| blob | b5e1a08a88b769b75c7a91479f234150117cec31 |
1 /* Copyright (C) 2016-2018 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
9 version.
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 for more details.
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
87 /* The likely worst case value of MB_LEN_MAX for the target, large enough
88 for UTF-8. Ideally, this would be obtained by a target hook if it were
89 to be used for optimization but it's good enough as is for warnings. */
90 #define target_mb_len_max() 6
92 /* The maximum number of bytes a single non-string directive can result
93 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for
94 LDBL_MAX_10_EXP of 4932. */
95 #define IEEE_MAX_10_EXP 4932
96 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2)
110 };
112 /* Set to the warning level for the current function which is equal
113 either to warn_format_trunc for bounded functions or to
114 warn_format_overflow otherwise. */
121 {
133 };
136 {
143 { }
152 {
155 }
157 };
159 bool
161 {
162 /* Run the pass iff -Warn-format-overflow or -Warn-format-truncation
163 is specified and either not optimizing and the pass is being invoked
164 early, or when optimizing and the pass is being invoked during
165 optimization (i.e., "late"). */
170 }
172 /* The minimum, maximum, likely, and unlikely maximum number of bytes
173 of output either a formatting function or an individual directive
174 can result in. */
176 struct result_range
177 {
178 /* The absolute minimum number of bytes. The result of a successful
179 conversion is guaranteed to be no less than this. (An erroneous
180 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */
182 /* The likely maximum result that is used in diagnostics. In most
183 cases MAX is the same as the worst case UNLIKELY result. */
185 /* The likely result used to trigger diagnostics. For conversions
186 that result in a range of bytes [MIN, MAX], LIKELY is somewhere
187 in that range. */
189 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives
190 the worst cases maximum result of a directive. In most cases
191 UNLIKELY == MAX. UNLIKELY is used to control the return value
192 optimization but not in diagnostics. */
194 };
196 /* The result of a call to a formatted function. */
198 struct format_result
199 {
200 /* Range of characters written by the formatted function.
201 Setting the minimum to HOST_WIDE_INT_MAX disables all
202 length tracking for the remainder of the format string. */
203 result_range range;
205 /* True when the range above is obtained from known values of
206 directive arguments, or bounds on the amount of output such
207 as width and precision, and not the result of heuristics that
208 depend on warning levels. It's used to issue stricter diagnostics
209 in cases where strings of unknown lengths are bounded by the arrays
210 they are determined to refer to. KNOWNRANGE must not be used for
211 the return value optimization. */
214 /* True if no individual directive could fail or result in more than
215 4095 bytes of output (the total NUMBER_CHARS_{MIN,MAX} might be
216 greater). Implementations are not required to handle directives
217 that produce more than 4K bytes (leading to undefined behavior)
218 and so when one is found it disables the return value optimization.
219 Similarly, directives that can fail (such as wide character
220 directives) disable the optimization. */
223 /* True when a floating point directive has been seen in the format
224 string. */
227 /* True when an intermediate result has caused a warning. Used to
228 avoid issuing duplicate warnings while finishing the processing
229 of a call. WARNED also disables the return value optimization. */
232 /* Preincrement the number of output characters by 1. */
234 {
236 }
238 /* Postincrement the number of output characters by 1. */
240 {
244 }
246 /* Increment the number of output characters by N. */
248 };
250 format_result&
252 {
268 }
270 /* Return the value of INT_MIN for the target. */
274 {
276 }
278 /* Return the value of INT_MAX for the target. */
282 {
284 }
286 /* Return the value of SIZE_MAX for the target. */
290 {
292 }
294 /* A straightforward mapping from the execution character set to the host
295 character set indexed by execution character. */
299 /* Initialize a mapping from the execution character set to the host
300 character set. */
302 static bool
304 {
305 /* If the percent sign is non-zero the mapping has already been
306 initialized. */
310 /* Initialize the target_percent character (done elsewhere). */
314 /* The subset of the source character set used by printf conversion
315 specifications (strictly speaking, not all letters are used but
316 they are included here for the sake of simplicity). The dollar
317 sign must be included even though it's not in the basic source
318 character set. */
322 /* Set the mapping for all characters to some ordinary value (i,e.,
323 not none used in printf conversion specifications) and overwrite
324 those that are used by conversion specifications with their
325 corresponding values. */
328 /* Are the two sets of characters the same? */
332 {
333 /* Slice off the high end bits in case target characters are
334 signed. All values are expected to be non-nul, otherwise
335 there's a problem. */
337 {
341 }
342 else
345 }
347 /* Set the first element to a non-zero value if the mapping
348 is 1-to-1, otherwise leave it clear (NUL is assumed to be
349 the same in both character sets). */
353 }
355 /* Return the host source character corresponding to the character
356 CH in the execution character set if one exists, or some innocuous
357 (non-special, non-nul) source character otherwise. */
361 {
363 }
365 /* Convert an initial substring of the string TARGSTR consisting of
366 characters in the execution character set into a string in the
367 source character set on the host and store up to HOSTSZ characters
368 in the buffer pointed to by HOSTR. Return HOSTR. */
372 {
373 /* Make sure the buffer is reasonably big. */
376 /* The interesting subset of source and execution characters are
377 the same so no conversion is necessary. However, truncate
378 overlong strings just like the translated strings are. */
380 {
385 }
387 /* Convert the initial substring of TARGSTR to the corresponding
388 characters in the host set, appending "..." if TARGSTR is too
389 long to fit. Using the static buffer assumes the function is
390 not called in between sequence points (which it isn't). */
392 {
398 {
402 }
403 }
406 }
408 /* Convert the sequence of decimal digits in the execution character
409 starting at S to a long, just like strtol does. Return the result
410 and set *END to one past the last converted character. On range
411 error set ERANGE to the digit that caused it. */
415 {
418 {
421 {
424 /* Check for overflow. */
426 {
430 /* Skip the remaining digits. */
431 do
435 }
436 else
438 }
439 else
441 }
444 }
446 /* Return the constant initial value of DECL if available or DECL
447 otherwise. Same as the synonymous function in c/c-typeck.c. */
449 static tree
451 {
453 in a place where a variable is invalid. Note that DECL_INITIAL
454 isn't valid for a PARM_DECL. */
461 /* This is invalid if initial value is not constant.
462 If it has either a function call, a memory reference,
463 or a variable, then re-evaluating it could give different results. */
465 /* Check for cases where this is sub-optimal, even though valid. */
469 }
471 /* Given FORMAT, set *PLOC to the source location of the format string
472 and return the format string if it is known or null otherwise. */
476 {
478 {
479 /* Pull out a constant value if the front end didn't. */
482 }
485 {
486 /* FIXME: Diagnose null format string if it hasn't been diagnosed
487 by -Wformat (the latter diagnoses only nul pointer constants,
488 this pass can do better). */
490 }
495 {
506 /* POINTER_PLUS_EXPR offsets are to be interpreted signed. */
511 }
528 tree array_init;
535 {
536 /* Extract the string constant initializer. Note that this may
537 include a trailing NUL character that is not in the array (e.g.
538 const char a[3] = "foo";). */
541 }
548 scalar_int_mode char_mode;
551 {
552 /* Wide format string. */
554 }
560 {
561 /* Variable length arrays can't be initialized. */
565 {
571 }
572 }
574 {
580 }
583 {
584 /* FIXME: Diagnose an unterminated format string if it hasn't been
585 diagnosed by -Wformat. Similarly to a null format pointer,
586 -Wformay diagnoses only nul pointer constants, this pass can
587 do better). */
589 }
592 }
594 /* For convenience and brevity, shorter named entrypoints of
595 format_warning_at_substring and format_warning_at_substring_n.
