| blob | ced1c4c577702e908add6c47f3862eebce0ce027 |
1 /* Copyright (C) 2016-2019 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
9 version.
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 for more details.
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
90 /* The likely worst case value of MB_LEN_MAX for the target, large enough
91 for UTF-8. Ideally, this would be obtained by a target hook if it were
92 to be used for optimization but it's good enough as is for warnings. */
93 #define target_mb_len_max() 6
95 /* The maximum number of bytes a single non-string directive can result
96 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for
97 LDBL_MAX_10_EXP of 4932. */
98 #define IEEE_MAX_10_EXP 4932
99 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2)
113 };
115 /* Set to the warning level for the current function which is equal
116 either to warn_format_trunc for bounded functions or to
117 warn_format_overflow otherwise. */
124 {
138 };
141 {
148 { }
157 {
160 }
162 };
164 bool
166 {
167 /* Run the pass iff -Warn-format-overflow or -Warn-format-truncation
168 is specified and either not optimizing and the pass is being invoked
169 early, or when optimizing and the pass is being invoked during
170 optimization (i.e., "late"). */
175 }
177 /* The minimum, maximum, likely, and unlikely maximum number of bytes
178 of output either a formatting function or an individual directive
179 can result in. */
181 struct result_range
182 {
183 /* The absolute minimum number of bytes. The result of a successful
184 conversion is guaranteed to be no less than this. (An erroneous
185 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */
187 /* The likely maximum result that is used in diagnostics. In most
188 cases MAX is the same as the worst case UNLIKELY result. */
190 /* The likely result used to trigger diagnostics. For conversions
191 that result in a range of bytes [MIN, MAX], LIKELY is somewhere
192 in that range. */
194 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives
195 the worst cases maximum result of a directive. In most cases
196 UNLIKELY == MAX. UNLIKELY is used to control the return value
197 optimization but not in diagnostics. */
199 };
201 /* The result of a call to a formatted function. */
203 struct format_result
204 {
205 /* Range of characters written by the formatted function.
206 Setting the minimum to HOST_WIDE_INT_MAX disables all
207 length tracking for the remainder of the format string. */
208 result_range range;
210 /* True when the range above is obtained from known values of
211 directive arguments, or bounds on the amount of output such
212 as width and precision, and not the result of heuristics that
213 depend on warning levels. It's used to issue stricter diagnostics
214 in cases where strings of unknown lengths are bounded by the arrays
215 they are determined to refer to. KNOWNRANGE must not be used for
216 the return value optimization. */
219 /* True if no individual directive could fail or result in more than
220 4095 bytes of output (the total NUMBER_CHARS_{MIN,MAX} might be
221 greater). Implementations are not required to handle directives
222 that produce more than 4K bytes (leading to undefined behavior)
223 and so when one is found it disables the return value optimization.
224 Similarly, directives that can fail (such as wide character
225 directives) disable the optimization. */
228 /* True when a floating point directive has been seen in the format
229 string. */
232 /* True when an intermediate result has caused a warning. Used to
233 avoid issuing duplicate warnings while finishing the processing
234 of a call. WARNED also disables the return value optimization. */
237 /* Preincrement the number of output characters by 1. */
239 {
241 }
243 /* Postincrement the number of output characters by 1. */
245 {
249 }
251 /* Increment the number of output characters by N. */
253 };
255 format_result&
257 {
273 }
275 /* Return the value of INT_MIN for the target. */
279 {
281 }
283 /* Return the value of INT_MAX for the target. */
287 {
289 }
291 /* Return the value of SIZE_MAX for the target. */
295 {
297 }
299 /* A straightforward mapping from the execution character set to the host
300 character set indexed by execution character. */
304 /* Initialize a mapping from the execution character set to the host
305 character set. */
307 static bool
309 {
310 /* If the percent sign is non-zero the mapping has already been
311 initialized. */
315 /* Initialize the target_percent character (done elsewhere). */
319 /* The subset of the source character set used by printf conversion
320 specifications (strictly speaking, not all letters are used but
321 they are included here for the sake of simplicity). The dollar
322 sign must be included even though it's not in the basic source
323 character set. */
327 /* Set the mapping for all characters to some ordinary value (i,e.,
328 not none used in printf conversion specifications) and overwrite
329 those that are used by conversion specifications with their
330 corresponding values. */
333 /* Are the two sets of characters the same? */
337 {
338 /* Slice off the high end bits in case target characters are
339 signed. All values are expected to be non-nul, otherwise
340 there's a problem. */
342 {
346 }
347 else
350 }
352 /* Set the first element to a non-zero value if the mapping
353 is 1-to-1, otherwise leave it clear (NUL is assumed to be
354 the same in both character sets). */
358 }
360 /* Return the host source character corresponding to the character
361 CH in the execution character set if one exists, or some innocuous
362 (non-special, non-nul) source character otherwise. */
366 {
368 }
370 /* Convert an initial substring of the string TARGSTR consisting of
371 characters in the execution character set into a string in the
372 source character set on the host and store up to HOSTSZ characters
373 in the buffer pointed to by HOSTR. Return HOSTR. */
377 {
378 /* Make sure the buffer is reasonably big. */
381 /* The interesting subset of source and execution characters are
382 the same so no conversion is necessary. However, truncate
383 overlong strings just like the translated strings are. */
385 {
390 }
392 /* Convert the initial substring of TARGSTR to the corresponding
393 characters in the host set, appending "..." if TARGSTR is too
394 long to fit. Using the static buffer assumes the function is
395 not called in between sequence points (which it isn't). */
397 {
403 {
407 }
408 }
411 }
413 /* Convert the sequence of decimal digits in the execution character
414 starting at *PS to a HOST_WIDE_INT, analogously to strtol. Return
415 the result and set *PS to one past the last converted character.
416 On range error set ERANGE to the digit that caused it. */
420 {
423 {
426 {
429 /* Check for overflow. */
431 {
435 /* Skip the remaining digits. */
436 do
440 }
441 else
443 }
444 else
446 }
449 }
451 /* Given FORMAT, set *PLOC to the source location of the format string
452 and return the format string if it is known or null otherwise. */
456 {
460 }
462 /* For convenience and brevity, shorter named entrypoints of
463 format_string_diagnostic_t::emit_warning_va and
464 format_string_diagnostic_t::emit_warning_n_va.
465 These have to be functions with the attribute so that exgettext
466 works properly. */
468 static bool
472 {
474 corrected_substring);
481 }
483 static bool
488 {
490 corrected_substring);
498 }
500 /* Format length modifiers. */
502 enum format_lengths
503 {
504 FMT_LEN_none,
512 FMT_LEN_j // intmax_t
513 };
516 /* Description of the result of conversion either of a single directive
517 or the whole format string. */
519 struct fmtresult
520 {
521 /* Construct a FMTRESULT object with all counters initialized
522 to MIN. KNOWNRANGE is set when MIN is valid. */
527 {
532 }
534 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters.
