1 /* Copyright (C) 2016-2019 Free Software Foundation, Inc. 2 Contributed by Martin Sebor <msebor@redhat.com>. 3 4 This file is part of GCC. 5 6 GCC is free software; you can redistribute it and/or modify it under 7 the terms of the GNU General Public License as published by the Free 8 Software Foundation; either version 3, or (at your option) any later 9 version. 10 11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY 12 WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 for more details. 15 16 You should have received a copy of the GNU General Public License 17 along with GCC; see the file COPYING3. If not see 18 <http://www.gnu.org/licenses/>. */ 19 20 /* This file implements the printf-return-value pass. The pass does 21 two things: 1) it analyzes calls to formatted output functions like 22 sprintf looking for possible buffer overflows and calls to bounded 23 functions like snprintf for early truncation (and under the control 24 of the -Wformat-length option issues warnings), and 2) under the 25 control of the -fprintf-return-value option it folds the return 26 value of safe calls into constants, making it possible to eliminate 27 code that depends on the value of those constants. 28 29 For all functions (bounded or not) the pass uses the size of the 30 destination object. That means that it will diagnose calls to 31 snprintf not on the basis of the size specified by the function's 32 second argument but rathger on the basis of the size the first 33 argument points to (if possible). For bound-checking built-ins 34 like __builtin___snprintf_chk the pass uses the size typically 35 determined by __builtin_object_size and passed to the built-in 36 by the Glibc inline wrapper. 37 38 The pass handles all forms standard sprintf format directives, 39 including character, integer, floating point, pointer, and strings, 40 with the standard C flags, widths, and precisions. For integers 41 and strings it computes the length of output itself. For floating 42 point it uses MPFR to fornmat known constants with up and down 43 rounding and uses the resulting range of output lengths. For 44 strings it uses the length of string literals and the sizes of 45 character arrays that a character pointer may point to as a bound 46 on the longest string. */ 47 48 #include "config.h" 49 #include "system.h" 50 #include "coretypes.h" 51 #include "backend.h" 52 #include "tree.h" 53 #include "gimple.h" 54 #include "tree-pass.h" 55 #include "ssa.h" 56 #include "gimple-fold.h" 57 #include "gimple-pretty-print.h" 58 #include "diagnostic-core.h" 59 #include "fold-const.h" 60 #include "gimple-iterator.h" 61 #include "tree-ssa.h" 62 #include "tree-object-size.h" 63 #include "params.h" 64 #include "tree-cfg.h" 65 #include "tree-ssa-propagate.h" 66 #include "calls.h" 67 #include "cfgloop.h" 68 #include "tree-scalar-evolution.h" 69 #include "tree-ssa-loop.h" 70 #include "intl.h" 71 #include "langhooks.h" 72 73 #include "attribs.h" 74 #include "builtins.h" 75 #include "stor-layout.h" 76 77 #include "realmpfr.h" 78 #include "target.h" 79 80 #include "cpplib.h" 81 #include "input.h" 82 #include "toplev.h" 83 #include "substring-locations.h" 84 #include "diagnostic.h" 85 #include "domwalk.h" 86 #include "alloc-pool.h" 87 #include "vr-values.h" 88 #include "gimple-ssa-evrp-analyze.h" 89 90 /* The likely worst case value of MB_LEN_MAX for the target, large enough 91 for UTF-8. Ideally, this would be obtained by a target hook if it were 92 to be used for optimization but it's good enough as is for warnings. */ 93 #define target_mb_len_max() 6 94 95 /* The maximum number of bytes a single non-string directive can result 96 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for 97 LDBL_MAX_10_EXP of 4932. */ 98 #define IEEE_MAX_10_EXP 4932 99 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2) 100 101 namespace { 102 103 const pass_data pass_data_sprintf_length = { 104 GIMPLE_PASS, // pass type 105 "printf-return-value", // pass name 106 OPTGROUP_NONE, // optinfo_flags 107 TV_NONE, // tv_id 108 PROP_cfg, // properties_required 109 0, // properties_provided 110 0, // properties_destroyed 111 0, // properties_start 112 0, // properties_finish 113 }; 114 115 /* Set to the warning level for the current function which is equal 116 either to warn_format_trunc for bounded functions or to 117 warn_format_overflow otherwise. */ 118 119 static int warn_level; 120 121 struct format_result; 122 123 class sprintf_dom_walker : public dom_walker 124 { 125 public: 126 sprintf_dom_walker () 127 : dom_walker (CDI_DOMINATORS), 128 evrp_range_analyzer (false) {} 129 ~sprintf_dom_walker () {} 130 131 edge before_dom_children (basic_block) FINAL OVERRIDE; 132 void after_dom_children (basic_block) FINAL OVERRIDE; 133 bool handle_gimple_call (gimple_stmt_iterator *); 134 135 struct call_info; 136 bool compute_format_length (call_info &, format_result *); 137 class evrp_range_analyzer evrp_range_analyzer; 138 }; 139 140 class pass_sprintf_length : public gimple_opt_pass 141 { 142 bool fold_return_value; 143 144 public: 145 pass_sprintf_length (gcc::context *ctxt) 146 : gimple_opt_pass (pass_data_sprintf_length, ctxt), 147 fold_return_value (false) 148 { } 149 150 opt_pass * clone () { return new pass_sprintf_length (m_ctxt); } 151 152 virtual bool gate (function *); 153 154 virtual unsigned int execute (function *); 155 156 void set_pass_param (unsigned int n, bool param) 157 { 158 gcc_assert (n == 0); 159 fold_return_value = param; 160 } 161 162 }; 163 164 bool 165 pass_sprintf_length::gate (function *) 166 { 167 /* Run the pass iff -Warn-format-overflow or -Warn-format-truncation 168 is specified and either not optimizing and the pass is being invoked 169 early, or when optimizing and the pass is being invoked during 170 optimization (i.e., "late"). */ 171 return ((warn_format_overflow > 0 172 || warn_format_trunc > 0 173 || flag_printf_return_value) 174 && (optimize > 0) == fold_return_value); 175 } 176 177 /* The minimum, maximum, likely, and unlikely maximum number of bytes 178 of output either a formatting function or an individual directive 179 can result in. */ 180 181 struct result_range 182 { 183 /* The absolute minimum number of bytes. The result of a successful 184 conversion is guaranteed to be no less than this. (An erroneous 185 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */ 186 unsigned HOST_WIDE_INT min; 187 /* The likely maximum result that is used in diagnostics. In most 188 cases MAX is the same as the worst case UNLIKELY result. */ 189 unsigned HOST_WIDE_INT max; 190 /* The likely result used to trigger diagnostics. For conversions 191 that result in a range of bytes [MIN, MAX], LIKELY is somewhere 192 in that range. */ 193 unsigned HOST_WIDE_INT likely; 194 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives 195 the worst cases maximum result of a directive. In most cases 196 UNLIKELY == MAX. UNLIKELY is used to control the return value 197 optimization but not in diagnostics. */ 198 unsigned HOST_WIDE_INT unlikely; 199 }; 200 201 /* The result of a call to a formatted function. */ 202 203 struct format_result 204 { 205 /* Range of characters written by the formatted function. 206 Setting the minimum to HOST_WIDE_INT_MAX disables all 207 length tracking for the remainder of the format string. */ 208 result_range range; 209 210 /* True when the range above is obtained from known values of 211 directive arguments, or bounds on the amount of output such 212 as width and precision, and not the result of heuristics that 213 depend on warning levels. It's used to issue stricter diagnostics 214 in cases where strings of unknown lengths are bounded by the arrays 215 they are determined to refer to. KNOWNRANGE must not be used for 216 the return value optimization. */ 217 bool knownrange; 218 219 /* True if no individual directive could fail or result in more than 220 4095 bytes of output (the total NUMBER_CHARS_{MIN,MAX} might be 221 greater). Implementations are not required to handle directives 222 that produce more than 4K bytes (leading to undefined behavior) 223 and so when one is found it disables the return value optimization. 224 Similarly, directives that can fail (such as wide character 225 directives) disable the optimization. */ 226 bool posunder4k; 227 228 /* True when a floating point directive has been seen in the format 229 string. */ 230 bool floating; 231 232 /* True when an intermediate result has caused a warning. Used to 233 avoid issuing duplicate warnings while finishing the processing 234 of a call. WARNED also disables the return value optimization. */ 235 bool warned; 236 237 /* Preincrement the number of output characters by 1. */ 238 format_result& operator++ () 239 { 240 return *this += 1; 241 } 242 243 /* Postincrement the number of output characters by 1. */ 244 format_result operator++ (int) 245 { 246 format_result prev (*this); 247 *this += 1; 248 return prev; 249 } 250 251 /* Increment the number of output characters by N. */ 252 format_result& operator+= (unsigned HOST_WIDE_INT); 253 }; 254 255 format_result& 256 format_result::operator+= (unsigned HOST_WIDE_INT n) 257 { 258 gcc_assert (n < HOST_WIDE_INT_MAX); 259 260 if (range.min < HOST_WIDE_INT_MAX) 261 range.min += n; 262 263 if (range.max < HOST_WIDE_INT_MAX) 264 range.max += n; 265 266 if (range.likely < HOST_WIDE_INT_MAX) 267 range.likely += n; 268 269 if (range.unlikely < HOST_WIDE_INT_MAX) 270 range.unlikely += n; 271 272 return *this; 273 } 274 275 /* Return the value of INT_MIN for the target. */ 276 277 static inline HOST_WIDE_INT 278 target_int_min () 279 { 280 return tree_to_shwi (TYPE_MIN_VALUE (integer_type_node)); 281 } 282 283 /* Return the value of INT_MAX for the target. */ 284 285 static inline unsigned HOST_WIDE_INT 286 target_int_max () 287 { 288 return tree_to_uhwi (TYPE_MAX_VALUE (integer_type_node)); 289 } 290 291 /* Return the value of SIZE_MAX for the target. */ 292 293 static inline unsigned HOST_WIDE_INT 294 target_size_max () 295 { 296 return tree_to_uhwi (TYPE_MAX_VALUE (size_type_node)); 297 } 298 299 /* A straightforward mapping from the execution character set to the host 300 character set indexed by execution character. */ 301 302 static char target_to_host_charmap[256]; 303 304 /* Initialize a mapping from the execution character set to the host 305 character set. */ 306 307 static bool 308 init_target_to_host_charmap () 309 { 310 /* If the percent sign is non-zero the mapping has already been 311 initialized. */ 312 if (target_to_host_charmap['%']) 313 return true; 314 315 /* Initialize the target_percent character (done elsewhere). */ 316 if (!init_target_chars ()) 317 return false; 318 319 /* The subset of the source character set used by printf conversion 320 specifications (strictly speaking, not all letters are used but 321 they are included here for the sake of simplicity). The dollar 322 sign must be included even though it's not in the basic source 323 character set. */ 324 const char srcset[] = " 0123456789!\"#%&'()*+,-./:;<=>?[\\]^_{|}~$" 325 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 326 327 /* Set the mapping for all characters to some ordinary value (i,e., 328 not none used in printf conversion specifications) and overwrite 329 those that are used by conversion specifications with their 330 corresponding values. */ 331 memset (target_to_host_charmap + 1, '?', sizeof target_to_host_charmap - 1); 332 333 /* Are the two sets of characters the same? */ 334 bool all_same_p = true; 335 336 for (const char *pc = srcset; *pc; ++pc) 337 { 338 /* Slice off the high end bits in case target characters are 339 signed. All values are expected to be non-nul, otherwise 340 there's a problem. */ 341 if (unsigned char tc = lang_hooks.to_target_charset (*pc)) 342 { 343 target_to_host_charmap[tc] = *pc; 344 if (tc != *pc) 345 all_same_p = false; 346 } 347 else 348 return false; 349 350 } 351 352 /* Set the first element to a non-zero value if the mapping 353 is 1-to-1, otherwise leave it clear (NUL is assumed to be 354 the same in both character sets). */ 355 target_to_host_charmap[0] = all_same_p; 356 357 return true; 358 } 359 360 /* Return the host source character corresponding to the character 361 CH in the execution character set if one exists, or some innocuous 362 (non-special, non-nul) source character otherwise. */ 363 364 static inline unsigned char 365 target_to_host (unsigned char ch) 366 { 367 return target_to_host_charmap[ch]; 368 } 369 370 /* Convert an initial substring of the string TARGSTR consisting of 371 characters in the execution character set into a string in the 372 source character set on the host and store up to HOSTSZ characters 373 in the buffer pointed to by HOSTR. Return HOSTR. */ 374 375 static const char* 376 target_to_host (char *hostr, size_t hostsz, const char *targstr) 377 { 378 /* Make sure the buffer is reasonably big. */ 379 gcc_assert (hostsz > 4); 380 381 /* The interesting subset of source and execution characters are 382 the same so no conversion is necessary. However, truncate 383 overlong strings just like the translated strings are. */ 384 if (target_to_host_charmap['\0'] == 1) 385 { 386 size_t len = strlen (targstr); 387 if (len >= hostsz) 388 { 389 memcpy (hostr, targstr, hostsz - 4); 390 strcpy (hostr + hostsz - 4, "..."); 391 } 392 else 393 memcpy (hostr, targstr, len + 1); 394 return hostr; 395 } 396 397 /* Convert the initial substring of TARGSTR to the corresponding 398 characters in the host set, appending "..." if TARGSTR is too 399 long to fit. Using the static buffer assumes the function is 400 not called in between sequence points (which it isn't). */ 401 for (char *ph = hostr; ; ++targstr) 402 { 403 *ph++ = target_to_host (*targstr); 404 if (!*targstr) 405 break; 406 407 if (size_t (ph - hostr) == hostsz) 408 { 409 strcpy (ph - 4, "..."); 410 break; 411 } 412 } 413 414 return hostr; 415 } 416 417 /* Convert the sequence of decimal digits in the execution character 418 starting at *PS to a HOST_WIDE_INT, analogously to strtol. Return 419 the result and set *PS to one past the last converted character. 420 On range error set ERANGE to the digit that caused it. */ 421 422 static inline HOST_WIDE_INT 423 target_strtowi (const char **ps, const char **erange) 424 { 425 unsigned HOST_WIDE_INT val = 0; 426 for ( ; ; ++*ps) 427 { 428 unsigned char c = target_to_host (**ps); 429 if (ISDIGIT (c)) 430 { 431 c -= '0'; 432 433 /* Check for overflow. */ 434 if (val > ((unsigned HOST_WIDE_INT) HOST_WIDE_INT_MAX - c) / 10LU) 435 { 436 val = HOST_WIDE_INT_MAX; 437 *erange = *ps; 438 439 /* Skip the remaining digits. */ 440 do 441 c = target_to_host (*++*ps); 442 while (ISDIGIT (c)); 443 break; 444 } 445 else 446 val = val * 10 + c; 447 } 448 else 449 break; 450 } 451 452 return val; 453 } 454 455 /* Given FORMAT, set *PLOC to the source location of the format string 456 and return the format string if it is known or null otherwise. */ 457 458 static const char* 459 get_format_string (tree format, location_t *ploc) 460 { 461 *ploc = EXPR_LOC_OR_LOC (format, input_location); 462 463 return c_getstr (format); 464 } 465 466 /* For convenience and brevity, shorter named entrypoints of 467 format_string_diagnostic_t::emit_warning_va and 468 format_string_diagnostic_t::emit_warning_n_va. 469 These have to be functions with the attribute so that exgettext 470 works properly. */ 471 472 static bool 473 ATTRIBUTE_GCC_DIAG (5, 6) 474 fmtwarn (const substring_loc &fmt_loc, location_t param_loc, 475 const char *corrected_substring, int opt, const char *gmsgid, ...) 476 { 477 format_string_diagnostic_t diag (fmt_loc, NULL, param_loc, NULL, 478 corrected_substring); 479 va_list ap; 480 va_start (ap, gmsgid); 481 bool warned = diag.emit_warning_va (opt, gmsgid, &ap); 482 va_end (ap); 483 484 return warned; 485 } 486 487 static bool 488 ATTRIBUTE_GCC_DIAG (6, 8) ATTRIBUTE_GCC_DIAG (7, 8) 489 fmtwarn_n (const substring_loc &fmt_loc, location_t param_loc, 490 const char *corrected_substring, int opt, unsigned HOST_WIDE_INT n, 491 const char *singular_gmsgid, const char *plural_gmsgid, ...) 