596 These have to be functions with the attribute so that exgettext
597 works properly. */
599 static bool
603 {
611 }
613 static bool
618 {
622 corrected_substring,
628 }
630 /* Format length modifiers. */
632 enum format_lengths
633 {
634 FMT_LEN_none,
642 FMT_LEN_j // intmax_t
643 };
646 /* Description of the result of conversion either of a single directive
647 or the whole format string. */
649 struct fmtresult
650 {
651 /* Construct a FMTRESULT object with all counters initialized
652 to MIN. KNOWNRANGE is set when MIN is valid. */
657 {
662 }
664 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters.
665 KNOWNRANGE is set when both MIN and MAX are valid. */
671 {
676 }
678 /* Adjust result upward to reflect the RANGE of values the specified
679 width or precision is known to be in. */
684 /* Return the maximum number of decimal digits a value of TYPE
685 formats as on output. */
688 /* The range a directive's argument is in. */
691 /* The minimum and maximum number of bytes that a directive
692 results in on output for an argument in the range above. */
693 result_range range;
695 /* True when the range above is obtained from a known value of
696 a directive's argument or its bounds and not the result of
697 heuristics that depend on warning levels. */
700 /* True for a directive that may fail (such as wide character
701 directives). */
704 /* True when the argument is a null pointer. */
706 };
708 /* Adjust result upward to reflect the range ADJUST of values the
709 specified width or precision is known to be in. When non-null,
710 TYPE denotes the type of the directive whose result is being
711 adjusted, BASE gives the base of the directive (octal, decimal,
712 or hex), and ADJ denotes the additional adjustment to the LIKELY
713 counter that may need to be added when ADJUST is a range. */
715 fmtresult&
720 {
723 /* Adjust the minimum and likely counters. */
725 {
727 {
730 }
732 /* Adjust the likely counter. */
735 }
740 /* Adjust the maximum counter. */
742 {
744 {
747 /* Set KNOWNRANGE if both the minimum and maximum have been
748 adjusted. Otherwise leave it at what it was before. */
750 }
751 }
754 {
755 /* For large non-constant width or precision whose range spans
756 the maximum number of digits produced by the directive for
757 any argument, set the likely number of bytes to be at most
758 the number digits plus other adjustment determined by the
759 caller (one for sign or two for the hexadecimal "0x"
760 prefix). */
765 }
767 {
768 /* Conservatively, set LIKELY to at least MIN but no less than
769 1 unless MAX is zero. */
774 }
776 /* Finally adjust the unlikely counter to be at least as large as
777 the maximum. */
782 }
784 /* Return the maximum number of digits a value of TYPE formats in
785 BASE on output, not counting base prefix . */
787 unsigned
789 {
792 {
796 /* Decimal approximation: yields 3, 5, 10, and 20 for precision
797 of 8, 16, 32, and 64 bits. */
801 }
804 }
806 static bool
810 /* Description of a format directive. A directive is either a plain
811 string or a conversion specification that starts with '%'. */
813 struct directive
814 {
815 /* The 1-based directive number (for debugging). */
818 /* The first character of the directive and its length. */
822 /* A bitmap of flags, one for each character. */
825 /* The range of values of the specified width, or -1 if not specified. */
827 /* The range of values of the specified precision, or -1 if not
828 specified. */
831 /* Length modifier. */
832 format_lengths modifier;
834 /* Format specifier character. */
837 /* The argument of the directive or null when the directive doesn't
838 take one or when none is available (such as for vararg functions). */
839 tree arg;
841 /* Format conversion function that given a directive and an argument
842 returns the formatting result. */
845 /* Return True when a the format flag CHR has been used. */
847 {
851 }
853 /* Make a record of the format flag CHR having been used. */
855 {
859 }
861 /* Reset the format flag CHR. */
863 {
867 }
869 /* Set both bounds of the width range to VAL. */
871 {
873 }
875 /* Set the width range according to ARG, with both bounds being
876 no less than 0. For a constant ARG set both bounds to its value
877 or 0, whichever is greater. For a non-constant ARG in some range
878 set width to its range adjusting each bound to -1 if it's less.
879 For an indeterminate ARG set width to [0, INT_MAX]. */
881 {
883 }
885 /* Set both bounds of the precision range to VAL. */
887 {
889 }
891 /* Set the precision range according to ARG, with both bounds being
892 no less than -1. For a constant ARG set both bounds to its value
893 or -1 whichever is greater. For a non-constant ARG in some range
894 set precision to its range adjusting each bound to -1 if it's less.
895 For an indeterminate ARG set precision to [-1, INT_MAX]. */
897 {
899 }
901 /* Return true if both width and precision are known to be
902 either constant or in some range, false otherwise. */
904 {
909 }
910 };
912 /* Return the logarithm of X in BASE. */
914 static int
916 {
918 do
919 {
924 }
926 /* Return the number of bytes resulting from converting into a string
927 the INTEGER_CST tree node X in BASE with a minimum of PREC digits.
928 PLUS indicates whether 1 for a plus sign should be added for positive
929 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal
930 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot
931 be represented. */
933 static HOST_WIDE_INT
935 {
938 HOST_WIDE_INT res;
941 {
943 {
946 }
947 else
949 }
950 else
951 {
953 {
956 {
957 /* Avoid undefined behavior due to negating a minimum. */
960 }
962 {
965 }
966 else
967 {
970 }
971 }
972 else
974 }
980 /* Adjust a non-zero value for the base prefix, either hexadecimal,
981 or, unless precision has resulted in a leading zero, also octal. */
983 {
988 }
991 }
993 /* Given the formatting result described by RES and NAVAIL, the number
994 of available in the destination, return the range of bytes remaining
995 in the destination. */
999 {
1000 result_range range;
1003 {
1006 }
1008 /* The lower bound of the available range is the available size
1009 minus the maximum output size, and the upper bound is the size
1010 minus the minimum. */
1017 else
1024 }
1026 /* Description of a call to a formatted function. */
1029 {
1030 /* Function call statement. */
1033 /* Function called. */
1034 tree func;
1036 /* Called built-in function code. */
1037 built_in_function fncode;
1039 /* Format argument and format string extracted from it. */
1040 tree format;
1043 /* The location of the format argument. */
1044 location_t fmtloc;
1046 /* The destination object size for __builtin___xxx_chk functions
1047 typically determined by __builtin_object_size, or -1 if unknown. */
1050 /* Number of the first variable argument. */
1053 /* True for functions like snprintf that specify the size of
1054 the destination, false for others like sprintf that don't. */
1057 /* True for bounded functions like snprintf that specify a zero-size
1058 buffer as a request to compute the size of output without actually
1059 writing any. NOWRITE is cleared in response to the %n directive
1060 which has side-effects similar to writing output. */
1063 /* Return true if the called function's return value is used. */
1065 {
1067 }
1069 /* Return the warning option corresponding to the called function. */
1071 {
1073 }
1074 };
1076 /* Return the result of formatting a no-op directive (such as '%n'). */
1078 static fmtresult
1080 {
1083 }
1085 /* Return the result of formatting the '%%' directive. */
1087 static fmtresult
1089 {
1092 }
1095 /* Compute intmax_type_node and uintmax_type_node similarly to how
1096 tree.c builds size_type_node. */
1098 static void
1100 {
1102 {
1105 }
1107 {
1110 }
1112 {
1115 }
1116 else
1117 {
1120 {
1125 {
1129 }
1130 }
1132 }
1133 }
1135 /* Determine the range [*PMIN, *PMAX] that the expression ARG is
1136 in and that is representable in type int.
