2766 /* Normalize the MAX counter to avoid having to deal with it
2767 later. The counter can be less than HOST_WIDE_INT_M1U
2768 when compiling for an ILP32 target on an LP64 host. */
2770 /* Disable exact and maximum length checking after a failure
2771 to determine the maximum number of characters (for example
2772 for wide characters or wide character strings) but continue
2773 tracking the minimum number of characters. */
2775 }
2778 {
2779 /* Disable exact length checking after a failure to determine
2780 even the minimum number of characters (it shouldn't happen
2781 except in an error) but keep tracking the minimum and maximum
2782 number of characters. */
2784 }
2785 }
2787 /* Buffer for the directive in the host character set (used when
2788 the source character set is different). */
2794 {
2799 /* Don't bother processing the rest of the format string. */
2804 }
2806 /* Compute the number of available bytes in the destination. There
2807 must always be at least one byte of space for the terminating
2808 NUL that's appended after the format string has been processed. */
2817 /* Bump up the total maximum if it isn't too big. */
2822 /* Raise the total unlikely maximum by the larger of the maximum
2823 and the unlikely maximum. */
2827 else
2836 /* Has the minimum directive output length exceeded the maximum
2837 of 4095 bytes required to be supported? */
2840 /* Clear UNDER4K in the overall result if the maximum has exceeded
2841 the 4k (this is necessary to avoid the return valuye optimization
2842 that may not be safe in the maximum case). */
2847 /* Only warn at level 2. */
2849 && (!minunder4k
2851 {
2852 /* The directive output may be longer than the maximum required
2853 to be handled by an implementation according to 7.21.6.1, p15
2854 of C11. Warn on this only at level 2 but remember this and
2855 prevent folding the return value when done. This allows for
2856 the possibility of the actual libc call failing due to ENOMEM
2857 (like Glibc does under some conditions). */
2862 "%<%.*s%> directive output of %wu bytes exceeds "
2864 dirlen,
2867 else
2868 {
2870 = (minunder4k
2880 }
2881 }
2883 /* Has the likely and maximum directive output exceeded INT_MAX? */
2885 /* Don't consider the maximum to be in excess when it's the result
2886 of a string of unknown length (i.e., whose maximum has been set
2887 to be greater than or equal to HOST_WIDE_INT_MAX. */
2893 /* Warn for the likely output size at level 1. */
2894 && (likelyximax
2895 /* But only warn for the maximum at level 2. */
2897 && maxximax
2899 {
2900 /* The directive output causes the total length of output
2901 to exceed INT_MAX bytes. */
2905 "%<%.*s%> directive output of %wu bytes causes "
2907 dirlen,
2910 else
2911 {
2922 }
2923 }
2927 {
2933 }
2936 {
2942 else
2946 }
2951 {
2952 /* If a warning has been issued for buffer overflow or truncation
2953 (but not otherwise) help the user figure out how big a buffer
2954 they need. */
2969 "%qE output between %wu and %wu bytes into "
2974 "%qE output %wu or more bytes (assuming %wu) into "
2977 else
2981 }
2984 {
2995 }
2998 }
3000 #pragma GCC diagnostic pop
3002 /* Parse a format directive in function call described by INFO starting
3003 at STR and populate DIR structure. Bump up *ARGNO by the number of
3004 arguments extracted for the directive. Return the length of
3005 the directive. */
3007 static size_t
3011 {
3016 {
3017 /* This directive is either a plain string or the terminating nul
3018 (which isn't really a directive but it simplifies things to
3019 handle it as if it were). */
3024 {
3030 }
3033 }
3037 /* POSIX numbered argument index or zero when none. */
3040 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN
3041 when given by a va_list argument, and a non-negative value
3042 when specified in the format string itself. */
3046 /* Pointers to the beginning of the width and precision decimal
3047 string (if any) within the directive. */
3051 /* When the value of the decimal string that specifies width or
3052 precision is out of range, points to the digit that causes
3053 the value to exceed the limit. */
3057 /* Width specified via the asterisk. Need not be INTEGER_CST.