492 { 493 format_string_diagnostic_t diag (fmt_loc, NULL, param_loc, NULL, 494 corrected_substring); 495 va_list ap; 496 va_start (ap, plural_gmsgid); 497 bool warned = diag.emit_warning_n_va (opt, n, singular_gmsgid, plural_gmsgid, 498 &ap); 499 va_end (ap); 500 501 return warned; 502 } 503 504 /* Format length modifiers. */ 505 506 enum format_lengths 507 { 508 FMT_LEN_none, 509 FMT_LEN_hh, // char argument 510 FMT_LEN_h, // short 511 FMT_LEN_l, // long 512 FMT_LEN_ll, // long long 513 FMT_LEN_L, // long double (and GNU long long) 514 FMT_LEN_z, // size_t 515 FMT_LEN_t, // ptrdiff_t 516 FMT_LEN_j // intmax_t 517 }; 518 519 520 /* Description of the result of conversion either of a single directive 521 or the whole format string. */ 522 523 struct fmtresult 524 { 525 /* Construct a FMTRESULT object with all counters initialized 526 to MIN. KNOWNRANGE is set when MIN is valid. */ 527 fmtresult (unsigned HOST_WIDE_INT min = HOST_WIDE_INT_MAX) 528 : argmin (), argmax (), nonstr (), 529 knownrange (min < HOST_WIDE_INT_MAX), 530 mayfail (), nullp () 531 { 532 range.min = min; 533 range.max = min; 534 range.likely = min; 535 range.unlikely = min; 536 } 537 538 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters. 539 KNOWNRANGE is set when both MIN and MAX are valid. */ 540 fmtresult (unsigned HOST_WIDE_INT min, unsigned HOST_WIDE_INT max, 541 unsigned HOST_WIDE_INT likely = HOST_WIDE_INT_MAX) 542 : argmin (), argmax (), nonstr (), 543 knownrange (min < HOST_WIDE_INT_MAX && max < HOST_WIDE_INT_MAX), 544 mayfail (), nullp () 545 { 546 range.min = min; 547 range.max = max; 548 range.likely = max < likely ? min : likely; 549 range.unlikely = max; 550 } 551 552 /* Adjust result upward to reflect the RANGE of values the specified 553 width or precision is known to be in. */ 554 fmtresult& adjust_for_width_or_precision (const HOST_WIDE_INT[2], 555 tree = NULL_TREE, 556 unsigned = 0, unsigned = 0); 557 558 /* Return the maximum number of decimal digits a value of TYPE 559 formats as on output. */ 560 static unsigned type_max_digits (tree, int); 561 562 /* The range a directive's argument is in. */ 563 tree argmin, argmax; 564 565 /* The minimum and maximum number of bytes that a directive 566 results in on output for an argument in the range above. */ 567 result_range range; 568 569 /* Non-nul when the argument of a string directive is not a nul 570 terminated string. */ 571 tree nonstr; 572 573 /* True when the range above is obtained from a known value of 574 a directive's argument or its bounds and not the result of 575 heuristics that depend on warning levels. */ 576 bool knownrange; 577 578 /* True for a directive that may fail (such as wide character 579 directives). */ 580 bool mayfail; 581 582 /* True when the argument is a null pointer. */ 583 bool nullp; 584 }; 585 586 /* Adjust result upward to reflect the range ADJUST of values the 587 specified width or precision is known to be in. When non-null, 588 TYPE denotes the type of the directive whose result is being 589 adjusted, BASE gives the base of the directive (octal, decimal, 590 or hex), and ADJ denotes the additional adjustment to the LIKELY 591 counter that may need to be added when ADJUST is a range. */ 592 593 fmtresult& 594 fmtresult::adjust_for_width_or_precision (const HOST_WIDE_INT adjust[2], 595 tree type /* = NULL_TREE */, 596 unsigned base /* = 0 */, 597 unsigned adj /* = 0 */) 598 { 599 bool minadjusted = false; 600 601 /* Adjust the minimum and likely counters. */ 602 if (adjust[0] >= 0) 603 { 604 if (range.min < (unsigned HOST_WIDE_INT)adjust[0]) 605 { 606 range.min = adjust[0]; 607 minadjusted = true; 608 } 609 610 /* Adjust the likely counter. */ 611 if (range.likely < range.min) 612 range.likely = range.min; 613 } 614 else if (adjust[0] == target_int_min () 615 && (unsigned HOST_WIDE_INT)adjust[1] == target_int_max ()) 616 knownrange = false; 617 618 /* Adjust the maximum counter. */ 619 if (adjust[1] > 0) 620 { 621 if (range.max < (unsigned HOST_WIDE_INT)adjust[1]) 622 { 623 range.max = adjust[1]; 624 625 /* Set KNOWNRANGE if both the minimum and maximum have been 626 adjusted. Otherwise leave it at what it was before. */ 627 knownrange = minadjusted; 628 } 629 } 630 631 if (warn_level > 1 && type) 632 { 633 /* For large non-constant width or precision whose range spans 634 the maximum number of digits produced by the directive for 635 any argument, set the likely number of bytes to be at most 636 the number digits plus other adjustment determined by the 637 caller (one for sign or two for the hexadecimal "0x" 638 prefix). */ 639 unsigned dirdigs = type_max_digits (type, base); 640 if (adjust[0] < dirdigs && dirdigs < adjust[1] 641 && range.likely < dirdigs) 642 range.likely = dirdigs + adj; 643 } 644 else if (range.likely < (range.min ? range.min : 1)) 645 { 646 /* Conservatively, set LIKELY to at least MIN but no less than 647 1 unless MAX is zero. */ 648 range.likely = (range.min 649 ? range.min 650 : range.max && (range.max < HOST_WIDE_INT_MAX 651 || warn_level > 1) ? 1 : 0); 652 } 653 654 /* Finally adjust the unlikely counter to be at least as large as 655 the maximum. */ 656 if (range.unlikely < range.max) 657 range.unlikely = range.max; 658 659 return *this; 660 } 661 662 /* Return the maximum number of digits a value of TYPE formats in 663 BASE on output, not counting base prefix . */ 664 665 unsigned 666 fmtresult::type_max_digits (tree type, int base) 667 { 668 unsigned prec = TYPE_PRECISION (type); 669 switch (base) 670 { 671 case 8: 672 return (prec + 2) / 3; 673 case 10: 674 /* Decimal approximation: yields 3, 5, 10, and 20 for precision 675 of 8, 16, 32, and 64 bits. */ 676 return prec * 301 / 1000 + 1; 677 case 16: 678 return prec / 4; 679 } 680 681 gcc_unreachable (); 682 } 683 684 static bool 685 get_int_range (tree, HOST_WIDE_INT *, HOST_WIDE_INT *, bool, HOST_WIDE_INT, 686 class vr_values *vr_values); 687 688 /* Description of a format directive. A directive is either a plain 689 string or a conversion specification that starts with '%'. */ 690 691 struct directive 692 { 693 /* The 1-based directive number (for debugging). */ 694 unsigned dirno; 695 696 /* The first character of the directive and its length. */ 697 const char *beg; 698 size_t len; 699 700 /* A bitmap of flags, one for each character. */ 701 unsigned flags[256 / sizeof (int)]; 702 703 /* The range of values of the specified width, or -1 if not specified. */ 704 HOST_WIDE_INT width[2]; 705 /* The range of values of the specified precision, or -1 if not 706 specified. */ 707 HOST_WIDE_INT prec[2]; 708 709 /* Length modifier. */ 710 format_lengths modifier; 711 712 /* Format specifier character. */ 713 char specifier; 714 715 /* The argument of the directive or null when the directive doesn't 716 take one or when none is available (such as for vararg functions). */ 717 tree arg; 718 719 /* Format conversion function that given a directive and an argument 720 returns the formatting result. */ 721 fmtresult (*fmtfunc) (const directive &, tree, vr_values *); 722 723 /* Return True when a the format flag CHR has been used. */ 724 bool get_flag (char chr) const 725 { 726 unsigned char c = chr & 0xff; 727 return (flags[c / (CHAR_BIT * sizeof *flags)] 728 & (1U << (c % (CHAR_BIT * sizeof *flags)))); 729 } 730 731 /* Make a record of the format flag CHR having been used. */ 732 void set_flag (char chr) 733 { 734 unsigned char c = chr & 0xff; 735 flags[c / (CHAR_BIT * sizeof *flags)] 736 |= (1U << (c % (CHAR_BIT * sizeof *flags))); 737 } 738 739 /* Reset the format flag CHR. */ 740 void clear_flag (char chr) 741 { 742 unsigned char c = chr & 0xff; 743 flags[c / (CHAR_BIT * sizeof *flags)] 744 &= ~(1U << (c % (CHAR_BIT * sizeof *flags))); 745 } 746 747 /* Set both bounds of the width range to VAL. */ 748 void set_width (HOST_WIDE_INT val) 749 { 750 width[0] = width[1] = val; 751 } 752 753 /* Set the width range according to ARG, with both bounds being 754 no less than 0. For a constant ARG set both bounds to its value 755 or 0, whichever is greater. For a non-constant ARG in some range 756 set width to its range adjusting each bound to -1 if it's less. 757 For an indeterminate ARG set width to [0, INT_MAX]. */ 758 void set_width (tree arg, vr_values *vr_values) 759 { 760 get_int_range (arg, width, width + 1, true, 0, vr_values); 761 } 762 763 /* Set both bounds of the precision range to VAL. */ 764 void set_precision (HOST_WIDE_INT val) 765 { 766 prec[0] = prec[1] = val; 767 } 768 769 /* Set the precision range according to ARG, with both bounds being 770 no less than -1. For a constant ARG set both bounds to its value 771 or -1 whichever is greater. For a non-constant ARG in some range 772 set precision to its range adjusting each bound to -1 if it's less. 773 For an indeterminate ARG set precision to [-1, INT_MAX]. */ 774 void set_precision (tree arg, vr_values *vr_values) 775 { 776 get_int_range (arg, prec, prec + 1, false, -1, vr_values); 777 } 778 779 /* Return true if both width and precision are known to be 780 either constant or in some range, false otherwise. */ 781 bool known_width_and_precision () const 782 { 783 return ((width[1] < 0 784 || (unsigned HOST_WIDE_INT)width[1] <= target_int_max ()) 785 && (prec[1] < 0 786 || (unsigned HOST_WIDE_INT)prec[1] < target_int_max ())); 787 } 788 }; 789 790 /* Return the logarithm of X in BASE. */ 791 792 static int 793 ilog (unsigned HOST_WIDE_INT x, int base) 794 { 795 int res = 0; 796 do 797 { 798 ++res; 799 x /= base; 800 } while (x); 801 return res; 802 } 803 804 /* Return the number of bytes resulting from converting into a string 805 the INTEGER_CST tree node X in BASE with a minimum of PREC digits. 806 PLUS indicates whether 1 for a plus sign should be added for positive 807 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal 808 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot 809 be represented. */ 810 811 static HOST_WIDE_INT 812 tree_digits (tree x, int base, HOST_WIDE_INT prec, bool plus, bool prefix) 813 { 814 unsigned HOST_WIDE_INT absval; 815 816 HOST_WIDE_INT res; 817 818 if (TYPE_UNSIGNED (TREE_TYPE (x))) 819 { 820 if (tree_fits_uhwi_p (x)) 821 { 822 absval = tree_to_uhwi (x); 823 res = plus; 824 } 825 else 826 return -1; 827 } 828 else 829 { 830 if (tree_fits_shwi_p (x)) 831 { 832 HOST_WIDE_INT i = tree_to_shwi (x); 833 if (HOST_WIDE_INT_MIN == i) 834 { 835 /* Avoid undefined behavior due to negating a minimum. */ 836 absval = HOST_WIDE_INT_MAX; 837 res = 1; 838 } 839 else if (i < 0) 840 { 841 absval = -i; 842 res = 1; 843 } 844 else 845 { 846 absval = i; 847 res = plus; 848 } 849 } 850 else 851 return -1; 852 } 853 854 int ndigs = ilog (absval, base); 855 856 res += prec < ndigs ? ndigs : prec; 857 858 /* Adjust a non-zero value for the base prefix, either hexadecimal, 859 or, unless precision has resulted in a leading zero, also octal. */ 860 if (prefix && absval && (base == 16 || prec <= ndigs)) 861 { 862 if (base == 8) 863 res += 1; 864 else if (base == 16) 865 res += 2; 866 } 867 868 return res; 869 } 870 871 /* Given the formatting result described by RES and NAVAIL, the number 872 of available in the destination, return the range of bytes remaining 873 in the destination. */ 874 875 static inline result_range 876 bytes_remaining (unsigned HOST_WIDE_INT navail, const format_result &res) 877 { 878 result_range range; 879 880 if (HOST_WIDE_INT_MAX <= navail) 881 { 882 range.min = range.max = range.likely = range.unlikely = navail; 883 return range; 884 } 885 886 /* The lower bound of the available range is the available size 887 minus the maximum output size, and the upper bound is the size 888 minus the minimum. */ 889 range.max = res.range.min < navail ? navail - res.range.min : 0; 890 891 range.likely = res.range.likely < navail ? navail - res.range.likely : 0; 892 893 if (res.range.max < HOST_WIDE_INT_MAX) 894 range.min = res.range.max < navail ? navail - res.range.max : 0; 895 else 896 range.min = range.likely; 897 898 range.unlikely = (res.range.unlikely < navail 899 ? navail - res.range.unlikely : 0); 900 901 return range; 902 } 903 904 /* Description of a call to a formatted function. */ 905 906 struct sprintf_dom_walker::call_info 907 { 908 /* Function call statement. */ 909 gimple *callstmt; 910 911 /* Function called. */ 912 tree func; 913 914 /* Called built-in function code. */ 915 built_in_function fncode; 916 917 /* Format argument and format string extracted from it. */ 918 tree format; 919 const char *fmtstr; 920 921 /* The location of the format argument. */ 922 location_t fmtloc; 923 924 /* The destination object size for __builtin___xxx_chk functions 925 typically determined by __builtin_object_size, or -1 if unknown. */ 926 unsigned HOST_WIDE_INT objsize; 927 928 /* Number of the first variable argument. */ 929 unsigned HOST_WIDE_INT argidx; 930 931 /* True for functions like snprintf that specify the size of 932 the destination, false for others like sprintf that don't. */ 933 bool bounded; 934 935 /* True for bounded functions like snprintf that specify a zero-size 936 buffer as a request to compute the size of output without actually 937 writing any. NOWRITE is cleared in response to the %n directive 938 which has side-effects similar to writing output. */ 939 bool nowrite; 940 941 /* Return true if the called function's return value is used. */ 942 bool retval_used () const 943 { 944 return gimple_get_lhs (callstmt); 945 } 946 947 /* Return the warning option corresponding to the called function. */ 948 int warnopt () const 949 { 950 return bounded ? OPT_Wformat_truncation_ : OPT_Wformat_overflow_; 951 } 952 953 /* Return true for calls to file formatted functions. */ 954 bool is_file_func () const 955 { 956 return (fncode == BUILT_IN_FPRINTF 957 || fncode == BUILT_IN_FPRINTF_CHK 958 || fncode == BUILT_IN_FPRINTF_UNLOCKED 959 || fncode == BUILT_IN_VFPRINTF 960 || fncode == BUILT_IN_VFPRINTF_CHK); 961 } 962 963 /* Return true for calls to string formatted functions. */ 964 bool is_string_func () const 965 { 966 return (fncode == BUILT_IN_SPRINTF 967 || fncode == BUILT_IN_SPRINTF_CHK 968 || fncode == BUILT_IN_SNPRINTF 969 || fncode == BUILT_IN_SNPRINTF_CHK 970 || fncode == BUILT_IN_VSPRINTF 971 || fncode == BUILT_IN_VSPRINTF_CHK 972 || fncode == BUILT_IN_VSNPRINTF 973 || fncode == BUILT_IN_VSNPRINTF_CHK); 974 } 975 }; 976 977 /* Return the result of formatting a no-op directive (such as '%n'). */ 978 979 static fmtresult 980 format_none (const directive &, tree, vr_values *) 981 { 982 fmtresult res (0); 983 return res; 984 } 985 986 /* Return the result of formatting the '%%' directive. */ 987 988 static fmtresult 989 format_percent (const directive &, tree, vr_values *) 990 { 991 fmtresult res (1); 992 return res; 993 } 994 995 996 /* Compute intmax_type_node and uintmax_type_node similarly to how 997 tree.c builds size_type_node. */ 998 999 static void 1000 build_intmax_type_nodes (tree *pintmax, tree *puintmax) 1001 { 1002 if (strcmp (UINTMAX_TYPE, "unsigned int") == 0) 1003 { 1004 *pintmax = integer_type_node; 1005 *puintmax = unsigned_type_node; 1006 } 1007 else if (strcmp (UINTMAX_TYPE, "long unsigned int") == 0) 1008 { 1009 *pintmax = long_integer_type_node; 1010 *puintmax = long_unsigned_type_node; 1011 } 1012 else if (strcmp (UINTMAX_TYPE, "long long unsigned int") == 0) 1013 { 1014 *pintmax = long_long_integer_type_node; 1015 *puintmax = long_long_unsigned_type_node; 1016 } 1017 else 1018 { 1019 for (int i = 0; i < NUM_INT_N_ENTS; i++) 1020 if (int_n_enabled_p[i]) 1021 { 1022 char name[50]; 1023 sprintf (name, "__int%d unsigned", int_n_data[i].bitsize); 1024 1025 if (strcmp (name, UINTMAX_TYPE) == 0) 1026 { 1027 *pintmax = int_n_trees[i].signed_type; 1028 *puintmax = int_n_trees[i].unsigned_type; 1029 return; 1030 } 1031 } 1032 gcc_unreachable (); 1033 } 1034 } 1035 1036 /* Determine the range [*PMIN, *PMAX] that the expression ARG is 1037 in and that is representable in type int. 1038 Return true when the range is a subrange of that of int. 1039 When ARG is null it is as if it had the full range of int. 1040 When ABSOLUTE is true the range reflects the absolute value of 1041 the argument. When ABSOLUTE is false, negative bounds of 1042 the determined range are replaced with NEGBOUND. */ 1043 1044 static bool 1045 get_int_range (tree arg, HOST_WIDE_INT *pmin, HOST_WIDE_INT *pmax, 1046 bool absolute, HOST_WIDE_INT negbound, 1047 class vr_values *vr_values) 1048 { 1049 /* The type of the result. */ 1050 const_tree type = integer_type_node; 1051 1052 bool knownrange = false; 1053 1054 if (!arg) 1055 { 1056 *pmin = tree_to_shwi (TYPE_MIN_VALUE (type)); 1057 *pmax = tree_to_shwi (TYPE_MAX_VALUE (type)); 1058 } 1059 else if (TREE_CODE (arg) == INTEGER_CST 1060 && TYPE_PRECISION (TREE_TYPE (arg)) <= TYPE_PRECISION (type)) 1061 { 1062 /* For a constant argument return its value adjusted as specified 1063 by NEGATIVE and NEGBOUND and return true to indicate that the 1064 result is known. */ 1065 *pmin = tree_fits_shwi_p (arg) ? tree_to_shwi (arg) : tree_to_uhwi (arg); 1066 *pmax = *pmin; 1067 knownrange = true; 1068 } 1069 else 1070 { 1071 /* True if the argument's range cannot be determined. */ 1072 bool unknown = true; 1073 1074 tree argtype = TREE_TYPE (arg); 1075 1076 /* Ignore invalid arguments with greater precision that that 1077 of the expected type (e.g., in sprintf("%*i", 12LL, i)). 