535 KNOWNRANGE is set when both MIN and MAX are valid. */
541 {
546 }
548 /* Adjust result upward to reflect the RANGE of values the specified
549 width or precision is known to be in. */
554 /* Return the maximum number of decimal digits a value of TYPE
555 formats as on output. */
558 /* The range a directive's argument is in. */
561 /* The minimum and maximum number of bytes that a directive
562 results in on output for an argument in the range above. */
563 result_range range;
565 /* Non-nul when the argument of a string directive is not a nul
566 terminated string. */
567 tree nonstr;
569 /* True when the range above is obtained from a known value of
570 a directive's argument or its bounds and not the result of
571 heuristics that depend on warning levels. */
574 /* True for a directive that may fail (such as wide character
575 directives). */
578 /* True when the argument is a null pointer. */
580 };
582 /* Adjust result upward to reflect the range ADJUST of values the
583 specified width or precision is known to be in. When non-null,
584 TYPE denotes the type of the directive whose result is being
585 adjusted, BASE gives the base of the directive (octal, decimal,
586 or hex), and ADJ denotes the additional adjustment to the LIKELY
587 counter that may need to be added when ADJUST is a range. */
589 fmtresult&
594 {
597 /* Adjust the minimum and likely counters. */
599 {
601 {
604 }
606 /* Adjust the likely counter. */
609 }
614 /* Adjust the maximum counter. */
616 {
618 {
621 /* Set KNOWNRANGE if both the minimum and maximum have been
622 adjusted. Otherwise leave it at what it was before. */
624 }
625 }
628 {
629 /* For large non-constant width or precision whose range spans
630 the maximum number of digits produced by the directive for
631 any argument, set the likely number of bytes to be at most
632 the number digits plus other adjustment determined by the
633 caller (one for sign or two for the hexadecimal "0x"
634 prefix). */
639 }
641 {
642 /* Conservatively, set LIKELY to at least MIN but no less than
643 1 unless MAX is zero. */
648 }
650 /* Finally adjust the unlikely counter to be at least as large as
651 the maximum. */
656 }
658 /* Return the maximum number of digits a value of TYPE formats in
659 BASE on output, not counting base prefix . */
661 unsigned
663 {
666 {
670 /* Decimal approximation: yields 3, 5, 10, and 20 for precision
671 of 8, 16, 32, and 64 bits. */
675 }
678 }
680 static bool
684 /* Description of a format directive. A directive is either a plain
685 string or a conversion specification that starts with '%'. */
687 struct directive
688 {
689 /* The 1-based directive number (for debugging). */
692 /* The first character of the directive and its length. */
696 /* A bitmap of flags, one for each character. */
699 /* The range of values of the specified width, or -1 if not specified. */
701 /* The range of values of the specified precision, or -1 if not
702 specified. */
705 /* Length modifier. */
706 format_lengths modifier;
708 /* Format specifier character. */
711 /* The argument of the directive or null when the directive doesn't
712 take one or when none is available (such as for vararg functions). */
713 tree arg;
715 /* Format conversion function that given a directive and an argument
716 returns the formatting result. */
719 /* Return True when a the format flag CHR has been used. */
721 {
725 }
727 /* Make a record of the format flag CHR having been used. */
729 {
733 }
735 /* Reset the format flag CHR. */
737 {
741 }
743 /* Set both bounds of the width range to VAL. */
745 {
747 }
749 /* Set the width range according to ARG, with both bounds being
750 no less than 0. For a constant ARG set both bounds to its value
751 or 0, whichever is greater. For a non-constant ARG in some range
752 set width to its range adjusting each bound to -1 if it's less.
753 For an indeterminate ARG set width to [0, INT_MAX]. */
755 {
757 }
759 /* Set both bounds of the precision range to VAL. */
761 {
763 }
765 /* Set the precision range according to ARG, with both bounds being
766 no less than -1. For a constant ARG set both bounds to its value
767 or -1 whichever is greater. For a non-constant ARG in some range
768 set precision to its range adjusting each bound to -1 if it's less.
769 For an indeterminate ARG set precision to [-1, INT_MAX]. */
771 {
773 }
775 /* Return true if both width and precision are known to be
776 either constant or in some range, false otherwise. */
778 {
783 }
784 };
786 /* Return the logarithm of X in BASE. */
788 static int
790 {
792 do
793 {
798 }
800 /* Return the number of bytes resulting from converting into a string
801 the INTEGER_CST tree node X in BASE with a minimum of PREC digits.
802 PLUS indicates whether 1 for a plus sign should be added for positive
803 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal
804 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot
805 be represented. */
807 static HOST_WIDE_INT
809 {
812 HOST_WIDE_INT res;
815 {
817 {
820 }
821 else
823 }
824 else
825 {
827 {
830 {
831 /* Avoid undefined behavior due to negating a minimum. */
834 }
836 {
839 }
840 else
841 {
844 }
845 }
846 else
848 }
854 /* Adjust a non-zero value for the base prefix, either hexadecimal,
855 or, unless precision has resulted in a leading zero, also octal. */
857 {
862 }
865 }
867 /* Given the formatting result described by RES and NAVAIL, the number
868 of available in the destination, return the range of bytes remaining
869 in the destination. */
873 {
874 result_range range;
877 {
880 }
882 /* The lower bound of the available range is the available size
883 minus the maximum output size, and the upper bound is the size
884 minus the minimum. */
891 else
898 }
900 /* Description of a call to a formatted function. */
903 {
904 /* Function call statement. */
907 /* Function called. */
908 tree func;
910 /* Called built-in function code. */
911 built_in_function fncode;
913 /* Format argument and format string extracted from it. */
914 tree format;
917 /* The location of the format argument. */
918 location_t fmtloc;
920 /* The destination object size for __builtin___xxx_chk functions
921 typically determined by __builtin_object_size, or -1 if unknown. */
924 /* Number of the first variable argument. */
927 /* True for functions like snprintf that specify the size of
928 the destination, false for others like sprintf that don't. */
931 /* True for bounded functions like snprintf that specify a zero-size
932 buffer as a request to compute the size of output without actually
933 writing any. NOWRITE is cleared in response to the %n directive
934 which has side-effects similar to writing output. */
937 /* Return true if the called function's return value is used. */
939 {
941 }
943 /* Return the warning option corresponding to the called function. */
945 {
947 }
949 /* Return true for calls to file formatted functions. */
951 {
957 }
959 /* Return true for calls to string formatted functions. */
961 {
970 }
971 };
973 /* Return the result of formatting a no-op directive (such as '%n'). */
975 static fmtresult
977 {
980 }
982 /* Return the result of formatting the '%%' directive. */
984 static fmtresult
986 {
989 }
992 /* Compute intmax_type_node and uintmax_type_node similarly to how
993 tree.c builds size_type_node. */
995 static void
997 {
999 {
1002 }
1004 {
1007 }
1009 {
1012 }
1013 else
1014 {
1017 {
1022 {
1026 }
1027 }
1029 }
1030 }
1032 /* Determine the range [*PMIN, *PMAX] that the expression ARG is
1033 in and that is representable in type int.
1034 Return true when the range is a subrange of that of int.
1035 When ARG is null it is as if it had the full range of int.
1036 When ABSOLUTE is true the range reflects the absolute value of
1037 the argument. When ABSOLUTE is false, negative bounds of
1038 the determined range are replaced with NEGBOUND. */
1040 static bool
1044 {
1045 /* The type of the result. */
1051 {
1054 }
1057 {
1058 /* For a constant argument return its value adjusted as specified
1059 by NEGATIVE and NEGBOUND and return true to indicate that the
1060 result is known. */
1064 }
1065 else
1066 {
1067 /* True if the argument's range cannot be determined. */
1072 /* Ignore invalid arguments with greater precision that that
1073 of the expected type (e.g., in sprintf("%*i", 12LL, i)).
1074 They will have been detected and diagnosed by -Wformat and
1075 so it's not important to complicate this code to try to deal
1076 with them again. */
1080 {
1081 /* Try to determine the range of values of the integer argument. */
1084 {
1085 HOST_WIDE_INT type_min
1096 {
1097 /* Return true if the adjusted range is a subrange of
1098 the full range of the argument's type. *PMAX may
1099 be less than *PMIN when the argument is unsigned
1100 and its upper bound is in excess of TYPE_MAX. In
1101 that (invalid) case disregard the range and use that
1102 of the expected type instead. */
1106 }
1107 }
1108 }
1110 /* Handle an argument with an unknown range as if none had been
1111 provided. */
1115 }
1117 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */
1119 {
1121 {
1124 else
1125 {
1126 /* Make sure signed overlow is avoided. */
1133 }
1134 }
1135 }
1140 }
1142 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual
1143 argument, due to the conversion from either *ARGMIN or *ARGMAX to
1144 the type of the directive's formal argument it's possible for both
1145 to result in the same number of bytes or a range of bytes that's
1146 less than the number of bytes that would result from formatting
1147 some other value in the range [*ARGMIN, *ARGMAX]. This can be
1148 determined by checking for the actual argument being in the range
1149 of the type of the directive. If it isn't it must be assumed to
1150 take on the full range of the directive's type.
