1 /* Copyright (C) 2016 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
50 #include "coretypes.h"
54 #include "tree-pass.h"
56 #include "gimple-fold.h"
57 #include "gimple-pretty-print.h"
58 #include "diagnostic-core.h"
59 #include "fold-const.h"
60 #include "gimple-iterator.h"
62 #include "tree-object-size.h"
70 #include "stor-layout.h"
74 #include "targhooks.h"
79 #include "substring-locations.h"
80 #include "diagnostic.h"
84 const pass_data pass_data_sprintf_length
= {
85 GIMPLE_PASS
, // pass type
86 "printf-return-value", // pass name
87 OPTGROUP_NONE
, // optinfo_flags
89 PROP_cfg
, // properties_required
90 0, // properties_provided
91 0, // properties_destroyed
92 0, // properties_start
93 0, // properties_finish
98 class pass_sprintf_length
: public gimple_opt_pass
100 bool fold_return_value
;
103 pass_sprintf_length (gcc::context
*ctxt
)
104 : gimple_opt_pass (pass_data_sprintf_length
, ctxt
),
105 fold_return_value (false)
108 opt_pass
* clone () { return new pass_sprintf_length (m_ctxt
); }
110 virtual bool gate (function
*);
112 virtual unsigned int execute (function
*);
114 void set_pass_param (unsigned int n
, bool param
)
117 fold_return_value
= param
;
120 void handle_gimple_call (gimple_stmt_iterator
);
123 void compute_format_length (const call_info
&, format_result
*);
127 pass_sprintf_length::gate (function
*)
129 /* Run the pass iff -Warn-format-length is specified and either
130 not optimizing and the pass is being invoked early, or when
131 optimizing and the pass is being invoked during optimization
133 return ((warn_format_length
> 0 || flag_printf_return_value
)
134 && (optimize
> 0) == fold_return_value
);
137 /* The result of a call to a formatted function. */
141 /* Number of characters written by the formatted function, exact,
142 minimum and maximum when an exact number cannot be determined.
143 Setting the minimum to HOST_WIDE_INT_MAX disables all length
144 tracking for the remainder of the format string.
145 Setting either of the other two members to HOST_WIDE_INT_MAX
146 disables the exact or maximum length tracking, respectively,
147 but continues to track the maximum. */
148 unsigned HOST_WIDE_INT number_chars
;
149 unsigned HOST_WIDE_INT number_chars_min
;
150 unsigned HOST_WIDE_INT number_chars_max
;
152 /* True when the range given by NUMBER_CHARS_MIN and NUMBER_CHARS_MAX
153 is the output of all directives determined to be bounded to some
154 subrange of their types or possible lengths, false otherwise.
155 Note that BOUNDED only implies that the length of a function's
156 output is known to be within some range, not that it's constant
157 and a candidate for folding. */
160 /* True when the output of the formatted call is constant (and
161 thus a candidate for string constant folding). This is rare
162 and typically requires that the arguments of all directives
163 are also constant. Constant implies bounded. */
166 /* True if no individual directive resulted in more than 4095 bytes
167 of output (the total NUMBER_CHARS might be greater). */
170 /* True when a floating point directive has been seen in the format
174 /* True when an intermediate result has caused a warning. Used to
175 avoid issuing duplicate warnings while finishing the processing
179 /* Preincrement the number of output characters by 1. */
180 format_result
& operator++ ()
185 /* Postincrement the number of output characters by 1. */
186 format_result
operator++ (int)
188 format_result
prev (*this);
193 /* Increment the number of output characters by N. */
194 format_result
& operator+= (unsigned HOST_WIDE_INT n
)
196 gcc_assert (n
< HOST_WIDE_INT_MAX
);
198 if (number_chars
< HOST_WIDE_INT_MAX
)
200 if (number_chars_min
< HOST_WIDE_INT_MAX
)
201 number_chars_min
+= n
;
202 if (number_chars_max
< HOST_WIDE_INT_MAX
)
203 number_chars_max
+= n
;
208 /* Return the value of INT_MIN for the target. */
213 const unsigned HOST_WIDE_INT int_min
214 = HOST_WIDE_INT_M1U
<< (TYPE_PRECISION (integer_type_node
) - 1);
219 /* Return the value of INT_MAX for the target. */
221 static unsigned HOST_WIDE_INT
224 const unsigned HOST_WIDE_INT int_max
225 = HOST_WIDE_INT_M1U
>> (HOST_BITS_PER_WIDE_INT
226 - TYPE_PRECISION (integer_type_node
) + 1);
230 /* Return the constant initial value of DECL if available or DECL
231 otherwise. Same as the synonymous function in c/c-typeck.c. */
234 decl_constant_value (tree decl
)
236 if (/* Don't change a variable array bound or initial value to a constant
237 in a place where a variable is invalid. Note that DECL_INITIAL
238 isn't valid for a PARM_DECL. */
239 current_function_decl
!= 0
240 && TREE_CODE (decl
) != PARM_DECL
241 && !TREE_THIS_VOLATILE (decl
)
242 && TREE_READONLY (decl
)
243 && DECL_INITIAL (decl
) != 0
244 && TREE_CODE (DECL_INITIAL (decl
)) != ERROR_MARK
245 /* This is invalid if initial value is not constant.
246 If it has either a function call, a memory reference,
247 or a variable, then re-evaluating it could give different results. */
248 && TREE_CONSTANT (DECL_INITIAL (decl
))
249 /* Check for cases where this is sub-optimal, even though valid. */
250 && TREE_CODE (DECL_INITIAL (decl
)) != CONSTRUCTOR
)
251 return DECL_INITIAL (decl
);
255 /* Given FORMAT, set *PLOC to the source location of the format string
256 and return the format string if it is known or null otherwise. */
259 get_format_string (tree format
, location_t
*ploc
)
263 /* Pull out a constant value if the front end didn't. */
264 format
= decl_constant_value (format
);
268 if (integer_zerop (format
))
270 /* FIXME: Diagnose null format string if it hasn't been diagnosed
271 by -Wformat (the latter diagnoses only nul pointer constants,
272 this pass can do better). */
276 HOST_WIDE_INT offset
= 0;
278 if (TREE_CODE (format
) == POINTER_PLUS_EXPR
)
280 tree arg0
= TREE_OPERAND (format
, 0);
281 tree arg1
= TREE_OPERAND (format
, 1);
285 if (TREE_CODE (arg1
) != INTEGER_CST
)
290 /* POINTER_PLUS_EXPR offsets are to be interpreted signed. */
291 if (!cst_and_fits_in_hwi (arg1
))
294 offset
= int_cst_value (arg1
);
297 if (TREE_CODE (format
) != ADDR_EXPR
)
300 *ploc
= EXPR_LOC_OR_LOC (format
, input_location
);
302 format
= TREE_OPERAND (format
, 0);
304 if (TREE_CODE (format
) == ARRAY_REF
305 && tree_fits_shwi_p (TREE_OPERAND (format
, 1))
306 && (offset
+= tree_to_shwi (TREE_OPERAND (format
, 1))) >= 0)
307 format
= TREE_OPERAND (format
, 0);
313 tree array_size
= NULL_TREE
;
316 && TREE_CODE (TREE_TYPE (format
)) == ARRAY_TYPE
317 && (array_init
= decl_constant_value (format
)) != format
318 && TREE_CODE (array_init
) == STRING_CST
)
320 /* Extract the string constant initializer. Note that this may
321 include a trailing NUL character that is not in the array (e.g.
322 const char a[3] = "foo";). */
323 array_size
= DECL_SIZE_UNIT (format
);
327 if (TREE_CODE (format
) != STRING_CST
)
330 if (TYPE_MAIN_VARIANT (TREE_TYPE (TREE_TYPE (format
))) != char_type_node
)
332 /* Wide format string. */
336 const char *fmtstr
= TREE_STRING_POINTER (format
);
337 unsigned fmtlen
= TREE_STRING_LENGTH (format
);
341 /* Variable length arrays can't be initialized. */
342 gcc_assert (TREE_CODE (array_size
) == INTEGER_CST
);
344 if (tree_fits_shwi_p (array_size
))
346 HOST_WIDE_INT array_size_value
= tree_to_shwi (array_size
);
347 if (array_size_value
> 0
348 && array_size_value
== (int) array_size_value
349 && fmtlen
> array_size_value
)
350 fmtlen
= array_size_value
;
355 if (offset
>= fmtlen
)
362 if (fmtlen
< 1 || fmtstr
[--fmtlen
] != 0)
364 /* FIXME: Diagnose an unterminated format string if it hasn't been
365 diagnosed by -Wformat. Similarly to a null format pointer,
366 -Wformay diagnoses only nul pointer constants, this pass can
374 /* The format_warning_at_substring function is not used here in a way
375 that makes using attribute format viable. Suppress the warning. */
377 #pragma GCC diagnostic push
378 #pragma GCC diagnostic ignored "-Wsuggest-attribute=format"
380 /* For convenience and brevity. */
383 (* const fmtwarn
) (const substring_loc
&, const source_range
*,
384 const char *, int, const char *, ...)
