1 /* Verify that all sprintf built-ins detect overflow involving directives
2    with non-constant arguments known to be constrained by some range of
3    values, and even when writing into dynamically allocated buffers.
4    -O2 (-ftree-vrp) is necessary for the tests involving ranges to pass,
5    otherwise -O1 is sufficient.
6    { dg-do compile }
7    { dg-require-effective-target alloca }
8    { dg-options "-O2 -Wformat -Wformat-overflow=1 -ftrack-macro-expansion=0" } */
9 
/* size_t is spelled through the compiler's predefined macro; this file
   includes no library headers.  */
typedef __SIZE_TYPE__ size_t;

/* Prevent equivalent functions from being merged.  */
#define NOIPA __attribute__ ((noipa))

/* LINE selects which T() invocations are compiled: with the default of 0
   every invocation is expanded, otherwise only the one whose __LINE__
   equals LINE (see the condition inside T below).  */
#ifndef LINE
#  define LINE 0
#endif

/* Size of the object X points to, as reported by __builtin_object_size
   with type argument 0.  */
#define bos(x) __builtin_object_size (x, 0)

/* Defined (and redefined) to the allocation function to use, either
   malloc, or alloca, or a VLA.  */
#define ALLOC(p, n)   (p) = __builtin_malloc (n)

/* Defined (and redefined) to the sprintf function to exercise.  This
   first definition calls the fortified __builtin___sprintf_chk with a
   flag of 0 and OBJSIZE as the destination size; MAXSIZE is accepted
   but not used.  */
#define TEST_SPRINTF(d, maxsize, objsize, fmt, ...)		\
  __builtin___sprintf_chk (d, 0, objsize, fmt, __VA_ARGS__)

/* One test case: allocate BUFSIZE bytes with the current ALLOC, format
   into them with the current TEST_SPRINTF (passing bos (d) as the object
   size), then hand the buffer to sink.  The braces give each case its
   own scope, which the VLA flavour of ALLOC relies on because it
   expands to a declaration.  */
#define T(bufsize, fmt, ...)				\
  do {							\
    if (!LINE || __LINE__ == LINE)			\
      {							\
	char *d;					\
	ALLOC (d, bufsize);				\
	TEST_SPRINTF (d, 0, bos (d), fmt, __VA_ARGS__);	\
	sink (d);					\
      }							\
  } while (0)

/* Declared but not defined in this file; every test buffer is passed to
   it after formatting (presumably so the buffer and the formatted output
   count as used -- confirm).  */
void sink (void*);
41 
42 /* Identity function to verify that the checker figures out the value
43    of the operand even when it's not constant (i.e., makes use of
44    inlining and constant propagation information).  */
45 
/* Hand X back unchanged.  An operand wrapped in this call is not a
   constant in the source, so its value is only known after inlining
   and constant propagation.  */
static int
i (int x)
{
  return x;
}
/* Hand STR back unchanged; the string counterpart of i ().  */
static const char*
s (const char *str)
{
  return str;
}
48 
/* Function to "generate" a unique unknown number (as far as GCC can
   tell) each time it's called.  It prevents the optimizer from being
   able to narrow down the ranges of possible values in test functions
   with repeated references to the same variable.  The string tests in
   this file locally define x as a macro expanding to x (), so each
   mention of x in a T() argument is a separate call.  */
extern int x (void);
54 
55 /* Verify that the checker can detect buffer overflow when the "%s"
56    argument is in a known range of lengths and one or both of which
57    exceed the size of the destination.  */
58 
NOIPA void test_sprintf_chk_string (const char *s, const char *t)
{
  /* Each mention of x below becomes a fresh call to the external x (),
     so the condition of every ?: is unknown and the string argument may
     be either alternative.  S and T are strings of unknown length.  */
#define x x ()

  /* 1-byte destination: as soon as one alternative is the literal "1"
     the terminating nul is expected to be diagnosed, even when the other
     alternative is the unknown string S.  */
  T (1, "%-s", x ? "" : "1");       /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? "1" : "");       /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? s : "1");        /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? "1" : s);        /* { dg-warning "nul past the end" } */

