1 /* Copyright (C) 2016-2018 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
4 This file is part of GCC.
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
50 #include "coretypes.h"
54 #include "tree-pass.h"
56 #include "gimple-fold.h"
57 #include "gimple-pretty-print.h"
58 #include "diagnostic-core.h"
59 #include "fold-const.h"
60 #include "gimple-iterator.h"
62 #include "tree-object-size.h"
65 #include "tree-ssa-propagate.h"
69 #include "langhooks.h"
72 #include "stor-layout.h"
80 #include "substring-locations.h"
81 #include "diagnostic.h"
83 #include "alloc-pool.h"
84 #include "vr-values.h"
85 #include "gimple-ssa-evrp-analyze.h"
87 /* The likely worst case value of MB_LEN_MAX for the target, large enough
88 for UTF-8. Ideally, this would be obtained by a target hook if it were
89 to be used for optimization but it's good enough as is for warnings. */
90 #define target_mb_len_max() 6
92 /* The maximum number of bytes a single non-string directive can result
93 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for
94 LDBL_MAX_10_EXP of 4932. */
95 #define IEEE_MAX_10_EXP 4932
96 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2)
100 const pass_data pass_data_sprintf_length = {
101 GIMPLE_PASS, // pass type
102 "printf-return-value", // pass name
103 OPTGROUP_NONE, // optinfo_flags
105 PROP_cfg, // properties_required
106 0, // properties_provided
107 0, // properties_destroyed
108 0, // properties_start
109 0, // properties_finish
112 /* Set to the warning level for the current function which is equal
113 either to warn_format_trunc for bounded functions or to
114 warn_format_overflow otherwise. */
116 static int warn_level;
118 struct format_result;
120 class sprintf_dom_walker : public dom_walker
123 sprintf_dom_walker () : dom_walker (CDI_DOMINATORS) {}
124 ~sprintf_dom_walker () {}
126 edge before_dom_children (basic_block) FINAL OVERRIDE;
127 void after_dom_children (basic_block) FINAL OVERRIDE;
128 bool handle_gimple_call (gimple_stmt_iterator *);
131 bool compute_format_length (call_info &, format_result *);
132 class evrp_range_analyzer evrp_range_analyzer;
135 class pass_sprintf_length : public gimple_opt_pass
137 bool fold_return_value;
140 pass_sprintf_length (gcc::context *ctxt)
141 : gimple_opt_pass (pass_data_sprintf_length, ctxt),
142 fold_return_value (false)
145 opt_pass * clone () { return new pass_sprintf_length (m_ctxt); }
147 virtual bool gate (function *);
149 virtual unsigned int execute (function *);
151 void set_pass_param (unsigned int n, bool param)
154 fold_return_value = param;
160 pass_sprintf_length::gate (function *)
162 /* Run the pass iff -Warn-format-overflow or -Warn-format-truncation
163 is specified and either not optimizing and the pass is being invoked
164 early, or when optimizing and the pass is being invoked during
165 optimization (i.e., "late"). */
166 return ((warn_format_overflow > 0
167 || warn_format_trunc > 0
168 || flag_printf_return_value)
169 && (optimize > 0) == fold_return_value);
172 /* The minimum, maximum, likely, and unlikely maximum number of bytes
173 of output either a formatting function or an individual directive
178 /* The absolute minimum number of bytes. The result of a successful
179 conversion is guaranteed to be no less than this. (An erroneous
180 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */
181 unsigned HOST_WIDE_INT min;
182 /* The likely maximum result that is used in diagnostics. In most
183 cases MAX is the same as the worst case UNLIKELY result. */
184 unsigned HOST_WIDE_INT max;
185 /* The likely result used to trigger diagnostics. For conversions
186 that result in a range of bytes [MIN, MAX], LIKELY is somewhere
188 unsigned HOST_WIDE_INT likely;
189 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives
190 the worst cases maximum result of a directive. In most cases
191 UNLIKELY == MAX. UNLIKELY is used to control the return value
192 optimization but not in diagnostics. */
193 unsigned HOST_WIDE_INT unlikely;
196 /* The result of a call to a formatted function. */
200 /* Range of characters written by the formatted function.
201 Setting the minimum to HOST_WIDE_INT_MAX disables all
202 length tracking for the remainder of the format string. */
205 /* True when the range above is obtained from known values of
206 directive arguments, or bounds on the amount of output such
207 as width and precision, and not the result of heuristics that
208 depend on warning levels. It's used to issue stricter diagnostics
209 in cases where strings of unknown lengths are bounded by the arrays
210 they are determined to refer to. KNOWNRANGE must not be used for
211 the return value optimization. */
214 /* True if no individual directive resulted in more than 4095 bytes
215 of output (the total NUMBER_CHARS_{MIN,MAX} might be greater).
216 Implementations are not required to handle directives that produce
217 more than 4K bytes (leading to undefined behavior) and so when one
218 is found it disables the return value optimization. */
221 /* True when a floating point directive has been seen in the format
225 /* True when an intermediate result has caused a warning. Used to
226 avoid issuing duplicate warnings while finishing the processing
227 of a call. WARNED also disables the return value optimization. */
230 /* Preincrement the number of output characters by 1. */
231 format_result& operator++ ()
236 /* Postincrement the number of output characters by 1. */
237 format_result operator++ (int)
239 format_result prev (*this);
244 /* Increment the number of output characters by N. */
245 format_result& operator+= (unsigned HOST_WIDE_INT);
249 format_result::operator+= (unsigned HOST_WIDE_INT n)
251 gcc_assert (n < HOST_WIDE_INT_MAX);
253 if (range.min < HOST_WIDE_INT_MAX)
256 if (range.max < HOST_WIDE_INT_MAX)
259 if (range.likely < HOST_WIDE_INT_MAX)
262 if (range.unlikely < HOST_WIDE_INT_MAX)
268 /* Return the value of INT_MIN for the target. */
270 static inline HOST_WIDE_INT
273 return tree_to_shwi (TYPE_MIN_VALUE (integer_type_node));
276 /* Return the value of INT_MAX for the target. */
278 static inline unsigned HOST_WIDE_INT
281 return tree_to_uhwi (TYPE_MAX_VALUE (integer_type_node));
284 /* Return the value of SIZE_MAX for the target. */
286 static inline unsigned HOST_WIDE_INT
289 return tree_to_uhwi (TYPE_MAX_VALUE (size_type_node));
292 /* A straightforward mapping from the execution character set to the host
293 character set indexed by execution character. */
295 static char target_to_host_charmap[256];
297 /* Initialize a mapping from the execution character set to the host
301 init_target_to_host_charmap ()
303 /* If the percent sign is non-zero the mapping has already been
305 if (target_to_host_charmap['%'])
308 /* Initialize the target_percent character (done elsewhere). */
309 if (!init_target_chars ())
312 /* The subset of the source character set used by printf conversion
313 specifications (strictly speaking, not all letters are used but
314 they are included here for the sake of simplicity). The dollar
315 sign must be included even though it's not in the basic source
317 const char srcset[] = " 0123456789!\"#%&'()*+,-./:;<=>?[\\]^_{|}~$"
318 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
320 /* Set the mapping for all characters to some ordinary value (i,e.,
321 not none used in printf conversion specifications) and overwrite
322 those that are used by conversion specifications with their
323 corresponding values. */
324 memset (target_to_host_charmap + 1, '?', sizeof target_to_host_charmap - 1);
326 /* Are the two sets of characters the same? */
327 bool all_same_p = true;
329 for (const char *pc = srcset; *pc; ++pc)
331 /* Slice off the high end bits in case target characters are
332 signed. All values are expected to be non-nul, otherwise
333 there's a problem. */
334 if (unsigned char tc = lang_hooks.to_target_charset (*pc))
336 target_to_host_charmap[tc] = *pc;
345 /* Set the first element to a non-zero value if the mapping
346 is 1-to-1, otherwise leave it clear (NUL is assumed to be
347 the same in both character sets). */
348 target_to_host_charmap[0] = all_same_p;
353 /* Return the host source character corresponding to the character
354 CH in the execution character set if one exists, or some innocuous
355 (non-special, non-nul) source character otherwise. */
357 static inline unsigned char
358 target_to_host (unsigned char ch)
360 return target_to_host_charmap[ch];
363 /* Convert an initial substring of the string TARGSTR consisting of
364 characters in the execution character set into a string in the
365 source character set on the host and store up to HOSTSZ characters
366 in the buffer pointed to by HOSTR. Return HOSTR. */
369 target_to_host (char *hostr, size_t hostsz, const char *targstr)
371 /* Make sure the buffer is reasonably big. */
372 gcc_assert (hostsz > 4);
374 /* The interesting subset of source and execution characters are
375 the same so no conversion is necessary. However, truncate
376 overlong strings just like the translated strings are. */
377 if (target_to_host_charmap['\0'] == 1)
379 strncpy (hostr, targstr, hostsz - 4);
380 if (strlen (targstr) >= hostsz)
381 strcpy (hostr + hostsz - 4, "...");
385 /* Convert the initial substring of TARGSTR to the corresponding
386 characters in the host set, appending "..." if TARGSTR is too
387 long to fit. Using the static buffer assumes the function is
388 not called in between sequence points (which it isn't). */
389 for (char *ph = hostr; ; ++targstr)
391 *ph++ = target_to_host (*targstr);
395 if (size_t (ph - hostr) == hostsz - 4)
406 /* Convert the sequence of decimal digits in the execution character
407 starting at S to a long, just like strtol does. Return the result
408 and set *END to one past the last converted character. On range
409 error set ERANGE to the digit that caused it. */
412 target_strtol10 (const char **ps, const char **erange)
414 unsigned HOST_WIDE_INT val = 0;
417 unsigned char c = target_to_host (**ps);
422 /* Check for overflow. */
423 if (val > (LONG_MAX - c) / 10LU)
428 /* Skip the remaining digits. */
430 c = target_to_host (*++*ps);
444 /* Return the constant initial value of DECL if available or DECL
445 otherwise. Same as the synonymous function in c/c-typeck.c. */
448 decl_constant_value (tree decl)
450 if (/* Don't change a variable array bound or initial value to a constant
451 in a place where a variable is invalid. Note that DECL_INITIAL
452 isn't valid for a PARM_DECL. */
453 current_function_decl != 0
454 && TREE_CODE (decl) != PARM_DECL
455 && !TREE_THIS_VOLATILE (decl)
456 && TREE_READONLY (decl)
457 && DECL_INITIAL (decl) != 0
458 && TREE_CODE (DECL_INITIAL (decl)) != ERROR_MARK
459 /* This is invalid if initial value is not constant.
460 If it has either a function call, a memory reference,
461 or a variable, then re-evaluating it could give different results. */
462 && TREE_CONSTANT (DECL_INITIAL (decl))
463 /* Check for cases where this is sub-optimal, even though valid. */
464 && TREE_CODE (DECL_INITIAL (decl)) != CONSTRUCTOR)
465 return DECL_INITIAL (decl);
469 /* Given FORMAT, set *PLOC to the source location of the format string
470 and return the format string if it is known or null otherwise. */
473 get_format_string (tree format, location_t *ploc)
477 /* Pull out a constant value if the front end didn't. */
478 format = decl_constant_value (format);
482 if (integer_zerop (format))
484 /* FIXME: Diagnose null format string if it hasn't been diagnosed
485 by -Wformat (the latter diagnoses only nul pointer constants,
486 this pass can do better). */
490 HOST_WIDE_INT offset = 0;
492 if (TREE_CODE (format) == POINTER_PLUS_EXPR)
494 tree arg0 = TREE_OPERAND (format, 0);
495 tree arg1 = TREE_OPERAND (format, 1);
499 if (TREE_CODE (arg1) != INTEGER_CST)
504 /* POINTER_PLUS_EXPR offsets are to be interpreted signed. */
505 if (!cst_and_fits_in_hwi (arg1))
508 offset = int_cst_value (arg1);
511 if (TREE_CODE (format) != ADDR_EXPR)
514 *ploc = EXPR_LOC_OR_LOC (format, input_location);
516 format = TREE_OPERAND (format, 0);
518 if (TREE_CODE (format) == ARRAY_REF
519 && tree_fits_shwi_p (TREE_OPERAND (format, 1))
520 && (offset += tree_to_shwi (TREE_OPERAND (format, 1))) >= 0)
521 format = TREE_OPERAND (format, 0);
527 tree array_size = NULL_TREE;
530 && TREE_CODE (TREE_TYPE (format)) == ARRAY_TYPE
531 && (array_init = decl_constant_value (format)) != format
532 && TREE_CODE (array_init) == STRING_CST)
534 /* Extract the string constant initializer. Note that this may
535 include a trailing NUL character that is not in the array (e.g.
536 const char a[3] = "foo";). */
537 array_size = DECL_SIZE_UNIT (format);
541 if (TREE_CODE (format) != STRING_CST)
544 tree type = TREE_TYPE (format);
546 scalar_int_mode char_mode;
547 if (!is_int_mode (TYPE_MODE (TREE_TYPE (type)), &char_mode)
548 || GET_MODE_SIZE (char_mode) != 1)
550 /* Wide format string. */
554 const char *fmtstr = TREE_STRING_POINTER (format);
555 unsigned fmtlen = TREE_STRING_LENGTH (format);
559 /* Variable length arrays can't be initialized. */
560 gcc_assert (TREE_CODE (array_size) == INTEGER_CST);
562 if (tree_fits_shwi_p (array_size))
564 HOST_WIDE_INT array_size_value = tree_to_shwi (array_size);
565 if (array_size_value > 0
566 && array_size_value == (int) array_size_value
567 && fmtlen > array_size_value)
568 fmtlen = array_size_value;
573 if (offset >= fmtlen)
580 if (fmtlen < 1 || fmtstr[--fmtlen] != 0)
582 /* FIXME: Diagnose an unterminated format string if it hasn't been
583 diagnosed by -Wformat. Similarly to a null format pointer,
584 -Wformay diagnoses only nul pointer constants, this pass can
592 /* For convenience and brevity, shorter named entrypoints of
593 format_warning_at_substring and format_warning_at_substring_n.
594 These have to be functions with the attribute so that exgettext
598 ATTRIBUTE_GCC_DIAG (5, 6)
599 fmtwarn (const substring_loc &fmt_loc, location_t param_loc,
600 const char *corrected_substring, int opt, const char *gmsgid, ...)