1078 They will have been detected and diagnosed by -Wformat and 1079 so it's not important to complicate this code to try to deal 1080 with them again. */ 1081 if (TREE_CODE (arg) == SSA_NAME 1082 && INTEGRAL_TYPE_P (argtype) 1083 && TYPE_PRECISION (argtype) <= TYPE_PRECISION (type)) 1084 { 1085 /* Try to determine the range of values of the integer argument. */ 1086 value_range *vr = vr_values->get_value_range (arg); 1087 if (range_int_cst_p (vr)) 1088 { 1089 HOST_WIDE_INT type_min 1090 = (TYPE_UNSIGNED (argtype) 1091 ? tree_to_uhwi (TYPE_MIN_VALUE (argtype)) 1092 : tree_to_shwi (TYPE_MIN_VALUE (argtype))); 1093 1094 HOST_WIDE_INT type_max = tree_to_uhwi (TYPE_MAX_VALUE (argtype)); 1095 1096 *pmin = TREE_INT_CST_LOW (vr->min ()); 1097 *pmax = TREE_INT_CST_LOW (vr->max ()); 1098 1099 if (*pmin < *pmax) 1100 { 1101 /* Return true if the adjusted range is a subrange of 1102 the full range of the argument's type. *PMAX may 1103 be less than *PMIN when the argument is unsigned 1104 and its upper bound is in excess of TYPE_MAX. In 1105 that (invalid) case disregard the range and use that 1106 of the expected type instead. */ 1107 knownrange = type_min < *pmin || *pmax < type_max; 1108 1109 unknown = false; 1110 } 1111 } 1112 } 1113 1114 /* Handle an argument with an unknown range as if none had been 1115 provided. */ 1116 if (unknown) 1117 return get_int_range (NULL_TREE, pmin, pmax, absolute, 1118 negbound, vr_values); 1119 } 1120 1121 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */ 1122 if (absolute) 1123 { 1124 if (*pmin < 0) 1125 { 1126 if (*pmin == *pmax) 1127 *pmin = *pmax = -*pmin; 1128 else 1129 { 1130 /* Make sure signed overlow is avoided. */ 1131 gcc_assert (*pmin != HOST_WIDE_INT_MIN); 1132 1133 HOST_WIDE_INT tmp = -*pmin; 1134 *pmin = 0; 1135 if (*pmax < tmp) 1136 *pmax = tmp; 1137 } 1138 } 1139 } 1140 else if (*pmin < negbound) 1141 *pmin = negbound; 1142 1143 return knownrange; 1144 } 1145 1146 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual 1147 argument, due to the conversion from either *ARGMIN or *ARGMAX to 1148 the type of the directive's formal argument it's possible for both 1149 to result in the same number of bytes or a range of bytes that's 1150 less than the number of bytes that would result from formatting 1151 some other value in the range [*ARGMIN, *ARGMAX]. This can be 1152 determined by checking for the actual argument being in the range 1153 of the type of the directive. If it isn't it must be assumed to 1154 take on the full range of the directive's type. 1155 Return true when the range has been adjusted to the full range 1156 of DIRTYPE, and false otherwise. */ 1157 1158 static bool 1159 adjust_range_for_overflow (tree dirtype, tree *argmin, tree *argmax) 1160 { 1161 tree argtype = TREE_TYPE (*argmin); 1162 unsigned argprec = TYPE_PRECISION (argtype); 1163 unsigned dirprec = TYPE_PRECISION (dirtype); 1164 1165 /* If the actual argument and the directive's argument have the same 1166 precision and sign there can be no overflow and so there is nothing 1167 to adjust. */ 1168 if (argprec == dirprec && TYPE_SIGN (argtype) == TYPE_SIGN (dirtype)) 1169 return false; 1170 1171 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P 1172 branch in the extract_range_from_unary_expr function in tree-vrp.c. */ 1173 1174 if (TREE_CODE (*argmin) == INTEGER_CST 1175 && TREE_CODE (*argmax) == INTEGER_CST 1176 && (dirprec >= argprec 1177 || integer_zerop (int_const_binop (RSHIFT_EXPR, 1178 int_const_binop (MINUS_EXPR, 1179 *argmax, 1180 *argmin), 1181 size_int (dirprec))))) 1182 { 1183 *argmin = force_fit_type (dirtype, wi::to_widest (*argmin), 0, false); 1184 *argmax = force_fit_type (dirtype, wi::to_widest (*argmax), 0, false); 1185 1186 /* If *ARGMIN is still less than *ARGMAX the conversion above 1187 is safe. Otherwise, it has overflowed and would be unsafe. */ 1188 if (tree_int_cst_le (*argmin, *argmax)) 1189 return false; 1190 } 1191 1192 *argmin = TYPE_MIN_VALUE (dirtype); 1193 *argmax = TYPE_MAX_VALUE (dirtype); 1194 return true; 1195 } 1196 1197 /* Return a range representing the minimum and maximum number of bytes 1198 that the format directive DIR will output for any argument given 1199 the WIDTH and PRECISION (extracted from DIR). This function is 1200 used when the directive argument or its value isn't known. */ 1201 1202 static fmtresult 1203 format_integer (const directive &dir, tree arg, vr_values *vr_values) 1204 { 1205 tree intmax_type_node; 1206 tree uintmax_type_node; 1207 1208 /* Base to format the number in. */ 1209 int base; 1210 1211 /* True when a conversion is preceded by a prefix indicating the base 1212 of the argument (octal or hexadecimal). */ 1213 bool maybebase = dir.get_flag ('#'); 1214 1215 /* True when a signed conversion is preceded by a sign or space. */ 1216 bool maybesign = false; 1217 1218 /* True for signed conversions (i.e., 'd' and 'i'). */ 1219 bool sign = false; 1220 1221 switch (dir.specifier) 1222 { 1223 case 'd': 1224 case 'i': 1225 /* Space and '+' are only meaningful for signed conversions. */ 1226 maybesign = dir.get_flag (' ') | dir.get_flag ('+'); 1227 sign = true; 1228 base = 10; 1229 break; 1230 case 'u': 1231 base = 10; 1232 break; 1233 case 'o': 1234 base = 8; 1235 break; 1236 case 'X': 1237 case 'x': 1238 base = 16; 1239 break; 1240 default: 1241 gcc_unreachable (); 1242 } 1243 1244 /* The type of the "formal" argument expected by the directive. */ 1245 tree dirtype = NULL_TREE; 1246 1247 /* Determine the expected type of the argument from the length 1248 modifier. */ 1249 switch (dir.modifier) 1250 { 1251 case FMT_LEN_none: 1252 if (dir.specifier == 'p') 1253 dirtype = ptr_type_node; 1254 else 1255 dirtype = sign ? integer_type_node : unsigned_type_node; 1256 break; 1257 1258 case FMT_LEN_h: 1259 dirtype = sign ? short_integer_type_node : short_unsigned_type_node; 1260 break; 1261 1262 case FMT_LEN_hh: 1263 dirtype = sign ? signed_char_type_node : unsigned_char_type_node; 1264 break; 1265 1266 case FMT_LEN_l: 1267 dirtype = sign ? long_integer_type_node : long_unsigned_type_node; 1268 break; 1269 1270 case FMT_LEN_L: 1271 case FMT_LEN_ll: 1272 dirtype = (sign 1273 ? long_long_integer_type_node 1274 : long_long_unsigned_type_node); 1275 break; 1276 1277 case FMT_LEN_z: 1278 dirtype = signed_or_unsigned_type_for (!sign, size_type_node); 1279 break; 1280 1281 case FMT_LEN_t: 1282 dirtype = signed_or_unsigned_type_for (!sign, ptrdiff_type_node); 1283 break; 1284 1285 case FMT_LEN_j: 1286 build_intmax_type_nodes (&intmax_type_node, &uintmax_type_node); 1287 dirtype = sign ? intmax_type_node : uintmax_type_node; 1288 break; 1289 1290 default: 1291 return fmtresult (); 1292 } 1293 1294 /* The type of the argument to the directive, either deduced from 1295 the actual non-constant argument if one is known, or from 1296 the directive itself when none has been provided because it's 1297 a va_list. */ 1298 tree argtype = NULL_TREE; 1299 1300 if (!arg) 1301 { 1302 /* When the argument has not been provided, use the type of 1303 the directive's argument as an approximation. This will 1304 result in false positives for directives like %i with 1305 arguments with smaller precision (such as short or char). */ 1306 argtype = dirtype; 1307 } 1308 else if (TREE_CODE (arg) == INTEGER_CST) 1309 { 1310 /* When a constant argument has been provided use its value 1311 rather than type to determine the length of the output. */ 1312 fmtresult res; 1313 1314 if ((dir.prec[0] <= 0 && dir.prec[1] >= 0) && integer_zerop (arg)) 1315 { 1316 /* As a special case, a precision of zero with a zero argument 1317 results in zero bytes except in base 8 when the '#' flag is 1318 specified, and for signed conversions in base 8 and 10 when 1319 either the space or '+' flag has been specified and it results 1320 in just one byte (with width having the normal effect). This 1321 must extend to the case of a specified precision with 1322 an unknown value because it can be zero. */ 1323 res.range.min = ((base == 8 && dir.get_flag ('#')) || maybesign); 1324 if (res.range.min == 0 && dir.prec[0] != dir.prec[1]) 1325 { 1326 res.range.max = 1; 1327 res.range.likely = 1; 1328 } 1329 else 1330 { 1331 res.range.max = res.range.min; 1332 res.range.likely = res.range.min; 1333 } 1334 } 1335 else 1336 { 1337 /* Convert the argument to the type of the directive. */ 1338 arg = fold_convert (dirtype, arg); 1339 1340 res.range.min = tree_digits (arg, base, dir.prec[0], 1341 maybesign, maybebase); 1342 if (dir.prec[0] == dir.prec[1]) 1343 res.range.max = res.range.min; 1344 else 1345 res.range.max = tree_digits (arg, base, dir.prec[1], 1346 maybesign, maybebase); 1347 res.range.likely = res.range.min; 1348 res.knownrange = true; 1349 } 1350 1351 res.range.unlikely = res.range.max; 1352 1353 /* Bump up the counters if WIDTH is greater than LEN. */ 1354 res.adjust_for_width_or_precision (dir.width, dirtype, base, 1355 (sign | maybebase) + (base == 16)); 1356 /* Bump up the counters again if PRECision is greater still. */ 1357 res.adjust_for_width_or_precision (dir.prec, dirtype, base, 1358 (sign | maybebase) + (base == 16)); 1359 1360 return res; 1361 } 1362 else if (INTEGRAL_TYPE_P (TREE_TYPE (arg)) 1363 || TREE_CODE (TREE_TYPE (arg)) == POINTER_TYPE) 1364 /* Determine the type of the provided non-constant argument. */ 1365 argtype = TREE_TYPE (arg); 1366 else 1367 /* Don't bother with invalid arguments since they likely would 1368 have already been diagnosed, and disable any further checking 1369 of the format string by returning [-1, -1]. */ 1370 return fmtresult (); 1371 1372 fmtresult res; 1373 1374 /* Using either the range the non-constant argument is in, or its 1375 type (either "formal" or actual), create a range of values that 1376 constrain the length of output given the warning level. */ 1377 tree argmin = NULL_TREE; 1378 tree argmax = NULL_TREE; 1379 1380 if (arg 1381 && TREE_CODE (arg) == SSA_NAME 1382 && INTEGRAL_TYPE_P (argtype)) 1383 { 1384 /* Try to determine the range of values of the integer argument 1385 (range information is not available for pointers). */ 1386 value_range *vr = vr_values->get_value_range (arg); 1387 if (range_int_cst_p (vr)) 1388 { 1389 argmin = vr->min (); 1390 argmax = vr->max (); 1391 1392 /* Set KNOWNRANGE if the argument is in a known subrange 1393 of the directive's type and neither width nor precision 1394 is unknown. (KNOWNRANGE may be reset below). */ 1395 res.knownrange 1396 = ((!tree_int_cst_equal (TYPE_MIN_VALUE (dirtype), argmin) 1397 || !tree_int_cst_equal (TYPE_MAX_VALUE (dirtype), argmax)) 1398 && dir.known_width_and_precision ()); 1399 1400 res.argmin = argmin; 1401 res.argmax = argmax; 1402 } 1403 else if (vr->kind () == VR_ANTI_RANGE) 1404 { 1405 /* Handle anti-ranges if/when bug 71690 is resolved. */ 1406 } 1407 else if (vr->varying_p () || vr->undefined_p ()) 1408 { 1409 /* The argument here may be the result of promoting the actual 1410 argument to int. Try to determine the type of the actual 1411 argument before promotion and narrow down its range that 1412 way. */ 1413 gimple *def = SSA_NAME_DEF_STMT (arg); 1414 if (is_gimple_assign (def)) 1415 { 1416 tree_code code = gimple_assign_rhs_code (def); 1417 if (code == INTEGER_CST) 1418 { 1419 arg = gimple_assign_rhs1 (def); 1420 return format_integer (dir, arg, vr_values); 1421 } 1422 1423 if (code == NOP_EXPR) 1424 { 1425 tree type = TREE_TYPE (gimple_assign_rhs1 (def)); 1426 if (INTEGRAL_TYPE_P (type) 1427 || TREE_CODE (type) == POINTER_TYPE) 1428 argtype = type; 1429 } 1430 } 1431 } 1432 } 1433 1434 if (!argmin) 1435 { 1436 if (TREE_CODE (argtype) == POINTER_TYPE) 1437 { 1438 argmin = build_int_cst (pointer_sized_int_node, 0); 1439 argmax = build_all_ones_cst (pointer_sized_int_node); 1440 } 1441 else 1442 { 1443 argmin = TYPE_MIN_VALUE (argtype); 1444 argmax = TYPE_MAX_VALUE (argtype); 1445 } 1446 } 1447 1448 /* Clear KNOWNRANGE if the range has been adjusted to the maximum 1449 of the directive. If it has been cleared then since ARGMIN and/or 1450 ARGMAX have been adjusted also adjust the corresponding ARGMIN and 1451 ARGMAX in the result to include in diagnostics. */ 1452 if (adjust_range_for_overflow (dirtype, &argmin, &argmax)) 1453 { 1454 res.knownrange = false; 1455 res.argmin = argmin; 1456 res.argmax = argmax; 1457 } 1458 1459 /* Recursively compute the minimum and maximum from the known range. */ 1460 if (TYPE_UNSIGNED (dirtype) || tree_int_cst_sgn (argmin) >= 0) 1461 { 1462 /* For unsigned conversions/directives or signed when 1463 the minimum is positive, use the minimum and maximum to compute 1464 the shortest and longest output, respectively. */ 1465 res.range.min = format_integer (dir, argmin, vr_values).range.min; 1466 res.range.max = format_integer (dir, argmax, vr_values).range.max; 1467 } 1468 else if (tree_int_cst_sgn (argmax) < 0) 1469 { 1470 /* For signed conversions/directives if maximum is negative, 1471 use the minimum as the longest output and maximum as the 1472 shortest output. */ 1473 res.range.min = format_integer (dir, argmax, vr_values).range.min; 1474 res.range.max = format_integer (dir, argmin, vr_values).range.max; 1475 } 1476 else 1477 { 1478 /* Otherwise, 0 is inside of the range and minimum negative. Use 0 1479 as the shortest output and for the longest output compute the 1480 length of the output of both minimum and maximum and pick the 1481 longer. */ 1482 unsigned HOST_WIDE_INT max1 1483 = format_integer (dir, argmin, vr_values).range.max; 1484 unsigned HOST_WIDE_INT max2 1485 = format_integer (dir, argmax, vr_values).range.max; 1486 res.range.min 1487 = format_integer (dir, integer_zero_node, vr_values).range.min; 1488 res.range.max = MAX (max1, max2); 1489 } 1490 1491 /* If the range is known, use the maximum as the likely length. */ 1492 if (res.knownrange) 1493 res.range.likely = res.range.max; 1494 else 1495 { 1496 /* Otherwise, use the minimum. Except for the case where for %#x or 1497 %#o the minimum is just for a single value in the range (0) and 1498 for all other values it is something longer, like 0x1 or 01. 1499 Use the length for value 1 in that case instead as the likely 1500 length. */ 1501 res.range.likely = res.range.min; 1502 if (maybebase 1503 && base != 10 1504 && (tree_int_cst_sgn (argmin) < 0 || tree_int_cst_sgn (argmax) > 0)) 1505 { 1506 if (res.range.min == 1) 1507 res.range.likely += base == 8 ? 1 : 2; 1508 else if (res.range.min == 2 1509 && base == 16 1510 && (dir.width[0] == 2 || dir.prec[0] == 2)) 1511 ++res.range.likely; 1512 } 1513 } 1514 1515 res.range.unlikely = res.range.max; 1516 res.adjust_for_width_or_precision (dir.width, dirtype, base, 1517 (sign | maybebase) + (base == 16)); 1518 res.adjust_for_width_or_precision (dir.prec, dirtype, base, 1519 (sign | maybebase) + (base == 16)); 1520 1521 return res; 1522 } 1523 1524 /* Return the number of bytes that a format directive consisting of FLAGS, 1525 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC, 1526 would result for argument X under ideal conditions (i.e., if PREC 1527 weren't excessive). MPFR 3.1 allocates large amounts of memory for 1528 values of PREC with large magnitude and can fail (see MPFR bug #21056). 1529 This function works around those problems. */ 1530 1531 static unsigned HOST_WIDE_INT 1532 get_mpfr_format_length (mpfr_ptr x, const char *flags, HOST_WIDE_INT prec, 1533 char spec, char rndspec) 1534 { 1535 char fmtstr[40]; 1536 1537 HOST_WIDE_INT len = strlen (flags); 1538 1539 fmtstr[0] = '%'; 1540 memcpy (fmtstr + 1, flags, len); 1541 memcpy (fmtstr + 1 + len, ".*R", 3); 1542 fmtstr[len + 4] = rndspec; 1543 fmtstr[len + 5] = spec; 1544 fmtstr[len + 6] = '\0'; 1545 1546 spec = TOUPPER (spec); 1547 if (spec == 'E' || spec == 'F') 1548 { 1549 /* For %e, specify the precision explicitly since mpfr_sprintf 1550 does its own thing just to be different (see MPFR bug 21088). */ 1551 if (prec < 0) 1552 prec = 6; 1553 } 1554 else 1555 { 1556 /* Avoid passing negative precisions with larger magnitude to MPFR 1557 to avoid exposing its bugs. (A negative precision is supposed 1558 to be ignored.) */ 1559 if (prec < 0) 1560 prec = -1; 1561 } 1562 1563 HOST_WIDE_INT p = prec; 1564 1565 if (spec == 'G' && !strchr (flags, '#')) 1566 { 1567 /* For G/g without the pound flag, precision gives the maximum number 1568 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for 1569 a 128 bit IEEE extended precision, 4932. Using twice as much here 1570 should be more than sufficient for any real format. */ 1571 if ((IEEE_MAX_10_EXP * 2) < prec) 1572 prec = IEEE_MAX_10_EXP * 2; 1573 p = prec; 1574 } 1575 else 1576 { 1577 /* Cap precision arbitrarily at 1KB and add the difference 1578 (if any) to the MPFR result. */ 1579 if (prec > 1024) 1580 p = 1024; 1581 } 1582 1583 len = mpfr_snprintf (NULL, 0, fmtstr, (int)p, x); 1584 1585 /* Handle the unlikely (impossible?) error by returning more than 1586 the maximum dictated by the function's return type. */ 1587 if (len < 0) 1588 return target_dir_max () + 1; 1589 1590 /* Adjust the return value by the difference. */ 1591 if (p < prec) 1592 len += prec - p; 1593 1594 return len; 1595 } 1596 1597 /* Return the number of bytes to format using the format specifier 1598 SPEC and the precision PREC the largest value in the real floating 1599 TYPE. */ 1600 1601 static unsigned HOST_WIDE_INT 1602 format_floating_max (tree type, char spec, HOST_WIDE_INT prec) 1603 { 1604 machine_mode mode = TYPE_MODE (type); 1605 1606 /* IBM Extended mode. */ 1607 if (MODE_COMPOSITE_P (mode)) 1608 mode = DFmode; 1609 1610 /* Get the real type format desription for the target. */ 1611 const real_format *rfmt = REAL_MODE_FORMAT (mode); 1612 REAL_VALUE_TYPE rv; 1613 1614 real_maxval (&rv, 0, mode); 1615 1616 /* Convert the GCC real value representation with the precision 1617 of the real type to the mpfr_t format with the GCC default 1618 round-to-nearest mode. */ 1619 mpfr_t x; 1620 mpfr_init2 (x, rfmt->p); 1621 mpfr_from_real (x, &rv, GMP_RNDN); 1622 1623 /* Return a value one greater to account for the leading minus sign. */ 1624 unsigned HOST_WIDE_INT r 1625 = 1 + get_mpfr_format_length (x, "", prec, spec, 'D'); 1626 mpfr_clear (x); 1627 return r; 1628 } 1629 1630 /* Return a range representing the minimum and maximum number of bytes 1631 that the directive DIR will output for any argument. PREC gives 1632 the adjusted precision range to account for negative precisions 1633 meaning the default 6. This function is used when the directive 1634 argument or its value isn't known. */ 1635 1636 static fmtresult 1637 format_floating (const directive &dir, const HOST_WIDE_INT prec[2]) 1638 { 1639 tree type; 1640 1641 switch (dir.modifier) 1642 { 1643 case FMT_LEN_l: 1644 case FMT_LEN_none: 1645 type = double_type_node; 1646 break; 1647 1648 case FMT_LEN_L: 1649 type = long_double_type_node; 1650 break; 1651 1652 case FMT_LEN_ll: 1653 type = long_double_type_node; 1654 break; 1655 1656 default: 1657 return fmtresult (); 1658 } 1659 1660 /* The minimum and maximum number of bytes produced by the directive. */ 1661 fmtresult res; 1662 1663 /* The minimum output as determined by flags. It's always at least 1. 