  /* When neither string is known no warning should be issued at level 1
     since their lengths are assumed to be zero.  Silence at this level
     therefore does not show that such a call fits its destination.  */
  T (1, "%s", x ? s : t);

  /* 2-byte destination: alternatives of at most one character are
     accepted silently; a two-character literal is expected to lose its
     terminating nul.  */
  T (2, "%s", x ? "" : "1");
  T (2, "%s", x ? "" : s);
  T (2, "%s", x ? "1" : "");
  T (2, "%s", x ? s : "");
  T (2, "%s", x ? "1" : "2");
  T (2, "%s", x ? "" : "12");      /* { dg-warning "nul past the end" } */
  T (2, "%s", x ? "12" : "");      /* { dg-warning "nul past the end" } */

  /* A three-character literal no longer fits even without the nul, so
     the directive itself is expected to be reported.  */
  T (2, "%s", x ? "" : "123");     /* { dg-warning "into a region" } */
  T (2, "%s", x ? "123" : "");     /* { dg-warning "into a region" } */

#undef x
}
85 
86 
87 /* Verify that the checker makes use of integer constant propagation
88    to detect buffer overflow in non-constant cases.  */
89 
NOIPA void test_sprintf_chk_integer_value (void)
{
  /* 1-byte destination: a single output character already leaves no room
     for the terminating nul, and anything longer (a sign, an extra
     literal character, the 0x prefix that "%#x" adds to a nonzero value)
     is expected to be reported against the directive itself.  */
  T ( 1, "%i",  i (    0));         /* { dg-warning "nul past the end" } */
  T ( 1, "%i",  i (    1));         /* { dg-warning "nul past the end" } */
  T ( 1, "%i",  i (   -1));         /* { dg-warning "into a region" } */
  T ( 1, "%i_", i (    1));         /* { dg-warning " 1 byte into a region of size 0" } */
  T ( 1, "_%i", i (    1));         /* { dg-warning "into a region" } */
  T ( 1, "_%i_",i (    1));         /* { dg-warning "into a region" } */
  T ( 1, "%o",  i (    0));         /* { dg-warning "nul past the end" } */
  T ( 1, "%u",  i (    0));         /* { dg-warning "nul past the end" } */
  T ( 1, "%x",  i (    0));         /* { dg-warning "nul past the end" } */
  T ( 1, "%#x", i (    0));         /* { dg-warning "nul past the end" } */
  T ( 1, "%x",  i (    1));         /* { dg-warning "nul past the end" } */
  T ( 1, "%#x", i (    1));         /* { dg-warning "into a region" } */

  /* 2-byte destination: one output character fits, two characters push
     the nul out, three overflow in the directive.  */
  T ( 2, "%i",  i (    0));
  T ( 2, "%i",  i (    1));
  T ( 2, "%i",  i (    9));
  T ( 2, "%i",  i (   -1));         /* { dg-warning "nul past the end" } */
  T ( 2, "%i",  i (   10));         /* { dg-warning "nul past the end" } */
  T ( 2, "%i_", i (    0));         /* { dg-warning "nul past the end" } */
  T ( 2, "_%i", i (    0));         /* { dg-warning "nul past the end" } */
  T ( 2, "_%i_",i (    0));         /* { dg-warning " 1 byte into a region of size 0" } */
  T ( 2, "%o",  i (    1));
  T ( 2, "%o",  i (    7));
  T ( 2, "%o",  i (  010));         /* { dg-warning "nul past the end" } */
  T ( 2, "%o",  i ( 0100));         /* { dg-warning "into a region" } */
  T ( 2, "%x",  i (    1));
  T ( 2, "%#x", i (    1));         /* { dg-warning "into a region" } */
  T ( 2, "%x",  i (  0xa));
  T ( 2, "%x",  i (  0xf));
  T ( 2, "%x",  i ( 0x10));         /* { dg-warning "nul past the end" } */
  T ( 2, "%x",  i ( 0xff));         /* { dg-warning "nul past the end" } */
  T ( 2, "%x",  i (0x1ff));         /* { dg-warning "into a region" } */

