| blob | 4a2dd9ade77d1fac9b3b53cd6844ec4bc274b194 |
1 /* Pass to detect and issue warnings for invalid accesses, including
2 invalid or mismatched allocation/deallocation calls.
4 Copyright (C) 2020-2021 Free Software Foundation, Inc.
5 Contributed by Martin Sebor <msebor@redhat.com>.
7 This file is part of GCC.
9 GCC is free software; you can redistribute it and/or modify it under
10 the terms of the GNU General Public License as published by the Free
11 Software Foundation; either version 3, or (at your option) any later
12 version.
14 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
15 WARRANTY; without even the implied warranty of MERCHANTABILITY or
16 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 for more details.
19 You should have received a copy of the GNU General Public License
20 along with GCC; see the file COPYING3. If not see
21 <http://www.gnu.org/licenses/>. */
23 #define INCLUDE_STRING
55 /* Return true if tree node X has an associated location. */
59 {
67 }
69 /* Return the associated location of STMT. */
73 {
75 }
77 /* Return the associated location of tree node X. */
81 {
89 }
91 /* Overload of the nascent tree function for GIMPLE STMT. */
95 {
97 }
101 {
103 }
107 {
109 }
114 {
116 }
120 {
122 }
124 /* For a call EXPR at LOC to a function FNAME that expects a string
125 in the argument ARG, issue a diagnostic due to it being a called
126 with an argument that is a character array with no terminating
127 NUL. SIZE is the EXACT size of the array, and BNDRNG the number
128 of characters in which the NUL is expected. Either EXPR or FNAME
129 may be null but noth both. SIZE may be null when BNDRNG is null. */
132 static void
136 {
145 /* Format the bound range as a string to keep the nuber of messages
146 from exploding. */
150 {
153 else
157 }
162 {
165 {
168 "%qD specified bound %s exceeds "
171 else
172 {
175 exact
178 : (maybe
180 "exceed the size of at most %E "
183 "the size of at most %E "
186 }
187 }
188 else
191 func);
192 }
193 else
194 {
196 {
199 "%qs specified bound %s exceeds "
202 else
203 {
206 exact
209 : (maybe
211 "exceed the size of at most %E "
214 "the size of at most %E "
217 }
218 }
219 else
222 fname);
223 }
226 {
232 }
233 }
235 void
240 {
243 }
245 void
250 {
253 }
255 /* If EXP refers to an unterminated constant character array return
256 the declaration of the object of which the array is a member or
257 element and if SIZE is not null, set *SIZE to the size of
258 the unterminated array and set *EXACT if the size is exact or
259 clear it otherwise. Otherwise return null. */
261 tree
263 {
264 /* C_STRLEN will return NULL and set DECL in the info
265 structure if EXP references a unterminated array. */
266 c_strlen_data lendata = { };
276 {
277 /* Constant offsets are already accounted for in LENDATA.MINLEN,
278 but not in a SSA_NAME + CST expression. */
283 {
284 /* Subtract the offset from the size of the array. */
289 }
290 else
292 }
293 else
298 }
300 /* For a call EXPR (which may be null) that expects a string argument
301 SRC as an argument, returns false if SRC is a character array with
302 no terminating NUL. When nonnull, BOUND is the number of characters
303 in which to expect the terminating NUL. When EXPR is nonnull also
304 issues a warning. */
307 static bool
309 {
310 /* The constant size of the array SRC points to. The actual size
311 may be less of EXACT is true, but not more. */
312 tree size;
313 /* True if SRC involves a non-constant offset into the array. */
315 /* The unterminated constant array SRC points to. */
320 /* NONSTR refers to the non-nul terminated constant array and SIZE
321 is the constant size of the array in bytes. EXACT is true when
322 SIZE is exact. */
326 {
327 value_range r;
338 {
341 }
344 }
351 }
353 bool
355 {
357 }
359 bool
361 {
363 }
365 /* Warn about passing a non-string array/pointer to a built-in function
366 that expects a nul-terminated string argument. Returns true if
367 a warning has been issued.*/
370 static bool
372 {
380 /* Avoid clearly invalid calls (more checking done below). */
385 /* The bound argument to a bounded string function like strncpy. */
388 /* The longest known or possible string argument to one of the comparison
389 functions. If the length is less than the bound it is used instead.