603 va_start (ap, gmsgid);
604 bool warned = format_warning_va (fmt_loc, param_loc, corrected_substring,
612 ATTRIBUTE_GCC_DIAG (6, 8) ATTRIBUTE_GCC_DIAG (7, 8)
613 fmtwarn_n (const substring_loc &fmt_loc, location_t param_loc,
614 const char *corrected_substring, int opt, unsigned HOST_WIDE_INT n,
615 const char *singular_gmsgid, const char *plural_gmsgid, ...)
618 va_start (ap, plural_gmsgid);
619 bool warned = format_warning_n_va (fmt_loc, param_loc, corrected_substring,
620 opt, n, singular_gmsgid, plural_gmsgid,
627 /* Format length modifiers. */
632 FMT_LEN_hh, // char argument
635 FMT_LEN_ll, // long long
636 FMT_LEN_L, // long double (and GNU long long)
638 FMT_LEN_t, // ptrdiff_t
639 FMT_LEN_j // intmax_t
643 /* Description of the result of conversion either of a single directive
644 or the whole format string. */
648 /* Construct a FMTRESULT object with all counters initialized
649 to MIN. KNOWNRANGE is set when MIN is valid. */
650 fmtresult (unsigned HOST_WIDE_INT min = HOST_WIDE_INT_MAX)
651 : argmin (), argmax (),
652 knownrange (min < HOST_WIDE_INT_MAX),
658 range.unlikely = min;
661 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters.
662 KNOWNRANGE is set when both MIN and MAX are valid. */
663 fmtresult (unsigned HOST_WIDE_INT min, unsigned HOST_WIDE_INT max,
664 unsigned HOST_WIDE_INT likely = HOST_WIDE_INT_MAX)
665 : argmin (), argmax (),
666 knownrange (min < HOST_WIDE_INT_MAX && max < HOST_WIDE_INT_MAX),
671 range.likely = max < likely ? min : likely;
672 range.unlikely = max;
675 /* Adjust result upward to reflect the RANGE of values the specified
676 width or precision is known to be in. */
677 fmtresult& adjust_for_width_or_precision (const HOST_WIDE_INT[2],
679 unsigned = 0, unsigned = 0);
681 /* Return the maximum number of decimal digits a value of TYPE
682 formats as on output. */
683 static unsigned type_max_digits (tree, int);
685 /* The range a directive's argument is in. */
688 /* The minimum and maximum number of bytes that a directive
689 results in on output for an argument in the range above. */
692 /* True when the range above is obtained from a known value of
693 a directive's argument or its bounds and not the result of
694 heuristics that depend on warning levels. */
697 /* True when the argument is a null pointer. */
701 /* Adjust result upward to reflect the range ADJUST of values the
702 specified width or precision is known to be in. When non-null,
703 TYPE denotes the type of the directive whose result is being
704 adjusted, BASE gives the base of the directive (octal, decimal,
705 or hex), and ADJ denotes the additional adjustment to the LIKELY
706 counter that may need to be added when ADJUST is a range. */
709 fmtresult::adjust_for_width_or_precision (const HOST_WIDE_INT adjust[2],
710 tree type /* = NULL_TREE */,
711 unsigned base /* = 0 */,
712 unsigned adj /* = 0 */)
714 bool minadjusted = false;
716 /* Adjust the minimum and likely counters. */
719 if (range.min < (unsigned HOST_WIDE_INT)adjust[0])
721 range.min = adjust[0];
725 /* Adjust the likely counter. */
726 if (range.likely < range.min)
727 range.likely = range.min;
729 else if (adjust[0] == target_int_min ()
730 && (unsigned HOST_WIDE_INT)adjust[1] == target_int_max ())
733 /* Adjust the maximum counter. */
736 if (range.max < (unsigned HOST_WIDE_INT)adjust[1])
738 range.max = adjust[1];
740 /* Set KNOWNRANGE if both the minimum and maximum have been
741 adjusted. Otherwise leave it at what it was before. */
742 knownrange = minadjusted;
746 if (warn_level > 1 && type)
748 /* For large non-constant width or precision whose range spans
749 the maximum number of digits produced by the directive for
750 any argument, set the likely number of bytes to be at most
751 the number digits plus other adjustment determined by the
752 caller (one for sign or two for the hexadecimal "0x"
754 unsigned dirdigs = type_max_digits (type, base);
755 if (adjust[0] < dirdigs && dirdigs < adjust[1]
756 && range.likely < dirdigs)
757 range.likely = dirdigs + adj;
759 else if (range.likely < (range.min ? range.min : 1))
761 /* Conservatively, set LIKELY to at least MIN but no less than
762 1 unless MAX is zero. */
763 range.likely = (range.min
765 : range.max && (range.max < HOST_WIDE_INT_MAX
766 || warn_level > 1) ? 1 : 0);
769 /* Finally adjust the unlikely counter to be at least as large as
771 if (range.unlikely < range.max)
772 range.unlikely = range.max;
777 /* Return the maximum number of digits a value of TYPE formats in
778 BASE on output, not counting base prefix . */
781 fmtresult::type_max_digits (tree type, int base)
783 unsigned prec = TYPE_PRECISION (type);
787 return (prec + 2) / 3;
789 /* Decimal approximation: yields 3, 5, 10, and 20 for precision
790 of 8, 16, 32, and 64 bits. */
791 return prec * 301 / 1000 + 1;
800 get_int_range (tree, HOST_WIDE_INT *, HOST_WIDE_INT *, bool, HOST_WIDE_INT,
801 class vr_values *vr_values);
803 /* Description of a format directive. A directive is either a plain
804 string or a conversion specification that starts with '%'. */
808 /* The 1-based directive number (for debugging). */
811 /* The first character of the directive and its length. */
815 /* A bitmap of flags, one for each character. */
816 unsigned flags[256 / sizeof (int)];
818 /* The range of values of the specified width, or -1 if not specified. */
819 HOST_WIDE_INT width[2];
820 /* The range of values of the specified precision, or -1 if not
822 HOST_WIDE_INT prec[2];
824 /* Length modifier. */
825 format_lengths modifier;
827 /* Format specifier character. */
830 /* The argument of the directive or null when the directive doesn't
831 take one or when none is available (such as for vararg functions). */
834 /* Format conversion function that given a directive and an argument
835 returns the formatting result. */
836 fmtresult (*fmtfunc) (const directive &, tree, vr_values *);
838 /* Return True when a the format flag CHR has been used. */
839 bool get_flag (char chr) const
841 unsigned char c = chr & 0xff;
842 return (flags[c / (CHAR_BIT * sizeof *flags)]
843 & (1U << (c % (CHAR_BIT * sizeof *flags))));
846 /* Make a record of the format flag CHR having been used. */
847 void set_flag (char chr)
849 unsigned char c = chr & 0xff;
850 flags[c / (CHAR_BIT * sizeof *flags)]
851 |= (1U << (c % (CHAR_BIT * sizeof *flags)));
854 /* Reset the format flag CHR. */
855 void clear_flag (char chr)
857 unsigned char c = chr & 0xff;
858 flags[c / (CHAR_BIT * sizeof *flags)]
859 &= ~(1U << (c % (CHAR_BIT * sizeof *flags)));
862 /* Set both bounds of the width range to VAL. */
863 void set_width (HOST_WIDE_INT val)
865 width[0] = width[1] = val;
868 /* Set the width range according to ARG, with both bounds being
869 no less than 0. For a constant ARG set both bounds to its value
870 or 0, whichever is greater. For a non-constant ARG in some range
871 set width to its range adjusting each bound to -1 if it's less.
872 For an indeterminate ARG set width to [0, INT_MAX]. */
873 void set_width (tree arg, vr_values *vr_values)
875 get_int_range (arg, width, width + 1, true, 0, vr_values);
878 /* Set both bounds of the precision range to VAL. */
879 void set_precision (HOST_WIDE_INT val)
881 prec[0] = prec[1] = val;
884 /* Set the precision range according to ARG, with both bounds being
885 no less than -1. For a constant ARG set both bounds to its value
886 or -1 whichever is greater. For a non-constant ARG in some range
887 set precision to its range adjusting each bound to -1 if it's less.
888 For an indeterminate ARG set precision to [-1, INT_MAX]. */
889 void set_precision (tree arg, vr_values *vr_values)
891 get_int_range (arg, prec, prec + 1, false, -1, vr_values);
894 /* Return true if both width and precision are known to be
895 either constant or in some range, false otherwise. */
896 bool known_width_and_precision () const
898 return ((width[1] < 0
899 || (unsigned HOST_WIDE_INT)width[1] <= target_int_max ())
901 || (unsigned HOST_WIDE_INT)prec[1] < target_int_max ()));
905 /* Return the logarithm of X in BASE. */
908 ilog (unsigned HOST_WIDE_INT x, int base)
919 /* Return the number of bytes resulting from converting into a string
920 the INTEGER_CST tree node X in BASE with a minimum of PREC digits.
921 PLUS indicates whether 1 for a plus sign should be added for positive
922 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal
923 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot
927 tree_digits (tree x, int base, HOST_WIDE_INT prec, bool plus, bool prefix)
929 unsigned HOST_WIDE_INT absval;
933 if (TYPE_UNSIGNED (TREE_TYPE (x)))
935 if (tree_fits_uhwi_p (x))
937 absval = tree_to_uhwi (x);
945 if (tree_fits_shwi_p (x))
947 HOST_WIDE_INT i = tree_to_shwi (x);
948 if (HOST_WIDE_INT_MIN == i)
950 /* Avoid undefined behavior due to negating a minimum. */
951 absval = HOST_WIDE_INT_MAX;
969 int ndigs = ilog (absval, base);
971 res += prec < ndigs ? ndigs : prec;
973 /* Adjust a non-zero value for the base prefix, either hexadecimal,
974 or, unless precision has resulted in a leading zero, also octal. */
975 if (prefix && absval && (base == 16 || prec <= ndigs))
986 /* Given the formatting result described by RES and NAVAIL, the number
987 of available in the destination, return the range of bytes remaining
988 in the destination. */
990 static inline result_range
991 bytes_remaining (unsigned HOST_WIDE_INT navail, const format_result &res)
995 if (HOST_WIDE_INT_MAX <= navail)
997 range.min = range.max = range.likely = range.unlikely = navail;
1001 /* The lower bound of the available range is the available size
1002 minus the maximum output size, and the upper bound is the size
1003 minus the minimum. */
1004 range.max = res.range.min < navail ? navail - res.range.min : 0;
1006 range.likely = res.range.likely < navail ? navail - res.range.likely : 0;
1008 if (res.range.max < HOST_WIDE_INT_MAX)
1009 range.min = res.range.max < navail ? navail - res.range.max : 0;
1011 range.min = range.likely;
1013 range.unlikely = (res.range.unlikely < navail
1014 ? navail - res.range.unlikely : 0);
1019 /* Description of a call to a formatted function. */
1021 struct sprintf_dom_walker::call_info
1023 /* Function call statement. */
1026 /* Function called. */
1029 /* Called built-in function code. */
1030 built_in_function fncode;
1032 /* Format argument and format string extracted from it. */
1036 /* The location of the format argument. */
1039 /* The destination object size for __builtin___xxx_chk functions
1040 typically determined by __builtin_object_size, or -1 if unknown. */
1041 unsigned HOST_WIDE_INT objsize;
1043 /* Number of the first variable argument. */
1044 unsigned HOST_WIDE_INT argidx;
1046 /* True for functions like snprintf that specify the size of
1047 the destination, false for others like sprintf that don't. */
1050 /* True for bounded functions like snprintf that specify a zero-size
1051 buffer as a request to compute the size of output without actually
1052 writing any. NOWRITE is cleared in response to the %n directive
1053 which has side-effects similar to writing output. */
1056 /* Return true if the called function's return value is used. */
1057 bool retval_used () const
1059 return gimple_get_lhs (callstmt);
1062 /* Return the warning option corresponding to the called function. */
1063 int warnopt () const
1065 return bounded ? OPT_Wformat_truncation_ : OPT_Wformat_overflow_;
1069 /* Return the result of formatting a no-op directive (such as '%n'). */
1072 format_none (const directive &, tree, vr_values *)
1078 /* Return the result of formatting the '%%' directive. */
1081 format_percent (const directive &, tree, vr_values *)
1088 /* Compute intmax_type_node and uintmax_type_node similarly to how
1089 tree.c builds size_type_node. */
1092 build_intmax_type_nodes (tree *pintmax, tree *puintmax)
1094 if (strcmp (UINTMAX_TYPE, "unsigned int") == 0)
1096 *pintmax = integer_type_node;
1097 *puintmax = unsigned_type_node;
1099 else if (strcmp (UINTMAX_TYPE, "long unsigned int") == 0)
1101 *pintmax = long_integer_type_node;
1102 *puintmax = long_unsigned_type_node;
1104 else if (strcmp (UINTMAX_TYPE, "long long unsigned int") == 0)
1106 *pintmax = long_long_integer_type_node;
1107 *puintmax = long_long_unsigned_type_node;
1111 for (int i = 0; i < NUM_INT_N_ENTS; i++)
1112 if (int_n_enabled_p[i])
1115 sprintf (name, "__int%d unsigned", int_n_data[i].bitsize);
1117 if (strcmp (name, UINTMAX_TYPE) == 0)
1119 *pintmax = int_n_trees[i].signed_type;
1120 *puintmax = int_n_trees[i].unsigned_type;
1128 /* Determine the range [*PMIN, *PMAX] that the expression ARG is
1129 in and that is representable in type int.
1130 Return true when the range is a subrange of that of int.
1131 When ARG is null it is as if it had the full range of int.
1132 When ABSOLUTE is true the range reflects the absolute value of
1133 the argument. When ABSOLUTE is false, negative bounds of
1134 the determined range are replaced with NEGBOUND. */
1137 get_int_range (tree arg, HOST_WIDE_INT *pmin, HOST_WIDE_INT *pmax,
1138 bool absolute, HOST_WIDE_INT negbound,
1139 class vr_values *vr_values)
1141 /* The type of the result. */
1142 const_tree type = integer_type_node;
1144 bool knownrange = false;
1148 *pmin = tree_to_shwi (TYPE_MIN_VALUE (type));
1149 *pmax = tree_to_shwi (TYPE_MAX_VALUE (type));
1151 else if (TREE_CODE (arg) == INTEGER_CST
1152 && TYPE_PRECISION (TREE_TYPE (arg)) <= TYPE_PRECISION (type))
1154 /* For a constant argument return its value adjusted as specified
1155 by NEGATIVE and NEGBOUND and return true to indicate that the
1157 *pmin = tree_fits_shwi_p (arg) ? tree_to_shwi (arg) : tree_to_uhwi (arg);
1163 /* True if the argument's range cannot be determined. */
1164 bool unknown = true;
1166 tree argtype = TREE_TYPE (arg);
1168 /* Ignore invalid arguments with greater precision that that
1169 of the expected type (e.g., in sprintf("%*i", 12LL, i)).
