1 /* Copyright (C) 2016-2018 Free Software Foundation, Inc. 2 Contributed by Martin Sebor <msebor@redhat.com>. 3 4 This file is part of GCC. 5 6 GCC is free software; you can redistribute it and/or modify it under 7 the terms of the GNU General Public License as published by the Free 8 Software Foundation; either version 3, or (at your option) any later 9 version. 10 11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY 12 WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 for more details. 15 16 You should have received a copy of the GNU General Public License 17 along with GCC; see the file COPYING3. If not see 18 <http://www.gnu.org/licenses/>. */ 19 20 /* This file implements the printf-return-value pass. The pass does 21 two things: 1) it analyzes calls to formatted output functions like 22 sprintf looking for possible buffer overflows and calls to bounded 23 functions like snprintf for early truncation (and under the control 24 of the -Wformat-length option issues warnings), and 2) under the 25 control of the -fprintf-return-value option it folds the return 26 value of safe calls into constants, making it possible to eliminate 27 code that depends on the value of those constants. 28 29 For all functions (bounded or not) the pass uses the size of the 30 destination object. That means that it will diagnose calls to 31 snprintf not on the basis of the size specified by the function's 32 second argument but rathger on the basis of the size the first 33 argument points to (if possible). For bound-checking built-ins 34 like __builtin___snprintf_chk the pass uses the size typically 35 determined by __builtin_object_size and passed to the built-in 36 by the Glibc inline wrapper. 37 38 The pass handles all forms standard sprintf format directives, 39 including character, integer, floating point, pointer, and strings, 40 with the standard C flags, widths, and precisions. For integers 41 and strings it computes the length of output itself. For floating 42 point it uses MPFR to fornmat known constants with up and down 43 rounding and uses the resulting range of output lengths. For 44 strings it uses the length of string literals and the sizes of 45 character arrays that a character pointer may point to as a bound 46 on the longest string. */ 47 48 #include "config.h" 49 #include "system.h" 50 #include "coretypes.h" 51 #include "backend.h" 52 #include "tree.h" 53 #include "gimple.h" 54 #include "tree-pass.h" 55 #include "ssa.h" 56 #include "gimple-fold.h" 57 #include "gimple-pretty-print.h" 58 #include "diagnostic-core.h" 59 #include "fold-const.h" 60 #include "gimple-iterator.h" 61 #include "tree-ssa.h" 62 #include "tree-object-size.h" 63 #include "params.h" 64 #include "tree-cfg.h" 65 #include "tree-ssa-propagate.h" 66 #include "calls.h" 67 #include "cfgloop.h" 68 #include "intl.h" 69 #include "langhooks.h" 70 71 #include "builtins.h" 72 #include "stor-layout.h" 73 74 #include "realmpfr.h" 75 #include "target.h" 76 77 #include "cpplib.h" 78 #include "input.h" 79 #include "toplev.h" 80 #include "substring-locations.h" 81 #include "diagnostic.h" 82 #include "domwalk.h" 83 #include "alloc-pool.h" 84 #include "vr-values.h" 85 #include "gimple-ssa-evrp-analyze.h" 86 87 /* The likely worst case value of MB_LEN_MAX for the target, large enough 88 for UTF-8. Ideally, this would be obtained by a target hook if it were 89 to be used for optimization but it's good enough as is for warnings. */ 90 #define target_mb_len_max() 6 91 92 /* The maximum number of bytes a single non-string directive can result 93 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for 94 LDBL_MAX_10_EXP of 4932. */ 95 #define IEEE_MAX_10_EXP 4932 96 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2) 97 98 namespace { 99 100 const pass_data pass_data_sprintf_length = { 101 GIMPLE_PASS, // pass type 102 "printf-return-value", // pass name 103 OPTGROUP_NONE, // optinfo_flags 104 TV_NONE, // tv_id 105 PROP_cfg, // properties_required 106 0, // properties_provided 107 0, // properties_destroyed 108 0, // properties_start 109 0, // properties_finish 110 }; 111 112 /* Set to the warning level for the current function which is equal 113 either to warn_format_trunc for bounded functions or to 114 warn_format_overflow otherwise. */ 115 116 static int warn_level; 117 118 struct format_result; 119 120 class sprintf_dom_walker : public dom_walker 121 { 122 public: 123 sprintf_dom_walker () : dom_walker (CDI_DOMINATORS) {} 124 ~sprintf_dom_walker () {} 125 126 edge before_dom_children (basic_block) FINAL OVERRIDE; 127 void after_dom_children (basic_block) FINAL OVERRIDE; 128 bool handle_gimple_call (gimple_stmt_iterator *); 129 130 struct call_info; 131 bool compute_format_length (call_info &, format_result *); 132 class evrp_range_analyzer evrp_range_analyzer; 133 }; 134 135 class pass_sprintf_length : public gimple_opt_pass 136 { 137 bool fold_return_value; 138 139 public: 140 pass_sprintf_length (gcc::context *ctxt) 141 : gimple_opt_pass (pass_data_sprintf_length, ctxt), 142 fold_return_value (false) 143 { } 144 145 opt_pass * clone () { return new pass_sprintf_length (m_ctxt); } 146 147 virtual bool gate (function *); 148 149 virtual unsigned int execute (function *); 150 151 void set_pass_param (unsigned int n, bool param) 152 { 153 gcc_assert (n == 0); 154 fold_return_value = param; 155 } 156 157 }; 158 159 bool 160 pass_sprintf_length::gate (function *) 161 { 162 /* Run the pass iff -Warn-format-overflow or -Warn-format-truncation 163 is specified and either not optimizing and the pass is being invoked 164 early, or when optimizing and the pass is being invoked during 165 optimization (i.e., "late"). */ 166 return ((warn_format_overflow > 0 167 || warn_format_trunc > 0 168 || flag_printf_return_value) 169 && (optimize > 0) == fold_return_value); 170 } 171 172 /* The minimum, maximum, likely, and unlikely maximum number of bytes 173 of output either a formatting function or an individual directive 174 can result in. */ 175 176 struct result_range 177 { 178 /* The absolute minimum number of bytes. The result of a successful 179 conversion is guaranteed to be no less than this. (An erroneous 180 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */ 181 unsigned HOST_WIDE_INT min; 182 /* The likely maximum result that is used in diagnostics. In most 183 cases MAX is the same as the worst case UNLIKELY result. */ 184 unsigned HOST_WIDE_INT max; 185 /* The likely result used to trigger diagnostics. For conversions 186 that result in a range of bytes [MIN, MAX], LIKELY is somewhere 187 in that range. */ 188 unsigned HOST_WIDE_INT likely; 189 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives 190 the worst cases maximum result of a directive. In most cases 191 UNLIKELY == MAX. UNLIKELY is used to control the return value 192 optimization but not in diagnostics. */ 193 unsigned HOST_WIDE_INT unlikely; 194 }; 195 196 /* The result of a call to a formatted function. */ 197 198 struct format_result 199 { 200 /* Range of characters written by the formatted function. 201 Setting the minimum to HOST_WIDE_INT_MAX disables all 202 length tracking for the remainder of the format string. */ 203 result_range range; 204 205 /* True when the range above is obtained from known values of 206 directive arguments, or bounds on the amount of output such 207 as width and precision, and not the result of heuristics that 208 depend on warning levels. It's used to issue stricter diagnostics 209 in cases where strings of unknown lengths are bounded by the arrays 210 they are determined to refer to. KNOWNRANGE must not be used for 211 the return value optimization. */ 212 bool knownrange; 213 214 /* True if no individual directive resulted in more than 4095 bytes 215 of output (the total NUMBER_CHARS_{MIN,MAX} might be greater). 216 Implementations are not required to handle directives that produce 217 more than 4K bytes (leading to undefined behavior) and so when one 218 is found it disables the return value optimization. */ 219 bool under4k; 220 221 /* True when a floating point directive has been seen in the format 222 string. */ 223 bool floating; 224 225 /* True when an intermediate result has caused a warning. Used to 226 avoid issuing duplicate warnings while finishing the processing 227 of a call. WARNED also disables the return value optimization. */ 228 bool warned; 229 230 /* Preincrement the number of output characters by 1. */ 231 format_result& operator++ () 232 { 233 return *this += 1; 234 } 235 236 /* Postincrement the number of output characters by 1. */ 237 format_result operator++ (int) 238 { 239 format_result prev (*this); 240 *this += 1; 241 return prev; 242 } 243 244 /* Increment the number of output characters by N. */ 245 format_result& operator+= (unsigned HOST_WIDE_INT); 246 }; 247 248 format_result& 249 format_result::operator+= (unsigned HOST_WIDE_INT n) 250 { 251 gcc_assert (n < HOST_WIDE_INT_MAX); 252 253 if (range.min < HOST_WIDE_INT_MAX) 254 range.min += n; 255 256 if (range.max < HOST_WIDE_INT_MAX) 257 range.max += n; 258 259 if (range.likely < HOST_WIDE_INT_MAX) 260 range.likely += n; 261 262 if (range.unlikely < HOST_WIDE_INT_MAX) 263 range.unlikely += n; 264 265 return *this; 266 } 267 268 /* Return the value of INT_MIN for the target. */ 269 270 static inline HOST_WIDE_INT 271 target_int_min () 272 { 273 return tree_to_shwi (TYPE_MIN_VALUE (integer_type_node)); 274 } 275 276 /* Return the value of INT_MAX for the target. */ 277 278 static inline unsigned HOST_WIDE_INT 279 target_int_max () 280 { 281 return tree_to_uhwi (TYPE_MAX_VALUE (integer_type_node)); 282 } 283 284 /* Return the value of SIZE_MAX for the target. */ 285 286 static inline unsigned HOST_WIDE_INT 287 target_size_max () 288 { 289 return tree_to_uhwi (TYPE_MAX_VALUE (size_type_node)); 290 } 291 292 /* A straightforward mapping from the execution character set to the host 293 character set indexed by execution character. */ 294 295 static char target_to_host_charmap[256]; 296 297 /* Initialize a mapping from the execution character set to the host 298 character set. */ 299 300 static bool 301 init_target_to_host_charmap () 302 { 303 /* If the percent sign is non-zero the mapping has already been 304 initialized. */ 305 if (target_to_host_charmap['%']) 306 return true; 307 308 /* Initialize the target_percent character (done elsewhere). */ 309 if (!init_target_chars ()) 310 return false; 311 312 /* The subset of the source character set used by printf conversion 313 specifications (strictly speaking, not all letters are used but 314 they are included here for the sake of simplicity). The dollar 315 sign must be included even though it's not in the basic source 316 character set. */ 317 const char srcset[] = " 0123456789!\"#%&'()*+,-./:;<=>?[\\]^_{|}~$" 318 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 319 320 /* Set the mapping for all characters to some ordinary value (i,e., 321 not none used in printf conversion specifications) and overwrite 322 those that are used by conversion specifications with their 323 corresponding values. */ 324 memset (target_to_host_charmap + 1, '?', sizeof target_to_host_charmap - 1); 325 326 /* Are the two sets of characters the same? */ 327 bool all_same_p = true; 328 329 for (const char *pc = srcset; *pc; ++pc) 330 { 331 /* Slice off the high end bits in case target characters are 332 signed. All values are expected to be non-nul, otherwise 333 there's a problem. */ 334 if (unsigned char tc = lang_hooks.to_target_charset (*pc)) 335 { 336 target_to_host_charmap[tc] = *pc; 337 if (tc != *pc) 338 all_same_p = false; 339 } 340 else 341 return false; 342 343 } 344 345 /* Set the first element to a non-zero value if the mapping 346 is 1-to-1, otherwise leave it clear (NUL is assumed to be 347 the same in both character sets). */ 348 target_to_host_charmap[0] = all_same_p; 349 350 return true; 351 } 352 353 /* Return the host source character corresponding to the character 354 CH in the execution character set if one exists, or some innocuous 355 (non-special, non-nul) source character otherwise. */ 356 357 static inline unsigned char 358 target_to_host (unsigned char ch) 359 { 360 return target_to_host_charmap[ch]; 361 } 362 363 /* Convert an initial substring of the string TARGSTR consisting of 364 characters in the execution character set into a string in the 365 source character set on the host and store up to HOSTSZ characters 366 in the buffer pointed to by HOSTR. Return HOSTR. */ 367 368 static const char* 369 target_to_host (char *hostr, size_t hostsz, const char *targstr) 370 { 371 /* Make sure the buffer is reasonably big. */ 372 gcc_assert (hostsz > 4); 373 374 /* The interesting subset of source and execution characters are 375 the same so no conversion is necessary. However, truncate 376 overlong strings just like the translated strings are. */ 377 if (target_to_host_charmap['\0'] == 1) 378 { 379 strncpy (hostr, targstr, hostsz - 4); 380 if (strlen (targstr) >= hostsz) 381 strcpy (hostr + hostsz - 4, "..."); 382 return hostr; 383 } 384 385 /* Convert the initial substring of TARGSTR to the corresponding 386 characters in the host set, appending "..." if TARGSTR is too 387 long to fit. Using the static buffer assumes the function is 388 not called in between sequence points (which it isn't). */ 389 for (char *ph = hostr; ; ++targstr) 390 { 391 *ph++ = target_to_host (*targstr); 392 if (!*targstr) 393 break; 394 395 if (size_t (ph - hostr) == hostsz - 4) 396 { 397 *ph = '\0'; 398 strcat (ph, "..."); 399 break; 400 } 401 } 402 403 return hostr; 404 } 405 406 /* Convert the sequence of decimal digits in the execution character 407 starting at S to a long, just like strtol does. Return the result 408 and set *END to one past the last converted character. On range 409 error set ERANGE to the digit that caused it. */ 410 411 static inline long 412 target_strtol10 (const char **ps, const char **erange) 413 { 414 unsigned HOST_WIDE_INT val = 0; 415 for ( ; ; ++*ps) 416 { 417 unsigned char c = target_to_host (**ps); 418 if (ISDIGIT (c)) 419 { 420 c -= '0'; 421 422 /* Check for overflow. */ 423 if (val > (LONG_MAX - c) / 10LU) 424 { 425 val = LONG_MAX; 426 *erange = *ps; 427 428 /* Skip the remaining digits. */ 429 do 430 c = target_to_host (*++*ps); 431 while (ISDIGIT (c)); 432 break; 433 } 434 else 435 val = val * 10 + c; 436 } 437 else 438 break; 439 } 440 441 return val; 442 } 443 444 /* Return the constant initial value of DECL if available or DECL 445 otherwise. Same as the synonymous function in c/c-typeck.c. */ 446 447 static tree 448 decl_constant_value (tree decl) 449 { 450 if (/* Don't change a variable array bound or initial value to a constant 451 in a place where a variable is invalid. Note that DECL_INITIAL 452 isn't valid for a PARM_DECL. */ 453 current_function_decl != 0 454 && TREE_CODE (decl) != PARM_DECL 455 && !TREE_THIS_VOLATILE (decl) 456 && TREE_READONLY (decl) 457 && DECL_INITIAL (decl) != 0 458 && TREE_CODE (DECL_INITIAL (decl)) != ERROR_MARK 459 /* This is invalid if initial value is not constant. 