390 Since the length is only used for warning and not for code generation
391 disable strict mode in the calls to get_range_strlen below. */
394 /* It's safe to call "bounded" string functions with a non-string
395 argument since the functions provide an explicit bound for this
396 purpose. The exception is strncat where the bound may refer to
397 either the destination or the source. */
400 {
404 {
405 /* For these, if one argument refers to one or more of a set
406 of string constants or arrays of known size, determine
407 the range of their known or possible lengths and use it
408 conservatively as the bound for the unbounded function,
409 and to adjust the range of the bound of the bounded ones. */
413 {
416 {
417 c_strlen_data lendata = { };
418 /* Set MAXBOUND to an arbitrary non-null non-integer
419 node as a request to have it set to the length of
420 the longest string in a PHI. */
424 }
425 }
426 }
427 /* Fall through. */
443 {
446 {
447 c_strlen_data lendata = { };
448 /* Set MAXBOUND to an arbitrary non-null non-integer
449 node as a request to have it set to the length of
450 the longest string in a PHI. */
454 }
458 }
462 }
464 /* Determine the range of the bound argument (if specified). */
467 {
470 }
475 {
476 /* Diagnose excessive bound prior to the adjustment below and
477 regardless of attribute nonstring. */
480 {
484 "%qD specified bound %E "
487 else
489 "%qD specified bound [%E, %E] "
492 maxobjsize);
497 }
498 }
501 {
502 /* Add one for the nul. */
504 size_one_node);
507 {
508 /* Conservatively use the upper bound of the lengths for
509 both the lower and the upper bound of the operation. */
513 }
515 {
516 /* Replace the bound on the operation with the upper bound
517 of the length of the string if the latter is smaller. */
522 }
523 }
526 /* Iterate over the built-in function's formal arguments and check
527 each const char* against the actual argument. If the actual
528 argument is declared attribute non-string issue a warning unless
529 the argument's maximum length is bounded. */
530 function_args_iterator it;
534 {
535 /* Avoid iterating past the declared argument in a call
536 to function declared without a prototype. */
561 /* See if the destination is declared with attribute "nonstring". */
566 /* The maximum number of array elements accessed. */
570 {
571 /* See if the bound in strncat is derived from the length
572 of the strlen of the destination (as it's expected to be).
573 If so, reset BOUND and FNCODE to trigger a warning. */
576 {
577 /* The bound applies to the destination, not to the source,
578 so reset these to trigger a warning without mentioning
579 the bound. */
582 }
584 /* Use the upper bound of the range for strncat. */
586 }
588 /* Use the lower bound of the range for functions other than
589 strncat. */
592 /* Determine the size of the argument array if it is one. */
597 /* Determine the array size. For arrays of unknown bound and
598 pointers reset BOUND to trigger the appropriate warning. */
600 {
602 {
604 {
607 }
608 }
611 }
615 /* In a call to strncat with a bound in a range whose lower but
616 not upper bound is less than the array size, reset ASIZE to
617 be the same as the bound and the other variable to trigger
618 the apprpriate warning below. */
622 && (!known_size
624 {
628 }
632 auto_diagnostic_group d;
634 {
637 "%qD argument %i declared attribute "
638 "%<nonstring%> is smaller than the specified "
643 "%qD argument %i declared attribute "
644 "%<nonstring%> is smaller than "
647 else
649 "%qD argument %i declared attribute "
650 "%<nonstring%> may be smaller than "
653 }
656 is equal to the size of the non-string argument. */
663 {
667 }
668 }
674 }
676 bool
678 {
680 }
683 bool
685 {
687 }
689 /* Issue a warning OPT for a bounded call EXP with a bound in RANGE
690 accessing an object with SIZE. */
693 static bool
696 {
705 {
709 {
711 warned = (func
713 (maybe
720 (maybe
726 else
727 warned = (func
729 (maybe
734 func,
737 (maybe
743 }
747 warned = (func
749 (maybe
756 (maybe
762 else
763 warned = (func
765 (maybe
772 (maybe
779 {
785 }
788 }
792 {
794 warned = (func
796 (maybe
803 (maybe
809 else
810 warned = (func
812 (maybe
819 (maybe
825 }
829 warned = (func
831 (maybe
838 (maybe
844 else
845 warned = (func
847 (maybe
854 (maybe
862 {
868 }
871 }
873 bool
877 {
879 pad);
880 }
882 bool
886 {
888 }
890 /* For an expression EXP issue an access warning controlled by option OPT
891 with access to a region SIZE bytes in size in the RANGE of sizes.
892 WRITE is true for a write access, READ for a read access, neither for
893 call that may or may not perform an access but for which the range
894 is expected to valid.