1137 Return true when the range is a subrange of that of int.
1138 When ARG is null it is as if it had the full range of int.
1139 When ABSOLUTE is true the range reflects the absolute value of
1140 the argument. When ABSOLUTE is false, negative bounds of
1141 the determined range are replaced with NEGBOUND. */
1143 static bool
1147 {
1148 /* The type of the result. */
1154 {
1157 }
1160 {
1161 /* For a constant argument return its value adjusted as specified
1162 by NEGATIVE and NEGBOUND and return true to indicate that the
1163 result is known. */
1167 }
1168 else
1169 {
1170 /* True if the argument's range cannot be determined. */
1175 /* Ignore invalid arguments with greater precision that that
1176 of the expected type (e.g., in sprintf("%*i", 12LL, i)).
1177 They will have been detected and diagnosed by -Wformat and
1178 so it's not important to complicate this code to try to deal
1179 with them again. */
1183 {
1184 /* Try to determine the range of values of the integer argument. */
1189 {
1190 HOST_WIDE_INT type_min
1201 {
1202 /* Return true if the adjusted range is a subrange of
1203 the full range of the argument's type. *PMAX may
1204 be less than *PMIN when the argument is unsigned
1205 and its upper bound is in excess of TYPE_MAX. In
1206 that (invalid) case disregard the range and use that
1207 of the expected type instead. */
1211 }
1212 }
1213 }
1215 /* Handle an argument with an unknown range as if none had been
1216 provided. */
1220 }
1222 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */
1224 {
1226 {
1229 else
1230 {
1231 /* Make sure signed overlow is avoided. */
1238 }
1239 }
1240 }
1245 }
1247 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual
1248 argument, due to the conversion from either *ARGMIN or *ARGMAX to
1249 the type of the directive's formal argument it's possible for both
1250 to result in the same number of bytes or a range of bytes that's
1251 less than the number of bytes that would result from formatting
1252 some other value in the range [*ARGMIN, *ARGMAX]. This can be
1253 determined by checking for the actual argument being in the range
1254 of the type of the directive. If it isn't it must be assumed to
1255 take on the full range of the directive's type.
1256 Return true when the range has been adjusted to the full range
1257 of DIRTYPE, and false otherwise. */
1259 static bool
1261 {
1266 /* If the actual argument and the directive's argument have the same
1267 precision and sign there can be no overflow and so there is nothing
1268 to adjust. */
1272 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P
1273 branch in the extract_range_from_unary_expr function in tree-vrp.c. */
1283 {
1287 /* If *ARGMIN is still less than *ARGMAX the conversion above
1288 is safe. Otherwise, it has overflowed and would be unsafe. */
1291 }
1296 }
1298 /* Return a range representing the minimum and maximum number of bytes
1299 that the format directive DIR will output for any argument given
1300 the WIDTH and PRECISION (extracted from DIR). This function is
1301 used when the directive argument or its value isn't known. */
1303 static fmtresult
1305 {
1306 tree intmax_type_node;
1307 tree uintmax_type_node;
1309 /* Base to format the number in. */
1312 /* True when a conversion is preceded by a prefix indicating the base
1313 of the argument (octal or hexadecimal). */
1316 /* True when a signed conversion is preceded by a sign or space. */
1319 /* True for signed conversions (i.e., 'd' and 'i'). */
1323 {
1326 /* Space and '+' are only meaningful for signed conversions. */
1343 }
1345 /* The type of the "formal" argument expected by the directive. */
1348 /* Determine the expected type of the argument from the length
1349 modifier. */
1351 {
1355 else
1373 dirtype = (sign
1374 ? long_long_integer_type_node
1393 }
1395 /* The type of the argument to the directive, either deduced from
1396 the actual non-constant argument if one is known, or from
1397 the directive itself when none has been provided because it's
1398 a va_list. */
1402 {
1403 /* When the argument has not been provided, use the type of
1404 the directive's argument as an approximation. This will
1405 result in false positives for directives like %i with
1406 arguments with smaller precision (such as short or char). */
1408 }
1410 {
1411 /* When a constant argument has been provided use its value
1412 rather than type to determine the length of the output. */
1413 fmtresult res;
1416 {
1417 /* As a special case, a precision of zero with a zero argument
1418 results in zero bytes except in base 8 when the '#' flag is
1419 specified, and for signed conversions in base 8 and 10 when
1420 either the space or '+' flag has been specified and it results
1421 in just one byte (with width having the normal effect). This
1422 must extend to the case of a specified precision with
1423 an unknown value because it can be zero. */
1426 {
1429 }
1430 else
1431 {
1434 }
1435 }
1436 else
1437 {
1438 /* Convert the argument to the type of the directive. */
1445 else
1450 }
1454 /* Bump up the counters if WIDTH is greater than LEN. */
1457 /* Bump up the counters again if PRECision is greater still. */
1462 }
1465 /* Determine the type of the provided non-constant argument. */
1467 else
1468 /* Don't bother with invalid arguments since they likely would
1469 have already been diagnosed, and disable any further checking
1470 of the format string by returning [-1, -1]. */
1473 fmtresult res;
1475 /* Using either the range the non-constant argument is in, or its
1476 type (either "formal" or actual), create a range of values that
1477 constrain the length of output given the warning level. */
1484 {
1485 /* Try to determine the range of values of the integer argument
1486 (range information is not available for pointers). */
1491 {
1495 /* Set KNOWNRANGE if the argument is in a known subrange
1496 of the directive's type and neither width nor precision
1497 is unknown. (KNOWNRANGE may be reset below). */
1498 res.knownrange
1505 }
1507 {
1508 /* Handle anti-ranges if/when bug 71690 is resolved. */
1509 }
1512 {
1513 /* The argument here may be the result of promoting the actual
1514 argument to int. Try to determine the type of the actual
1515 argument before promotion and narrow down its range that
1516 way. */
1519 {
1522 {
1525 }
1528 {
1533 }
1534 }
1535 }
1536 }
1539 {
1541 {
1544 }
1545 else
1546 {
1549 }
1550 }
1552 /* Clear KNOWNRANGE if the range has been adjusted to the maximum
1553 of the directive. If it has been cleared then since ARGMIN and/or
1554 ARGMAX have been adjusted also adjust the corresponding ARGMIN and
1555 ARGMAX in the result to include in diagnostics. */
1557 {
1561 }
1563 /* Recursively compute the minimum and maximum from the known range. */
1565 {
1566 /* For unsigned conversions/directives or signed when
1567 the minimum is positive, use the minimum and maximum to compute
1568 the shortest and longest output, respectively. */
1571 }
1573 {
1574 /* For signed conversions/directives if maximum is negative,
1575 use the minimum as the longest output and maximum as the
1576 shortest output. */
1579 }
1580 else
1581 {
1582 /* Otherwise, 0 is inside of the range and minimum negative. Use 0
1583 as the shortest output and for the longest output compute the
1584 length of the output of both minimum and maximum and pick the
1585 longer. */
1586 unsigned HOST_WIDE_INT max1
1588 unsigned HOST_WIDE_INT max2
1593 }
1595 /* If the range is known, use the maximum as the likely length. */
1598 else
1599 {
1600 /* Otherwise, use the minimum. Except for the case where for %#x or
1601 %#o the minimum is just for a single value in the range (0) and
1602 for all other values it is something longer, like 0x1 or 01.
1603 Use the length for value 1 in that case instead as the likely
1604 length. */
1609 {
1616 }
1617 }
1626 }
1628 /* Return the number of bytes that a format directive consisting of FLAGS,
1629 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC,
1630 would result for argument X under ideal conditions (i.e., if PREC
1631 weren't excessive). MPFR 3.1 allocates large amounts of memory for
1632 values of PREC with large magnitude and can fail (see MPFR bug #21056).