460 If it has either a function call, a memory reference, 461 or a variable, then re-evaluating it could give different results. */ 462 && TREE_CONSTANT (DECL_INITIAL (decl)) 463 /* Check for cases where this is sub-optimal, even though valid. */ 464 && TREE_CODE (DECL_INITIAL (decl)) != CONSTRUCTOR) 465 return DECL_INITIAL (decl); 466 return decl; 467 } 468 469 /* Given FORMAT, set *PLOC to the source location of the format string 470 and return the format string if it is known or null otherwise. */ 471 472 static const char* 473 get_format_string (tree format, location_t *ploc) 474 { 475 if (VAR_P (format)) 476 { 477 /* Pull out a constant value if the front end didn't. */ 478 format = decl_constant_value (format); 479 STRIP_NOPS (format); 480 } 481 482 if (integer_zerop (format)) 483 { 484 /* FIXME: Diagnose null format string if it hasn't been diagnosed 485 by -Wformat (the latter diagnoses only nul pointer constants, 486 this pass can do better). */ 487 return NULL; 488 } 489 490 HOST_WIDE_INT offset = 0; 491 492 if (TREE_CODE (format) == POINTER_PLUS_EXPR) 493 { 494 tree arg0 = TREE_OPERAND (format, 0); 495 tree arg1 = TREE_OPERAND (format, 1); 496 STRIP_NOPS (arg0); 497 STRIP_NOPS (arg1); 498 499 if (TREE_CODE (arg1) != INTEGER_CST) 500 return NULL; 501 502 format = arg0; 503 504 /* POINTER_PLUS_EXPR offsets are to be interpreted signed. */ 505 if (!cst_and_fits_in_hwi (arg1)) 506 return NULL; 507 508 offset = int_cst_value (arg1); 509 } 510 511 if (TREE_CODE (format) != ADDR_EXPR) 512 return NULL; 513 514 *ploc = EXPR_LOC_OR_LOC (format, input_location); 515 516 format = TREE_OPERAND (format, 0); 517 518 if (TREE_CODE (format) == ARRAY_REF 519 && tree_fits_shwi_p (TREE_OPERAND (format, 1)) 520 && (offset += tree_to_shwi (TREE_OPERAND (format, 1))) >= 0) 521 format = TREE_OPERAND (format, 0); 522 523 if (offset < 0) 524 return NULL; 525 526 tree array_init; 527 tree array_size = NULL_TREE; 528 529 if (VAR_P (format) 530 && TREE_CODE (TREE_TYPE (format)) == ARRAY_TYPE 531 && (array_init = decl_constant_value (format)) != format 532 && TREE_CODE (array_init) == STRING_CST) 533 { 534 /* Extract the string constant initializer. Note that this may 535 include a trailing NUL character that is not in the array (e.g. 536 const char a[3] = "foo";). */ 537 array_size = DECL_SIZE_UNIT (format); 538 format = array_init; 539 } 540 541 if (TREE_CODE (format) != STRING_CST) 542 return NULL; 543 544 tree type = TREE_TYPE (format); 545 546 scalar_int_mode char_mode; 547 if (!is_int_mode (TYPE_MODE (TREE_TYPE (type)), &char_mode) 548 || GET_MODE_SIZE (char_mode) != 1) 549 { 550 /* Wide format string. */ 551 return NULL; 552 } 553 554 const char *fmtstr = TREE_STRING_POINTER (format); 555 unsigned fmtlen = TREE_STRING_LENGTH (format); 556 557 if (array_size) 558 { 559 /* Variable length arrays can't be initialized. */ 560 gcc_assert (TREE_CODE (array_size) == INTEGER_CST); 561 562 if (tree_fits_shwi_p (array_size)) 563 { 564 HOST_WIDE_INT array_size_value = tree_to_shwi (array_size); 565 if (array_size_value > 0 566 && array_size_value == (int) array_size_value 567 && fmtlen > array_size_value) 568 fmtlen = array_size_value; 569 } 570 } 571 if (offset) 572 { 573 if (offset >= fmtlen) 574 return NULL; 575 576 fmtstr += offset; 577 fmtlen -= offset; 578 } 579 580 if (fmtlen < 1 || fmtstr[--fmtlen] != 0) 581 { 582 /* FIXME: Diagnose an unterminated format string if it hasn't been 583 diagnosed by -Wformat. Similarly to a null format pointer, 584 -Wformay diagnoses only nul pointer constants, this pass can 585 do better). */ 586 return NULL; 587 } 588 589 return fmtstr; 590 } 591 592 /* For convenience and brevity, shorter named entrypoints of 593 format_warning_at_substring and format_warning_at_substring_n. 594 These have to be functions with the attribute so that exgettext 595 works properly. */ 596 597 static bool 598 ATTRIBUTE_GCC_DIAG (5, 6) 599 fmtwarn (const substring_loc &fmt_loc, location_t param_loc, 600 const char *corrected_substring, int opt, const char *gmsgid, ...) 601 { 602 va_list ap; 603 va_start (ap, gmsgid); 604 bool warned = format_warning_va (fmt_loc, param_loc, corrected_substring, 605 opt, gmsgid, &ap); 606 va_end (ap); 607 608 return warned; 609 } 610 611 static bool 612 ATTRIBUTE_GCC_DIAG (6, 8) ATTRIBUTE_GCC_DIAG (7, 8) 613 fmtwarn_n (const substring_loc &fmt_loc, location_t param_loc, 614 const char *corrected_substring, int opt, unsigned HOST_WIDE_INT n, 615 const char *singular_gmsgid, const char *plural_gmsgid, ...) 616 { 617 va_list ap; 618 va_start (ap, plural_gmsgid); 619 bool warned = format_warning_n_va (fmt_loc, param_loc, corrected_substring, 620 opt, n, singular_gmsgid, plural_gmsgid, 621 &ap); 622 va_end (ap); 623 624 return warned; 625 } 626 627 /* Format length modifiers. */ 628 629 enum format_lengths 630 { 631 FMT_LEN_none, 632 FMT_LEN_hh, // char argument 633 FMT_LEN_h, // short 634 FMT_LEN_l, // long 635 FMT_LEN_ll, // long long 636 FMT_LEN_L, // long double (and GNU long long) 637 FMT_LEN_z, // size_t 638 FMT_LEN_t, // ptrdiff_t 639 FMT_LEN_j // intmax_t 640 }; 641 642 643 /* Description of the result of conversion either of a single directive 644 or the whole format string. */ 645 646 struct fmtresult 647 { 648 /* Construct a FMTRESULT object with all counters initialized 649 to MIN. KNOWNRANGE is set when MIN is valid. */ 650 fmtresult (unsigned HOST_WIDE_INT min = HOST_WIDE_INT_MAX) 651 : argmin (), argmax (), 652 knownrange (min < HOST_WIDE_INT_MAX), 653 nullp () 654 { 655 range.min = min; 656 range.max = min; 657 range.likely = min; 658 range.unlikely = min; 659 } 660 661 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters. 662 KNOWNRANGE is set when both MIN and MAX are valid. */ 663 fmtresult (unsigned HOST_WIDE_INT min, unsigned HOST_WIDE_INT max, 664 unsigned HOST_WIDE_INT likely = HOST_WIDE_INT_MAX) 665 : argmin (), argmax (), 666 knownrange (min < HOST_WIDE_INT_MAX && max < HOST_WIDE_INT_MAX), 667 nullp () 668 { 669 range.min = min; 670 range.max = max; 671 range.likely = max < likely ? min : likely; 672 range.unlikely = max; 673 } 674 675 /* Adjust result upward to reflect the RANGE of values the specified 676 width or precision is known to be in. */ 677 fmtresult& adjust_for_width_or_precision (const HOST_WIDE_INT[2], 678 tree = NULL_TREE, 679 unsigned = 0, unsigned = 0); 680 681 /* Return the maximum number of decimal digits a value of TYPE 682 formats as on output. */ 683 static unsigned type_max_digits (tree, int); 684 685 /* The range a directive's argument is in. */ 686 tree argmin, argmax; 687 688 /* The minimum and maximum number of bytes that a directive 689 results in on output for an argument in the range above. */ 690 result_range range; 691 692 /* True when the range above is obtained from a known value of 693 a directive's argument or its bounds and not the result of 694 heuristics that depend on warning levels. */ 695 bool knownrange; 696 697 /* True when the argument is a null pointer. */ 698 bool nullp; 699 }; 700 701 /* Adjust result upward to reflect the range ADJUST of values the 702 specified width or precision is known to be in. When non-null, 703 TYPE denotes the type of the directive whose result is being 704 adjusted, BASE gives the base of the directive (octal, decimal, 705 or hex), and ADJ denotes the additional adjustment to the LIKELY 706 counter that may need to be added when ADJUST is a range. */ 707 708 fmtresult& 709 fmtresult::adjust_for_width_or_precision (const HOST_WIDE_INT adjust[2], 710 tree type /* = NULL_TREE */, 711 unsigned base /* = 0 */, 712 unsigned adj /* = 0 */) 713 { 714 bool minadjusted = false; 715 716 /* Adjust the minimum and likely counters. */ 717 if (adjust[0] >= 0) 718 { 719 if (range.min < (unsigned HOST_WIDE_INT)adjust[0]) 720 { 721 range.min = adjust[0]; 722 minadjusted = true; 723 } 724 725 /* Adjust the likely counter. */ 726 if (range.likely < range.min) 727 range.likely = range.min; 728 } 729 else if (adjust[0] == target_int_min () 730 && (unsigned HOST_WIDE_INT)adjust[1] == target_int_max ()) 731 knownrange = false; 732 733 /* Adjust the maximum counter. */ 734 if (adjust[1] > 0) 735 { 736 if (range.max < (unsigned HOST_WIDE_INT)adjust[1]) 737 { 738 range.max = adjust[1]; 739 740 /* Set KNOWNRANGE if both the minimum and maximum have been 741 adjusted. Otherwise leave it at what it was before. */ 742 knownrange = minadjusted; 743 } 744 } 745 746 if (warn_level > 1 && type) 747 { 748 /* For large non-constant width or precision whose range spans 749 the maximum number of digits produced by the directive for 750 any argument, set the likely number of bytes to be at most 751 the number digits plus other adjustment determined by the 752 caller (one for sign or two for the hexadecimal "0x" 753 prefix). */ 754 unsigned dirdigs = type_max_digits (type, base); 755 if (adjust[0] < dirdigs && dirdigs < adjust[1] 756 && range.likely < dirdigs) 757 range.likely = dirdigs + adj; 758 } 759 else if (range.likely < (range.min ? range.min : 1)) 760 { 761 /* Conservatively, set LIKELY to at least MIN but no less than 762 1 unless MAX is zero. */ 763 range.likely = (range.min 764 ? range.min 765 : range.max && (range.max < HOST_WIDE_INT_MAX 766 || warn_level > 1) ? 1 : 0); 767 } 768 769 /* Finally adjust the unlikely counter to be at least as large as 770 the maximum. */ 771 if (range.unlikely < range.max) 772 range.unlikely = range.max; 773 774 return *this; 775 } 776 777 /* Return the maximum number of digits a value of TYPE formats in 778 BASE on output, not counting base prefix . */ 779 780 unsigned 781 fmtresult::type_max_digits (tree type, int base) 782 { 783 unsigned prec = TYPE_PRECISION (type); 784 switch (base) 785 { 786 case 8: 787 return (prec + 2) / 3; 788 case 10: 789 /* Decimal approximation: yields 3, 5, 10, and 20 for precision 790 of 8, 16, 32, and 64 bits. */ 791 return prec * 301 / 1000 + 1; 792 case 16: 793 return prec / 4; 794 } 795 796 gcc_unreachable (); 797 } 798 799 static bool 800 get_int_range (tree, HOST_WIDE_INT *, HOST_WIDE_INT *, bool, HOST_WIDE_INT, 801 class vr_values *vr_values); 802 803 /* Description of a format directive. A directive is either a plain 804 string or a conversion specification that starts with '%'. */ 805 806 struct directive 807 { 808 /* The 1-based directive number (for debugging). */ 809 unsigned dirno; 810 811 /* The first character of the directive and its length. */ 812 const char *beg; 813 size_t len; 814 815 /* A bitmap of flags, one for each character. */ 816 unsigned flags[256 / sizeof (int)]; 817 818 /* The range of values of the specified width, or -1 if not specified. */ 819 HOST_WIDE_INT width[2]; 820 /* The range of values of the specified precision, or -1 if not 821 specified. */ 822 HOST_WIDE_INT prec[2]; 823 824 /* Length modifier. */ 825 format_lengths modifier; 826 827 /* Format specifier character. */ 828 char specifier; 829 830 /* The argument of the directive or null when the directive doesn't 831 take one or when none is available (such as for vararg functions). */ 832 tree arg; 833 834 /* Format conversion function that given a directive and an argument 835 returns the formatting result. */ 836 fmtresult (*fmtfunc) (const directive &, tree, vr_values *); 837 838 /* Return True when a the format flag CHR has been used. */ 839 bool get_flag (char chr) const 840 { 841 unsigned char c = chr & 0xff; 842 return (flags[c / (CHAR_BIT * sizeof *flags)] 843 & (1U << (c % (CHAR_BIT * sizeof *flags)))); 844 } 845 846 /* Make a record of the format flag CHR having been used. */ 847 void set_flag (char chr) 848 { 849 unsigned char c = chr & 0xff; 850 flags[c / (CHAR_BIT * sizeof *flags)] 851 |= (1U << (c % (CHAR_BIT * sizeof *flags))); 852 } 853 854 /* Reset the format flag CHR. */ 855 void clear_flag (char chr) 856 { 857 unsigned char c = chr & 0xff; 858 flags[c / (CHAR_BIT * sizeof *flags)] 859 &= ~(1U << (c % (CHAR_BIT * sizeof *flags))); 860 } 861 862 /* Set both bounds of the width range to VAL. */ 863 void set_width (HOST_WIDE_INT val) 864 { 865 width[0] = width[1] = val; 866 } 867 868 /* Set the width range according to ARG, with both bounds being 869 no less than 0. For a constant ARG set both bounds to its value 870 or 0, whichever is greater. For a non-constant ARG in some range 871 set width to its range adjusting each bound to -1 if it's less. 872 For an indeterminate ARG set width to [0, INT_MAX]. */ 873 void set_width (tree arg, vr_values *vr_values) 874 { 875 get_int_range (arg, width, width + 1, true, 0, vr_values); 876 } 877 878 /* Set both bounds of the precision range to VAL. */ 879 void set_precision (HOST_WIDE_INT val) 880 { 881 prec[0] = prec[1] = val; 882 } 883 884 /* Set the precision range according to ARG, with both bounds being 885 no less than -1. For a constant ARG set both bounds to its value 886 or -1 whichever is greater. For a non-constant ARG in some range 887 set precision to its range adjusting each bound to -1 if it's less. 888 For an indeterminate ARG set precision to [-1, INT_MAX]. */ 889 void set_precision (tree arg, vr_values *vr_values) 890 { 891 get_int_range (arg, prec, prec + 1, false, -1, vr_values); 892 } 893 894 /* Return true if both width and precision are known to be 895 either constant or in some range, false otherwise. */ 896 bool known_width_and_precision () const 897 { 898 return ((width[1] < 0 899 || (unsigned HOST_WIDE_INT)width[1] <= target_int_max ()) 900 && (prec[1] < 0 901 || (unsigned HOST_WIDE_INT)prec[1] < target_int_max ())); 902 } 903 }; 904 905 /* Return the logarithm of X in BASE. */ 906 907 static int 908 ilog (unsigned HOST_WIDE_INT x, int base) 909 { 910 int res = 0; 911 do 912 { 913 ++res; 914 x /= base; 915 } while (x); 916 return res; 917 } 918 919 /* Return the number of bytes resulting from converting into a string 920 the INTEGER_CST tree node X in BASE with a minimum of PREC digits. 921 PLUS indicates whether 1 for a plus sign should be added for positive 922 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal 923 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot 924 be represented. */ 925 926 static HOST_WIDE_INT 927 tree_digits (tree x, int base, HOST_WIDE_INT prec, bool plus, bool prefix) 928 { 929 unsigned HOST_WIDE_INT absval; 930 931 HOST_WIDE_INT res; 932 933 if (TYPE_UNSIGNED (TREE_TYPE (x))) 934 { 935 if (tree_fits_uhwi_p (x)) 936 { 937 absval = tree_to_uhwi (x); 938 res = plus; 939 } 940 else 941 return -1; 942 } 943 else 944 { 945 if (tree_fits_shwi_p (x)) 946 { 947 HOST_WIDE_INT i = tree_to_shwi (x); 948 if (HOST_WIDE_INT_MIN == i) 949 { 950 /* Avoid undefined behavior due to negating a minimum. */ 951 absval = HOST_WIDE_INT_MAX; 952 res = 1; 953 } 954 else if (i < 0) 955 { 956 absval = -i; 957 res = 1; 958 } 959 else 960 { 961 absval = i; 962 res = plus; 963 } 964 } 965 else 966 return -1; 967 } 968 969 int ndigs = ilog (absval, base); 970 971 res += prec < ndigs ? ndigs : prec; 972 973 /* Adjust a non-zero value for the base prefix, either hexadecimal, 974 or, unless precision has resulted in a leading zero, also octal. */ 975 if (prefix && absval && (base == 16 || prec <= ndigs)) 976 { 977 if (base == 8) 978 res += 1; 979 else if (base == 16) 980 res += 2; 981 } 982 983 return res; 984 } 985 986 /* Given the formatting result described by RES and NAVAIL, the number 987 of available in the destination, return the range of bytes remaining 988 in the destination. */ 989 990 static inline result_range 991 bytes_remaining (unsigned HOST_WIDE_INT navail, const format_result &res) 992 { 993 result_range range; 994 995 if (HOST_WIDE_INT_MAX <= navail) 996 { 997 range.min = range.max = range.likely = range.unlikely = navail; 998 return range; 999 } 1000 1001 /* The lower bound of the available range is the available size 1002 minus the maximum output size, and the upper bound is the size 1003 minus the minimum. */ 1004 range.max = res.range.min < navail ? navail - res.range.min : 0; 1005 1006 range.likely = res.range.likely < navail ? navail - res.range.likely : 0; 1007 1008 if (res.range.max < HOST_WIDE_INT_MAX) 1009 range.min = res.range.max < navail ? navail - res.range.max : 0; 1010 else 1011 range.min = range.likely; 1012 1013 range.unlikely = (res.range.unlikely < navail 1014 ? navail - res.range.unlikely : 0); 1015 1016 return range; 1017 } 1018 1019 /* Description of a call to a formatted function. */ 1020 1021 struct sprintf_dom_walker::call_info 1022 { 1023 /* Function call statement. */ 1024 gimple *callstmt; 1025 1026 /* Function called. */ 1027 tree func; 1028 1029 /* Called built-in function code. */ 1030 built_in_function fncode; 1031 1032 /* Format argument and format string extracted from it. */ 1033 tree format; 1034 const char *fmtstr; 1035 1036 /* The location of the format argument. */ 1037 location_t fmtloc; 1038 1039 /* The destination object size for __builtin___xxx_chk functions 1040 typically determined by __builtin_object_size, or -1 if unknown. */ 1041 unsigned HOST_WIDE_INT objsize; 1042 1043 /* Number of the first variable argument. */ 1044 unsigned HOST_WIDE_INT argidx; 1045 1046 /* True for functions like snprintf that specify the size of 1047 the destination, false for others like sprintf that don't. */ 1048 bool bounded; 1049 1050 /* True for bounded functions like snprintf that specify a zero-size 1051 buffer as a request to compute the size of output without actually 1052 writing any. NOWRITE is cleared in response to the %n directive 1053 which has side-effects similar to writing output. */ 1054 bool nowrite; 1055 1056 /* Return true if the called function's return value is used. */ 1057 bool retval_used () const 1058 { 1059 return gimple_get_lhs (callstmt); 1060 } 1061 1062 /* Return the warning option corresponding to the called function. */ 1063 int warnopt () const 1064 { 1065 return bounded ? OPT_Wformat_truncation_ : OPT_Wformat_overflow_; 1066 } 1067 }; 1068 1069 /* Return the result of formatting a no-op directive (such as '%n'). */ 1070 1071 static fmtresult 1072 format_none (const directive &, tree, vr_values *) 1073 { 1074 fmtresult res (0); 1075 return res; 1076 } 1077 1078 /* Return the result of formatting the '%%' directive. */ 1079 1080 static fmtresult 1081 format_percent (const directive &, tree, vr_values *) 1082 { 1083 fmtresult res (1); 1084 return res; 1085 } 1086 1087 1088 /* Compute intmax_type_node and uintmax_type_node similarly to how 1089 tree.c builds size_type_node. */ 1090 1091 static void 1092 build_intmax_type_nodes (tree *pintmax, tree *puintmax) 1093 { 1094 if (strcmp (UINTMAX_TYPE, "unsigned int") == 0) 1095 { 1096 *pintmax = integer_type_node; 1097 *puintmax = unsigned_type_node; 1098 } 1099 else if (strcmp (UINTMAX_TYPE, "long unsigned int") == 0) 1100 { 1101 *pintmax = long_integer_type_node; 1102 *puintmax = long_unsigned_type_node; 1103 } 1104 else if (strcmp (UINTMAX_TYPE, "long long unsigned int") == 0) 1105 { 1106 *pintmax = long_long_integer_type_node; 1107 *puintmax = long_long_unsigned_type_node; 1108 } 1109 else 1110 { 1111 for (int i = 0; i < NUM_INT_N_ENTS; i++) 1112 if (int_n_enabled_p[i]) 1113 { 1114 char name[50]; 1115 sprintf (name, "__int%d unsigned", int_n_data[i].bitsize); 1116 1117 if (strcmp (name, UINTMAX_TYPE) == 0) 1118 { 1119 *pintmax = int_n_trees[i].signed_type; 1120 *puintmax = int_n_trees[i].unsigned_type; 1121 return; 1122 } 1123 } 1124 gcc_unreachable (); 1125 } 1126 } 1127 1128 /* Determine the range [*PMIN, *PMAX] that the expression ARG is 1129 in and that is representable in type int. 1130 Return true when the range is a subrange of that of int. 1131 When ARG is null it is as if it had the full range of int. 1132 When ABSOLUTE is true the range reflects the absolute value of 1133 the argument. When ABSOLUTE is false, negative bounds of 1134 the determined range are replaced with NEGBOUND. */ 1135 1136 static bool 1137 get_int_range (tree arg, HOST_WIDE_INT *pmin, HOST_WIDE_INT *pmax, 1138 bool absolute, HOST_WIDE_INT negbound, 1139 class vr_values *vr_values) 1140 { 1141 /* The type of the result. */ 1142 const_tree type = integer_type_node; 1143 1144 bool knownrange = false; 1145 1146 if (!arg) 1147 { 1148 *pmin = tree_to_shwi (TYPE_MIN_VALUE (type)); 1149 *pmax = tree_to_shwi (TYPE_MAX_VALUE (type)); 1150 } 1151 else if (TREE_CODE (arg) == INTEGER_CST 1152 && TYPE_PRECISION (TREE_TYPE (arg)) <= TYPE_PRECISION (type)) 1153 { 1154 /* For a constant argument return its value adjusted as specified 1155 by NEGATIVE and NEGBOUND and return true to indicate that the 1156 result is known. */ 1157 *pmin = tree_fits_shwi_p (arg) ? tree_to_shwi (arg) : tree_to_uhwi (arg); 1158 *pmax = *pmin; 1159 knownrange = true; 1160 } 1161 else 1162 { 1163 /* True if the argument's range cannot be determined. */ 1164 bool unknown = true; 1165 1166 tree argtype = TREE_TYPE (arg); 1167 1168 /* Ignore invalid arguments with greater precision that that 1169 of the expected type (e.g., in sprintf("%*i", 12LL, i)). 