385 = format_warning_at_substring
;
387 /* Format length modifiers. */
392 FMT_LEN_hh
, // char argument
395 FMT_LEN_ll
, // long long
396 FMT_LEN_L
, // long double (and GNU long long)
398 FMT_LEN_t
, // ptrdiff_t
399 FMT_LEN_j
// intmax_t
403 /* A minimum and maximum number of bytes. */
407 unsigned HOST_WIDE_INT min
, max
;
410 /* Description of the result of conversion either of a single directive
411 or the whole format string. */
415 /* The range a directive's argument is in. */
418 /* The minimum and maximum number of bytes that a directive
419 results in on output for an argument in the range above. */
422 /* True when the range is the result of an argument determined
423 to be bounded to a subrange of its type or value (such as by
424 value range propagation or the width of the formt directive),
427 /* True when the output of a directive is constant. This is rare
428 and typically requires that the argument(s) of the directive
429 are also constant (such as determined by constant propagation,
430 though not value range propagation). */
434 /* Description of a conversion specification. */
436 struct conversion_spec
438 /* A bitmap of flags, one for each character. */
439 unsigned flags
[256 / sizeof (int)];
440 /* Numeric width as in "%8x". */
442 /* Numeric precision as in "%.32s". */
445 /* Width specified via the '*' character. */
447 /* Precision specified via the asterisk. */
450 /* Length modifier. */
451 format_lengths modifier
;
453 /* Format specifier character. */
456 /* Numeric width was given. */
457 unsigned have_width
: 1;
458 /* Numeric precision was given. */
459 unsigned have_precision
: 1;
460 /* Non-zero when certain flags should be interpreted even for a directive
461 that normally doesn't accept them (used when "%p" with flags such as
462 space or plus is interepreted as a "%x". */
463 unsigned force_flags
: 1;
465 /* Format conversion function that given a conversion specification
466 and an argument returns the formatting result. */
467 fmtresult (*fmtfunc
) (const conversion_spec
&, tree
);
469 /* Return True when a the format flag CHR has been used. */
470 bool get_flag (char chr
) const
472 unsigned char c
= chr
& 0xff;
473 return (flags
[c
/ (CHAR_BIT
* sizeof *flags
)]
474 & (1U << (c
% (CHAR_BIT
* sizeof *flags
))));
477 /* Make a record of the format flag CHR having been used. */
478 void set_flag (char chr
)
480 unsigned char c
= chr
& 0xff;
481 flags
[c
/ (CHAR_BIT
* sizeof *flags
)]
482 |= (1U << (c
% (CHAR_BIT
* sizeof *flags
)));
485 /* Reset the format flag CHR. */
486 void clear_flag (char chr
)
488 unsigned char c
= chr
& 0xff;
489 flags
[c
/ (CHAR_BIT
* sizeof *flags
)]
490 &= ~(1U << (c
% (CHAR_BIT
* sizeof *flags
)));
494 /* Return the logarithm of X in BASE. */
497 ilog (unsigned HOST_WIDE_INT x
, int base
)
508 /* Return the number of bytes resulting from converting into a string
509 the INTEGER_CST tree node X in BASE. PLUS indicates whether 1 for
510 a plus sign should be added for positive numbers, and PREFIX whether
511 the length of an octal ('O') or hexadecimal ('0x') prefix should be
512 added for nonzero numbers. Return -1 if X cannot be represented. */
515 tree_digits (tree x
, int base
, bool plus
, bool prefix
)
517 unsigned HOST_WIDE_INT absval
;
521 if (TYPE_UNSIGNED (TREE_TYPE (x
)))
523 if (tree_fits_uhwi_p (x
))
525 absval
= tree_to_uhwi (x
);
533 if (tree_fits_shwi_p (x
))
535 HOST_WIDE_INT i
= tree_to_shwi (x
);
551 res
+= ilog (absval
, base
);
553 if (prefix
&& absval
)
564 /* Given the formatting result described by RES and NAVAIL, the number
565 of available in the destination, return the number of bytes remaining
566 in the destination. */
568 static inline result_range
569 bytes_remaining (unsigned HOST_WIDE_INT navail
, const format_result
&res
)
573 if (HOST_WIDE_INT_MAX
<= navail
)
575 range
.min
= range
.max
= navail
;
579 if (res
.number_chars
< navail
)
581 range
.min
= range
.max
= navail
- res
.number_chars
;
583 else if (res
.number_chars_min
< navail
)
585 range
.max
= navail
- res
.number_chars_min
;
590 if (res
.number_chars_max
< navail
)
591 range
.min
= navail
- res
.number_chars_max
;
598 /* Given the formatting result described by RES and NAVAIL, the number
599 of available in the destination, return the minimum number of bytes
600 remaining in the destination. */
602 static inline unsigned HOST_WIDE_INT
603 min_bytes_remaining (unsigned HOST_WIDE_INT navail
, const format_result
&res
)
605 if (HOST_WIDE_INT_MAX
<= navail
)
608 if (1 < warn_format_length
|| res
.bounded
)
610 /* At level 2, or when all directives output an exact number
611 of bytes or when their arguments were bounded by known
612 ranges, use the greater of the two byte counters if it's
613 valid to compute the result. */
614 if (res
.number_chars_max
< HOST_WIDE_INT_MAX
)
615 navail
-= res
.number_chars_max
;
616 else if (res
.number_chars
< HOST_WIDE_INT_MAX
)
617 navail
-= res
.number_chars
;
618 else if (res
.number_chars_min
< HOST_WIDE_INT_MAX
)
619 navail
-= res
.number_chars_min
;
623 /* At level 1 use the smaller of the byte counters to compute
625 if (res
.number_chars
< HOST_WIDE_INT_MAX
)
626 navail
-= res
.number_chars
;
627 else if (res
.number_chars_min
< HOST_WIDE_INT_MAX
)
628 navail
-= res
.number_chars_min
;
629 else if (res
.number_chars_max
< HOST_WIDE_INT_MAX
)
630 navail
-= res
.number_chars_max
;
633 if (navail
> HOST_WIDE_INT_MAX
)
639 /* Description of a call to a formatted function. */
641 struct pass_sprintf_length::call_info
643 /* Function call statement. */
646 /* Function called. */
649 /* Called built-in function code. */
650 built_in_function fncode
;
652 /* Format argument and format string extracted from it. */
656 /* The location of the format argument. */
659 /* The destination object size for __builtin___xxx_chk functions
660 typically determined by __builtin_object_size, or -1 if unknown. */
661 unsigned HOST_WIDE_INT objsize
;
663 /* Number of the first variable argument. */
664 unsigned HOST_WIDE_INT argidx
;
666 /* True for functions like snprintf that specify the size of
667 the destination, false for others like sprintf that don't. */
671 /* Return the result of formatting the '%%' directive. */
674 format_percent (const conversion_spec
&, tree
)
677 res
.argmin
= res
.argmax
= NULL_TREE
;
678 res
.range
.min
= res
.range
.max
= 1;
679 res
.bounded
= res
.constant
= true;
684 /* Ugh. Compute intmax_type_node and uintmax_type_node the same way
685 lto/lto-lang.c does it. This should be available in tree.h. */
688 build_intmax_type_nodes (tree
*pintmax
, tree
*puintmax
)
690 if (strcmp (SIZE_TYPE
, "unsigned int") == 0)
692 *pintmax
= integer_type_node
;
693 *puintmax
= unsigned_type_node
;
695 else if (strcmp (SIZE_TYPE
, "long unsigned int") == 0)
697 *pintmax
= long_integer_type_node
;
698 *puintmax
= long_unsigned_type_node
;
700 else if (strcmp (SIZE_TYPE
, "long long unsigned int") == 0)
702 *pintmax
= long_long_integer_type_node
;
703 *puintmax
= long_long_unsigned_type_node
;
707 for (int i
= 0; i
< NUM_INT_N_ENTS
; i
++)
708 if (int_n_enabled_p
[i
])
711 sprintf (name
, "__int%d unsigned", int_n_data
[i
].bitsize
);
713 if (strcmp (name
, SIZE_TYPE
) == 0)
715 *pintmax
= int_n_trees
[i
].signed_type
;
716 *puintmax
= int_n_trees
[i
].unsigned_type
;
723 format_integer (const conversion_spec
&, tree
);
725 /* Return a range representing the minimum and maximum number of bytes
726 that the conversion specification SPEC will write on output for the
727 pointer argument ARG when non-null. ARG may be null (for vararg
731 format_pointer (const conversion_spec
&spec
, tree arg
)
733 fmtresult res
= fmtresult ();
735 /* Determine the target's integer format corresponding to "%p". */
737 const char *pfmt
= targetm
.printf_pointer_format (arg
, &flags
);
740 /* The format couldn't be determined. */
741 res
.range
.min
= res
.range
.max
= HOST_WIDE_INT_M1U
;
747 /* Format the pointer using the integer format string. */
748 conversion_spec pspec
= spec
;
750 /* Clear flags that are not listed as recognized. */
751 for (const char *pf
= "+ #0"; *pf
; ++pf
)
753 if (!strchr (flags
, *pf
))
754 pspec