1664 When plus or space are set the output is preceded by either a sign 1665 or a space. */ 1666 unsigned flagmin = (1 /* for the first digit */ 1667 + (dir.get_flag ('+') | dir.get_flag (' '))); 1668 1669 /* The minimum is 3 for "inf" and "nan" for all specifiers, plus 1 1670 for the plus sign/space with the '+' and ' ' flags, respectively, 1671 unless reduced below. */ 1672 res.range.min = 2 + flagmin; 1673 1674 /* When the pound flag is set the decimal point is included in output 1675 regardless of precision. Whether or not a decimal point is included 1676 otherwise depends on the specification and precision. */ 1677 bool radix = dir.get_flag ('#'); 1678 1679 switch (dir.specifier) 1680 { 1681 case 'A': 1682 case 'a': 1683 { 1684 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */; 1685 if (dir.prec[0] <= 0) 1686 minprec = 0; 1687 else if (dir.prec[0] > 0) 1688 minprec = dir.prec[0] + !radix /* decimal point */; 1689 1690 res.range.likely = (2 /* 0x */ 1691 + flagmin 1692 + radix 1693 + minprec 1694 + 3 /* p+0 */); 1695 1696 res.range.max = format_floating_max (type, 'a', prec[1]); 1697 1698 /* The unlikely maximum accounts for the longest multibyte 1699 decimal point character. */ 1700 res.range.unlikely = res.range.max; 1701 if (dir.prec[1] > 0) 1702 res.range.unlikely += target_mb_len_max () - 1; 1703 1704 break; 1705 } 1706 1707 case 'E': 1708 case 'e': 1709 { 1710 /* Minimum output attributable to precision and, when it's 1711 non-zero, decimal point. */ 1712 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0; 1713 1714 /* The likely minimum output is "[-+]1.234567e+00" regardless 1715 of the value of the actual argument. */ 1716 res.range.likely = (flagmin 1717 + radix 1718 + minprec 1719 + 2 /* e+ */ + 2); 1720 1721 res.range.max = format_floating_max (type, 'e', prec[1]); 1722 1723 /* The unlikely maximum accounts for the longest multibyte 1724 decimal point character. */ 1725 if (dir.prec[0] != dir.prec[1] 1726 || dir.prec[0] == -1 || dir.prec[0] > 0) 1727 res.range.unlikely = res.range.max + target_mb_len_max () -1; 1728 else 1729 res.range.unlikely = res.range.max; 1730 break; 1731 } 1732 1733 case 'F': 1734 case 'f': 1735 { 1736 /* Minimum output attributable to precision and, when it's non-zero, 1737 decimal point. */ 1738 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0; 1739 1740 /* For finite numbers (i.e., not infinity or NaN) the lower bound 1741 when precision isn't specified is 8 bytes ("1.23456" since 1742 precision is taken to be 6). When precision is zero, the lower 1743 bound is 1 byte (e.g., "1"). Otherwise, when precision is greater 1744 than zero, then the lower bound is 2 plus precision (plus flags). 1745 But in all cases, the lower bound is no greater than 3. */ 1746 unsigned HOST_WIDE_INT min = flagmin + radix + minprec; 1747 if (min < res.range.min) 1748 res.range.min = min; 1749 1750 /* Compute the upper bound for -TYPE_MAX. */ 1751 res.range.max = format_floating_max (type, 'f', prec[1]); 1752 1753 /* The minimum output with unknown precision is a single byte 1754 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */ 1755 if (dir.prec[0] < 0 && dir.prec[1] > 0) 1756 res.range.likely = 3; 1757 else 1758 res.range.likely = min; 1759 1760 /* The unlikely maximum accounts for the longest multibyte 1761 decimal point character. */ 1762 if (dir.prec[0] != dir.prec[1] 1763 || dir.prec[0] == -1 || dir.prec[0] > 0) 1764 res.range.unlikely = res.range.max + target_mb_len_max () - 1; 1765 break; 1766 } 1767 1768 case 'G': 1769 case 'g': 1770 { 1771 /* The %g output depends on precision and the exponent of 1772 the argument. Since the value of the argument isn't known 1773 the lower bound on the range of bytes (not counting flags 1774 or width) is 1 plus radix (i.e., either "0" or "0." for 1775 "%g" and "%#g", respectively, with a zero argument). */ 1776 unsigned HOST_WIDE_INT min = flagmin + radix; 1777 if (min < res.range.min) 1778 res.range.min = min; 1779 1780 char spec = 'g'; 1781 HOST_WIDE_INT maxprec = dir.prec[1]; 1782 if (radix && maxprec) 1783 { 1784 /* When the pound flag (radix) is set, trailing zeros aren't 1785 trimmed and so the longest output is the same as for %e, 1786 except with precision minus 1 (as specified in C11). */ 1787 spec = 'e'; 1788 if (maxprec > 0) 1789 --maxprec; 1790 else if (maxprec < 0) 1791 maxprec = 5; 1792 } 1793 else 1794 maxprec = prec[1]; 1795 1796 res.range.max = format_floating_max (type, spec, maxprec); 1797 1798 /* The likely output is either the maximum computed above 1799 minus 1 (assuming the maximum is positive) when precision 1800 is known (or unspecified), or the same minimum as for %e 1801 (which is computed for a non-negative argument). Unlike 1802 for the other specifiers above the likely output isn't 1803 the minimum because for %g that's 1 which is unlikely. */ 1804 if (dir.prec[1] < 0 1805 || (unsigned HOST_WIDE_INT)dir.prec[1] < target_int_max ()) 1806 res.range.likely = res.range.max - 1; 1807 else 1808 { 1809 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */; 1810 res.range.likely = (flagmin 1811 + radix 1812 + minprec 1813 + 2 /* e+ */ + 2); 1814 } 1815 1816 /* The unlikely maximum accounts for the longest multibyte 1817 decimal point character. */ 1818 res.range.unlikely = res.range.max + target_mb_len_max () - 1; 1819 break; 1820 } 1821 1822 default: 1823 return fmtresult (); 1824 } 1825 1826 /* Bump up the byte counters if WIDTH is greater. */ 1827 res.adjust_for_width_or_precision (dir.width); 1828 return res; 1829 } 1830 1831 /* Return a range representing the minimum and maximum number of bytes 1832 that the directive DIR will write on output for the floating argument 1833 ARG. */ 1834 1835 static fmtresult 1836 format_floating (const directive &dir, tree arg, vr_values *) 1837 { 1838 HOST_WIDE_INT prec[] = { dir.prec[0], dir.prec[1] }; 1839 tree type = (dir.modifier == FMT_LEN_L || dir.modifier == FMT_LEN_ll 1840 ? long_double_type_node : double_type_node); 1841 1842 /* For an indeterminate precision the lower bound must be assumed 1843 to be zero. */ 1844 if (TOUPPER (dir.specifier) == 'A') 1845 { 1846 /* Get the number of fractional decimal digits needed to represent 1847 the argument without a loss of accuracy. */ 1848 unsigned fmtprec 1849 = REAL_MODE_FORMAT (TYPE_MODE (type))->p; 1850 1851 /* The precision of the IEEE 754 double format is 53. 1852 The precision of all other GCC binary double formats 1853 is 56 or less. */ 1854 unsigned maxprec = fmtprec <= 56 ? 13 : 15; 1855 1856 /* For %a, leave the minimum precision unspecified to let 1857 MFPR trim trailing zeros (as it and many other systems 1858 including Glibc happen to do) and set the maximum 1859 precision to reflect what it would be with trailing zeros 1860 present (as Solaris and derived systems do). */ 1861 if (dir.prec[1] < 0) 1862 { 1863 /* Both bounds are negative implies that precision has 1864 not been specified. */ 1865 prec[0] = maxprec; 1866 prec[1] = -1; 1867 } 1868 else if (dir.prec[0] < 0) 1869 { 1870 /* With a negative lower bound and a non-negative upper 1871 bound set the minimum precision to zero and the maximum 1872 to the greater of the maximum precision (i.e., with 1873 trailing zeros present) and the specified upper bound. */ 1874 prec[0] = 0; 1875 prec[1] = dir.prec[1] < maxprec ? maxprec : dir.prec[1]; 1876 } 1877 } 1878 else if (dir.prec[0] < 0) 1879 { 1880 if (dir.prec[1] < 0) 1881 { 1882 /* A precision in a strictly negative range is ignored and 1883 the default of 6 is used instead. */ 1884 prec[0] = prec[1] = 6; 1885 } 1886 else 1887 { 1888 /* For a precision in a partly negative range, the lower bound 1889 must be assumed to be zero and the new upper bound is the 1890 greater of 6 (the default precision used when the specified 1891 precision is negative) and the upper bound of the specified 1892 range. */ 1893 prec[0] = 0; 1894 prec[1] = dir.prec[1] < 6 ? 6 : dir.prec[1]; 1895 } 1896 } 1897 1898 if (!arg 1899 || TREE_CODE (arg) != REAL_CST 1900 || !useless_type_conversion_p (type, TREE_TYPE (arg))) 1901 return format_floating (dir, prec); 1902 1903 /* The minimum and maximum number of bytes produced by the directive. */ 1904 fmtresult res; 1905 1906 /* Get the real type format desription for the target. */ 1907 const REAL_VALUE_TYPE *rvp = TREE_REAL_CST_PTR (arg); 1908 const real_format *rfmt = REAL_MODE_FORMAT (TYPE_MODE (TREE_TYPE (arg))); 1909 1910 if (!real_isfinite (rvp)) 1911 { 1912 /* The format for Infinity and NaN is "[-]inf"/"[-]infinity" 1913 and "[-]nan" with the choice being implementation-defined 1914 but not locale dependent. */ 1915 bool sign = dir.get_flag ('+') || real_isneg (rvp); 1916 res.range.min = 3 + sign; 1917 1918 res.range.likely = res.range.min; 1919 res.range.max = res.range.min; 1920 /* The unlikely maximum is "[-/+]infinity" or "[-/+][qs]nan". 1921 For NaN, the C/POSIX standards specify two formats: 1922 "[-/+]nan" 1923 and 1924 "[-/+]nan(n-char-sequence)" 1925 No known printf implementation outputs the latter format but AIX 1926 outputs QNaN and SNaN for quiet and signalling NaN, respectively, 1927 so the unlikely maximum reflects that. */ 1928 res.range.unlikely = sign + (real_isinf (rvp) ? 8 : 4); 1929 1930 /* The range for infinity and NaN is known unless either width 1931 or precision is unknown. Width has the same effect regardless 1932 of whether the argument is finite. Precision is either ignored 1933 (e.g., Glibc) or can have an effect on the short vs long format 1934 such as inf/infinity (e.g., Solaris). */ 1935 res.knownrange = dir.known_width_and_precision (); 1936 1937 /* Adjust the range for width but ignore precision. */ 1938 res.adjust_for_width_or_precision (dir.width); 1939 1940 return res; 1941 } 1942 1943 char fmtstr [40]; 1944 char *pfmt = fmtstr; 1945 1946 /* Append flags. */ 1947 for (const char *pf = "-+ #0"; *pf; ++pf) 1948 if (dir.get_flag (*pf)) 1949 *pfmt++ = *pf; 1950 1951 *pfmt = '\0'; 1952 1953 { 1954 /* Set up an array to easily iterate over. */ 1955 unsigned HOST_WIDE_INT* const minmax[] = { 1956 &res.range.min, &res.range.max 1957 }; 1958 1959 for (int i = 0; i != sizeof minmax / sizeof *minmax; ++i) 1960 { 1961 /* Convert the GCC real value representation with the precision 1962 of the real type to the mpfr_t format rounding down in the 1963 first iteration that computes the minimm and up in the second 1964 that computes the maximum. This order is arbibtrary because 1965 rounding in either direction can result in longer output. */ 1966 mpfr_t mpfrval; 1967 mpfr_init2 (mpfrval, rfmt->p); 1968 mpfr_from_real (mpfrval, rvp, i ? GMP_RNDU : GMP_RNDD); 1969 1970 /* Use the MPFR rounding specifier to round down in the first 1971 iteration and then up. In most but not all cases this will 1972 result in the same number of bytes. */ 1973 char rndspec = "DU"[i]; 1974 1975 /* Format it and store the result in the corresponding member 1976 of the result struct. */ 1977 *minmax[i] = get_mpfr_format_length (mpfrval, fmtstr, prec[i], 1978 dir.specifier, rndspec); 1979 mpfr_clear (mpfrval); 1980 } 1981 } 1982 1983 /* Make sure the minimum is less than the maximum (MPFR rounding 1984 in the call to mpfr_snprintf can result in the reverse. */ 1985 if (res.range.max < res.range.min) 1986 { 1987 unsigned HOST_WIDE_INT tmp = res.range.min; 1988 res.range.min = res.range.max; 1989 res.range.max = tmp; 1990 } 1991 1992 /* The range is known unless either width or precision is unknown. */ 1993 res.knownrange = dir.known_width_and_precision (); 1994 1995 /* For the same floating point constant, unless width or precision 1996 is unknown, use the longer output as the likely maximum since 1997 with round to nearest either is equally likely. Otheriwse, when 1998 precision is unknown, use the greater of the minimum and 3 as 1999 the likely output (for "0.0" since zero precision is unlikely). */ 2000 if (res.knownrange) 2001 res.range.likely = res.range.max; 2002 else if (res.range.min < 3 2003 && dir.prec[0] < 0 2004 && (unsigned HOST_WIDE_INT)dir.prec[1] == target_int_max ()) 2005 res.range.likely = 3; 2006 else 2007 res.range.likely = res.range.min; 2008 2009 res.range.unlikely = res.range.max; 2010 2011 if (res.range.max > 2 && (prec[0] != 0 || prec[1] != 0)) 2012 { 2013 /* Unless the precision is zero output longer than 2 bytes may 2014 include the decimal point which must be a single character 2015 up to MB_LEN_MAX in length. This is overly conservative 2016 since in some conversions some constants result in no decimal 2017 point (e.g., in %g). */ 2018 res.range.unlikely += target_mb_len_max () - 1; 2019 } 2020 2021 res.adjust_for_width_or_precision (dir.width); 2022 return res; 2023 } 2024 2025 /* Return a FMTRESULT struct set to the lengths of the shortest and longest 2026 strings referenced by the expression STR, or (-1, -1) when not known. 2027 Used by the format_string function below. */ 2028 2029 static fmtresult 2030 get_string_length (tree str, unsigned eltsize) 2031 { 2032 if (!str) 2033 return fmtresult (); 2034 2035 /* Determine the length of the shortest and longest string referenced 2036 by STR. Strings of unknown lengths are bounded by the sizes of 2037 arrays that subexpressions of STR may refer to. Pointers that 2038 aren't known to point any such arrays result in LENDATA.MAXLEN 2039 set to SIZE_MAX. */ 2040 c_strlen_data lendata = { }; 2041 get_range_strlen (str, &lendata, eltsize); 2042 2043 /* Return the default result when nothing is known about the string. */ 2044 if (integer_all_onesp (lendata.maxbound) 2045 && integer_all_onesp (lendata.maxlen)) 2046 return fmtresult (); 2047 2048 HOST_WIDE_INT min 2049 = (tree_fits_uhwi_p (lendata.minlen) 2050 ? tree_to_uhwi (lendata.minlen) 2051 : 0); 2052 2053 HOST_WIDE_INT max 2054 = (tree_fits_uhwi_p (lendata.maxbound) 2055 ? tree_to_uhwi (lendata.maxbound) 2056 : HOST_WIDE_INT_M1U); 2057 2058 const bool unbounded = integer_all_onesp (lendata.maxlen); 2059 2060 /* Set the max/likely counters to unbounded when a minimum is known 2061 but the maximum length isn't bounded. This implies that STR is 2062 a conditional expression involving a string of known length and 2063 and an expression of unknown/unbounded length. */ 2064 if (min 2065 && (unsigned HOST_WIDE_INT)min < HOST_WIDE_INT_M1U 2066 && unbounded) 2067 max = HOST_WIDE_INT_M1U; 2068 2069 /* get_range_strlen() returns the target value of SIZE_MAX for 2070 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U 2071 which may be bigger. */ 2072 if ((unsigned HOST_WIDE_INT)min == target_size_max ()) 2073 min = HOST_WIDE_INT_M1U; 2074 if ((unsigned HOST_WIDE_INT)max == target_size_max ()) 2075 max = HOST_WIDE_INT_M1U; 2076 2077 fmtresult res (min, max); 2078 res.nonstr = lendata.decl; 2079 2080 /* Set RES.KNOWNRANGE to true if and only if all strings referenced 2081 by STR are known to be bounded (though not necessarily by their 2082 actual length but perhaps by their maximum possible length). */ 2083 if (res.range.max < target_int_max ()) 2084 { 2085 res.knownrange = true; 2086 /* When the the length of the longest string is known and not 2087 excessive use it as the likely length of the string(s). */ 2088 res.range.likely = res.range.max; 2089 } 2090 else 2091 { 2092 /* When the upper bound is unknown (it can be zero or excessive) 2093 set the likely length to the greater of 1 and the length of 2094 the shortest string and reset the lower bound to zero. */ 2095 res.range.likely = res.range.min ? res.range.min : warn_level > 1; 2096 res.range.min = 0; 2097 } 2098 2099 res.range.unlikely = unbounded ? HOST_WIDE_INT_MAX : res.range.max; 2100 2101 return res; 2102 } 2103 2104 /* Return the minimum and maximum number of characters formatted 2105 by the '%c' format directives and its wide character form for 2106 the argument ARG. ARG can be null (for functions such as 2107 vsprinf). */ 2108 2109 static fmtresult 2110 format_character (const directive &dir, tree arg, vr_values *vr_values) 2111 { 2112 fmtresult res; 2113 2114 res.knownrange = true; 2115 2116 if (dir.specifier == 'C' 2117 || dir.modifier == FMT_LEN_l) 2118 { 2119 /* A wide character can result in as few as zero bytes. */ 2120 res.range.min = 0; 2121 2122 HOST_WIDE_INT min, max; 2123 if (get_int_range (arg, &min, &max, false, 0, vr_values)) 2124 { 2125 if (min == 0 && max == 0) 2126 { 2127 /* The NUL wide character results in no bytes. */ 2128 res.range.max = 0; 2129 res.range.likely = 0; 2130 res.range.unlikely = 0; 2131 } 2132 else if (min >= 0 && min < 128) 2133 { 2134 /* Be conservative if the target execution character set 2135 is not a 1-to-1 mapping to the source character set or 2136 if the source set is not ASCII. */ 2137 bool one_2_one_ascii 2138 = (target_to_host_charmap[0] == 1 && target_to_host ('a') == 97); 2139 2140 /* A wide character in the ASCII range most likely results 2141 in a single byte, and only unlikely in up to MB_LEN_MAX. */ 2142 res.range.max = one_2_one_ascii ? 1 : target_mb_len_max ();; 2143 res.range.likely = 1; 2144 res.range.unlikely = target_mb_len_max (); 2145 res.mayfail = !one_2_one_ascii; 2146 } 2147 else 2148 { 2149 /* A wide character outside the ASCII range likely results 2150 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */ 2151 res.range.max = target_mb_len_max (); 2152 res.range.likely = 2; 2153 res.range.unlikely = res.range.max; 2154 /* Converting such a character may fail. */ 2155 res.mayfail = true; 2156 } 2157 } 2158 else 2159 { 2160 /* An unknown wide character is treated the same as a wide 2161 character outside the ASCII range. */ 2162 res.range.max = target_mb_len_max (); 2163 res.range.likely = 2; 2164 res.range.unlikely = res.range.max; 2165 res.mayfail = true; 2166 } 2167 } 2168 else 2169 { 2170 /* A plain '%c' directive. Its ouput is exactly 1. */ 2171 res.range.min = res.range.max = 1; 2172 res.range.likely = res.range.unlikely = 1; 2173 res.knownrange = true; 2174 } 2175 2176 /* Bump up the byte counters if WIDTH is greater. */ 2177 return res.adjust_for_width_or_precision (dir.width); 2178 } 2179 2180 /* Return the minimum and maximum number of characters formatted 2181 by the '%s' format directive and its wide character form for 2182 the argument ARG. ARG can be null (for functions such as 2183 vsprinf). */ 2184 2185 static fmtresult 2186 format_string (const directive &dir, tree arg, vr_values *) 2187 { 2188 fmtresult res; 2189 2190 /* Compute the range the argument's length can be in. */ 2191 int count_by = 1; 2192 if (dir.specifier == 'S' || dir.modifier == FMT_LEN_l) 2193 { 2194 /* Get a node for a C type that will be the same size 2195 as a wchar_t on the target. */ 2196 tree node = get_typenode_from_name (MODIFIED_WCHAR_TYPE); 2197 2198 /* Now that we have a suitable node, get the number of 2199 bytes it occupies. */ 2200 count_by = int_size_in_bytes (node); 2201 gcc_checking_assert (count_by == 2 || count_by == 4); 2202 } 2203 2204 fmtresult slen = get_string_length (arg, count_by); 2205 if (slen.range.min == slen.range.max 2206 && slen.range.min < HOST_WIDE_INT_MAX) 2207 { 2208 /* The argument is either a string constant or it refers 2209 to one of a number of strings of the same length. */ 2210 2211 /* A '%s' directive with a string argument with constant length. */ 2212 res.range = slen.range; 2213 2214 if (dir.specifier == 'S' 2215 || dir.modifier == FMT_LEN_l) 2216 { 2217 /* In the worst case the length of output of a wide string S 2218 is bounded by MB_LEN_MAX * wcslen (S). */ 2219 res.range.max *= target_mb_len_max (); 2220 res.range.unlikely = res.range.max; 2221 /* It's likely that the the total length is not more that 2222 2 * wcslen (S).