| blob | 92f939ebe2142ca4f4c0fff3997f707381d0ff3c |
1 /* Copyright (C) 2016 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
9 version.
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 for more details.
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
94 };
99 {
106 { }
115 {
118 }
124 };
126 bool
128 {
129 /* Run the pass iff -Warn-format-length is specified and either
130 not optimizing and the pass is being invoked early, or when
131 optimizing and the pass is being invoked during optimization
132 (i.e., "late"). */
135 }
137 /* The result of a call to a formatted function. */
139 struct format_result
140 {
141 /* Number of characters written by the formatted function, exact,
142 minimum and maximum when an exact number cannot be determined.
143 Setting the minimum to HOST_WIDE_INT_MAX disables all length
144 tracking for the remainder of the format string.
145 Setting either of the other two members to HOST_WIDE_INT_MAX
146 disables the exact or maximum length tracking, respectively,
147 but continues to track the maximum. */
152 /* True when the range given by NUMBER_CHARS_MIN and NUMBER_CHARS_MAX
153 is the output of all directives determined to be bounded to some
154 subrange of their types or possible lengths, false otherwise.
155 Note that BOUNDED only implies that the length of a function's
156 output is known to be within some range, not that it's constant
157 and a candidate for folding. */
160 /* True when the output of the formatted call is constant (and
161 thus a candidate for string constant folding). This is rare
162 and typically requires that the arguments of all directives
163 are also constant. Constant implies bounded. */
166 /* True if no individual directive resulted in more than 4095 bytes
167 of output (the total NUMBER_CHARS might be greater). */
170 /* True when a floating point directive has been seen in the format
171 string. */
174 /* True when an intermediate result has caused a warning. Used to
175 avoid issuing duplicate warnings while finishing the processing
176 of a call. */
179 /* Preincrement the number of output characters by 1. */
181 {
183 }
185 /* Postincrement the number of output characters by 1. */
187 {
191 }
193 /* Increment the number of output characters by N. */
195 {
205 }
206 };
208 /* Return the value of INT_MIN for the target. */
210 static HOST_WIDE_INT
212 {
213 const unsigned HOST_WIDE_INT int_min
217 }
219 /* Return the value of INT_MAX for the target. */
221 static unsigned HOST_WIDE_INT
223 {
224 const unsigned HOST_WIDE_INT int_max
228 }
230 /* Return the constant initial value of DECL if available or DECL
231 otherwise. Same as the synonymous function in c/c-typeck.c. */
233 static tree
235 {
237 in a place where a variable is invalid. Note that DECL_INITIAL
238 isn't valid for a PARM_DECL. */
245 /* This is invalid if initial value is not constant.
246 If it has either a function call, a memory reference,
247 or a variable, then re-evaluating it could give different results. */
249 /* Check for cases where this is sub-optimal, even though valid. */
253 }
255 /* Given FORMAT, set *PLOC to the source location of the format string
256 and return the format string if it is known or null otherwise. */
260 {
262 {
263 /* Pull out a constant value if the front end didn't. */
266 }
269 {
270 /* FIXME: Diagnose null format string if it hasn't been diagnosed
271 by -Wformat (the latter diagnoses only nul pointer constants,
272 this pass can do better). */
274 }
279 {
290 /* POINTER_PLUS_EXPR offsets are to be interpreted signed. */
295 }
312 tree array_init;
319 {
320 /* Extract the string constant initializer. Note that this may
321 include a trailing NUL character that is not in the array (e.g.