  /* 3-byte destination: up to two output characters fit; -99 needs
     three and so is expected to lose its nul.  */
  T ( 3, "%i",  i (    0));
  T ( 3, "%i",  i (    1));
  T ( 3, "%i",  i (    9));
  T ( 3, "%i",  i (   -9));
  T ( 3, "%i",  i (   10));
  T ( 3, "%i",  i (   99));
  T ( 3, "%i",  i (  -99));         /* { dg-warning "nul past the end" } */

  /* The operand is a sum of two identity calls, so its value of 100 is
     only available after the addition has been folded.  */
  T ( 3, "%i",  i (99) + i (1));    /* { dg-warning "nul past the end" } */

  /* A minimum field width of 8 produces 8 characters however small the
     value is, so 9 bytes are needed including the nul.  */
  T ( 8, "%8u", i (    1));         /* { dg-warning "nul past the end" } */
  T ( 9, "%8u", i (    1));
}
138 
/* Declared by hand because this file includes no headers; the range_*
   helpers below call it to obtain a value the compiler cannot know.  */
extern int rand (void);
140 
141 /* Functions to require optimization to figure out the range of the operand.
142    Used to verify that the checker makes use of the range information to
143    avoid diagnosing the output of sufficiently constrained arguments to
144    integer directives.  */
145 
/* Yield the rand () result converted to signed char when it lies in
   [MIN, MAX], and MIN otherwise.  */
static signed char
range_schar (signed char min, signed char max)
{
  signed char pick = rand ();

  if (min <= pick && pick <= max)
    return pick;

  return min;
}
152 
/* Yield the rand () result converted to unsigned char when it lies in
   [MIN, MAX], and MIN otherwise.  */
static unsigned char
range_uchar (unsigned char min, unsigned char max)
{
  unsigned char pick = rand ();

  if (min <= pick && pick <= max)
    return pick;

  return min;
}
159 
/* Yield the rand () result converted to signed short when it lies in
   [MIN, MAX], and MIN otherwise.  */
static signed short
range_sshrt (signed short min, signed short max)
{
  signed short pick = rand ();

  if (min <= pick && pick <= max)
    return pick;

  return min;
}
166 
/* Yield the rand () result converted to unsigned short when it lies in
   [MIN, MAX], and MIN otherwise.  */
static unsigned short
range_ushrt (unsigned short min, unsigned short max)
{
  unsigned short pick = rand ();

  if (min <= pick && pick <= max)
    return pick;

  return min;
}
173 
/* Yield the rand () result when it lies in [MIN, MAX], and MIN
   otherwise.  */
static signed int
range_sint (signed int min, signed int max)
{
  signed int pick = rand ();

  if (min <= pick && pick <= max)
    return pick;

  return min;
}
180 
/* Yield the rand () result converted to unsigned int when it lies in
   [MIN, MAX], and MIN otherwise.  */
static unsigned int
range_uint (unsigned int min, unsigned int max)
{
  unsigned int pick = rand ();

  if (min <= pick && pick <= max)
    return pick;

  return min;
}
187 
NOIPA void test_sprintf_chk_range_schar (void)
{
  /* First part: R yields an int, and the hh length modifier makes the
     directive format it as a char.  The expected byte counts follow the
     converted value rather than the int range quoted in the note: for
     example [1024, 1033] is expected to take exactly 1 byte.  For
     [1024, 2035] the expected note says the full [-128, 127] range is
     used instead (presumably because the int range covers more than 256
     values -- confirm).  */
#define R(min, max) range_sint (min, max)

  T ( 0, "%hhi", R (0, 1));     /* { dg-warning ".%hhi. directive writing 1 byte into a region of size 0" } */
  /* { dg-message "directive argument in the range \\\[0, 1\\\]" "note" { target *-*-* } .-1 } */

  T ( 0, "%hhi", R (0, 127));   /* { dg-warning ".%hhi. directive writing between 1 and 3 bytes into a region of size 0" } */
  /* { dg-message "directive argument in the range \\\[0, 127\\\]" "note" { target *-*-* } .-1 } */