1170 They will have been detected and diagnosed by -Wformat and
1171 so it's not important to complicate this code to try to deal
1173 if (TREE_CODE (arg) == SSA_NAME
1174 && INTEGRAL_TYPE_P (argtype)
1175 && TYPE_PRECISION (argtype) <= TYPE_PRECISION (type))
1177 /* Try to determine the range of values of the integer argument. */
1178 value_range *vr = vr_values->get_value_range (arg);
1179 if (vr->type == VR_RANGE
1180 && TREE_CODE (vr->min) == INTEGER_CST
1181 && TREE_CODE (vr->max) == INTEGER_CST)
1183 HOST_WIDE_INT type_min
1184 = (TYPE_UNSIGNED (argtype)
1185 ? tree_to_uhwi (TYPE_MIN_VALUE (argtype))
1186 : tree_to_shwi (TYPE_MIN_VALUE (argtype)));
1188 HOST_WIDE_INT type_max = tree_to_uhwi (TYPE_MAX_VALUE (argtype));
1190 *pmin = TREE_INT_CST_LOW (vr->min);
1191 *pmax = TREE_INT_CST_LOW (vr->max);
1195 /* Return true if the adjusted range is a subrange of
1196 the full range of the argument's type. *PMAX may
1197 be less than *PMIN when the argument is unsigned
1198 and its upper bound is in excess of TYPE_MAX. In
1199 that (invalid) case disregard the range and use that
1200 of the expected type instead. */
1201 knownrange = type_min < *pmin || *pmax < type_max;
1208 /* Handle an argument with an unknown range as if none had been
1211 return get_int_range (NULL_TREE, pmin, pmax, absolute,
1212 negbound, vr_values);
1215 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */
1221 *pmin = *pmax = -*pmin;
1224 /* Make sure signed overlow is avoided. */
1225 gcc_assert (*pmin != HOST_WIDE_INT_MIN);
1227 HOST_WIDE_INT tmp = -*pmin;
1234 else if (*pmin < negbound)
1240 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual
1241 argument, due to the conversion from either *ARGMIN or *ARGMAX to
1242 the type of the directive's formal argument it's possible for both
1243 to result in the same number of bytes or a range of bytes that's
1244 less than the number of bytes that would result from formatting
1245 some other value in the range [*ARGMIN, *ARGMAX]. This can be
1246 determined by checking for the actual argument being in the range
1247 of the type of the directive. If it isn't it must be assumed to
1248 take on the full range of the directive's type.
1249 Return true when the range has been adjusted to the full range
1250 of DIRTYPE, and false otherwise. */
1253 adjust_range_for_overflow (tree dirtype, tree *argmin, tree *argmax)
1255 tree argtype = TREE_TYPE (*argmin);
1256 unsigned argprec = TYPE_PRECISION (argtype);
1257 unsigned dirprec = TYPE_PRECISION (dirtype);
1259 /* If the actual argument and the directive's argument have the same
1260 precision and sign there can be no overflow and so there is nothing
1262 if (argprec == dirprec && TYPE_SIGN (argtype) == TYPE_SIGN (dirtype))
1265 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P
1266 branch in the extract_range_from_unary_expr function in tree-vrp.c. */
1268 if (TREE_CODE (*argmin) == INTEGER_CST
1269 && TREE_CODE (*argmax) == INTEGER_CST
1270 && (dirprec >= argprec
1271 || integer_zerop (int_const_binop (RSHIFT_EXPR,
1272 int_const_binop (MINUS_EXPR,
1275 size_int (dirprec)))))
1277 *argmin = force_fit_type (dirtype, wi::to_widest (*argmin), 0, false);
1278 *argmax = force_fit_type (dirtype, wi::to_widest (*argmax), 0, false);
1280 /* If *ARGMIN is still less than *ARGMAX the conversion above
1281 is safe. Otherwise, it has overflowed and would be unsafe. */
1282 if (tree_int_cst_le (*argmin, *argmax))
1286 *argmin = TYPE_MIN_VALUE (dirtype);
1287 *argmax = TYPE_MAX_VALUE (dirtype);
1291 /* Return a range representing the minimum and maximum number of bytes
1292 that the format directive DIR will output for any argument given
1293 the WIDTH and PRECISION (extracted from DIR). This function is
1294 used when the directive argument or its value isn't known. */
1297 format_integer (const directive &dir, tree arg, vr_values *vr_values)
1299 tree intmax_type_node;
1300 tree uintmax_type_node;
1302 /* Base to format the number in. */
1305 /* True when a conversion is preceded by a prefix indicating the base
1306 of the argument (octal or hexadecimal). */
1307 bool maybebase = dir.get_flag ('#');
1309 /* True when a signed conversion is preceded by a sign or space. */
1310 bool maybesign = false;
1312 /* True for signed conversions (i.e., 'd' and 'i'). */
1315 switch (dir.specifier)
1319 /* Space and '+' are only meaningful for signed conversions. */
1320 maybesign = dir.get_flag (' ') | dir.get_flag ('+');
1338 /* The type of the "formal" argument expected by the directive. */
1339 tree dirtype = NULL_TREE;
1341 /* Determine the expected type of the argument from the length
1343 switch (dir.modifier)
1346 if (dir.specifier == 'p')
1347 dirtype = ptr_type_node;
1349 dirtype = sign ? integer_type_node : unsigned_type_node;
1353 dirtype = sign ? short_integer_type_node : short_unsigned_type_node;
1357 dirtype = sign ? signed_char_type_node : unsigned_char_type_node;
1361 dirtype = sign ? long_integer_type_node : long_unsigned_type_node;
1367 ? long_long_integer_type_node
1368 : long_long_unsigned_type_node);
1372 dirtype = signed_or_unsigned_type_for (!sign, size_type_node);
1376 dirtype = signed_or_unsigned_type_for (!sign, ptrdiff_type_node);
1380 build_intmax_type_nodes (&intmax_type_node, &uintmax_type_node);
1381 dirtype = sign ? intmax_type_node : uintmax_type_node;
1385 return fmtresult ();
1388 /* The type of the argument to the directive, either deduced from
1389 the actual non-constant argument if one is known, or from
1390 the directive itself when none has been provided because it's
1392 tree argtype = NULL_TREE;
1396 /* When the argument has not been provided, use the type of
1397 the directive's argument as an approximation. This will
1398 result in false positives for directives like %i with
1399 arguments with smaller precision (such as short or char). */
1402 else if (TREE_CODE (arg) == INTEGER_CST)
1404 /* When a constant argument has been provided use its value
1405 rather than type to determine the length of the output. */
1408 if ((dir.prec[0] <= 0 && dir.prec[1] >= 0) && integer_zerop (arg))
1410 /* As a special case, a precision of zero with a zero argument
1411 results in zero bytes except in base 8 when the '#' flag is
1412 specified, and for signed conversions in base 8 and 10 when
1413 either the space or '+' flag has been specified and it results
1414 in just one byte (with width having the normal effect). This
1415 must extend to the case of a specified precision with
1416 an unknown value because it can be zero. */
1417 res.range.min = ((base == 8 && dir.get_flag ('#')) || maybesign);
1418 if (res.range.min == 0 && dir.prec[0] != dir.prec[1])
1421 res.range.likely = 1;
1425 res.range.max = res.range.min;
1426 res.range.likely = res.range.min;
1431 /* Convert the argument to the type of the directive. */
1432 arg = fold_convert (dirtype, arg);
1434 res.range.min = tree_digits (arg, base, dir.prec[0],
1435 maybesign, maybebase);
1436 if (dir.prec[0] == dir.prec[1])
1437 res.range.max = res.range.min;
1439 res.range.max = tree_digits (arg, base, dir.prec[1],
1440 maybesign, maybebase);
1441 res.range.likely = res.range.min;
1442 res.knownrange = true;
1445 res.range.unlikely = res.range.max;
1447 /* Bump up the counters if WIDTH is greater than LEN. */
1448 res.adjust_for_width_or_precision (dir.width, dirtype, base,
1449 (sign | maybebase) + (base == 16));
1450 /* Bump up the counters again if PRECision is greater still. */
1451 res.adjust_for_width_or_precision (dir.prec, dirtype, base,
1452 (sign | maybebase) + (base == 16));
1456 else if (INTEGRAL_TYPE_P (TREE_TYPE (arg))
1457 || TREE_CODE (TREE_TYPE (arg)) == POINTER_TYPE)
1458 /* Determine the type of the provided non-constant argument. */
1459 argtype = TREE_TYPE (arg);
1461 /* Don't bother with invalid arguments since they likely would
1462 have already been diagnosed, and disable any further checking
1463 of the format string by returning [-1, -1]. */
1464 return fmtresult ();
1468 /* Using either the range the non-constant argument is in, or its
1469 type (either "formal" or actual), create a range of values that
1470 constrain the length of output given the warning level. */
1471 tree argmin = NULL_TREE;
1472 tree argmax = NULL_TREE;
1475 && TREE_CODE (arg) == SSA_NAME
1476 && INTEGRAL_TYPE_P (argtype))
1478 /* Try to determine the range of values of the integer argument
1479 (range information is not available for pointers). */
1480 value_range *vr = vr_values->get_value_range (arg);
1481 if (vr->type == VR_RANGE
1482 && TREE_CODE (vr->min) == INTEGER_CST
1483 && TREE_CODE (vr->max) == INTEGER_CST)
1488 /* Set KNOWNRANGE if the argument is in a known subrange
1489 of the directive's type and neither width nor precision
1490 is unknown. (KNOWNRANGE may be reset below). */
1492 = ((!tree_int_cst_equal (TYPE_MIN_VALUE (dirtype), argmin)
1493 || !tree_int_cst_equal (TYPE_MAX_VALUE (dirtype), argmax))
1494 && dir.known_width_and_precision ());
1496 res.argmin = argmin;
1497 res.argmax = argmax;
1499 else if (vr->type == VR_ANTI_RANGE)
1501 /* Handle anti-ranges if/when bug 71690 is resolved. */
1503 else if (vr->type == VR_VARYING
1504 || vr->type == VR_UNDEFINED)
1506 /* The argument here may be the result of promoting the actual
1507 argument to int. Try to determine the type of the actual
1508 argument before promotion and narrow down its range that
1510 gimple *def = SSA_NAME_DEF_STMT (arg);
1511 if (is_gimple_assign (def))
1513 tree_code code = gimple_assign_rhs_code (def);
1514 if (code == INTEGER_CST)
1516 arg = gimple_assign_rhs1 (def);
1517 return format_integer (dir, arg, vr_values);
1520 if (code == NOP_EXPR)
1522 tree type = TREE_TYPE (gimple_assign_rhs1 (def));
1523 if (INTEGRAL_TYPE_P (type)
1524 || TREE_CODE (type) == POINTER_TYPE)
1533 if (TREE_CODE (argtype) == POINTER_TYPE)
1535 argmin = build_int_cst (pointer_sized_int_node, 0);
1536 argmax = build_all_ones_cst (pointer_sized_int_node);
1540 argmin = TYPE_MIN_VALUE (argtype);
1541 argmax = TYPE_MAX_VALUE (argtype);
1545 /* Clear KNOWNRANGE if the range has been adjusted to the maximum
1546 of the directive. If it has been cleared then since ARGMIN and/or
1547 ARGMAX have been adjusted also adjust the corresponding ARGMIN and
1548 ARGMAX in the result to include in diagnostics. */
1549 if (adjust_range_for_overflow (dirtype, &argmin, &argmax))
1551 res.knownrange = false;
1552 res.argmin = argmin;
1553 res.argmax = argmax;
1556 /* Recursively compute the minimum and maximum from the known range. */
1557 if (TYPE_UNSIGNED (dirtype) || tree_int_cst_sgn (argmin) >= 0)
1559 /* For unsigned conversions/directives or signed when
1560 the minimum is positive, use the minimum and maximum to compute
1561 the shortest and longest output, respectively. */
1562 res.range.min = format_integer (dir, argmin, vr_values).range.min;
1563 res.range.max = format_integer (dir, argmax, vr_values).range.max;
1565 else if (tree_int_cst_sgn (argmax) < 0)
1567 /* For signed conversions/directives if maximum is negative,
1568 use the minimum as the longest output and maximum as the
1570 res.range.min = format_integer (dir, argmax, vr_values).range.min;
1571 res.range.max = format_integer (dir, argmin, vr_values).range.max;
1575 /* Otherwise, 0 is inside of the range and minimum negative. Use 0
1576 as the shortest output and for the longest output compute the
1577 length of the output of both minimum and maximum and pick the
1579 unsigned HOST_WIDE_INT max1
1580 = format_integer (dir, argmin, vr_values).range.max;
1581 unsigned HOST_WIDE_INT max2
1582 = format_integer (dir, argmax, vr_values).range.max;
1584 = format_integer (dir, integer_zero_node, vr_values).range.min;
1585 res.range.max = MAX (max1, max2);
1588 /* If the range is known, use the maximum as the likely length. */
1590 res.range.likely = res.range.max;
1593 /* Otherwise, use the minimum. Except for the case where for %#x or
1594 %#o the minimum is just for a single value in the range (0) and
1595 for all other values it is something longer, like 0x1 or 01.
1596 Use the length for value 1 in that case instead as the likely
1598 res.range.likely = res.range.min;
1601 && (tree_int_cst_sgn (argmin) < 0 || tree_int_cst_sgn (argmax) > 0))
1603 if (res.range.min == 1)
1604 res.range.likely += base == 8 ? 1 : 2;
1605 else if (res.range.min == 2
1607 && (dir.width[0] == 2 || dir.prec[0] == 2))
1612 res.range.unlikely = res.range.max;
1613 res.adjust_for_width_or_precision (dir.width, dirtype, base,
1614 (sign | maybebase) + (base == 16));
1615 res.adjust_for_width_or_precision (dir.prec, dirtype, base,
1616 (sign | maybebase) + (base == 16));
1621 /* Return the number of bytes that a format directive consisting of FLAGS,
1622 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC,
1623 would result for argument X under ideal conditions (i.e., if PREC
1624 weren't excessive). MPFR 3.1 allocates large amounts of memory for
1625 values of PREC with large magnitude and can fail (see MPFR bug #21056).