322 const char a[3] = "foo";). */
325 }
331 {
332 /* Wide format string. */
334 }
340 {
341 /* Variable length arrays can't be initialized. */
345 {
351 }
352 }
354 {
360 }
363 {
364 /* FIXME: Diagnose an unterminated format string if it hasn't been
365 diagnosed by -Wformat. Similarly to a null format pointer,
366 -Wformay diagnoses only nul pointer constants, this pass can
367 do better). */
369 }
372 }
374 /* The format_warning_at_substring function is not used here in a way
375 that makes using attribute format viable. Suppress the warning. */
377 #pragma GCC diagnostic push
380 /* For convenience and brevity. */
382 static bool
387 /* Format length modifiers. */
389 enum format_lengths
390 {
391 FMT_LEN_none,
399 FMT_LEN_j // intmax_t
400 };
403 /* A minimum and maximum number of bytes. */
405 struct result_range
406 {
408 };
410 /* Description of the result of conversion either of a single directive
411 or the whole format string. */
413 struct fmtresult
414 {
415 /* The range a directive's argument is in. */
418 /* The minimum and maximum number of bytes that a directive
419 results in on output for an argument in the range above. */
420 result_range range;
422 /* True when the range is the result of an argument determined
423 to be bounded to a subrange of its type or value (such as by
424 value range propagation or the width of the formt directive),
425 false otherwise. */
427 /* True when the output of a directive is constant. This is rare
428 and typically requires that the argument(s) of the directive
429 are also constant (such as determined by constant propagation,
430 though not value range propagation). */
432 };
434 /* Description of a conversion specification. */
436 struct conversion_spec
437 {
438 /* A bitmap of flags, one for each character. */
440 /* Numeric width as in "%8x". */
442 /* Numeric precision as in "%.32s". */
445 /* Width specified via the '*' character. */
446 tree star_width;
447 /* Precision specified via the asterisk. */
448 tree star_precision;
450 /* Length modifier. */
451 format_lengths modifier;
453 /* Format specifier character. */
456 /* Numeric width was given. */
458 /* Numeric precision was given. */
460 /* Non-zero when certain flags should be interpreted even for a directive
461 that normally doesn't accept them (used when "%p" with flags such as
462 space or plus is interepreted as a "%x". */
465 /* Format conversion function that given a conversion specification
466 and an argument returns the formatting result. */
469 /* Return True when a the format flag CHR has been used. */
471 {
475 }
477 /* Make a record of the format flag CHR having been used. */
479 {
483 }
485 /* Reset the format flag CHR. */
487 {
491 }
492 };
494 /* Return the logarithm of X in BASE. */
496 static int
498 {
500 do
501 {
506 }
508 /* Return the number of bytes resulting from converting into a string
509 the INTEGER_CST tree node X in BASE. PLUS indicates whether 1 for
510 a plus sign should be added for positive numbers, and PREFIX whether
511 the length of an octal ('O') or hexadecimal ('0x') prefix should be
512 added for nonzero numbers. Return -1 if X cannot be represented. */
514 static int
516 {
522 {
524 {
527 }
528 else
530 }
531 else
532 {
534 {
537 {
540 }
541 else
542 {
545 }
546 }
547 else
549 }
554 {
559 }
562 }
564 /* Given the formatting result described by RES and NAVAIL, the number
565 of available in the destination, return the number of bytes remaining
566 in the destination. */
570 {
571 result_range range;
574 {
577 }
580 {
582 }
584 {
586 }
587 else
592 else
596 }
598 /* Given the formatting result described by RES and NAVAIL, the number
599 of available in the destination, return the minimum number of bytes
600 remaining in the destination. */
604 {
609 {
610 /* At level 2, or when all directives output an exact number
611 of bytes or when their arguments were bounded by known
612 ranges, use the greater of the two byte counters if it's
613 valid to compute the result. */
620 }
621 else
622 {
623 /* At level 1 use the smaller of the byte counters to compute
624 the result. */
631 }
637 }
639 /* Description of a call to a formatted function. */
642 {
643 /* Function call statement. */
646 /* Function called. */
647 tree func;
649 /* Called built-in function code. */
650 built_in_function fncode;
652 /* Format argument and format string extracted from it. */