895 Returns true when a warning has been issued. */
898 static bool
901 {
905 {
907 warned = (func
909 (maybe
914 (maybe
921 (maybe
926 (maybe
933 {
934 /* Avoid printing the upper bound if it's invalid. */
935 warned = (func
937 (maybe
944 (maybe
950 }
951 else
952 warned = (func
954 (maybe
961 (maybe
968 }
971 {
973 warned = (func
975 (maybe
980 (maybe
987 (maybe
992 (maybe
999 {
1000 /* Avoid printing the upper bound if it's invalid. */
1001 warned = (func
1003 (maybe
1007 "into a region of size %E overflows "
1011 (maybe
1015 "a region of size %E overflows "
1018 }
1019 else
1020 warned = (func
1022 (maybe
1026 "into a region of size %E overflows "
1030 (maybe
1034 "into a region of size %E overflows "
1038 }
1041 {
1043 warned = (func
1046 (maybe
1051 (maybe
1059 (maybe
1064 (maybe
1071 {
1072 /* Avoid printing the upper bound if it's invalid. */
1073 warned = (func
1075 (maybe
1082 (maybe
1088 }
1089 else
1090 warned = (func
1092 (maybe
1099 (maybe
1110 }
1114 warned = (func
1126 {
1127 /* Avoid printing the upper bound if it's invalid. */
1128 warned = (func
1130 "%qD expecting %E or more bytes in a region "
1134 "expecting %E or more bytes in a region "
1137 }
1138 else
1139 warned = (func
1141 "%qD expecting between %E and %E bytes in "
1145 "expecting between %E and %E bytes in "
1153 }
1155 static bool
1158 {
1161 }
1163 static bool
1166 {
1169 }
1171 /* Helper to set RANGE to the range of BOUND if it's nonnull, bounded
1172 by BNDRNG if nonnull and valid. */
1174 static void
1176 {
1184 {
1185 offset_int r[] =
1191 }
1192 else
1193 {
1196 }
1197 }
1199 /* Try to verify that the sizes and lengths of the arguments to a string
1200 manipulation function given by EXP are within valid bounds and that
1201 the operation does not lead to buffer overflow or read past the end.
1202 Arguments other than EXP may be null. When non-null, the arguments
1203 have the following meaning:
1204 DST is the destination of a copy call or NULL otherwise.
1205 SRC is the source of a copy call or NULL otherwise.
1206 DSTWRITE is the number of bytes written into the destination obtained
1207 from the user-supplied size argument to the function (such as in
1208 memcpy(DST, SRCs, DSTWRITE) or strncpy(DST, DRC, DSTWRITE).
1209 MAXREAD is the user-supplied bound on the length of the source sequence
1210 (such as in strncat(d, s, N). It specifies the upper limit on the number
1211 of bytes to write. If NULL, it's taken to be the same as DSTWRITE.
1212 SRCSTR is the source string (such as in strcpy(DST, SRC)) when the
1213 expression EXP is a string function call (as opposed to a memory call
1214 like memcpy). As an exception, SRCSTR can also be an integer denoting
1215 the precomputed size of the source string or object (for functions like
1216 memcpy).
1217 DSTSIZE is the size of the destination object.
1219 When DSTWRITE is null LEN is checked to verify that it doesn't exceed
1220 SIZE_MAX.
1222 WRITE is true for write accesses, READ is true for reads. Both are
1223 false for simple size checks in calls to functions that neither read
1224 from nor write to the region.
1226 When nonnull, PAD points to a more detailed description of the access.
1228 If the call is successfully verified as safe return true, otherwise
1229 return false. */
1232 static bool
1236 {
1237 /* The size of the largest object is half the address space, or
1238 PTRDIFF_MAX. (This is way too permissive.) */
1241 /* Either an approximate/minimum the length of the source string for
1242 string functions or the size of the source object for raw memory
1243 functions. */
1246 /* The range of the access in bytes; first set to the write access
1247 for functions that write and then read for those that also (or
1248 just) read. */
1251 /* Set to true when the exact number of bytes written by a string
1252 function like strcpy is not known and the only thing that is
1253 known is that it must be at least one (for the terminating nul). */
1256 {
1257 /* SRCSTR is normally a pointer to string but as a special case
1258 it can be an integer denoting the length of a string. */
1260 {
1262 /* Return if the array is not nul-terminated and a warning
1263 has been issued. */
1266 /* Try to determine the range of lengths the source string