1170 They will have been detected and diagnosed by -Wformat and 1171 so it's not important to complicate this code to try to deal 1172 with them again. */ 1173 if (TREE_CODE (arg) == SSA_NAME 1174 && INTEGRAL_TYPE_P (argtype) 1175 && TYPE_PRECISION (argtype) <= TYPE_PRECISION (type)) 1176 { 1177 /* Try to determine the range of values of the integer argument. */ 1178 value_range *vr = vr_values->get_value_range (arg); 1179 if (vr->type == VR_RANGE 1180 && TREE_CODE (vr->min) == INTEGER_CST 1181 && TREE_CODE (vr->max) == INTEGER_CST) 1182 { 1183 HOST_WIDE_INT type_min 1184 = (TYPE_UNSIGNED (argtype) 1185 ? tree_to_uhwi (TYPE_MIN_VALUE (argtype)) 1186 : tree_to_shwi (TYPE_MIN_VALUE (argtype))); 1187 1188 HOST_WIDE_INT type_max = tree_to_uhwi (TYPE_MAX_VALUE (argtype)); 1189 1190 *pmin = TREE_INT_CST_LOW (vr->min); 1191 *pmax = TREE_INT_CST_LOW (vr->max); 1192 1193 if (*pmin < *pmax) 1194 { 1195 /* Return true if the adjusted range is a subrange of 1196 the full range of the argument's type. *PMAX may 1197 be less than *PMIN when the argument is unsigned 1198 and its upper bound is in excess of TYPE_MAX. In 1199 that (invalid) case disregard the range and use that 1200 of the expected type instead. */ 1201 knownrange = type_min < *pmin || *pmax < type_max; 1202 1203 unknown = false; 1204 } 1205 } 1206 } 1207 1208 /* Handle an argument with an unknown range as if none had been 1209 provided. */ 1210 if (unknown) 1211 return get_int_range (NULL_TREE, pmin, pmax, absolute, 1212 negbound, vr_values); 1213 } 1214 1215 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */ 1216 if (absolute) 1217 { 1218 if (*pmin < 0) 1219 { 1220 if (*pmin == *pmax) 1221 *pmin = *pmax = -*pmin; 1222 else 1223 { 1224 /* Make sure signed overlow is avoided. */ 1225 gcc_assert (*pmin != HOST_WIDE_INT_MIN); 1226 1227 HOST_WIDE_INT tmp = -*pmin; 1228 *pmin = 0; 1229 if (*pmax < tmp) 1230 *pmax = tmp; 1231 } 1232 } 1233 } 1234 else if (*pmin < negbound) 1235 *pmin = negbound; 1236 1237 return knownrange; 1238 } 1239 1240 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual 1241 argument, due to the conversion from either *ARGMIN or *ARGMAX to 1242 the type of the directive's formal argument it's possible for both 1243 to result in the same number of bytes or a range of bytes that's 1244 less than the number of bytes that would result from formatting 1245 some other value in the range [*ARGMIN, *ARGMAX]. This can be 1246 determined by checking for the actual argument being in the range 1247 of the type of the directive. If it isn't it must be assumed to 1248 take on the full range of the directive's type. 1249 Return true when the range has been adjusted to the full range 1250 of DIRTYPE, and false otherwise. */ 1251 1252 static bool 1253 adjust_range_for_overflow (tree dirtype, tree *argmin, tree *argmax) 1254 { 1255 tree argtype = TREE_TYPE (*argmin); 1256 unsigned argprec = TYPE_PRECISION (argtype); 1257 unsigned dirprec = TYPE_PRECISION (dirtype); 1258 1259 /* If the actual argument and the directive's argument have the same 1260 precision and sign there can be no overflow and so there is nothing 1261 to adjust. */ 1262 if (argprec == dirprec && TYPE_SIGN (argtype) == TYPE_SIGN (dirtype)) 1263 return false; 1264 1265 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P 1266 branch in the extract_range_from_unary_expr function in tree-vrp.c. */ 1267 1268 if (TREE_CODE (*argmin) == INTEGER_CST 1269 && TREE_CODE (*argmax) == INTEGER_CST 1270 && (dirprec >= argprec 1271 || integer_zerop (int_const_binop (RSHIFT_EXPR, 1272 int_const_binop (MINUS_EXPR, 1273 *argmax, 1274 *argmin), 1275 size_int (dirprec))))) 1276 { 1277 *argmin = force_fit_type (dirtype, wi::to_widest (*argmin), 0, false); 1278 *argmax = force_fit_type (dirtype, wi::to_widest (*argmax), 0, false); 1279 1280 /* If *ARGMIN is still less than *ARGMAX the conversion above 1281 is safe. Otherwise, it has overflowed and would be unsafe. */ 1282 if (tree_int_cst_le (*argmin, *argmax)) 1283 return false; 1284 } 1285 1286 *argmin = TYPE_MIN_VALUE (dirtype); 1287 *argmax = TYPE_MAX_VALUE (dirtype); 1288 return true; 1289 } 1290 1291 /* Return a range representing the minimum and maximum number of bytes 1292 that the format directive DIR will output for any argument given 1293 the WIDTH and PRECISION (extracted from DIR). This function is 1294 used when the directive argument or its value isn't known. */ 1295 1296 static fmtresult 1297 format_integer (const directive &dir, tree arg, vr_values *vr_values) 1298 { 1299 tree intmax_type_node; 1300 tree uintmax_type_node; 1301 1302 /* Base to format the number in. */ 1303 int base; 1304 1305 /* True when a conversion is preceded by a prefix indicating the base 1306 of the argument (octal or hexadecimal). */ 1307 bool maybebase = dir.get_flag ('#'); 1308 1309 /* True when a signed conversion is preceded by a sign or space. */ 1310 bool maybesign = false; 1311 1312 /* True for signed conversions (i.e., 'd' and 'i'). */ 1313 bool sign = false; 1314 1315 switch (dir.specifier) 1316 { 1317 case 'd': 1318 case 'i': 1319 /* Space and '+' are only meaningful for signed conversions. */ 1320 maybesign = dir.get_flag (' ') | dir.get_flag ('+'); 1321 sign = true; 1322 base = 10; 1323 break; 1324 case 'u': 1325 base = 10; 1326 break; 1327 case 'o': 1328 base = 8; 1329 break; 1330 case 'X': 1331 case 'x': 1332 base = 16; 1333 break; 1334 default: 1335 gcc_unreachable (); 1336 } 1337 1338 /* The type of the "formal" argument expected by the directive. */ 1339 tree dirtype = NULL_TREE; 1340 1341 /* Determine the expected type of the argument from the length 1342 modifier. */ 1343 switch (dir.modifier) 1344 { 1345 case FMT_LEN_none: 1346 if (dir.specifier == 'p') 1347 dirtype = ptr_type_node; 1348 else 1349 dirtype = sign ? integer_type_node : unsigned_type_node; 1350 break; 1351 1352 case FMT_LEN_h: 1353 dirtype = sign ? short_integer_type_node : short_unsigned_type_node; 1354 break; 1355 1356 case FMT_LEN_hh: 1357 dirtype = sign ? signed_char_type_node : unsigned_char_type_node; 1358 break; 1359 1360 case FMT_LEN_l: 1361 dirtype = sign ? long_integer_type_node : long_unsigned_type_node; 1362 break; 1363 1364 case FMT_LEN_L: 1365 case FMT_LEN_ll: 1366 dirtype = (sign 1367 ? long_long_integer_type_node 1368 : long_long_unsigned_type_node); 1369 break; 1370 1371 case FMT_LEN_z: 1372 dirtype = signed_or_unsigned_type_for (!sign, size_type_node); 1373 break; 1374 1375 case FMT_LEN_t: 1376 dirtype = signed_or_unsigned_type_for (!sign, ptrdiff_type_node); 1377 break; 1378 1379 case FMT_LEN_j: 1380 build_intmax_type_nodes (&intmax_type_node, &uintmax_type_node); 1381 dirtype = sign ? intmax_type_node : uintmax_type_node; 1382 break; 1383 1384 default: 1385 return fmtresult (); 1386 } 1387 1388 /* The type of the argument to the directive, either deduced from 1389 the actual non-constant argument if one is known, or from 1390 the directive itself when none has been provided because it's 1391 a va_list. */ 1392 tree argtype = NULL_TREE; 1393 1394 if (!arg) 1395 { 1396 /* When the argument has not been provided, use the type of 1397 the directive's argument as an approximation. This will 1398 result in false positives for directives like %i with 1399 arguments with smaller precision (such as short or char). */ 1400 argtype = dirtype; 1401 } 1402 else if (TREE_CODE (arg) == INTEGER_CST) 1403 { 1404 /* When a constant argument has been provided use its value 1405 rather than type to determine the length of the output. */ 1406 fmtresult res; 1407 1408 if ((dir.prec[0] <= 0 && dir.prec[1] >= 0) && integer_zerop (arg)) 1409 { 1410 /* As a special case, a precision of zero with a zero argument 1411 results in zero bytes except in base 8 when the '#' flag is 1412 specified, and for signed conversions in base 8 and 10 when 1413 either the space or '+' flag has been specified and it results 1414 in just one byte (with width having the normal effect). This 1415 must extend to the case of a specified precision with 1416 an unknown value because it can be zero. */ 1417 res.range.min = ((base == 8 && dir.get_flag ('#')) || maybesign); 1418 if (res.range.min == 0 && dir.prec[0] != dir.prec[1]) 1419 { 1420 res.range.max = 1; 1421 res.range.likely = 1; 1422 } 1423 else 1424 { 1425 res.range.max = res.range.min; 1426 res.range.likely = res.range.min; 1427 } 1428 } 1429 else 1430 { 1431 /* Convert the argument to the type of the directive. */ 1432 arg = fold_convert (dirtype, arg); 1433 1434 res.range.min = tree_digits (arg, base, dir.prec[0], 1435 maybesign, maybebase); 1436 if (dir.prec[0] == dir.prec[1]) 1437 res.range.max = res.range.min; 1438 else 1439 res.range.max = tree_digits (arg, base, dir.prec[1], 1440 maybesign, maybebase); 1441 res.range.likely = res.range.min; 1442 res.knownrange = true; 1443 } 1444 1445 res.range.unlikely = res.range.max; 1446 1447 /* Bump up the counters if WIDTH is greater than LEN. */ 1448 res.adjust_for_width_or_precision (dir.width, dirtype, base, 1449 (sign | maybebase) + (base == 16)); 1450 /* Bump up the counters again if PRECision is greater still. */ 1451 res.adjust_for_width_or_precision (dir.prec, dirtype, base, 1452 (sign | maybebase) + (base == 16)); 1453 1454 return res; 1455 } 1456 else if (INTEGRAL_TYPE_P (TREE_TYPE (arg)) 1457 || TREE_CODE (TREE_TYPE (arg)) == POINTER_TYPE) 1458 /* Determine the type of the provided non-constant argument. */ 1459 argtype = TREE_TYPE (arg); 1460 else 1461 /* Don't bother with invalid arguments since they likely would 1462 have already been diagnosed, and disable any further checking 1463 of the format string by returning [-1, -1]. */ 1464 return fmtresult (); 1465 1466 fmtresult res; 1467 1468 /* Using either the range the non-constant argument is in, or its 1469 type (either "formal" or actual), create a range of values that 1470 constrain the length of output given the warning level. */ 1471 tree argmin = NULL_TREE; 1472 tree argmax = NULL_TREE; 1473 1474 if (arg 1475 && TREE_CODE (arg) == SSA_NAME 1476 && INTEGRAL_TYPE_P (argtype)) 1477 { 1478 /* Try to determine the range of values of the integer argument 1479 (range information is not available for pointers). */ 1480 value_range *vr = vr_values->get_value_range (arg); 1481 if (vr->type == VR_RANGE 1482 && TREE_CODE (vr->min) == INTEGER_CST 1483 && TREE_CODE (vr->max) == INTEGER_CST) 1484 { 1485 argmin = vr->min; 1486 argmax = vr->max; 1487 1488 /* Set KNOWNRANGE if the argument is in a known subrange 1489 of the directive's type and neither width nor precision 1490 is unknown. (KNOWNRANGE may be reset below). */ 1491 res.knownrange 1492 = ((!tree_int_cst_equal (TYPE_MIN_VALUE (dirtype), argmin) 1493 || !tree_int_cst_equal (TYPE_MAX_VALUE (dirtype), argmax)) 1494 && dir.known_width_and_precision ()); 1495 1496 res.argmin = argmin; 1497 res.argmax = argmax; 1498 } 1499 else if (vr->type == VR_ANTI_RANGE) 1500 { 1501 /* Handle anti-ranges if/when bug 71690 is resolved. */ 1502 } 1503 else if (vr->type == VR_VARYING 1504 || vr->type == VR_UNDEFINED) 1505 { 1506 /* The argument here may be the result of promoting the actual 1507 argument to int. Try to determine the type of the actual 1508 argument before promotion and narrow down its range that 1509 way. */ 1510 gimple *def = SSA_NAME_DEF_STMT (arg); 1511 if (is_gimple_assign (def)) 1512 { 1513 tree_code code = gimple_assign_rhs_code (def); 1514 if (code == INTEGER_CST) 1515 { 1516 arg = gimple_assign_rhs1 (def); 1517 return format_integer (dir, arg, vr_values); 1518 } 1519 1520 if (code == NOP_EXPR) 1521 { 1522 tree type = TREE_TYPE (gimple_assign_rhs1 (def)); 1523 if (INTEGRAL_TYPE_P (type) 1524 || TREE_CODE (type) == POINTER_TYPE) 1525 argtype = type; 1526 } 1527 } 1528 } 1529 } 1530 1531 if (!argmin) 1532 { 1533 if (TREE_CODE (argtype) == POINTER_TYPE) 1534 { 1535 argmin = build_int_cst (pointer_sized_int_node, 0); 1536 argmax = build_all_ones_cst (pointer_sized_int_node); 1537 } 1538 else 1539 { 1540 argmin = TYPE_MIN_VALUE (argtype); 1541 argmax = TYPE_MAX_VALUE (argtype); 1542 } 1543 } 1544 1545 /* Clear KNOWNRANGE if the range has been adjusted to the maximum 1546 of the directive. If it has been cleared then since ARGMIN and/or 1547 ARGMAX have been adjusted also adjust the corresponding ARGMIN and 1548 ARGMAX in the result to include in diagnostics. */ 1549 if (adjust_range_for_overflow (dirtype, &argmin, &argmax)) 1550 { 1551 res.knownrange = false; 1552 res.argmin = argmin; 1553 res.argmax = argmax; 1554 } 1555 1556 /* Recursively compute the minimum and maximum from the known range. */ 1557 if (TYPE_UNSIGNED (dirtype) || tree_int_cst_sgn (argmin) >= 0) 1558 { 1559 /* For unsigned conversions/directives or signed when 1560 the minimum is positive, use the minimum and maximum to compute 1561 the shortest and longest output, respectively. */ 1562 res.range.min = format_integer (dir, argmin, vr_values).range.min; 1563 res.range.max = format_integer (dir, argmax, vr_values).range.max; 1564 } 1565 else if (tree_int_cst_sgn (argmax) < 0) 1566 { 1567 /* For signed conversions/directives if maximum is negative, 1568 use the minimum as the longest output and maximum as the 1569 shortest output. */ 1570 res.range.min = format_integer (dir, argmax, vr_values).range.min; 1571 res.range.max = format_integer (dir, argmin, vr_values).range.max; 1572 } 1573 else 1574 { 1575 /* Otherwise, 0 is inside of the range and minimum negative. Use 0 1576 as the shortest output and for the longest output compute the 1577 length of the output of both minimum and maximum and pick the 1578 longer. */ 1579 unsigned HOST_WIDE_INT max1 1580 = format_integer (dir, argmin, vr_values).range.max; 1581 unsigned HOST_WIDE_INT max2 1582 = format_integer (dir, argmax, vr_values).range.max; 1583 res.range.min 1584 = format_integer (dir, integer_zero_node, vr_values).range.min; 1585 res.range.max = MAX (max1, max2); 1586 } 1587 1588 /* If the range is known, use the maximum as the likely length. */ 1589 if (res.knownrange) 1590 res.range.likely = res.range.max; 1591 else 1592 { 1593 /* Otherwise, use the minimum. Except for the case where for %#x or 1594 %#o the minimum is just for a single value in the range (0) and 1595 for all other values it is something longer, like 0x1 or 01. 