.clear_flag (*pf
);
757 /* Set flags that are specified in the format string. */
763 case '+': case ' ': case '#': case '0':
764 pspec
.set_flag (*pfmt
);
772 /* Set the appropriate length modifier taking care to clear
773 the one that may be set (Glibc's %p accepts but ignores all
774 the integer length modifiers). */
777 case 'l': pspec
.modifier
= FMT_LEN_l
; ++pfmt
; break;
778 case 't': pspec
.modifier
= FMT_LEN_t
; ++pfmt
; break;
779 case 'z': pspec
.modifier
= FMT_LEN_z
; ++pfmt
; break;
780 default: pspec
.modifier
= FMT_LEN_none
;
783 pspec
.force_flags
= 1;
784 pspec
.specifier
= *pfmt
++;
785 gcc_assert (*pfmt
== '\0');
786 return format_integer (pspec
, arg
);
789 /* The format is a plain string such as Glibc's "(nil)". */
790 res
.range
.min
= res
.range
.max
= strlen (pfmt
);
794 /* Return a range representing the minimum and maximum number of bytes
795 that the conversion specification SPEC will write on output for the
796 integer argument ARG when non-null. ARG may be null (for vararg
800 format_integer (const conversion_spec
&spec
, tree arg
)
802 /* These are available as macros in the C and C++ front ends but,
804 static tree intmax_type_node
;
805 static tree uintmax_type_node
;
807 /* Initialize the intmax nodes above the first time through here. */
808 if (!intmax_type_node
)
809 build_intmax_type_nodes (&intmax_type_node
, &uintmax_type_node
);
811 /* Set WIDTH and PRECISION to either the values in the format
812 specification or to zero. */
813 int width
= spec
.have_width
? spec
.width
: 0;
814 int prec
= spec
.have_precision
? spec
.precision
: 0;
817 width
= (TREE_CODE (spec
.star_width
) == INTEGER_CST
818 ? tree_to_shwi (spec
.star_width
) : 0);
820 if (spec
.star_precision
)
821 prec
= (TREE_CODE (spec
.star_precision
) == INTEGER_CST
822 ? tree_to_shwi (spec
.star_precision
) : 0);
824 bool sign
= spec
.specifier
== 'd' || spec
.specifier
== 'i';
826 /* The type of the "formal" argument expected by the directive. */
827 tree dirtype
= NULL_TREE
;
829 /* Determine the expected type of the argument from the length
831 switch (spec
.modifier
)
834 if (spec
.specifier
== 'p')
835 dirtype
= ptr_type_node
;
837 dirtype
= sign
? integer_type_node
: unsigned_type_node
;
841 dirtype
= sign
? short_integer_type_node
: short_unsigned_type_node
;
845 dirtype
= sign
? signed_char_type_node
: unsigned_char_type_node
;
849 dirtype
= sign
? long_integer_type_node
: long_unsigned_type_node
;
855 ? long_long_integer_type_node
856 : long_long_unsigned_type_node
);
860 dirtype
= sign
? ptrdiff_type_node
: size_type_node
;
864 dirtype
= sign
? ptrdiff_type_node
: size_type_node
;
868 dirtype
= sign
? intmax_type_node
: uintmax_type_node
;
873 fmtresult res
= fmtresult ();
874 res
.range
.min
= HOST_WIDE_INT_MAX
;
875 res
.range
.max
= HOST_WIDE_INT_MAX
;
877 res
.constant
= false;
882 /* The type of the argument to the directive, either deduced from
883 the actual non-constant argument if one is known, or from
884 the directive itself when none has been provided because it's
886 tree argtype
= NULL_TREE
;
890 /* When the argument has not been provided, use the type of
891 the directive's argument as an approximation. This will
892 result in false positives for directives like %i with
893 arguments with smaller precision (such as short or char). */
896 else if (TREE_CODE (arg
) == INTEGER_CST
)
898 /* The minimum and maximum number of bytes produced by
900 fmtresult res
= fmtresult ();
902 /* When a constant argument has been provided use its value
903 rather than type to determine the length of the output. */
907 /* Base to format the number in. */
910 /* True when a signed conversion is preceded by a sign or space. */
913 switch (spec
.specifier
)
917 /* Space is only effective for signed conversions. */
918 maybesign
= spec
.get_flag (' ');
922 maybesign
= spec
.force_flags
? spec
.get_flag (' ') : false;
926 maybesign
= spec
.force_flags
? spec
.get_flag (' ') : false;
931 maybesign
= spec
.force_flags
? spec
.get_flag (' ') : false;
938 /* Convert the argument to the type of the directive. */
939 arg
= fold_convert (dirtype
, arg
);
941 maybesign
|= spec
.get_flag ('+');
943 /* True when a conversion is preceded by a prefix indicating the base
944 of the argument (octal or hexadecimal). */
945 bool maybebase
= spec
.get_flag ('#');
946 int len
= tree_digits (arg
, base
, maybesign
, maybebase
);
955 res
.range
.min
= res
.range
.max
;
960 else if (TREE_CODE (TREE_TYPE (arg
)) == INTEGER_TYPE
961 || TREE_CODE (TREE_TYPE (arg
)) == POINTER_TYPE
)
963 /* Determine the type of the provided non-constant argument. */
964 if (TREE_CODE (arg
) == NOP_EXPR
)
965 arg
= TREE_OPERAND (arg
, 0);
966 else if (TREE_CODE (arg
) == CONVERT_EXPR
)
967 arg
= TREE_OPERAND (arg
, 0);
968 if (TREE_CODE (arg
) == COMPONENT_REF
)
969 arg
= TREE_OPERAND (arg
, 1);
971 argtype
= TREE_TYPE (arg
);
975 /* Don't bother with invalid arguments since they likely would
976 have already been diagnosed, and disable any further checking
977 of the format string by returning [-1, -1]. */
978 fmtresult res
= fmtresult ();
979 res
.range
.min
= res
.range
.max
= HOST_WIDE_INT_M1U
;
983 fmtresult res
= fmtresult ();
985 /* Using either the range the non-constant argument is in, or its
986 type (either "formal" or actual), create a range of values that
987 constrain the length of output given the warning level. */
988 tree argmin
= NULL_TREE
;
989 tree argmax
= NULL_TREE
;
991 if (arg
&& TREE_CODE (arg
) == SSA_NAME
992 && TREE_CODE (argtype
) == INTEGER_TYPE
)
994 /* Try to determine the range of values of the integer argument
995 (range information is not available for pointers). */
997 enum value_range_type range_type
= get_range_info (arg
, &min
, &max
);
998 if (range_type
== VR_RANGE
)
1000 res
.argmin
= build_int_cst (argtype
, wi::fits_uhwi_p (min
)
1001 ? min
.to_uhwi () : min
.to_shwi ());
1002 res
.argmax
= build_int_cst (argtype
, wi::fits_uhwi_p (max
)
1003 ? max
.to_uhwi () : max
.to_shwi ());
1005 /* For a range with a negative lower bound and a non-negative
1006 upper bound, use one to determine the minimum number of bytes
1007 on output and whichever of the two bounds that results in
1008 the greater number of bytes on output for the upper bound.
1009 For example, for ARG in the range of [-3, 123], use 123 as
1010 the upper bound for %i but -3 for %u. */
1011 if (wi::neg_p (min
) && !wi::neg_p (max
))
1013 argmin
= build_int_cst (argtype
, wi::fits_uhwi_p (min
)
1014 ? min
.to_uhwi () : min
.to_shwi ());
1016 argmax
= build_int_cst (argtype
, wi::fits_uhwi_p (max
)
1017 ? max
.to_uhwi () : max
.to_shwi ());
1019 int minbytes
= format_integer (spec
, res
.argmin
).range
.min
;
1020 int maxbytes
= format_integer (spec
, res
.argmax
).range
.max
;
1021 if (maxbytes
< minbytes
)
1022 argmax
= res
.argmin
;
1024 argmin
= integer_zero_node
;
1028 argmin
= res
.argmin
;
1029 argmax
= res
.argmax
;
1032 /* The argument is bounded by the range of values determined
1033 by Value Range Propagation. */
1036 else if (range_type
== VR_ANTI_RANGE
)
1038 /* Handle anti-ranges if/when bug 71690 is resolved. */
1040 else if (range_type
== VR_VARYING
)
1042 /* The argument here may be the result of promoting the actual
1043 argument to int. Try to determine the type of the actual
1044 argument before promotion and narrow down its range that
1046 gimple
*def
= SSA_NAME_DEF_STMT (arg
);
1047 if (is_gimple_assign (def
))
1049 tree_code code
= gimple_assign_rhs_code (def
);
1050 if (code
== NOP_EXPR
)
1051 argtype
= TREE_TYPE (gimple_assign_rhs1 (def
));
1058 /* For an unknown argument (e.g., one passed to a vararg function)
1059 or one whose value range cannot be determined, create a T_MIN
1060 constant if the argument's type is signed and T_MAX otherwise,
1061 and use those to compute the range of bytes that the directive
1063 argmin
= build_int_cst (argtype
, 1);
1065 int typeprec
= TYPE_PRECISION (dirtype
);
1066 int argprec
= TYPE_PRECISION (argtype
);
1068 if (argprec
< typeprec
|| POINTER_TYPE_P (argtype
))
1070 if (TYPE_UNSIGNED (argtype
))
1071 argmax
= build_all_ones_cst (argtype
);
1073 argmax
= fold_build2 (LSHIFT_EXPR