1151 Return true when the range has been adjusted to the full range
1152 of DIRTYPE, and false otherwise. */
1154 static bool
1156 {
1161 /* If the actual argument and the directive's argument have the same
1162 precision and sign there can be no overflow and so there is nothing
1163 to adjust. */
1167 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P
1168 branch in the extract_range_from_unary_expr function in tree-vrp.c. */
1178 {
1182 /* If *ARGMIN is still less than *ARGMAX the conversion above
1183 is safe. Otherwise, it has overflowed and would be unsafe. */
1186 }
1191 }
1193 /* Return a range representing the minimum and maximum number of bytes
1194 that the format directive DIR will output for any argument given
1195 the WIDTH and PRECISION (extracted from DIR). This function is
1196 used when the directive argument or its value isn't known. */
1198 static fmtresult
1200 {
1201 tree intmax_type_node;
1202 tree uintmax_type_node;
1204 /* Base to format the number in. */
1207 /* True when a conversion is preceded by a prefix indicating the base
1208 of the argument (octal or hexadecimal). */
1211 /* True when a signed conversion is preceded by a sign or space. */
1214 /* True for signed conversions (i.e., 'd' and 'i'). */
1218 {
1221 /* Space and '+' are only meaningful for signed conversions. */
1238 }
1240 /* The type of the "formal" argument expected by the directive. */
1243 /* Determine the expected type of the argument from the length
1244 modifier. */
1246 {
1250 else
1268 dirtype = (sign
1269 ? long_long_integer_type_node
1288 }
1290 /* The type of the argument to the directive, either deduced from
1291 the actual non-constant argument if one is known, or from
1292 the directive itself when none has been provided because it's
1293 a va_list. */
1297 {
1298 /* When the argument has not been provided, use the type of
1299 the directive's argument as an approximation. This will
1300 result in false positives for directives like %i with
1301 arguments with smaller precision (such as short or char). */
1303 }
1305 {
1306 /* When a constant argument has been provided use its value
1307 rather than type to determine the length of the output. */
1308 fmtresult res;
1311 {
1312 /* As a special case, a precision of zero with a zero argument
1313 results in zero bytes except in base 8 when the '#' flag is
1314 specified, and for signed conversions in base 8 and 10 when
1315 either the space or '+' flag has been specified and it results
1316 in just one byte (with width having the normal effect). This
1317 must extend to the case of a specified precision with
1318 an unknown value because it can be zero. */
1321 {
1324 }
1325 else
1326 {
1329 }
1330 }
1331 else
1332 {
1333 /* Convert the argument to the type of the directive. */
1340 else
1345 }
1349 /* Bump up the counters if WIDTH is greater than LEN. */
1352 /* Bump up the counters again if PRECision is greater still. */
1357 }
1360 /* Determine the type of the provided non-constant argument. */
1362 else
1363 /* Don't bother with invalid arguments since they likely would
1364 have already been diagnosed, and disable any further checking
1365 of the format string by returning [-1, -1]. */
1368 fmtresult res;
1370 /* Using either the range the non-constant argument is in, or its
1371 type (either "formal" or actual), create a range of values that
1372 constrain the length of output given the warning level. */
1379 {
1380 /* Try to determine the range of values of the integer argument
1381 (range information is not available for pointers). */
1384 {
1388 /* Set KNOWNRANGE if the argument is in a known subrange
1389 of the directive's type and neither width nor precision
1390 is unknown. (KNOWNRANGE may be reset below). */
1391 res.knownrange
1398 }
1400 {
1401 /* Handle anti-ranges if/when bug 71690 is resolved. */
1402 }
1404 {
1405 /* The argument here may be the result of promoting the actual
1406 argument to int. Try to determine the type of the actual
1407 argument before promotion and narrow down its range that
1408 way. */
1411 {
1414 {
1417 }
1420 {
1425 }
1426 }
1427 }
1428 }
1431 {
1433 {
1436 }
1437 else
1438 {
1441 }
1442 }
1444 /* Clear KNOWNRANGE if the range has been adjusted to the maximum
1445 of the directive. If it has been cleared then since ARGMIN and/or
1446 ARGMAX have been adjusted also adjust the corresponding ARGMIN and
1447 ARGMAX in the result to include in diagnostics. */
1449 {
1453 }
1455 /* Recursively compute the minimum and maximum from the known range. */
1457 {
1458 /* For unsigned conversions/directives or signed when
1459 the minimum is positive, use the minimum and maximum to compute
1460 the shortest and longest output, respectively. */
1463 }
1465 {
1466 /* For signed conversions/directives if maximum is negative,
1467 use the minimum as the longest output and maximum as the
1468 shortest output. */
1471 }
1472 else
1473 {
1474 /* Otherwise, 0 is inside of the range and minimum negative. Use 0
1475 as the shortest output and for the longest output compute the
1476 length of the output of both minimum and maximum and pick the
1477 longer. */
1478 unsigned HOST_WIDE_INT max1
1480 unsigned HOST_WIDE_INT max2
1485 }
1487 /* If the range is known, use the maximum as the likely length. */
1490 else
1491 {
1492 /* Otherwise, use the minimum. Except for the case where for %#x or
1493 %#o the minimum is just for a single value in the range (0) and
1494 for all other values it is something longer, like 0x1 or 01.
1495 Use the length for value 1 in that case instead as the likely
1496 length. */
1501 {
1508 }
1509 }
1518 }
1520 /* Return the number of bytes that a format directive consisting of FLAGS,
1521 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC,
1522 would result for argument X under ideal conditions (i.e., if PREC
1523 weren't excessive). MPFR 3.1 allocates large amounts of memory for
1524 values of PREC with large magnitude and can fail (see MPFR bug #21056).
1525 This function works around those problems. */
1527 static unsigned HOST_WIDE_INT
1530 {
1544 {
1545 /* For %e, specify the precision explicitly since mpfr_sprintf
1546 does its own thing just to be different (see MPFR bug 21088). */
1549 }
1550 else
1551 {
1552 /* Avoid passing negative precisions with larger magnitude to MPFR
1553 to avoid exposing its bugs. (A negative precision is supposed
1554 to be ignored.) */
1557 }
1562 {
1563 /* For G/g without the pound flag, precision gives the maximum number
1564 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for
1565 a 128 bit IEEE extended precision, 4932. Using twice as much here
1566 should be more than sufficient for any real format. */
1570 }
1571 else
1572 {
1573 /* Cap precision arbitrarily at 1KB and add the difference
1574 (if any) to the MPFR result. */
1577 }
1581 /* Handle the unlikely (impossible?) error by returning more than
1582 the maximum dictated by the function's return type. */
1586 /* Adjust the return value by the difference. */
1591 }
1593 /* Return the number of bytes to format using the format specifier
1594 SPEC and the precision PREC the largest value in the real floating
1595 TYPE. */
1597 static unsigned HOST_WIDE_INT
1599 {
1602 /* IBM Extended mode. */
1606 /* Get the real type format desription for the target. */
1608 REAL_VALUE_TYPE rv;
1612 /* Convert the GCC real value representation with the precision
1613 of the real type to the mpfr_t format with the GCC default
1614 round-to-nearest mode. */
1615 mpfr_t x;
1619 /* Return a value one greater to account for the leading minus sign. */
1620 unsigned HOST_WIDE_INT r
1624 }
1626 /* Return a range representing the minimum and maximum number of bytes
1627 that the directive DIR will output for any argument. PREC gives
1628 the adjusted precision range to account for negative precisions
1629 meaning the default 6. This function is used when the directive
1630 argument or its value isn't known. */
1632 static fmtresult
1634 {
1635 tree type;
1638 {
1654 }
1656 /* The minimum and maximum number of bytes produced by the directive. */
1657 fmtresult res;
1659 /* The minimum output as determined by flags. It's always at least 1.