*/ 2223 res.range.likely = res.range.min * 2; 2224 2225 if (dir.prec[1] >= 0 2226 && (unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max) 2227 { 2228 res.range.max = dir.prec[1]; 2229 res.range.likely = dir.prec[1]; 2230 res.range.unlikely = dir.prec[1]; 2231 } 2232 2233 if (dir.prec[0] < 0 && dir.prec[1] > -1) 2234 res.range.min = 0; 2235 else if (dir.prec[0] >= 0) 2236 res.range.likely = dir.prec[0]; 2237 2238 /* Even a non-empty wide character string need not convert into 2239 any bytes. */ 2240 res.range.min = 0; 2241 2242 /* A non-empty wide character conversion may fail. */ 2243 if (slen.range.max > 0) 2244 res.mayfail = true; 2245 } 2246 else 2247 { 2248 res.knownrange = true; 2249 2250 if (dir.prec[0] < 0 && dir.prec[1] > -1) 2251 res.range.min = 0; 2252 else if ((unsigned HOST_WIDE_INT)dir.prec[0] < res.range.min) 2253 res.range.min = dir.prec[0]; 2254 2255 if ((unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max) 2256 { 2257 res.range.max = dir.prec[1]; 2258 res.range.likely = dir.prec[1]; 2259 res.range.unlikely = dir.prec[1]; 2260 } 2261 } 2262 } 2263 else if (arg && integer_zerop (arg)) 2264 { 2265 /* Handle null pointer argument. */ 2266 2267 fmtresult res (0); 2268 res.nullp = true; 2269 return res; 2270 } 2271 else 2272 { 2273 /* For a '%s' and '%ls' directive with a non-constant string (either 2274 one of a number of strings of known length or an unknown string) 2275 the minimum number of characters is lesser of PRECISION[0] and 2276 the length of the shortest known string or zero, and the maximum 2277 is the lessser of the length of the longest known string or 2278 PTRDIFF_MAX and PRECISION[1]. The likely length is either 2279 the minimum at level 1 and the greater of the minimum and 1 2280 at level 2. This result is adjust upward for width (if it's 2281 specified). */ 2282 2283 if (dir.specifier == 'S' 2284 || dir.modifier == FMT_LEN_l) 2285 { 2286 /* A wide character converts to as few as zero bytes. */ 2287 slen.range.min = 0; 2288 if (slen.range.max < target_int_max ()) 2289 slen.range.max *= target_mb_len_max (); 2290 2291 if (slen.range.likely < target_int_max ()) 2292 slen.range.likely *= 2; 2293 2294 if (slen.range.likely < target_int_max ()) 2295 slen.range.unlikely *= target_mb_len_max (); 2296 2297 /* A non-empty wide character conversion may fail. */ 2298 if (slen.range.max > 0) 2299 res.mayfail = true; 2300 } 2301 2302 res.range = slen.range; 2303 2304 if (dir.prec[0] >= 0) 2305 { 2306 /* Adjust the minimum to zero if the string length is unknown, 2307 or at most the lower bound of the precision otherwise. */ 2308 if (slen.range.min >= target_int_max ()) 2309 res.range.min = 0; 2310 else if ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.min) 2311 res.range.min = dir.prec[0]; 2312 2313 /* Make both maxima no greater than the upper bound of precision. */ 2314 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max 2315 || slen.range.max >= target_int_max ()) 2316 { 2317 res.range.max = dir.prec[1]; 2318 res.range.unlikely = dir.prec[1]; 2319 } 2320 2321 /* If precision is constant, set the likely counter to the lesser 2322 of it and the maximum string length. Otherwise, if the lower 2323 bound of precision is greater than zero, set the likely counter 2324 to the minimum. Otherwise set it to zero or one based on 2325 the warning level. */ 2326 if (dir.prec[0] == dir.prec[1]) 2327 res.range.likely 2328 = ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.max 2329 ? dir.prec[0] : slen.range.max); 2330 else if (dir.prec[0] > 0) 2331 res.range.likely = res.range.min; 2332 else 2333 res.range.likely = warn_level > 1; 2334 } 2335 else if (dir.prec[1] >= 0) 2336 { 2337 res.range.min = 0; 2338 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max) 2339 res.range.max = dir.prec[1]; 2340 res.range.likely = dir.prec[1] ? warn_level > 1 : 0; 2341 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.unlikely) 2342 res.range.unlikely = dir.prec[1]; 2343 } 2344 else if (slen.range.min >= target_int_max ()) 2345 { 2346 res.range.min = 0; 2347 res.range.max = HOST_WIDE_INT_MAX; 2348 /* At level 1 strings of unknown length are assumed to be 2349 empty, while at level 1 they are assumed to be one byte 2350 long. */ 2351 res.range.likely = warn_level > 1; 2352 res.range.unlikely = HOST_WIDE_INT_MAX; 2353 } 2354 else 2355 { 2356 /* A string of unknown length unconstrained by precision is 2357 assumed to be empty at level 1 and just one character long 2358 at higher levels. */ 2359 if (res.range.likely >= target_int_max ()) 2360 res.range.likely = warn_level > 1; 2361 } 2362 } 2363 2364 /* If the argument isn't a nul-terminated string and the number 2365 of bytes on output isn't bounded by precision, set NONSTR. */ 2366 if (slen.nonstr && slen.range.min < (unsigned HOST_WIDE_INT)dir.prec[0]) 2367 res.nonstr = slen.nonstr; 2368 2369 /* Bump up the byte counters if WIDTH is greater. */ 2370 return res.adjust_for_width_or_precision (dir.width); 2371 } 2372 2373 /* Format plain string (part of the format string itself). */ 2374 2375 static fmtresult 2376 format_plain (const directive &dir, tree, vr_values *) 2377 { 2378 fmtresult res (dir.len); 2379 return res; 2380 } 2381 2382 /* Return true if the RESULT of a directive in a call describe by INFO 2383 should be diagnosed given the AVAILable space in the destination. */ 2384 2385 static bool 2386 should_warn_p (const sprintf_dom_walker::call_info &info, 2387 const result_range &avail, const result_range &result) 2388 { 2389 if (result.max <= avail.min) 2390 { 2391 /* The least amount of space remaining in the destination is big 2392 enough for the longest output. */ 2393 return false; 2394 } 2395 2396 if (info.bounded) 2397 { 2398 if (warn_format_trunc == 1 && result.min <= avail.max 2399 && info.retval_used ()) 2400 { 2401 /* The likely amount of space remaining in the destination is big 2402 enough for the least output and the return value is used. */ 2403 return false; 2404 } 2405 2406 if (warn_format_trunc == 1 && result.likely <= avail.likely 2407 && !info.retval_used ()) 2408 { 2409 /* The likely amount of space remaining in the destination is big 2410 enough for the likely output and the return value is unused. */ 2411 return false; 2412 } 2413 2414 if (warn_format_trunc == 2 2415 && result.likely <= avail.min 2416 && (result.max <= avail.min 2417 || result.max > HOST_WIDE_INT_MAX)) 2418 { 2419 /* The minimum amount of space remaining in the destination is big 2420 enough for the longest output. */ 2421 return false; 2422 } 2423 } 2424 else 2425 { 2426 if (warn_level == 1 && result.likely <= avail.likely) 2427 { 2428 /* The likely amount of space remaining in the destination is big 2429 enough for the likely output. */ 2430 return false; 2431 } 2432 2433 if (warn_level == 2 2434 && result.likely <= avail.min 2435 && (result.max <= avail.min 2436 || result.max > HOST_WIDE_INT_MAX)) 2437 { 2438 /* The minimum amount of space remaining in the destination is big 2439 enough for the longest output. */ 2440 return false; 2441 } 2442 } 2443 2444 return true; 2445 } 2446 2447 /* At format string location describe by DIRLOC in a call described 2448 by INFO, issue a warning for a directive DIR whose output may be 2449 in excess of the available space AVAIL_RANGE in the destination 2450 given the formatting result FMTRES. This function does nothing 2451 except decide whether to issue a warning for a possible write 2452 past the end or truncation and, if so, format the warning. 2453 Return true if a warning has been issued. */ 2454 2455 static bool 2456 maybe_warn (substring_loc &dirloc, location_t argloc, 2457 const sprintf_dom_walker::call_info &info, 2458 const result_range &avail_range, const result_range &res, 2459 const directive &dir) 2460 { 2461 if (!should_warn_p (info, avail_range, res)) 2462 return false; 2463 2464 /* A warning will definitely be issued below. */ 2465 2466 /* The maximum byte count to reference in the warning. Larger counts 2467 imply that the upper bound is unknown (and could be anywhere between 2468 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather 2469 than "between N and X" where X is some huge number. */ 2470 unsigned HOST_WIDE_INT maxbytes = target_dir_max (); 2471 2472 /* True when there is enough room in the destination for the least 2473 amount of a directive's output but not enough for its likely or 2474 maximum output. */ 2475 bool maybe = (res.min <= avail_range.max 2476 && (avail_range.min < res.likely 2477 || (res.max < HOST_WIDE_INT_MAX 2478 && avail_range.min < res.max))); 2479 2480 /* Buffer for the directive in the host character set (used when 2481 the source character set is different). */ 2482 char hostdir[32]; 2483 2484 if (avail_range.min == avail_range.max) 2485 { 2486 /* The size of the destination region is exact. */ 2487 unsigned HOST_WIDE_INT navail = avail_range.max; 2488 2489 if (target_to_host (*dir.beg) != '%') 2490 { 2491 /* For plain character directives (i.e., the format string itself) 2492 but not others, point the caret at the first character that's 2493 past the end of the destination. */ 2494 if (navail < dir.len) 2495 dirloc.set_caret_index (dirloc.get_caret_idx () + navail); 2496 } 2497 2498 if (*dir.beg == '\0') 2499 { 2500 /* This is the terminating nul. */ 2501 gcc_assert (res.min == 1 && res.min == res.max); 2502 2503 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (), 2504 info.bounded 2505 ? (maybe 2506 ? G_("%qE output may be truncated before the " 2507 "last format character") 2508 : G_("%qE output truncated before the last " 2509 "format character")) 2510 : (maybe 2511 ? G_("%qE may write a terminating nul past the " 2512 "end of the destination") 2513 : G_("%qE writing a terminating nul past the " 2514 "end of the destination")), 2515 info.func); 2516 } 2517 2518 if (res.min == res.max) 2519 { 2520 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg); 2521 if (!info.bounded) 2522 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2523 "%<%.*s%> directive writing %wu byte into a " 2524 "region of size %wu", 2525 "%<%.*s%> directive writing %wu bytes into a " 2526 "region of size %wu", 2527 (int) dir.len, d, res.min, navail); 2528 else if (maybe) 2529 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2530 "%<%.*s%> directive output may be truncated " 2531 "writing %wu byte into a region of size %wu", 2532 "%<%.*s%> directive output may be truncated " 2533 "writing %wu bytes into a region of size %wu", 2534 (int) dir.len, d, res.min, navail); 2535 else 2536 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2537 "%<%.*s%> directive output truncated writing " 2538 "%wu byte into a region of size %wu", 2539 "%<%.*s%> directive output truncated writing " 2540 "%wu bytes into a region of size %wu", 2541 (int) dir.len, d, res.min, navail); 2542 } 2543 if (res.min == 0 && res.max < maxbytes) 2544 return fmtwarn (dirloc, argloc, NULL, 2545 info.warnopt (), 2546 info.bounded 2547 ? (maybe 2548 ? G_("%<%.*s%> directive output may be truncated " 2549 "writing up to %wu bytes into a region of " 2550 "size %wu") 2551 : G_("%<%.*s%> directive output truncated writing " 2552 "up to %wu bytes into a region of size %wu")) 2553 : G_("%<%.*s%> directive writing up to %wu bytes " 2554 "into a region of size %wu"), (int) dir.len, 2555 target_to_host (hostdir, sizeof hostdir, dir.beg), 2556 res.max, navail); 2557 2558 if (res.min == 0 && maxbytes <= res.max) 2559 /* This is a special case to avoid issuing the potentially 2560 confusing warning: 2561 writing 0 or more bytes into a region of size 0. */ 2562 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2563 info.bounded 2564 ? (maybe 2565 ? G_("%<%.*s%> directive output may be truncated " 2566 "writing likely %wu or more bytes into a " 2567 "region of size %wu") 2568 : G_("%<%.*s%> directive output truncated writing " 2569 "likely %wu or more bytes into a region of " 2570 "size %wu")) 2571 : G_("%<%.*s%> directive writing likely %wu or more " 2572 "bytes into a region of size %wu"), (int) dir.len, 2573 target_to_host (hostdir, sizeof hostdir, dir.beg), 2574 res.likely, navail); 2575 2576 if (res.max < maxbytes) 2577 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2578 info.bounded 2579 ? (maybe 2580 ? G_("%<%.*s%> directive output may be truncated " 2581 "writing between %wu and %wu bytes into a " 2582 "region of size %wu") 2583 : G_("%<%.*s%> directive output truncated " 2584 "writing between %wu and %wu bytes into a " 2585 "region of size %wu")) 2586 : G_("%<%.*s%> directive writing between %wu and " 2587 "%wu bytes into a region of size %wu"), 2588 (int) dir.len, 2589 target_to_host (hostdir, sizeof hostdir, dir.beg), 2590 res.min, res.max, navail); 2591 2592 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2593 info.bounded 2594 ? (maybe 2595 ? G_("%<%.*s%> directive output may be truncated " 2596 "writing %wu or more bytes into a region of " 2597 "size %wu") 2598 : G_("%<%.*s%> directive output truncated writing " 2599 "%wu or more bytes into a region of size %wu")) 2600 : G_("%<%.*s%> directive writing %wu or more bytes " 2601 "into a region of size %wu"), (int) dir.len, 2602 target_to_host (hostdir, sizeof hostdir, dir.beg), 2603 res.min, navail); 2604 } 2605 2606 /* The size of the destination region is a range. */ 2607 2608 if (target_to_host (*dir.beg) != '%') 2609 { 2610 unsigned HOST_WIDE_INT navail = avail_range.max; 2611 2612 /* For plain character directives (i.e., the format string itself) 2613 but not others, point the caret at the first character that's 2614 past the end of the destination. */ 2615 if (navail < dir.len) 2616 dirloc.set_caret_index (dirloc.get_caret_idx () + navail); 2617 } 2618 2619 if (*dir.beg == '\0') 2620 { 2621 gcc_assert (res.min == 1 && res.min == res.max); 2622 2623 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (), 2624 info.bounded 2625 ? (maybe 2626 ? G_("%qE output may be truncated before the last " 2627 "format character") 2628 : G_("%qE output truncated before the last format " 2629 "character")) 2630 : (maybe 2631 ? G_("%qE may write a terminating nul past the end " 2632 "of the destination") 2633 : G_("%qE writing a terminating nul past the end " 2634 "of the destination")), info.func); 2635 } 2636 2637 if (res.min == res.max) 2638 { 2639 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg); 2640 if (!info.bounded) 2641 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2642 "%<%.*s%> directive writing %wu byte into a region " 2643 "of size between %wu and %wu", 2644 "%<%.*s%> directive writing %wu bytes into a region " 2645 "of size between %wu and %wu", (int) dir.len, d, 2646 res.min, avail_range.min, avail_range.max); 2647 else if (maybe) 2648 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2649 "%<%.*s%> directive output may be truncated writing " 2650 "%wu byte into a region of size between %wu and %wu", 2651 "%<%.*s%> directive output may be truncated writing " 2652 "%wu bytes into a region of size between %wu and " 2653 "%wu", (int) dir.len, d, res.min, avail_range.min, 2654 avail_range.max); 2655 else 2656 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2657 "%<%.*s%> directive output truncated writing %wu " 2658 "byte into a region of size between %wu and %wu", 2659 "%<%.*s%> directive output truncated writing %wu " 2660 "bytes into a region of size between %wu and %wu", 2661 (int) dir.len, d, res.min, avail_range.min, 2662 avail_range.max); 2663 } 2664 2665 if (res.min == 0 && res.max < maxbytes) 2666 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2667 info.bounded 2668 ? (maybe 2669 ? G_("%<%.*s%> directive output may be truncated " 2670 "writing up to %wu bytes into a region of size " 2671 "between %wu and %wu") 2672 : G_("%<%.*s%> directive output truncated writing " 2673 "up to %wu bytes into a region of size between " 2674 "%wu and %wu")) 2675 : G_("%<%.*s%> directive writing up to %wu bytes " 2676 "into a region of size between %wu and %wu"), 2677 (int) dir.len, 2678 target_to_host (hostdir, sizeof hostdir, dir.beg), 2679 res.max, avail_range.min, avail_range.max); 2680 2681 if (res.min == 0 && maxbytes <= res.max) 2682 /* This is a special case to avoid issuing the potentially confusing 2683 warning: 2684 writing 0 or more bytes into a region of size between 0 and N. */ 2685 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2686 info.bounded 2687 ? (maybe 2688 ? G_("%<%.