1596 Use the length for value 1 in that case instead as the likely 1597 length. */ 1598 res.range.likely = res.range.min; 1599 if (maybebase 1600 && base != 10 1601 && (tree_int_cst_sgn (argmin) < 0 || tree_int_cst_sgn (argmax) > 0)) 1602 { 1603 if (res.range.min == 1) 1604 res.range.likely += base == 8 ? 1 : 2; 1605 else if (res.range.min == 2 1606 && base == 16 1607 && (dir.width[0] == 2 || dir.prec[0] == 2)) 1608 ++res.range.likely; 1609 } 1610 } 1611 1612 res.range.unlikely = res.range.max; 1613 res.adjust_for_width_or_precision (dir.width, dirtype, base, 1614 (sign | maybebase) + (base == 16)); 1615 res.adjust_for_width_or_precision (dir.prec, dirtype, base, 1616 (sign | maybebase) + (base == 16)); 1617 1618 return res; 1619 } 1620 1621 /* Return the number of bytes that a format directive consisting of FLAGS, 1622 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC, 1623 would result for argument X under ideal conditions (i.e., if PREC 1624 weren't excessive). MPFR 3.1 allocates large amounts of memory for 1625 values of PREC with large magnitude and can fail (see MPFR bug #21056). 1626 This function works around those problems. */ 1627 1628 static unsigned HOST_WIDE_INT 1629 get_mpfr_format_length (mpfr_ptr x, const char *flags, HOST_WIDE_INT prec, 1630 char spec, char rndspec) 1631 { 1632 char fmtstr[40]; 1633 1634 HOST_WIDE_INT len = strlen (flags); 1635 1636 fmtstr[0] = '%'; 1637 memcpy (fmtstr + 1, flags, len); 1638 memcpy (fmtstr + 1 + len, ".*R", 3); 1639 fmtstr[len + 4] = rndspec; 1640 fmtstr[len + 5] = spec; 1641 fmtstr[len + 6] = '\0'; 1642 1643 spec = TOUPPER (spec); 1644 if (spec == 'E' || spec == 'F') 1645 { 1646 /* For %e, specify the precision explicitly since mpfr_sprintf 1647 does its own thing just to be different (see MPFR bug 21088). */ 1648 if (prec < 0) 1649 prec = 6; 1650 } 1651 else 1652 { 1653 /* Avoid passing negative precisions with larger magnitude to MPFR 1654 to avoid exposing its bugs. (A negative precision is supposed 1655 to be ignored.) */ 1656 if (prec < 0) 1657 prec = -1; 1658 } 1659 1660 HOST_WIDE_INT p = prec; 1661 1662 if (spec == 'G' && !strchr (flags, '#')) 1663 { 1664 /* For G/g without the pound flag, precision gives the maximum number 1665 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for 1666 a 128 bit IEEE extended precision, 4932. Using twice as much here 1667 should be more than sufficient for any real format. */ 1668 if ((IEEE_MAX_10_EXP * 2) < prec) 1669 prec = IEEE_MAX_10_EXP * 2; 1670 p = prec; 1671 } 1672 else 1673 { 1674 /* Cap precision arbitrarily at 1KB and add the difference 1675 (if any) to the MPFR result. */ 1676 if (prec > 1024) 1677 p = 1024; 1678 } 1679 1680 len = mpfr_snprintf (NULL, 0, fmtstr, (int)p, x); 1681 1682 /* Handle the unlikely (impossible?) error by returning more than 1683 the maximum dictated by the function's return type. */ 1684 if (len < 0) 1685 return target_dir_max () + 1; 1686 1687 /* Adjust the return value by the difference. */ 1688 if (p < prec) 1689 len += prec - p; 1690 1691 return len; 1692 } 1693 1694 /* Return the number of bytes to format using the format specifier 1695 SPEC and the precision PREC the largest value in the real floating 1696 TYPE. */ 1697 1698 static unsigned HOST_WIDE_INT 1699 format_floating_max (tree type, char spec, HOST_WIDE_INT prec) 1700 { 1701 machine_mode mode = TYPE_MODE (type); 1702 1703 /* IBM Extended mode. */ 1704 if (MODE_COMPOSITE_P (mode)) 1705 mode = DFmode; 1706 1707 /* Get the real type format desription for the target. */ 1708 const real_format *rfmt = REAL_MODE_FORMAT (mode); 1709 REAL_VALUE_TYPE rv; 1710 1711 real_maxval (&rv, 0, mode); 1712 1713 /* Convert the GCC real value representation with the precision 1714 of the real type to the mpfr_t format with the GCC default 1715 round-to-nearest mode. */ 1716 mpfr_t x; 1717 mpfr_init2 (x, rfmt->p); 1718 mpfr_from_real (x, &rv, GMP_RNDN); 1719 1720 /* Return a value one greater to account for the leading minus sign. */ 1721 unsigned HOST_WIDE_INT r 1722 = 1 + get_mpfr_format_length (x, "", prec, spec, 'D'); 1723 mpfr_clear (x); 1724 return r; 1725 } 1726 1727 /* Return a range representing the minimum and maximum number of bytes 1728 that the directive DIR will output for any argument. PREC gives 1729 the adjusted precision range to account for negative precisions 1730 meaning the default 6. This function is used when the directive 1731 argument or its value isn't known. */ 1732 1733 static fmtresult 1734 format_floating (const directive &dir, const HOST_WIDE_INT prec[2]) 1735 { 1736 tree type; 1737 1738 switch (dir.modifier) 1739 { 1740 case FMT_LEN_l: 1741 case FMT_LEN_none: 1742 type = double_type_node; 1743 break; 1744 1745 case FMT_LEN_L: 1746 type = long_double_type_node; 1747 break; 1748 1749 case FMT_LEN_ll: 1750 type = long_double_type_node; 1751 break; 1752 1753 default: 1754 return fmtresult (); 1755 } 1756 1757 /* The minimum and maximum number of bytes produced by the directive. */ 1758 fmtresult res; 1759 1760 /* The minimum output as determined by flags. It's always at least 1. 1761 When plus or space are set the output is preceded by either a sign 1762 or a space. */ 1763 unsigned flagmin = (1 /* for the first digit */ 1764 + (dir.get_flag ('+') | dir.get_flag (' '))); 1765 1766 /* The minimum is 3 for "inf" and "nan" for all specifiers, plus 1 1767 for the plus sign/space with the '+' and ' ' flags, respectively, 1768 unless reduced below. */ 1769 res.range.min = 2 + flagmin; 1770 1771 /* When the pound flag is set the decimal point is included in output 1772 regardless of precision. Whether or not a decimal point is included 1773 otherwise depends on the specification and precision. */ 1774 bool radix = dir.get_flag ('#'); 1775 1776 switch (dir.specifier) 1777 { 1778 case 'A': 1779 case 'a': 1780 { 1781 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */; 1782 if (dir.prec[0] <= 0) 1783 minprec = 0; 1784 else if (dir.prec[0] > 0) 1785 minprec = dir.prec[0] + !radix /* decimal point */; 1786 1787 res.range.likely = (2 /* 0x */ 1788 + flagmin 1789 + radix 1790 + minprec 1791 + 3 /* p+0 */); 1792 1793 res.range.max = format_floating_max (type, 'a', prec[1]); 1794 1795 /* The unlikely maximum accounts for the longest multibyte 1796 decimal point character. */ 1797 res.range.unlikely = res.range.max; 1798 if (dir.prec[1] > 0) 1799 res.range.unlikely += target_mb_len_max () - 1; 1800 1801 break; 1802 } 1803 1804 case 'E': 1805 case 'e': 1806 { 1807 /* Minimum output attributable to precision and, when it's 1808 non-zero, decimal point. */ 1809 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0; 1810 1811 /* The likely minimum output is "[-+]1.234567e+00" regardless 1812 of the value of the actual argument. */ 1813 res.range.likely = (flagmin 1814 + radix 1815 + minprec 1816 + 2 /* e+ */ + 2); 1817 1818 res.range.max = format_floating_max (type, 'e', prec[1]); 1819 1820 /* The unlikely maximum accounts for the longest multibyte 1821 decimal point character. */ 1822 if (dir.prec[0] != dir.prec[1] 1823 || dir.prec[0] == -1 || dir.prec[0] > 0) 1824 res.range.unlikely = res.range.max + target_mb_len_max () -1; 1825 else 1826 res.range.unlikely = res.range.max; 1827 break; 1828 } 1829 1830 case 'F': 1831 case 'f': 1832 { 1833 /* Minimum output attributable to precision and, when it's non-zero, 1834 decimal point. */ 1835 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0; 1836 1837 /* For finite numbers (i.e., not infinity or NaN) the lower bound 1838 when precision isn't specified is 8 bytes ("1.23456" since 1839 precision is taken to be 6). When precision is zero, the lower 1840 bound is 1 byte (e.g., "1"). Otherwise, when precision is greater 1841 than zero, then the lower bound is 2 plus precision (plus flags). 1842 But in all cases, the lower bound is no greater than 3. */ 1843 unsigned HOST_WIDE_INT min = flagmin + radix + minprec; 1844 if (min < res.range.min) 1845 res.range.min = min; 1846 1847 /* Compute the upper bound for -TYPE_MAX. */ 1848 res.range.max = format_floating_max (type, 'f', prec[1]); 1849 1850 /* The minimum output with unknown precision is a single byte 1851 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */ 1852 if (dir.prec[0] < 0 && dir.prec[1] > 0) 1853 res.range.likely = 3; 1854 else 1855 res.range.likely = min; 1856 1857 /* The unlikely maximum accounts for the longest multibyte 1858 decimal point character. */ 1859 if (dir.prec[0] != dir.prec[1] 1860 || dir.prec[0] == -1 || dir.prec[0] > 0) 1861 res.range.unlikely = res.range.max + target_mb_len_max () - 1; 1862 break; 1863 } 1864 1865 case 'G': 1866 case 'g': 1867 { 1868 /* The %g output depends on precision and the exponent of 1869 the argument. Since the value of the argument isn't known 1870 the lower bound on the range of bytes (not counting flags 1871 or width) is 1 plus radix (i.e., either "0" or "0." for 1872 "%g" and "%#g", respectively, with a zero argument). */ 1873 unsigned HOST_WIDE_INT min = flagmin + radix; 1874 if (min < res.range.min) 1875 res.range.min = min; 1876 1877 char spec = 'g'; 1878 HOST_WIDE_INT maxprec = dir.prec[1]; 1879 if (radix && maxprec) 1880 { 1881 /* When the pound flag (radix) is set, trailing zeros aren't 1882 trimmed and so the longest output is the same as for %e, 1883 except with precision minus 1 (as specified in C11). */ 1884 spec = 'e'; 1885 if (maxprec > 0) 1886 --maxprec; 1887 else if (maxprec < 0) 1888 maxprec = 5; 1889 } 1890 else 1891 maxprec = prec[1]; 1892 1893 res.range.max = format_floating_max (type, spec, maxprec); 1894 1895 /* The likely output is either the maximum computed above 1896 minus 1 (assuming the maximum is positive) when precision 1897 is known (or unspecified), or the same minimum as for %e 1898 (which is computed for a non-negative argument). Unlike 1899 for the other specifiers above the likely output isn't 1900 the minimum because for %g that's 1 which is unlikely. */ 1901 if (dir.prec[1] < 0 1902 || (unsigned HOST_WIDE_INT)dir.prec[1] < target_int_max ()) 1903 res.range.likely = res.range.max - 1; 1904 else 1905 { 1906 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */; 1907 res.range.likely = (flagmin 1908 + radix 1909 + minprec 1910 + 2 /* e+ */ + 2); 1911 } 1912 1913 /* The unlikely maximum accounts for the longest multibyte 1914 decimal point character. */ 1915 res.range.unlikely = res.range.max + target_mb_len_max () - 1; 1916 break; 1917 } 1918 1919 default: 1920 return fmtresult (); 1921 } 1922 1923 /* Bump up the byte counters if WIDTH is greater. */ 1924 res.adjust_for_width_or_precision (dir.width); 1925 return res; 1926 } 1927 1928 /* Return a range representing the minimum and maximum number of bytes 1929 that the directive DIR will write on output for the floating argument 1930 ARG. */ 1931 1932 static fmtresult 1933 format_floating (const directive &dir, tree arg, vr_values *) 1934 { 1935 HOST_WIDE_INT prec[] = { dir.prec[0], dir.prec[1] }; 1936 tree type = (dir.modifier == FMT_LEN_L || dir.modifier == FMT_LEN_ll 1937 ? long_double_type_node : double_type_node); 1938 1939 /* For an indeterminate precision the lower bound must be assumed 1940 to be zero. */ 1941 if (TOUPPER (dir.specifier) == 'A') 1942 { 1943 /* Get the number of fractional decimal digits needed to represent 1944 the argument without a loss of accuracy. */ 1945 unsigned fmtprec 1946 = REAL_MODE_FORMAT (TYPE_MODE (type))->p; 1947 1948 /* The precision of the IEEE 754 double format is 53. 1949 The precision of all other GCC binary double formats 1950 is 56 or less. */ 1951 unsigned maxprec = fmtprec <= 56 ? 13 : 15; 1952 1953 /* For %a, leave the minimum precision unspecified to let 1954 MFPR trim trailing zeros (as it and many other systems 1955 including Glibc happen to do) and set the maximum 1956 precision to reflect what it would be with trailing zeros 1957 present (as Solaris and derived systems do). */ 1958 if (dir.prec[1] < 0) 1959 { 1960 /* Both bounds are negative implies that precision has 1961 not been specified. */ 1962 prec[0] = maxprec; 1963 prec[1] = -1; 1964 } 1965 else if (dir.prec[0] < 0) 1966 { 1967 /* With a negative lower bound and a non-negative upper 1968 bound set the minimum precision to zero and the maximum 1969 to the greater of the maximum precision (i.e., with 1970 trailing zeros present) and the specified upper bound. */ 1971 prec[0] = 0; 1972 prec[1] = dir.prec[1] < maxprec ? maxprec : dir.prec[1]; 1973 } 1974 } 1975 else if (dir.prec[0] < 0) 1976 { 1977 if (dir.prec[1] < 0) 1978 { 1979 /* A precision in a strictly negative range is ignored and 1980 the default of 6 is used instead. */ 1981 prec[0] = prec[1] = 6; 1982 } 1983 else 1984 { 1985 /* For a precision in a partly negative range, the lower bound 1986 must be assumed to be zero and the new upper bound is the 1987 greater of 6 (the default precision used when the specified 1988 precision is negative) and the upper bound of the specified 1989 range. */ 1990 prec[0] = 0; 1991 prec[1] = dir.prec[1] < 6 ? 6 : dir.prec[1]; 1992 } 1993 } 1994 1995 if (!arg 1996 || TREE_CODE (arg) != REAL_CST 1997 || !useless_type_conversion_p (type, TREE_TYPE (arg))) 1998 return format_floating (dir, prec); 1999 2000 /* The minimum and maximum number of bytes produced by the directive. */ 2001 fmtresult res; 2002 2003 /* Get the real type format desription for the target. */ 2004 const REAL_VALUE_TYPE *rvp = TREE_REAL_CST_PTR (arg); 2005 const real_format *rfmt = REAL_MODE_FORMAT (TYPE_MODE (TREE_TYPE (arg))); 2006 2007 if (!real_isfinite (rvp)) 2008 { 2009 /* The format for Infinity and NaN is "[-]inf"/"[-]infinity" 2010 and "[-]nan" with the choice being implementation-defined 2011 but not locale dependent. */ 2012 bool sign = dir.get_flag ('+') || real_isneg (rvp); 2013 res.range.min = 3 + sign; 2014 2015 res.range.likely = res.range.min; 2016 res.range.max = res.range.min; 2017 /* The inlikely maximum is "[-/+]infinity" or "[-/+]nan". */ 2018 res.range.unlikely = sign + (real_isinf (rvp) ? 8 : 3); 2019 2020 /* The range for infinity and NaN is known unless either width 2021 or precision is unknown. Width has the same effect regardless 2022 of whether the argument is finite. Precision is either ignored 2023 (e.g., Glibc) or can have an effect on the short vs long format 2024 such as inf/infinity (e.g., Solaris). */ 2025 res.knownrange = dir.known_width_and_precision (); 2026 2027 /* Adjust the range for width but ignore precision. */ 2028 res.adjust_for_width_or_precision (dir.width); 2029 2030 return res; 2031 } 2032 2033 char fmtstr [40]; 2034 char *pfmt = fmtstr; 2035 2036 /* Append flags. */ 2037 for (const char *pf = "-+ #0"; *pf; ++pf) 2038 if (dir.get_flag (*pf)) 2039 *pfmt++ = *pf; 2040 2041 *pfmt = '\0'; 2042 2043 { 2044 /* Set up an array to easily iterate over. */ 2045 unsigned HOST_WIDE_INT* const minmax[] = { 2046 &res.range.min, &res.range.max 2047 }; 2048 2049 for (int i = 0; i != sizeof minmax / sizeof *minmax; ++i) 2050 { 2051 /* Convert the GCC real value representation with the precision 2052 of the real type to the mpfr_t format rounding down in the 2053 first iteration that computes the minimm and up in the second 2054 that computes the maximum. This order is arbibtrary because 2055 rounding in either direction can result in longer output. */ 2056 mpfr_t mpfrval; 2057 mpfr_init2 (mpfrval, rfmt->p); 2058 mpfr_from_real (mpfrval, rvp, i ? GMP_RNDU : GMP_RNDD); 2059 2060 /* Use the MPFR rounding specifier to round down in the first 2061 iteration and then up. In most but not all cases this will 2062 result in the same number of bytes. */ 2063 char rndspec = "DU"[i]; 2064 2065 /* Format it and store the result in the corresponding member 2066 of the result struct. */ 2067 *minmax[i] = get_mpfr_format_length (mpfrval, fmtstr, prec[i], 2068 dir.specifier, rndspec); 2069 mpfr_clear (mpfrval); 2070 } 2071 } 2072 2073 /* Make sure the minimum is less than the maximum (MPFR rounding 2074 in the call to mpfr_snprintf can result in the reverse. */ 2075 if (res.range.max < res.range.min) 2076 { 2077 unsigned HOST_WIDE_INT tmp = res.range.min; 2078 res.range.min = res.range.max; 2079 res.range.max = tmp; 2080 } 2081 2082 /* The range is known unless either width or precision is unknown. */ 2083 res.knownrange = dir.known_width_and_precision (); 2084 2085 /* For the same floating point constant, unless width or precision 2086 is unknown, use the longer output as the likely maximum since 2087 with round to nearest either is equally likely. Otheriwse, when 2088 precision is unknown, use the greater of the minimum and 3 as 2089 the likely output (for "0.0" since zero precision is unlikely). */ 2090 if (res.knownrange) 2091 res.range.likely = res.range.max; 2092 else if (res.range.min < 3 2093 && dir.prec[0] < 0 2094 && (unsigned HOST_WIDE_INT)dir.prec[1] == target_int_max ()) 2095 res.range.likely = 3; 2096 else 2097 res.range.likely = res.range.min; 2098 2099 res.range.unlikely = res.range.max; 2100 2101 if (res.range.max > 2 && (prec[0] != 0 || prec[1] != 0)) 2102 { 2103 /* Unless the precision is zero output longer than 2 bytes may 2104 include the decimal point which must be a single character 2105 up to MB_LEN_MAX in length. This is overly conservative 2106 since in some conversions some constants result in no decimal 2107 point (e.g., in %g). */ 2108 res.range.unlikely += target_mb_len_max () - 1; 2109 } 2110 2111 res.adjust_for_width_or_precision (dir.width); 2112 return res; 2113 } 2114 2115 /* Return a FMTRESULT struct set to the lengths of the shortest and longest 2116 strings referenced by the expression STR, or (-1, -1) when not known. 