3058 For vararg functions set to void_node. */
3061 /* Width specified via the asterisk. Need not be INTEGER_CST.
3062 For vararg functions set to void_node. */
3066 {
3067 /* This could be either a POSIX positional argument, the '0'
3068 flag, or a width, depending on what follows. Store it as
3069 width and sort it out later after the next character has
3070 been seen. */
3073 }
3075 {
3076 /* Similarly to the block above, this could be either a POSIX
3077 positional argument or a width, depending on what follows. */
3080 else
3083 }
3086 {
3087 /* Handle the POSIX dollar sign which references the 1-based
3088 positional argument number. */
3097 /* Bail when the numbered argument is out of range (it will
3098 have already been diagnosed by -Wformat). */
3109 }
3112 {
3114 {
3116 {
3117 /* The '0' that has been interpreted as a width above is
3118 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
3119 and continue processing other flags. */
3122 }
3124 {
3125 /* (Non-zero) width has been seen. The next character
3126 is either a period or a digit. */
3128 }
3129 }
3130 /* When either '$' has been seen, or width has not been seen,
3131 the next field is the optional flags followed by an optional
3132 width. */
3135 {
3146 }
3147 }
3149 start_width:
3151 {
3155 }
3157 {
3160 else
3161 {
3162 /* This is (likely) a va_list. It could also be an invalid
3163 call with insufficient arguments. */
3165 }
3167 }
3169 {
3170 /* The POSIX apostrophe indicating a numeric grouping
3171 in the current locale. Even though it's possible to
3172 estimate the upper bound on the size of the output
3173 based on the number of digits it probably isn't worth
3174 continuing. */
3176 }
3177 }
3179 start_precision:
3181 {
3185 {
3188 }
3190 {
3193 else
3194 {
3195 /* This is (likely) a va_list. It could also be an invalid
3196 call with insufficient arguments. */
3198 }
3200 }
3201 else
3202 {
3203 /* The decimal precision or the asterisk are optional.
3204 When neither is dirified it's taken to be zero. */
3206 }
3207 }
3210 {
3213 {
3216 }
3217 else
3234 {
3237 }
3238 else
3252 }
3255 {
3256 /* Handle a sole '%' character the same as "%%" but since it's
3257 undefined prevent the result from being folded. */
3261 /* FALLTHRU */
3288 /* The %p output is implementation-defined. It's possible
3289 to determine this format but due to extensions (edirially
3290 those of the Linux kernel -- see bug 78512) the first %p
3291 in the format string disables any further processing. */
3295 /* %n has side-effects even when nothing is actually printed to
3296 any buffer. */
3311 /* Unknown conversion specification. */
3313 }
3317 /* Store the length of the format directive. */
3320 /* Buffer for the directive in the host character set (used when
3321 the source character set is different). */
3325 {
3328 else
3329 {
3330 /* Width specified by a va_list takes on the range [0, -INT_MIN]
3331 (width is the absolute value of that specified). */
3334 }
3335 }
3336 else
3337 {
3339 {
3344 /* Create a location for the width part of the directive,
3345 pointing the caret at the first out-of-range digit. */
3352 }
3355 }
3358 {
3361 else
3362 {
3363 /* Precision specified by a va_list takes on the range [-1, INT_MAX]
3364 (unlike width, negative precision is ignored). */
3367 }
3368 }
3369 else
3370 {
3372 {
3377 /* Create a location for the precision part of the directive,
3378 including the leading period, pointing the caret at the first
3379 out-of-range digit . */
3386 }
3389 }
3391 /* Extract the argument if the directive takes one and if it's
3392 available (e.g., the function doesn't take a va_list). Treat
3393 missing arguments the same as va_list, even though they will
3394 have likely already been diagnosed by -Wformat. */
3400 {
3405 {
3408 else
3411 }
3414 {
3417 else
3420 }
3422 }
3425 }
3427 /* Compute the length of the output resulting from the call to a formatted
3428 output function described by INFO and store the result of the call in
3429 *RES. Issue warnings for detected past the end writes. Return true
3430 if the complete format string has been processed and *RES can be relied
3431 on, false otherwise (e.g., when a unknown or unhandled directive was seen
3432 that caused the processing to be terminated early). */
3434 bool
3437 {
3439 {
3447 }