1633 This function works around those problems. */
1635 static unsigned HOST_WIDE_INT
1638 {
1652 {
1653 /* For %e, specify the precision explicitly since mpfr_sprintf
1654 does its own thing just to be different (see MPFR bug 21088). */
1657 }
1658 else
1659 {
1660 /* Avoid passing negative precisions with larger magnitude to MPFR
1661 to avoid exposing its bugs. (A negative precision is supposed
1662 to be ignored.) */
1665 }
1670 {
1671 /* For G/g without the pound flag, precision gives the maximum number
1672 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for
1673 a 128 bit IEEE extended precision, 4932. Using twice as much here
1674 should be more than sufficient for any real format. */
1678 }
1679 else
1680 {
1681 /* Cap precision arbitrarily at 1KB and add the difference
1682 (if any) to the MPFR result. */
1685 }
1689 /* Handle the unlikely (impossible?) error by returning more than
1690 the maximum dictated by the function's return type. */
1694 /* Adjust the return value by the difference. */
1699 }
1701 /* Return the number of bytes to format using the format specifier
1702 SPEC and the precision PREC the largest value in the real floating
1703 TYPE. */
1705 static unsigned HOST_WIDE_INT
1707 {
1710 /* IBM Extended mode. */
1714 /* Get the real type format desription for the target. */
1716 REAL_VALUE_TYPE rv;
1720 /* Convert the GCC real value representation with the precision
1721 of the real type to the mpfr_t format with the GCC default
1722 round-to-nearest mode. */
1723 mpfr_t x;
1727 /* Return a value one greater to account for the leading minus sign. */
1728 unsigned HOST_WIDE_INT r
1732 }
1734 /* Return a range representing the minimum and maximum number of bytes
1735 that the directive DIR will output for any argument. PREC gives
1736 the adjusted precision range to account for negative precisions
1737 meaning the default 6. This function is used when the directive
1738 argument or its value isn't known. */
1740 static fmtresult
1742 {
1743 tree type;
1746 {
1762 }
1764 /* The minimum and maximum number of bytes produced by the directive. */
1765 fmtresult res;
1767 /* The minimum output as determined by flags. It's always at least 1.
1768 When plus or space are set the output is preceded by either a sign
1769 or a space. */
1773 /* The minimum is 3 for "inf" and "nan" for all specifiers, plus 1
1774 for the plus sign/space with the '+' and ' ' flags, respectively,
1775 unless reduced below. */
1778 /* When the pound flag is set the decimal point is included in output
1779 regardless of precision. Whether or not a decimal point is included
1780 otherwise depends on the specification and precision. */
1784 {
1787 {
1795 + flagmin
1796 + radix
1797 + minprec
1802 /* The unlikely maximum accounts for the longest multibyte
1803 decimal point character. */
1809 }
1813 {
1814 /* Minimum output attributable to precision and, when it's
1815 non-zero, decimal point. */
1818 /* The likely minimum output is "[-+]1.234567e+00" regardless
1819 of the value of the actual argument. */
1821 + radix
1822 + minprec
1827 /* The unlikely maximum accounts for the longest multibyte
1828 decimal point character. */
1832 else
1835 }
1839 {
1840 /* Minimum output attributable to precision and, when it's non-zero,
1841 decimal point. */
1844 /* For finite numbers (i.e., not infinity or NaN) the lower bound
1845 when precision isn't specified is 8 bytes ("1.23456" since
1846 precision is taken to be 6). When precision is zero, the lower
1847 bound is 1 byte (e.g., "1"). Otherwise, when precision is greater
1848 than zero, then the lower bound is 2 plus precision (plus flags).
1849 But in all cases, the lower bound is no greater than 3. */
1854 /* Compute the upper bound for -TYPE_MAX. */
1857 /* The minimum output with unknown precision is a single byte
1858 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */
1861 else
1864 /* The unlikely maximum accounts for the longest multibyte
1865 decimal point character. */
1870 }
1874 {
1875 /* The %g output depends on precision and the exponent of
1876 the argument. Since the value of the argument isn't known
1877 the lower bound on the range of bytes (not counting flags
1878 or width) is 1 plus radix (i.e., either "0" or "0." for
1879 "%g" and "%#g", respectively, with a zero argument). */
1887 {
1888 /* When the pound flag (radix) is set, trailing zeros aren't
1889 trimmed and so the longest output is the same as for %e,
1890 except with precision minus 1 (as specified in C11). */
1896 }
1897 else
1902 /* The likely output is either the maximum computed above
1903 minus 1 (assuming the maximum is positive) when precision
1904 is known (or unspecified), or the same minimum as for %e
1905 (which is computed for a non-negative argument). Unlike
1906 for the other specifiers above the likely output isn't
1907 the minimum because for %g that's 1 which is unlikely. */
1911 else
1912 {
1915 + radix
1916 + minprec
1918 }
1920 /* The unlikely maximum accounts for the longest multibyte
1921 decimal point character. */
1924 }
1928 }
1930 /* Bump up the byte counters if WIDTH is greater. */
1933 }
1935 /* Return a range representing the minimum and maximum number of bytes
1936 that the directive DIR will write on output for the floating argument
1937 ARG. */
1939 static fmtresult
1941 {
1946 /* For an indeterminate precision the lower bound must be assumed
1947 to be zero. */
1949 {
1950 /* Get the number of fractional decimal digits needed to represent
1951 the argument without a loss of accuracy. */
1952 unsigned fmtprec
1955 /* The precision of the IEEE 754 double format is 53.
1956 The precision of all other GCC binary double formats
1957 is 56 or less. */
1960 /* For %a, leave the minimum precision unspecified to let
1961 MFPR trim trailing zeros (as it and many other systems
1962 including Glibc happen to do) and set the maximum
1963 precision to reflect what it would be with trailing zeros
1964 present (as Solaris and derived systems do). */
1966 {
1967 /* Both bounds are negative implies that precision has
1968 not been specified. */
1971 }
1973 {
1974 /* With a negative lower bound and a non-negative upper
1975 bound set the minimum precision to zero and the maximum
1976 to the greater of the maximum precision (i.e., with
1977 trailing zeros present) and the specified upper bound. */
1980 }
1981 }
1983 {
1985 {
1986 /* A precision in a strictly negative range is ignored and
1987 the default of 6 is used instead. */
1989 }
1990 else
1991 {
1992 /* For a precision in a partly negative range, the lower bound
1993 must be assumed to be zero and the new upper bound is the
1994 greater of 6 (the default precision used when the specified
1995 precision is negative) and the upper bound of the specified
1996 range. */
1999 }
2000 }
2007 /* The minimum and maximum number of bytes produced by the directive. */
2008 fmtresult res;
2010 /* Get the real type format desription for the target. */
2015 {
2016 /* The format for Infinity and NaN is "[-]inf"/"[-]infinity"
2017 and "[-]nan" with the choice being implementation-defined
2018 but not locale dependent. */
2024 /* The unlikely maximum is "[-/+]infinity" or "[-/+][qs]nan".