1660 When plus or space are set the output is preceded by either a sign
1661 or a space. */
1665 /* The minimum is 3 for "inf" and "nan" for all specifiers, plus 1
1666 for the plus sign/space with the '+' and ' ' flags, respectively,
1667 unless reduced below. */
1670 /* When the pound flag is set the decimal point is included in output
1671 regardless of precision. Whether or not a decimal point is included
1672 otherwise depends on the specification and precision. */
1676 {
1679 {
1687 + flagmin
1688 + radix
1689 + minprec
1694 /* The unlikely maximum accounts for the longest multibyte
1695 decimal point character. */
1701 }
1705 {
1706 /* Minimum output attributable to precision and, when it's
1707 non-zero, decimal point. */
1710 /* The likely minimum output is "[-+]1.234567e+00" regardless
1711 of the value of the actual argument. */
1713 + radix
1714 + minprec
1719 /* The unlikely maximum accounts for the longest multibyte
1720 decimal point character. */
1724 else
1727 }
1731 {
1732 /* Minimum output attributable to precision and, when it's non-zero,
1733 decimal point. */
1736 /* For finite numbers (i.e., not infinity or NaN) the lower bound
1737 when precision isn't specified is 8 bytes ("1.23456" since
1738 precision is taken to be 6). When precision is zero, the lower
1739 bound is 1 byte (e.g., "1"). Otherwise, when precision is greater
1740 than zero, then the lower bound is 2 plus precision (plus flags).
1741 But in all cases, the lower bound is no greater than 3. */
1746 /* Compute the upper bound for -TYPE_MAX. */
1749 /* The minimum output with unknown precision is a single byte
1750 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */
1753 else
1756 /* The unlikely maximum accounts for the longest multibyte
1757 decimal point character. */
1762 }
1766 {
1767 /* The %g output depends on precision and the exponent of
1768 the argument. Since the value of the argument isn't known
1769 the lower bound on the range of bytes (not counting flags
1770 or width) is 1 plus radix (i.e., either "0" or "0." for
1771 "%g" and "%#g", respectively, with a zero argument). */
1779 {
1780 /* When the pound flag (radix) is set, trailing zeros aren't
1781 trimmed and so the longest output is the same as for %e,
1782 except with precision minus 1 (as specified in C11). */
1788 }
1789 else
1794 /* The likely output is either the maximum computed above
1795 minus 1 (assuming the maximum is positive) when precision
1796 is known (or unspecified), or the same minimum as for %e
1797 (which is computed for a non-negative argument). Unlike
1798 for the other specifiers above the likely output isn't
1799 the minimum because for %g that's 1 which is unlikely. */
1803 else
1804 {
1807 + radix
1808 + minprec
1810 }
1812 /* The unlikely maximum accounts for the longest multibyte
1813 decimal point character. */
1816 }
1820 }
1822 /* Bump up the byte counters if WIDTH is greater. */
1825 }
1827 /* Return a range representing the minimum and maximum number of bytes
1828 that the directive DIR will write on output for the floating argument
1829 ARG. */
1831 static fmtresult
1833 {
1838 /* For an indeterminate precision the lower bound must be assumed
1839 to be zero. */
1841 {
1842 /* Get the number of fractional decimal digits needed to represent
1843 the argument without a loss of accuracy. */
1844 unsigned fmtprec
1847 /* The precision of the IEEE 754 double format is 53.
1848 The precision of all other GCC binary double formats
1849 is 56 or less. */
1852 /* For %a, leave the minimum precision unspecified to let
1853 MFPR trim trailing zeros (as it and many other systems
1854 including Glibc happen to do) and set the maximum
1855 precision to reflect what it would be with trailing zeros
1856 present (as Solaris and derived systems do). */
1858 {
1859 /* Both bounds are negative implies that precision has
1860 not been specified. */
1863 }
1865 {
1866 /* With a negative lower bound and a non-negative upper
1867 bound set the minimum precision to zero and the maximum
1868 to the greater of the maximum precision (i.e., with
1869 trailing zeros present) and the specified upper bound. */
1872 }
1873 }
1875 {
1877 {
1878 /* A precision in a strictly negative range is ignored and
1879 the default of 6 is used instead. */
1881 }
1882 else
1883 {
1884 /* For a precision in a partly negative range, the lower bound
1885 must be assumed to be zero and the new upper bound is the
1886 greater of 6 (the default precision used when the specified
1887 precision is negative) and the upper bound of the specified
1888 range. */
1891 }
1892 }
1899 /* The minimum and maximum number of bytes produced by the directive. */
1900 fmtresult res;
1902 /* Get the real type format desription for the target. */
1907 {
1908 /* The format for Infinity and NaN is "[-]inf"/"[-]infinity"
1909 and "[-]nan" with the choice being implementation-defined
1910 but not locale dependent. */
1916 /* The unlikely maximum is "[-/+]infinity" or "[-/+][qs]nan".
1917 For NaN, the C/POSIX standards specify two formats:
1918 "[-/+]nan"
1919 and
1920 "[-/+]nan(n-char-sequence)"
1921 No known printf implementation outputs the latter format but AIX
1922 outputs QNaN and SNaN for quiet and signalling NaN, respectively,
1923 so the unlikely maximum reflects that. */
1926 /* The range for infinity and NaN is known unless either width
1927 or precision is unknown. Width has the same effect regardless
1928 of whether the argument is finite. Precision is either ignored
1929 (e.g., Glibc) or can have an effect on the short vs long format
1930 such as inf/infinity (e.g., Solaris). */
1933 /* Adjust the range for width but ignore precision. */
1937 }
1942 /* Append flags. */
1949 {
1950 /* Set up an array to easily iterate over. */
1953 };
1956 {
1957 /* Convert the GCC real value representation with the precision
1958 of the real type to the mpfr_t format rounding down in the
1959 first iteration that computes the minimm and up in the second
1960 that computes the maximum. This order is arbibtrary because
1961 rounding in either direction can result in longer output. */
1962 mpfr_t mpfrval;
1966 /* Use the MPFR rounding specifier to round down in the first
1967 iteration and then up. In most but not all cases this will
1968 result in the same number of bytes. */
1971 /* Format it and store the result in the corresponding member
1972 of the result struct. */
1976 }
1977 }
1979 /* Make sure the minimum is less than the maximum (MPFR rounding
1980 in the call to mpfr_snprintf can result in the reverse. */
1982 {
1986 }
1988 /* The range is known unless either width or precision is unknown. */
1991 /* For the same floating point constant, unless width or precision
1992 is unknown, use the longer output as the likely maximum since
1993 with round to nearest either is equally likely. Otheriwse, when
1994 precision is unknown, use the greater of the minimum and 3 as
1995 the likely output (for "0.0" since zero precision is unlikely). */
2002 else
2008 {
2009 /* Unless the precision is zero output longer than 2 bytes may
2010 include the decimal point which must be a single character
2011 up to MB_LEN_MAX in length. This is overly conservative
2012 since in some conversions some constants result in no decimal
2013 point (e.g., in %g). */
2015 }
2019 }
2021 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
2022 strings referenced by the expression STR, or (-1, -1) when not known.