653 tree format;
656 /* The location of the format argument. */
657 location_t fmtloc;
659 /* The destination object size for __builtin___xxx_chk functions
660 typically determined by __builtin_object_size, or -1 if unknown. */
663 /* Number of the first variable argument. */
666 /* True for functions like snprintf that specify the size of
667 the destination, false for others like sprintf that don't. */
669 };
671 /* Return the result of formatting the '%%' directive. */
673 static fmtresult
675 {
676 fmtresult res;
681 }
684 /* Ugh. Compute intmax_type_node and uintmax_type_node the same way
685 lto/lto-lang.c does it. This should be available in tree.h. */
687 static void
689 {
691 {
694 }
696 {
699 }
701 {
704 }
705 else
706 {
709 {
714 {
717 }
718 }
719 }
720 }
722 static fmtresult
725 /* Return a range representing the minimum and maximum number of bytes
726 that the conversion specification SPEC will write on output for the
727 pointer argument ARG when non-null. ARG may be null (for vararg
728 functions). */
730 static fmtresult
732 {
735 /* Determine the target's integer format corresponding to "%p". */
739 {
740 /* The format couldn't be determined. */
743 }
746 {
747 /* Format the pointer using the integer format string. */
750 /* Clear flags that are not listed as recognized. */
752 {
755 }
757 /* Set flags that are specified in the format string. */
759 do
760 {
762 {
768 }
769 }
772 /* Set the appropriate length modifier taking care to clear
773 the one that may be set (Glibc's %p accepts but ignores all
774 the integer length modifiers). */
776 {
781 }
787 }
789 /* The format is a plain string such as Glibc's "(nil)". */
792 }
794 /* Return a range representing the minimum and maximum number of bytes
795 that the conversion specification SPEC will write on output for the
796 integer argument ARG when non-null. ARG may be null (for vararg
797 functions). */
799 static fmtresult
801 {
802 /* These are available as macros in the C and C++ front ends but,
803 sadly, not here. */
807 /* Initialize the intmax nodes above the first time through here. */
811 /* Set WIDTH and PRECISION to either the values in the format
812 specification or to zero. */
826 /* The type of the "formal" argument expected by the directive. */
829 /* Determine the expected type of the argument from the length
830 modifier. */
832 {
836 else
854 dirtype = (sign
855 ? long_long_integer_type_node
872 {
879 }
880 }
882 /* The type of the argument to the directive, either deduced from
883 the actual non-constant argument if one is known, or from
884 the directive itself when none has been provided because it's
885 a va_list. */
889 {
890 /* When the argument has not been provided, use the type of
891 the directive's argument as an approximation. This will
892 result in false positives for directives like %i with
893 arguments with smaller precision (such as short or char). */
895 }
897 {
898 /* The minimum and maximum number of bytes produced by
899 the directive. */
902 /* When a constant argument has been provided use its value
903 rather than type to determine the length of the output. */
907 /* Base to format the number in. */
910 /* True when a signed conversion is preceded by a sign or space. */
914 {
917 /* Space is only effective for signed conversions. */
936 }
938 /* Convert the argument to the type of the directive. */
943 /* True when a conversion is preceded by a prefix indicating the base
944 of the argument (octal or hexadecimal). */
959 }
962 {
963 /* Determine the type of the provided non-constant argument. */
972 }
973 else
974 {
975 /* Don't bother with invalid arguments since they likely would
976 have already been diagnosed, and disable any further checking
977 of the format string by returning [-1, -1]. */
981 }
985 /* Using either the range the non-constant argument is in, or its
986 type (either "formal" or actual), create a range of values that
987 constrain the length of output given the warning level. */
993 {
994 /* Try to determine the range of values of the integer argument
995 (range information is not available for pointers). */
999 {
1005 /* For a range with a negative lower bound and a non-negative
1006 upper bound, use one to determine the minimum number of bytes
1007 on output and whichever of the two bounds that results in
1008 the greater number of bytes on output for the upper bound.