  T ( 0, "%hhi", R (1024, 1033));   /* { dg-warning ".%hhi. directive writing 1 byte into a region of size 0" } */
  /* { dg-message "directive argument in the range \\\[1024, 1033\\\]" "note" { target *-*-* } .-1 } */

  T ( 0, "%hhi", R (1024, 1034));   /* { dg-warning ".%hhi. directive writing between 1 and 2 bytes into a region of size 0" } */
  /* { dg-message "directive argument in the range \\\[1024, 1034\\\]" "note" { target *-*-* } .-1 } */

  T ( 0, "%hhi", R (1024, 2035));   /* { dg-warning ".%hhi. directive writing between 1 and 4 bytes into a region of size 0" } */
  /* { dg-message "using the range \\\[-128, 127\\\] for directive argument" "note" { target *-*-* } .-1 } */

  /* The same wide int range through "%#hhx": a 2-byte destination is
     expected to be reported against the directive, a 3-byte one only for
     the nul, and no diagnostic is listed for 4 bytes at level 1.  */
  T ( 2, "%#hhx", R (1234, 12345));  /* { dg-warning "'%#hhx' directive writing between 1 and 4 bytes into a region of size 2 " } */
  T ( 3, "%#hhx", R (1234, 12345));  /* { dg-warning "may write a terminating nul" } */
  T ( 4, "%#hhx", R (1234, 12345));

  /* Second part: R yields a signed char already bounded to
     [MIN, MAX].  */
#undef R
#define R(min, max) range_schar (min, max)

  T ( 0, "%i",  R (0, 9));      /* { dg-warning ".%i. directive writing 1 byte into a region of size 0" } */
  T ( 1, "%i",  R (0, 9));      /* { dg-warning "nul past the end" } */
  T ( 2, "%i",  R (0, 9));
  T ( 2, "%i",  R (-1, 0));     /* { dg-warning "may write a terminating nul past the end of the destination" } */
  T ( 2, "%i",  R (9, 10));     /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 3, "%i",  R ( -9,   9));
  T ( 3, "%i",  R (-99,  99));  /* { dg-warning "may write a terminating nul past the end of the destination" } */
  T ( 3, "%i",  R (  0,  99));
  T ( 3, "%i",  R (  0, 100));  /* { dg-warning "may write a terminating nul past the end of the destination" } */

  /* The following call may write as few as 2 bytes and as many as 4.
     It's a judgment call how best to diagnose it to make the potential
     problem clear.  */
  T ( 3, "%i%i", R (1, 10), R (9, 10));   /* { dg-warning "directive writing between 1 and 2 bytes into a region of size between 1 and 2" } */

  T ( 4, "%i%i", R (10, 11), R (12, 13));   /* { dg-warning "nul past the end" } */

  T ( 5, "%i%i", R (-9, 99), R (-9, 99));

  /* Three bounded directives separated by literal characters in a 6-byte
     destination: all single digits fit exactly, and widening any one
     range to two digits is expected to put the nul at risk.  */
  T ( 6, "%i_%i_%i", R (0, 9), R (0, 9), R (0,  9));
  T ( 6, "%i_%i_%i", R (0, 9), R (0, 9), R (0, 10));  /* { dg-warning "may write a terminating nul past the end" } */
  T ( 6, "%i_%i_%i", R (0, 9), R (0, 10), R (0, 9));  /* { dg-warning "may write a terminating nul past the end" } */
  T ( 6, "%i_%i_%i", R (0, 10), R (0, 9), R (0, 9));  /* { dg-warning "may write a terminating nul past the end" } */
  T ( 6, "%hhi_%hi_%i", R (0, 9), R (0, 10), R (0, 10)); /* { dg-warning ".i. directive writing between 1 and 2 bytes into a region of size between 1 and 2" } */