2023 Used by the format_string function below. */
2025 static fmtresult
2027 {
2031 /* Determine the length of the shortest and longest string referenced
2032 by STR. Strings of unknown lengths are bounded by the sizes of
2033 arrays that subexpressions of STR may refer to. Pointers that
2034 aren't known to point any such arrays result in LENDATA.MAXLEN
2035 set to SIZE_MAX. */
2036 c_strlen_data lendata = { };
2039 /* Return the default result when nothing is known about the string. */
2044 HOST_WIDE_INT min
2049 HOST_WIDE_INT max
2056 /* Set the max/likely counters to unbounded when a minimum is known
2057 but the maximum length isn't bounded. This implies that STR is
2058 a conditional expression involving a string of known length and
2059 and an expression of unknown/unbounded length. */
2065 /* get_range_strlen() returns the target value of SIZE_MAX for
2066 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U
2067 which may be bigger. */
2076 /* Set RES.KNOWNRANGE to true if and only if all strings referenced
2077 by STR are known to be bounded (though not necessarily by their
2078 actual length but perhaps by their maximum possible length). */
2080 {
2082 /* When the the length of the longest string is known and not
2083 excessive use it as the likely length of the string(s). */
2085 }
2086 else
2087 {
2088 /* When the upper bound is unknown (it can be zero or excessive)
2089 set the likely length to the greater of 1 and the length of
2090 the shortest string and reset the lower bound to zero. */
2093 }
2098 }
2100 /* Return the minimum and maximum number of characters formatted
2101 by the '%c' format directives and its wide character form for
2102 the argument ARG. ARG can be null (for functions such as
2103 vsprinf). */
2105 static fmtresult
2107 {
2108 fmtresult res;
2114 {
2115 /* A wide character can result in as few as zero bytes. */
2120 {
2122 {
2123 /* The NUL wide character results in no bytes. */
2127 }
2129 {
2130 /* Be conservative if the target execution character set
2131 is not a 1-to-1 mapping to the source character set or
2132 if the source set is not ASCII. */
2133 bool one_2_one_ascii
2136 /* A wide character in the ASCII range most likely results
2137 in a single byte, and only unlikely in up to MB_LEN_MAX. */
2142 }
2143 else
2144 {
2145 /* A wide character outside the ASCII range likely results
2146 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */
2150 /* Converting such a character may fail. */
2152 }
2153 }
2154 else
2155 {
2156 /* An unknown wide character is treated the same as a wide
2157 character outside the ASCII range. */
2162 }
2163 }
2164 else
2165 {
2166 /* A plain '%c' directive. Its ouput is exactly 1. */
2170 }
2172 /* Bump up the byte counters if WIDTH is greater. */
2174 }
2176 /* Return the minimum and maximum number of characters formatted
2177 by the '%s' format directive and its wide character form for
2178 the argument ARG. ARG can be null (for functions such as
2179 vsprinf). */
2181 static fmtresult
2183 {
2184 fmtresult res;
2186 /* Compute the range the argument's length can be in. */
2189 {
2190 /* Get a node for a C type that will be the same size
2191 as a wchar_t on the target. */
2194 /* Now that we have a suitable node, get the number of
2195 bytes it occupies. */
2198 }
2203 {
2204 /* The argument is either a string constant or it refers
2205 to one of a number of strings of the same length. */
2207 /* A '%s' directive with a string argument with constant length. */
2212 {
2213 /* In the worst case the length of output of a wide string S
2214 is bounded by MB_LEN_MAX * wcslen (S). */
2217 /* It's likely that the the total length is not more that
2218 2 * wcslen (S).*/
2223 {
2227 }
2234 /* Even a non-empty wide character string need not convert into
2235 any bytes. */
2238 /* A non-empty wide character conversion may fail. */
2241 }
2242 else
2243 {
2252 {
2256 }
2257 }
2258 }
2260 {
2261 /* Handle null pointer argument. */
2266 }
2267 else
2268 {
2269 /* For a '%s' and '%ls' directive with a non-constant string (either
2270 one of a number of strings of known length or an unknown string)
2271 the minimum number of characters is lesser of PRECISION[0] and
2272 the length of the shortest known string or zero, and the maximum
2273 is the lessser of the length of the longest known string or
2274 PTRDIFF_MAX and PRECISION[1]. The likely length is either
2275 the minimum at level 1 and the greater of the minimum and 1
2276 at level 2. This result is adjust upward for width (if it's
2277 specified). */
2281 {
2282 /* A wide character converts to as few as zero bytes. */
2293 /* A non-empty wide character conversion may fail. */
2296 }
2301 {
2302 /* Adjust the minimum to zero if the string length is unknown,
2303 or at most the lower bound of the precision otherwise. */
2309 /* Make both maxima no greater than the upper bound of precision. */
2312 {
2315 }
2317 /* If precision is constant, set the likely counter to the lesser
2318 of it and the maximum string length. Otherwise, if the lower
2319 bound of precision is greater than zero, set the likely counter
2320 to the minimum. Otherwise set it to zero or one based on
2321 the warning level. */
2328 else
2330 }
2332 {
2339 }
2341 {
2344 /* At level 1 strings of unknown length are assumed to be
2345 empty, while at level 1 they are assumed to be one byte
2346 long. */
2349 }
2350 else
2351 {
2352 /* A string of unknown length unconstrained by precision is
2353 assumed to be empty at level 1 and just one character long
2354 at higher levels. */
2357 }
2358 }
2360 /* If the argument isn't a nul-terminated string and the number
2361 of bytes on output isn't bounded by precision, set NONSTR. */
2365 /* Bump up the byte counters if WIDTH is greater. */
2367 }
2369 /* Format plain string (part of the format string itself). */
2371 static fmtresult
2373 {
2376 }
2378 /* Return true if the RESULT of a directive in a call describe by INFO
2379 should be diagnosed given the AVAILable space in the destination. */
2381 static bool
2384 {
2386 {
2387 /* The least amount of space remaining in the destination is big
2388 enough for the longest output. */
2390 }
2393 {
2396 {
2397 /* The likely amount of space remaining in the destination is big
2398 enough for the least output and the return value is used. */
2400 }
2404 {
2405 /* The likely amount of space remaining in the destination is big
2406 enough for the likely output and the return value is unused. */
2408 }
2414 {
2415 /* The minimum amount of space remaining in the destination is big
2416 enough for the longest output. */
2418 }
2419 }
2420 else
2421 {
2423 {
2424 /* The likely amount of space remaining in the destination is big
2425 enough for the likely output. */
2427 }
2433 {
2434 /* The minimum amount of space remaining in the destination is big
2435 enough for the longest output. */
2437 }
2438 }
2441 }
2443 /* At format string location describe by DIRLOC in a call described
2444 by INFO, issue a warning for a directive DIR whose output may be
2445 in excess of the available space AVAIL_RANGE in the destination
2446 given the formatting result FMTRES. This function does nothing
2447 except decide whether to issue a warning for a possible write
2448 past the end or truncation and, if so, format the warning.