1626 This function works around those problems. */
1628 static unsigned HOST_WIDE_INT
1629 get_mpfr_format_length (mpfr_ptr x, const char *flags, HOST_WIDE_INT prec,
1630 char spec, char rndspec)
1634 HOST_WIDE_INT len = strlen (flags);
1637 memcpy (fmtstr + 1, flags, len);
1638 memcpy (fmtstr + 1 + len, ".*R", 3);
1639 fmtstr[len + 4] = rndspec;
1640 fmtstr[len + 5] = spec;
1641 fmtstr[len + 6] = '\0';
1643 spec = TOUPPER (spec);
1644 if (spec == 'E' || spec == 'F')
1646 /* For %e, specify the precision explicitly since mpfr_sprintf
1647 does its own thing just to be different (see MPFR bug 21088). */
1653 /* Avoid passing negative precisions with larger magnitude to MPFR
1654 to avoid exposing its bugs. (A negative precision is supposed
1660 HOST_WIDE_INT p = prec;
1662 if (spec == 'G' && !strchr (flags, '#'))
1664 /* For G/g without the pound flag, precision gives the maximum number
1665 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for
1666 a 128 bit IEEE extended precision, 4932. Using twice as much here
1667 should be more than sufficient for any real format. */
1668 if ((IEEE_MAX_10_EXP * 2) < prec)
1669 prec = IEEE_MAX_10_EXP * 2;
1674 /* Cap precision arbitrarily at 1KB and add the difference
1675 (if any) to the MPFR result. */
1680 len = mpfr_snprintf (NULL, 0, fmtstr, (int)p, x);
1682 /* Handle the unlikely (impossible?) error by returning more than
1683 the maximum dictated by the function's return type. */
1685 return target_dir_max () + 1;
1687 /* Adjust the return value by the difference. */
1694 /* Return the number of bytes to format using the format specifier
1695 SPEC and the precision PREC the largest value in the real floating
1698 static unsigned HOST_WIDE_INT
1699 format_floating_max (tree type, char spec, HOST_WIDE_INT prec)
1701 machine_mode mode = TYPE_MODE (type);
1703 /* IBM Extended mode. */
1704 if (MODE_COMPOSITE_P (mode))
1707 /* Get the real type format desription for the target. */
1708 const real_format *rfmt = REAL_MODE_FORMAT (mode);
1711 real_maxval (&rv, 0, mode);
1713 /* Convert the GCC real value representation with the precision
1714 of the real type to the mpfr_t format with the GCC default
1715 round-to-nearest mode. */
1717 mpfr_init2 (x, rfmt->p);
1718 mpfr_from_real (x, &rv, GMP_RNDN);
1720 /* Return a value one greater to account for the leading minus sign. */
1721 unsigned HOST_WIDE_INT r
1722 = 1 + get_mpfr_format_length (x, "", prec, spec, 'D');
1727 /* Return a range representing the minimum and maximum number of bytes
1728 that the directive DIR will output for any argument. PREC gives
1729 the adjusted precision range to account for negative precisions
1730 meaning the default 6. This function is used when the directive
1731 argument or its value isn't known. */
1734 format_floating (const directive &dir, const HOST_WIDE_INT prec[2])
1738 switch (dir.modifier)
1742 type = double_type_node;
1746 type = long_double_type_node;
1750 type = long_double_type_node;
1754 return fmtresult ();
1757 /* The minimum and maximum number of bytes produced by the directive. */
1760 /* The minimum output as determined by flags. It's always at least 1.
1761 When plus or space are set the output is preceded by either a sign
1763 unsigned flagmin = (1 /* for the first digit */
1764 + (dir.get_flag ('+') | dir.get_flag (' ')));
1766 /* The minimum is 3 for "inf" and "nan" for all specifiers, plus 1
1767 for the plus sign/space with the '+' and ' ' flags, respectively,
1768 unless reduced below. */
1769 res.range.min = 2 + flagmin;
1771 /* When the pound flag is set the decimal point is included in output
1772 regardless of precision. Whether or not a decimal point is included
1773 otherwise depends on the specification and precision. */
1774 bool radix = dir.get_flag ('#');
1776 switch (dir.specifier)
1781 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */;
1782 if (dir.prec[0] <= 0)
1784 else if (dir.prec[0] > 0)
1785 minprec = dir.prec[0] + !radix /* decimal point */;
1787 res.range.likely = (2 /* 0x */
1793 res.range.max = format_floating_max (type, 'a', prec[1]);
1795 /* The unlikely maximum accounts for the longest multibyte
1796 decimal point character. */
1797 res.range.unlikely = res.range.max;
1798 if (dir.prec[1] > 0)
1799 res.range.unlikely += target_mb_len_max () - 1;
1807 /* Minimum output attributable to precision and, when it's
1808 non-zero, decimal point. */
1809 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0;
1811 /* The likely minimum output is "[-+]1.234567e+00" regardless
1812 of the value of the actual argument. */
1813 res.range.likely = (flagmin
1818 res.range.max = format_floating_max (type, 'e', prec[1]);
1820 /* The unlikely maximum accounts for the longest multibyte
1821 decimal point character. */
1822 if (dir.prec[0] != dir.prec[1]
1823 || dir.prec[0] == -1 || dir.prec[0] > 0)
1824 res.range.unlikely = res.range.max + target_mb_len_max () -1;
1826 res.range.unlikely = res.range.max;
1833 /* Minimum output attributable to precision and, when it's non-zero,
1835 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0;
1837 /* For finite numbers (i.e., not infinity or NaN) the lower bound
1838 when precision isn't specified is 8 bytes ("1.23456" since
1839 precision is taken to be 6). When precision is zero, the lower
1840 bound is 1 byte (e.g., "1"). Otherwise, when precision is greater
1841 than zero, then the lower bound is 2 plus precision (plus flags).
1842 But in all cases, the lower bound is no greater than 3. */
1843 unsigned HOST_WIDE_INT min = flagmin + radix + minprec;
1844 if (min < res.range.min)
1845 res.range.min = min;
1847 /* Compute the upper bound for -TYPE_MAX. */
1848 res.range.max = format_floating_max (type, 'f', prec[1]);
1850 /* The minimum output with unknown precision is a single byte
1851 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */
1852 if (dir.prec[0] < 0 && dir.prec[1] > 0)
1853 res.range.likely = 3;
1855 res.range.likely = min;
1857 /* The unlikely maximum accounts for the longest multibyte
1858 decimal point character. */
1859 if (dir.prec[0] != dir.prec[1]
1860 || dir.prec[0] == -1 || dir.prec[0] > 0)
1861 res.range.unlikely = res.range.max + target_mb_len_max () - 1;
1868 /* The %g output depends on precision and the exponent of
1869 the argument. Since the value of the argument isn't known
1870 the lower bound on the range of bytes (not counting flags
1871 or width) is 1 plus radix (i.e., either "0" or "0." for
1872 "%g" and "%#g", respectively, with a zero argument). */
1873 unsigned HOST_WIDE_INT min = flagmin + radix;
1874 if (min < res.range.min)
1875 res.range.min = min;
1878 HOST_WIDE_INT maxprec = dir.prec[1];
1879 if (radix && maxprec)
1881 /* When the pound flag (radix) is set, trailing zeros aren't
1882 trimmed and so the longest output is the same as for %e,
1883 except with precision minus 1 (as specified in C11). */
1887 else if (maxprec < 0)
1893 res.range.max = format_floating_max (type, spec, maxprec);
1895 /* The likely output is either the maximum computed above
1896 minus 1 (assuming the maximum is positive) when precision
1897 is known (or unspecified), or the same minimum as for %e
1898 (which is computed for a non-negative argument). Unlike
1899 for the other specifiers above the likely output isn't
1900 the minimum because for %g that's 1 which is unlikely. */
1902 || (unsigned HOST_WIDE_INT)dir.prec[1] < target_int_max ())
1903 res.range.likely = res.range.max - 1;
1906 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */;
1907 res.range.likely = (flagmin
1913 /* The unlikely maximum accounts for the longest multibyte
1914 decimal point character. */
1915 res.range.unlikely = res.range.max + target_mb_len_max () - 1;
1920 return fmtresult ();
1923 /* Bump up the byte counters if WIDTH is greater. */
1924 res.adjust_for_width_or_precision (dir.width);
1928 /* Return a range representing the minimum and maximum number of bytes
1929 that the directive DIR will write on output for the floating argument
1933 format_floating (const directive &dir, tree arg, vr_values *)
1935 HOST_WIDE_INT prec[] = { dir.prec[0], dir.prec[1] };
1936 tree type = (dir.modifier == FMT_LEN_L || dir.modifier == FMT_LEN_ll
1937 ? long_double_type_node : double_type_node);
1939 /* For an indeterminate precision the lower bound must be assumed
1941 if (TOUPPER (dir.specifier) == 'A')
1943 /* Get the number of fractional decimal digits needed to represent
1944 the argument without a loss of accuracy. */
1946 = REAL_MODE_FORMAT (TYPE_MODE (type))->p;
1948 /* The precision of the IEEE 754 double format is 53.
1949 The precision of all other GCC binary double formats
1951 unsigned maxprec = fmtprec <= 56 ? 13 : 15;
1953 /* For %a, leave the minimum precision unspecified to let
1954 MFPR trim trailing zeros (as it and many other systems
1955 including Glibc happen to do) and set the maximum
1956 precision to reflect what it would be with trailing zeros
1957 present (as Solaris and derived systems do). */
1958 if (dir.prec[1] < 0)
1960 /* Both bounds are negative implies that precision has
1961 not been specified. */
1965 else if (dir.prec[0] < 0)
1967 /* With a negative lower bound and a non-negative upper
1968 bound set the minimum precision to zero and the maximum
1969 to the greater of the maximum precision (i.e., with
1970 trailing zeros present) and the specified upper bound. */
1972 prec[1] = dir.prec[1] < maxprec ? maxprec : dir.prec[1];
1975 else if (dir.prec[0] < 0)
1977 if (dir.prec[1] < 0)
1979 /* A precision in a strictly negative range is ignored and
1980 the default of 6 is used instead. */
1981 prec[0] = prec[1] = 6;
1985 /* For a precision in a partly negative range, the lower bound
1986 must be assumed to be zero and the new upper bound is the
1987 greater of 6 (the default precision used when the specified
1988 precision is negative) and the upper bound of the specified
1991 prec[1] = dir.prec[1] < 6 ? 6 : dir.prec[1];
1996 || TREE_CODE (arg) != REAL_CST
1997 || !useless_type_conversion_p (type, TREE_TYPE (arg)))
1998 return format_floating (dir, prec);
2000 /* The minimum and maximum number of bytes produced by the directive. */
2003 /* Get the real type format desription for the target. */
2004 const REAL_VALUE_TYPE *rvp = TREE_REAL_CST_PTR (arg);
2005 const real_format *rfmt = REAL_MODE_FORMAT (TYPE_MODE (TREE_TYPE (arg)));
2007 if (!real_isfinite (rvp))
2009 /* The format for Infinity and NaN is "[-]inf"/"[-]infinity"
2010 and "[-]nan" with the choice being implementation-defined
2011 but not locale dependent. */
2012 bool sign = dir.get_flag ('+') || real_isneg (rvp);
2013 res.range.min = 3 + sign;
2015 res.range.likely = res.range.min;
2016 res.range.max = res.range.min;
2017 /* The inlikely maximum is "[-/+]infinity" or "[-/+]nan". */
2018 res.range.unlikely = sign + (real_isinf (rvp) ? 8 : 3);
2020 /* The range for infinity and NaN is known unless either width
2021 or precision is unknown. Width has the same effect regardless
2022 of whether the argument is finite. Precision is either ignored
2023 (e.g., Glibc) or can have an effect on the short vs long format
2024 such as inf/infinity (e.g., Solaris). */
2025 res.knownrange = dir.known_width_and_precision ();
2027 /* Adjust the range for width but ignore precision. */
2028 res.adjust_for_width_or_precision (dir.width);
2034 char *pfmt = fmtstr;
2037 for (const char *pf = "-+ #0"; *pf; ++pf)
2038 if (dir.get_flag (*pf))
2044 /* Set up an array to easily iterate over. */
2045 unsigned HOST_WIDE_INT* const minmax[] = {
2046 &res.range.min, &res.range.max
2049 for (int i = 0; i != sizeof minmax / sizeof *minmax; ++i)
2051 /* Convert the GCC real value representation with the precision
2052 of the real type to the mpfr_t format rounding down in the
2053 first iteration that computes the minimm and up in the second
2054 that computes the maximum. This order is arbibtrary because
2055 rounding in either direction can result in longer output. */
2057 mpfr_init2 (mpfrval, rfmt->p);
2058 mpfr_from_real (mpfrval, rvp, i ? GMP_RNDU : GMP_RNDD);
2060 /* Use the MPFR rounding specifier to round down in the first
2061 iteration and then up. In most but not all cases this will
2062 result in the same number of bytes. */
2063 char rndspec = "DU"[i];
2065 /* Format it and store the result in the corresponding member
2066 of the result struct. */
2067 *minmax[i] = get_mpfr_format_length (mpfrval, fmtstr, prec[i],
2068 dir.specifier, rndspec);
2069 mpfr_clear (mpfrval);
2073 /* Make sure the minimum is less than the maximum (MPFR rounding
2074 in the call to mpfr_snprintf can result in the reverse. */
2075 if (res.range.max < res.range.min)
2077 unsigned HOST_WIDE_INT tmp = res.range.min;
2078 res.range.min = res.range.max;
2079 res.range.max = tmp;
2082 /* The range is known unless either width or precision is unknown. */
2083 res.knownrange = dir.known_width_and_precision ();
2085 /* For the same floating point constant, unless width or precision
2086 is unknown, use the longer output as the likely maximum since
2087 with round to nearest either is equally likely. Otheriwse, when
2088 precision is unknown, use the greater of the minimum and 3 as
2089 the likely output (for "0.0" since zero precision is unlikely). */
2091 res.range.likely = res.range.max;
2092 else if (res.range.min < 3
2094 && (unsigned HOST_WIDE_INT)dir.prec[1] == target_int_max ())
2095 res.range.likely = 3;
2097 res.range.likely = res.range.min;
2099 res.range.unlikely = res.range.max;
2101 if (res.range.max > 2 && (prec[0] != 0 || prec[1] != 0))
2103 /* Unless the precision is zero output longer than 2 bytes may
2104 include the decimal point which must be a single character
2105 up to MB_LEN_MAX in length. This is overly conservative
2106 since in some conversions some constants result in no decimal
2107 point (e.g., in %g). */
2108 res.range.unlikely += target_mb_len_max () - 1;
2111 res.adjust_for_width_or_precision (dir.width);
2115 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
2116 strings referenced by the expression STR, or (-1, -1) when not known.