1267 refers to. If it can be determined and is less than
1268 the upper bound given by MAXREAD add one to it for
1269 the terminating nul. Otherwise, set it to one for
1270 the same reason, or to MAXREAD as appropriate. */
1271 c_strlen_data lendata = { };
1279 {
1282 else
1293 }
1294 else
1295 {
1298 }
1299 }
1300 else
1302 }
1305 {
1306 /* When the only available piece of data is the object size
1307 there is nothing to do. */
1311 /* Otherwise, when the length of the source sequence is known
1312 (as with strlen), set DSTWRITE to it. */
1315 }
1320 /* Set RANGE to that of DSTWRITE if non-null, bounded by PAD->DST.BNDRNG
1321 if valid. */
1325 /* Read vs write access by built-ins can be determined from the const
1326 qualifiers on the pointer argument. In the absence of attribute
1327 access, non-const qualified pointer arguments to user-defined
1328 functions are assumed to both read and write the objects. */
1331 /* First check the number of bytes to be written against the maximum
1332 object size. */
1336 {
1341 }
1343 /* The number of bytes to write is "exact" if DSTWRITE is non-null,
1344 constant, and in range of unsigned HOST_WIDE_INT. */
1347 /* Next check the number of bytes to be written against the destination
1348 object size. */
1350 {
1355 || (dstwrite
1358 {
1368 {
1369 /* This is a call to strcpy with a destination of 0 size
1370 and a source of unknown length. The call will write
1371 at least one byte past the end of the destination. */
1372 warned = (func
1374 "%qD writing %E or more bytes into "
1375 "a region of size %E overflows "
1379 "writing %E or more bytes into "
1380 "a region of size %E overflows "
1383 }
1384 else
1385 {
1386 const bool read
1388 const bool write
1392 OPT_Wstringop_overflow_,
1395 }
1398 {
1402 }
1404 /* Return error when an overflow has been detected. */
1406 }
1407 }
1409 /* Check the maximum length of the source sequence against the size
1410 of the destination object if known, or against the maximum size
1411 of an object. */
1413 {
1414 /* Set RANGE to that of MAXREAD, bounded by PAD->SRC.BNDRNG if
1415 PAD is nonnull and BNDRNG is valid. */
1424 {
1426 {
1430 }
1433 {
1435 ? OPT_Wstringop_overflow_
1439 }
1440 }
1443 }
1445 /* Check for reading past the end of SRC. */
1448 && dstwrite
1452 /* If none is determined try to get a better answer based on the details
1453 in PAD. */
1455 && pad
1460 {
1461 /* Set RANGE to that of MAXREAD, bounded by PAD->SRC.BNDRNG if
1462 PAD is nonnull and BNDRNG is valid. */
1464 /* Set OVERREAD for reads starting just past the end of an object. */
1468 }
1471 {
1480 const bool read
1484 maybe))
1485 {
1489 }
1491 }
1494 }
1496 bool
1500 {
1503 }
1505 bool
1509 {
1512 }
1514 /* Helper to determine and check the sizes of the source and the destination
1515 of calls to __builtin_{bzero,memcpy,mempcpy,memset} calls. EXP is the
1516 call expression, DEST is the destination argument, SRC is the source
1517 argument or null, and LEN is the number of bytes. Use Object Size type-0
1518 regardless of the OPT_Wstringop_overflow_ setting. Return true on success
1519 (no overflow or invalid sizes), false otherwise. */
1522 static bool
1524 {
1525 /* For functions like memset and memcpy that operate on raw memory
1526 try to determine the size of the largest source and destination
1527 object using type-0 Object Size regardless of the object size
1528 type specified by the option. */
1535 }
1537 bool
1539 {
1541 }
1543 bool
1545 {
1547 }
1549 /* A convenience wrapper for check_access above to check access
1550 by a read-only function like puts. */
1553 static bool
1555 {
1570 }
1572 bool
1575 {
1577 }
1579 bool
1582 {
1584 }
1586 /* Return true if STMT is a call to an allocation function. Unless
1587 ALL_ALLOC is set, consider only functions that return dynmamically
1588 allocated objects. Otherwise return true even for all forms of
1589 alloca (including VLA). */
1591 static bool
1593 {
1597 /* A call to operator new isn't recognized as one to a built-in. */
1602 {
1604 {
1618 }
1619 }
1621 /* A function is considered an allocation function if it's declared
1622 with attribute malloc with an argument naming its associated
1623 deallocation function. */
1631 {