3449 /* Reset the minimum and maximum byte counters. */
3452 /* No directive has been seen yet so the length of output is bounded
3453 by the known range [0, 0] (with no conversion producing more than
3454 4K bytes) until determined otherwise. */
3460 /* 1-based directive counter. */
3463 /* The variadic argument counter. */
3467 {
3473 /* Return failure if the format function fails. */
3477 /* Return success the directive is zero bytes long and it's
3478 the last think in the format string (i.e., it's the terminating
3479 nul, which isn't really a directive but handling it as one makes
3480 things simpler). */
3485 }
3487 /* The complete format string was processed (with or without warnings). */
3489 }
3491 /* Return the size of the object referenced by the expression DEST if
3492 available, or -1 otherwise. */
3494 static unsigned HOST_WIDE_INT
3496 {
3497 /* Initialize object size info before trying to compute it. */
3500 /* Use __builtin_object_size to determine the size of the destination
3501 object. When optimizing, determine the smallest object (such as
3502 a member array as opposed to the whole enclosing object), otherwise
3503 use type-zero object size to determine the size of the enclosing
3504 object (the function fails without optimization in this type). */
3511 }
3513 /* Given a suitable result RES of a call to a formatted output function
3514 described by INFO, substitute the result for the return value of
3515 the call. The result is suitable if the number of bytes it represents
3516 is known and exact. A result that isn't suitable for substitution may
3517 have its range set to the range of return values, if that is known.
3518 Return true if the call is removed and gsi_next should not be performed
3519 in the caller. */
3521 static bool
3525 {
3528 /* Set to true when the entire call has been removed. */
3531 /* The minimum return value. */
3534 /* The maximum return value is in most cases bounded by RES.RANGE.MAX
3535 but in cases involving multibyte characters could be as large as
3536 RES.RANGE.UNLIKELY. */
3537 unsigned HOST_WIDE_INT maxretval
3540 /* Adjust the number of bytes which includes the terminating nul
3541 to reflect the return value of the function which does not.
3542 Because the valid range of the function is [INT_MIN, INT_MAX],
3543 a valid range before the adjustment below is [0, INT_MAX + 1]
3544 (the functions only return negative values on error or undefined
3545 behavior). */
3551 /* Avoid the return value optimization when the behavior of the call
3552 is undefined either because any directive may have produced 4K or
3553 more of output, or the return value exceeds INT_MAX, or because
3554 the output overflows the destination object (but leave it enabled
3555 when the function is bounded because then the behavior is well-
3556 defined). */
3561 /* Not prepared to handle possibly throwing calls here; they shouldn't
3562 appear in non-artificial testcases, except when the __*_chk routines
3563 are badly declared. */
3565 {
3570 {
3571 /* Remove the call to the bounded function with a zero size
3572 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */
3576 }
3578 {
3579 /* Replace the call to the bounded function with a zero size
3580 (e.g., snprintf(0, 0, "%i", 123) with the constant result
3581 of the function. */
3586 }
3588 {
3589 /* Replace the left-hand side of the call with the constant
3590 result of the formatted function. */
3595 }
3598 {
3601 else
3602 {
3607 }
3608 }
3609 }
3611 {
3618 {
3619 /* If the result is in a valid range bounded by the size of
3620 the destination set it so that it can be used for subsequent
3621 optimizations. */
3629 }
3632 {
3646 else
3649 }
3650 }
3656 }
3658 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
3659 functions and if so, handle it. Return true if the call is removed
3660 and gsi_next should not be performed in the caller. */
3662 bool
3664 {
3674 /* The size of the destination as in snprintf(dest, size, ...). */
3677 /* The size of the destination determined by __builtin_object_size. */
3680 /* Buffer size argument number (snprintf and vsnprintf). */
3683 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
3686 /* Format string argument number (valid for all functions). */
3690 {
3692 // Signature:
3693 // __builtin_sprintf (dst, format, ...)