2117 Used by the format_string function below. */
2120 get_string_length (tree str)
2123 return fmtresult ();
2125 if (tree slen = c_strlen (str, 1))
2127 /* Simply return the length of the string. */
2128 fmtresult res (tree_to_shwi (slen));
2132 /* Determine the length of the shortest and longest string referenced
2133 by STR. Strings of unknown lengths are bounded by the sizes of
2134 arrays that subexpressions of STR may refer to. Pointers that
2135 aren't known to point any such arrays result in LENRANGE[1] set
2138 bool flexarray = get_range_strlen (str, lenrange);
2140 if (lenrange [0] || lenrange [1])
2143 = (tree_fits_uhwi_p (lenrange[0])
2144 ? tree_to_uhwi (lenrange[0])
2148 = (tree_fits_uhwi_p (lenrange[1])
2149 ? tree_to_uhwi (lenrange[1])
2150 : HOST_WIDE_INT_M1U);
2152 /* get_range_strlen() returns the target value of SIZE_MAX for
2153 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U
2154 which may be bigger. */
2155 if ((unsigned HOST_WIDE_INT)min == target_size_max ())
2156 min = HOST_WIDE_INT_M1U;
2157 if ((unsigned HOST_WIDE_INT)max == target_size_max ())
2158 max = HOST_WIDE_INT_M1U;
2160 fmtresult res (min, max);
2162 /* Set RES.KNOWNRANGE to true if and only if all strings referenced
2163 by STR are known to be bounded (though not necessarily by their
2164 actual length but perhaps by their maximum possible length). */
2165 if (res.range.max < target_int_max ())
2167 res.knownrange = true;
2168 /* When the the length of the longest string is known and not
2169 excessive use it as the likely length of the string(s). */
2170 res.range.likely = res.range.max;
2174 /* When the upper bound is unknown (it can be zero or excessive)
2175 set the likely length to the greater of 1 and the length of
2176 the shortest string and reset the lower bound to zero. */
2177 res.range.likely = res.range.min ? res.range.min : warn_level > 1;
2181 /* If the range of string length has been estimated from the size
2182 of an array at the end of a struct assume that it's longer than
2183 the array bound says it is in case it's used as a poor man's
2184 flexible array member, such as in struct S { char a[4]; }; */
2185 res.range.unlikely = flexarray ? HOST_WIDE_INT_MAX : res.range.max;
2190 return get_string_length (NULL_TREE);
2193 /* Return the minimum and maximum number of characters formatted
2194 by the '%c' format directives and its wide character form for
2195 the argument ARG. ARG can be null (for functions such as
2199 format_character (const directive &dir, tree arg, vr_values *vr_values)
2203 res.knownrange = true;
2205 if (dir.modifier == FMT_LEN_l)
2207 /* A wide character can result in as few as zero bytes. */
2210 HOST_WIDE_INT min, max;
2211 if (get_int_range (arg, &min, &max, false, 0, vr_values))
2213 if (min == 0 && max == 0)
2215 /* The NUL wide character results in no bytes. */
2217 res.range.likely = 0;
2218 res.range.unlikely = 0;
2220 else if (min > 0 && min < 128)
2222 /* A wide character in the ASCII range most likely results
2223 in a single byte, and only unlikely in up to MB_LEN_MAX. */
2225 res.range.likely = 1;
2226 res.range.unlikely = target_mb_len_max ();
2230 /* A wide character outside the ASCII range likely results
2231 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */
2232 res.range.max = target_mb_len_max ();
2233 res.range.likely = 2;
2234 res.range.unlikely = res.range.max;
2239 /* An unknown wide character is treated the same as a wide
2240 character outside the ASCII range. */
2241 res.range.max = target_mb_len_max ();
2242 res.range.likely = 2;
2243 res.range.unlikely = res.range.max;
2248 /* A plain '%c' directive. Its ouput is exactly 1. */
2249 res.range.min = res.range.max = 1;
2250 res.range.likely = res.range.unlikely = 1;
2251 res.knownrange = true;
2254 /* Bump up the byte counters if WIDTH is greater. */
2255 return res.adjust_for_width_or_precision (dir.width);
2258 /* Return the minimum and maximum number of characters formatted
2259 by the '%s' format directive and its wide character form for
2260 the argument ARG. ARG can be null (for functions such as
2264 format_string (const directive &dir, tree arg, vr_values *)
2268 /* Compute the range the argument's length can be in. */
2269 fmtresult slen = get_string_length (arg);
2270 if (slen.range.min == slen.range.max
2271 && slen.range.min < HOST_WIDE_INT_MAX)
2273 /* The argument is either a string constant or it refers
2274 to one of a number of strings of the same length. */
2276 /* A '%s' directive with a string argument with constant length. */
2277 res.range = slen.range;
2279 if (dir.modifier == FMT_LEN_l)
2281 /* In the worst case the length of output of a wide string S
2282 is bounded by MB_LEN_MAX * wcslen (S). */
2283 res.range.max *= target_mb_len_max ();
2284 res.range.unlikely = res.range.max;
2285 /* It's likely that the the total length is not more that
2287 res.range.likely = res.range.min * 2;
2289 if (dir.prec[1] >= 0
2290 && (unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max)
2292 res.range.max = dir.prec[1];
2293 res.range.likely = dir.prec[1];
2294 res.range.unlikely = dir.prec[1];
2297 if (dir.prec[0] < 0 && dir.prec[1] > -1)
2299 else if (dir.prec[0] >= 0)
2300 res.range.likely = dir.prec[0];
2302 /* Even a non-empty wide character string need not convert into
2308 res.knownrange = true;
2310 if (dir.prec[0] < 0 && dir.prec[1] > -1)
2312 else if ((unsigned HOST_WIDE_INT)dir.prec[0] < res.range.min)
2313 res.range.min = dir.prec[0];
2315 if ((unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max)
2317 res.range.max = dir.prec[1];
2318 res.range.likely = dir.prec[1];
2319 res.range.unlikely = dir.prec[1];
2323 else if (arg && integer_zerop (arg))
2325 /* Handle null pointer argument. */
2333 /* For a '%s' and '%ls' directive with a non-constant string (either
2334 one of a number of strings of known length or an unknown string)
2335 the minimum number of characters is lesser of PRECISION[0] and
2336 the length of the shortest known string or zero, and the maximum
2337 is the lessser of the length of the longest known string or
2338 PTRDIFF_MAX and PRECISION[1]. The likely length is either
2339 the minimum at level 1 and the greater of the minimum and 1
2340 at level 2. This result is adjust upward for width (if it's
2343 if (dir.modifier == FMT_LEN_l)
2345 /* A wide character converts to as few as zero bytes. */
2347 if (slen.range.max < target_int_max ())
2348 slen.range.max *= target_mb_len_max ();
2350 if (slen.range.likely < target_int_max ())
2351 slen.range.likely *= 2;
2353 if (slen.range.likely < target_int_max ())
2354 slen.range.unlikely *= target_mb_len_max ();
2357 res.range = slen.range;
2359 if (dir.prec[0] >= 0)
2361 /* Adjust the minimum to zero if the string length is unknown,
2362 or at most the lower bound of the precision otherwise. */
2363 if (slen.range.min >= target_int_max ())
2365 else if ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.min)
2366 res.range.min = dir.prec[0];
2368 /* Make both maxima no greater than the upper bound of precision. */
2369 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max
2370 || slen.range.max >= target_int_max ())
2372 res.range.max = dir.prec[1];
2373 res.range.unlikely = dir.prec[1];
2376 /* If precision is constant, set the likely counter to the lesser
2377 of it and the maximum string length. Otherwise, if the lower
2378 bound of precision is greater than zero, set the likely counter
2379 to the minimum. Otherwise set it to zero or one based on
2380 the warning level. */
2381 if (dir.prec[0] == dir.prec[1])
2383 = ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.max
2384 ? dir.prec[0] : slen.range.max);
2385 else if (dir.prec[0] > 0)
2386 res.range.likely = res.range.min;
2388 res.range.likely = warn_level > 1;
2390 else if (dir.prec[1] >= 0)
2393 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max)
2394 res.range.max = dir.prec[1];
2395 res.range.likely = dir.prec[1] ? warn_level > 1 : 0;
2397 else if (slen.range.min >= target_int_max ())
2400 res.range.max = HOST_WIDE_INT_MAX;
2401 /* At level 1 strings of unknown length are assumed to be
2402 empty, while at level 1 they are assumed to be one byte
2404 res.range.likely = warn_level > 1;
2408 /* A string of unknown length unconstrained by precision is
2409 assumed to be empty at level 1 and just one character long
2410 at higher levels. */
2411 if (res.range.likely >= target_int_max ())
2412 res.range.likely = warn_level > 1;
2415 res.range.unlikely = res.range.max;
2418 /* Bump up the byte counters if WIDTH is greater. */
2419 return res.adjust_for_width_or_precision (dir.width);
2422 /* Format plain string (part of the format string itself). */
2425 format_plain (const directive &dir, tree, vr_values *)
2427 fmtresult res (dir.len);
2431 /* Return true if the RESULT of a directive in a call describe by INFO
2432 should be diagnosed given the AVAILable space in the destination. */
2435 should_warn_p (const sprintf_dom_walker::call_info &info,
2436 const result_range &avail, const result_range &result)
2438 if (result.max <= avail.min)
2440 /* The least amount of space remaining in the destination is big
2441 enough for the longest output. */
2447 if (warn_format_trunc == 1 && result.min <= avail.max
2448 && info.retval_used ())
2450 /* The likely amount of space remaining in the destination is big
2451 enough for the least output and the return value is used. */
2455 if (warn_format_trunc == 1 && result.likely <= avail.likely
2456 && !info.retval_used ())
2458 /* The likely amount of space remaining in the destination is big
2459 enough for the likely output and the return value is unused. */
2463 if (warn_format_trunc == 2
2464 && result.likely <= avail.min
2465 && (result.max <= avail.min
2466 || result.max > HOST_WIDE_INT_MAX))
2468 /* The minimum amount of space remaining in the destination is big
2469 enough for the longest output. */
2475 if (warn_level == 1 && result.likely <= avail.likely)
2477 /* The likely amount of space remaining in the destination is big
2478 enough for the likely output. */
2483 && result.likely <= avail.min
2484 && (result.max <= avail.min
2485 || result.max > HOST_WIDE_INT_MAX))
2487 /* The minimum amount of space remaining in the destination is big
2488 enough for the longest output. */
2496 /* At format string location describe by DIRLOC in a call described
2497 by INFO, issue a warning for a directive DIR whose output may be
2498 in excess of the available space AVAIL_RANGE in the destination
2499 given the formatting result FMTRES. This function does nothing
2500 except decide whether to issue a warning for a possible write
2501 past the end or truncation and, if so, format the warning.