2025 For NaN, the C/POSIX standards specify two formats:
2026 "[-/+]nan"
2027 and
2028 "[-/+]nan(n-char-sequence)"
2029 No known printf implementation outputs the latter format but AIX
2030 outputs QNaN and SNaN for quiet and signalling NaN, respectively,
2031 so the unlikely maximum reflects that. */
2034 /* The range for infinity and NaN is known unless either width
2035 or precision is unknown. Width has the same effect regardless
2036 of whether the argument is finite. Precision is either ignored
2037 (e.g., Glibc) or can have an effect on the short vs long format
2038 such as inf/infinity (e.g., Solaris). */
2041 /* Adjust the range for width but ignore precision. */
2045 }
2050 /* Append flags. */
2057 {
2058 /* Set up an array to easily iterate over. */
2061 };
2064 {
2065 /* Convert the GCC real value representation with the precision
2066 of the real type to the mpfr_t format rounding down in the
2067 first iteration that computes the minimm and up in the second
2068 that computes the maximum. This order is arbibtrary because
2069 rounding in either direction can result in longer output. */
2070 mpfr_t mpfrval;
2074 /* Use the MPFR rounding specifier to round down in the first
2075 iteration and then up. In most but not all cases this will
2076 result in the same number of bytes. */
2079 /* Format it and store the result in the corresponding member
2080 of the result struct. */
2084 }
2085 }
2087 /* Make sure the minimum is less than the maximum (MPFR rounding
2088 in the call to mpfr_snprintf can result in the reverse. */
2090 {
2094 }
2096 /* The range is known unless either width or precision is unknown. */
2099 /* For the same floating point constant, unless width or precision
2100 is unknown, use the longer output as the likely maximum since
2101 with round to nearest either is equally likely. Otheriwse, when
2102 precision is unknown, use the greater of the minimum and 3 as
2103 the likely output (for "0.0" since zero precision is unlikely). */
2110 else
2116 {
2117 /* Unless the precision is zero output longer than 2 bytes may
2118 include the decimal point which must be a single character
2119 up to MB_LEN_MAX in length. This is overly conservative
2120 since in some conversions some constants result in no decimal
2121 point (e.g., in %g). */
2123 }
2127 }
2129 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
2130 strings referenced by the expression STR, or (-1, -1) when not known.
2131 Used by the format_string function below. */
2133 static fmtresult
2135 {
2140 {
2141 /* Simply return the length of the string. */
2144 }
2146 /* Determine the length of the shortest and longest string referenced
2147 by STR. Strings of unknown lengths are bounded by the sizes of
2148 arrays that subexpressions of STR may refer to. Pointers that
2149 aren't known to point any such arrays result in LENRANGE[1] set
2150 to SIZE_MAX. */
2155 {
2156 HOST_WIDE_INT min
2161 HOST_WIDE_INT max
2166 /* get_range_strlen() returns the target value of SIZE_MAX for
2167 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U
2168 which may be bigger. */
2176 /* Set RES.KNOWNRANGE to true if and only if all strings referenced
2177 by STR are known to be bounded (though not necessarily by their
2178 actual length but perhaps by their maximum possible length). */
2180 {
2182 /* When the the length of the longest string is known and not
2183 excessive use it as the likely length of the string(s). */
2185 }
2186 else
2187 {
2188 /* When the upper bound is unknown (it can be zero or excessive)
2189 set the likely length to the greater of 1 and the length of
2190 the shortest string and reset the lower bound to zero. */
2193 }
2195 /* If the range of string length has been estimated from the size
2196 of an array at the end of a struct assume that it's longer than
2197 the array bound says it is in case it's used as a poor man's
2198 flexible array member, such as in struct S { char a[4]; }; */
2202 }
2205 }
2207 /* Return the minimum and maximum number of characters formatted
2208 by the '%c' format directives and its wide character form for
2209 the argument ARG. ARG can be null (for functions such as
2210 vsprinf). */
2212 static fmtresult
2214 {
2215 fmtresult res;
2221 {
2222 /* A wide character can result in as few as zero bytes. */
2227 {
2229 {
2230 /* The NUL wide character results in no bytes. */
2234 }
2236 {
2237 /* Be conservative if the target execution character set
2238 is not a 1-to-1 mapping to the source character set or
2239 if the source set is not ASCII. */
2240 bool one_2_one_ascii
2243 /* A wide character in the ASCII range most likely results
2244 in a single byte, and only unlikely in up to MB_LEN_MAX. */
2249 }
2250 else
2251 {
2252 /* A wide character outside the ASCII range likely results
2253 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */
2257 /* Converting such a character may fail. */
2259 }
2260 }
2261 else
2262 {
2263 /* An unknown wide character is treated the same as a wide
2264 character outside the ASCII range. */
2269 }
2270 }
2271 else
2272 {
2273 /* A plain '%c' directive. Its ouput is exactly 1. */
2277 }
2279 /* Bump up the byte counters if WIDTH is greater. */
2281 }
2283 /* Return the minimum and maximum number of characters formatted
2284 by the '%s' format directive and its wide character form for
2285 the argument ARG. ARG can be null (for functions such as
2286 vsprinf). */
2288 static fmtresult
2290 {
2291 fmtresult res;
2293 /* Compute the range the argument's length can be in. */
2298 {
2299 /* The argument is either a string constant or it refers
2300 to one of a number of strings of the same length. */
2302 /* A '%s' directive with a string argument with constant length. */
2307 {
2308 /* In the worst case the length of output of a wide string S
2309 is bounded by MB_LEN_MAX * wcslen (S). */
2312 /* It's likely that the the total length is not more that
2313 2 * wcslen (S).*/
2318 {
2322 }
2329 /* Even a non-empty wide character string need not convert into
2330 any bytes. */
2333 /* A non-empty wide character conversion may fail. */
2336 }
2337 else
2338 {
2347 {
2351 }
2352 }
2353 }
2355 {
2356 /* Handle null pointer argument. */
2361 }
2362 else
2363 {
2364 /* For a '%s' and '%ls' directive with a non-constant string (either
2365 one of a number of strings of known length or an unknown string)
2366 the minimum number of characters is lesser of PRECISION[0] and
2367 the length of the shortest known string or zero, and the maximum
2368 is the lessser of the length of the longest known string or
2369 PTRDIFF_MAX and PRECISION[1]. The likely length is either
2370 the minimum at level 1 and the greater of the minimum and 1
2371 at level 2. This result is adjust upward for width (if it's
2372 specified). */
2376 {
2377 /* A wide character converts to as few as zero bytes. */
2388 /* A non-empty wide character conversion may fail. */
2391 }
2396 {
2397 /* Adjust the minimum to zero if the string length is unknown,
2398 or at most the lower bound of the precision otherwise. */
2404 /* Make both maxima no greater than the upper bound of precision. */
2407 {
2410 }
2412 /* If precision is constant, set the likely counter to the lesser
2413 of it and the maximum string length. Otherwise, if the lower
2414 bound of precision is greater than zero, set the likely counter
2415 to the minimum. Otherwise set it to zero or one based on
2416 the warning level. */
2423 else
2425 }
2427 {
2432 }
2434 {
2437 /* At level 1 strings of unknown length are assumed to be
2438 empty, while at level 1 they are assumed to be one byte
2439 long. */
2441 }
2442 else
2443 {
2444 /* A string of unknown length unconstrained by precision is
2445 assumed to be empty at level 1 and just one character long
2446 at higher levels. */
2449 }
2452 }
2454 /* Bump up the byte counters if WIDTH is greater. */
2456 }
2458 /* Format plain string (part of the format string itself). */
2460 static fmtresult
2462 {
2465 }
2467 /* Return true if the RESULT of a directive in a call describe by INFO
2468 should be diagnosed given the AVAILable space in the destination. */
2470 static bool
2473 {
2475 {
2476 /* The least amount of space remaining in the destination is big
2477 enough for the longest output. */
2479 }
2482 {
2485 {
2486 /* The likely amount of space remaining in the destination is big
2487 enough for the least output and the return value is used. */
2489 }
2493 {
2494 /* The likely amount of space remaining in the destination is big
2495 enough for the likely output and the return value is unused. */
2497 }
2503 {
2504 /* The minimum amount of space remaining in the destination is big
2505 enough for the longest output. */
2507 }
2508 }
2509 else
2510 {
2512 {
2513 /* The likely amount of space remaining in the destination is big
2514 enough for the likely output. */
2516 }
2522 {
2523 /* The minimum amount of space remaining in the destination is big
2524 enough for the longest output. */
2526 }
2527 }
2530 }
2532 /* At format string location describe by DIRLOC in a call described
2533 by INFO, issue a warning for a directive DIR whose output may be
2534 in excess of the available space AVAIL_RANGE in the destination
2535 given the formatting result FMTRES. This function does nothing
2536 except decide whether to issue a warning for a possible write
2537 past the end or truncation and, if so, format the warning.