2117 Used by the format_string function below. */ 2118 2119 static fmtresult 2120 get_string_length (tree str) 2121 { 2122 if (!str) 2123 return fmtresult (); 2124 2125 if (tree slen = c_strlen (str, 1)) 2126 { 2127 /* Simply return the length of the string. */ 2128 fmtresult res (tree_to_shwi (slen)); 2129 return res; 2130 } 2131 2132 /* Determine the length of the shortest and longest string referenced 2133 by STR. Strings of unknown lengths are bounded by the sizes of 2134 arrays that subexpressions of STR may refer to. Pointers that 2135 aren't known to point any such arrays result in LENRANGE[1] set 2136 to SIZE_MAX. */ 2137 tree lenrange[2]; 2138 bool flexarray = get_range_strlen (str, lenrange); 2139 2140 if (lenrange [0] || lenrange [1]) 2141 { 2142 HOST_WIDE_INT min 2143 = (tree_fits_uhwi_p (lenrange[0]) 2144 ? tree_to_uhwi (lenrange[0]) 2145 : 0); 2146 2147 HOST_WIDE_INT max 2148 = (tree_fits_uhwi_p (lenrange[1]) 2149 ? tree_to_uhwi (lenrange[1]) 2150 : HOST_WIDE_INT_M1U); 2151 2152 /* get_range_strlen() returns the target value of SIZE_MAX for 2153 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U 2154 which may be bigger. */ 2155 if ((unsigned HOST_WIDE_INT)min == target_size_max ()) 2156 min = HOST_WIDE_INT_M1U; 2157 if ((unsigned HOST_WIDE_INT)max == target_size_max ()) 2158 max = HOST_WIDE_INT_M1U; 2159 2160 fmtresult res (min, max); 2161 2162 /* Set RES.KNOWNRANGE to true if and only if all strings referenced 2163 by STR are known to be bounded (though not necessarily by their 2164 actual length but perhaps by their maximum possible length). */ 2165 if (res.range.max < target_int_max ()) 2166 { 2167 res.knownrange = true; 2168 /* When the the length of the longest string is known and not 2169 excessive use it as the likely length of the string(s). */ 2170 res.range.likely = res.range.max; 2171 } 2172 else 2173 { 2174 /* When the upper bound is unknown (it can be zero or excessive) 2175 set the likely length to the greater of 1 and the length of 2176 the shortest string and reset the lower bound to zero. */ 2177 res.range.likely = res.range.min ? res.range.min : warn_level > 1; 2178 res.range.min = 0; 2179 } 2180 2181 /* If the range of string length has been estimated from the size 2182 of an array at the end of a struct assume that it's longer than 2183 the array bound says it is in case it's used as a poor man's 2184 flexible array member, such as in struct S { char a[4]; }; */ 2185 res.range.unlikely = flexarray ? HOST_WIDE_INT_MAX : res.range.max; 2186 2187 return res; 2188 } 2189 2190 return get_string_length (NULL_TREE); 2191 } 2192 2193 /* Return the minimum and maximum number of characters formatted 2194 by the '%c' format directives and its wide character form for 2195 the argument ARG. ARG can be null (for functions such as 2196 vsprinf). */ 2197 2198 static fmtresult 2199 format_character (const directive &dir, tree arg, vr_values *vr_values) 2200 { 2201 fmtresult res; 2202 2203 res.knownrange = true; 2204 2205 if (dir.modifier == FMT_LEN_l) 2206 { 2207 /* A wide character can result in as few as zero bytes. */ 2208 res.range.min = 0; 2209 2210 HOST_WIDE_INT min, max; 2211 if (get_int_range (arg, &min, &max, false, 0, vr_values)) 2212 { 2213 if (min == 0 && max == 0) 2214 { 2215 /* The NUL wide character results in no bytes. */ 2216 res.range.max = 0; 2217 res.range.likely = 0; 2218 res.range.unlikely = 0; 2219 } 2220 else if (min > 0 && min < 128) 2221 { 2222 /* A wide character in the ASCII range most likely results 2223 in a single byte, and only unlikely in up to MB_LEN_MAX. */ 2224 res.range.max = 1; 2225 res.range.likely = 1; 2226 res.range.unlikely = target_mb_len_max (); 2227 } 2228 else 2229 { 2230 /* A wide character outside the ASCII range likely results 2231 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */ 2232 res.range.max = target_mb_len_max (); 2233 res.range.likely = 2; 2234 res.range.unlikely = res.range.max; 2235 } 2236 } 2237 else 2238 { 2239 /* An unknown wide character is treated the same as a wide 2240 character outside the ASCII range. */ 2241 res.range.max = target_mb_len_max (); 2242 res.range.likely = 2; 2243 res.range.unlikely = res.range.max; 2244 } 2245 } 2246 else 2247 { 2248 /* A plain '%c' directive. Its ouput is exactly 1. */ 2249 res.range.min = res.range.max = 1; 2250 res.range.likely = res.range.unlikely = 1; 2251 res.knownrange = true; 2252 } 2253 2254 /* Bump up the byte counters if WIDTH is greater. */ 2255 return res.adjust_for_width_or_precision (dir.width); 2256 } 2257 2258 /* Return the minimum and maximum number of characters formatted 2259 by the '%s' format directive and its wide character form for 2260 the argument ARG. ARG can be null (for functions such as 2261 vsprinf). */ 2262 2263 static fmtresult 2264 format_string (const directive &dir, tree arg, vr_values *) 2265 { 2266 fmtresult res; 2267 2268 /* Compute the range the argument's length can be in. */ 2269 fmtresult slen = get_string_length (arg); 2270 if (slen.range.min == slen.range.max 2271 && slen.range.min < HOST_WIDE_INT_MAX) 2272 { 2273 /* The argument is either a string constant or it refers 2274 to one of a number of strings of the same length. */ 2275 2276 /* A '%s' directive with a string argument with constant length. */ 2277 res.range = slen.range; 2278 2279 if (dir.modifier == FMT_LEN_l) 2280 { 2281 /* In the worst case the length of output of a wide string S 2282 is bounded by MB_LEN_MAX * wcslen (S). */ 2283 res.range.max *= target_mb_len_max (); 2284 res.range.unlikely = res.range.max; 2285 /* It's likely that the the total length is not more that 2286 2 * wcslen (S).*/ 2287 res.range.likely = res.range.min * 2; 2288 2289 if (dir.prec[1] >= 0 2290 && (unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max) 2291 { 2292 res.range.max = dir.prec[1]; 2293 res.range.likely = dir.prec[1]; 2294 res.range.unlikely = dir.prec[1]; 2295 } 2296 2297 if (dir.prec[0] < 0 && dir.prec[1] > -1) 2298 res.range.min = 0; 2299 else if (dir.prec[0] >= 0) 2300 res.range.likely = dir.prec[0]; 2301 2302 /* Even a non-empty wide character string need not convert into 2303 any bytes. */ 2304 res.range.min = 0; 2305 } 2306 else 2307 { 2308 res.knownrange = true; 2309 2310 if (dir.prec[0] < 0 && dir.prec[1] > -1) 2311 res.range.min = 0; 2312 else if ((unsigned HOST_WIDE_INT)dir.prec[0] < res.range.min) 2313 res.range.min = dir.prec[0]; 2314 2315 if ((unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max) 2316 { 2317 res.range.max = dir.prec[1]; 2318 res.range.likely = dir.prec[1]; 2319 res.range.unlikely = dir.prec[1]; 2320 } 2321 } 2322 } 2323 else if (arg && integer_zerop (arg)) 2324 { 2325 /* Handle null pointer argument. */ 2326 2327 fmtresult res (0); 2328 res.nullp = true; 2329 return res; 2330 } 2331 else 2332 { 2333 /* For a '%s' and '%ls' directive with a non-constant string (either 2334 one of a number of strings of known length or an unknown string) 2335 the minimum number of characters is lesser of PRECISION[0] and 2336 the length of the shortest known string or zero, and the maximum 2337 is the lessser of the length of the longest known string or 2338 PTRDIFF_MAX and PRECISION[1]. The likely length is either 2339 the minimum at level 1 and the greater of the minimum and 1 2340 at level 2. This result is adjust upward for width (if it's 2341 specified). */ 2342 2343 if (dir.modifier == FMT_LEN_l) 2344 { 2345 /* A wide character converts to as few as zero bytes. */ 2346 slen.range.min = 0; 2347 if (slen.range.max < target_int_max ()) 2348 slen.range.max *= target_mb_len_max (); 2349 2350 if (slen.range.likely < target_int_max ()) 2351 slen.range.likely *= 2; 2352 2353 if (slen.range.likely < target_int_max ()) 2354 slen.range.unlikely *= target_mb_len_max (); 2355 } 2356 2357 res.range = slen.range; 2358 2359 if (dir.prec[0] >= 0) 2360 { 2361 /* Adjust the minimum to zero if the string length is unknown, 2362 or at most the lower bound of the precision otherwise. */ 2363 if (slen.range.min >= target_int_max ()) 2364 res.range.min = 0; 2365 else if ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.min) 2366 res.range.min = dir.prec[0]; 2367 2368 /* Make both maxima no greater than the upper bound of precision. */ 2369 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max 2370 || slen.range.max >= target_int_max ()) 2371 { 2372 res.range.max = dir.prec[1]; 2373 res.range.unlikely = dir.prec[1]; 2374 } 2375 2376 /* If precision is constant, set the likely counter to the lesser 2377 of it and the maximum string length. Otherwise, if the lower 2378 bound of precision is greater than zero, set the likely counter 2379 to the minimum. Otherwise set it to zero or one based on 2380 the warning level. */ 2381 if (dir.prec[0] == dir.prec[1]) 2382 res.range.likely 2383 = ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.max 2384 ? dir.prec[0] : slen.range.max); 2385 else if (dir.prec[0] > 0) 2386 res.range.likely = res.range.min; 2387 else 2388 res.range.likely = warn_level > 1; 2389 } 2390 else if (dir.prec[1] >= 0) 2391 { 2392 res.range.min = 0; 2393 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max) 2394 res.range.max = dir.prec[1]; 2395 res.range.likely = dir.prec[1] ? warn_level > 1 : 0; 2396 } 2397 else if (slen.range.min >= target_int_max ()) 2398 { 2399 res.range.min = 0; 2400 res.range.max = HOST_WIDE_INT_MAX; 2401 /* At level 1 strings of unknown length are assumed to be 2402 empty, while at level 1 they are assumed to be one byte 2403 long. */ 2404 res.range.likely = warn_level > 1; 2405 } 2406 else 2407 { 2408 /* A string of unknown length unconstrained by precision is 2409 assumed to be empty at level 1 and just one character long 2410 at higher levels. */ 2411 if (res.range.likely >= target_int_max ()) 2412 res.range.likely = warn_level > 1; 2413 } 2414 2415 res.range.unlikely = res.range.max; 2416 } 2417 2418 /* Bump up the byte counters if WIDTH is greater. */ 2419 return res.adjust_for_width_or_precision (dir.width); 2420 } 2421 2422 /* Format plain string (part of the format string itself). */ 2423 2424 static fmtresult 2425 format_plain (const directive &dir, tree, vr_values *) 2426 { 2427 fmtresult res (dir.len); 2428 return res; 2429 } 2430 2431 /* Return true if the RESULT of a directive in a call describe by INFO 2432 should be diagnosed given the AVAILable space in the destination. */ 2433 2434 static bool 2435 should_warn_p (const sprintf_dom_walker::call_info &info, 2436 const result_range &avail, const result_range &result) 2437 { 2438 if (result.max <= avail.min) 2439 { 2440 /* The least amount of space remaining in the destination is big 2441 enough for the longest output. */ 2442 return false; 2443 } 2444 2445 if (info.bounded) 2446 { 2447 if (warn_format_trunc == 1 && result.min <= avail.max 2448 && info.retval_used ()) 2449 { 2450 /* The likely amount of space remaining in the destination is big 2451 enough for the least output and the return value is used. */ 2452 return false; 2453 } 2454 2455 if (warn_format_trunc == 1 && result.likely <= avail.likely 2456 && !info.retval_used ()) 2457 { 2458 /* The likely amount of space remaining in the destination is big 2459 enough for the likely output and the return value is unused. */ 2460 return false; 2461 } 2462 2463 if (warn_format_trunc == 2 2464 && result.likely <= avail.min 2465 && (result.max <= avail.min 2466 || result.max > HOST_WIDE_INT_MAX)) 2467 { 2468 /* The minimum amount of space remaining in the destination is big 2469 enough for the longest output. */ 2470 return false; 2471 } 2472 } 2473 else 2474 { 2475 if (warn_level == 1 && result.likely <= avail.likely) 2476 { 2477 /* The likely amount of space remaining in the destination is big 2478 enough for the likely output. */ 2479 return false; 2480 } 2481 2482 if (warn_level == 2 2483 && result.likely <= avail.min 2484 && (result.max <= avail.min 2485 || result.max > HOST_WIDE_INT_MAX)) 2486 { 2487 /* The minimum amount of space remaining in the destination is big 2488 enough for the longest output. */ 2489 return false; 2490 } 2491 } 2492 2493 return true; 2494 } 2495 2496 /* At format string location describe by DIRLOC in a call described 2497 by INFO, issue a warning for a directive DIR whose output may be 2498 in excess of the available space AVAIL_RANGE in the destination 2499 given the formatting result FMTRES. This function does nothing 2500 except decide whether to issue a warning for a possible write 2501 past the end or truncation and, if so, format the warning. 2502 Return true if a warning has been issued. */ 2503 2504 static bool 2505 maybe_warn (substring_loc &dirloc, location_t argloc, 2506 const sprintf_dom_walker::call_info &info, 2507 const result_range &avail_range, const result_range &res, 2508 const directive &dir) 2509 { 2510 if (!should_warn_p (info, avail_range, res)) 2511 return false; 2512 2513 /* A warning will definitely be issued below. */ 2514 2515 /* The maximum byte count to reference in the warning. Larger counts 2516 imply that the upper bound is unknown (and could be anywhere between 2517 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather 2518 than "between N and X" where X is some huge number. */ 2519 unsigned HOST_WIDE_INT maxbytes = target_dir_max (); 2520 2521 /* True when there is enough room in the destination for the least 2522 amount of a directive's output but not enough for its likely or 2523 maximum output. */ 2524 bool maybe = (res.min <= avail_range.max 2525 && (avail_range.min < res.likely 2526 || (res.max < HOST_WIDE_INT_MAX 2527 && avail_range.min < res.max))); 2528 2529 /* Buffer for the directive in the host character set (used when 2530 the source character set is different). */ 2531 char hostdir[32]; 2532 2533 if (avail_range.min == avail_range.max) 2534 { 2535 /* The size of the destination region is exact. */ 2536 unsigned HOST_WIDE_INT navail = avail_range.max; 2537 2538 if (target_to_host (*dir.beg) != '%') 2539 { 2540 /* For plain character directives (i.e., the format string itself) 2541 but not others, point the caret at the first character that's 2542 past the end of the destination. */ 2543 if (navail < dir.len) 2544 dirloc.set_caret_index (dirloc.get_caret_idx () + navail); 2545 } 2546 2547 if (*dir.beg == '\0') 2548 { 2549 /* This is the terminating nul. */ 2550 gcc_assert (res.min == 1 && res.min == res.max); 2551 2552 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (), 2553 info.bounded 2554 ? (maybe 2555 ? G_("%qE output may be truncated before the " 2556 "last format character") 2557 : G_("%qE output truncated before the last " 2558 "format character")) 2559 : (maybe 2560 ? G_("%qE may write a terminating nul past the " 2561 "end of the destination") 2562 : G_("%qE writing a terminating nul past the " 2563 "end of the destination")), 2564 info.func); 2565 } 2566 2567 if (res.min == res.max) 2568 { 2569 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg); 2570 if (!info.bounded) 2571 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2572 "%<%.*s%> directive writing %wu byte into a " 2573 "region of size %wu", 2574 "%<%.*s%> directive writing %wu bytes into a " 2575 "region of size %wu", 2576 (int) dir.len, d, res.min, navail); 2577 else if (maybe) 2578 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2579 "%<%.*s%> directive output may be truncated " 2580 "writing %wu byte into a region of size %wu", 2581 "%<%.*s%> directive output may be truncated " 2582 "writing %wu bytes into a region of size %wu", 2583 (int) dir.len, d, res.min, navail); 2584 else 2585 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2586 "%<%.*s%> directive output truncated writing " 2587 "%wu byte into a region of size %wu", 2588 "%<%.*s%> directive output truncated writing " 2589 "%wu bytes into a region of size %wu", 2590 (int) dir.len, d, res.min, navail); 2591 } 2592 if (res.min == 0 && res.max < maxbytes) 2593 return fmtwarn (dirloc, argloc, NULL, 2594 info.warnopt (), 2595 info.bounded 2596 ? (maybe 2597 ? G_("%<%.