1638 }
1641 }
1643 /* Return true if STMT is a call to an allocation function. A wrapper
1644 around fndecl_alloc_p. */
1646 static bool
1648 {
1650 }
1652 /* Return true if DELC doesn't refer to an operator delete that's
1653 suitable to call with a pointer returned from the operator new
1654 described by NEWC. */
1656 static bool
1659 {
1664 {
1666 {
1674 {
1679 }
1681 }
1684 /* Operator mismatches are handled above. */
1713 {
1714 /* The demangler API provides no better way to compare built-in
1715 types except to by comparing their demangled names. */
1727 }
1750 }
1766 }
1768 /* Return true if DELETE_DECL is an operator delete that's not suitable
1769 to call with a pointer returned fron NEW_DECL. */
1771 static bool
1773 {
1777 /* valid_new_delete_pair_p() returns a conservative result (currently
1778 it only handles global operators). A true result is reliable but
1779 a false result doesn't necessarily mean the operators don't match
1780 unless CERTAIN is set. */
1784 /* CERTAIN is set when the negative result is certain. */
1788 /* For anything not handled by valid_new_delete_pair_p() such as member
1789 operators compare the individual demangled components of the mangled
1790 name. */
1801 }
1803 /* ALLOC_DECL and DEALLOC_DECL are pair of allocation and deallocation
1804 functions. Return true if the latter is suitable to deallocate objects
1805 allocated by calls to the former. */
1807 static bool
1809 {
1810 /* Set to alloc_kind_t::builtin if ALLOC_DECL is associated with
1811 a built-in deallocator. */
1816 {
1818 /* Return true iff both functions are of the same array or
1819 singleton form and false otherwise. */
1822 /* Return false for deallocation functions that are known not
1823 to match. */
1827 /* Otherwise proceed below to check the deallocation function's
1828 "*dealloc" attributes to look for one that mentions this operator
1829 new. */
1830 }
1832 {
1834 {
1858 }
1859 }
1861 /* Set if DEALLOC_DECL both allocates and deallocates. */
1865 {
1873 {
1885 }
1886 }
1891 /* If DEALLOC_DECL has an internal "*dealloc" attribute scan the list
1892 of its associated allocation functions for ALLOC_DECL.
1893 If the corresponding ALLOC_DECL is found they're a matching pair,
1894 otherwise they're not.
1895 With DDATS set to the Deallocator's *Dealloc ATtributes... */
1899 {
1912 {
1916 {
1928 }
1937 }
1941 }
1947 /* Special handling for deallocators. Iterate over both the allocator's
1948 and the reallocator's associated deallocator functions looking for
1949 the first one in common. If one is found, the de/reallocator is
1950 a match for the allocator even though the latter isn't directly
1951 associated with the former. This simplifies declarations in system
1952 headers.
1953 With AMATS set to the Allocator's Malloc ATtributes,
1954 and RMATS set to Reallocator's Malloc ATtributes... */
1961 {
1964 {
1967 {
1970 {
1974 }
1976 }
1979 }
1983 {
1986 {
1989 {
1993 }
1995 }
1999 }
2000 }
2002 /* Succeed only if ALLOC_DECL and the reallocator DEALLOC_DECL share
2003 a built-in deallocator. */
2006 }
2008 /* Return true if DEALLOC_DECL is a function suitable to deallocate
2009 objectes allocated by the ALLOC call. */
2011 static bool
2013 {
2019 }
2021 /* Diagnose a call EXP to deallocate a pointer referenced by AREF if it
2022 includes a nonzero offset. Such a pointer cannot refer to the beginning
2023 of an allocated object. A negative offset may refer to it only if
2024 the target pointer is unknown. */
2026 static bool
2028 {
2038 {
2039 /* A call to a user-defined operator delete with a pointer plus offset
2040 may be valid if it's returned from an unknown function (i.e., one
2041 that's not operator new). */
2043 {
2046 {
2050 }
2051 }
2052 }
2057 {
2062 else
2066 }
2076 {
2079 {
2088 else
2090 }
2091 }
2094 }
2096 /* Issue a warning if a deallocation function such as free, realloc,
2097 or C++ operator delete is called with an argument not returned by
2098 a matching allocation function such as malloc or the corresponding
2099 form of C++ operatorn new. */
2101 static void
2103 {
2116 access_ref aref;
2128 {
2129 /* Diagnose freeing a declared object. */
2134 {
2137 }
2139 /* Diagnose freeing a pointer that includes a positive offset.