2538 Return true if a warning has been issued. */
2540 static bool
2545 {
2549 /* A warning will definitely be issued below. */
2551 /* The maximum byte count to reference in the warning. Larger counts
2552 imply that the upper bound is unknown (and could be anywhere between
2553 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather
2554 than "between N and X" where X is some huge number. */
2557 /* True when there is enough room in the destination for the least
2558 amount of a directive's output but not enough for its likely or
2559 maximum output. */
2565 /* Buffer for the directive in the host character set (used when
2566 the source character set is different). */
2570 {
2571 /* The size of the destination region is exact. */
2575 {
2576 /* For plain character directives (i.e., the format string itself)
2577 but not others, point the caret at the first character that's
2578 past the end of the destination. */
2581 }
2584 {
2585 /* This is the terminating nul. */
2589 info.bounded
2590 ? (maybe
2595 : (maybe
2601 }
2604 {
2608 "%<%.*s%> directive writing %wu byte into a "
2610 "%<%.*s%> directive writing %wu bytes into a "
2615 "%<%.*s%> directive output may be truncated "
2617 "%<%.*s%> directive output may be truncated "
2620 else
2622 "%<%.*s%> directive output truncated writing "
2624 "%<%.*s%> directive output truncated writing "
2627 }
2631 info.bounded
2632 ? (maybe
2634 "writing up to %wu bytes into a region of "
2644 /* This is a special case to avoid issuing the potentially
2645 confusing warning:
2646 writing 0 or more bytes into a region of size 0. */
2648 info.bounded
2649 ? (maybe
2651 "writing likely %wu or more bytes into a "
2654 "likely %wu or more bytes into a region of "
2663 info.bounded
2664 ? (maybe
2666 "writing between %wu and %wu bytes into a "
2669 "writing between %wu and %wu bytes into a "
2678 info.bounded
2679 ? (maybe
2681 "writing %wu or more bytes into a region of "
2689 }
2691 /* The size of the destination region is a range. */
2694 {
2697 /* For plain character directives (i.e., the format string itself)
2698 but not others, point the caret at the first character that's
2699 past the end of the destination. */
2702 }
2705 {
2709 info.bounded
2710 ? (maybe
2715 : (maybe
2720 }
2723 {
2727 "%<%.*s%> directive writing %wu byte into a region "
2729 "%<%.*s%> directive writing %wu bytes into a region "
2734 "%<%.*s%> directive output may be truncated writing "
2736 "%<%.*s%> directive output may be truncated writing "
2737 "%wu bytes into a region of size between %wu and "
2740 else
2742 "%<%.*s%> directive output truncated writing %wu "
2744 "%<%.*s%> directive output truncated writing %wu "
2748 }
2752 info.bounded
2753 ? (maybe
2755 "writing up to %wu bytes into a region of size "
2758 "up to %wu bytes into a region of size between "
2767 /* This is a special case to avoid issuing the potentially confusing
2768 warning:
2769 writing 0 or more bytes into a region of size between 0 and N. */
2771 info.bounded
2772 ? (maybe
2774 "writing likely %wu or more bytes into a region "
2777 "likely %wu or more bytes into a region of size "
2787 info.bounded
2788 ? (maybe
2790 "writing between %wu and %wu bytes into a region "
2793 "between %wu and %wu bytes into a region of size "
2796 "%wu bytes into a region of size between %wu and "
2802 info.bounded
2803 ? (maybe
2805 "%wu or more bytes into a region of size between "
2808 "%wu or more bytes into a region of size between "
2815 }
2817 /* Compute the length of the output resulting from the directive DIR
2818 in a call described by INFO and update the overall result of the call
2819 in *RES. Return true if the directive has been handled. */
2821 static bool
2825 {
2826 /* Offset of the beginning of the directive from the beginning
2827 of the format string. */
2832 /* Create a location for the whole directive from the % to the format
2833 specifier. */
2837 /* Also get the location of the argument if possible.
2838 This doesn't work for integer literals or function calls. */
2843 /* Bail when there is no function to compute the output length,
2844 or when minimum length checking has been disabled. */
2848 /* Compute the range of lengths of the formatted output. */
2851 /* Record whether the output of all directives is known to be
2852 bounded by some maximum, implying that their arguments are
2853 either known exactly or determined to be in a known range
2854 or, for strings, limited by the upper bounds of the arrays
2855 they refer to. */
2859 {
2860 /* Only when the range is known, check it against the host value
2861 of INT_MAX + (the number of bytes of the "%.*Lf" directive with
2862 INT_MAX precision, which is the longest possible output of any
2863 single directive). That's the largest valid byte count (though
2864 not valid call to a printf-like function because it can never
2865 return such a count). Otherwise, the range doesn't correspond
2866 to known values of the argument. */
2868 {
2869 /* Normalize the MAX counter to avoid having to deal with it
2870 later. The counter can be less than HOST_WIDE_INT_M1U
2871 when compiling for an ILP32 target on an LP64 host. */
2873 /* Disable exact and maximum length checking after a failure
2874 to determine the maximum number of characters (for example
2875 for wide characters or wide character strings) but continue
2876 tracking the minimum number of characters. */
2878 }
2881 {
2882 /* Disable exact length checking after a failure to determine
2883 even the minimum number of characters (it shouldn't happen
2884 except in an error) but keep tracking the minimum and maximum
2885 number of characters. */
2887 }
2888 }
2890 /* Buffer for the directive in the host character set (used when
2891 the source character set is different). */
2897 {
2902 /* Don't bother processing the rest of the format string. */
2907 }
2909 /* Compute the number of available bytes in the destination. There
2910 must always be at least one byte of space for the terminating
2911 NUL that's appended after the format string has been processed. */
2920 /* Bump up the total maximum if it isn't too big. */
2925 /* Raise the total unlikely maximum by the larger of the maximum
2926 and the unlikely maximum. */
2930 else
2939 /* Has the minimum directive output length exceeded the maximum
2940 of 4095 bytes required to be supported? */
2943 /* Clear POSUNDER4K in the overall result if the maximum has exceeded
2944 the 4k (this is necessary to avoid the return value optimization
2945 that may not be safe in the maximum case). */
2948 /* Also clear POSUNDER4K if the directive may fail. */
2953 /* Only warn at level 2. */
2955 && (!minunder4k
2957 {
2958 /* The directive output may be longer than the maximum required
2959 to be handled by an implementation according to 7.21.6.1, p15
2960 of C11. Warn on this only at level 2 but remember this and
2961 prevent folding the return value when done. This allows for
2962 the possibility of the actual libc call failing due to ENOMEM
2963 (like Glibc does under some conditions). */
2967 "%<%.*s%> directive output of %wu bytes exceeds "
2971 else
2973 minunder4k
2975 "bytes may exceed minimum required size of "
2979 dirlen,
2982 }
2984 /* Has the likely and maximum directive output exceeded INT_MAX? */
2986 /* Don't consider the maximum to be in excess when it's the result
2987 of a string of unknown length (i.e., whose maximum has been set
2988 to be greater than or equal to HOST_WIDE_INT_MAX. */
2994 /* Warn for the likely output size at level 1. */
2995 && (likelyximax
2996 /* But only warn for the maximum at level 2. */
2998 && maxximax
3000 {
3001 /* The directive output causes the total length of output
3002 to exceed INT_MAX bytes. */
3006 "%<%.*s%> directive output of %wu bytes causes "
3010 else
3014 "%wu bytes causes result to exceed "
3017 "%wu bytes may cause result to exceed "
3021 }
3031 {
3037 else
3041 }
3046 {
3047 /* If a warning has been issued for buffer overflow or truncation
3048 (but not otherwise) help the user figure out how big a buffer
3049 they need. */
3064 "%qE output between %wu and %wu bytes into "
3069 "%qE output %wu or more bytes (assuming %wu) into "
3072 else
3076 }
3079 {
3081 " Result: "
3090 }
3093 }
3095 /* Parse a format directive in function call described by INFO starting
3096 at STR and populate DIR structure. Bump up *ARGNO by the number of
3097 arguments extracted for the directive. Return the length of
3098 the directive. */
3100 static size_t
3105 {
3110 {
3111 /* This directive is either a plain string or the terminating nul
3112 (which isn't really a directive but it simplifies things to
3113 handle it as if it were). */
3118 {
3125 }
3128 }
3132 /* POSIX numbered argument index or zero when none. */
3135 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN
3136 when given by a va_list argument, and a non-negative value
3137 when specified in the format string itself. */
3141 /* Pointers to the beginning of the width and precision decimal
3142 string (if any) within the directive. */
3146 /* When the value of the decimal string that specifies width or
3147 precision is out of range, points to the digit that causes
3148 the value to exceed the limit. */
3152 /* Width specified via the asterisk. Need not be INTEGER_CST.