, argtype
, integer_one_node
,
1074 build_int_cst (integer_type_node
,
1079 argmax
= fold_build2 (LSHIFT_EXPR
, dirtype
, integer_one_node
,
1080 build_int_cst (integer_type_node
,
1083 res
.argmin
= argmin
;
1084 res
.argmax
= argmax
;
1087 /* Recursively compute the minimum and maximum from the known range,
1088 taking care to swap them if the lower bound results in longer
1089 output than the upper bound (e.g., in the range [-1, 0]. */
1090 res
.range
.min
= format_integer (spec
, argmin
).range
.min
;
1091 res
.range
.max
= format_integer (spec
, argmax
).range
.max
;
1093 /* The result is bounded either when the argument is determined to be
1094 (e.g., when it's within some range) or when the minimum and maximum
1095 are the same. That can happen here for example when the specified
1096 width is as wide as the greater of MIN and MAX, as would be the case
1097 with sprintf (d, "%08x", x) with a 32-bit integer x. */
1098 res
.bounded
|= res
.range
.min
== res
.range
.max
;
1100 if (res
.range
.max
< res
.range
.min
)
1102 unsigned HOST_WIDE_INT tmp
= res
.range
.max
;
1103 res
.range
.max
= res
.range
.min
;
1104 res
.range
.min
= tmp
;
1110 /* Return the number of bytes to format using the format specifier
1111 SPEC the largest value in the real floating TYPE. */
1114 format_floating_max (tree type
, char spec
)
1116 machine_mode mode
= TYPE_MODE (type
);
1118 /* IBM Extended mode. */
1119 if (MODE_COMPOSITE_P (mode
))
1122 /* Get the real type format desription for the target. */
1123 const real_format
*rfmt
= REAL_MODE_FORMAT (mode
);
1128 get_max_float (rfmt
, buf
, sizeof buf
);
1129 real_from_string (&rv
, buf
);
1132 /* Convert the GCC real value representation with the precision
1133 of the real type to the mpfr_t format with the GCC default
1134 round-to-nearest mode. */
1136 mpfr_init2 (x
, rfmt
->p
);
1137 mpfr_from_real (x
, &rv
, GMP_RNDN
);
1139 const char fmt
[] = { '%', 'R', spec
, '\0' };
1140 int n
= mpfr_snprintf (NULL
, 0, fmt
, x
);
1144 /* Return a range representing the minimum and maximum number of bytes
1145 that the conversion specification SPEC will output for any argument
1146 given the WIDTH and PRECISION (extracted from SPEC). This function
1147 is used when the directive argument or its value isn't known. */
1150 format_floating (const conversion_spec
&spec
, int width
, int prec
)
1155 switch (spec
.modifier
)
1159 type
= double_type_node
;
1163 type
= long_double_type_node
;
1168 type
= long_double_type_node
;
1174 fmtresult res
= fmtresult ();
1175 res
.range
.min
= HOST_WIDE_INT_MAX
;
1176 res
.range
.max
= HOST_WIDE_INT_MAX
;
1177 res
.bounded
= false;
1178 res
.constant
= false;
1183 /* The minimum and maximum number of bytes produced by the directive. */
1184 fmtresult res
= fmtresult ();
1185 res
.constant
= false;
1187 /* Log10 of of the maximum number of exponent digits for the type. */
1190 if (REAL_MODE_FORMAT (TYPE_MODE (type
))->b
== 2)
1192 /* The base in which the exponent is represented should always
1195 const double log10_2
= .30102999566398119521;
1197 /* Compute T_MAX_EXP for base 2. */
1198 int expdigs
= REAL_MODE_FORMAT (TYPE_MODE (type
))->emax
* log10_2
;
1199 logexpdigs
= ilog (expdigs
, 10);
1202 switch (spec
.specifier
)
1207 /* The minimum output is "0x.p+0". */
1208 res
.range
.min
= 6 + (prec
> 0 ? prec
: 0);
1210 /* Compute the maximum just once. */
1211 static const int a_max
[] = {
1212 format_floating_max (double_type_node
, 'a'),
1213 format_floating_max (long_double_type_node
, 'a')
1215 res
.range
.max
= a_max
[ldbl
];
1222 bool sign
= spec
.get_flag ('+') || spec
.get_flag (' ');
1223 /* The minimum output is "[-+]1.234567e+00" regardless
1224 of the value of the actual argument. */
1225 res
.range
.min
= (sign
1226 + 1 /* unit */ + (prec
< 0 ? 7 : prec
? prec
+ 1 : 0)
1228 /* The maximum output is the minimum plus sign (unless already
1229 included), plus the difference between the minimum exponent
1230 of 2 and the maximum exponent for the type. */
1231 res
.range
.max
= res
.range
.min
+ !sign
+ logexpdigs
- 2;
1238 /* The minimum output is "1.234567" regardless of the value
1239 of the actual argument. */
1240 res
.range
.min
= 2 + (prec
< 0 ? 6 : prec
);
1242 /* Compute the maximum just once. */
1243 static const int f_max
[] = {
1244 format_floating_max (double_type_node
, 'f'),
1245 format_floating_max (long_double_type_node
, 'f')
1247 res
.range
.max
= f_max
[ldbl
];
1253 /* The minimum is the same as for '%F'. */
1254 res
.range
.min
= 2 + (prec
< 0 ? 6 : prec
);
1256 /* Compute the maximum just once. */
1257 static const int g_max
[] = {
1258 format_floating_max (double_type_node
, 'g'),
1259 format_floating_max (long_double_type_node
, 'g')
1261 res
.range
.max
= g_max
[ldbl
];
1267 fmtresult res
= fmtresult ();
1268 res
.range
.min
= HOST_WIDE_INT_MAX
;
1269 res
.range
.max
= HOST_WIDE_INT_MAX
;
1270 res
.bounded
= false;
1271 res
.constant
= false;
1278 if (res
.range
.min
< (unsigned)width
)
1279 res
.range
.min
= width
;
1280 if (res
.range
.max
< (unsigned)width
)
1281 res
.range
.max
= width
;
1284 /* The argument is only considered bounded when the range of output
1286 res
.bounded
= res
.range
.min
== res
.range
.max
;
1290 /* Return a range representing the minimum and maximum number of bytes
1291 that the conversion specification SPEC will write on output for the
1292 floating argument ARG. */
1295 format_floating (const conversion_spec
&spec
, tree arg
)
1300 /* The minimum and maximum number of bytes produced by the directive. */
1301 fmtresult res
= fmtresult ();
1302 res
.constant
= arg
&& TREE_CODE (arg
) == REAL_CST
;
1304 if (spec
.have_width
)
1306 else if (spec
.star_width
)
1308 if (TREE_CODE (spec
.star_width
) == INTEGER_CST
)
1309 width
= tree_to_shwi (spec
.star_width
);
1312 res
.range
.min
= res
.range
.max
= HOST_WIDE_INT_M1U
;
1317 if (spec
.have_precision
)
1318 prec
= spec
.precision
;
1319 else if (spec
.star_precision
)
1321 if (TREE_CODE (spec
.star_precision
) == INTEGER_CST
)
1322 prec
= tree_to_shwi (spec
.star_precision
);
1325 res
.range
.min
= res
.range
.max
= HOST_WIDE_INT_M1U
;
1329 else if (res
.constant
&& TOUPPER (spec
.specifier
) != 'A')
1331 /* Specify the precision explicitly since mpfr_sprintf defaults
1338 /* Set up an array to easily iterate over. */
1339 unsigned HOST_WIDE_INT
* const minmax
[] = {
1340 &res
.range
.min
, &res
.range
.max
1343 /* Get the real type format desription for the target. */
1344 const REAL_VALUE_TYPE
*rvp
= TREE_REAL_CST_PTR (arg
);
1345 const real_format
*rfmt
= REAL_MODE_FORMAT (TYPE_MODE (TREE_TYPE (arg
)));
1347 /* Convert the GCC real value representation with the precision
1348 of the real type to the mpfr_t format with the GCC default
1349 round-to-nearest mode. */
1351 mpfr_init2 (mpfrval
, rfmt
->p
);
1352 mpfr_from_real (mpfrval
, rvp
, GMP_RNDN
);
1355 char *pfmt
= fmtstr
;
1359 for (const char *pf
= "-+ #0"; *pf
; ++pf
)
1360 if (spec
.get_flag (*pf
))
1363 /* Append width when specified and precision. */
1365 pfmt
+= sprintf (pfmt
, "%i", width
);
1367 pfmt
+= sprintf (pfmt
, ".%i", prec
);
1369 /* Append the MPFR 'R' floating type specifier (no length modifier
1370 is necessary or allowed by MPFR for mpfr_t values). */
1373 /* Save the position of the MPFR rounding specifier and skip over
1374 it. It will be set in each iteration in the loop below. */
1375 char* const rndspec
= pfmt
++;
1377 /* Append the C type specifier and nul-terminate. */
1378 *pfmt
++ = spec
.specifier
;
1381 for (int i
= 0; i
!= sizeof minmax
/ sizeof *minmax
; ++i
)
1383 /* Use the MPFR rounding specifier to round down in the first
1384 iteration and then up. In most but not all cases this will
1385 result in the same number of bytes. */
1388 /* Format it and store the result in the corresponding
1389 member of the result struct. */
1390 *minmax
[i
] = mpfr_snprintf (NULL
, 0, fmtstr
, mpfrval
);
1393 res
.bounded
= res
.range
.min
< target_int_max ();
1397 return format_floating (spec
, width
, prec
);
1400 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
1401 strings referenced by the expression STR, or (-1, -1) when not known.