2449 Return true if a warning has been issued. */
2451 static bool
2456 {
2460 /* A warning will definitely be issued below. */
2462 /* The maximum byte count to reference in the warning. Larger counts
2463 imply that the upper bound is unknown (and could be anywhere between
2464 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather
2465 than "between N and X" where X is some huge number. */
2468 /* True when there is enough room in the destination for the least
2469 amount of a directive's output but not enough for its likely or
2470 maximum output. */
2476 /* Buffer for the directive in the host character set (used when
2477 the source character set is different). */
2481 {
2482 /* The size of the destination region is exact. */
2486 {
2487 /* For plain character directives (i.e., the format string itself)
2488 but not others, point the caret at the first character that's
2489 past the end of the destination. */
2492 }
2495 {
2496 /* This is the terminating nul. */
2500 info.bounded
2501 ? (maybe
2506 : (maybe
2512 }
2515 {
2519 "%<%.*s%> directive writing %wu byte into a "
2521 "%<%.*s%> directive writing %wu bytes into a "
2526 "%<%.*s%> directive output may be truncated "
2528 "%<%.*s%> directive output may be truncated "
2531 else
2533 "%<%.*s%> directive output truncated writing "
2535 "%<%.*s%> directive output truncated writing "
2538 }
2542 info.bounded
2543 ? (maybe
2545 "writing up to %wu bytes into a region of "
2555 /* This is a special case to avoid issuing the potentially
2556 confusing warning:
2557 writing 0 or more bytes into a region of size 0. */
2559 info.bounded
2560 ? (maybe
2562 "writing likely %wu or more bytes into a "
2565 "likely %wu or more bytes into a region of "
2574 info.bounded
2575 ? (maybe
2577 "writing between %wu and %wu bytes into a "
2580 "writing between %wu and %wu bytes into a "
2589 info.bounded
2590 ? (maybe
2592 "writing %wu or more bytes into a region of "
2600 }
2602 /* The size of the destination region is a range. */
2605 {
2608 /* For plain character directives (i.e., the format string itself)
2609 but not others, point the caret at the first character that's
2610 past the end of the destination. */
2613 }
2616 {
2620 info.bounded
2621 ? (maybe
2626 : (maybe
2631 }
2634 {
2638 "%<%.*s%> directive writing %wu byte into a region "
2640 "%<%.*s%> directive writing %wu bytes into a region "
2645 "%<%.*s%> directive output may be truncated writing "
2647 "%<%.*s%> directive output may be truncated writing "
2648 "%wu bytes into a region of size between %wu and "
2651 else
2653 "%<%.*s%> directive output truncated writing %wu "
2655 "%<%.*s%> directive output truncated writing %wu "
2659 }
2663 info.bounded
2664 ? (maybe
2666 "writing up to %wu bytes into a region of size "
2669 "up to %wu bytes into a region of size between "
2678 /* This is a special case to avoid issuing the potentially confusing
2679 warning:
2680 writing 0 or more bytes into a region of size between 0 and N. */
2682 info.bounded
2683 ? (maybe
2685 "writing likely %wu or more bytes into a region "
2688 "likely %wu or more bytes into a region of size "
2698 info.bounded
2699 ? (maybe
2701 "writing between %wu and %wu bytes into a region "
2704 "between %wu and %wu bytes into a region of size "
2707 "%wu bytes into a region of size between %wu and "
2713 info.bounded
2714 ? (maybe
2716 "%wu or more bytes into a region of size between "
2719 "%wu or more bytes into a region of size between "
2726 }
2728 /* Compute the length of the output resulting from the directive DIR
2729 in a call described by INFO and update the overall result of the call
2730 in *RES. Return true if the directive has been handled. */
2732 static bool
2736 {
2737 /* Offset of the beginning of the directive from the beginning
2738 of the format string. */
2743 /* Create a location for the whole directive from the % to the format
2744 specifier. */
2748 /* Also get the location of the argument if possible.
2749 This doesn't work for integer literals or function calls. */
2754 /* Bail when there is no function to compute the output length,
2755 or when minimum length checking has been disabled. */
2759 /* Compute the range of lengths of the formatted output. */
2762 /* Record whether the output of all directives is known to be
2763 bounded by some maximum, implying that their arguments are
2764 either known exactly or determined to be in a known range
2765 or, for strings, limited by the upper bounds of the arrays
2766 they refer to. */
2770 {
2771 /* Only when the range is known, check it against the host value
2772 of INT_MAX + (the number of bytes of the "%.*Lf" directive with
2773 INT_MAX precision, which is the longest possible output of any
2774 single directive). That's the largest valid byte count (though
2775 not valid call to a printf-like function because it can never
2776 return such a count). Otherwise, the range doesn't correspond
2777 to known values of the argument. */
2779 {
2780 /* Normalize the MAX counter to avoid having to deal with it
2781 later. The counter can be less than HOST_WIDE_INT_M1U
2782 when compiling for an ILP32 target on an LP64 host. */
2784 /* Disable exact and maximum length checking after a failure
2785 to determine the maximum number of characters (for example
2786 for wide characters or wide character strings) but continue
2787 tracking the minimum number of characters. */
2789 }
2792 {
2793 /* Disable exact length checking after a failure to determine
2794 even the minimum number of characters (it shouldn't happen
2795 except in an error) but keep tracking the minimum and maximum
2796 number of characters. */
2798 }
2799 }
2801 /* Buffer for the directive in the host character set (used when
2802 the source character set is different). */
2808 {
2814 /* Don't bother processing the rest of the format string. */
2819 }
2821 /* Compute the number of available bytes in the destination. There
2822 must always be at least one byte of space for the terminating
2823 NUL that's appended after the format string has been processed. */
2832 /* Bump up the total maximum if it isn't too big. */
2837 /* Raise the total unlikely maximum by the larger of the maximum
2838 and the unlikely maximum. */
2842 else
2851 /* Has the minimum directive output length exceeded the maximum
2852 of 4095 bytes required to be supported? */
2855 /* Clear POSUNDER4K in the overall result if the maximum has exceeded
2856 the 4k (this is necessary to avoid the return value optimization
2857 that may not be safe in the maximum case). */
2860 /* Also clear POSUNDER4K if the directive may fail. */
2865 /* Only warn at level 2. */
2867 /* Only warn for string functions. */
2869 && (!minunder4k
2871 {
2872 /* The directive output may be longer than the maximum required
2873 to be handled by an implementation according to 7.21.6.1, p15
2874 of C11. Warn on this only at level 2 but remember this and
2875 prevent folding the return value when done. This allows for
2876 the possibility of the actual libc call failing due to ENOMEM
2877 (like Glibc does with very large precision or width).
2878 Issue the "may exceed" warning only for string functions and
2879 not for fprintf or printf. */
2883 "%<%.*s%> directive output of %wu bytes exceeds "
2889 "%<%.*s%> directive output between %wu and %wu "
2891 dirlen,
2896 "%<%.*s%> directive output between %wu and %wu "
2897 "bytes may exceed minimum required size of "
2899 dirlen,
2902 }
2904 /* Has the likely and maximum directive output exceeded INT_MAX? */
2906 /* Don't consider the maximum to be in excess when it's the result
2907 of a string of unknown length (i.e., whose maximum has been set
2908 to be greater than or equal to HOST_WIDE_INT_MAX. */
2914 /* Warn for the likely output size at level 1. */
2915 && (likelyximax
2916 /* But only warn for the maximum at level 2. */
2918 && maxximax
2920 {
2922 {
2923 /* The directive output exceeds INT_MAX bytes. */
2926 "%<%.*s%> directive output of %wu bytes exceeds "
2930 else
2932 "%<%.*s%> directive output between %wu and "
2936 }
2938 {
2939 /* The directive output is under INT_MAX but causes the result
2940 to exceed INT_MAX bytes. */
2943 "%<%.*s%> directive output of %wu bytes causes "
2947 else
2949 "%<%.*s%> directive output between %wu and "
2951 dirlen,
2954 }
2957 /* Warn for calls to string functions that either aren't bounded
2958 (sprintf) or whose return value isn't used. */
2960 "%<%.*s%> directive output between %wu and "
2961 "%wu bytes may cause result to exceed "
2965 }
2968 {
2970 "%<%.*s%> directive argument is not a nul-terminated "
2972 dirlen,
2978 }
2988 {
2994 else
2998 }
3003 {
3010 {
3011 /* If a warning has been issued for buffer overflow or truncation
3012 help the user figure out how big a buffer they need. */
3023 "%qE output between %wu and %wu bytes into "
3028 "%qE output %wu or more bytes (assuming %wu) into "
3031 else
3033 "%qE output %wu or more bytes into a destination of size "
3036 }
3038 {
3039 /* If the warning is for a file function function like fprintf
3040 of printf with no destination size just print the computed
3041 result. */
3056 else
3060 }
3061 }
3064 {
3066 " Result: "
3075 }
3078 }
3080 /* Parse a format directive in function call described by INFO starting
3081 at STR and populate DIR structure. Bump up *ARGNO by the number of
3082 arguments extracted for the directive. Return the length of
3083 the directive. */
3085 static size_t
3090 {
3095 {
3096 /* This directive is either a plain string or the terminating nul
3097 (which isn't really a directive but it simplifies things to
3098 handle it as if it were). */
3103 {
3110 }
3113 }
3117 /* POSIX numbered argument index or zero when none. */
3120 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN
3121 when given by a va_list argument, and a non-negative value
3122 when specified in the format string itself. */
3126 /* Pointers to the beginning of the width and precision decimal
3127 string (if any) within the directive. */
3131 /* When the value of the decimal string that specifies width or
3132 precision is out of range, points to the digit that causes
3133 the value to exceed the limit. */
3137 /* Width specified via the asterisk. Need not be INTEGER_CST.