2140 Such a pointer cannot refer to the beginning of an allocated
2141 object. A negative offset may refer to it. */
2145 }
2147 {
2149 "%qD called on a pointer to an unallocated "
2151 {
2153 {
2156 {
2159 }
2160 }
2162 }
2163 }
2165 {
2166 /* Also warn if the pointer argument refers to the result
2167 of an allocation call like alloca or VLA. */
2170 {
2173 {
2175 {
2178 }
2179 else
2180 {
2185 ? OPT_Wmismatched_new_delete
2188 "%qD called on pointer returned "
2189 "from a mismatched allocation "
2191 }
2192 }
2195 BUILT_IN_ALLOCA_WITH_ALIGN))
2197 "%qD called on pointer to "
2199 dealloc_decl);
2204 {
2209 }
2210 }
2212 {
2214 /* Diagnose freeing a pointer that includes a positive offset. */
2221 }
2222 }
2223 }
2228 GIMPLE_PASS,
2230 OPTGROUP_NONE,
2231 TV_NONE,
2237 };
2239 /* Pass to detect invalid accesses. */
2241 {
2252 /* Check a call to a built-in function. */
2255 /* Check a call to an ordinary function. */
2258 /* Check statements in a basic block. */
2261 /* Check a call to a function. */
2265 /* Not copyable or assignable. */
2269 /* A pointer_query object and its cache to store information about
2270 pointers and their targets in. */
2271 pointer_query ptr_qry;
2275 };
2277 /* Construct the pass. */
2284 {
2285 }
2287 /* Release pointer_query cache. */
2290 {
2292 }
2294 /* Return true when any checks performed by the pass are enabled. */
2296 bool
2298 {
2300 || warn_mismatched_alloc
2302 }
2304 /* Initialize ALLOC_OBJECT_SIZE_LIMIT based on the -Walloc-size-larger-than=
2305 setting if the option is specified, or to the maximum object size if it
2306 is not. Return the initialized value. */
2308 static tree
2310 {
2316 }
2318 /* Diagnose a call EXP to function FN decorated with attribute alloc_size
2319 whose argument numbers given by IDX with values given by ARGS exceed
2320 the maximum object size or cause an unsigned oveflow (wrapping) when
2321 multiplied. FN is null when EXP is a call via a function pointer.
2322 When ARGS[0] is null the function does nothing. ARGS[1] may be null
2323 for functions like malloc, and non-null for those like calloc that
2324 are decorated with a two-argument attribute alloc_size. */
2326 void
2329 {
2330 /* The range each of the (up to) two arguments is known to be in. */
2333 /* Maximum object size set by -Walloc-size-larger-than= or SIZE_MAX / 2. */
2342 /* Validate each argument individually. */
2344 {
2346 {
2351 {
2355 }
2357 {
2358 /* Avoid issuing -Walloc-zero for allocation functions other
2359 than __builtin_alloca that are declared with attribute
2360 returns_nonnull because there's no portability risk. This
2361 avoids warning for such calls to libiberty's xmalloc and
2362 friends.
2363 Also avoid issuing the warning for calls to function named
2364 "alloca". */
2372 }
2374 {
2375 /* G++ emits calls to ::operator new[](SIZE_MAX) in C++98
2376 mode and with -fno-exceptions as a way to indicate array
2377 size overflow. There's no good way to detect C++98 here
2378 so avoid diagnosing these calls for all C++ modes. */
2380 && fn
2388 "argument %i value %qE exceeds "
2391 }
2392 }
2395 {
2396 /* Verify that the argument's range is not negative (including
2397 upper bound of zero). */
2400 {
2405 }
2407 {
2409 "argument %i range [%E, %E] exceeds "
2413 maxobjsize);
2414 }
2415 }
2416 }
2421 /* For a two-argument alloc_size, validate the product of the two
2422 arguments if both of their values or ranges are known. */
2427 {
2428 /* Check for overflow in the product of a function decorated with
2429 attribute alloc_size (X, Y). */
2439 "product %<%E * %E%> of arguments %i and %i "
2445 "product %<%E * %E%> of arguments %i and %i "
2449 maxobjsize);
2452 {
2453 /* Print the full range of each of the two arguments to make
2454 it clear when it is, in fact, in a range and not constant. */
2461 }
2462 }
2465 {
2471 else
2474 }
2475 }
2477 /* Check a call to an alloca function for an excessive size. */
2479 static void
2481 {
2486 {
2487 /* -Walloca-larger-than and -Wvla-larger-than settings of less
2488 than HWI_MAX override the more general -Walloc-size-larger-than
2489 so unless either of the former options is smaller than the last
2490 one (wchich would imply that the call was already checked), check
2491 the alloca arguments for overflow. */
2495 }
2496 }
2498 /* Check a call to an allocation function for an excessive size. */
2500 static void
2502 {
2504 /* Avoid invalid calls to functions without a prototype. */
2509 {
2510 /* Alloca is handled separately. */
2512 {
2519 }
2520 }
2529 /* Extract attribute alloc_size from the type of the called expression
2530 (which could be a function or a function pointer) and if set, store
2531 the indices of the corresponding arguments in ALLOC_IDX, and then