1009 For example, for ARG in the range of [-3, 123], use 123 as
1010 the upper bound for %i but -3 for %u. */
1012 {
1025 }
1026 else
1027 {
1030 }
1032 /* The argument is bounded by the range of values determined
1033 by Value Range Propagation. */
1035 }
1037 {
1038 /* Handle anti-ranges if/when bug 71690 is resolved. */
1039 }
1041 {
1042 /* The argument here may be the result of promoting the actual
1043 argument to int. Try to determine the type of the actual
1044 argument before promotion and narrow down its range that
1045 way. */
1048 {
1052 }
1053 }
1054 }
1057 {
1058 /* For an unknown argument (e.g., one passed to a vararg function)
1059 or one whose value range cannot be determined, create a T_MIN
1060 constant if the argument's type is signed and T_MAX otherwise,
1061 and use those to compute the range of bytes that the directive
1062 can output. */
1069 {
1072 else
1076 }
1077 else
1078 {
1082 }
1085 }
1087 /* Recursively compute the minimum and maximum from the known range,
1088 taking care to swap them if the lower bound results in longer
1089 output than the upper bound (e.g., in the range [-1, 0]. */
1093 /* The result is bounded either when the argument is determined to be
1094 (e.g., when it's within some range) or when the minimum and maximum
1095 are the same. That can happen here for example when the specified
1096 width is as wide as the greater of MIN and MAX, as would be the case
1097 with sprintf (d, "%08x", x) with a 32-bit integer x. */
1101 {
1105 }
1108 }
1110 /* Return the number of bytes to format using the format specifier
1111 SPEC the largest value in the real floating TYPE. */
1113 static int
1115 {
1118 /* IBM Extended mode. */
1122 /* Get the real type format desription for the target. */
1124 REAL_VALUE_TYPE rv;
1126 {
1130 }
1132 /* Convert the GCC real value representation with the precision
1133 of the real type to the mpfr_t format with the GCC default
1134 round-to-nearest mode. */
1135 mpfr_t x;
1142 }
1144 /* Return a range representing the minimum and maximum number of bytes
1145 that the conversion specification SPEC will output for any argument
1146 given the WIDTH and PRECISION (extracted from SPEC). This function
1147 is used when the directive argument or its value isn't known. */
1149 static fmtresult
1151 {
1152 tree type;
1156 {
1173 {
1180 }
1181 }
1183 /* The minimum and maximum number of bytes produced by the directive. */
1187 /* Log10 of of the maximum number of exponent digits for the type. */
1191 {
1192 /* The base in which the exponent is represented should always
1193 be 2 in GCC. */
1197 /* Compute T_MAX_EXP for base 2. */
1200 }
1203 {
1206 {
1207 /* The minimum output is "0x.p+0". */
1210 /* Compute the maximum just once. */
1214 };
1217 }
1221 {
1223 /* The minimum output is "[-+]1.234567e+00" regardless
1224 of the value of the actual argument. */
1228 /* The maximum output is the minimum plus sign (unless already
1229 included), plus the difference between the minimum exponent
1230 of 2 and the maximum exponent for the type. */
1233 }
1237 {
1238 /* The minimum output is "1.234567" regardless of the value
1239 of the actual argument. */
1242 /* Compute the maximum just once. */
1246 };
1249 }
1252 {
1253 /* The minimum is the same as for '%F'. */
1256 /* Compute the maximum just once. */
1260 };
1263 }
1266 {
1273 }
1274 }
1277 {
1282 }
1284 /* The argument is only considered bounded when the range of output
1285 bytes is exact. */
1288 }
1290 /* Return a range representing the minimum and maximum number of bytes
1291 that the conversion specification SPEC will write on output for the
1292 floating argument ARG. */
1294 static fmtresult
1296 {
1300 /* The minimum and maximum number of bytes produced by the directive. */
1307 {
1310 else
1311 {
1314 }
1315 }
1320 {
1323 else
1324 {
1327 }
1328 }
1330 {
1331 /* Specify the precision explicitly since mpfr_sprintf defaults
1332 to zero. */
1334 }
1337 {
1338 /* Set up an array to easily iterate over. */
1341 };
1343 /* Get the real type format desription for the target. */
1347 /* Convert the GCC real value representation with the precision
1348 of the real type to the mpfr_t format with the GCC default
1349 round-to-nearest mode. */
1350 mpfr_t mpfrval;
1358 /* Append flags. */
1363 /* Append width when specified and precision. */
1369 /* Append the MPFR 'R' floating type specifier (no length modifier
1370 is necessary or allowed by MPFR for mpfr_t values). */
1373 /* Save the position of the MPFR rounding specifier and skip over
1374 it. It will be set in each iteration in the loop below. */
1377 /* Append the C type specifier and nul-terminate. */
1382 {
1383 /* Use the MPFR rounding specifier to round down in the first
1384 iteration and then up. In most but not all cases this will
1385 result in the same number of bytes. */
1388 /* Format it and store the result in the corresponding
1389 member of the result struct. */
1391 }
1395 }
1398 }
1400 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
1401 strings referenced by the expression STR, or (-1, -1) when not known.