*s%> directive output may be truncated " 2598 "writing up to %wu bytes into a region of " 2599 "size %wu") 2600 : G_("%<%.*s%> directive output truncated writing " 2601 "up to %wu bytes into a region of size %wu")) 2602 : G_("%<%.*s%> directive writing up to %wu bytes " 2603 "into a region of size %wu"), (int) dir.len, 2604 target_to_host (hostdir, sizeof hostdir, dir.beg), 2605 res.max, navail); 2606 2607 if (res.min == 0 && maxbytes <= res.max) 2608 /* This is a special case to avoid issuing the potentially 2609 confusing warning: 2610 writing 0 or more bytes into a region of size 0. */ 2611 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2612 info.bounded 2613 ? (maybe 2614 ? G_("%<%.*s%> directive output may be truncated " 2615 "writing likely %wu or more bytes into a " 2616 "region of size %wu") 2617 : G_("%<%.*s%> directive output truncated writing " 2618 "likely %wu or more bytes into a region of " 2619 "size %wu")) 2620 : G_("%<%.*s%> directive writing likely %wu or more " 2621 "bytes into a region of size %wu"), (int) dir.len, 2622 target_to_host (hostdir, sizeof hostdir, dir.beg), 2623 res.likely, navail); 2624 2625 if (res.max < maxbytes) 2626 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2627 info.bounded 2628 ? (maybe 2629 ? G_("%<%.*s%> directive output may be truncated " 2630 "writing between %wu and %wu bytes into a " 2631 "region of size %wu") 2632 : G_("%<%.*s%> directive output truncated " 2633 "writing between %wu and %wu bytes into a " 2634 "region of size %wu")) 2635 : G_("%<%.*s%> directive writing between %wu and " 2636 "%wu bytes into a region of size %wu"), 2637 (int) dir.len, 2638 target_to_host (hostdir, sizeof hostdir, dir.beg), 2639 res.min, res.max, navail); 2640 2641 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2642 info.bounded 2643 ? (maybe 2644 ? G_("%<%.*s%> directive output may be truncated " 2645 "writing %wu or more bytes into a region of " 2646 "size %wu") 2647 : G_("%<%.*s%> directive output truncated writing " 2648 "%wu or more bytes into a region of size %wu")) 2649 : G_("%<%.*s%> directive writing %wu or more bytes " 2650 "into a region of size %wu"), (int) dir.len, 2651 target_to_host (hostdir, sizeof hostdir, dir.beg), 2652 res.min, navail); 2653 } 2654 2655 /* The size of the destination region is a range. */ 2656 2657 if (target_to_host (*dir.beg) != '%') 2658 { 2659 unsigned HOST_WIDE_INT navail = avail_range.max; 2660 2661 /* For plain character directives (i.e., the format string itself) 2662 but not others, point the caret at the first character that's 2663 past the end of the destination. */ 2664 if (navail < dir.len) 2665 dirloc.set_caret_index (dirloc.get_caret_idx () + navail); 2666 } 2667 2668 if (*dir.beg == '\0') 2669 { 2670 gcc_assert (res.min == 1 && res.min == res.max); 2671 2672 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (), 2673 info.bounded 2674 ? (maybe 2675 ? G_("%qE output may be truncated before the last " 2676 "format character") 2677 : G_("%qE output truncated before the last format " 2678 "character")) 2679 : (maybe 2680 ? G_("%qE may write a terminating nul past the end " 2681 "of the destination") 2682 : G_("%qE writing a terminating nul past the end " 2683 "of the destination")), info.func); 2684 } 2685 2686 if (res.min == res.max) 2687 { 2688 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg); 2689 if (!info.bounded) 2690 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2691 "%<%.*s%> directive writing %wu byte into a region " 2692 "of size between %wu and %wu", 2693 "%<%.*s%> directive writing %wu bytes into a region " 2694 "of size between %wu and %wu", (int) dir.len, d, 2695 res.min, avail_range.min, avail_range.max); 2696 else if (maybe) 2697 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2698 "%<%.*s%> directive output may be truncated writing " 2699 "%wu byte into a region of size between %wu and %wu", 2700 "%<%.*s%> directive output may be truncated writing " 2701 "%wu bytes into a region of size between %wu and " 2702 "%wu", (int) dir.len, d, res.min, avail_range.min, 2703 avail_range.max); 2704 else 2705 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min, 2706 "%<%.*s%> directive output truncated writing %wu " 2707 "byte into a region of size between %wu and %wu", 2708 "%<%.*s%> directive output truncated writing %wu " 2709 "bytes into a region of size between %wu and %wu", 2710 (int) dir.len, d, res.min, avail_range.min, 2711 avail_range.max); 2712 } 2713 2714 if (res.min == 0 && res.max < maxbytes) 2715 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2716 info.bounded 2717 ? (maybe 2718 ? G_("%<%.*s%> directive output may be truncated " 2719 "writing up to %wu bytes into a region of size " 2720 "between %wu and %wu") 2721 : G_("%<%.*s%> directive output truncated writing " 2722 "up to %wu bytes into a region of size between " 2723 "%wu and %wu")) 2724 : G_("%<%.*s%> directive writing up to %wu bytes " 2725 "into a region of size between %wu and %wu"), 2726 (int) dir.len, 2727 target_to_host (hostdir, sizeof hostdir, dir.beg), 2728 res.max, avail_range.min, avail_range.max); 2729 2730 if (res.min == 0 && maxbytes <= res.max) 2731 /* This is a special case to avoid issuing the potentially confusing 2732 warning: 2733 writing 0 or more bytes into a region of size between 0 and N. */ 2734 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2735 info.bounded 2736 ? (maybe 2737 ? G_("%<%.*s%> directive output may be truncated " 2738 "writing likely %wu or more bytes into a region " 2739 "of size between %wu and %wu") 2740 : G_("%<%.*s%> directive output truncated writing " 2741 "likely %wu or more bytes into a region of size " 2742 "between %wu and %wu")) 2743 : G_("%<%.*s%> directive writing likely %wu or more bytes " 2744 "into a region of size between %wu and %wu"), 2745 (int) dir.len, 2746 target_to_host (hostdir, sizeof hostdir, dir.beg), 2747 res.likely, avail_range.min, avail_range.max); 2748 2749 if (res.max < maxbytes) 2750 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2751 info.bounded 2752 ? (maybe 2753 ? G_("%<%.*s%> directive output may be truncated " 2754 "writing between %wu and %wu bytes into a region " 2755 "of size between %wu and %wu") 2756 : G_("%<%.*s%> directive output truncated writing " 2757 "between %wu and %wu bytes into a region of size " 2758 "between %wu and %wu")) 2759 : G_("%<%.*s%> directive writing between %wu and " 2760 "%wu bytes into a region of size between %wu and " 2761 "%wu"), (int) dir.len, 2762 target_to_host (hostdir, sizeof hostdir, dir.beg), 2763 res.min, res.max, avail_range.min, avail_range.max); 2764 2765 return fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2766 info.bounded 2767 ? (maybe 2768 ? G_("%<%.*s%> directive output may be truncated writing " 2769 "%wu or more bytes into a region of size between " 2770 "%wu and %wu") 2771 : G_("%<%.*s%> directive output truncated writing " 2772 "%wu or more bytes into a region of size between " 2773 "%wu and %wu")) 2774 : G_("%<%.*s%> directive writing %wu or more bytes " 2775 "into a region of size between %wu and %wu"), 2776 (int) dir.len, 2777 target_to_host (hostdir, sizeof hostdir, dir.beg), 2778 res.min, avail_range.min, avail_range.max); 2779 } 2780 2781 /* Compute the length of the output resulting from the directive DIR 2782 in a call described by INFO and update the overall result of the call 2783 in *RES. Return true if the directive has been handled. */ 2784 2785 static bool 2786 format_directive (const sprintf_dom_walker::call_info &info, 2787 format_result *res, const directive &dir, 2788 class vr_values *vr_values) 2789 { 2790 /* Offset of the beginning of the directive from the beginning 2791 of the format string. */ 2792 size_t offset = dir.beg - info.fmtstr; 2793 size_t start = offset; 2794 size_t length = offset + dir.len - !!dir.len; 2795 2796 /* Create a location for the whole directive from the % to the format 2797 specifier. */ 2798 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format), 2799 offset, start, length); 2800 2801 /* Also get the location of the argument if possible. 2802 This doesn't work for integer literals or function calls. */ 2803 location_t argloc = UNKNOWN_LOCATION; 2804 if (dir.arg) 2805 argloc = EXPR_LOCATION (dir.arg); 2806 2807 /* Bail when there is no function to compute the output length, 2808 or when minimum length checking has been disabled. */ 2809 if (!dir.fmtfunc || res->range.min >= HOST_WIDE_INT_MAX) 2810 return false; 2811 2812 /* Compute the range of lengths of the formatted output. */ 2813 fmtresult fmtres = dir.fmtfunc (dir, dir.arg, vr_values); 2814 2815 /* Record whether the output of all directives is known to be 2816 bounded by some maximum, implying that their arguments are 2817 either known exactly or determined to be in a known range 2818 or, for strings, limited by the upper bounds of the arrays 2819 they refer to. */ 2820 res->knownrange &= fmtres.knownrange; 2821 2822 if (!fmtres.knownrange) 2823 { 2824 /* Only when the range is known, check it against the host value 2825 of INT_MAX + (the number of bytes of the "%.*Lf" directive with 2826 INT_MAX precision, which is the longest possible output of any 2827 single directive). That's the largest valid byte count (though 2828 not valid call to a printf-like function because it can never 2829 return such a count). Otherwise, the range doesn't correspond 2830 to known values of the argument. */ 2831 if (fmtres.range.max > target_dir_max ()) 2832 { 2833 /* Normalize the MAX counter to avoid having to deal with it 2834 later. The counter can be less than HOST_WIDE_INT_M1U 2835 when compiling for an ILP32 target on an LP64 host. */ 2836 fmtres.range.max = HOST_WIDE_INT_M1U; 2837 /* Disable exact and maximum length checking after a failure 2838 to determine the maximum number of characters (for example 2839 for wide characters or wide character strings) but continue 2840 tracking the minimum number of characters. */ 2841 res->range.max = HOST_WIDE_INT_M1U; 2842 } 2843 2844 if (fmtres.range.min > target_dir_max ()) 2845 { 2846 /* Disable exact length checking after a failure to determine 2847 even the minimum number of characters (it shouldn't happen 2848 except in an error) but keep tracking the minimum and maximum 2849 number of characters. */ 2850 return true; 2851 } 2852 } 2853 2854 /* Buffer for the directive in the host character set (used when 2855 the source character set is different). */ 2856 char hostdir[32]; 2857 2858 int dirlen = dir.len; 2859 2860 if (fmtres.nullp) 2861 { 2862 fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2863 "%<%.*s%> directive argument is null", 2864 dirlen, target_to_host (hostdir, sizeof hostdir, dir.beg)); 2865 2866 /* Don't bother processing the rest of the format string. */ 2867 res->warned = true; 2868 res->range.min = HOST_WIDE_INT_M1U; 2869 res->range.max = HOST_WIDE_INT_M1U; 2870 return false; 2871 } 2872 2873 /* Compute the number of available bytes in the destination. There 2874 must always be at least one byte of space for the terminating 2875 NUL that's appended after the format string has been processed. */ 2876 result_range avail_range = bytes_remaining (info.objsize, *res); 2877 2878 bool warned = res->warned; 2879 2880 if (!warned) 2881 warned = maybe_warn (dirloc, argloc, info, avail_range, 2882 fmtres.range, dir); 2883 2884 /* Bump up the total maximum if it isn't too big. */ 2885 if (res->range.max < HOST_WIDE_INT_MAX 2886 && fmtres.range.max < HOST_WIDE_INT_MAX) 2887 res->range.max += fmtres.range.max; 2888 2889 /* Raise the total unlikely maximum by the larger of the maximum 2890 and the unlikely maximum. */ 2891 unsigned HOST_WIDE_INT save = res->range.unlikely; 2892 if (fmtres.range.max < fmtres.range.unlikely) 2893 res->range.unlikely += fmtres.range.unlikely; 2894 else 2895 res->range.unlikely += fmtres.range.max; 2896 2897 if (res->range.unlikely < save) 2898 res->range.unlikely = HOST_WIDE_INT_M1U; 2899 2900 res->range.min += fmtres.range.min; 2901 res->range.likely += fmtres.range.likely; 2902 2903 /* Has the minimum directive output length exceeded the maximum 2904 of 4095 bytes required to be supported? */ 2905 bool minunder4k = fmtres.range.min < 4096; 2906 bool maxunder4k = fmtres.range.max < 4096; 2907 /* Clear UNDER4K in the overall result if the maximum has exceeded 2908 the 4k (this is necessary to avoid the return valuye optimization 2909 that may not be safe in the maximum case). */ 2910 if (!maxunder4k) 2911 res->under4k = false; 2912 2913 if (!warned 2914 /* Only warn at level 2. */ 2915 && warn_level > 1 2916 && (!minunder4k 2917 || (!maxunder4k && fmtres.range.max < HOST_WIDE_INT_MAX))) 2918 { 2919 /* The directive output may be longer than the maximum required 2920 to be handled by an implementation according to 7.21.6.1, p15 2921 of C11. Warn on this only at level 2 but remember this and 2922 prevent folding the return value when done. This allows for 2923 the possibility of the actual libc call failing due to ENOMEM 2924 (like Glibc does under some conditions). */ 2925 2926 if (fmtres.range.min == fmtres.range.max) 2927 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2928 "%<%.*s%> directive output of %wu bytes exceeds " 2929 "minimum required size of 4095", dirlen, 2930 target_to_host (hostdir, sizeof hostdir, dir.beg), 2931 fmtres.range.min); 2932 else 2933 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2934 minunder4k 2935 ? G_("%<%.*s%> directive output between %wu and %wu " 2936 "bytes may exceed minimum required size of " 2937 "4095") 2938 : G_("%<%.*s%> directive output between %wu and %wu " 2939 "bytes exceeds minimum required size of 4095"), 2940 dirlen, 2941 target_to_host (hostdir, sizeof hostdir, dir.beg), 2942 fmtres.range.min, fmtres.range.max); 2943 } 2944 2945 /* Has the likely and maximum directive output exceeded INT_MAX? */ 2946 bool likelyximax = *dir.beg && res->range.likely > target_int_max (); 2947 /* Don't consider the maximum to be in excess when it's the result 2948 of a string of unknown length (i.e., whose maximum has been set 2949 to be greater than or equal to HOST_WIDE_INT_MAX. */ 2950 bool maxximax = (*dir.beg 2951 && res->range.max > target_int_max () 2952 && res->range.max < HOST_WIDE_INT_MAX); 2953 2954 if (!warned 2955 /* Warn for the likely output size at level 1. */ 2956 && (likelyximax 2957 /* But only warn for the maximum at level 2. */ 2958 || (warn_level > 1 2959 && maxximax 2960 && fmtres.range.max < HOST_WIDE_INT_MAX))) 2961 { 2962 /* The directive output causes the total length of output 2963 to exceed INT_MAX bytes. */ 2964 2965 if (fmtres.range.min == fmtres.range.max) 2966 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2967 "%<%.*s%> directive output of %wu bytes causes " 2968 "result to exceed %<INT_MAX%>", dirlen, 2969 target_to_host (hostdir, sizeof hostdir, dir.beg), 2970 fmtres.range.min); 2971 else 2972 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (), 2973 fmtres.range.min > target_int_max () 2974 ? G_ ("%<%.*s%> directive output between %wu and " 2975 "%wu bytes causes result to exceed " 2976 "%<INT_MAX%>") 2977 : G_ ("%<%.