3153 For vararg functions set to void_node. */
3156 /* Width specified via the asterisk. Need not be INTEGER_CST.
3157 For vararg functions set to void_node. */
3161 {
3162 /* This could be either a POSIX positional argument, the '0'
3163 flag, or a width, depending on what follows. Store it as
3164 width and sort it out later after the next character has
3165 been seen. */
3168 }
3170 {
3171 /* Similarly to the block above, this could be either a POSIX
3172 positional argument or a width, depending on what follows. */
3175 else
3178 }
3181 {
3182 /* Handle the POSIX dollar sign which references the 1-based
3183 positional argument number. */
3192 /* Bail when the numbered argument is out of range (it will
3193 have already been diagnosed by -Wformat). */
3204 }
3207 {
3209 {
3211 {
3212 /* The '0' that has been interpreted as a width above is
3213 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
3214 and continue processing other flags. */
3217 }
3219 {
3220 /* (Non-zero) width has been seen. The next character
3221 is either a period or a digit. */
3223 }
3224 }
3225 /* When either '$' has been seen, or width has not been seen,
3226 the next field is the optional flags followed by an optional
3227 width. */
3230 {
3241 }
3242 }
3244 start_width:
3246 {
3250 }
3252 {
3255 else
3256 {
3257 /* This is (likely) a va_list. It could also be an invalid
3258 call with insufficient arguments. */
3260 }
3262 }
3264 {
3265 /* The POSIX apostrophe indicating a numeric grouping
3266 in the current locale. Even though it's possible to
3267 estimate the upper bound on the size of the output
3268 based on the number of digits it probably isn't worth
3269 continuing. */
3271 }
3272 }
3274 start_precision:
3276 {
3280 {
3283 }
3285 {
3288 else
3289 {
3290 /* This is (likely) a va_list. It could also be an invalid
3291 call with insufficient arguments. */
3293 }
3295 }
3296 else
3297 {
3298 /* The decimal precision or the asterisk are optional.
3299 When neither is dirified it's taken to be zero. */
3301 }
3302 }
3305 {
3308 {
3311 }
3312 else
3329 {
3332 }
3333 else
3347 }
3350 {
3351 /* Handle a sole '%' character the same as "%%" but since it's
3352 undefined prevent the result from being folded. */
3356 /* FALLTHRU */
3383 /* The %p output is implementation-defined. It's possible
3384 to determine this format but due to extensions (edirially
3385 those of the Linux kernel -- see bug 78512) the first %p
3386 in the format string disables any further processing. */
3390 /* %n has side-effects even when nothing is actually printed to
3391 any buffer. */
3398 /* POSIX wide character and C/POSIX narrow character. */
3404 /* POSIX wide string and C/POSIX narrow character string. */
3409 /* Unknown conversion specification. */
3411 }
3415 /* Store the length of the format directive. */
3418 /* Buffer for the directive in the host character set (used when
3419 the source character set is different). */
3423 {
3426 else
3427 {
3428 /* Width specified by a va_list takes on the range [0, -INT_MIN]
3429 (width is the absolute value of that specified). */
3432 }
3433 }
3434 else
3435 {
3437 {
3442 /* Create a location for the width part of the directive,
3443 pointing the caret at the first out-of-range digit. */
3450 }
3453 }
3456 {
3459 else
3460 {
3461 /* Precision specified by a va_list takes on the range [-1, INT_MAX]
3462 (unlike width, negative precision is ignored). */
3465 }
3466 }
3467 else
3468 {
3470 {
3475 /* Create a location for the precision part of the directive,
3476 including the leading period, pointing the caret at the first
3477 out-of-range digit . */
3484 }
3487 }
3489 /* Extract the argument if the directive takes one and if it's
3490 available (e.g., the function doesn't take a va_list). Treat
3491 missing arguments the same as va_list, even though they will
3492 have likely already been diagnosed by -Wformat. */
3498 {
3500 " Directive %u at offset " HOST_WIDE_INT_PRINT_UNSIGNED
3506 {
3510 else
3512 ", width in range [" HOST_WIDE_INT_PRINT_DEC
3515 }
3518 {
3522 else
3524 ", precision in range [" HOST_WIDE_INT_PRINT_DEC
3527 }
3529 }
3532 }
3534 /* Compute the length of the output resulting from the call to a formatted
3535 output function described by INFO and store the result of the call in
3536 *RES. Issue warnings for detected past the end writes. Return true
3537 if the complete format string has been processed and *RES can be relied
3538 on, false otherwise (e.g., when a unknown or unhandled directive was seen
3539 that caused the processing to be terminated early). */
3541 bool
3544 {
3546 {
3553 ": objsize = " HOST_WIDE_INT_PRINT_UNSIGNED
3556 }
3558 /* Reset the minimum and maximum byte counters. */
3561 /* No directive has been seen yet so the length of output is bounded
3562 by the known range [0, 0] (with no conversion resulting in a failure
3563 or producing more than 4K bytes) until determined otherwise. */
3569 /* 1-based directive counter. */
3572 /* The variadic argument counter. */
3576 {
3583 /* Return failure if the format function fails. */
3588 /* Return success the directive is zero bytes long and it's
3589 the last think in the format string (i.e., it's the terminating
3590 nul, which isn't really a directive but handling it as one makes
3591 things simpler). */
3596 }
3598 /* The complete format string was processed (with or without warnings). */
3600 }
3602 /* Return the size of the object referenced by the expression DEST if
3603 available, or -1 otherwise. */
3605 static unsigned HOST_WIDE_INT
3607 {
3608 /* Initialize object size info before trying to compute it. */
3611 /* Use __builtin_object_size to determine the size of the destination
3612 object. When optimizing, determine the smallest object (such as
3613 a member array as opposed to the whole enclosing object), otherwise
3614 use type-zero object size to determine the size of the enclosing
3615 object (the function fails without optimization in this type). */
3622 }
3624 /* Return true if the call described by INFO with result RES safe to
3625 optimize (i.e., no undefined behavior), and set RETVAL to the range
3626 of its return values. */
3628 static bool
3632 {
3636 /* The minimum return value. */
3639 /* The maximum return value is in most cases bounded by RES.RANGE.MAX
3640 but in cases involving multibyte characters could be as large as
3641 RES.RANGE.UNLIKELY. */
3645 /* Adjust the number of bytes which includes the terminating nul
3646 to reflect the return value of the function which does not.