3699 // Signature:
3700 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
3707 // Signature:
3708 // __builtin_snprintf (dst, size, format, ...)
3716 // Signature:
3717 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
3726 // Signature:
3727 // __builtin_vsprintf (dst, size, format, va)
3735 // Signature:
3736 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
3745 // Signature:
3746 // __builtin_vsprintf (dst, format, va)
3752 // Signature:
3753 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
3761 }
3763 /* Set the global warning level for this function. */
3766 /* The first argument is a pointer to the destination. */
3771 /* True when the destination size is constant as opposed to the lower
3772 or upper bound of a range. */
3776 {
3777 /* For non-bounded functions like sprintf, determine the size
3778 of the destination from the object or pointer passed to it
3779 as the first argument. */
3781 }
3783 {
3784 /* For bounded functions try to get the size argument. */
3787 {
3789 /* No object can be larger than SIZE_MAX bytes (half the address
3790 space) on the target.
3791 The functions are defined only for output of at most INT_MAX
3792 bytes. Specifying a bound in excess of that limit effectively
3793 defeats the bounds checking (and on some implementations such
3794 as Solaris cause the function to fail with EINVAL). */
3796 {
3797 /* Avoid warning if -Wstringop-overflow is specified since
3798 it also warns for the same thing though only for the
3799 checking built-ins. */
3803 "specified bound %wu exceeds maximum object size "
3806 }
3810 dstsize);
3811 }
3813 {
3814 /* Try to determine the range of values of the argument
3815 and use the greater of the two at level 1 and the smaller
3816 of them at level 2. */
3818 enum value_range_type range_type
3821 {
3822 dstsize
3826 }
3828 /* The destination size is not constant. If the function is
3829 bounded (e.g., snprintf) a lower bound of zero doesn't
3830 necessarily imply it can be eliminated. */
3832 }
3833 }
3841 {
3842 /* As a special case, when the explicitly specified destination
3843 size argument (to a bounded function like snprintf) is zero
3844 it is a request to determine the number of bytes on output
3845 without actually producing any. Pretend the size is
3846 unlimited in this case. */
3849 }
3850 else
3851 {
3852 /* For calls to non-bounded functions or to those of bounded
3853 functions with a non-zero size, warn if the destination
3854 pointer is null. */
3856 {
3857 /* This is diagnosed with -Wformat only when the null is a constant
3858 pointer. The warning here diagnoses instances where the pointer
3859 is not constant. */
3864 }
3866 /* Set the object size to the smaller of the two arguments
3867 of both have been specified and they're not equal. */
3872 /* Avoid warning if -Wstringop-overflow is specified since
3873 it also warns for the same thing though only for the
3874 checking built-ins. */
3877 {
3879 "specified bound %wu exceeds the size %wu "
3881 }
3882 }
3885 {
3886 /* This is diagnosed with -Wformat only when the null is a constant
3887 pointer. The warning here diagnoses instances where the pointer
3888 is not constant. */
3893 }
3899 /* The result is the number of bytes output by the formatted function,
3900 including the terminating NUL. */
3905 /* When optimizing and the printf return value optimization is enabled,
3906 attempt to substitute the computed result for the return value of
3907 the call. Avoid this optimization when -frounding-math is in effect
3908 and the format string contains a floating point directive. */
3911 && flag_printf_return_value
3916 }
3918 /* Execute the pass for function FUN. */
3920 unsigned int
3922 {
3925 basic_block bb;
3927 {
3929 {
3930 /* Iterate over statements, looking for function calls. */
3934 /* If handle_gimple_call returns true, the iterator is
3935 already pointing to the next statement. */
3939 }
3940 }
3942 /* Clean up object size info. */
3946 }
3950 /* Return a pointer to a pass object newly constructed from the context
3951 CTXT. */
3953 gimple_opt_pass *
3955 {
3957 }