*s%> directive output between %wu and " 2978 "%wu bytes may cause result to exceed " 2979 "%<INT_MAX%>"), dirlen, 2980 target_to_host (hostdir, sizeof hostdir, dir.beg), 2981 fmtres.range.min, fmtres.range.max); 2982 } 2983 2984 if (warned && fmtres.range.min < fmtres.range.likely 2985 && fmtres.range.likely < fmtres.range.max) 2986 inform_n (info.fmtloc, fmtres.range.likely, 2987 "assuming directive output of %wu byte", 2988 "assuming directive output of %wu bytes", 2989 fmtres.range.likely); 2990 2991 if (warned && fmtres.argmin) 2992 { 2993 if (fmtres.argmin == fmtres.argmax) 2994 inform (info.fmtloc, "directive argument %qE", fmtres.argmin); 2995 else if (fmtres.knownrange) 2996 inform (info.fmtloc, "directive argument in the range [%E, %E]", 2997 fmtres.argmin, fmtres.argmax); 2998 else 2999 inform (info.fmtloc, 3000 "using the range [%E, %E] for directive argument", 3001 fmtres.argmin, fmtres.argmax); 3002 } 3003 3004 res->warned |= warned; 3005 3006 if (!dir.beg[0] && res->warned && info.objsize < HOST_WIDE_INT_MAX) 3007 { 3008 /* If a warning has been issued for buffer overflow or truncation 3009 (but not otherwise) help the user figure out how big a buffer 3010 they need. */ 3011 3012 location_t callloc = gimple_location (info.callstmt); 3013 3014 unsigned HOST_WIDE_INT min = res->range.min; 3015 unsigned HOST_WIDE_INT max = res->range.max; 3016 3017 if (min == max) 3018 inform (callloc, 3019 (min == 1 3020 ? G_("%qE output %wu byte into a destination of size %wu") 3021 : G_("%qE output %wu bytes into a destination of size %wu")), 3022 info.func, min, info.objsize); 3023 else if (max < HOST_WIDE_INT_MAX) 3024 inform (callloc, 3025 "%qE output between %wu and %wu bytes into " 3026 "a destination of size %wu", 3027 info.func, min, max, info.objsize); 3028 else if (min < res->range.likely && res->range.likely < max) 3029 inform (callloc, 3030 "%qE output %wu or more bytes (assuming %wu) into " 3031 "a destination of size %wu", 3032 info.func, min, res->range.likely, info.objsize); 3033 else 3034 inform (callloc, 3035 "%qE output %wu or more bytes into a destination of size %wu", 3036 info.func, min, info.objsize); 3037 } 3038 3039 if (dump_file && *dir.beg) 3040 { 3041 fprintf (dump_file, 3042 " Result: " 3043 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", " 3044 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC " (" 3045 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", " 3046 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ")\n", 3047 fmtres.range.min, fmtres.range.likely, 3048 fmtres.range.max, fmtres.range.unlikely, 3049 res->range.min, res->range.likely, 3050 res->range.max, res->range.unlikely); 3051 } 3052 3053 return true; 3054 } 3055 3056 /* Parse a format directive in function call described by INFO starting 3057 at STR and populate DIR structure. Bump up *ARGNO by the number of 3058 arguments extracted for the directive. Return the length of 3059 the directive. */ 3060 3061 static size_t 3062 parse_directive (sprintf_dom_walker::call_info &info, 3063 directive &dir, format_result *res, 3064 const char *str, unsigned *argno, 3065 vr_values *vr_values) 3066 { 3067 const char *pcnt = strchr (str, target_percent); 3068 dir.beg = str; 3069 3070 if (size_t len = pcnt ? pcnt - str : *str ? strlen (str) : 1) 3071 { 3072 /* This directive is either a plain string or the terminating nul 3073 (which isn't really a directive but it simplifies things to 3074 handle it as if it were). */ 3075 dir.len = len; 3076 dir.fmtfunc = format_plain; 3077 3078 if (dump_file) 3079 { 3080 fprintf (dump_file, " Directive %u at offset " 3081 HOST_WIDE_INT_PRINT_UNSIGNED ": \"%.*s\", " 3082 "length = " HOST_WIDE_INT_PRINT_UNSIGNED "\n", 3083 dir.dirno, 3084 (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr), 3085 (int)dir.len, dir.beg, (unsigned HOST_WIDE_INT) dir.len); 3086 } 3087 3088 return len - !*str; 3089 } 3090 3091 const char *pf = pcnt + 1; 3092 3093 /* POSIX numbered argument index or zero when none. */ 3094 HOST_WIDE_INT dollar = 0; 3095 3096 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN 3097 when given by a va_list argument, and a non-negative value 3098 when specified in the format string itself. */ 3099 HOST_WIDE_INT width = -1; 3100 HOST_WIDE_INT precision = -1; 3101 3102 /* Pointers to the beginning of the width and precision decimal 3103 string (if any) within the directive. */ 3104 const char *pwidth = 0; 3105 const char *pprec = 0; 3106 3107 /* When the value of the decimal string that specifies width or 3108 precision is out of range, points to the digit that causes 3109 the value to exceed the limit. */ 3110 const char *werange = NULL; 3111 const char *perange = NULL; 3112 3113 /* Width specified via the asterisk. Need not be INTEGER_CST. 3114 For vararg functions set to void_node. */ 3115 tree star_width = NULL_TREE; 3116 3117 /* Width specified via the asterisk. Need not be INTEGER_CST. 3118 For vararg functions set to void_node. */ 3119 tree star_precision = NULL_TREE; 3120 3121 if (ISDIGIT (target_to_host (*pf))) 3122 { 3123 /* This could be either a POSIX positional argument, the '0' 3124 flag, or a width, depending on what follows. Store it as 3125 width and sort it out later after the next character has 3126 been seen. */ 3127 pwidth = pf; 3128 width = target_strtol10 (&pf, &werange); 3129 } 3130 else if (target_to_host (*pf) == '*') 3131 { 3132 /* Similarly to the block above, this could be either a POSIX 3133 positional argument or a width, depending on what follows. */ 3134 if (*argno < gimple_call_num_args (info.callstmt)) 3135 star_width = gimple_call_arg (info.callstmt, (*argno)++); 3136 else 3137 star_width = void_node; 3138 ++pf; 3139 } 3140 3141 if (target_to_host (*pf) == '$') 3142 { 3143 /* Handle the POSIX dollar sign which references the 1-based 3144 positional argument number. */ 3145 if (width != -1) 3146 dollar = width + info.argidx; 3147 else if (star_width 3148 && TREE_CODE (star_width) == INTEGER_CST 3149 && (TYPE_PRECISION (TREE_TYPE (star_width)) 3150 <= TYPE_PRECISION (integer_type_node))) 3151 dollar = width + tree_to_shwi (star_width); 3152 3153 /* Bail when the numbered argument is out of range (it will 3154 have already been diagnosed by -Wformat). */ 3155 if (dollar == 0 3156 || dollar == (int)info.argidx 3157 || dollar > gimple_call_num_args (info.callstmt)) 3158 return false; 3159 3160 --dollar; 3161 3162 star_width = NULL_TREE; 3163 width = -1; 3164 ++pf; 3165 } 3166 3167 if (dollar || !star_width) 3168 { 3169 if (width != -1) 3170 { 3171 if (width == 0) 3172 { 3173 /* The '0' that has been interpreted as a width above is 3174 actually a flag. Reset HAVE_WIDTH, set the '0' flag, 3175 and continue processing other flags. */ 3176 width = -1; 3177 dir.set_flag ('0'); 3178 } 3179 else if (!dollar) 3180 { 3181 /* (Non-zero) width has been seen. The next character 3182 is either a period or a digit. */ 3183 goto start_precision; 3184 } 3185 } 3186 /* When either '$' has been seen, or width has not been seen, 3187 the next field is the optional flags followed by an optional 3188 width. */ 3189 for ( ; ; ) { 3190 switch (target_to_host (*pf)) 3191 { 3192 case ' ': 3193 case '0': 3194 case '+': 3195 case '-': 3196 case '#': 3197 dir.set_flag (target_to_host (*pf++)); 3198 break; 3199 3200 default: 3201 goto start_width; 3202 } 3203 } 3204 3205 start_width: 3206 if (ISDIGIT (target_to_host (*pf))) 3207 { 3208 werange = 0; 3209 pwidth = pf; 3210 width = target_strtol10 (&pf, &werange); 3211 } 3212 else if (target_to_host (*pf) == '*') 3213 { 3214 if (*argno < gimple_call_num_args (info.callstmt)) 3215 star_width = gimple_call_arg (info.callstmt, (*argno)++); 3216 else 3217 { 3218 /* This is (likely) a va_list. It could also be an invalid 3219 call with insufficient arguments. */ 3220 star_width = void_node; 3221 } 3222 ++pf; 3223 } 3224 else if (target_to_host (*pf) == '\'') 3225 { 3226 /* The POSIX apostrophe indicating a numeric grouping 3227 in the current locale. Even though it's possible to 3228 estimate the upper bound on the size of the output 3229 based on the number of digits it probably isn't worth 3230 continuing. */ 3231 return 0; 3232 } 3233 } 3234 3235 start_precision: 3236 if (target_to_host (*pf) == '.') 3237 { 3238 ++pf; 3239 3240 if (ISDIGIT (target_to_host (*pf))) 3241 { 3242 pprec = pf; 3243 precision = target_strtol10 (&pf, &perange); 3244 } 3245 else if (target_to_host (*pf) == '*') 3246 { 3247 if (*argno < gimple_call_num_args (info.callstmt)) 3248 star_precision = gimple_call_arg (info.callstmt, (*argno)++); 3249 else 3250 { 3251 /* This is (likely) a va_list. It could also be an invalid 3252 call with insufficient arguments. */ 3253 star_precision = void_node; 3254 } 3255 ++pf; 3256 } 3257 else 3258 { 3259 /* The decimal precision or the asterisk are optional. 3260 When neither is dirified it's taken to be zero. */ 3261 precision = 0; 3262 } 3263 } 3264 3265 switch (target_to_host (*pf)) 3266 { 3267 case 'h': 3268 if (target_to_host (pf[1]) == 'h') 3269 { 3270 ++pf; 3271 dir.modifier = FMT_LEN_hh; 3272 } 3273 else 3274 dir.modifier = FMT_LEN_h; 3275 ++pf; 3276 break; 3277 3278 case 'j': 3279 dir.modifier = FMT_LEN_j; 3280 ++pf; 3281 break; 3282 3283 case 'L': 3284 dir.modifier = FMT_LEN_L; 3285 ++pf; 3286 break; 3287 3288 case 'l': 3289 if (target_to_host (pf[1]) == 'l') 3290 { 3291 ++pf; 3292 dir.modifier = FMT_LEN_ll; 3293 } 3294 else 3295 dir.modifier = FMT_LEN_l; 3296 ++pf; 3297 break; 3298 3299 case 't': 3300 dir.modifier = FMT_LEN_t; 3301 ++pf; 3302 break; 3303 3304 case 'z': 3305 dir.modifier = FMT_LEN_z; 3306 ++pf; 3307 break; 3308 } 3309 3310 switch (target_to_host (*pf)) 3311 { 3312 /* Handle a sole '%' character the same as "%%" but since it's 3313 undefined prevent the result from being folded. */ 3314 case '\0': 3315 --pf; 3316 res->range.min = res->range.max = HOST_WIDE_INT_M1U; 3317 /* FALLTHRU */ 3318 case '%': 3319 dir.fmtfunc = format_percent; 3320 break; 3321 3322 case 'a': 3323 case 'A': 3324 case 'e': 3325 case 'E': 3326 case 'f': 3327 case 'F': 3328 case 'g': 3329 case 'G': 3330 res->floating = true; 3331 dir.fmtfunc = format_floating; 3332 break; 3333 3334 case 'd': 3335 case 'i': 3336 case 'o': 3337 case 'u': 3338 case 'x': 3339 case 'X': 3340 dir.fmtfunc = format_integer; 3341 break; 3342 3343 case 'p': 3344 /* The %p output is implementation-defined. It's possible 3345 to determine this format but due to extensions (edirially 3346 those of the Linux kernel -- see bug 78512) the first %p 3347 in the format string disables any further processing. */ 3348 return false; 3349 3350 case 'n': 3351 /* %n has side-effects even when nothing is actually printed to 3352 any buffer. */ 3353 info.nowrite = false; 3354 dir.fmtfunc = format_none; 3355 break; 3356 3357 case 'c': 3358 dir.fmtfunc = format_character; 3359 break; 3360 3361 case 'S': 3362 case 's': 3363 dir.fmtfunc = format_string; 3364 break; 3365 3366 default: 3367 /* Unknown conversion specification. */ 3368 return 0; 3369 } 3370 3371 dir.specifier = target_to_host (*pf++); 3372 3373 /* Store the length of the format directive. */ 3374 dir.len = pf - pcnt; 3375 3376 /* Buffer for the directive in the host character set (used when 3377 the source character set is different). */ 3378 char hostdir[32]; 3379 3380 if (star_width) 3381 { 3382 if (INTEGRAL_TYPE_P (TREE_TYPE (star_width))) 3383 dir.set_width (star_width, vr_values); 3384 else 3385 { 3386 /* Width specified by a va_list takes on the range [0, -INT_MIN] 3387 (width is the absolute value of that specified). */ 3388 dir.width[0] = 0; 3389 dir.width[1] = target_int_max () + 1; 3390 } 3391 } 3392 else 3393 { 3394 if (width == LONG_MAX && werange) 3395 { 3396 size_t begin = dir.beg - info.fmtstr + (pwidth - pcnt); 3397 size_t caret = begin + (werange - pcnt); 3398 size_t end = pf - info.fmtstr - 1; 3399 3400 /* Create a location for the width part of the directive, 3401 pointing the caret at the first out-of-range digit. */ 3402 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format), 3403 caret, begin, end); 3404 3405 fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (), 3406 "%<%.*s%> directive width out of range", (int) dir.len, 3407 target_to_host (hostdir, sizeof hostdir, dir.beg)); 3408 } 3409 3410 dir.set_width (width); 3411 } 3412 3413 if (star_precision) 3414 { 3415 if (INTEGRAL_TYPE_P (TREE_TYPE (star_precision))) 3416 dir.set_precision (star_precision, vr_values); 3417 else 3418 { 3419 /* Precision specified by a va_list takes on the range [-1, INT_MAX] 3420 (unlike width, negative precision is ignored). */ 3421 dir.prec[0] = -1; 3422 dir.prec[1] = target_int_max (); 3423 } 3424 } 3425 else 3426 { 3427 if (precision == LONG_MAX && perange) 3428 { 3429 size_t begin = dir.beg - info.fmtstr + (pprec - pcnt) - 1; 3430 size_t caret = dir.beg - info.fmtstr + (perange - pcnt) - 1; 3431 size_t end = pf - info.fmtstr - 2; 3432 3433 /* Create a location for the precision part of the directive, 3434 including the leading period, pointing the caret at the first 3435 out-of-range digit . */ 3436 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format), 3437 caret, begin, end); 3438 3439 fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (), 3440 "%<%.*s%> directive precision out of range", (int) dir.len, 3441 target_to_host (hostdir, sizeof hostdir, dir.beg)); 3442 } 3443 3444 dir.set_precision (precision); 3445 } 3446 3447 /* Extract the argument if the directive takes one and if it's 3448 available (e.g., the function doesn't take a va_list). Treat 3449 missing arguments the same as va_list, even though they will 3450 have likely already been diagnosed by -Wformat. */ 3451 if (dir.specifier != '%' 3452 && *argno < gimple_call_num_args (info.callstmt)) 3453 dir.arg = gimple_call_arg (info.callstmt, dollar ? dollar : (*argno)++); 3454 3455 if (dump_file) 3456 { 3457 fprintf (dump_file, 3458 " Directive %u at offset " HOST_WIDE_INT_PRINT_UNSIGNED 3459 ": \"%.*s\"", 3460 dir.dirno, 3461 (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr), 3462 (int)dir.len, dir.beg); 3463 if (star_width) 3464 { 3465 if (dir.width[0] == dir.width[1]) 3466 fprintf (dump_file, ", width = " HOST_WIDE_INT_PRINT_DEC, 3467 dir.width[0]); 3468 else 3469 fprintf (dump_file, 3470 ", width in range [" HOST_WIDE_INT_PRINT_DEC 3471 ", " HOST_WIDE_INT_PRINT_DEC "]", 3472 dir.width[0], dir.width[1]); 3473 } 3474 3475 if (star_precision) 3476 { 3477 if (dir.prec[0] == dir.prec[1]) 3478 fprintf (dump_file, ", precision = " HOST_WIDE_INT_PRINT_DEC, 3479 dir.prec[0]); 3480 else 3481 fprintf (dump_file, 3482 ", precision in range [" HOST_WIDE_INT_PRINT_DEC 3483 HOST_WIDE_INT_PRINT_DEC "]", 3484 dir.prec[0], dir.prec[1]); 3485 } 3486 fputc ('\n', dump_file); 3487 } 3488 3489 return dir.len; 3490 } 3491 3492 /* Compute the length of the output resulting from the call to a formatted 3493 output function described by INFO and store the result of the call in 3494 *RES. Issue warnings for detected past the end writes. Return true 3495 if the complete format string has been processed and *RES can be relied 3496 on, false otherwise (e.g., when a unknown or unhandled directive was seen 3497 that caused the processing to be terminated early). */ 3498 3499 bool 3500 sprintf_dom_walker::compute_format_length (call_info &info, 3501 format_result *res) 3502 { 3503 if (dump_file) 3504 { 3505 location_t callloc = gimple_location (info.callstmt); 3506 fprintf (dump_file, "%s:%i: ", 3507 LOCATION_FILE (callloc), LOCATION_LINE (callloc)); 3508 print_generic_expr (dump_file, info.func, dump_flags); 3509 3510 fprintf (dump_file, 3511 ": objsize = " HOST_WIDE_INT_PRINT_UNSIGNED 3512 ", fmtstr = \"%s\"\n", 3513 info.objsize, info.fmtstr); 3514 } 3515 3516 /* Reset the minimum and maximum byte counters. */ 3517 res->range.min = res->range.max = 0; 3518 3519 /* No directive has been seen yet so the length of output is bounded 3520 by the known range [0, 0] (with no conversion producing more than 3521 4K bytes) until determined otherwise. */ 3522 res->knownrange = true; 3523 res->under4k = true; 3524 res->floating = false; 3525 res->warned = false; 3526 3527 /* 1-based directive counter. */ 3528 unsigned dirno = 1; 3529 3530 /* The variadic argument counter. */ 3531 unsigned argno = info.argidx; 3532 3533 for (const char *pf = info.fmtstr; ; ++dirno) 3534 { 3535 directive dir = directive (); 3536 dir.dirno = dirno; 3537 3538 size_t n = parse_directive (info, dir, res, pf, &argno, 3539 evrp_range_analyzer.get_vr_values ()); 3540 3541 /* Return failure if the format function fails. */ 3542 if (!format_directive (info, res, dir, 3543 evrp_range_analyzer.get_vr_values ())) 3544 return false; 3545 3546 /* Return success the directive is zero bytes long and it's 3547 the last think in the format string (i.e., it's the terminating 3548 nul, which isn't really a directive but handling it as one makes 3549 things simpler). */ 3550 if (!n) 3551 return *pf == '\0'; 3552 3553 pf += n; 3554 } 3555 3556 /* The complete format string was processed (with or without warnings). */ 3557 return true; 3558 } 3559 3560 /* Return the size of the object referenced by the expression DEST if 3561 available, or -1 otherwise. */ 3562 3563 static unsigned HOST_WIDE_INT 3564 get_destination_size (tree dest) 3565 { 3566 /* Initialize object size info before trying to compute it. */ 3567 init_object_sizes (); 3568 3569 /* Use __builtin_object_size to determine the size of the destination 3570 object. When optimizing, determine the smallest object (such as 3571 a member array as opposed to the whole enclosing object), otherwise 3572 use type-zero object size to determine the size of the enclosing 3573 object (the function fails without optimization in this type). */ 3574 int ost = optimize > 0; 3575 unsigned HOST_WIDE_INT size; 3576 if (compute_builtin_object_size (dest, ost, &size)) 3577 return size; 3578 3579 return HOST_WIDE_INT_M1U; 3580 } 3581 3582 /* Return true if the call described by INFO with result RES safe to 3583 optimize (i.e., no undefined behavior), and set RETVAL to the range 3584 of its return values. */ 3585 3586 static bool 3587 is_call_safe (const sprintf_dom_walker::call_info &info, 3588 const format_result &res, bool under4k, 3589 unsigned HOST_WIDE_INT retval[2]) 3590 { 3591 if (under4k && !res.under4k) 3592 return false; 3593 3594 /* The minimum return value. */ 3595 retval[0] = res.range.min; 3596 3597 /* The maximum return value is in most cases bounded by RES.RANGE.MAX 3598 but in cases involving multibyte characters could be as large as 3599 RES.RANGE.UNLIKELY. */ 3600 retval[1] 3601 = res.range.unlikely < res.range.max ? res.range.max : res.range.unlikely; 3602 3603 /* Adjust the number of bytes which includes the terminating nul 3604 to reflect the return value of the function which does not. 3605 Because the valid range of the function is [INT_MIN, INT_MAX], 3606 a valid range before the adjustment below is [0, INT_MAX + 1] 3607 (the functions only return negative values on error or undefined 3608 behavior). */ 3609 if (retval[0] <= target_int_max () + 1) 3610 --retval[0]; 3611 if (retval[1] <= target_int_max () + 1) 3612 --retval[1]; 3613 3614 /* Avoid the return value optimization when the behavior of the call 3615 is undefined either because any directive may have produced 4K or 3616 more of output, or the return value exceeds INT_MAX, or because 3617 the output overflows the destination object (but leave it enabled 3618 when the function is bounded because then the behavior is well- 3619 defined). */ 3620 if (retval[0] == retval[1] 3621 && (info.bounded || retval[0] < info.objsize) 3622 && retval[0] <= target_int_max ()) 3623 return true; 3624 3625 if ((info.bounded || retval[1] < info.objsize) 3626 && (retval[0] < target_int_max () 3627 && retval[1] < target_int_max ())) 3628 return true; 3629 3630 if (!under4k && (info.bounded || retval[0] < info.objsize)) 3631 return true; 3632 3633 return false; 3634 } 3635 3636 /* Given a suitable result RES of a call to a formatted output function 3637 described by INFO, substitute the result for the return value of 3638 the call. The result is suitable if the number of bytes it represents 3639 is known and exact. A result that isn't suitable for substitution may 3640 have its range set to the range of return values, if that is known. 