2502 Return true if a warning has been issued. */
2505 maybe_warn (substring_loc &dirloc, location_t argloc,
2506 const sprintf_dom_walker::call_info &info,
2507 const result_range &avail_range, const result_range &res,
2508 const directive &dir)
2510 if (!should_warn_p (info, avail_range, res))
2513 /* A warning will definitely be issued below. */
2515 /* The maximum byte count to reference in the warning. Larger counts
2516 imply that the upper bound is unknown (and could be anywhere between
2517 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather
2518 than "between N and X" where X is some huge number. */
2519 unsigned HOST_WIDE_INT maxbytes = target_dir_max ();
2521 /* True when there is enough room in the destination for the least
2522 amount of a directive's output but not enough for its likely or
2524 bool maybe = (res.min <= avail_range.max
2525 && (avail_range.min < res.likely
2526 || (res.max < HOST_WIDE_INT_MAX
2527 && avail_range.min < res.max)));
2529 /* Buffer for the directive in the host character set (used when
2530 the source character set is different). */
2533 if (avail_range.min == avail_range.max)
2535 /* The size of the destination region is exact. */
2536 unsigned HOST_WIDE_INT navail = avail_range.max;
2538 if (target_to_host (*dir.beg) != '%')
2540 /* For plain character directives (i.e., the format string itself)
2541 but not others, point the caret at the first character that's
2542 past the end of the destination. */
2543 if (navail < dir.len)
2544 dirloc.set_caret_index (dirloc.get_caret_idx () + navail);
2547 if (*dir.beg == '\0')
2549 /* This is the terminating nul. */
2550 gcc_assert (res.min == 1 && res.min == res.max);
2552 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
2555 ? G_("%qE output may be truncated before the "
2556 "last format character")
2557 : G_("%qE output truncated before the last "
2558 "format character"))
2560 ? G_("%qE may write a terminating nul past the "
2561 "end of the destination")
2562 : G_("%qE writing a terminating nul past the "
2563 "end of the destination")),
2567 if (res.min == res.max)
2569 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg);
2571 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2572 "%<%.*s%> directive writing %wu byte into a "
2573 "region of size %wu",
2574 "%<%.*s%> directive writing %wu bytes into a "
2575 "region of size %wu",
2576 (int) dir.len, d, res.min, navail);
2578 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2579 "%<%.*s%> directive output may be truncated "
2580 "writing %wu byte into a region of size %wu",
2581 "%<%.*s%> directive output may be truncated "
2582 "writing %wu bytes into a region of size %wu",
2583 (int) dir.len, d, res.min, navail);
2585 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2586 "%<%.*s%> directive output truncated writing "
2587 "%wu byte into a region of size %wu",
2588 "%<%.*s%> directive output truncated writing "
2589 "%wu bytes into a region of size %wu",
2590 (int) dir.len, d, res.min, navail);
2592 if (res.min == 0 && res.max < maxbytes)
2593 return fmtwarn (dirloc, argloc, NULL,
2597 ? G_("%<%.*s%> directive output may be truncated "
2598 "writing up to %wu bytes into a region of "
2600 : G_("%<%.*s%> directive output truncated writing "
2601 "up to %wu bytes into a region of size %wu"))
2602 : G_("%<%.*s%> directive writing up to %wu bytes "
2603 "into a region of size %wu"), (int) dir.len,
2604 target_to_host (hostdir, sizeof hostdir, dir.beg),
2607 if (res.min == 0 && maxbytes <= res.max)
2608 /* This is a special case to avoid issuing the potentially
2610 writing 0 or more bytes into a region of size 0. */
2611 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2614 ? G_("%<%.*s%> directive output may be truncated "
2615 "writing likely %wu or more bytes into a "
2616 "region of size %wu")
2617 : G_("%<%.*s%> directive output truncated writing "
2618 "likely %wu or more bytes into a region of "
2620 : G_("%<%.*s%> directive writing likely %wu or more "
2621 "bytes into a region of size %wu"), (int) dir.len,
2622 target_to_host (hostdir, sizeof hostdir, dir.beg),
2623 res.likely, navail);
2625 if (res.max < maxbytes)
2626 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2629 ? G_("%<%.*s%> directive output may be truncated "
2630 "writing between %wu and %wu bytes into a "
2631 "region of size %wu")
2632 : G_("%<%.*s%> directive output truncated "
2633 "writing between %wu and %wu bytes into a "
2634 "region of size %wu"))
2635 : G_("%<%.*s%> directive writing between %wu and "
2636 "%wu bytes into a region of size %wu"),
2638 target_to_host (hostdir, sizeof hostdir, dir.beg),
2639 res.min, res.max, navail);
2641 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2644 ? G_("%<%.*s%> directive output may be truncated "
2645 "writing %wu or more bytes into a region of "
2647 : G_("%<%.*s%> directive output truncated writing "
2648 "%wu or more bytes into a region of size %wu"))
2649 : G_("%<%.*s%> directive writing %wu or more bytes "
2650 "into a region of size %wu"), (int) dir.len,
2651 target_to_host (hostdir, sizeof hostdir, dir.beg),
2655 /* The size of the destination region is a range. */
2657 if (target_to_host (*dir.beg) != '%')
2659 unsigned HOST_WIDE_INT navail = avail_range.max;
2661 /* For plain character directives (i.e., the format string itself)
2662 but not others, point the caret at the first character that's
2663 past the end of the destination. */
2664 if (navail < dir.len)
2665 dirloc.set_caret_index (dirloc.get_caret_idx () + navail);
2668 if (*dir.beg == '\0')
2670 gcc_assert (res.min == 1 && res.min == res.max);
2672 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
2675 ? G_("%qE output may be truncated before the last "
2677 : G_("%qE output truncated before the last format "
2680 ? G_("%qE may write a terminating nul past the end "
2681 "of the destination")
2682 : G_("%qE writing a terminating nul past the end "
2683 "of the destination")), info.func);
2686 if (res.min == res.max)
2688 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg);
2690 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2691 "%<%.*s%> directive writing %wu byte into a region "
2692 "of size between %wu and %wu",
2693 "%<%.*s%> directive writing %wu bytes into a region "
2694 "of size between %wu and %wu", (int) dir.len, d,
2695 res.min, avail_range.min, avail_range.max);
2697 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2698 "%<%.*s%> directive output may be truncated writing "
2699 "%wu byte into a region of size between %wu and %wu",
2700 "%<%.*s%> directive output may be truncated writing "
2701 "%wu bytes into a region of size between %wu and "
2702 "%wu", (int) dir.len, d, res.min, avail_range.min,
2705 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2706 "%<%.*s%> directive output truncated writing %wu "
2707 "byte into a region of size between %wu and %wu",
2708 "%<%.*s%> directive output truncated writing %wu "
2709 "bytes into a region of size between %wu and %wu",
2710 (int) dir.len, d, res.min, avail_range.min,
2714 if (res.min == 0 && res.max < maxbytes)
2715 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2718 ? G_("%<%.*s%> directive output may be truncated "
2719 "writing up to %wu bytes into a region of size "
2720 "between %wu and %wu")
2721 : G_("%<%.*s%> directive output truncated writing "
2722 "up to %wu bytes into a region of size between "
2724 : G_("%<%.*s%> directive writing up to %wu bytes "
2725 "into a region of size between %wu and %wu"),
2727 target_to_host (hostdir, sizeof hostdir, dir.beg),
2728 res.max, avail_range.min, avail_range.max);
2730 if (res.min == 0 && maxbytes <= res.max)
2731 /* This is a special case to avoid issuing the potentially confusing
2733 writing 0 or more bytes into a region of size between 0 and N. */
2734 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2737 ? G_("%<%.*s%> directive output may be truncated "
2738 "writing likely %wu or more bytes into a region "
2739 "of size between %wu and %wu")
2740 : G_("%<%.*s%> directive output truncated writing "
2741 "likely %wu or more bytes into a region of size "
2742 "between %wu and %wu"))
2743 : G_("%<%.*s%> directive writing likely %wu or more bytes "
2744 "into a region of size between %wu and %wu"),
2746 target_to_host (hostdir, sizeof hostdir, dir.beg),
2747 res.likely, avail_range.min, avail_range.max);
2749 if (res.max < maxbytes)
2750 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2753 ? G_("%<%.*s%> directive output may be truncated "
2754 "writing between %wu and %wu bytes into a region "
2755 "of size between %wu and %wu")
2756 : G_("%<%.*s%> directive output truncated writing "
2757 "between %wu and %wu bytes into a region of size "
2758 "between %wu and %wu"))
2759 : G_("%<%.*s%> directive writing between %wu and "
2760 "%wu bytes into a region of size between %wu and "
2761 "%wu"), (int) dir.len,
2762 target_to_host (hostdir, sizeof hostdir, dir.beg),
2763 res.min, res.max, avail_range.min, avail_range.max);
2765 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2768 ? G_("%<%.*s%> directive output may be truncated writing "
2769 "%wu or more bytes into a region of size between "
2771 : G_("%<%.*s%> directive output truncated writing "
2772 "%wu or more bytes into a region of size between "
2774 : G_("%<%.*s%> directive writing %wu or more bytes "
2775 "into a region of size between %wu and %wu"),
2777 target_to_host (hostdir, sizeof hostdir, dir.beg),
2778 res.min, avail_range.min, avail_range.max);
2781 /* Compute the length of the output resulting from the directive DIR
2782 in a call described by INFO and update the overall result of the call
2783 in *RES. Return true if the directive has been handled. */
2786 format_directive (const sprintf_dom_walker::call_info &info,
2787 format_result *res, const directive &dir,
2788 class vr_values *vr_values)
2790 /* Offset of the beginning of the directive from the beginning
2791 of the format string. */
2792 size_t offset = dir.beg - info.fmtstr;
2793 size_t start = offset;
2794 size_t length = offset + dir.len - !!dir.len;
2796 /* Create a location for the whole directive from the % to the format
2798 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
2799 offset, start, length);
2801 /* Also get the location of the argument if possible.
2802 This doesn't work for integer literals or function calls. */
2803 location_t argloc = UNKNOWN_LOCATION;
2805 argloc = EXPR_LOCATION (dir.arg);
2807 /* Bail when there is no function to compute the output length,
2808 or when minimum length checking has been disabled. */
2809 if (!dir.fmtfunc || res->range.min >= HOST_WIDE_INT_MAX)
2812 /* Compute the range of lengths of the formatted output. */
2813 fmtresult fmtres = dir.fmtfunc (dir, dir.arg, vr_values);
2815 /* Record whether the output of all directives is known to be
2816 bounded by some maximum, implying that their arguments are
2817 either known exactly or determined to be in a known range
2818 or, for strings, limited by the upper bounds of the arrays
2820 res->knownrange &= fmtres.knownrange;
2822 if (!fmtres.knownrange)
2824 /* Only when the range is known, check it against the host value
2825 of INT_MAX + (the number of bytes of the "%.*Lf" directive with
2826 INT_MAX precision, which is the longest possible output of any
2827 single directive). That's the largest valid byte count (though
2828 not valid call to a printf-like function because it can never
2829 return such a count). Otherwise, the range doesn't correspond
2830 to known values of the argument. */
2831 if (fmtres.range.max > target_dir_max ())
2833 /* Normalize the MAX counter to avoid having to deal with it
2834 later. The counter can be less than HOST_WIDE_INT_M1U
2835 when compiling for an ILP32 target on an LP64 host. */
2836 fmtres.range.max = HOST_WIDE_INT_M1U;
2837 /* Disable exact and maximum length checking after a failure
2838 to determine the maximum number of characters (for example
2839 for wide characters or wide character strings) but continue
2840 tracking the minimum number of characters. */
2841 res->range.max = HOST_WIDE_INT_M1U;
2844 if (fmtres.range.min > target_dir_max ())
2846 /* Disable exact length checking after a failure to determine
2847 even the minimum number of characters (it shouldn't happen
2848 except in an error) but keep tracking the minimum and maximum
2849 number of characters. */
2854 /* Buffer for the directive in the host character set (used when
2855 the source character set is different). */
2858 int dirlen = dir.len;
2862 fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2863 "%<%.*s%> directive argument is null",
2864 dirlen, target_to_host (hostdir, sizeof hostdir, dir.beg));
2866 /* Don't bother processing the rest of the format string. */
2868 res->range.min = HOST_WIDE_INT_M1U;
2869 res->range.max = HOST_WIDE_INT_M1U;
2873 /* Compute the number of available bytes in the destination. There
2874 must always be at least one byte of space for the terminating
2875 NUL that's appended after the format string has been processed. */
2876 result_range avail_range = bytes_remaining (info.objsize, *res);
2878 bool warned = res->warned;
2881 warned = maybe_warn (dirloc, argloc, info, avail_range,
2884 /* Bump up the total maximum if it isn't too big. */
2885 if (res->range.max < HOST_WIDE_INT_MAX
2886 && fmtres.range.max < HOST_WIDE_INT_MAX)
2887 res->range.max += fmtres.range.max;
2889 /* Raise the total unlikely maximum by the larger of the maximum
2890 and the unlikely maximum. */
2891 unsigned HOST_WIDE_INT save = res->range.unlikely;
2892 if (fmtres.range.max < fmtres.range.unlikely)
2893 res->range.unlikely += fmtres.range.unlikely;
2895 res->range.unlikely += fmtres.range.max;
2897 if (res->range.unlikely < save)
2898 res->range.unlikely = HOST_WIDE_INT_M1U;
2900 res->range.min += fmtres.range.min;
2901 res->range.likely += fmtres.range.likely;
2903 /* Has the minimum directive output length exceeded the maximum
2904 of 4095 bytes required to be supported? */
2905 bool minunder4k = fmtres.range.min < 4096;
2906 bool maxunder4k = fmtres.range.max < 4096;
2907 /* Clear UNDER4K in the overall result if the maximum has exceeded
2908 the 4k (this is necessary to avoid the return valuye optimization
2909 that may not be safe in the maximum case). */
2911 res->under4k = false;
2914 /* Only warn at level 2. */
2917 || (!maxunder4k && fmtres.range.max < HOST_WIDE_INT_MAX)))
2919 /* The directive output may be longer than the maximum required
2920 to be handled by an implementation according to 7.21.6.1, p15
2921 of C11. Warn on this only at level 2 but remember this and
2922 prevent folding the return value when done. This allows for
2923 the possibility of the actual libc call failing due to ENOMEM
2924 (like Glibc does under some conditions). */
2926 if (fmtres.range.min == fmtres.range.max)
2927 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2928 "%<%.*s%> directive output of %wu bytes exceeds "
2929 "minimum required size of 4095", dirlen,
2930 target_to_host (hostdir, sizeof hostdir, dir.beg),
2933 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2935 ? G_("%<%.*s%> directive output between %wu and %wu "
2936 "bytes may exceed minimum required size of "
2938 : G_("%<%.*s%> directive output between %wu and %wu "
2939 "bytes exceeds minimum required size of 4095"),
2941 target_to_host (hostdir, sizeof hostdir, dir.beg),
2942 fmtres.range.min, fmtres.range.max);
2945 /* Has the likely and maximum directive output exceeded INT_MAX? */
2946 bool likelyximax = *dir.beg && res->range.likely > target_int_max ();
2947 /* Don't consider the maximum to be in excess when it's the result
2948 of a string of unknown length (i.e., whose maximum has been set
2949 to be greater than or equal to HOST_WIDE_INT_MAX. */
2950 bool maxximax = (*dir.beg
2951 && res->range.max > target_int_max ()
2952 && res->range.max < HOST_WIDE_INT_MAX);
2955 /* Warn for the likely output size at level 1. */
2957 /* But only warn for the maximum at level 2. */
2960 && fmtres.range.max < HOST_WIDE_INT_MAX)))
2962 /* The directive output causes the total length of output
2963 to exceed INT_MAX bytes. */
2965 if (fmtres.range.min == fmtres.range.max)
2966 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2967 "%<%.*s%> directive output of %wu bytes causes "
2968 "result to exceed %<INT_MAX%>", dirlen,
2969 target_to_host (hostdir, sizeof hostdir, dir.beg),
2972 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2973 fmtres.range.min > target_int_max ()
2974 ? G_ ("%<%.*s%> directive output between %wu and "
2975 "%wu bytes causes result to exceed "
2977 : G_ ("%<%.*s%> directive output between %wu and "
2978 "%wu bytes may cause result to exceed "
2979 "%<INT_MAX%>"), dirlen,
2980 target_to_host (hostdir, sizeof hostdir, dir.beg),
2981 fmtres.range.min, fmtres.range.max);
2984 if (warned && fmtres.range.min < fmtres.range.likely
2985 && fmtres.range.likely < fmtres.range.max)
2986 inform_n (info.fmtloc, fmtres.range.likely,
2987 "assuming directive output of %wu byte",
2988 "assuming directive output of %wu bytes",
2989 fmtres.range.likely);
2991 if (warned && fmtres.argmin)
2993 if (fmtres.argmin == fmtres.argmax)
2994 inform (info.fmtloc, "directive argument %qE", fmtres.argmin);
2995 else if (fmtres.knownrange)
2996 inform (info.fmtloc, "directive argument in the range [%E, %E]",
2997 fmtres.argmin, fmtres.argmax);
2999 inform (info.fmtloc,
3000 "using the range [%E, %E] for directive argument",
3001 fmtres.argmin, fmtres.argmax);
3004 res->warned |= warned;
3006 if (!dir.beg[0] && res->warned && info.objsize < HOST_WIDE_INT_MAX)
3008 /* If a warning has been issued for buffer overflow or truncation
3009 (but not otherwise) help the user figure out how big a buffer
3012 location_t callloc = gimple_location (info.callstmt);
3014 unsigned HOST_WIDE_INT min = res->range.min;
3015 unsigned HOST_WIDE_INT max = res->range.max;
3020 ? G_("%qE output %wu byte into a destination of size %wu")
3021 : G_("%qE output %wu bytes into a destination of size %wu")),
3022 info.func, min, info.objsize);
3023 else if (max < HOST_WIDE_INT_MAX)
3025 "%qE output between %wu and %wu bytes into "
3026 "a destination of size %wu",
3027 info.func, min, max, info.objsize);
3028 else if (min < res->range.likely && res->range.likely < max)
3030 "%qE output %wu or more bytes (assuming %wu) into "
3031 "a destination of size %wu",
3032 info.func, min, res->range.likely, info.objsize);
3035 "%qE output %wu or more bytes into a destination of size %wu",
3036 info.func, min, info.objsize);
3039 if (dump_file && *dir.beg)
3043 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", "
3044 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC " ("
3045 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", "
3046 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ")\n",
3047 fmtres.range.min, fmtres.range.likely,
3048 fmtres.range.max, fmtres.range.unlikely,
3049 res->range.min, res->range.likely,
3050 res->range.max, res->range.unlikely);
3056 /* Parse a format directive in function call described by INFO starting
3057 at STR and populate DIR structure. Bump up *ARGNO by the number of
3058 arguments extracted for the directive. Return the length of
3062 parse_directive (sprintf_dom_walker::call_info &info,
3063 directive &dir, format_result *res,
3064 const char *str, unsigned *argno,
3065 vr_values *vr_values)
3067 const char *pcnt = strchr (str, target_percent);
3070 if (size_t len = pcnt ? pcnt - str : *str ? strlen (str) : 1)
3072 /* This directive is either a plain string or the terminating nul
3073 (which isn't really a directive but it simplifies things to
3074 handle it as if it were). */
3076 dir.fmtfunc = format_plain;
3080 fprintf (dump_file, " Directive %u at offset "
3081 HOST_WIDE_INT_PRINT_UNSIGNED ": \"%.*s\", "
3082 "length = " HOST_WIDE_INT_PRINT_UNSIGNED "\n",
3084 (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr),
3085 (int)dir.len, dir.beg, (unsigned HOST_WIDE_INT) dir.len);
3091 const char *pf = pcnt + 1;
3093 /* POSIX numbered argument index or zero when none. */
3094 HOST_WIDE_INT dollar = 0;
3096 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN
3097 when given by a va_list argument, and a non-negative value
3098 when specified in the format string itself. */
3099 HOST_WIDE_INT width = -1;
3100 HOST_WIDE_INT precision = -1;
3102 /* Pointers to the beginning of the width and precision decimal
3103 string (if any) within the directive. */
3104 const char *pwidth = 0;
3105 const char *pprec = 0;
3107 /* When the value of the decimal string that specifies width or
3108 precision is out of range, points to the digit that causes
3109 the value to exceed the limit. */
3110 const char *werange = NULL;
3111 const char *perange = NULL;
3113 /* Width specified via the asterisk. Need not be INTEGER_CST.