*s%> directive output may be truncated " 2689 "writing likely %wu or more bytes into a region " 2690 "of size between %wu and %wu") 2691 : G_("%<%.*s%> directive output truncated writing " 2692 "likely %wu or more bytes into a region of size " 2693 "between %wu and %wu")) 2694 : G_("%<%.*s%> directive writing likely %wu or more bytes " 2695 "into a region of size between %wu and %wu"), 2696 (int) dir.len, 2697 target_to_host (hostdir, sizeof hostdir, dir.beg), 2698 res.likely, avail_range.min, avail_range.max); 2699 2700 if (res.max < maxbytes) 2701 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2702 info.bounded 2703 ? (maybe 2704 ? G_("%<%.*s%> directive output may be truncated " 2705 "writing between %wu and %wu bytes into a region " 2706 "of size between %wu and %wu") 2707 : G_("%<%.*s%> directive output truncated writing " 2708 "between %wu and %wu bytes into a region of size " 2709 "between %wu and %wu")) 2710 : G_("%<%.*s%> directive writing between %wu and " 2711 "%wu bytes into a region of size between %wu and " 2712 "%wu"), (int) dir.len, 2713 target_to_host (hostdir, sizeof hostdir, dir.beg), 2714 res.min, res.max, avail_range.min, avail_range.max); 2715 2716 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2717 info.bounded 2718 ? (maybe 2719 ? G_("%<%.*s%> directive output may be truncated writing " 2720 "%wu or more bytes into a region of size between " 2721 "%wu and %wu") 2722 : G_("%<%.*s%> directive output truncated writing " 2723 "%wu or more bytes into a region of size between " 2724 "%wu and %wu")) 2725 : G_("%<%.*s%> directive writing %wu or more bytes " 2726 "into a region of size between %wu and %wu"), 2727 (int) dir.len, 2728 target_to_host (hostdir, sizeof hostdir, dir.beg), 2729 res.min, avail_range.min, avail_range.max); 2730 } 2731 2732 /* Compute the length of the output resulting from the directive DIR 2733 in a call described by INFO and update the overall result of the call 2734 in *RES. Return true if the directive has been handled. */ 2735 2736 static bool 2737 format_directive (const sprintf_dom_walker::call_info &info, 2738 format_result *res, const directive &dir, 2739 class vr_values *vr_values) 2740 { 2741 /* Offset of the beginning of the directive from the beginning 2742 of the format string. */ 2743 size_t offset = dir.beg - info.fmtstr; 2744 size_t start = offset; 2745 size_t length = offset + dir.len - !!dir.len; 2746 2747 /* Create a location for the whole directive from the % to the format 2748 specifier. */ 2749 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format), 2750 offset, start, length); 2751 2752 /* Also get the location of the argument if possible. 2753 This doesn't work for integer literals or function calls. */ 2754 location_t argloc = UNKNOWN_LOCATION; 2755 if (dir.arg) 2756 argloc = EXPR_LOCATION (dir.arg); 2757 2758 /* Bail when there is no function to compute the output length, 2759 or when minimum length checking has been disabled. */ 2760 if (!dir.fmtfunc || res->range.min >= HOST_WIDE_INT_MAX) 2761 return false; 2762 2763 /* Compute the range of lengths of the formatted output. */ 2764 fmtresult fmtres = dir.fmtfunc (dir, dir.arg, vr_values); 2765 2766 /* Record whether the output of all directives is known to be 2767 bounded by some maximum, implying that their arguments are 2768 either known exactly or determined to be in a known range 2769 or, for strings, limited by the upper bounds of the arrays 2770 they refer to. */ 2771 res->knownrange &= fmtres.knownrange; 2772 2773 if (!fmtres.knownrange) 2774 { 2775 /* Only when the range is known, check it against the host value 2776 of INT_MAX + (the number of bytes of the "%.*Lf" directive with 2777 INT_MAX precision, which is the longest possible output of any 2778 single directive). That's the largest valid byte count (though 2779 not valid call to a printf-like function because it can never 2780 return such a count). Otherwise, the range doesn't correspond 2781 to known values of the argument. */ 2782 if (fmtres.range.max > target_dir_max ()) 2783 { 2784 /* Normalize the MAX counter to avoid having to deal with it 2785 later. The counter can be less than HOST_WIDE_INT_M1U 2786 when compiling for an ILP32 target on an LP64 host. */ 2787 fmtres.range.max = HOST_WIDE_INT_M1U; 2788 /* Disable exact and maximum length checking after a failure 2789 to determine the maximum number of characters (for example 2790 for wide characters or wide character strings) but continue 2791 tracking the minimum number of characters. */ 2792 res->range.max = HOST_WIDE_INT_M1U; 2793 } 2794 2795 if (fmtres.range.min > target_dir_max ()) 2796 { 2797 /* Disable exact length checking after a failure to determine 2798 even the minimum number of characters (it shouldn't happen 2799 except in an error) but keep tracking the minimum and maximum 2800 number of characters. */ 2801 return true; 2802 } 2803 } 2804 2805 /* Buffer for the directive in the host character set (used when 2806 the source character set is different). */ 2807 char hostdir[32]; 2808 2809 int dirlen = dir.len; 2810 2811 if (fmtres.nullp) 2812 { 2813 fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2814 "%G%<%.*s%> directive argument is null", 2815 info.callstmt, dirlen, 2816 target_to_host (hostdir, sizeof hostdir, dir.beg)); 2817 2818 /* Don't bother processing the rest of the format string. */ 2819 res->warned = true; 2820 res->range.min = HOST_WIDE_INT_M1U; 2821 res->range.max = HOST_WIDE_INT_M1U; 2822 return false; 2823 } 2824 2825 /* Compute the number of available bytes in the destination. There 2826 must always be at least one byte of space for the terminating 2827 NUL that's appended after the format string has been processed. */ 2828 result_range avail_range = bytes_remaining (info.objsize, *res); 2829 2830 bool warned = res->warned; 2831 2832 if (!warned) 2833 warned = maybe_warn (dirloc, argloc, info, avail_range, 2834 fmtres.range, dir); 2835 2836 /* Bump up the total maximum if it isn't too big. */ 2837 if (res->range.max < HOST_WIDE_INT_MAX 2838 && fmtres.range.max < HOST_WIDE_INT_MAX) 2839 res->range.max += fmtres.range.max; 2840 2841 /* Raise the total unlikely maximum by the larger of the maximum 2842 and the unlikely maximum. */ 2843 unsigned HOST_WIDE_INT save = res->range.unlikely; 2844 if (fmtres.range.max < fmtres.range.unlikely) 2845 res->range.unlikely += fmtres.range.unlikely; 2846 else 2847 res->range.unlikely += fmtres.range.max; 2848 2849 if (res->range.unlikely < save) 2850 res->range.unlikely = HOST_WIDE_INT_M1U; 2851 2852 res->range.min += fmtres.range.min; 2853 res->range.likely += fmtres.range.likely; 2854 2855 /* Has the minimum directive output length exceeded the maximum 2856 of 4095 bytes required to be supported? */ 2857 bool minunder4k = fmtres.range.min < 4096; 2858 bool maxunder4k = fmtres.range.max < 4096; 2859 /* Clear POSUNDER4K in the overall result if the maximum has exceeded 2860 the 4k (this is necessary to avoid the return value optimization 2861 that may not be safe in the maximum case). */ 2862 if (!maxunder4k) 2863 res->posunder4k = false; 2864 /* Also clear POSUNDER4K if the directive may fail. */ 2865 if (fmtres.mayfail) 2866 res->posunder4k = false; 2867 2868 if (!warned 2869 /* Only warn at level 2. */ 2870 && warn_level > 1 2871 /* Only warn for string functions. */ 2872 && info.is_string_func () 2873 && (!minunder4k 2874 || (!maxunder4k && fmtres.range.max < HOST_WIDE_INT_MAX))) 2875 { 2876 /* The directive output may be longer than the maximum required 2877 to be handled by an implementation according to 7.21.6.1, p15 2878 of C11. Warn on this only at level 2 but remember this and 2879 prevent folding the return value when done. This allows for 2880 the possibility of the actual libc call failing due to ENOMEM 2881 (like Glibc does with very large precision or width). 2882 Issue the "may exceed" warning only for string functions and 2883 not for fprintf or printf. */ 2884 2885 if (fmtres.range.min == fmtres.range.max) 2886 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2887 "%<%.*s%> directive output of %wu bytes exceeds " 2888 "minimum required size of 4095", dirlen, 2889 target_to_host (hostdir, sizeof hostdir, dir.beg), 2890 fmtres.range.min); 2891 else if (!minunder4k) 2892 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2893 "%<%.*s%> directive output between %wu and %wu " 2894 "bytes exceeds minimum required size of 4095", 2895 dirlen, 2896 target_to_host (hostdir, sizeof hostdir, dir.beg), 2897 fmtres.range.min, fmtres.range.max); 2898 else if (!info.retval_used () && info.is_string_func ()) 2899 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2900 "%<%.*s%> directive output between %wu and %wu " 2901 "bytes may exceed minimum required size of " 2902 "4095", 2903 dirlen, 2904 target_to_host (hostdir, sizeof hostdir, dir.beg), 2905 fmtres.range.min, fmtres.range.max); 2906 } 2907 2908 /* Has the likely and maximum directive output exceeded INT_MAX? */ 2909 bool likelyximax = *dir.beg && res->range.likely > target_int_max (); 2910 /* Don't consider the maximum to be in excess when it's the result 2911 of a string of unknown length (i.e., whose maximum has been set 2912 to be greater than or equal to HOST_WIDE_INT_MAX. */ 2913 bool maxximax = (*dir.beg 2914 && res->range.max > target_int_max () 2915 && res->range.max < HOST_WIDE_INT_MAX); 2916 2917 if (!warned 2918 /* Warn for the likely output size at level 1. */ 2919 && (likelyximax 2920 /* But only warn for the maximum at level 2. */ 2921 || (warn_level > 1 2922 && maxximax 2923 && fmtres.range.max < HOST_WIDE_INT_MAX))) 2924 { 2925 if (fmtres.range.min > target_int_max ()) 2926 { 2927 /* The directive output exceeds INT_MAX bytes. */ 2928 if (fmtres.range.min == fmtres.range.max) 2929 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2930 "%<%.*s%> directive output of %wu bytes exceeds " 2931 "%<INT_MAX%>", dirlen, 2932 target_to_host (hostdir, sizeof hostdir, dir.beg), 2933 fmtres.range.min); 2934 else 2935 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2936 "%<%.*s%> directive output between %wu and " 2937 "%wu bytes exceeds %<INT_MAX%>", dirlen, 2938 target_to_host (hostdir, sizeof hostdir, dir.beg), 2939 fmtres.range.min, fmtres.range.max); 2940 } 2941 else if (res->range.min > target_int_max ()) 2942 { 2943 /* The directive output is under INT_MAX but causes the result 2944 to exceed INT_MAX bytes. */ 2945 if (fmtres.range.min == fmtres.range.max) 2946 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2947 "%<%.*s%> directive output of %wu bytes causes " 2948 "result to exceed %<INT_MAX%>", dirlen, 2949 target_to_host (hostdir, sizeof hostdir, dir.beg), 2950 fmtres.range.min); 2951 else 2952 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2953 "%<%.*s%> directive output between %wu and " 2954 "%wu bytes causes result to exceed %<INT_MAX%>", 2955 dirlen, 2956 target_to_host (hostdir, sizeof hostdir, dir.beg), 2957 fmtres.range.min, fmtres.range.max); 2958 } 2959 else if ((!info.retval_used () || !info.bounded) 2960 && (info.is_string_func ())) 2961 /* Warn for calls to string functions that either aren't bounded 2962 (sprintf) or whose return value isn't used. */ 2963 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2964 "%<%.*s%> directive output between %wu and " 2965 "%wu bytes may cause result to exceed " 2966 "%<INT_MAX%>", dirlen, 2967 target_to_host (hostdir, sizeof hostdir, dir.beg), 2968 fmtres.range.min, fmtres.range.max); 2969 } 2970 2971 if (!warned && fmtres.nonstr) 2972 { 2973 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2974 "%<%.*s%> directive argument is not a nul-terminated " 2975 "string", 2976 dirlen, 2977 target_to_host (hostdir, sizeof hostdir, dir.beg)); 2978 if (warned && DECL_P (fmtres.nonstr)) 2979 inform (DECL_SOURCE_LOCATION (fmtres.nonstr), 2980 "referenced argument declared here"); 2981 return false; 2982 } 2983 2984 if (warned && fmtres.range.min < fmtres.range.likely 2985 && fmtres.range.likely < fmtres.range.max) 2986 inform_n (info.fmtloc, fmtres.range.likely, 2987 "assuming directive output of %wu byte", 2988 "assuming directive output of %wu bytes", 2989 fmtres.range.likely); 2990 2991 if (warned && fmtres.argmin) 2992 { 2993 if (fmtres.argmin == fmtres.argmax) 2994 inform (info.fmtloc, "directive argument %qE", fmtres.argmin); 2995 else if (fmtres.knownrange) 2996 inform (info.fmtloc, "directive argument in the range [%E, %E]", 2997 fmtres.argmin, fmtres.argmax); 2998 else 2999 inform (info.fmtloc, 3000 "using the range [%E, %E] for directive argument", 3001 fmtres.argmin, fmtres.argmax); 3002 } 3003 3004 res->warned |= warned; 3005 3006 if (!dir.beg[0] && res->warned) 3007 { 3008 location_t callloc = gimple_location (info.callstmt); 3009 3010 unsigned HOST_WIDE_INT min = res->range.min; 3011 unsigned HOST_WIDE_INT max = res->range.max; 3012 3013 if (info.objsize < HOST_WIDE_INT_MAX) 3014 { 3015 /* If a warning has been issued for buffer overflow or truncation 3016 help the user figure out how big a buffer they need. */ 3017 3018 if (min == max) 3019 inform_n (callloc, min, 3020 "%qE output %wu byte into a destination of size %wu", 3021 "%qE output %wu bytes into a destination of size %wu", 3022 info.func, min, info.objsize); 3023 else if (max < HOST_WIDE_INT_MAX) 3024 inform (callloc, 3025 "%qE output between %wu and %wu bytes into " 3026 "a destination of size %wu", 3027 info.func, min, max, info.objsize); 3028 else if (min < res->range.likely && res->range.likely < max) 3029 inform (callloc, 3030 "%qE output %wu or more bytes (assuming %wu) into " 3031 "a destination of size %wu", 3032 info.func, min, res->range.likely, info.objsize); 3033 else 3034 inform (callloc, 3035 "%qE output %wu or more bytes into a destination of size " 3036 "%wu", 3037 info.func, min, info.objsize); 3038 } 3039 else if (!info.is_string_func ()) 3040 { 3041 /* If the warning is for a file function function like fprintf 3042 of printf with no destination size just print the computed 3043 result. */ 3044 if (min == max) 3045 inform_n (callloc, min, 3046 "%qE output %wu byte", "%qE output %wu bytes", 3047 info.func, min); 3048 else if (max < HOST_WIDE_INT_MAX) 3049 inform (callloc, 3050 "%qE output between %wu and %wu bytes", 3051 info.func, min, max); 3052 else if (min < res->range.likely && res->range.likely < max) 3053 inform (callloc, 3054 "%qE output %wu or more bytes (assuming %wu)", 3055 info.func, min, res->range.likely); 3056 else 3057 inform (callloc, 3058 "%qE output %wu or more bytes", 3059 info.func, min); 3060 } 3061 } 3062 3063 if (dump_file && *dir.beg) 3064 { 3065 fprintf (dump_file, 3066 " Result: " 3067 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", " 3068 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC " (" 3069 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", " 3070 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ")\n", 3071 fmtres.range.min, fmtres.range.likely, 3072 fmtres.range.max, fmtres.range.unlikely, 3073 res->range.min, res->range.likely, 3074 res->range.max, res->range.unlikely); 3075 } 3076 3077 return true; 3078 } 3079 3080 /* Parse a format directive in function call described by INFO starting 3081 at STR and populate DIR structure. Bump up *ARGNO by the number of 3082 arguments extracted for the directive. Return the length of 3083 the directive. */ 3084 3085 static size_t 3086 parse_directive (sprintf_dom_walker::call_info &info, 3087 directive &dir, format_result *res, 3088 const char *str, unsigned *argno, 3089 vr_values *vr_values) 3090 { 3091 const char *pcnt = strchr (str, target_percent); 3092 dir.beg = str; 3093 3094 if (size_t len = pcnt ? pcnt - str : *str ? strlen (str) : 1) 3095 { 3096 /* This directive is either a plain string or the terminating nul 3097 (which isn't really a directive but it simplifies things to 3098 handle it as if it were). */ 3099 dir.len = len; 3100 dir.fmtfunc = format_plain; 3101 3102 if (dump_file) 3103 { 3104 fprintf (dump_file, " Directive %u at offset " 3105 HOST_WIDE_INT_PRINT_UNSIGNED ": \"%.*s\", " 3106 "length = " HOST_WIDE_INT_PRINT_UNSIGNED "\n", 3107 dir.dirno, 3108 (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr), 3109 (int)dir.len, dir.beg, (unsigned HOST_WIDE_INT) dir.len); 3110 } 3111 3112 return len - !