3641 Return true if the call is removed and gsi_next should not be performed 3642 in the caller. */ 3643 3644 static bool 3645 try_substitute_return_value (gimple_stmt_iterator *gsi, 3646 const sprintf_dom_walker::call_info &info, 3647 const format_result &res) 3648 { 3649 tree lhs = gimple_get_lhs (info.callstmt); 3650 3651 /* Set to true when the entire call has been removed. */ 3652 bool removed = false; 3653 3654 /* The minimum and maximum return value. */ 3655 unsigned HOST_WIDE_INT retval[2]; 3656 bool safe = is_call_safe (info, res, true, retval); 3657 3658 if (safe 3659 && retval[0] == retval[1] 3660 /* Not prepared to handle possibly throwing calls here; they shouldn't 3661 appear in non-artificial testcases, except when the __*_chk routines 3662 are badly declared. */ 3663 && !stmt_ends_bb_p (info.callstmt)) 3664 { 3665 tree cst = build_int_cst (integer_type_node, retval[0]); 3666 3667 if (lhs == NULL_TREE 3668 && info.nowrite) 3669 { 3670 /* Remove the call to the bounded function with a zero size 3671 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */ 3672 unlink_stmt_vdef (info.callstmt); 3673 gsi_remove (gsi, true); 3674 removed = true; 3675 } 3676 else if (info.nowrite) 3677 { 3678 /* Replace the call to the bounded function with a zero size 3679 (e.g., snprintf(0, 0, "%i", 123) with the constant result 3680 of the function. */ 3681 if (!update_call_from_tree (gsi, cst)) 3682 gimplify_and_update_call_from_tree (gsi, cst); 3683 gimple *callstmt = gsi_stmt (*gsi); 3684 update_stmt (callstmt); 3685 } 3686 else if (lhs) 3687 { 3688 /* Replace the left-hand side of the call with the constant 3689 result of the formatted function. */ 3690 gimple_call_set_lhs (info.callstmt, NULL_TREE); 3691 gimple *g = gimple_build_assign (lhs, cst); 3692 gsi_insert_after (gsi, g, GSI_NEW_STMT); 3693 update_stmt (info.callstmt); 3694 } 3695 3696 if (dump_file) 3697 { 3698 if (removed) 3699 fprintf (dump_file, " Removing call statement."); 3700 else 3701 { 3702 fprintf (dump_file, " Substituting "); 3703 print_generic_expr (dump_file, cst, dump_flags); 3704 fprintf (dump_file, " for %s.\n", 3705 info.nowrite ? "statement" : "return value"); 3706 } 3707 } 3708 } 3709 else if (lhs) 3710 { 3711 bool setrange = false; 3712 3713 if (safe 3714 && (info.bounded || retval[1] < info.objsize) 3715 && (retval[0] < target_int_max () 3716 && retval[1] < target_int_max ())) 3717 { 3718 /* If the result is in a valid range bounded by the size of 3719 the destination set it so that it can be used for subsequent 3720 optimizations. */ 3721 int prec = TYPE_PRECISION (integer_type_node); 3722 3723 wide_int min = wi::shwi (retval[0], prec); 3724 wide_int max = wi::shwi (retval[1], prec); 3725 set_range_info (lhs, VR_RANGE, min, max); 3726 3727 setrange = true; 3728 } 3729 3730 if (dump_file) 3731 { 3732 const char *inbounds 3733 = (retval[0] < info.objsize 3734 ? (retval[1] < info.objsize 3735 ? "in" : "potentially out-of") 3736 : "out-of"); 3737 3738 const char *what = setrange ? "Setting" : "Discarding"; 3739 if (retval[0] != retval[1]) 3740 fprintf (dump_file, 3741 " %s %s-bounds return value range [" 3742 HOST_WIDE_INT_PRINT_UNSIGNED ", " 3743 HOST_WIDE_INT_PRINT_UNSIGNED "].\n", 3744 what, inbounds, retval[0], retval[1]); 3745 else 3746 fprintf (dump_file, " %s %s-bounds return value " 3747 HOST_WIDE_INT_PRINT_UNSIGNED ".\n", 3748 what, inbounds, retval[0]); 3749 } 3750 } 3751 3752 if (dump_file) 3753 fputc ('\n', dump_file); 3754 3755 return removed; 3756 } 3757 3758 /* Try to simplify a s{,n}printf call described by INFO with result 3759 RES by replacing it with a simpler and presumably more efficient 3760 call (such as strcpy). */ 3761 3762 static bool 3763 try_simplify_call (gimple_stmt_iterator *gsi, 3764 const sprintf_dom_walker::call_info &info, 3765 const format_result &res) 3766 { 3767 unsigned HOST_WIDE_INT dummy[2]; 3768 if (!is_call_safe (info, res, info.retval_used (), dummy)) 3769 return false; 3770 3771 switch (info.fncode) 3772 { 3773 case BUILT_IN_SNPRINTF: 3774 return gimple_fold_builtin_snprintf (gsi); 3775 3776 case BUILT_IN_SPRINTF: 3777 return gimple_fold_builtin_sprintf (gsi); 3778 3779 default: 3780 ; 3781 } 3782 3783 return false; 3784 } 3785 3786 /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in 3787 functions and if so, handle it. Return true if the call is removed 3788 and gsi_next should not be performed in the caller. */ 3789 3790 bool 3791 sprintf_dom_walker::handle_gimple_call (gimple_stmt_iterator *gsi) 3792 { 3793 call_info info = call_info (); 3794 3795 info.callstmt = gsi_stmt (*gsi); 3796 if (!gimple_call_builtin_p (info.callstmt, BUILT_IN_NORMAL)) 3797 return false; 3798 3799 info.func = gimple_call_fndecl (info.callstmt); 3800 info.fncode = DECL_FUNCTION_CODE (info.func); 3801 3802 /* The size of the destination as in snprintf(dest, size, ...). */ 3803 unsigned HOST_WIDE_INT dstsize = HOST_WIDE_INT_M1U; 3804 3805 /* The size of the destination determined by __builtin_object_size. */ 3806 unsigned HOST_WIDE_INT objsize = HOST_WIDE_INT_M1U; 3807 3808 /* Buffer size argument number (snprintf and vsnprintf). */ 3809 unsigned HOST_WIDE_INT idx_dstsize = HOST_WIDE_INT_M1U; 3810 3811 /* Object size argument number (snprintf_chk and vsnprintf_chk). */ 3812 unsigned HOST_WIDE_INT idx_objsize = HOST_WIDE_INT_M1U; 3813 3814 /* Format string argument number (valid for all functions). */ 3815 unsigned idx_format; 3816 3817 switch (info.fncode) 3818 { 3819 case BUILT_IN_SPRINTF: 3820 // Signature: 3821 // __builtin_sprintf (dst, format, ...) 3822 idx_format = 1; 3823 info.argidx = 2; 3824 break; 3825 3826 case BUILT_IN_SPRINTF_CHK: 3827 // Signature: 3828 // __builtin___sprintf_chk (dst, ost, objsize, format, ...) 3829 idx_objsize = 2; 3830 idx_format = 3; 3831 info.argidx = 4; 3832 break; 3833 3834 case BUILT_IN_SNPRINTF: 3835 // Signature: 3836 // __builtin_snprintf (dst, size, format, ...) 3837 idx_dstsize = 1; 3838 idx_format = 2; 3839 info.argidx = 3; 3840 info.bounded = true; 3841 break; 3842 3843 case BUILT_IN_SNPRINTF_CHK: 3844 // Signature: 3845 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...) 3846 idx_dstsize = 1; 3847 idx_objsize = 3; 3848 idx_format = 4; 3849 info.argidx = 5; 3850 info.bounded = true; 3851 break; 3852 3853 case BUILT_IN_VSNPRINTF: 3854 // Signature: 3855 // __builtin_vsprintf (dst, size, format, va) 3856 idx_dstsize = 1; 3857 idx_format = 2; 3858 info.argidx = -1; 3859 info.bounded = true; 3860 break; 3861 3862 case BUILT_IN_VSNPRINTF_CHK: 3863 // Signature: 3864 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va) 3865 idx_dstsize = 1; 3866 idx_objsize = 3; 3867 idx_format = 4; 3868 info.argidx = -1; 3869 info.bounded = true; 3870 break; 3871 3872 case BUILT_IN_VSPRINTF: 3873 // Signature: 3874 // __builtin_vsprintf (dst, format, va) 3875 idx_format = 1; 3876 info.argidx = -1; 3877 break; 3878 3879 case BUILT_IN_VSPRINTF_CHK: 3880 // Signature: 3881 // __builtin___vsprintf_chk (dst, ost, objsize, format, va) 3882 idx_format = 3; 3883 idx_objsize = 2; 3884 info.argidx = -1; 3885 break; 3886 3887 default: 3888 return false; 3889 } 3890 3891 /* Set the global warning level for this function. */ 3892 warn_level = info.bounded ? warn_format_trunc : warn_format_overflow; 3893 3894 /* The first argument is a pointer to the destination. */ 3895 tree dstptr = gimple_call_arg (info.callstmt, 0); 3896 3897 info.format = gimple_call_arg (info.callstmt, idx_format); 3898 3899 /* True when the destination size is constant as opposed to the lower 3900 or upper bound of a range. */ 3901 bool dstsize_cst_p = true; 3902 3903 if (idx_dstsize == HOST_WIDE_INT_M1U) 3904 { 3905 /* For non-bounded functions like sprintf, determine the size 3906 of the destination from the object or pointer passed to it 3907 as the first argument. */ 3908 dstsize = get_destination_size (dstptr); 3909 } 3910 else if (tree size = gimple_call_arg (info.callstmt, idx_dstsize)) 3911 { 3912 /* For bounded functions try to get the size argument. */ 3913 3914 if (TREE_CODE (size) == INTEGER_CST) 3915 { 3916 dstsize = tree_to_uhwi (size); 3917 /* No object can be larger than SIZE_MAX bytes (half the address 3918 space) on the target. 3919 The functions are defined only for output of at most INT_MAX 3920 bytes. Specifying a bound in excess of that limit effectively 3921 defeats the bounds checking (and on some implementations such 3922 as Solaris cause the function to fail with EINVAL). */ 3923 if (dstsize > target_size_max () / 2) 3924 { 3925 /* Avoid warning if -Wstringop-overflow is specified since 3926 it also warns for the same thing though only for the 3927 checking built-ins. */ 3928 if ((idx_objsize == HOST_WIDE_INT_M1U 3929 || !warn_stringop_overflow)) 3930 warning_at (gimple_location (info.callstmt), info.warnopt (), 3931 "specified bound %wu exceeds maximum object size " 3932 "%wu", 3933 dstsize, target_size_max () / 2); 3934 } 3935 else if (dstsize > target_int_max ()) 3936 warning_at (gimple_location (info.callstmt), info.warnopt (), 3937 "specified bound %wu exceeds %<INT_MAX%>", 3938 dstsize); 3939 } 3940 else if (TREE_CODE (size) == SSA_NAME) 3941 { 3942 /* Try to determine the range of values of the argument 3943 and use the greater of the two at level 1 and the smaller 3944 of them at level 2. */ 3945 value_range *vr = evrp_range_analyzer.get_value_range (size); 3946 if (vr->type == VR_RANGE 3947 && TREE_CODE (vr->min) == INTEGER_CST 3948 && TREE_CODE (vr->max) == INTEGER_CST) 3949 dstsize = (warn_level < 2 3950 ? TREE_INT_CST_LOW (vr->max) 3951 : TREE_INT_CST_LOW (vr->min)); 3952 3953 /* The destination size is not constant. If the function is 3954 bounded (e.g., snprintf) a lower bound of zero doesn't 3955 necessarily imply it can be eliminated. */ 3956 dstsize_cst_p = false; 3957 } 3958 } 3959 3960 if (idx_objsize != HOST_WIDE_INT_M1U) 3961 if (tree size = gimple_call_arg (info.callstmt, idx_objsize)) 3962 if (tree_fits_uhwi_p (size)) 3963 objsize = tree_to_uhwi (size); 3964 3965 if (info.bounded && !dstsize) 3966 { 3967 /* As a special case, when the explicitly specified destination 3968 size argument (to a bounded function like snprintf) is zero 3969 it is a request to determine the number of bytes on output 3970 without actually producing any. Pretend the size is 3971 unlimited in this case. */ 3972 info.objsize = HOST_WIDE_INT_MAX; 3973 info.nowrite = dstsize_cst_p; 3974 } 3975 else 3976 { 3977 /* For calls to non-bounded functions or to those of bounded 3978 functions with a non-zero size, warn if the destination 3979 pointer is null. */ 3980 if (integer_zerop (dstptr)) 3981 { 3982 /* This is diagnosed with -Wformat only when the null is a constant 3983 pointer. The warning here diagnoses instances where the pointer 3984 is not constant. */ 3985 location_t loc = gimple_location (info.callstmt); 3986 warning_at (EXPR_LOC_OR_LOC (dstptr, loc), 3987 info.warnopt (), "null destination pointer"); 3988 return false; 3989 } 3990 3991 /* Set the object size to the smaller of the two arguments 3992 of both have been specified and they're not equal. */ 3993 info.objsize = dstsize < objsize ? dstsize : objsize; 3994 3995 if (info.bounded 3996 && dstsize < target_size_max () / 2 && objsize < dstsize 3997 /* Avoid warning if -Wstringop-overflow is specified since 3998 it also warns for the same thing though only for the 3999 checking built-ins. */ 4000 && (idx_objsize == HOST_WIDE_INT_M1U 4001 || !warn_stringop_overflow)) 4002 { 4003 warning_at (gimple_location (info.callstmt), info.warnopt (), 4004 "specified bound %wu exceeds the size %wu " 4005 "of the destination object", dstsize, objsize); 4006 } 4007 } 4008 4009 if (integer_zerop (info.format)) 4010 { 4011 /* This is diagnosed with -Wformat only when the null is a constant 4012 pointer. The warning here diagnoses instances where the pointer 4013 is not constant. */ 4014 location_t loc = gimple_location (info.callstmt); 4015 warning_at (EXPR_LOC_OR_LOC (info.format, loc), 4016 info.warnopt (), "null format string"); 4017 return false; 4018 } 4019 4020 info.fmtstr = get_format_string (info.format, &info.fmtloc); 4021 if (!info.fmtstr) 4022 return false; 4023 4024 /* The result is the number of bytes output by the formatted function, 4025 including the terminating NUL. */ 4026 format_result res = format_result (); 4027 4028 bool success = compute_format_length (info, &res); 4029 4030 /* When optimizing and the printf return value optimization is enabled, 4031 attempt to substitute the computed result for the return value of 4032 the call. Avoid this optimization when -frounding-math is in effect 4033 and the format string contains a floating point directive. */ 4034 bool call_removed = false; 4035 if (success && optimize > 0) 4036 { 4037 /* Save a copy of the iterator pointing at the call. The iterator 4038 may change to point past the call in try_substitute_return_value 4039 but the original value is needed in try_simplify_call. */ 4040 gimple_stmt_iterator gsi_call = *gsi; 4041 4042 if (flag_printf_return_value 4043 && (!flag_rounding_math || !res.floating)) 4044 call_removed = try_substitute_return_value (gsi, info, res); 4045 4046 if (!call_removed) 4047 try_simplify_call (&gsi_call, info, res); 4048 } 4049 4050 return call_removed; 4051 } 4052 4053 edge 4054 sprintf_dom_walker::before_dom_children (basic_block bb) 4055 { 4056 evrp_range_analyzer.enter (bb); 4057 for (gimple_stmt_iterator si = gsi_start_bb (bb); !gsi_end_p (si); ) 4058 { 4059 /* Iterate over statements, looking for function calls. */ 4060 gimple *stmt = gsi_stmt (si); 4061 4062 /* First record ranges generated by this statement. */ 4063 evrp_range_analyzer.record_ranges_from_stmt (stmt, false); 4064 4065 if (is_gimple_call (stmt) && handle_gimple_call (&si)) 4066 /* If handle_gimple_call returns true, the iterator is 4067 already pointing to the next statement. */ 4068 continue; 4069 4070 gsi_next (&si); 4071 } 4072 return NULL; 4073 } 4074 4075 void 4076 sprintf_dom_walker::after_dom_children (basic_block bb) 4077 { 4078 evrp_range_analyzer.leave (bb); 4079 } 4080 4081 /* Execute the pass for function FUN. */ 4082 4083 unsigned int 4084 pass_sprintf_length::execute (function *fun) 4085 { 4086 init_target_to_host_charmap (); 4087 4088 calculate_dominance_info (CDI_DOMINATORS); 4089 4090 sprintf_dom_walker sprintf_dom_walker; 4091 sprintf_dom_walker.walk (ENTRY_BLOCK_PTR_FOR_FN (fun)); 4092 4093 /* Clean up object size info. */ 4094 fini_object_sizes (); 4095 return 0; 4096 } 4097 4098 } /* Unnamed namespace. */ 4099 4100 /* Return a pointer to a pass object newly constructed from the context 4101 CTXT. */ 4102 4103 gimple_opt_pass * 4104 make_pass_sprintf_length (gcc::context *ctxt) 4105 { 4106 return new pass_sprintf_length (ctxt); 4107 } 4108