3138 For vararg functions set to void_node. */
3141 /* Width specified via the asterisk. Need not be INTEGER_CST.
3142 For vararg functions set to void_node. */
3146 {
3147 /* This could be either a POSIX positional argument, the '0'
3148 flag, or a width, depending on what follows. Store it as
3149 width and sort it out later after the next character has
3150 been seen. */
3153 }
3155 {
3156 /* Similarly to the block above, this could be either a POSIX
3157 positional argument or a width, depending on what follows. */
3160 else
3163 }
3166 {
3167 /* Handle the POSIX dollar sign which references the 1-based
3168 positional argument number. */
3177 /* Bail when the numbered argument is out of range (it will
3178 have already been diagnosed by -Wformat). */
3189 }
3192 {
3194 {
3196 {
3197 /* The '0' that has been interpreted as a width above is
3198 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
3199 and continue processing other flags. */
3202 }
3204 {
3205 /* (Non-zero) width has been seen. The next character
3206 is either a period or a digit. */
3208 }
3209 }
3210 /* When either '$' has been seen, or width has not been seen,
3211 the next field is the optional flags followed by an optional
3212 width. */
3215 {
3226 }
3227 }
3229 start_width:
3231 {
3235 }
3237 {
3240 else
3241 {
3242 /* This is (likely) a va_list. It could also be an invalid
3243 call with insufficient arguments. */
3245 }
3247 }
3249 {
3250 /* The POSIX apostrophe indicating a numeric grouping
3251 in the current locale. Even though it's possible to
3252 estimate the upper bound on the size of the output
3253 based on the number of digits it probably isn't worth
3254 continuing. */
3256 }
3257 }
3259 start_precision:
3261 {
3265 {
3268 }
3270 {
3273 else
3274 {
3275 /* This is (likely) a va_list. It could also be an invalid
3276 call with insufficient arguments. */
3278 }
3280 }
3281 else
3282 {
3283 /* The decimal precision or the asterisk are optional.
3284 When neither is dirified it's taken to be zero. */
3286 }
3287 }
3290 {
3293 {
3296 }
3297 else
3314 {
3317 }
3318 else
3332 }
3335 {
3336 /* Handle a sole '%' character the same as "%%" but since it's
3337 undefined prevent the result from being folded. */
3341 /* FALLTHRU */
3368 /* The %p output is implementation-defined. It's possible
3369 to determine this format but due to extensions (edirially
3370 those of the Linux kernel -- see bug 78512) the first %p
3371 in the format string disables any further processing. */
3375 /* %n has side-effects even when nothing is actually printed to
3376 any buffer. */
3383 /* POSIX wide character and C/POSIX narrow character. */
3389 /* POSIX wide string and C/POSIX narrow character string. */
3394 /* Unknown conversion specification. */
3396 }
3400 /* Store the length of the format directive. */
3403 /* Buffer for the directive in the host character set (used when
3404 the source character set is different). */
3408 {
3411 else
3412 {
3413 /* Width specified by a va_list takes on the range [0, -INT_MIN]
3414 (width is the absolute value of that specified). */
3417 }
3418 }
3419 else
3420 {
3422 {
3427 /* Create a location for the width part of the directive,
3428 pointing the caret at the first out-of-range digit. */
3435 }
3438 }
3441 {
3444 else
3445 {
3446 /* Precision specified by a va_list takes on the range [-1, INT_MAX]
3447 (unlike width, negative precision is ignored). */
3450 }
3451 }
3452 else
3453 {
3455 {
3460 /* Create a location for the precision part of the directive,
3461 including the leading period, pointing the caret at the first
3462 out-of-range digit . */
3469 }
3472 }
3474 /* Extract the argument if the directive takes one and if it's
3475 available (e.g., the function doesn't take a va_list). Treat
3476 missing arguments the same as va_list, even though they will
3477 have likely already been diagnosed by -Wformat. */
3483 {
3485 " Directive %u at offset " HOST_WIDE_INT_PRINT_UNSIGNED
3491 {
3495 else
3497 ", width in range [" HOST_WIDE_INT_PRINT_DEC
3500 }
3503 {
3507 else
3509 ", precision in range [" HOST_WIDE_INT_PRINT_DEC
3512 }
3514 }
3517 }
3519 /* Compute the length of the output resulting from the call to a formatted
3520 output function described by INFO and store the result of the call in
3521 *RES. Issue warnings for detected past the end writes. Return true
3522 if the complete format string has been processed and *RES can be relied
3523 on, false otherwise (e.g., when a unknown or unhandled directive was seen
3524 that caused the processing to be terminated early). */
3526 bool
3529 {
3531 {
3538 ": objsize = " HOST_WIDE_INT_PRINT_UNSIGNED
3541 }
3543 /* Reset the minimum and maximum byte counters. */
3546 /* No directive has been seen yet so the length of output is bounded
3547 by the known range [0, 0] (with no conversion resulting in a failure
3548 or producing more than 4K bytes) until determined otherwise. */
3553 /* 1-based directive counter. */
3556 /* The variadic argument counter. */
3560 {
3567 /* Return failure if the format function fails. */
3572 /* Return success the directive is zero bytes long and it's
3573 the last think in the format string (i.e., it's the terminating
3574 nul, which isn't really a directive but handling it as one makes
3575 things simpler). */
3580 }
3582 /* The complete format string was processed (with or without warnings). */
3584 }
3586 /* Return the size of the object referenced by the expression DEST if
3587 available, or the maximum possible size otherwise. */
3589 static unsigned HOST_WIDE_INT
3591 {
3592 /* When there is no destination return the maximum. */
3596 /* Initialize object size info before trying to compute it. */
3599 /* Use __builtin_object_size to determine the size of the destination
3600 object. When optimizing, determine the smallest object (such as
3601 a member array as opposed to the whole enclosing object), otherwise
3602 use type-zero object size to determine the size of the enclosing
3603 object (the function fails without optimization in this type). */
3610 }
3612 /* Return true if the call described by INFO with result RES safe to
3613 optimize (i.e., no undefined behavior), and set RETVAL to the range
3614 of its return values. */
3616 static bool
3620 {
3624 /* The minimum return value. */
3627 /* The maximum return value is in most cases bounded by RES.RANGE.MAX
3628 but in cases involving multibyte characters could be as large as
3629 RES.RANGE.UNLIKELY. */
3633 /* Adjust the number of bytes which includes the terminating nul
3634 to reflect the return value of the function which does not.
3635 Because the valid range of the function is [INT_MIN, INT_MAX],
3636 a valid range before the adjustment below is [0, INT_MAX + 1]
3637 (the functions only return negative values on error or undefined
3638 behavior). */
3644 /* Avoid the return value optimization when the behavior of the call
3645 is undefined either because any directive may have produced 4K or
3646 more of output, or the return value exceeds INT_MAX, or because
3647 the output overflows the destination object (but leave it enabled
3648 when the function is bounded because then the behavior is well-
3649 defined). */
3664 }
3666 /* Given a suitable result RES of a call to a formatted output function
3667 described by INFO, substitute the result for the return value of
3668 the call. The result is suitable if the number of bytes it represents
3669 is known and exact. A result that isn't suitable for substitution may
3670 have its range set to the range of return values, if that is known.