*str; 3113 } 3114 3115 const char *pf = pcnt + 1; 3116 3117 /* POSIX numbered argument index or zero when none. */ 3118 HOST_WIDE_INT dollar = 0; 3119 3120 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN 3121 when given by a va_list argument, and a non-negative value 3122 when specified in the format string itself. */ 3123 HOST_WIDE_INT width = -1; 3124 HOST_WIDE_INT precision = -1; 3125 3126 /* Pointers to the beginning of the width and precision decimal 3127 string (if any) within the directive. */ 3128 const char *pwidth = 0; 3129 const char *pprec = 0; 3130 3131 /* When the value of the decimal string that specifies width or 3132 precision is out of range, points to the digit that causes 3133 the value to exceed the limit. */ 3134 const char *werange = NULL; 3135 const char *perange = NULL; 3136 3137 /* Width specified via the asterisk. Need not be INTEGER_CST. 3138 For vararg functions set to void_node. */ 3139 tree star_width = NULL_TREE; 3140 3141 /* Width specified via the asterisk. Need not be INTEGER_CST. 3142 For vararg functions set to void_node. */ 3143 tree star_precision = NULL_TREE; 3144 3145 if (ISDIGIT (target_to_host (*pf))) 3146 { 3147 /* This could be either a POSIX positional argument, the '0' 3148 flag, or a width, depending on what follows. Store it as 3149 width and sort it out later after the next character has 3150 been seen. */ 3151 pwidth = pf; 3152 width = target_strtowi (&pf, &werange); 3153 } 3154 else if (target_to_host (*pf) == '*') 3155 { 3156 /* Similarly to the block above, this could be either a POSIX 3157 positional argument or a width, depending on what follows. */ 3158 if (*argno < gimple_call_num_args (info.callstmt)) 3159 star_width = gimple_call_arg (info.callstmt, (*argno)++); 3160 else 3161 star_width = void_node; 3162 ++pf; 3163 } 3164 3165 if (target_to_host (*pf) == '$') 3166 { 3167 /* Handle the POSIX dollar sign which references the 1-based 3168 positional argument number. */ 3169 if (width != -1) 3170 dollar = width + info.argidx; 3171 else if (star_width 3172 && TREE_CODE (star_width) == INTEGER_CST 3173 && (TYPE_PRECISION (TREE_TYPE (star_width)) 3174 <= TYPE_PRECISION (integer_type_node))) 3175 dollar = width + tree_to_shwi (star_width); 3176 3177 /* Bail when the numbered argument is out of range (it will 3178 have already been diagnosed by -Wformat). */ 3179 if (dollar == 0 3180 || dollar == (int)info.argidx 3181 || dollar > gimple_call_num_args (info.callstmt)) 3182 return false; 3183 3184 --dollar; 3185 3186 star_width = NULL_TREE; 3187 width = -1; 3188 ++pf; 3189 } 3190 3191 if (dollar || !star_width) 3192 { 3193 if (width != -1) 3194 { 3195 if (width == 0) 3196 { 3197 /* The '0' that has been interpreted as a width above is 3198 actually a flag. Reset HAVE_WIDTH, set the '0' flag, 3199 and continue processing other flags. */ 3200 width = -1; 3201 dir.set_flag ('0'); 3202 } 3203 else if (!dollar) 3204 { 3205 /* (Non-zero) width has been seen. The next character 3206 is either a period or a digit. */ 3207 goto start_precision; 3208 } 3209 } 3210 /* When either '$' has been seen, or width has not been seen, 3211 the next field is the optional flags followed by an optional 3212 width. */ 3213 for ( ; ; ) { 3214 switch (target_to_host (*pf)) 3215 { 3216 case ' ': 3217 case '0': 3218 case '+': 3219 case '-': 3220 case '#': 3221 dir.set_flag (target_to_host (*pf++)); 3222 break; 3223 3224 default: 3225 goto start_width; 3226 } 3227 } 3228 3229 start_width: 3230 if (ISDIGIT (target_to_host (*pf))) 3231 { 3232 werange = 0; 3233 pwidth = pf; 3234 width = target_strtowi (&pf, &werange); 3235 } 3236 else if (target_to_host (*pf) == '*') 3237 { 3238 if (*argno < gimple_call_num_args (info.callstmt)) 3239 star_width = gimple_call_arg (info.callstmt, (*argno)++); 3240 else 3241 { 3242 /* This is (likely) a va_list. It could also be an invalid 3243 call with insufficient arguments. */ 3244 star_width = void_node; 3245 } 3246 ++pf; 3247 } 3248 else if (target_to_host (*pf) == '\'') 3249 { 3250 /* The POSIX apostrophe indicating a numeric grouping 3251 in the current locale. Even though it's possible to 3252 estimate the upper bound on the size of the output 3253 based on the number of digits it probably isn't worth 3254 continuing. */ 3255 return 0; 3256 } 3257 } 3258 3259 start_precision: 3260 if (target_to_host (*pf) == '.') 3261 { 3262 ++pf; 3263 3264 if (ISDIGIT (target_to_host (*pf))) 3265 { 3266 pprec = pf; 3267 precision = target_strtowi (&pf, &perange); 3268 } 3269 else if (target_to_host (*pf) == '*') 3270 { 3271 if (*argno < gimple_call_num_args (info.callstmt)) 3272 star_precision = gimple_call_arg (info.callstmt, (*argno)++); 3273 else 3274 { 3275 /* This is (likely) a va_list. It could also be an invalid 3276 call with insufficient arguments. */ 3277 star_precision = void_node; 3278 } 3279 ++pf; 3280 } 3281 else 3282 { 3283 /* The decimal precision or the asterisk are optional. 3284 When neither is dirified it's taken to be zero. */ 3285 precision = 0; 3286 } 3287 } 3288 3289 switch (target_to_host (*pf)) 3290 { 3291 case 'h': 3292 if (target_to_host (pf[1]) == 'h') 3293 { 3294 ++pf; 3295 dir.modifier = FMT_LEN_hh; 3296 } 3297 else 3298 dir.modifier = FMT_LEN_h; 3299 ++pf; 3300 break; 3301 3302 case 'j': 3303 dir.modifier = FMT_LEN_j; 3304 ++pf; 3305 break; 3306 3307 case 'L': 3308 dir.modifier = FMT_LEN_L; 3309 ++pf; 3310 break; 3311 3312 case 'l': 3313 if (target_to_host (pf[1]) == 'l') 3314 { 3315 ++pf; 3316 dir.modifier = FMT_LEN_ll; 3317 } 3318 else 3319 dir.modifier = FMT_LEN_l; 3320 ++pf; 3321 break; 3322 3323 case 't': 3324 dir.modifier = FMT_LEN_t; 3325 ++pf; 3326 break; 3327 3328 case 'z': 3329 dir.modifier = FMT_LEN_z; 3330 ++pf; 3331 break; 3332 } 3333 3334 switch (target_to_host (*pf)) 3335 { 3336 /* Handle a sole '%' character the same as "%%" but since it's 3337 undefined prevent the result from being folded. */ 3338 case '\0': 3339 --pf; 3340 res->range.min = res->range.max = HOST_WIDE_INT_M1U; 3341 /* FALLTHRU */ 3342 case '%': 3343 dir.fmtfunc = format_percent; 3344 break; 3345 3346 case 'a': 3347 case 'A': 3348 case 'e': 3349 case 'E': 3350 case 'f': 3351 case 'F': 3352 case 'g': 3353 case 'G': 3354 res->floating = true; 3355 dir.fmtfunc = format_floating; 3356 break; 3357 3358 case 'd': 3359 case 'i': 3360 case 'o': 3361 case 'u': 3362 case 'x': 3363 case 'X': 3364 dir.fmtfunc = format_integer; 3365 break; 3366 3367 case 'p': 3368 /* The %p output is implementation-defined. It's possible 3369 to determine this format but due to extensions (edirially 3370 those of the Linux kernel -- see bug 78512) the first %p 3371 in the format string disables any further processing. */ 3372 return false; 3373 3374 case 'n': 3375 /* %n has side-effects even when nothing is actually printed to 3376 any buffer. */ 3377 info.nowrite = false; 3378 dir.fmtfunc = format_none; 3379 break; 3380 3381 case 'C': 3382 case 'c': 3383 /* POSIX wide character and C/POSIX narrow character. */ 3384 dir.fmtfunc = format_character; 3385 break; 3386 3387 case 'S': 3388 case 's': 3389 /* POSIX wide string and C/POSIX narrow character string. */ 3390 dir.fmtfunc = format_string; 3391 break; 3392 3393 default: 3394 /* Unknown conversion specification. */ 3395 return 0; 3396 } 3397 3398 dir.specifier = target_to_host (*pf++); 3399 3400 /* Store the length of the format directive. */ 3401 dir.len = pf - pcnt; 3402 3403 /* Buffer for the directive in the host character set (used when 3404 the source character set is different). */ 3405 char hostdir[32]; 3406 3407 if (star_width) 3408 { 3409 if (INTEGRAL_TYPE_P (TREE_TYPE (star_width))) 3410 dir.set_width (star_width, vr_values); 3411 else 3412 { 3413 /* Width specified by a va_list takes on the range [0, -INT_MIN] 3414 (width is the absolute value of that specified). */ 3415 dir.width[0] = 0; 3416 dir.width[1] = target_int_max () + 1; 3417 } 3418 } 3419 else 3420 { 3421 if (width == HOST_WIDE_INT_MAX && werange) 3422 { 3423 size_t begin = dir.beg - info.fmtstr + (pwidth - pcnt); 3424 size_t caret = begin + (werange - pcnt); 3425 size_t end = pf - info.fmtstr - 1; 3426 3427 /* Create a location for the width part of the directive, 3428 pointing the caret at the first out-of-range digit. */ 3429 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format), 3430 caret, begin, end); 3431 3432 fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (), 3433 "%<%.*s%> directive width out of range", (int) dir.len, 3434 target_to_host (hostdir, sizeof hostdir, dir.beg)); 3435 } 3436 3437 dir.set_width (width); 3438 } 3439 3440 if (star_precision) 3441 { 3442 if (INTEGRAL_TYPE_P (TREE_TYPE (star_precision))) 3443 dir.set_precision (star_precision, vr_values); 3444 else 3445 { 3446 /* Precision specified by a va_list takes on the range [-1, INT_MAX] 3447 (unlike width, negative precision is ignored). */ 3448 dir.prec[0] = -1; 3449 dir.prec[1] = target_int_max (); 3450 } 3451 } 3452 else 3453 { 3454 if (precision == HOST_WIDE_INT_MAX && perange) 3455 { 3456 size_t begin = dir.beg - info.fmtstr + (pprec - pcnt) - 1; 3457 size_t caret = dir.beg - info.fmtstr + (perange - pcnt) - 1; 3458 size_t end = pf - info.fmtstr - 2; 3459 3460 /* Create a location for the precision part of the directive, 3461 including the leading period, pointing the caret at the first 3462 out-of-range digit . */ 3463 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format), 3464 caret, begin, end); 3465 3466 fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (), 3467 "%<%.*s%> directive precision out of range", (int) dir.len, 3468 target_to_host (hostdir, sizeof hostdir, dir.beg)); 3469 } 3470 3471 dir.set_precision (precision); 3472 } 3473 3474 /* Extract the argument if the directive takes one and if it's 3475 available (e.g., the function doesn't take a va_list). Treat 3476 missing arguments the same as va_list, even though they will 3477 have likely already been diagnosed by -Wformat. */ 3478 if (dir.specifier != '%' 3479 && *argno < gimple_call_num_args (info.callstmt)) 3480 dir.arg = gimple_call_arg (info.callstmt, dollar ? dollar : (*argno)++); 3481 3482 if (dump_file) 3483 { 3484 fprintf (dump_file, 3485 " Directive %u at offset " HOST_WIDE_INT_PRINT_UNSIGNED 3486 ": \"%.*s\"", 3487 dir.dirno, 3488 (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr), 3489 (int)dir.len, dir.beg); 3490 if (star_width) 3491 { 3492 if (dir.width[0] == dir.width[1]) 3493 fprintf (dump_file, ", width = " HOST_WIDE_INT_PRINT_DEC, 3494 dir.width[0]); 3495 else 3496 fprintf (dump_file, 3497 ", width in range [" HOST_WIDE_INT_PRINT_DEC 3498 ", " HOST_WIDE_INT_PRINT_DEC "]", 3499 dir.width[0], dir.width[1]); 3500 } 3501 3502 if (star_precision) 3503 { 3504 if (dir.prec[0] == dir.prec[1]) 3505 fprintf (dump_file, ", precision = " HOST_WIDE_INT_PRINT_DEC, 3506 dir.prec[0]); 3507 else 3508 fprintf (dump_file, 3509 ", precision in range [" HOST_WIDE_INT_PRINT_DEC 3510 HOST_WIDE_INT_PRINT_DEC "]", 3511 dir.prec[0], dir.prec[1]); 3512 } 3513 fputc ('\n', dump_file); 3514 } 3515 3516 return dir.len; 3517 } 3518 3519 /* Compute the length of the output resulting from the call to a formatted 3520 output function described by INFO and store the result of the call in 3521 *RES. Issue warnings for detected past the end writes. Return true 3522 if the complete format string has been processed and *RES can be relied 3523 on, false otherwise (e.g., when a unknown or unhandled directive was seen 3524 that caused the processing to be terminated early). */ 3525 3526 bool 3527 sprintf_dom_walker::compute_format_length (call_info &info, 3528 format_result *res) 3529 { 3530 if (dump_file) 3531 { 3532 location_t callloc = gimple_location (info.callstmt); 3533 fprintf (dump_file, "%s:%i: ", 3534 LOCATION_FILE (callloc), LOCATION_LINE (callloc)); 3535 print_generic_expr (dump_file, info.func, dump_flags); 3536 3537 fprintf (dump_file, 3538 ": objsize = " HOST_WIDE_INT_PRINT_UNSIGNED 3539 ", fmtstr = \"%s\"\n", 3540 info.objsize, info.fmtstr); 3541 } 3542 3543 /* Reset the minimum and maximum byte counters. */ 3544 res->range.min = res->range.max = 0; 3545 3546 /* No directive has been seen yet so the length of output is bounded 3547 by the known range [0, 0] (with no conversion resulting in a failure 3548 or producing more than 4K bytes) until determined otherwise. */ 3549 res->knownrange = true; 3550 res->floating = false; 3551 res->warned = false; 3552 3553 /* 1-based directive counter. */ 3554 unsigned dirno = 1; 3555 3556 /* The variadic argument counter. */ 3557 unsigned argno = info.argidx; 3558 3559 for (const char *pf = info.fmtstr; ; ++dirno) 3560 { 3561 directive dir = directive (); 3562 dir.dirno = dirno; 3563 3564 size_t n = parse_directive (info, dir, res, pf, &argno, 3565 evrp_range_analyzer.get_vr_values ()); 3566 3567 /* Return failure if the format function fails. */ 3568 if (!format_directive (info, res, dir, 3569 evrp_range_analyzer.get_vr_values ())) 3570 return false; 3571 3572 /* Return success the directive is zero bytes long and it's 3573 the last think in the format string (i.e., it's the terminating 3574 nul, which isn't really a directive but handling it as one makes 3575 things simpler). */ 3576 if (!n) 3577 return *pf == '\0'; 3578 3579 pf += n; 3580 } 3581 3582 /* The complete format string was processed (with or without warnings). */ 3583 return true; 3584 } 3585 3586 /* Return the size of the object referenced by the expression DEST if 3587 available, or the maximum possible size otherwise. */ 3588 3589 static unsigned HOST_WIDE_INT 3590 get_destination_size (tree dest) 3591 { 3592 /* When there is no destination return the maximum. */ 3593 if (!dest) 3594 return HOST_WIDE_INT_MAX; 3595 3596 /* Initialize object size info before trying to compute it. */ 3597 init_object_sizes (); 3598 3599 /* Use __builtin_object_size to determine the size of the destination 3600 object. When optimizing, determine the smallest object (such as 3601 a member array as opposed to the whole enclosing object), otherwise 3602 use type-zero object size to determine the size of the enclosing 3603 object (the function fails without optimization in this type). */ 3604 int ost = optimize > 0; 3605 unsigned HOST_WIDE_INT size; 3606 if (compute_builtin_object_size (dest, ost, &size)) 3607 return size; 3608 3609 return HOST_WIDE_INT_MAX; 3610 } 3611 3612 /* Return true if the call described by INFO with result RES safe to 3613 optimize (i.e., no undefined behavior), and set RETVAL to the range 3614 of its return values. */ 3615 3616 static bool 3617 is_call_safe (const sprintf_dom_walker::call_info &info, 3618 const format_result &res, bool under4k, 3619 unsigned HOST_WIDE_INT retval[2]) 3620 { 3621 if (under4k && !res.posunder4k) 3622 return false; 3623 3624 /* The minimum return value. */ 3625 retval[0] = res.range.min; 3626 3627 /* The maximum return value is in most cases bounded by RES.RANGE.MAX 3628 but in cases involving multibyte characters could be as large as 3629 RES.RANGE.UNLIKELY. */ 3630 retval[1] 3631 = res.range.unlikely < res.range.max ? res.range.max : res.range.unlikely; 3632 3633 /* Adjust the number of bytes which includes the terminating nul 3634 to reflect the return value of the function which does not. 3635 Because the valid range of the function is [INT_MIN, INT_MAX], 3636 a valid range before the adjustment below is [0, INT_MAX + 1] 3637 (the functions only return negative values on error or undefined 3638 behavior). */ 3639 if (retval[0] <= target_int_max () + 1) 3640 --retval[0]; 3641 if (retval[1] <= target_int_max () + 1) 3642 --retval[1]; 3643 3644 /* Avoid the return value optimization when the behavior of the call 3645 is undefined either because any directive may have produced 4K or 3646 more of output, or the return value exceeds INT_MAX, or because 3647 the output overflows the destination object (but leave it enabled 3648 when the function is bounded because then the behavior is well- 3649 defined). */ 3650 if (retval[0] == retval[1] 3651 && (info.bounded || retval[0] < info.objsize) 3652 && retval[0] <= target_int_max ()) 3653 return true; 3654 3655 if ((info.bounded || retval[1] < info.objsize) 3656 && (retval[0] < target_int_max () 3657 && retval[1] < target_int_max ())) 3658 return true; 3659 3660 if (!under4k && (info.bounded || retval[0] < info.objsize)) 3661 return true; 3662 3663 return false; 3664 } 3665 3666 /* Given a suitable result RES of a call to a formatted output function 3667 described by INFO, substitute the result for the return value of 3668 the call. The result is suitable if the number of bytes it represents 3669 is known and exact. A result that isn't suitable for substitution may 3670 have its range set to the range of return values, if that is known. 3671 Return true if the call is removed and gsi_next should not be performed 3672 in the caller. */ 3673 3674 static bool 3675 try_substitute_return_value (gimple_stmt_iterator *gsi, 3676 const sprintf_dom_walker::call_info &info, 3677 const format_result &res) 3678 { 3679 tree lhs = gimple_get_lhs (info.callstmt); 3680 3681 /* Set to true when the entire call has been removed. */ 3682 bool removed = false; 3683 3684 /* The minimum and maximum return value. */ 3685 unsigned HOST_WIDE_INT retval[2]; 3686 bool safe = is_call_safe (info, res, true, retval); 3687 3688 if (safe 3689 && retval[0] == retval[1] 3690 /* Not prepared to handle possibly throwing calls here; they shouldn't 3691 appear in non-artificial testcases, except when the __*_chk routines 3692 are badly declared. */ 3693 && !stmt_ends_bb_p (info.callstmt)) 3694 { 3695 tree cst = build_int_cst (lhs ? TREE_TYPE (lhs) : integer_type_node, 3696 retval[0]); 3697 3698 if (lhs == NULL_TREE && info.nowrite) 3699 { 3700 /* Remove the call to the bounded function with a zero size 3701 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */ 3702 unlink_stmt_vdef (info.callstmt); 3703 gsi_remove (gsi, true); 3704 removed = true; 3705 } 3706 else if (info.nowrite) 3707 { 3708 /* Replace the call to the bounded function with a zero size 3709 (e.g., snprintf(0, 0, "%i", 123) with the constant result 3710 of the function. */ 3711 if (!update_call_from_tree (gsi, cst)) 3712 gimplify_and_update_call_from_tree (gsi, cst); 3713 gimple *callstmt = gsi_stmt (*gsi); 3714 update_stmt (callstmt); 3715 } 3716 else if (lhs) 3717 { 3718 /* Replace the left-hand side of the call with the constant 3719 result of the formatted function. */ 3720 gimple_call_set_lhs (info.callstmt, NULL_TREE); 3721 gimple *g = gimple_build_assign (lhs, cst); 3722 gsi_insert_after (gsi, g, GSI_NEW_STMT); 3723 update_stmt (info.callstmt); 3724 } 3725 3726 if (dump_file) 3727 { 3728 if (removed) 3729 fprintf (dump_file, " Removing call statement."); 3730 else 3731 { 3732 fprintf (dump_file, " Substituting "); 3733 print_generic_expr (dump_file, cst, dump_flags); 3734 fprintf (dump_file, " for %s.