1402 Used by the format_string function below. */
1404 static fmtresult
1406 {
1408 {
1409 fmtresult res;
1415 }
1418 {
1419 /* Simply return the length of the string. */
1420 fmtresult res;
1425 }
1427 /* Determine the length of the shortest and longest string referenced
1428 by STR. Strings of unknown lengths are bounded by the sizes of
1429 arrays that subexpressions of STR may refer to. Pointers that
1430 aren't known to point any such arrays result in LENRANGE[1] set
1431 to SIZE_MAX. */
1436 {
1444 /* Set RES.BOUNDED to true if and only if all strings referenced
1445 by STR are known to be bounded (though not necessarily by their
1446 actual length but perhaps by their maximum possible length). */
1449 /* Set RES.CONSTANT to false even though that may be overly
1450 conservative in rare cases like: 'x ? a : b' where a and
1451 b have the same lengths and consist of the same characters. */
1454 }
1457 }
1459 /* Return the minimum and maximum number of characters formatted
1460 by the '%c' and '%s' format directives and ther wide character
1461 forms for the argument ARG. ARG can be null (for functions
1462 such as vsprinf). */
1464 static fmtresult
1466 {
1471 {
1476 }
1484 /* The maximum number of bytes for an unknown wide character argument
1485 to a "%lc" directive adjusted for precision but not field width. */
1486 const unsigned HOST_WIDE_INT max_bytes_for_unknown_wc
1491 /* The maximum number of bytes for an unknown string argument to either
1492 a "%s" or "%ls" directive adjusted for precision but not field width. */
1493 const unsigned HOST_WIDE_INT max_bytes_for_unknown_str
1498 /* The result is bounded unless overriddden for a non-constant string
1499 of an unknown length. */
1503 {
1505 {
1506 /* Positive if the argument is a wide NUL character? */
1510 /* A '%lc' directive is the same as '%ls' for a two element
1511 wide string character with the second element of NUL, so
1512 when the character is unknown the minimum number of bytes
1513 is the smaller of either 0 (at level 1) or 1 (at level 2)
1514 and WIDTH, and the maximum is MB_CUR_MAX in the selected
1515 locale, which is unfortunately, unknown. */
1519 }
1520 else
1521 {
1522 /* A plain '%c' directive. */
1526 }
1527 }
1529 {
1530 /* Compute the range the argument's length can be in. */
1533 {
1538 /* A '%s' directive with a string argument with constant length. */
1542 {
1544 {
1547 /* It's possible to be smarter about computing the maximum
1548 by scanning the wide string for any 8-bit characters and
1549 if it contains none, using its length for the maximum.
1550 Even though this would be simple to do it's unlikely to
1551 be worth it when dealing with wide characters. */
1553 }
1554 /* For a wide character string, use precision as the maximum
1555 even if precision is greater than the string length since
1556 the number of bytes the string converts to may be greater
1557 (due to MB_CUR_MAX). */
1560 }
1561 else
1565 {
1568 }
1569 }
1570 else
1571 {
1572 /* For a '%s' and '%ls' directive with a non-constant string,
1573 the minimum number of characters is the greater of WIDTH
1574 and either 0 in mode 1 or the smaller of PRECISION and 1
1575 in mode 2, and the maximum is PRECISION or -1 to disable
1576 tracking. */
1579 {
1586 }
1588 {
1592 }
1596 /* The output is considered bounded when a precision has been
1597 specified to limit the number of bytes or when the number
1598 of bytes is known or contrained to some range. */
1601 }
1602 }
1604 /* Adjust the lengths for field width. */
1611 /* Adjust BOUNDED if width happens to make them equal. */
1617 }
1619 /* Compute the length of the output resulting from the conversion
1620 specification SPEC with the argument ARG in a call described by INFO
1621 and update the overall result of the call in *RES. The format directive
1622 corresponding to SPEC starts at CVTBEG and is CVTLEN characters long. */
1624 static void
1628 {
1629 /* Offset of the beginning of the directive from the beginning
1630 of the format string. */
1633 /* Create a location for the whole directive from the % to the format
1634 specifier. */
1638 /* Also create a location range for the argument if possible.