1402 Used by the format_string function below. */
1405 get_string_length (tree str
)
1410 res
.range
.min
= HOST_WIDE_INT_MAX
;
1411 res
.range
.max
= HOST_WIDE_INT_MAX
;
1412 res
.bounded
= false;
1413 res
.constant
= false;
1417 if (tree slen
= c_strlen (str
, 1))
1419 /* Simply return the length of the string. */
1421 res
.range
.min
= res
.range
.max
= tree_to_shwi (slen
);
1423 res
.constant
= true;
1427 /* Determine the length of the shortest and longest string referenced
1428 by STR. Strings of unknown lengths are bounded by the sizes of
1429 arrays that subexpressions of STR may refer to. Pointers that
1430 aren't known to point any such arrays result in LENRANGE[1] set
1433 get_range_strlen (str
, lenrange
);
1435 if (lenrange
[0] || lenrange
[1])
1437 fmtresult res
= fmtresult ();
1439 res
.range
.min
= (tree_fits_uhwi_p (lenrange
[0])
1440 ? tree_to_uhwi (lenrange
[0]) : 1 < warn_format_length
);
1441 res
.range
.max
= (tree_fits_uhwi_p (lenrange
[1])
1442 ? tree_to_uhwi (lenrange
[1]) : HOST_WIDE_INT_M1U
);
1444 /* Set RES.BOUNDED to true if and only if all strings referenced
1445 by STR are known to be bounded (though not necessarily by their
1446 actual length but perhaps by their maximum possible length). */
1447 res
.bounded
= res
.range
.max
< target_int_max ();
1449 /* Set RES.CONSTANT to false even though that may be overly
1450 conservative in rare cases like: 'x ? a : b' where a and
1451 b have the same lengths and consist of the same characters. */
1452 res
.constant
= false;
1456 return get_string_length (NULL_TREE
);
1459 /* Return the minimum and maximum number of characters formatted
1460 by the '%c' and '%s' format directives and ther wide character
1461 forms for the argument ARG. ARG can be null (for functions
1462 such as vsprinf). */
1465 format_string (const conversion_spec
&spec
, tree arg
)
1467 unsigned width
= spec
.have_width
&& spec
.width
> 0 ? spec
.width
: 0;
1468 int prec
= spec
.have_precision
? spec
.precision
: -1;
1470 if (spec
.star_width
)
1472 width
= (TREE_CODE (spec
.star_width
) == INTEGER_CST
1473 ? tree_to_shwi (spec
.star_width
) : 0);
1474 if (width
> INT_MAX
)
1478 if (spec
.star_precision
)
1479 prec
= (TREE_CODE (spec
.star_precision
) == INTEGER_CST
1480 ? tree_to_shwi (spec
.star_precision
) : -1);
1482 fmtresult res
= fmtresult ();
1484 /* The maximum number of bytes for an unknown wide character argument
1485 to a "%lc" directive adjusted for precision but not field width. */
1486 const unsigned HOST_WIDE_INT max_bytes_for_unknown_wc
1487 = (1 == warn_format_length
? 0 <= prec
? prec
: 0
1488 : 2 == warn_format_length
? 0 <= prec
? prec
: 1
1489 : 0 <= prec
? prec
: 6 /* Longest UTF-8 sequence. */);
1491 /* The maximum number of bytes for an unknown string argument to either
1492 a "%s" or "%ls" directive adjusted for precision but not field width. */
1493 const unsigned HOST_WIDE_INT max_bytes_for_unknown_str
1494 = (1 == warn_format_length
? 0 <= prec
? prec
: 0
1495 : 2 == warn_format_length
? 0 <= prec
? prec
: 1
1496 : HOST_WIDE_INT_MAX
);
1498 /* The result is bounded unless overriddden for a non-constant string
1499 of an unknown length. */
1500 bool bounded
= true;
1502 if (spec
.specifier
== 'c')
1504 if (spec
.modifier
== FMT_LEN_l
)
1506 /* Positive if the argument is a wide NUL character? */
1507 int nul
= (arg
&& TREE_CODE (arg
) == INTEGER_CST
1508 ? integer_zerop (arg
) : -1);
1510 /* A '%lc' directive is the same as '%ls' for a two element
1511 wide string character with the second element of NUL, so
1512 when the character is unknown the minimum number of bytes
1513 is the smaller of either 0 (at level 1) or 1 (at level 2)
1514 and WIDTH, and the maximum is MB_CUR_MAX in the selected
1515 locale, which is unfortunately, unknown. */
1516 res
.range
.min
= 1 == warn_format_length
? !nul
: nul
< 1;
1517 res
.range
.max
= max_bytes_for_unknown_wc
;
1522 /* A plain '%c' directive. */
1523 res
.range
.min
= res
.range
.max
= 1;
1525 res
.constant
= arg
&& TREE_CODE (arg
) == INTEGER_CST
;
1528 else /* spec.specifier == 's' */
1530 /* Compute the range the argument's length can be in. */
1531 fmtresult slen
= get_string_length (arg
);
1534 gcc_checking_assert (slen
.range
.min
== slen
.range
.max
);
1538 /* A '%s' directive with a string argument with constant length. */
1539 res
.range
= slen
.range
;
1541 if (spec
.modifier
== FMT_LEN_l
)
1543 if (warn_format_length
> 2)
1547 /* It's possible to be smarter about computing the maximum
1548 by scanning the wide string for any 8-bit characters and
1549 if it contains none, using its length for the maximum.
1550 Even though this would be simple to do it's unlikely to
1551 be worth it when dealing with wide characters. */
1554 /* For a wide character string, use precision as the maximum
1555 even if precision is greater than the string length since
1556 the number of bytes the string converts to may be greater
1557 (due to MB_CUR_MAX). */
1559 res
.range
.max
= prec
;
1562 res
.constant
= true;
1564 if (0 <= prec
&& (unsigned)prec
< res
.range
.min
)
1566 res
.range
.min
= prec
;
1567 res
.range
.max
= prec
;
1572 /* For a '%s' and '%ls' directive with a non-constant string,
1573 the minimum number of characters is the greater of WIDTH
1574 and either 0 in mode 1 or the smaller of PRECISION and 1
1575 in mode 2, and the maximum is PRECISION or -1 to disable
1580 if ((unsigned)prec
< slen
.range
.min
1581 || slen
.range
.min
>= target_int_max ())
1582 slen
.range
.min
= prec
;
1583 if ((unsigned)prec
< slen
.range
.max
1584 || slen
.range
.max
>= target_int_max ())
1585 slen
.range
.max
= prec
;
1587 else if (slen
.range
.min
>= target_int_max ())
1589 slen
.range
.min
= max_bytes_for_unknown_str
;
1590 slen
.range
.max
= max_bytes_for_unknown_str
;
1594 res
.range
= slen
.range
;
1596 /* The output is considered bounded when a precision has been
1597 specified to limit the number of bytes or when the number
1598 of bytes is known or contrained to some range. */
1599 res
.bounded
= 0 <= prec
|| slen
.bounded
;
1600 res
.constant
= false;
1604 /* Adjust the lengths for field width. */
1605 if (res
.range
.min
< width
)
1606 res
.range
.min
= width
;
1608 if (res
.range
.max
< width
)
1609 res
.range
.max
= width
;
1611 /* Adjust BOUNDED if width happens to make them equal. */
1612 if (res
.range
.min
== res
.range
.max
&& res
.range
.min
< target_int_max ()
1619 /* Compute the length of the output resulting from the conversion
1620 specification SPEC with the argument ARG in a call described by INFO
1621 and update the overall result of the call in *RES. The format directive
1622 corresponding to SPEC starts at CVTBEG and is CVTLEN characters long. */
1625 format_directive (const pass_sprintf_length::call_info
&info
,
1626 format_result
*res
, const char *cvtbeg
, size_t cvtlen
,
1627 const conversion_spec
&spec
, tree arg
)
1629 /* Offset of the beginning of the directive from the beginning
1630 of the format string. */
1631 size_t offset
= cvtbeg
- info
.fmtstr
;
1633 /* Create a location for the whole directive from the % to the format
1635 substring_loc
dirloc (info
.fmtloc
, TREE_TYPE (info
.format
),
1636 offset
, offset
, offset
+ cvtlen
- 1);
1638 /* Also create a location range for the argument if possible.
1639 This doesn't work for integer literals or function calls. */
1640 source_range argrange
;
1641 source_range
*pargrange
;
1642 if (arg
&& CAN_HAVE_LOCATION_P (arg
))
1644 argrange
= EXPR_LOCATION_RANGE (arg
);
1645 pargrange
= &argrange
;
1650 /* Bail when there is no function to compute the output length,
1651 or when minimum length checking has been disabled. */
1652 if (!spec
.fmtfunc
|| res
->number_chars_min
>= HOST_WIDE_INT_MAX
)
1655 /* Compute the (approximate) length of the formatted output. */
1656 fmtresult fmtres
= spec
.fmtfunc (spec
, arg
);
1658 /* The overall result is bounded only if the output of every
1659 directive is exact or bounded. */
1660 res
->bounded
= res
->bounded
&& fmtres
.bounded
;
1661 res
->constant
= res
->constant
&& fmtres
.constant
;
1663 if (fmtres
.range
.max
>= HOST_WIDE_INT_MAX
)
1665 /* Disable exact and maximum length checking after a failure
1666 to determine the maximum number of characters (for example
1667 for wide characters or wide character strings) but continue
1668 tracking the minimum number of characters. */
1669 res
->number_chars_max
= HOST_WIDE_INT_M1U
;
1670 res
->number_chars
= HOST_WIDE_INT_M1U
;
1673 if (fmtres
.range
.min
>= HOST_WIDE_INT_MAX
)
1675 /* Disable exact length checking after a failure to determine
1676 even the minimum number of characters (it shouldn't happen
1677 except in an error) but keep tracking the minimum and maximum
1678 number of characters. */
1679 res
->number_chars
= HOST_WIDE_INT_M1U
;
1683 /* Compute the number of available bytes in the destination. There
1684 must always be at least one byte of space for the terminating
1685 NUL that's appended after the format string has been processed. */
1686 unsigned HOST_WIDE_INT navail
= min_bytes_remaining (info
.objsize
, *res
);
1688 if (fmtres
.range
.min
< fmtres
.range
.max
)
1690 /* The result is a range (i.e., it's inexact). */
1693 bool warned
= false;
1695 if (navail
< fmtres
.range
.min
)