3114 For vararg functions set to void_node. */
3115 tree star_width = NULL_TREE;
3117 /* Width specified via the asterisk. Need not be INTEGER_CST.
3118 For vararg functions set to void_node. */
3119 tree star_precision = NULL_TREE;
3121 if (ISDIGIT (target_to_host (*pf)))
3123 /* This could be either a POSIX positional argument, the '0'
3124 flag, or a width, depending on what follows. Store it as
3125 width and sort it out later after the next character has
3128 width = target_strtol10 (&pf, &werange);
3130 else if (target_to_host (*pf) == '*')
3132 /* Similarly to the block above, this could be either a POSIX
3133 positional argument or a width, depending on what follows. */
3134 if (*argno < gimple_call_num_args (info.callstmt))
3135 star_width = gimple_call_arg (info.callstmt, (*argno)++);
3137 star_width = void_node;
3141 if (target_to_host (*pf) == '$')
3143 /* Handle the POSIX dollar sign which references the 1-based
3144 positional argument number. */
3146 dollar = width + info.argidx;
3148 && TREE_CODE (star_width) == INTEGER_CST
3149 && (TYPE_PRECISION (TREE_TYPE (star_width))
3150 <= TYPE_PRECISION (integer_type_node)))
3151 dollar = width + tree_to_shwi (star_width);
3153 /* Bail when the numbered argument is out of range (it will
3154 have already been diagnosed by -Wformat). */
3156 || dollar == (int)info.argidx
3157 || dollar > gimple_call_num_args (info.callstmt))
3162 star_width = NULL_TREE;
3167 if (dollar || !star_width)
3173 /* The '0' that has been interpreted as a width above is
3174 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
3175 and continue processing other flags. */
3181 /* (Non-zero) width has been seen. The next character
3182 is either a period or a digit. */
3183 goto start_precision;
3186 /* When either '$' has been seen, or width has not been seen,
3187 the next field is the optional flags followed by an optional
3190 switch (target_to_host (*pf))
3197 dir.set_flag (target_to_host (*pf++));
3206 if (ISDIGIT (target_to_host (*pf)))
3210 width = target_strtol10 (&pf, &werange);
3212 else if (target_to_host (*pf) == '*')
3214 if (*argno < gimple_call_num_args (info.callstmt))
3215 star_width = gimple_call_arg (info.callstmt, (*argno)++);
3218 /* This is (likely) a va_list. It could also be an invalid
3219 call with insufficient arguments. */
3220 star_width = void_node;
3224 else if (target_to_host (*pf) == '\'')
3226 /* The POSIX apostrophe indicating a numeric grouping
3227 in the current locale. Even though it's possible to
3228 estimate the upper bound on the size of the output
3229 based on the number of digits it probably isn't worth
3236 if (target_to_host (*pf) == '.')
3240 if (ISDIGIT (target_to_host (*pf)))
3243 precision = target_strtol10 (&pf, &perange);
3245 else if (target_to_host (*pf) == '*')
3247 if (*argno < gimple_call_num_args (info.callstmt))
3248 star_precision = gimple_call_arg (info.callstmt, (*argno)++);
3251 /* This is (likely) a va_list. It could also be an invalid
3252 call with insufficient arguments. */
3253 star_precision = void_node;
3259 /* The decimal precision or the asterisk are optional.
3260 When neither is dirified it's taken to be zero. */
3265 switch (target_to_host (*pf))
3268 if (target_to_host (pf[1]) == 'h')
3271 dir.modifier = FMT_LEN_hh;
3274 dir.modifier = FMT_LEN_h;
3279 dir.modifier = FMT_LEN_j;
3284 dir.modifier = FMT_LEN_L;
3289 if (target_to_host (pf[1]) == 'l')
3292 dir.modifier = FMT_LEN_ll;
3295 dir.modifier = FMT_LEN_l;
3300 dir.modifier = FMT_LEN_t;
3305 dir.modifier = FMT_LEN_z;
3310 switch (target_to_host (*pf))
3312 /* Handle a sole '%' character the same as "%%" but since it's
3313 undefined prevent the result from being folded. */
3316 res->range.min = res->range.max = HOST_WIDE_INT_M1U;
3319 dir.fmtfunc = format_percent;
3330 res->floating = true;
3331 dir.fmtfunc = format_floating;
3340 dir.fmtfunc = format_integer;
3344 /* The %p output is implementation-defined. It's possible
3345 to determine this format but due to extensions (edirially
3346 those of the Linux kernel -- see bug 78512) the first %p
3347 in the format string disables any further processing. */
3351 /* %n has side-effects even when nothing is actually printed to
3353 info.nowrite = false;
3354 dir.fmtfunc = format_none;
3358 dir.fmtfunc = format_character;
3363 dir.fmtfunc = format_string;
3367 /* Unknown conversion specification. */
3371 dir.specifier = target_to_host (*pf++);
3373 /* Store the length of the format directive. */
3374 dir.len = pf - pcnt;
3376 /* Buffer for the directive in the host character set (used when
3377 the source character set is different). */
3382 if (INTEGRAL_TYPE_P (TREE_TYPE (star_width)))
3383 dir.set_width (star_width, vr_values);
3386 /* Width specified by a va_list takes on the range [0, -INT_MIN]
3387 (width is the absolute value of that specified). */
3389 dir.width[1] = target_int_max () + 1;
3394 if (width == LONG_MAX && werange)
3396 size_t begin = dir.beg - info.fmtstr + (pwidth - pcnt);
3397 size_t caret = begin + (werange - pcnt);
3398 size_t end = pf - info.fmtstr - 1;
3400 /* Create a location for the width part of the directive,
3401 pointing the caret at the first out-of-range digit. */
3402 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
3405 fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
3406 "%<%.*s%> directive width out of range", (int) dir.len,
3407 target_to_host (hostdir, sizeof hostdir, dir.beg));
3410 dir.set_width (width);
3415 if (INTEGRAL_TYPE_P (TREE_TYPE (star_precision)))
3416 dir.set_precision (star_precision, vr_values);
3419 /* Precision specified by a va_list takes on the range [-1, INT_MAX]
3420 (unlike width, negative precision is ignored). */
3422 dir.prec[1] = target_int_max ();
3427 if (precision == LONG_MAX && perange)
3429 size_t begin = dir.beg - info.fmtstr + (pprec - pcnt) - 1;
3430 size_t caret = dir.beg - info.fmtstr + (perange - pcnt) - 1;
3431 size_t end = pf - info.fmtstr - 2;
3433 /* Create a location for the precision part of the directive,
3434 including the leading period, pointing the caret at the first
3435 out-of-range digit . */
3436 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
3439 fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
3440 "%<%.*s%> directive precision out of range", (int) dir.len,
3441 target_to_host (hostdir, sizeof hostdir, dir.beg));
3444 dir.set_precision (precision);
3447 /* Extract the argument if the directive takes one and if it's
3448 available (e.g., the function doesn't take a va_list). Treat
3449 missing arguments the same as va_list, even though they will
3450 have likely already been diagnosed by -Wformat. */
3451 if (dir.specifier != '%'
3452 && *argno < gimple_call_num_args (info.callstmt))
3453 dir.arg = gimple_call_arg (info.callstmt, dollar ? dollar : (*argno)++);
3458 " Directive %u at offset " HOST_WIDE_INT_PRINT_UNSIGNED
3461 (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr),
3462 (int)dir.len, dir.beg);
3465 if (dir.width[0] == dir.width[1])
3466 fprintf (dump_file, ", width = " HOST_WIDE_INT_PRINT_DEC,
3470 ", width in range [" HOST_WIDE_INT_PRINT_DEC
3471 ", " HOST_WIDE_INT_PRINT_DEC "]",
3472 dir.width[0], dir.width[1]);
3477 if (dir.prec[0] == dir.prec[1])
3478 fprintf (dump_file, ", precision = " HOST_WIDE_INT_PRINT_DEC,
3482 ", precision in range [" HOST_WIDE_INT_PRINT_DEC
3483 HOST_WIDE_INT_PRINT_DEC "]",
3484 dir.prec[0], dir.prec[1]);
3486 fputc ('\n', dump_file);
3492 /* Compute the length of the output resulting from the call to a formatted
3493 output function described by INFO and store the result of the call in
3494 *RES. Issue warnings for detected past the end writes. Return true
3495 if the complete format string has been processed and *RES can be relied
3496 on, false otherwise (e.g., when a unknown or unhandled directive was seen
3497 that caused the processing to be terminated early). */
3500 sprintf_dom_walker::compute_format_length (call_info &info,
3505 location_t callloc = gimple_location (info.callstmt);
3506 fprintf (dump_file, "%s:%i: ",
3507 LOCATION_FILE (callloc), LOCATION_LINE (callloc));
3508 print_generic_expr (dump_file, info.func, dump_flags);
3511 ": objsize = " HOST_WIDE_INT_PRINT_UNSIGNED
3512 ", fmtstr = \"%s\"\n",
3513 info.objsize, info.fmtstr);
3516 /* Reset the minimum and maximum byte counters. */
3517 res->range.min = res->range.max = 0;
3519 /* No directive has been seen yet so the length of output is bounded
3520 by the known range [0, 0] (with no conversion producing more than
3521 4K bytes) until determined otherwise. */
3522 res->knownrange = true;
3523 res->under4k = true;
3524 res->floating = false;
3525 res->warned = false;
3527 /* 1-based directive counter. */
3530 /* The variadic argument counter. */
3531 unsigned argno = info.argidx;
3533 for (const char *pf = info.fmtstr; ; ++dirno)
3535 directive dir = directive ();
3538 size_t n = parse_directive (info, dir, res, pf, &argno,
3539 evrp_range_analyzer.get_vr_values ());
3541 /* Return failure if the format function fails. */
3542 if (!format_directive (info, res, dir,
3543 evrp_range_analyzer.get_vr_values ()))
3546 /* Return success the directive is zero bytes long and it's
3547 the last think in the format string (i.e., it's the terminating
3548 nul, which isn't really a directive but handling it as one makes
3556 /* The complete format string was processed (with or without warnings). */
3560 /* Return the size of the object referenced by the expression DEST if
3561 available, or -1 otherwise. */
3563 static unsigned HOST_WIDE_INT
3564 get_destination_size (tree dest)
3566 /* Initialize object size info before trying to compute it. */
3567 init_object_sizes ();
3569 /* Use __builtin_object_size to determine the size of the destination
3570 object. When optimizing, determine the smallest object (such as
3571 a member array as opposed to the whole enclosing object), otherwise
3572 use type-zero object size to determine the size of the enclosing
3573 object (the function fails without optimization in this type). */
3574 int ost = optimize > 0;
3575 unsigned HOST_WIDE_INT size;
3576 if (compute_builtin_object_size (dest, ost, &size))
3579 return HOST_WIDE_INT_M1U;
3582 /* Return true if the call described by INFO with result RES safe to
3583 optimize (i.e., no undefined behavior), and set RETVAL to the range
3584 of its return values. */
3587 is_call_safe (const sprintf_dom_walker::call_info &info,
3588 const format_result &res, bool under4k,
3589 unsigned HOST_WIDE_INT retval[2])
3591 if (under4k && !res.under4k)
3594 /* The minimum return value. */
3595 retval[0] = res.range.min;
3597 /* The maximum return value is in most cases bounded by RES.RANGE.MAX
3598 but in cases involving multibyte characters could be as large as
3599 RES.RANGE.UNLIKELY. */
3601 = res.range.unlikely < res.range.max ? res.range.max : res.range.unlikely;
3603 /* Adjust the number of bytes which includes the terminating nul
3604 to reflect the return value of the function which does not.