1639 This doesn't work for integer literals or function calls. */
1640 source_range argrange;
1643 {
1646 }
1647 else
1650 /* Bail when there is no function to compute the output length,
1651 or when minimum length checking has been disabled. */
1655 /* Compute the (approximate) length of the formatted output. */
1658 /* The overall result is bounded only if the output of every
1659 directive is exact or bounded. */
1664 {
1665 /* Disable exact and maximum length checking after a failure
1666 to determine the maximum number of characters (for example
1667 for wide characters or wide character strings) but continue
1668 tracking the minimum number of characters. */
1671 }
1674 {
1675 /* Disable exact length checking after a failure to determine
1676 even the minimum number of characters (it shouldn't happen
1677 except in an error) but keep tracking the minimum and maximum
1678 number of characters. */
1681 }
1683 /* Compute the number of available bytes in the destination. There
1684 must always be at least one byte of space for the terminating
1685 NUL that's appended after the format string has been processed. */
1689 {
1690 /* The result is a range (i.e., it's inexact). */
1692 {
1696 {
1697 /* The minimum directive output is longer than there is
1698 room in the destination. */
1700 {
1710 navail);
1711 }
1712 else
1713 {
1717 "between %wu and %wu bytes into a region of "
1725 }
1726 }
1729 {
1730 /* The maximum directive output is longer than there is
1731 room in the destination and the output is either bounded
1732 or the warning level is greater than 1. */
1734 {
1745 }
1746 else
1747 {
1751 "writing between %wu and %wu bytes into a region "
1759 navail);
1760 }
1761 }
1766 {
1772 else
1776 }
1777 }
1779 /* Disable exact length checking but adjust the minimum and maximum. */
1786 }
1787 else
1788 {
1790 {
1807 navail);
1808 }
1810 }
1812 /* Has the minimum directive output length exceeded the maximum
1813 of 4095 bytes required to be supported? */
1820 {
1821 /* The directive output may be longer than the maximum required
1822 to be handled by an implementation according to 7.21.6.1, p15
1823 of C11. Warn on this only at level 2 but remember this and
1824 prevent folding the return value when done. This allows for
1825 the possibility of the actual libc call failing due to ENOMEM
1826 (like Glibc does under some conditions). */
1830 OPT_Wformat_length_,
1831 "%<%.*s%> directive output of %wu bytes exceeds "
1834 else
1835 {
1837 = (minunder4k
1847 }
1848 }
1850 /* Has the minimum directive output length exceeded INT_MAX? */
1854 && (exceedmin
1857 {
1858 /* The directive output causes the total length of output
1859 to exceed INT_MAX bytes. */
1863 OPT_Wformat_length_,
1864 "%<%.*s%> directive output of %wu bytes causes "
1867 else
1868 {
1870 = (exceedmin
1879 }
1880 }
1881 }
1883 /* Account for the number of bytes between BEG and END (or between
1884 BEG + strlen (BEG) when END is null) in the format string in a call
1885 to a formatted output function described by INFO. Reflect the count
1886 in RES and issue warnings as appropriate. */
1888 static void
1891 {
1895 /* The number of bytes to output is the number of bytes between
1896 the end of the last directive and the beginning of the next
1897 one if it exists, otherwise the number of characters remaining
1898 in the format string plus 1 for the terminating NUL. */
1901 /* Return if there are no bytes to add at this time but there are
1902 directives remaining in the format string. */
1906 /* Compute the range of available bytes in the destination. There
1907 must always be at least one byte left for the terminating NUL
1908 that's appended after the format string has been processed. */
1911 /* If issuing a diagnostic (only when one hasn't already been issued),
1912 distinguish between a possible overflow ("may write") and a certain
1913 overflow somewhere "past the end." (Ditto for truncation.) */
1918 {
1919 /* Set NAVAIL to the number of available bytes used to decide
1920 whether or not to issue a warning below. The exact kind of
1921 warning will depend on AVAIL_RANGE. */
1927 /* Compute the offset of the first format character that is beyond
1928 the end of the destination region and the length of the rest of
1929 the format string from that point on. */
1930 unsigned HOST_WIDE_INT off
1935 substring_loc loc
1939 /* Is the output of the last directive the result of the argument
1940 being within a range whose lower bound would fit in the buffer
1941 but the upper bound would not? If so, use the word "may" to