3647 Because the valid range of the function is [INT_MIN, INT_MAX],
3648 a valid range before the adjustment below is [0, INT_MAX + 1]
3649 (the functions only return negative values on error or undefined
3650 behavior). */
3656 /* Avoid the return value optimization when the behavior of the call
3657 is undefined either because any directive may have produced 4K or
3658 more of output, or the return value exceeds INT_MAX, or because
3659 the output overflows the destination object (but leave it enabled
3660 when the function is bounded because then the behavior is well-
3661 defined). */
3676 }
3678 /* Given a suitable result RES of a call to a formatted output function
3679 described by INFO, substitute the result for the return value of
3680 the call. The result is suitable if the number of bytes it represents
3681 is known and exact. A result that isn't suitable for substitution may
3682 have its range set to the range of return values, if that is known.
3683 Return true if the call is removed and gsi_next should not be performed
3684 in the caller. */
3686 static bool
3690 {
3693 /* Set to true when the entire call has been removed. */
3696 /* The minimum and maximum return value. */
3702 /* Not prepared to handle possibly throwing calls here; they shouldn't
3703 appear in non-artificial testcases, except when the __*_chk routines
3704 are badly declared. */
3706 {
3711 {
3712 /* Remove the call to the bounded function with a zero size
3713 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */
3717 }
3719 {
3720 /* Replace the call to the bounded function with a zero size
3721 (e.g., snprintf(0, 0, "%i", 123) with the constant result
3722 of the function. */
3727 }
3729 {
3730 /* Replace the left-hand side of the call with the constant
3731 result of the formatted function. */
3736 }
3739 {
3742 else
3743 {
3748 }
3749 }
3750 }
3752 {
3759 {
3760 /* If the result is in a valid range bounded by the size of
3761 the destination set it so that it can be used for subsequent
3762 optimizations. */
3770 }
3773 {
3783 " %s %s-bounds return value range ["
3784 HOST_WIDE_INT_PRINT_UNSIGNED ", "
3787 else
3791 }
3792 }
3798 }
3800 /* Try to simplify a s{,n}printf call described by INFO with result
3801 RES by replacing it with a simpler and presumably more efficient
3802 call (such as strcpy). */
3804 static bool
3808 {
3814 {
3822 ;
3823 }
3826 }
3828 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
3829 functions and if so, handle it. Return true if the call is removed
3830 and gsi_next should not be performed in the caller. */
3832 bool
3834 {
3844 /* The size of the destination as in snprintf(dest, size, ...). */
3847 /* The size of the destination determined by __builtin_object_size. */
3850 /* Buffer size argument number (snprintf and vsnprintf). */
3853 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
3856 /* Format string argument number (valid for all functions). */
3860 {
3862 // Signature:
3863 // __builtin_sprintf (dst, format, ...)
3869 // Signature:
3870 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
3877 // Signature:
3878 // __builtin_snprintf (dst, size, format, ...)
3886 // Signature:
3887 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
3896 // Signature:
3897 // __builtin_vsprintf (dst, size, format, va)
3905 // Signature:
3906 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
3915 // Signature:
3916 // __builtin_vsprintf (dst, format, va)
3922 // Signature:
3923 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
3931 }
3933 /* Set the global warning level for this function. */
3936 /* The first argument is a pointer to the destination. */
3941 /* True when the destination size is constant as opposed to the lower
3942 or upper bound of a range. */
3946 {
3947 /* For non-bounded functions like sprintf, determine the size
3948 of the destination from the object or pointer passed to it
3949 as the first argument. */
3951 }
3953 {
3954 /* For bounded functions try to get the size argument. */
3957 {
3959 /* No object can be larger than SIZE_MAX bytes (half the address
3960 space) on the target.
3961 The functions are defined only for output of at most INT_MAX
3962 bytes. Specifying a bound in excess of that limit effectively
3963 defeats the bounds checking (and on some implementations such
3964 as Solaris cause the function to fail with EINVAL). */
3966 {
3967 /* Avoid warning if -Wstringop-overflow is specified since
3968 it also warns for the same thing though only for the
3969 checking built-ins. */
3973 "specified bound %wu exceeds maximum object size "
3976 }
3980 dstsize);
3981 }
3983 {
3984 /* Try to determine the range of values of the argument
3985 and use the greater of the two at level 1 and the smaller
3986 of them at level 2. */
3995 /* The destination size is not constant. If the function is
3996 bounded (e.g., snprintf) a lower bound of zero doesn't
3997 necessarily imply it can be eliminated. */
3999 }
4000 }
4008 {
4009 /* As a special case, when the explicitly specified destination
4010 size argument (to a bounded function like snprintf) is zero
4011 it is a request to determine the number of bytes on output
4012 without actually producing any. Pretend the size is
4013 unlimited in this case. */
4016 }
4017 else
4018 {
4019 /* For calls to non-bounded functions or to those of bounded
4020 functions with a non-zero size, warn if the destination
4021 pointer is null. */
4023 {
4024 /* This is diagnosed with -Wformat only when the null is a constant
4025 pointer. The warning here diagnoses instances where the pointer
4026 is not constant. */
4031 }
4033 /* Set the object size to the smaller of the two arguments
4034 of both have been specified and they're not equal. */
4039 /* Avoid warning if -Wstringop-overflow is specified since
4040 it also warns for the same thing though only for the
4041 checking built-ins. */
4044 {
4046 "specified bound %wu exceeds the size %wu "
4048 }
4049 }
4052 {
4053 /* This is diagnosed with -Wformat only when the null is a constant
4054 pointer. The warning here diagnoses instances where the pointer
4055 is not constant. */
4060 }
4066 /* The result is the number of bytes output by the formatted function,
4067 including the terminating NUL. */
4072 /* When optimizing and the printf return value optimization is enabled,
4073 attempt to substitute the computed result for the return value of
4074 the call. Avoid this optimization when -frounding-math is in effect
4075 and the format string contains a floating point directive. */
4078 {
4079 /* Save a copy of the iterator pointing at the call. The iterator
4080 may change to point past the call in try_substitute_return_value
4081 but the original value is needed in try_simplify_call. */
4090 }
4093 }
4095 edge
4097 {
4100 {
4101 /* Iterate over statements, looking for function calls. */
4104 /* First record ranges generated by this statement. */
4108 /* If handle_gimple_call returns true, the iterator is
4109 already pointing to the next statement. */
4113 }
4115 }
4117 void
4119 {
4121 }
4123 /* Execute the pass for function FUN. */
4125 unsigned int
4127 {
4132 sprintf_dom_walker sprintf_dom_walker;
4135 /* Clean up object size info. */
4138 }
4142 /* Return a pointer to a pass object newly constructed from the context
4143 CTXT. */
4145 gimple_opt_pass *
4147 {
4149 }