2532 the actual argument(s) at those indices in ALLOC_ARGS. */
2540 {
2543 }
2546 }
2548 /* Check a call STMT to strcat() for overflow and warn if it does. */
2550 static void
2552 {
2559 /* There is no way here to determine the length of the string in
2560 the destination to which the SRC string is being appended so
2561 just diagnose cases when the souce string is longer than
2562 the destination object. */
2571 }
2573 /* Check a call STMT to strcat() for overflow and warn if it does. */
2575 static void
2577 {
2583 /* The upper bound on the number of bytes to write. */
2586 /* Detect unterminated source (only). */
2590 /* The length of the source sequence. */
2593 /* Try to determine the range of lengths that the source expression
2594 refers to. Since the lengths are only used for warning and not
2595 for code generation disable strict mode below. */
2598 {
2599 c_strlen_data lendata = { };
2602 }
2605 /* Try to verify that the destination is big enough for the shortest
2606 string. First try to determine the size of the destination object
2607 into which the source is being copied. */
2610 /* Add one for the terminating nul. */
2611 tree srclen = (maxlen
2613 size_one_node)
2616 /* The strncat function copies at most MAXREAD bytes and always appends
2617 the terminating nul so the specified upper bound should never be equal
2618 to (or greater than) the size of the destination. */
2621 {
2628 }
2638 }
2640 /* Check a call STMT to stpcpy() or strcpy() for overflow and warn
2641 if it does. */
2643 static void
2645 {
2649 tree size;
2652 {
2653 /* NONSTR refers to the non-nul terminated constant array. */
2657 }
2660 {
2669 }
2671 /* Check to see if the argument was declared attribute nonstring
2672 and if so, issue a warning since at this point it's not known
2673 to be nul-terminated. */
2676 }
2678 /* Check a call STMT to stpncpy() or strncpy() for overflow and warn
2679 if it does. */
2681 static void
2683 {
2689 /* The number of bytes to write (not the maximum). */
2699 }
2701 /* Check a call STMT to stpncpy() or strncpy() for overflow and warn
2702 if it does. */
2704 static void
2706 {
2714 /* First check each argument separately, considering the bound. */
2719 /* A strncmp read from each argument is constrained not just by
2720 the bound but also by the length of the shorter string. Specifying
2721 a bound that's larger than the size of either array makes no sense
2722 and is likely a bug. When the length of neither of the two strings
2723 is known but the sizes of both of the arrays they are stored in is,
2724 issue a warning if the bound is larger than than the size of
2725 the larger of the two arrays. */
2732 /* If the length of both arguments was computed they must both be
2733 nul-terminated and no further checking is necessary regardless
2734 of the bound. */
2737 /* Check to see if the argument was declared with attribute nonstring
2738 and if so, issue a warning since at this point it's not known to be
2739 nul-terminated. */
2746 /* Determine the range of the bound first and bail if it fails; it's
2747 cheaper than computing the size of the objects. */
2758 /* compute_objsize almost never fails (and ultimately should never
2759 fail). Don't bother to handle the rare case when it does. */
2764 /* Compute the size of the remaining space in each array after
2765 subtracting any offset into it. */
2769 /* Cap REM1 and REM2 at the other if the other's argument is known
2770 to be an unterminated array, either because there's no space
2771 left in it after adding its offset or because it's constant and
2772 has no nul. */
2778 /* Point PAD at the array to reference in the note if a warning
2779 is issued. */
2784 {
2785 /* Warn when either argument isn't nul-terminated or the maximum
2786 remaining space in the two arrays is less than the bound. */
2791 pad);
2792 }
2793 }
2795 /* Check call STMT to a built-in function for invalid accesses. Return
2796 true if a call has been handled. */
2798 bool
2800 {
2806 {
2872 {
2879 }
2884 {
2890 }
2893 {
2898 }
2901 {
2906 }
2910 }
2913 }
2915 /* Returns the type of the argument ARGNO to function with type FNTYPE
2916 or null when the typoe cannot be determined or no such argument exists. */
2918 static tree
2920 {
2924 tree argtype;
2925 function_args_iterator it;
2931 }
2933 /* Helper to append the "human readable" attribute access specification
2934 described by ACCESS to the array ATTRSTR with size STRSIZE. Used in
2935 diagnostics. */
2940 {
2947 }
2949 /* Iterate over attribute access read-only, read-write, and write-only
2950 arguments and diagnose past-the-end accesses and related problems
2951 in the function call EXP. */
2953 static void
2955 {
2956 auto_diagnostic_group adg;
2958 /* Set if a warning has been issued for any argument (used to decide