1942 indicate that the overflow/truncation may (but need not) happen. */
1943 bool boundrange
1948 {
1949 /* There is room for the rest of the format string but none
1950 for the terminating nul. */
1953 ? (boundrange
1956 : (boundrange
1963 }
1964 else
1965 {
1966 /* There isn't enough room for 1 or more characters that remain
1967 to copy from the format string. */
1970 ? (boundrange
1982 }
1983 }
1986 {
1987 /* If a warning has been issued for buffer overflow or truncation
1988 (but not otherwise) help the user figure out how big a buffer
1989 they need. */
1995 unsigned HOST_WIDE_INT exact
2001 "format output between %wu and %wu bytes into "
2004 else
2010 }
2012 /* Add the number of bytes and then check for INT_MAX overflow. */
2015 /* Has the minimum output length minus the terminating nul exceeded
2016 INT_MAX? */
2020 && (exceedmin
2023 {
2024 /* The function's output exceeds INT_MAX bytes. */
2026 /* Set NAVAIL to the number of available bytes used to decide
2027 whether or not to issue a warning below. The exact kind of
2028 warning will depend on AVAIL_RANGE. */
2034 /* Compute the offset of the first format character that is beyond
2035 the end of the destination region and the length of the rest of
2036 the format string from that point on. */
2043 substring_loc loc
2049 OPT_Wformat_length_,
2050 "output of %wu bytes causes "
2053 else
2054 {
2056 = (exceedmin
2062 text,
2065 }
2066 }
2067 }
2069 #pragma GCC diagnostic pop
2071 /* Compute the length of the output resulting from the call to a formatted
2072 output function described by INFO and store the result of the call in
2073 *RES. Issue warnings for detected past the end writes. */
2075 void
2078 {
2079 /* The variadic argument counter. */
2082 /* Reset exact, minimum, and maximum character counters. */
2085 /* No directive has been seen yet so the output is bounded and constant
2086 (with no conversion producing more than 4K bytes) until determined
2087 otherwise. */
2097 {
2098 /* The beginning of the next format directive. */
2101 /* Add the number of bytes between the end of the last directive
2102 and either the next if one exists, or the end of the format
2103 string. */
2112 {
2113 /* Incomplete directive. */
2115 }
2119 /* POSIX numbered argument index or zero when none. */
2123 {
2124 /* This could be either a POSIX positional argument, the '0'
2125 flag, or a width, depending on what follows. Store it as
2126 width and sort it out later after the next character has
2127 been seen. */
2132 }
2134 {
2135 /* Similarly to the block above, this could be either a POSIX
2136 positional argument or a width, depending on what follows. */
2139 else
2142 }
2145 {
2146 /* Handle the POSIX dollar sign which references the 1-based
2147 positional argument number. */
2154 /* Bail when the numbered argument is out of range (it will
2155 have already been diagnosed by -Wformat). */
2166 }
2169 {
2171 {
2172 /* The '0' that has been interpreted as a width above is
2173 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
2174 and continue processing other flags. */
2177 }
2178 /* When either '$' has been seen, or width has not been seen,
2179 the next field is the optional flags followed by an optional
2180 width. */
2183 {
2194 }
2195 }
2197 start_width:
2199 {
2204 }
2206 {
2209 }
2211 {
2212 /* The POSIX apostrophe indicating a numeric grouping
2213 in the current locale. Even though it's possible to
2214 estimate the upper bound on the size of the output
2215 based on the number of digits it probably isn't worth
2216 continuing. */
2218 }
2219 }
2222 {
2226 {
2231 }
2233 {
2236 }
2237 else
2239 }
2242 {
2245 {
2248 }
2249 else
2266 {
2269 }
2270 else
2284 }
2287 {
2288 /* Handle a sole '%' character the same as "%%" but since it's
2289 undefined prevent the result from being folded. */
2293 /* FALLTHRU */
2334 }
2338 /* Compute the length of the format directive. */
2341 /* Extract the argument if the directive takes one and if it's
2342 available (e.g., the function doesn't take a va_list). Treat
2343 missing arguments the same as va_list, even though they will
2344 have likely already been diagnosed by -Wformat. */
2351 }
2352 }
2354 /* Return the size of the object referenced by the expression DEST if
2355 available, or -1 otherwise. */
2357 static unsigned HOST_WIDE_INT
2359 {
2360 /* Use __builtin_object_size to determine the size of the destination
2361 object. When optimizing, determine the smallest object (such as
2362 a member array as opposed to the whole enclosing object), otherwise