\n", 3735 info.nowrite ? "statement" : "return value"); 3736 } 3737 } 3738 } 3739 else if (lhs && types_compatible_p (TREE_TYPE (lhs), integer_type_node)) 3740 { 3741 bool setrange = false; 3742 3743 if (safe 3744 && (info.bounded || retval[1] < info.objsize) 3745 && (retval[0] < target_int_max () 3746 && retval[1] < target_int_max ())) 3747 { 3748 /* If the result is in a valid range bounded by the size of 3749 the destination set it so that it can be used for subsequent 3750 optimizations. */ 3751 int prec = TYPE_PRECISION (integer_type_node); 3752 3753 wide_int min = wi::shwi (retval[0], prec); 3754 wide_int max = wi::shwi (retval[1], prec); 3755 set_range_info (lhs, VR_RANGE, min, max); 3756 3757 setrange = true; 3758 } 3759 3760 if (dump_file) 3761 { 3762 const char *inbounds 3763 = (retval[0] < info.objsize 3764 ? (retval[1] < info.objsize 3765 ? "in" : "potentially out-of") 3766 : "out-of"); 3767 3768 const char *what = setrange ? "Setting" : "Discarding"; 3769 if (retval[0] != retval[1]) 3770 fprintf (dump_file, 3771 " %s %s-bounds return value range [" 3772 HOST_WIDE_INT_PRINT_UNSIGNED ", " 3773 HOST_WIDE_INT_PRINT_UNSIGNED "].\n", 3774 what, inbounds, retval[0], retval[1]); 3775 else 3776 fprintf (dump_file, " %s %s-bounds return value " 3777 HOST_WIDE_INT_PRINT_UNSIGNED ".\n", 3778 what, inbounds, retval[0]); 3779 } 3780 } 3781 3782 if (dump_file) 3783 fputc ('\n', dump_file); 3784 3785 return removed; 3786 } 3787 3788 /* Try to simplify a s{,n}printf call described by INFO with result 3789 RES by replacing it with a simpler and presumably more efficient 3790 call (such as strcpy). */ 3791 3792 static bool 3793 try_simplify_call (gimple_stmt_iterator *gsi, 3794 const sprintf_dom_walker::call_info &info, 3795 const format_result &res) 3796 { 3797 unsigned HOST_WIDE_INT dummy[2]; 3798 if (!is_call_safe (info, res, info.retval_used (), dummy)) 3799 return false; 3800 3801 switch (info.fncode) 3802 { 3803 case BUILT_IN_SNPRINTF: 3804 return gimple_fold_builtin_snprintf (gsi); 3805 3806 case BUILT_IN_SPRINTF: 3807 return gimple_fold_builtin_sprintf (gsi); 3808 3809 default: 3810 ; 3811 } 3812 3813 return false; 3814 } 3815 3816 /* Return the zero-based index of the format string argument of a printf 3817 like function and set *IDX_ARGS to the first format argument. When 3818 no such index exists return UINT_MAX. */ 3819 3820 static unsigned 3821 get_user_idx_format (tree fndecl, unsigned *idx_args) 3822 { 3823 tree attrs = lookup_attribute ("format", DECL_ATTRIBUTES (fndecl)); 3824 if (!attrs) 3825 attrs = lookup_attribute ("format", TYPE_ATTRIBUTES (TREE_TYPE (fndecl))); 3826 3827 if (!attrs) 3828 return UINT_MAX; 3829 3830 attrs = TREE_VALUE (attrs); 3831 3832 tree archetype = TREE_VALUE (attrs); 3833 if (strcmp ("printf", IDENTIFIER_POINTER (archetype))) 3834 return UINT_MAX; 3835 3836 attrs = TREE_CHAIN (attrs); 3837 tree fmtarg = TREE_VALUE (attrs); 3838 3839 attrs = TREE_CHAIN (attrs); 3840 tree elliparg = TREE_VALUE (attrs); 3841 3842 /* Attribute argument indices are 1-based but we use zero-based. */ 3843 *idx_args = tree_to_uhwi (elliparg) - 1; 3844 return tree_to_uhwi (fmtarg) - 1; 3845 } 3846 3847 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in 3848 functions and if so, handle it. Return true if the call is removed 3849 and gsi_next should not be performed in the caller. */ 3850 3851 bool 3852 sprintf_dom_walker::handle_gimple_call (gimple_stmt_iterator *gsi) 3853 { 3854 call_info info = call_info (); 3855 3856 info.callstmt = gsi_stmt (*gsi); 3857 info.func = gimple_call_fndecl (info.callstmt); 3858 if (!info.func) 3859 return false; 3860 3861 /* Format string argument number (valid for all functions). */ 3862 unsigned idx_format = UINT_MAX; 3863 if (gimple_call_builtin_p (info.callstmt, BUILT_IN_NORMAL)) 3864 info.fncode = DECL_FUNCTION_CODE (info.func); 3865 else 3866 { 3867 unsigned idx_args; 3868 idx_format = get_user_idx_format (info.func, &idx_args); 3869 if (idx_format == UINT_MAX 3870 || idx_format >= gimple_call_num_args (info.callstmt) 3871 || idx_args > gimple_call_num_args (info.callstmt) 3872 || !POINTER_TYPE_P (TREE_TYPE (gimple_call_arg (info.callstmt, 3873 idx_format)))) 3874 return false; 3875 info.fncode = BUILT_IN_NONE; 3876 info.argidx = idx_args; 3877 } 3878 3879 /* The size of the destination as in snprintf(dest, size, ...). */ 3880 unsigned HOST_WIDE_INT dstsize = HOST_WIDE_INT_M1U; 3881 3882 /* The size of the destination determined by __builtin_object_size. */ 3883 unsigned HOST_WIDE_INT objsize = HOST_WIDE_INT_M1U; 3884 3885 /* Zero-based buffer size argument number (snprintf and vsnprintf). */ 3886 unsigned idx_dstsize = UINT_MAX; 3887 3888 /* Object size argument number (snprintf_chk and vsnprintf_chk). */ 3889 unsigned idx_objsize = UINT_MAX; 3890 3891 /* Destinaton argument number (valid for sprintf functions only). */ 3892 unsigned idx_dstptr = 0; 3893 3894 switch (info.fncode) 3895 { 3896 case BUILT_IN_NONE: 3897 // User-defined function with attribute format (printf). 3898 idx_dstptr = -1; 3899 break; 3900 3901 case BUILT_IN_FPRINTF: 3902 // Signature: 3903 // __builtin_fprintf (FILE*, format, ...) 3904 idx_format = 1; 3905 info.argidx = 2; 3906 idx_dstptr = -1; 3907 break; 3908 3909 case BUILT_IN_FPRINTF_CHK: 3910 // Signature: 3911 // __builtin_fprintf_chk (FILE*, ost, format, ...) 3912 idx_format = 2; 3913 info.argidx = 3; 3914 idx_dstptr = -1; 3915 break; 3916 3917 case BUILT_IN_FPRINTF_UNLOCKED: 3918 // Signature: 3919 // __builtin_fprintf_unnlocked (FILE*, format, ...) 3920 idx_format = 1; 3921 info.argidx = 2; 3922 idx_dstptr = -1; 3923 break; 3924 3925 case BUILT_IN_PRINTF: 3926 // Signature: 3927 // __builtin_printf (format, ...) 3928 idx_format = 0; 3929 info.argidx = 1; 3930 idx_dstptr = -1; 3931 break; 3932 3933 case BUILT_IN_PRINTF_CHK: 3934 // Signature: 3935 // __builtin_printf_chk (ost, format, ...) 3936 idx_format = 1; 3937 info.argidx = 2; 3938 idx_dstptr = -1; 3939 break; 3940 3941 case BUILT_IN_PRINTF_UNLOCKED: 3942 // Signature: 3943 // __builtin_printf (format, ...) 3944 idx_format = 0; 3945 info.argidx = 1; 3946 idx_dstptr = -1; 3947 break; 3948 3949 case BUILT_IN_SPRINTF: 3950 // Signature: 3951 // __builtin_sprintf (dst, format, ...) 3952 idx_format = 1; 3953 info.argidx = 2; 3954 break; 3955 3956 case BUILT_IN_SPRINTF_CHK: 3957 // Signature: 3958 // __builtin___sprintf_chk (dst, ost, objsize, format, ...) 3959 idx_objsize = 2; 3960 idx_format = 3; 3961 info.argidx = 4; 3962 break; 3963 3964 case BUILT_IN_SNPRINTF: 3965 // Signature: 3966 // __builtin_snprintf (dst, size, format, ...) 3967 idx_dstsize = 1; 3968 idx_format = 2; 3969 info.argidx = 3; 3970 info.bounded = true; 3971 break; 3972 3973 case BUILT_IN_SNPRINTF_CHK: 3974 // Signature: 3975 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...) 3976 idx_dstsize = 1; 3977 idx_objsize = 3; 3978 idx_format = 4; 3979 info.argidx = 5; 3980 info.bounded = true; 3981 break; 3982 3983 case BUILT_IN_VFPRINTF: 3984 // Signature: 3985 // __builtin_vprintf (FILE*, format, va_list) 3986 idx_format = 1; 3987 info.argidx = -1; 3988 idx_dstptr = -1; 3989 break; 3990 3991 case BUILT_IN_VFPRINTF_CHK: 3992 // Signature: 3993 // __builtin___vfprintf_chk (FILE*, ost, format, va_list) 3994 idx_format = 2; 3995 info.argidx = -1; 3996 idx_dstptr = -1; 3997 break; 3998 3999 case BUILT_IN_VPRINTF: 4000 // Signature: 4001 // __builtin_vprintf (format, va_list) 4002 idx_format = 0; 4003 info.argidx = -1; 4004 idx_dstptr = -1; 4005 break; 4006 4007 case BUILT_IN_VPRINTF_CHK: 4008 // Signature: 4009 // __builtin___vprintf_chk (ost, format, va_list) 4010 idx_format = 1; 4011 info.argidx = -1; 4012 idx_dstptr = -1; 4013 break; 4014 4015 case BUILT_IN_VSNPRINTF: 4016 // Signature: 4017 // __builtin_vsprintf (dst, size, format, va) 4018 idx_dstsize = 1; 4019 idx_format = 2; 4020 info.argidx = -1; 4021 info.bounded = true; 4022 break; 4023 4024 case BUILT_IN_VSNPRINTF_CHK: 4025 // Signature: 4026 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va) 4027 idx_dstsize = 1; 4028 idx_objsize = 3; 4029 idx_format = 4; 4030 info.argidx = -1; 4031 info.bounded = true; 4032 break; 4033 4034 case BUILT_IN_VSPRINTF: 4035 // Signature: 4036 // __builtin_vsprintf (dst, format, va) 4037 idx_format = 1; 4038 info.argidx = -1; 4039 break; 4040 4041 case BUILT_IN_VSPRINTF_CHK: 4042 // Signature: 4043 // __builtin___vsprintf_chk (dst, ost, objsize, format, va) 4044 idx_format = 3; 4045 idx_objsize = 2; 4046 info.argidx = -1; 4047 break; 4048 4049 default: 4050 return false; 4051 } 4052 4053 /* Set the global warning level for this function. */ 4054 warn_level = info.bounded ? warn_format_trunc : warn_format_overflow; 4055 4056 /* For all string functions the first argument is a pointer to 4057 the destination. */ 4058 tree dstptr = (idx_dstptr < gimple_call_num_args (info.callstmt) 4059 ? gimple_call_arg (info.callstmt, 0) : NULL_TREE); 4060 4061 info.format = gimple_call_arg (info.callstmt, idx_format); 4062 4063 /* True when the destination size is constant as opposed to the lower 4064 or upper bound of a range. */ 4065 bool dstsize_cst_p = true; 4066 bool posunder4k = true; 4067 4068 if (idx_dstsize == UINT_MAX) 4069 { 4070 /* For non-bounded functions like sprintf, determine the size 4071 of the destination from the object or pointer passed to it 4072 as the first argument. */ 4073 dstsize = get_destination_size (dstptr); 4074 } 4075 else if (tree size = gimple_call_arg (info.callstmt, idx_dstsize)) 4076 { 4077 /* For bounded functions try to get the size argument. */ 4078 4079 if (TREE_CODE (size) == INTEGER_CST) 4080 { 4081 dstsize = tree_to_uhwi (size); 4082 /* No object can be larger than SIZE_MAX bytes (half the address 4083 space) on the target. 4084 The functions are defined only for output of at most INT_MAX 4085 bytes. Specifying a bound in excess of that limit effectively 4086 defeats the bounds checking (and on some implementations such 4087 as Solaris cause the function to fail with EINVAL). */ 4088 if (dstsize > target_size_max () / 2) 4089 { 4090 /* Avoid warning if -Wstringop-overflow is specified since 4091 it also warns for the same thing though only for the 4092 checking built-ins. */ 4093 if ((idx_objsize == UINT_MAX 4094 || !warn_stringop_overflow)) 4095 warning_at (gimple_location (info.callstmt), info.warnopt (), 4096 "specified bound %wu exceeds maximum object size " 4097 "%wu", 4098 dstsize, target_size_max () / 2); 4099 /* POSIX requires snprintf to fail if DSTSIZE is greater 4100 than INT_MAX. Even though not all POSIX implementations 4101 conform to the requirement, avoid folding in this case. */ 4102 posunder4k = false; 4103 } 4104 else if (dstsize > target_int_max ()) 4105 { 4106 warning_at (gimple_location (info.callstmt), info.warnopt (), 4107 "specified bound %wu exceeds %<INT_MAX%>", 4108 dstsize); 4109 /* POSIX requires snprintf to fail if DSTSIZE is greater 4110 than INT_MAX. Avoid folding in that case. */ 4111 posunder4k = false; 4112 } 4113 } 4114 else if (TREE_CODE (size) == SSA_NAME) 4115 { 4116 /* Try to determine the range of values of the argument 4117 and use the greater of the two at level 1 and the smaller 4118 of them at level 2. */ 4119 value_range *vr = evrp_range_analyzer.get_value_range (size); 4120 if (range_int_cst_p (vr)) 4121 { 4122 unsigned HOST_WIDE_INT minsize = TREE_INT_CST_LOW (vr->min ()); 4123 unsigned HOST_WIDE_INT maxsize = TREE_INT_CST_LOW (vr->max ()); 4124 dstsize = warn_level < 2 ? maxsize : minsize; 4125 4126 if (minsize > target_int_max ()) 4127 warning_at (gimple_location (info.callstmt), info.warnopt (), 4128 "specified bound range [%wu, %wu] exceeds " 4129 "%<INT_MAX%>", 4130 minsize, maxsize); 4131 4132 /* POSIX requires snprintf to fail if DSTSIZE is greater 4133 than INT_MAX. Avoid folding if that's possible. */ 4134 if (maxsize > target_int_max ()) 4135 posunder4k = false; 4136 } 4137 else if (vr->varying_p ()) 4138 { 4139 /* POSIX requires snprintf to fail if DSTSIZE is greater 4140 than INT_MAX. Since SIZE's range is unknown, avoid 4141 folding. */ 4142 posunder4k = false; 4143 } 4144 4145 /* The destination size is not constant. If the function is 4146 bounded (e.g., snprintf) a lower bound of zero doesn't 4147 necessarily imply it can be eliminated. */ 4148 dstsize_cst_p = false; 4149 } 4150 } 4151 4152 if (idx_objsize != UINT_MAX) 4153 if (tree size = gimple_call_arg (info.callstmt, idx_objsize)) 4154 if (tree_fits_uhwi_p (size)) 4155 objsize = tree_to_uhwi (size); 4156 4157 if (info.bounded && !dstsize) 4158 { 4159 /* As a special case, when the explicitly specified destination 4160 size argument (to a bounded function like snprintf) is zero 4161 it is a request to determine the number of bytes on output 4162 without actually producing any. Pretend the size is 4163 unlimited in this case. */ 4164 info.objsize = HOST_WIDE_INT_MAX; 4165 info.nowrite = dstsize_cst_p; 4166 } 4167 else 4168 { 4169 /* For calls to non-bounded functions or to those of bounded 4170 functions with a non-zero size, warn if the destination 4171 pointer is null. */ 4172 if (dstptr && integer_zerop (dstptr)) 4173 { 4174 /* This is diagnosed with -Wformat only when the null is a constant 4175 pointer. The warning here diagnoses instances where the pointer 4176 is not constant. */ 4177 location_t loc = gimple_location (info.callstmt); 4178 warning_at (EXPR_LOC_OR_LOC (dstptr, loc), 4179 info.warnopt (), "%Gnull destination pointer", 4180 info.callstmt); 4181 return false; 4182 } 4183 4184 /* Set the object size to the smaller of the two arguments 4185 of both have been specified and they're not equal. */ 4186 info.objsize = dstsize < objsize ? dstsize : objsize; 4187 4188 if (info.bounded 4189 && dstsize < target_size_max () / 2 && objsize < dstsize 4190 /* Avoid warning if -Wstringop-overflow is specified since 4191 it also warns for the same thing though only for the 4192 checking built-ins. */ 4193 && (idx_objsize == UINT_MAX 4194 || !warn_stringop_overflow)) 4195 { 4196 warning_at (gimple_location (info.callstmt), info.warnopt (), 4197 "specified bound %wu exceeds the size %wu " 4198 "of the destination object", dstsize, objsize); 4199 } 4200 } 4201 4202 /* Determine if the format argument may be null and warn if not 4203 and if the argument is null. */ 4204 if (integer_zerop (info.format) 4205 && gimple_call_builtin_p (info.callstmt, BUILT_IN_NORMAL)) 4206 { 4207 location_t loc = gimple_location (info.callstmt); 4208 warning_at (EXPR_LOC_OR_LOC (info.format, loc), 4209 info.warnopt (), "%Gnull format string", 4210 info.callstmt); 4211 return false; 4212 } 4213 4214 info.fmtstr = get_format_string (info.format, &info.fmtloc); 4215 if (!info.fmtstr) 4216 return false; 4217 4218 /* The result is the number of bytes output by the formatted function, 4219 including the terminating NUL. */ 4220 format_result res = format_result (); 4221 4222 /* I/O functions with no destination argument (i.e., all forms of fprintf 4223 and printf) may fail under any conditions. Others (i.e., all forms of 4224 sprintf) may only fail under specific conditions determined for each 4225 directive. Clear POSUNDER4K for the former set of functions and set 4226 it to true for the latter (it can only be cleared later, but it is 4227 never set to true again). */ 4228 res.posunder4k = posunder4k && dstptr; 4229 4230 bool success = compute_format_length (info, &res); 4231 if (res.warned) 4232 gimple_set_no_warning (info.callstmt, true); 4233 4234 /* When optimizing and the printf return value optimization is enabled, 4235 attempt to substitute the computed result for the return value of 4236 the call. Avoid this optimization when -frounding-math is in effect 4237 and the format string contains a floating point directive. */ 4238 bool call_removed = false; 4239 if (success && optimize > 0) 4240 { 4241 /* Save a copy of the iterator pointing at the call. The iterator 4242 may change to point past the call in try_substitute_return_value 4243 but the original value is needed in try_simplify_call. */ 4244 gimple_stmt_iterator gsi_call = *gsi; 4245 4246 if (flag_printf_return_value 4247 && (!flag_rounding_math || !res.floating)) 4248 call_removed = try_substitute_return_value (gsi, info, res); 4249 4250 if (!call_removed) 4251 try_simplify_call (&gsi_call, info, res); 4252 } 4253 4254 return call_removed; 4255 } 4256 4257 edge 4258 sprintf_dom_walker::before_dom_children (basic_block bb) 4259 { 4260 evrp_range_analyzer.enter (bb); 4261 for (gimple_stmt_iterator si = gsi_start_bb (bb); !gsi_end_p (si); ) 4262 { 4263 /* Iterate over statements, looking for function calls. */ 4264 gimple *stmt = gsi_stmt (si); 4265 4266 /* First record ranges generated by this statement. */ 4267 evrp_range_analyzer.record_ranges_from_stmt (stmt, false); 4268 4269 if (is_gimple_call (stmt) && handle_gimple_call (&si)) 4270 /* If handle_gimple_call returns true, the iterator is 4271 already pointing to the next statement. */ 4272 continue; 4273 4274 gsi_next (&si); 4275 } 4276 return NULL; 4277 } 4278 4279 void 4280 sprintf_dom_walker::after_dom_children (basic_block bb) 4281 { 4282 evrp_range_analyzer.leave (bb); 4283 } 4284 4285 /* Execute the pass for function FUN. */ 4286 4287 unsigned int 4288 pass_sprintf_length::execute (function *fun) 4289 { 4290 init_target_to_host_charmap (); 4291 4292 calculate_dominance_info (CDI_DOMINATORS); 4293 bool use_scev = optimize > 0 && flag_printf_return_value; 4294 if (use_scev) 4295 { 4296 loop_optimizer_init (LOOPS_NORMAL); 4297 scev_initialize (); 4298 } 4299 4300 sprintf_dom_walker sprintf_dom_walker; 4301 sprintf_dom_walker.walk (ENTRY_BLOCK_PTR_FOR_FN (fun)); 4302 4303 if (use_scev) 4304 { 4305 scev_finalize (); 4306 loop_optimizer_finalize (); 4307 } 4308 4309 /* Clean up object size info. */ 4310 fini_object_sizes (); 4311 return 0; 4312 } 4313 4314 } /* Unnamed namespace. */ 4315 4316 /* Return a pointer to a pass object newly constructed from the context 4317 CTXT. */ 4318 4319 gimple_opt_pass * 4320 make_pass_sprintf_length (gcc::context *ctxt) 4321 { 4322 return new pass_sprintf_length (ctxt); 4323 } 4324