2959 whether to emit an informational note at the end). */
2962 /* A string describing the attributes that the warnings issued by this
2963 function apply to. Used to print one informational note per function
2964 call, rather than one per warning. That reduces clutter. */
2969 {
2972 /* Get the function call arguments corresponding to the attribute's
2973 positional arguments. When both arguments have been specified
2974 there will be two entries in *RWM, one for each. They are
2975 cross-referenced by their respective argument numbers in
2976 ACCESS.PTRARG and ACCESS.SIZARG. */
2983 /* The pointer is set to null for the entry corresponding to
2984 the size argument. Skip it. It's handled when the entry
2985 corresponding to the pointer argument comes up. */
2992 /* The size of the access by the call. */
2993 tree access_size;
2995 {
2996 /* If only the pointer attribute operand was specified and
2997 not size, set SIZE to the greater of MINSIZE or size of
2998 one element of the pointed to type to detect smaller
2999 objects (null pointers are diagnosed in this case only
3000 if the pointer is also declared with attribute nonnull. */
3004 else
3006 }
3007 else
3010 /* Format the value or range to avoid an explosion of messages. */
3014 {
3017 {
3020 }
3021 else
3022 {
3028 }
3030 }
3031 else
3034 /* Set if a warning has been issued for the current argument. */
3041 {
3042 /* Warn about negative sizes. */
3044 {
3049 "bound argument %i value %s is "
3050 "negative for a variable length array "
3055 }
3062 {
3064 /* Remember a warning has been issued and avoid warning
3065 again below for the same attribute. */
3068 }
3069 }
3072 {
3074 {
3075 /* Multiply ACCESS_SIZE by the size of the type the pointer
3076 argument points to. If it's incomplete the size is used
3077 as is. */
3080 {
3085 }
3086 }
3087 }
3088 else
3092 {
3094 {
3095 /* Warn about null pointers with positive sizes. This is
3096 different from also declaring the pointer argument with
3097 attribute nonnull when the function accepts null pointers
3098 only when the corresponding size is zero. */
3100 {
3105 "argument %i of variable length "
3106 "array %s is null but "
3107 "the corresponding bound argument "
3112 }
3114 "argument %i is null but "
3115 "the corresponding size argument "
3119 }
3121 {
3122 /* Warn about null pointers for [static N] array arguments
3123 but do not warn for ordinary (i.e., nonstatic) arrays. */
3125 "argument %i to %<%T[static %E]%> "
3129 }
3132 {
3134 /* Remember a warning has been issued and avoid warning
3135 again below for the same attribute. */
3138 }
3139 }
3147 /* The size of the destination or source object. */
3151 {
3152 /* For a read-only argument there is no destination. For
3153 no access, set the source as well and differentiate via
3154 the access flag below. */
3158 {
3159 /* For a read-only attribute there is no destination so
3160 clear OBJSIZE. This emits "reading N bytes" kind of
3161 diagnostics instead of the "writing N bytes" kind,
3162 unless MODE is none. */
3164 }
3165 }
3166 else
3169 /* Clear the no-warning bit in case it was set by check_access
3170 in a prior iteration so that accesses via different arguments
3171 are diagnosed. */
3182 {
3186 else
3187 /* If check_access issued a warning above, append the relevant
3188 attribute to the string. */
3190 }
3191 }
3194 {
3199 else
3203 }
3205 {
3209 else
3212 }
3214 /* Set the bit in case if was cleared and not set above. */
3217 }
3219 /* Check call STMT to an ordinary (non-built-in) function for invalid
3220 accesses. Return true if a call has been handled. */
3222 bool
3224 {
3233 /* Map of attribute accewss specifications for function arguments. */
3234 rdwr_map rdwr_idx;
3239 {
3242 /* Save the actual argument that corresponds to the access attribute
3243 operand for later processing. */
3245 {
3247 {
3249 // A nonnull ACCESS->SIZE contains VLA bounds. */
3250 }
3251 else
3252 {
3255 }
3256 }
3257 }
3259 /* Check attribute access arguments. */
3265 }
3267 /* Check arguments in a call STMT for attribute nonstring. */
3269 static void
3271 {
3274 /* Detect passing non-string arguments to functions expecting
3275 nul-terminated strings. */
3277 }
3279 /* Check call STMT for invalid accesses. */
3281 void
3283 {
3293 }
3295 /* Check basic block BB for invalid accesses. */
3297 void
3299 {
3300 /* Iterate over statements, looking for function calls. */
3302 {
3305 }
3306 }
3308 /* Check function FUN for invalid accesses. */
3310 unsigned
3312 {
3313 /* Create a new ranger instance and associate it with FUN. */
3316 basic_block bb;
3320 /* Release the ranger instance and replace it with a global ranger. */
3324 }
3328 /* Return a new instance of the pass. */
3330 gimple_opt_pass *
3332 {
3334 }