3605 Because the valid range of the function is [INT_MIN, INT_MAX],
3606 a valid range before the adjustment below is [0, INT_MAX + 1]
3607 (the functions only return negative values on error or undefined
3609 if (retval[0] <= target_int_max () + 1)
3611 if (retval[1] <= target_int_max () + 1)
3614 /* Avoid the return value optimization when the behavior of the call
3615 is undefined either because any directive may have produced 4K or
3616 more of output, or the return value exceeds INT_MAX, or because
3617 the output overflows the destination object (but leave it enabled
3618 when the function is bounded because then the behavior is well-
3620 if (retval[0] == retval[1]
3621 && (info.bounded || retval[0] < info.objsize)
3622 && retval[0] <= target_int_max ())
3625 if ((info.bounded || retval[1] < info.objsize)
3626 && (retval[0] < target_int_max ()
3627 && retval[1] < target_int_max ()))
3630 if (!under4k && (info.bounded || retval[0] < info.objsize))
3636 /* Given a suitable result RES of a call to a formatted output function
3637 described by INFO, substitute the result for the return value of
3638 the call. The result is suitable if the number of bytes it represents
3639 is known and exact. A result that isn't suitable for substitution may
3640 have its range set to the range of return values, if that is known.
3641 Return true if the call is removed and gsi_next should not be performed
3645 try_substitute_return_value (gimple_stmt_iterator *gsi,
3646 const sprintf_dom_walker::call_info &info,
3647 const format_result &res)
3649 tree lhs = gimple_get_lhs (info.callstmt);
3651 /* Set to true when the entire call has been removed. */
3652 bool removed = false;
3654 /* The minimum and maximum return value. */
3655 unsigned HOST_WIDE_INT retval[2];
3656 bool safe = is_call_safe (info, res, true, retval);
3659 && retval[0] == retval[1]
3660 /* Not prepared to handle possibly throwing calls here; they shouldn't
3661 appear in non-artificial testcases, except when the __*_chk routines
3662 are badly declared. */
3663 && !stmt_ends_bb_p (info.callstmt))
3665 tree cst = build_int_cst (integer_type_node, retval[0]);
3667 if (lhs == NULL_TREE
3670 /* Remove the call to the bounded function with a zero size
3671 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */
3672 unlink_stmt_vdef (info.callstmt);
3673 gsi_remove (gsi, true);
3676 else if (info.nowrite)
3678 /* Replace the call to the bounded function with a zero size
3679 (e.g., snprintf(0, 0, "%i", 123) with the constant result
3681 if (!update_call_from_tree (gsi, cst))
3682 gimplify_and_update_call_from_tree (gsi, cst);
3683 gimple *callstmt = gsi_stmt (*gsi);
3684 update_stmt (callstmt);
3688 /* Replace the left-hand side of the call with the constant
3689 result of the formatted function. */
3690 gimple_call_set_lhs (info.callstmt, NULL_TREE);
3691 gimple *g = gimple_build_assign (lhs, cst);
3692 gsi_insert_after (gsi, g, GSI_NEW_STMT);
3693 update_stmt (info.callstmt);
3699 fprintf (dump_file, " Removing call statement.");
3702 fprintf (dump_file, " Substituting ");
3703 print_generic_expr (dump_file, cst, dump_flags);
3704 fprintf (dump_file, " for %s.\n",
3705 info.nowrite ? "statement" : "return value");
3711 bool setrange = false;
3714 && (info.bounded || retval[1] < info.objsize)
3715 && (retval[0] < target_int_max ()
3716 && retval[1] < target_int_max ()))
3718 /* If the result is in a valid range bounded by the size of
3719 the destination set it so that it can be used for subsequent
3721 int prec = TYPE_PRECISION (integer_type_node);
3723 wide_int min = wi::shwi (retval[0], prec);
3724 wide_int max = wi::shwi (retval[1], prec);
3725 set_range_info (lhs, VR_RANGE, min, max);
3732 const char *inbounds
3733 = (retval[0] < info.objsize
3734 ? (retval[1] < info.objsize
3735 ? "in" : "potentially out-of")
3738 const char *what = setrange ? "Setting" : "Discarding";
3739 if (retval[0] != retval[1])
3741 " %s %s-bounds return value range ["
3742 HOST_WIDE_INT_PRINT_UNSIGNED ", "
3743 HOST_WIDE_INT_PRINT_UNSIGNED "].\n",
3744 what, inbounds, retval[0], retval[1]);
3746 fprintf (dump_file, " %s %s-bounds return value "
3747 HOST_WIDE_INT_PRINT_UNSIGNED ".\n",
3748 what, inbounds, retval[0]);
3753 fputc ('\n', dump_file);
3758 /* Try to simplify a s{,n}printf call described by INFO with result
3759 RES by replacing it with a simpler and presumably more efficient
3760 call (such as strcpy). */
3763 try_simplify_call (gimple_stmt_iterator *gsi,
3764 const sprintf_dom_walker::call_info &info,
3765 const format_result &res)
3767 unsigned HOST_WIDE_INT dummy[2];
3768 if (!is_call_safe (info, res, info.retval_used (), dummy))
3771 switch (info.fncode)
3773 case BUILT_IN_SNPRINTF:
3774 return gimple_fold_builtin_snprintf (gsi);
3776 case BUILT_IN_SPRINTF:
3777 return gimple_fold_builtin_sprintf (gsi);
3786 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
3787 functions and if so, handle it. Return true if the call is removed
3788 and gsi_next should not be performed in the caller. */
3791 sprintf_dom_walker::handle_gimple_call (gimple_stmt_iterator *gsi)
3793 call_info info = call_info ();
3795 info.callstmt = gsi_stmt (*gsi);
3796 if (!gimple_call_builtin_p (info.callstmt, BUILT_IN_NORMAL))
3799 info.func = gimple_call_fndecl (info.callstmt);
3800 info.fncode = DECL_FUNCTION_CODE (info.func);
3802 /* The size of the destination as in snprintf(dest, size, ...). */
3803 unsigned HOST_WIDE_INT dstsize = HOST_WIDE_INT_M1U;
3805 /* The size of the destination determined by __builtin_object_size. */
3806 unsigned HOST_WIDE_INT objsize = HOST_WIDE_INT_M1U;
3808 /* Buffer size argument number (snprintf and vsnprintf). */
3809 unsigned HOST_WIDE_INT idx_dstsize = HOST_WIDE_INT_M1U;
3811 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
3812 unsigned HOST_WIDE_INT idx_objsize = HOST_WIDE_INT_M1U;
3814 /* Format string argument number (valid for all functions). */
3815 unsigned idx_format;
3817 switch (info.fncode)
3819 case BUILT_IN_SPRINTF:
3821 // __builtin_sprintf (dst, format, ...)
3826 case BUILT_IN_SPRINTF_CHK:
3828 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
3834 case BUILT_IN_SNPRINTF:
3836 // __builtin_snprintf (dst, size, format, ...)
3840 info.bounded = true;
3843 case BUILT_IN_SNPRINTF_CHK:
3845 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
3850 info.bounded = true;
3853 case BUILT_IN_VSNPRINTF:
3855 // __builtin_vsprintf (dst, size, format, va)
3859 info.bounded = true;
3862 case BUILT_IN_VSNPRINTF_CHK:
3864 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
3869 info.bounded = true;
3872 case BUILT_IN_VSPRINTF:
3874 // __builtin_vsprintf (dst, format, va)
3879 case BUILT_IN_VSPRINTF_CHK:
3881 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
3891 /* Set the global warning level for this function. */
3892 warn_level = info.bounded ? warn_format_trunc : warn_format_overflow;
3894 /* The first argument is a pointer to the destination. */
3895 tree dstptr = gimple_call_arg (info.callstmt, 0);
3897 info.format = gimple_call_arg (info.callstmt, idx_format);
3899 /* True when the destination size is constant as opposed to the lower
3900 or upper bound of a range. */
3901 bool dstsize_cst_p = true;
3903 if (idx_dstsize == HOST_WIDE_INT_M1U)
3905 /* For non-bounded functions like sprintf, determine the size
3906 of the destination from the object or pointer passed to it
3907 as the first argument. */
3908 dstsize = get_destination_size (dstptr);
3910 else if (tree size = gimple_call_arg (info.callstmt, idx_dstsize))
3912 /* For bounded functions try to get the size argument. */
3914 if (TREE_CODE (size) == INTEGER_CST)
3916 dstsize = tree_to_uhwi (size);
3917 /* No object can be larger than SIZE_MAX bytes (half the address
3918 space) on the target.
3919 The functions are defined only for output of at most INT_MAX
3920 bytes. Specifying a bound in excess of that limit effectively
3921 defeats the bounds checking (and on some implementations such
3922 as Solaris cause the function to fail with EINVAL). */
3923 if (dstsize > target_size_max () / 2)
3925 /* Avoid warning if -Wstringop-overflow is specified since
3926 it also warns for the same thing though only for the
3927 checking built-ins. */
3928 if ((idx_objsize == HOST_WIDE_INT_M1U
3929 || !warn_stringop_overflow))
3930 warning_at (gimple_location (info.callstmt), info.warnopt (),
3931 "specified bound %wu exceeds maximum object size "
3933 dstsize, target_size_max () / 2);
3935 else if (dstsize > target_int_max ())
3936 warning_at (gimple_location (info.callstmt), info.warnopt (),
3937 "specified bound %wu exceeds %<INT_MAX%>",
3940 else if (TREE_CODE (size) == SSA_NAME)
3942 /* Try to determine the range of values of the argument
3943 and use the greater of the two at level 1 and the smaller
3944 of them at level 2. */
3945 value_range *vr = evrp_range_analyzer.get_value_range (size);
3946 if (vr->type == VR_RANGE
3947 && TREE_CODE (vr->min) == INTEGER_CST
3948 && TREE_CODE (vr->max) == INTEGER_CST)
3949 dstsize = (warn_level < 2
3950 ? TREE_INT_CST_LOW (vr->max)
3951 : TREE_INT_CST_LOW (vr->min));
3953 /* The destination size is not constant. If the function is
3954 bounded (e.g., snprintf) a lower bound of zero doesn't
3955 necessarily imply it can be eliminated. */
3956 dstsize_cst_p = false;
3960 if (idx_objsize != HOST_WIDE_INT_M1U)
3961 if (tree size = gimple_call_arg (info.callstmt, idx_objsize))
3962 if (tree_fits_uhwi_p (size))
3963 objsize = tree_to_uhwi (size);
3965 if (info.bounded && !dstsize)
3967 /* As a special case, when the explicitly specified destination
3968 size argument (to a bounded function like snprintf) is zero
3969 it is a request to determine the number of bytes on output
3970 without actually producing any. Pretend the size is
3971 unlimited in this case. */
3972 info.objsize = HOST_WIDE_INT_MAX;
3973 info.nowrite = dstsize_cst_p;
3977 /* For calls to non-bounded functions or to those of bounded
3978 functions with a non-zero size, warn if the destination
3980 if (integer_zerop (dstptr))
3982 /* This is diagnosed with -Wformat only when the null is a constant
3983 pointer. The warning here diagnoses instances where the pointer
3985 location_t loc = gimple_location (info.callstmt);
3986 warning_at (EXPR_LOC_OR_LOC (dstptr, loc),
3987 info.warnopt (), "null destination pointer");
3991 /* Set the object size to the smaller of the two arguments
3992 of both have been specified and they're not equal. */
3993 info.objsize = dstsize < objsize ? dstsize : objsize;
3996 && dstsize < target_size_max () / 2 && objsize < dstsize
3997 /* Avoid warning if -Wstringop-overflow is specified since
3998 it also warns for the same thing though only for the
3999 checking built-ins. */
4000 && (idx_objsize == HOST_WIDE_INT_M1U
4001 || !warn_stringop_overflow))
4003 warning_at (gimple_location (info.callstmt), info.warnopt (),
4004 "specified bound %wu exceeds the size %wu "
4005 "of the destination object", dstsize, objsize);
4009 if (integer_zerop (info.format))
4011 /* This is diagnosed with -Wformat only when the null is a constant
4012 pointer. The warning here diagnoses instances where the pointer
4014 location_t loc = gimple_location (info.callstmt);
4015 warning_at (EXPR_LOC_OR_LOC (info.format, loc),
4016 info.warnopt (), "null format string");
4020 info.fmtstr = get_format_string (info.format, &info.fmtloc);
4024 /* The result is the number of bytes output by the formatted function,
4025 including the terminating NUL. */
4026 format_result res = format_result ();
4028 bool success = compute_format_length (info, &res);
4030 /* When optimizing and the printf return value optimization is enabled,
4031 attempt to substitute the computed result for the return value of
4032 the call. Avoid this optimization when -frounding-math is in effect
4033 and the format string contains a floating point directive. */
4034 bool call_removed = false;
4035 if (success && optimize > 0)
4037 /* Save a copy of the iterator pointing at the call. The iterator
4038 may change to point past the call in try_substitute_return_value
4039 but the original value is needed in try_simplify_call. */
4040 gimple_stmt_iterator gsi_call = *gsi;
4042 if (flag_printf_return_value
4043 && (!flag_rounding_math || !res.floating))
4044 call_removed = try_substitute_return_value (gsi, info, res);
4047 try_simplify_call (&gsi_call, info, res);
4050 return call_removed;
4054 sprintf_dom_walker::before_dom_children (basic_block bb)
4056 evrp_range_analyzer.enter (bb);
4057 for (gimple_stmt_iterator si = gsi_start_bb (bb); !gsi_end_p (si); )
4059 /* Iterate over statements, looking for function calls. */
4060 gimple *stmt = gsi_stmt (si);
4062 /* First record ranges generated by this statement. */
4063 evrp_range_analyzer.record_ranges_from_stmt (stmt, false);
4065 if (is_gimple_call (stmt) && handle_gimple_call (&si))
4066 /* If handle_gimple_call returns true, the iterator is
4067 already pointing to the next statement. */
4076 sprintf_dom_walker::after_dom_children (basic_block bb)
4078 evrp_range_analyzer.leave (bb);
4081 /* Execute the pass for function FUN. */
4084 pass_sprintf_length::execute (function *fun)
4086 init_target_to_host_charmap ();
4088 calculate_dominance_info (CDI_DOMINATORS);
4090 sprintf_dom_walker sprintf_dom_walker;
4091 sprintf_dom_walker.walk (ENTRY_BLOCK_PTR_FOR_FN (fun));
4093 /* Clean up object size info. */
4094 fini_object_sizes ();
4098 } /* Unnamed namespace. */
4100 /* Return a pointer to a pass object newly constructed from the context
4104 make_pass_sprintf_length (gcc::context *ctxt)
4106 return new pass_sprintf_length (ctxt);
projects / dragonfly.git / blob