3671 Return true if the call is removed and gsi_next should not be performed
3672 in the caller. */
3674 static bool
3678 {
3681 /* Set to true when the entire call has been removed. */
3684 /* The minimum and maximum return value. */
3690 /* Not prepared to handle possibly throwing calls here; they shouldn't
3691 appear in non-artificial testcases, except when the __*_chk routines
3692 are badly declared. */
3694 {
3699 {
3700 /* Remove the call to the bounded function with a zero size
3701 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */
3705 }
3707 {
3708 /* Replace the call to the bounded function with a zero size
3709 (e.g., snprintf(0, 0, "%i", 123) with the constant result
3710 of the function. */
3715 }
3717 {
3718 /* Replace the left-hand side of the call with the constant
3719 result of the formatted function. */
3724 }
3727 {
3730 else
3731 {
3736 }
3737 }
3738 }
3740 {
3747 {
3748 /* If the result is in a valid range bounded by the size of
3749 the destination set it so that it can be used for subsequent
3750 optimizations. */
3758 }
3761 {
3771 " %s %s-bounds return value range ["
3772 HOST_WIDE_INT_PRINT_UNSIGNED ", "
3775 else
3779 }
3780 }
3786 }
3788 /* Try to simplify a s{,n}printf call described by INFO with result
3789 RES by replacing it with a simpler and presumably more efficient
3790 call (such as strcpy). */
3792 static bool
3796 {
3802 {
3810 ;
3811 }
3814 }
3816 /* Return the zero-based index of the format string argument of a printf
3817 like function and set *IDX_ARGS to the first format argument. When
3818 no such index exists return UINT_MAX. */
3820 static unsigned
3822 {
3842 /* Attribute argument indices are 1-based but we use zero-based. */
3845 }
3847 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
3848 functions and if so, handle it. Return true if the call is removed
3849 and gsi_next should not be performed in the caller. */
3851 bool
3853 {
3861 /* Format string argument number (valid for all functions). */
3865 else
3866 {
3873 idx_format))))
3877 }
3879 /* The size of the destination as in snprintf(dest, size, ...). */
3882 /* The size of the destination determined by __builtin_object_size. */
3885 /* Zero-based buffer size argument number (snprintf and vsnprintf). */
3888 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
3891 /* Destinaton argument number (valid for sprintf functions only). */
3895 {
3897 // User-defined function with attribute format (printf).
3902 // Signature:
3903 // __builtin_fprintf (FILE*, format, ...)
3910 // Signature:
3911 // __builtin_fprintf_chk (FILE*, ost, format, ...)
3918 // Signature:
3919 // __builtin_fprintf_unnlocked (FILE*, format, ...)
3926 // Signature:
3927 // __builtin_printf (format, ...)
3934 // Signature:
3935 // __builtin_printf_chk (ost, format, ...)
3942 // Signature:
3943 // __builtin_printf (format, ...)
3950 // Signature:
3951 // __builtin_sprintf (dst, format, ...)
3957 // Signature:
3958 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
3965 // Signature:
3966 // __builtin_snprintf (dst, size, format, ...)
3974 // Signature:
3975 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
3984 // Signature:
3985 // __builtin_vprintf (FILE*, format, va_list)
3992 // Signature:
3993 // __builtin___vfprintf_chk (FILE*, ost, format, va_list)
4000 // Signature:
4001 // __builtin_vprintf (format, va_list)
4008 // Signature:
4009 // __builtin___vprintf_chk (ost, format, va_list)
4016 // Signature:
4017 // __builtin_vsprintf (dst, size, format, va)
4025 // Signature:
4026 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
4035 // Signature:
4036 // __builtin_vsprintf (dst, format, va)
4042 // Signature:
4043 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
4051 }
4053 /* Set the global warning level for this function. */
4056 /* For all string functions the first argument is a pointer to
4057 the destination. */
4063 /* True when the destination size is constant as opposed to the lower
4064 or upper bound of a range. */
4069 {
4070 /* For non-bounded functions like sprintf, determine the size
4071 of the destination from the object or pointer passed to it
4072 as the first argument. */
4074 }
4076 {
4077 /* For bounded functions try to get the size argument. */
4080 {
4082 /* No object can be larger than SIZE_MAX bytes (half the address
4083 space) on the target.
4084 The functions are defined only for output of at most INT_MAX
4085 bytes. Specifying a bound in excess of that limit effectively
4086 defeats the bounds checking (and on some implementations such
4087 as Solaris cause the function to fail with EINVAL). */
4089 {
4090 /* Avoid warning if -Wstringop-overflow is specified since
4091 it also warns for the same thing though only for the
4092 checking built-ins. */
4096 "specified bound %wu exceeds maximum object size "
4099 /* POSIX requires snprintf to fail if DSTSIZE is greater
4100 than INT_MAX. Even though not all POSIX implementations
4101 conform to the requirement, avoid folding in this case. */
4103 }
4105 {
4108 dstsize);
4109 /* POSIX requires snprintf to fail if DSTSIZE is greater
4110 than INT_MAX. Avoid folding in that case. */
4112 }
4113 }
4115 {
4116 /* Try to determine the range of values of the argument
4117 and use the greater of the two at level 1 and the smaller
4118 of them at level 2. */
4121 {
4128 "specified bound range [%wu, %wu] exceeds "
4132 /* POSIX requires snprintf to fail if DSTSIZE is greater
4133 than INT_MAX. Avoid folding if that's possible. */
4136 }
4138 {
4139 /* POSIX requires snprintf to fail if DSTSIZE is greater
4140 than INT_MAX. Since SIZE's range is unknown, avoid
4141 folding. */
4143 }
4145 /* The destination size is not constant. If the function is
4146 bounded (e.g., snprintf) a lower bound of zero doesn't
4147 necessarily imply it can be eliminated. */
4149 }
4150 }
4158 {
4159 /* As a special case, when the explicitly specified destination
4160 size argument (to a bounded function like snprintf) is zero
4161 it is a request to determine the number of bytes on output
4162 without actually producing any. Pretend the size is
4163 unlimited in this case. */
4166 }
4167 else
4168 {
4169 /* For calls to non-bounded functions or to those of bounded
4170 functions with a non-zero size, warn if the destination
4171 pointer is null. */
4173 {
4174 /* This is diagnosed with -Wformat only when the null is a constant
4175 pointer. The warning here diagnoses instances where the pointer
4176 is not constant. */
4182 }
4184 /* Set the object size to the smaller of the two arguments
4185 of both have been specified and they're not equal. */
4190 /* Avoid warning if -Wstringop-overflow is specified since
4191 it also warns for the same thing though only for the
4192 checking built-ins. */
4195 {
4197 "specified bound %wu exceeds the size %wu "
4199 }
4200 }
4202 /* Determine if the format argument may be null and warn if not
4203 and if the argument is null. */
4206 {
4212 }
4218 /* The result is the number of bytes output by the formatted function,
4219 including the terminating NUL. */
4222 /* I/O functions with no destination argument (i.e., all forms of fprintf
4223 and printf) may fail under any conditions. Others (i.e., all forms of
4224 sprintf) may only fail under specific conditions determined for each
4225 directive. Clear POSUNDER4K for the former set of functions and set
4226 it to true for the latter (it can only be cleared later, but it is
4227 never set to true again). */
4234 /* When optimizing and the printf return value optimization is enabled,
4235 attempt to substitute the computed result for the return value of
4236 the call. Avoid this optimization when -frounding-math is in effect
4237 and the format string contains a floating point directive. */
4240 {
4241 /* Save a copy of the iterator pointing at the call. The iterator
4242 may change to point past the call in try_substitute_return_value
4243 but the original value is needed in try_simplify_call. */
4252 }
4255 }
4257 edge
4259 {
4262 {
4263 /* Iterate over statements, looking for function calls. */
4266 /* First record ranges generated by this statement. */
4270 /* If handle_gimple_call returns true, the iterator is
4271 already pointing to the next statement. */
4275 }
4277 }
4279 void
4281 {
4283 }
4285 /* Execute the pass for function FUN. */
4287 unsigned int
4289 {
4295 {
4298 }
4300 sprintf_dom_walker sprintf_dom_walker;
4304 {
4307 }
4309 /* Clean up object size info. */
4312 }
4316 /* Return a pointer to a pass object newly constructed from the context
4317 CTXT. */
4319 gimple_opt_pass *
4321 {
4323 }