1697 /* The minimum directive output is longer than there is
1698 room in the destination. */
1699 if (fmtres
.range
.min
== fmtres
.range
.max
)
1703 ? G_("%<%.*s%> directive output truncated writing "
1704 "%wu bytes into a region of size %wu")
1705 : G_("%<%.*s%> directive writing %wu bytes "
1706 "into a region of size %wu"));
1707 warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1708 OPT_Wformat_length_
, fmtstr
,
1709 (int)cvtlen
, cvtbeg
, fmtres
.range
.min
,
1716 ? G_("%<%.*s%> directive output truncated writing "
1717 "between %wu and %wu bytes into a region of "
1719 : G_("%<%.*s%> directive writing between %wu and "
1720 "%wu bytes into a region of size %wu"));
1721 warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1722 OPT_Wformat_length_
, fmtstr
,
1723 (int)cvtlen
, cvtbeg
,
1724 fmtres
.range
.min
, fmtres
.range
.max
, navail
);
1727 else if (navail
< fmtres
.range
.max
1728 && (fmtres
.bounded
|| 1 < warn_format_length
))
1730 /* The maximum directive output is longer than there is
1731 room in the destination and the output is either bounded
1732 or the warning level is greater than 1. */
1733 if (fmtres
.range
.max
>= HOST_WIDE_INT_MAX
)
1737 ? G_("%<%.*s%> directive output may be truncated "
1738 "writing %wu or more bytes a region of size %wu")
1739 : G_("%<%.*s%> directive writing %wu or more bytes "
1740 "into a region of size %wu"));
1741 warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1742 OPT_Wformat_length_
, fmtstr
,
1743 (int)cvtlen
, cvtbeg
,
1744 fmtres
.range
.min
, navail
);
1750 ? G_("%<%.*s%> directive output may be truncated "
1751 "writing between %wu and %wu bytes into a region "
1753 : G_("%<%.*s%> directive writing between %wu and %wu "
1754 "bytes into a region of size %wu"));
1755 warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1756 OPT_Wformat_length_
, fmtstr
,
1757 (int)cvtlen
, cvtbeg
,
1758 fmtres
.range
.min
, fmtres
.range
.max
,
1763 res
->warned
|= warned
;
1765 if (warned
&& fmtres
.argmin
)
1767 if (fmtres
.argmin
== fmtres
.argmax
)
1768 inform (info
.fmtloc
, "directive argument %qE", fmtres
.argmin
);
1769 else if (fmtres
.bounded
)
1770 inform (info
.fmtloc
, "directive argument in the range [%E, %E]",
1771 fmtres
.argmin
, fmtres
.argmax
);
1773 inform (info
.fmtloc
,
1774 "using the range [%qE, %qE] for directive argument",
1775 fmtres
.argmin
, fmtres
.argmax
);
1779 /* Disable exact length checking but adjust the minimum and maximum. */
1780 res
->number_chars
= HOST_WIDE_INT_M1U
;
1781 if (res
->number_chars_max
< HOST_WIDE_INT_MAX
1782 && fmtres
.range
.max
< HOST_WIDE_INT_MAX
)
1783 res
->number_chars_max
+= fmtres
.range
.max
;
1785 res
->number_chars_min
+= fmtres
.range
.min
;
1789 if (!res
->warned
&& fmtres
.range
.min
> 0 && navail
< fmtres
.range
.min
)
1793 ? (1 < fmtres
.range
.min
1794 ? G_("%<%.*s%> directive output truncated while writing "
1795 "%wu bytes into a region of size %wu")
1796 : G_("%<%.*s%> directive output truncated while writing "
1797 "%wu byte into a region of size %wu"))
1798 : (1 < fmtres
.range
.min
1799 ? G_("%<%.*s%> directive writing %wu bytes "
1800 "into a region of size %wu")
1801 : G_("%<%.*s%> directive writing %wu byte "
1802 "into a region of size %wu")));
1804 res
->warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1805 OPT_Wformat_length_
, fmtstr
,
1806 (int)cvtlen
, cvtbeg
, fmtres
.range
.min
,
1809 *res
+= fmtres
.range
.min
;
1812 /* Has the minimum directive output length exceeded the maximum
1813 of 4095 bytes required to be supported? */
1814 bool minunder4k
= fmtres
.range
.min
< 4096;
1815 if (!minunder4k
|| fmtres
.range
.max
> 4095)
1816 res
->under4k
= false;
1818 if (!res
->warned
&& 1 < warn_format_length
1819 && (!minunder4k
|| fmtres
.range
.max
> 4095))
1821 /* The directive output may be longer than the maximum required
1822 to be handled by an implementation according to 7.21.6.1, p15
1823 of C11. Warn on this only at level 2 but remember this and
1824 prevent folding the return value when done. This allows for
1825 the possibility of the actual libc call failing due to ENOMEM
1826 (like Glibc does under some conditions). */
1828 if (fmtres
.range
.min
== fmtres
.range
.max
)
1829 res
->warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1830 OPT_Wformat_length_
,
1831 "%<%.*s%> directive output of %wu bytes exceeds "
1832 "minimum required size of 4095",
1833 (int)cvtlen
, cvtbeg
, fmtres
.range
.min
);
1838 ? G_("%<%.*s%> directive output between %qu and %wu "
1839 "bytes may exceed minimum required size of 4095")
1840 : G_("%<%.*s%> directive output between %qu and %wu "
1841 "bytes exceeds minimum required size of 4095"));
1843 res
->warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1844 OPT_Wformat_length_
, fmtstr
,
1845 (int)cvtlen
, cvtbeg
,
1846 fmtres
.range
.min
, fmtres
.range
.max
);
1850 /* Has the minimum directive output length exceeded INT_MAX? */
1851 bool exceedmin
= res
->number_chars_min
> target_int_max ();
1855 || (1 < warn_format_length
1856 && res
->number_chars_max
> target_int_max ())))
1858 /* The directive output causes the total length of output
1859 to exceed INT_MAX bytes. */
1861 if (fmtres
.range
.min
== fmtres
.range
.max
)
1862 res
->warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1863 OPT_Wformat_length_
,
1864 "%<%.*s%> directive output of %wu bytes causes "
1865 "result to exceed %<INT_MAX%>",
1866 (int)cvtlen
, cvtbeg
, fmtres
.range
.min
);
1871 ? G_ ("%<%.*s%> directive output between %wu and %wu "
1872 "bytes causes result to exceed %<INT_MAX%>")
1873 : G_ ("%<%.*s%> directive output between %wu and %wu "
1874 "bytes may cause result to exceed %<INT_MAX%>"));
1875 res
->warned
= fmtwarn (dirloc
, pargrange
, NULL
,
1876 OPT_Wformat_length_
, fmtstr
,
1877 (int)cvtlen
, cvtbeg
,
1878 fmtres
.range
.min
, fmtres
.range
.max
);
1883 /* Account for the number of bytes between BEG and END (or between
1884 BEG + strlen (BEG) when END is null) in the format string in a call
1885 to a formatted output function described by INFO. Reflect the count
1886 in RES and issue warnings as appropriate. */
1889 add_bytes (const pass_sprintf_length::call_info
&info
,
1890 const char *beg
, const char *end
, format_result
*res
)
1892 if (res
->number_chars_min
>= HOST_WIDE_INT_MAX
)
1895 /* The number of bytes to output is the number of bytes between
1896 the end of the last directive and the beginning of the next
1897 one if it exists, otherwise the number of characters remaining
1898 in the format string plus 1 for the terminating NUL. */
1899 size_t nbytes
= end
? end
- beg
: strlen (beg
) + 1;
1901 /* Return if there are no bytes to add at this time but there are
1902 directives remaining in the format string. */
1906 /* Compute the range of available bytes in the destination. There
1907 must always be at least one byte left for the terminating NUL
1908 that's appended after the format string has been processed. */
1909 result_range avail_range
= bytes_remaining (info
.objsize
, *res
);
1911 /* If issuing a diagnostic (only when one hasn't already been issued),
1912 distinguish between a possible overflow ("may write") and a certain
1913 overflow somewhere "past the end." (Ditto for truncation.) */
1915 && (avail_range
.max
< nbytes
1916 || ((res
->bounded
|| 1 < warn_format_length
)
1917 && avail_range
.min
< nbytes
)))
1919 /* Set NAVAIL to the number of available bytes used to decide
1920 whether or not to issue a warning below. The exact kind of
1921 warning will depend on AVAIL_RANGE. */
1922 unsigned HOST_WIDE_INT navail
= avail_range
.max
;
1923 if (nbytes
<= navail
&& avail_range
.min
< HOST_WIDE_INT_MAX
1924 && (res
->bounded
|| 1 < warn_format_length
))
1925 navail
= avail_range
.min
;
1927 /* Compute the offset of the first format character that is beyond
1928 the end of the destination region and the length of the rest of
1929 the format string from that point on. */
1930 unsigned HOST_WIDE_INT off
1931 = (unsigned HOST_WIDE_INT
)(beg
- info
.fmtstr
) + navail
;
1933 size_t len
= strlen (info
.fmtstr
+ off
);
1936 (info
.fmtloc
, TREE_TYPE (info
.format
), off
- !len
, len
? off
: 0,
1939 /* Is the output of the last directive the result of the argument
1940 being within a range whose lower bound would fit in the buffer
1941 but the upper bound would not? If so, use the word "may" to
1942 indicate that the overflow/truncation may (but need not) happen. */
1944 = (res
->number_chars_min
< res
->number_chars_max
1945 && res
->number_chars_min
< info
.objsize
);
1947 if (!end
&& (nbytes
- navail
) == 1)
1949 /* There is room for the rest of the format string but none
1950 for the terminating nul. */
1952 = (info
.bounded
// Snprintf and the like.
1954 ? G_("output may be truncated before the last format character"
1955 : "output truncated before the last format character"))
1957 ? G_("may write a terminating nul past the end "
1958 "of the destination")
1959 : G_("writing a terminating nul past the end "
1960 "of the destination")));
1962 res
->warned
= fmtwarn (loc
, NULL
, NULL
, OPT_Wformat_length_
, text
);
1966 /* There isn't enough room for 1 or more characters that remain
1967 to copy from the format string. */
1969 = (info
.bounded
// Snprintf and the like.