2363 use type-zero object size to determine the size of the enclosing
2364 object (the function fails without optimization in this type). */
2371 }
2373 /* Given a suitable result RES of a call to a formatted output function
2374 described by INFO, substitute the result for the return value of
2375 the call. The result is suitable if the number of bytes it represents
2376 is known and exact. A result that isn't suitable for substitution may
2377 have its range set to the range of return values, if that is known. */
2379 static void
2383 {
2386 /* Avoid the return value optimization when the behavior of the call
2387 is undefined either because any directive may have produced 4K or
2388 more of output, or the return value exceeds INT_MAX, or because
2389 the output overflows the destination object (but leave it enabled
2390 when the function is bounded because then the behavior is well-
2391 defined). */
2395 {
2396 /* Replace the left-hand side of the call with the constant
2397 result of the formatted function minus 1 for the terminating
2398 NUL which the functions' return value does not include. */
2406 {
2415 }
2416 }
2417 else
2418 {
2427 {
2428 /* If the result is in a valid range bounded by the size of
2429 the destination set it so that it can be used for subsequent
2430 optimizations. */
2434 {
2437 }
2440 {
2445 }
2446 }
2449 {
2464 inbounds,
2467 else
2470 }
2471 }
2472 }
2474 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
2475 functions and if so, handle it. */
2477 void
2479 {
2489 /* The size of the destination as in snprintf(dest, size, ...). */
2492 /* The size of the destination determined by __builtin_object_size. */
2495 /* Buffer size argument number (snprintf and vsnprintf). */
2498 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
2501 /* Format string argument number (valid for all functions). */
2505 {
2507 // Signature:
2508 // __builtin_sprintf (dst, format, ...)
2514 // Signature:
2515 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
2522 // Signature:
2523 // __builtin_snprintf (dst, size, format, ...)
2531 // Signature:
2532 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
2541 // Signature:
2542 // __builtin_vsprintf (dst, size, format, va)
2550 // Signature:
2551 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
2560 // Signature:
2561 // __builtin_vsprintf (dst, format, va)
2567 // Signature:
2568 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
2576 }
2581 {
2582 // For non-bounded functions like sprintf, to determine
2583 // the size of the destination from the object or pointer
2584 // passed to it as the first argument.
2586 }
2588 {
2589 /* For bounded functions try to get the size argument. */
2592 {
2594 /* No object can be larger than HOST_WIDE_INT_MAX bytes
2595 (half the address space). This imposes a limit that's
2596 one byte less than that. */
2600 dstsize);
2601 }
2603 {
2604 /* Try to determine the range of values of the argument
2605 and use the greater of the two at -Wformat-level 1 and
2606 the smaller of them at level 2. */
2608 enum value_range_type range_type
2611 {
2612 dstsize
2616 }
2617 }
2618 }
2621 {
2625 }
2628 {
2629 /* As a special case, when the explicitly specified destination
2630 size argument (to a bounded function like snprintf) is zero
2631 it is a request to determine the number of bytes on output
2632 without actually producing any. Pretend the size is
2633 unlimited in this case. */
2635 }
2636 else
2637 {
2638 /* Set the object size to the smaller of the two arguments
2639 of both have been specified and they're not equal. */
2644 {
2646 "specified size %wu exceeds the size %wu "
2648 }
2649 }
2652 {
2653 /* This is diagnosed with -Wformat only when the null is a constant
2654 pointer. The warning here diagnoses instances where the pointer
2655 is not constant. */
2659 }
2665 /* The result is the number of bytes output by the formatted function,
2666 including the terminating NUL. */
2670 /* When optimizing and the printf return value optimization is enabled,
2671 attempt to substitute the computed result for the return value of
2672 the call. Avoid this optimization when -frounding-math is in effect
2673 and the format string contains a floating point directive. */
2675 && flag_printf_return_value
2678 }
2680 /* Execute the pass for function FUN. */
2682 unsigned int
2684 {
2685 basic_block bb;
2687 {
2690 {
2691 /* Iterate over statements, looking for function calls. */
2696 }
2697 }
2700 }
2704 /* Return a pointer to a pass object newly constructed from the context
2705 CTXT. */
2707 gimple_opt_pass *
2709 {
2711 }