1971 ? G_("output may be truncated at or before format character "
1972 "%qc at offset %wu")
1973 : G_("output truncated at format character %qc at offset %wu"))
1974 : (res
->number_chars
>= HOST_WIDE_INT_MAX
1975 ? G_("may write format character %#qc at offset %wu past "
1976 "the end of the destination")
1977 : G_("writing format character %#qc at offset %wu past "
1978 "the end of the destination")));
1980 res
->warned
= fmtwarn (loc
, NULL
, NULL
, OPT_Wformat_length_
,
1981 text
, info
.fmtstr
[off
], off
);
1985 if (res
->warned
&& !end
&& info
.objsize
< HOST_WIDE_INT_MAX
)
1987 /* If a warning has been issued for buffer overflow or truncation
1988 (but not otherwise) help the user figure out how big a buffer
1991 location_t callloc
= gimple_location (info
.callstmt
);
1993 unsigned HOST_WIDE_INT min
= res
->number_chars_min
;
1994 unsigned HOST_WIDE_INT max
= res
->number_chars_max
;
1995 unsigned HOST_WIDE_INT exact
1996 = (res
->number_chars
< HOST_WIDE_INT_MAX
1997 ? res
->number_chars
: res
->number_chars_min
);
1999 if (min
< max
&& max
< HOST_WIDE_INT_MAX
)
2001 "format output between %wu and %wu bytes into "
2002 "a destination of size %wu",
2003 min
+ nbytes
, max
+ nbytes
, info
.objsize
);
2006 (nbytes
+ exact
== 1
2007 ? G_("format output %wu byte into a destination of size %wu")
2008 : G_("format output %wu bytes into a destination of size %wu")),
2009 nbytes
+ exact
, info
.objsize
);
2012 /* Add the number of bytes and then check for INT_MAX overflow. */
2015 /* Has the minimum output length minus the terminating nul exceeded
2017 bool exceedmin
= (res
->number_chars_min
- !end
) > target_int_max ();
2021 || (1 < warn_format_length
2022 && (res
->number_chars_max
- !end
) > target_int_max ())))
2024 /* The function's output exceeds INT_MAX bytes. */
2026 /* Set NAVAIL to the number of available bytes used to decide
2027 whether or not to issue a warning below. The exact kind of
2028 warning will depend on AVAIL_RANGE. */
2029 unsigned HOST_WIDE_INT navail
= avail_range
.max
;
2030 if (nbytes
<= navail
&& avail_range
.min
< HOST_WIDE_INT_MAX
2031 && (res
->bounded
|| 1 < warn_format_length
))
2032 navail
= avail_range
.min
;
2034 /* Compute the offset of the first format character that is beyond
2035 the end of the destination region and the length of the rest of
2036 the format string from that point on. */
2037 unsigned HOST_WIDE_INT off
= (unsigned HOST_WIDE_INT
)(beg
- info
.fmtstr
);
2038 if (navail
< HOST_WIDE_INT_MAX
)
2041 size_t len
= strlen (info
.fmtstr
+ off
);
2044 (info
.fmtloc
, TREE_TYPE (info
.format
), off
- !len
, len
? off
: 0,
2047 if (res
->number_chars_min
== res
->number_chars_max
)
2048 res
->warned
= fmtwarn (loc
, NULL
, NULL
,
2049 OPT_Wformat_length_
,
2050 "output of %wu bytes causes "
2051 "result to exceed %<INT_MAX%>",
2052 res
->number_chars_min
- !end
);
2057 ? G_ ("output between %wu and %wu bytes causes "
2058 "result to exceed %<INT_MAX%>")
2059 : G_ ("output between %wu and %wu bytes may cause "
2060 "result to exceed %<INT_MAX%>"));
2061 res
->warned
= fmtwarn (loc
, NULL
, NULL
, OPT_Wformat_length_
,
2063 res
->number_chars_min
- !end
,
2064 res
->number_chars_max
- !end
);
2069 #pragma GCC diagnostic pop
2071 /* Compute the length of the output resulting from the call to a formatted
2072 output function described by INFO and store the result of the call in
2073 *RES. Issue warnings for detected past the end writes. */
2076 pass_sprintf_length::compute_format_length (const call_info
&info
,
2079 /* The variadic argument counter. */
2080 unsigned argno
= info
.argidx
;
2082 /* Reset exact, minimum, and maximum character counters. */
2083 res
->number_chars
= res
->number_chars_min
= res
->number_chars_max
= 0;
2085 /* No directive has been seen yet so the output is bounded and constant
2086 (with no conversion producing more than 4K bytes) until determined
2088 res
->bounded
= true;
2089 res
->constant
= true;
2090 res
->under4k
= true;
2091 res
->floating
= false;
2092 res
->warned
= false;
2094 const char *pf
= info
.fmtstr
;
2098 /* The beginning of the next format directive. */
2099 const char *dir
= strchr (pf
, '%');
2101 /* Add the number of bytes between the end of the last directive
2102 and either the next if one exists, or the end of the format
2104 add_bytes (info
, pf
, dir
, res
);
2113 /* Incomplete directive. */
2117 conversion_spec spec
= conversion_spec ();
2119 /* POSIX numbered argument index or zero when none. */
2120 unsigned dollar
= 0;
2124 /* This could be either a POSIX positional argument, the '0'
2125 flag, or a width, depending on what follows. Store it as
2126 width and sort it out later after the next character has
2129 spec
.width
= strtol (pf
, &end
, 10);
2130 spec
.have_width
= true;
2133 else if ('*' == *pf
)
2135 /* Similarly to the block above, this could be either a POSIX
2136 positional argument or a width, depending on what follows. */
2137 if (argno
< gimple_call_num_args (info
.callstmt
))
2138 spec
.star_width
= gimple_call_arg (info
.callstmt
, argno
++);
2146 /* Handle the POSIX dollar sign which references the 1-based
2147 positional argument number. */
2148 if (spec
.have_width
)
2149 dollar
= spec
.width
+ info
.argidx
;
2150 else if (spec
.star_width
2151 && TREE_CODE (spec
.star_width
) == INTEGER_CST
)
2152 dollar
= spec
.width
+ tree_to_shwi (spec
.star_width
);
2154 /* Bail when the numbered argument is out of range (it will
2155 have already been diagnosed by -Wformat). */
2157 || dollar
== info
.argidx
2158 || dollar
> gimple_call_num_args (info
.callstmt
))
2163 spec
.star_width
= NULL_TREE
;
2164 spec
.have_width
= false;
2168 if (dollar
|| !spec
.star_width
)
2170 if (spec
.have_width
&& spec
.width
== 0)
2172 /* The '0' that has been interpreted as a width above is
2173 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
2174 and continue processing other flags. */
2175 spec
.have_width
= false;
2176 spec
.set_flag ('0');
2178 /* When either '$' has been seen, or width has not been seen,
2179 the next field is the optional flags followed by an optional
2189 spec
.set_flag (*pf
++);
2201 spec
.width
= strtol (pf
, &end
, 10);
2202 spec
.have_width
= true;
2205 else if ('*' == *pf
)
2207 spec
.star_width
= gimple_call_arg (info
.callstmt
, argno
++);
2210 else if ('\'' == *pf
)
2212 /* The POSIX apostrophe indicating a numeric grouping
2213 in the current locale. Even though it's possible to
2214 estimate the upper bound on the size of the output
2215 based on the number of digits it probably isn't worth
2228 spec
.precision
= strtol (pf
, &end
, 10);
2229 spec
.have_precision
= true;
2232 else if ('*' == *pf
)
2234 spec
.star_precision
= gimple_call_arg (info
.callstmt
, argno
++);
2247 spec
.modifier
= FMT_LEN_hh
;
2250 spec
.modifier
= FMT_LEN_h
;
2255 spec
.modifier
= FMT_LEN_j
;
2260 spec
.modifier
= FMT_LEN_L
;
2268 spec
.modifier
= FMT_LEN_ll
;
2271 spec
.modifier
= FMT_LEN_l
;
2276 spec
.modifier
= FMT_LEN_t
;
2281 spec
.modifier
= FMT_LEN_z
;
2288 /* Handle a sole '%' character the same as "%%" but since it's
2289 undefined prevent the result from being folded. */
2292 res
->bounded
= false;
2295 spec
.fmtfunc
= format_percent
;
2306 res
->floating
= true;
2307 spec
.fmtfunc
= format_floating
;
2316 spec
.fmtfunc
= format_integer
;
2320 spec
.fmtfunc
= format_pointer
;
2329 spec
.fmtfunc
= format_string
;
2336 spec
.specifier
= *pf
++;
2338 /* Compute the length of the format directive. */
2339 size_t dirlen
= pf
- dir
;
2341 /* Extract the argument if the directive takes one and if it's
2342 available (e.g., the function doesn't take a va_list). Treat
2343 missing arguments the same as va_list, even though they will
2344 have likely already been diagnosed by -Wformat. */
2345 tree arg
= NULL_TREE
;
2346 if (spec
.specifier
!= '%'
2347 && argno
< gimple_call_num_args (info
.callstmt
))
2348 arg
= gimple_call_arg (info
.callstmt
, dollar
? dollar
: argno
++);
2350 ::format_directive (info
, res
, dir
, dirlen
, spec
, arg
);
2354 /* Return the size of the object referenced by the expression DEST if
2355 available, or -1 otherwise. */
2357 static unsigned HOST_WIDE_INT
2358 get_destination_size (tree dest
)
2360 /* Use __builtin_object_size to determine the size of the destination
2361 object. When optimizing, determine the smallest object (such as
2362 a member array as opposed to the whole enclosing object), otherwise
2363 use type-zero object size to determine the size of the enclosing
2364 object (the function fails without optimization in this type). */
2365 int ost
= optimize
> 0;
2366 unsigned HOST_WIDE_INT size
;
2367 if (compute_builtin_object_size (dest
, ost
, &size
))
2370 return HOST_WIDE_INT_M1U
;
2373 /* Given a suitable result RES of a call to a formatted output function
2374 described by INFO, substitute the result for the return value of
2375 the call. The result is suitable if the number of bytes it represents
2376 is known and exact. A result that isn't suitable for substitution may
2377 have its range set to the range of return values, if that is known. */
2380 try_substitute_return_value (gimple_stmt_iterator gsi
,
2381 const pass_sprintf_length::call_info
&info
,
2382 const format_result
&res
)
2384 tree lhs
= gimple_get_lhs (info
.callstmt
);
2386 /* Avoid the return value optimization when the behavior of the call
2387 is undefined either because any directive may have produced 4K or
2388 more of output, or the return value exceeds INT_MAX, or because
2389 the output overflows the destination object (but leave it enabled
2390 when the function is bounded because then the behavior is well-
2392 if (lhs
&& res
.bounded
&& res
.under4k
2393 && (info
.bounded
|| res
.number_chars
<= info
.objsize
)
2394 && res
.number_chars
- 1 <= target_int_max ())
2396 /* Replace the left-hand side of the call with the constant
2397 result of the formatted function minus 1 for the terminating
2398 NUL which the functions' return value does not include. */
2399 gimple_call_set_lhs (info
.callstmt
, NULL_TREE
);
2400 tree cst
= build_int_cst (integer_type_node
, res
.number_chars
- 1);
2401 gimple
*g
= gimple_build_assign (lhs
, cst
);
2402 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
2403 update_stmt (info
.callstmt
);
2407 location_t callloc
= gimple_location (info
.callstmt
);
2408 fprintf (dump_file
, "On line %i substituting ",
2409 LOCATION_LINE (callloc
));
2410 print_generic_expr (dump_file
, cst
, dump_flags
);
2411 fprintf (dump_file
, " for ");
2412 print_generic_expr (dump_file
, info
.func
, dump_flags
);
2413 fprintf (dump_file
, " return value (output %s).\n",
2414 res
.constant
? "constant" : "variable");
2419 unsigned HOST_WIDE_INT maxbytes
;
2423 && ((maxbytes
= res
.number_chars
- 1) <= target_int_max ()
2424 || (res
.number_chars_min
- 1 <= target_int_max ()
2425 && (maxbytes
= res
.number_chars_max
- 1) <= target_int_max ()))
2426 && (info
.bounded
|| maxbytes
< info
.objsize
))
2428 /* If the result is in a valid range bounded by the size of
2429 the destination set it so that it can be used for subsequent
2431 int prec
= TYPE_PRECISION (integer_type_node
);
2433 if (res
.number_chars
< target_int_max () && res
.under4k
)
2435 wide_int num
= wi::shwi (res
.number_chars
- 1, prec
);
2436 set_range_info (lhs
, VR_RANGE
, num
, num
);
2438 else if (res
.number_chars_min
< target_int_max ()
2439 && res
.number_chars_max
< target_int_max ())
2441 wide_int min
= wi::shwi (res
.under4k
? res
.number_chars_min
- 1
2442 : target_int_min (), prec
);
2443 wide_int max
= wi::shwi (res
.number_chars_max
- 1, prec
);
2444 set_range_info (lhs
, VR_RANGE
, min
, max
);
2450 const char *inbounds
2451 = (res
.number_chars_min
<= info
.objsize
2452 ? (res
.number_chars_max
<= info
.objsize
2453 ? "in" : "potentially out-of")
2456 location_t callloc
= gimple_location (info
.callstmt
);
2457 fprintf (dump_file
, "On line %i ", LOCATION_LINE (callloc
));
2458 print_generic_expr (dump_file
, info
.func
, dump_flags
);
2460 const char *ign
= lhs
? "" : " ignored";
2461 if (res
.number_chars
>= HOST_WIDE_INT_MAX
)
2463 " %s-bounds return value in range [%lu, %lu]%s.\n",
2465 (unsigned long)res
.number_chars_min
,
2466 (unsigned long)res
.number_chars_max
, ign
);
2468 fprintf (dump_file
, " %s-bounds return value %lu%s.\n",
2469 inbounds
, (unsigned long)res
.number_chars
, ign
);
2474 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
2475 functions and if so, handle it. */
2478 pass_sprintf_length::handle_gimple_call (gimple_stmt_iterator gsi
)
2480 call_info info
= call_info ();
2482 info
.callstmt
= gsi_stmt (gsi
);
2483 if (!gimple_call_builtin_p (info
.callstmt
, BUILT_IN_NORMAL
))
2486 info
.func
= gimple_call_fndecl (info
.callstmt
);
2487 info
.fncode
= DECL_FUNCTION_CODE (info
.func
);
2489 /* The size of the destination as in snprintf(dest, size, ...). */
2490 unsigned HOST_WIDE_INT dstsize
= HOST_WIDE_INT_M1U
;
2492 /* The size of the destination determined by __builtin_object_size. */
2493 unsigned HOST_WIDE_INT objsize
= HOST_WIDE_INT_M1U
;
2495 /* Buffer size argument number (snprintf and vsnprintf). */
2496 unsigned HOST_WIDE_INT idx_dstsize
= HOST_WIDE_INT_M1U
;
2498 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
2499 unsigned HOST_WIDE_INT idx_objsize
= HOST_WIDE_INT_M1U
;
2501 /* Format string argument number (valid for all functions). */
2502 unsigned idx_format
;
2504 switch (info
.fncode
)
2506 case BUILT_IN_SPRINTF
:
2508 // __builtin_sprintf (dst, format, ...)
2513 case BUILT_IN_SPRINTF_CHK
:
2515 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
2521 case BUILT_IN_SNPRINTF
:
2523 // __builtin_snprintf (dst, size, format, ...)
2527 info
.bounded
= true;
2530 case BUILT_IN_SNPRINTF_CHK
:
2532 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
2537 info
.bounded
= true;
2540 case BUILT_IN_VSNPRINTF
:
2542 // __builtin_vsprintf (dst, size, format, va)
2546 info
.bounded
= true;
2549 case BUILT_IN_VSNPRINTF_CHK
:
2551 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
2556 info
.bounded
= true;
2559 case BUILT_IN_VSPRINTF
:
2561 // __builtin_vsprintf (dst, format, va)
2566 case BUILT_IN_VSPRINTF_CHK
:
2568 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
2578 info
.format
= gimple_call_arg (info
.callstmt
, idx_format
);
2580 if (idx_dstsize
== HOST_WIDE_INT_M1U
)
2582 // For non-bounded functions like sprintf, to determine
2583 // the size of the destination from the object or pointer
2584 // passed to it as the first argument.
2585 dstsize
= get_destination_size (gimple_call_arg (info
.callstmt
, 0));
2587 else if (tree size
= gimple_call_arg (info
.callstmt
, idx_dstsize
))
2589 /* For bounded functions try to get the size argument. */
2591 if (TREE_CODE (size
) == INTEGER_CST
)
2593 dstsize
= tree_to_uhwi (size
);
2594 /* No object can be larger than HOST_WIDE_INT_MAX bytes
2595 (half the address space). This imposes a limit that's
2596 one byte less than that. */
2597 if (dstsize
>= HOST_WIDE_INT_MAX
)
2598 warning_at (gimple_location (info
.callstmt
), OPT_Wformat_length_
,
2599 "specified destination size %wu too large",
2602 else if (TREE_CODE (size
) == SSA_NAME
)
2604 /* Try to determine the range of values of the argument
2605 and use the greater of the two at -Wformat-level 1 and
2606 the smaller of them at level 2. */
2608 enum value_range_type range_type
2609 = get_range_info (size
, &min
, &max
);
2610 if (range_type
== VR_RANGE
)
2613 = (warn_format_length
< 2
2614 ? wi::fits_uhwi_p (max
) ? max
.to_uhwi () : max
.to_shwi ()
2615 : wi::fits_uhwi_p (min
) ? min
.to_uhwi () : min
.to_shwi ());
2620 if (idx_objsize
!= HOST_WIDE_INT_M1U
)
2622 if (tree size
= gimple_call_arg (info
.callstmt
, idx_objsize
))
2623 if (tree_fits_uhwi_p (size
))
2624 objsize
= tree_to_uhwi (size
);
2627 if (info
.bounded
&& !dstsize
)
2629 /* As a special case, when the explicitly specified destination
2630 size argument (to a bounded function like snprintf) is zero
2631 it is a request to determine the number of bytes on output
2632 without actually producing any. Pretend the size is
2633 unlimited in this case. */
2634 info
.objsize
= HOST_WIDE_INT_MAX
;
2638 /* Set the object size to the smaller of the two arguments
2639 of both have been specified and they're not equal. */
2640 info
.objsize
= dstsize
< objsize
? dstsize
: objsize
;
2643 && dstsize
!= HOST_WIDE_INT_M1U
&& objsize
< dstsize
)
2645 warning_at (gimple_location (info
.callstmt
), OPT_Wformat_length_
,
2646 "specified size %wu exceeds the size %wu "
2647 "of the destination object", dstsize
, objsize
);
2651 if (integer_zerop (info
.format
))
2653 /* This is diagnosed with -Wformat only when the null is a constant
2654 pointer. The warning here diagnoses instances where the pointer
2656 warning_at (EXPR_LOC_OR_LOC (info
.format
, input_location
),
2657 OPT_Wformat_length_
, "null format string");
2661 info
.fmtstr
= get_format_string (info
.format
, &info
.fmtloc
);
2665 /* The result is the number of bytes output by the formatted function,
2666 including the terminating NUL. */
2667 format_result res
= format_result ();
2668 compute_format_length (info
, &res
);
2670 /* When optimizing and the printf return value optimization is enabled,
2671 attempt to substitute the computed result for the return value of
2672 the call. Avoid this optimization when -frounding-math is in effect
2673 and the format string contains a floating point directive. */
2675 && flag_printf_return_value
2676 && (!flag_rounding_math
|| !res
.floating
))
2677 try_substitute_return_value (gsi
, info
, res
);
2680 /* Execute the pass for function FUN. */
2683 pass_sprintf_length::execute (function
*fun
)
2686 FOR_EACH_BB_FN (bb
, fun
)
2688 for (gimple_stmt_iterator si
= gsi_start_bb (bb
); !gsi_end_p (si
);
2691 /* Iterate over statements, looking for function calls. */
2692 gimple
*stmt
= gsi_stmt (si
);
2694 if (is_gimple_call (stmt
))
2695 handle_gimple_call (si
);
2702 } /* Unnamed namespace. */
2704 /* Return a pointer to a pass object newly constructed from the context
2708 make_pass_sprintf_length (gcc::context
*ctxt
)
2710 return new pass_sprintf_length (ctxt
);