  /* A width or precision of 3 followed by '|' and a width or precision
     of 2 already accounts for all 6 bytes, so the '/' character is the
     first output expected to be reported.  */
  T ( 6, "%3i|%2i/%1i", R (0, 99), R (0, 99), R (0, 99)); /* { dg-warning "./. directive writing 1 byte into a region of size 0" } */
  T ( 6, "%.3i|%.2i/%i", R (0, 99), R (0, 99), R (0, 99)); /* { dg-warning "./. directive writing 1 byte into a region of size 0" } */
  T ( 6, "%.3i|%.2i/%i", R (0, 119), R (0, 99), R (0, 99)); /* { dg-warning "./. directive writing 1 byte into a region of size 0" } */
  T ( 6, "%.3i|%.2i/%i", R (0, 1), R (0, 2), R (0, 3)); /* { dg-warning "./. directive writing 1 byte into a region of size 0" } */
}
244 
NOIPA void test_sprintf_chk_range_uchar (void)
{
  /* R now yields an unsigned char bounded to [MIN, MAX].  A definite
     overflow is expected to be reported as such, while a range whose
     upper end needs one digit more than fits is expected to produce the
     "may write" form.  */
#undef R
#define R(min, max) range_uchar (min, max)

  T ( 0, "%i",  R (0,  9));   /* { dg-warning ".%i. directive writing 1 byte into a region of size 0" } */
  T ( 1, "%i",  R (0,  9));   /* { dg-warning "nul past the end" } */
  T ( 2, "%i",  R (0,  9));
  T ( 2, "%i",  R (9, 10));   /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 3, "%i",  R (0,  99));
  T ( 3, "%i",  R (0, 100));  /* { dg-warning "may write a terminating nul past the end of the destination" } */
}
258 
NOIPA void test_sprintf_chk_range_sshrt (void)
{
  /* R now yields a signed short bounded to [MIN, MAX].  For each
     destination size the cases step from ranges that always fit to a
     range whose upper end (or negative lower end) needs one character
     more than the destination can hold with its nul.  */
#undef R
#define R(min, max) range_sshrt (min, max)

  T ( 0, "%i",  R ( 0, 9));     /* { dg-warning ".%i. directive writing 1 byte into a region of size 0" } */
  T ( 1, "%i",  R ( 0, 1));     /* { dg-warning "nul past the end" } */
  T ( 1, "%i",  R ( 0, 9));     /* { dg-warning "nul past the end" } */
  T ( 2, "%i",  R ( 0, 1));
  T ( 2, "%i",  R ( 8, 9));
  T ( 2, "%i",  R ( 0, 9));
  T ( 2, "%i",  R (-1, 0));     /* { dg-warning "may write a terminating nul past the end of the destination" } */
  T ( 2, "%i",  R ( 9, 10));    /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 3, "%i",  R ( 0, 99));
  T ( 3, "%i",  R (99, 999));   /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 4, "%i",  R (  0,  999));
  T ( 4, "%i",  R ( 99,  999));
  T ( 4, "%i",  R (998,  999));
  T ( 4, "%i",  R (999, 1000)); /* { dg-warning "may write a terminating nul past the end of the destination" } */
}
281 
NOIPA void test_sprintf_chk_range_ushrt (void)
{
  /* R now yields an unsigned short bounded to [MIN, MAX].  The cases
     mirror the signed short ones, without the negative range.  */
#undef R
#define R(min, max) range_ushrt (min, max)

  T ( 0, "%i",  R ( 0, 9));     /* { dg-warning ".%i. directive writing 1 byte into a region of size 0" } */
  T ( 1, "%i",  R ( 0, 1));     /* { dg-warning "nul past the end" } */
  T ( 1, "%i",  R ( 0, 9));     /* { dg-warning "nul past the end" } */
  T ( 2, "%i",  R ( 0, 1));
  T ( 2, "%i",  R ( 8, 9));
  T ( 2, "%i",  R ( 0, 9));
  T ( 2, "%i",  R ( 9, 10));    /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 3, "%i",  R ( 0, 99));
  T ( 3, "%i",  R (99, 999));   /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 4, "%i",  R (  0,  999));
  T ( 4, "%i",  R ( 99,  999));
  T ( 4, "%i",  R (998,  999));
  T ( 4, "%i",  R (999, 1000)); /* { dg-warning "may write a terminating nul past the end of the destination" } */
}
303 
NOIPA void test_sprintf_chk_range_sint (void)
{
  /* R now yields a signed int bounded to [MIN, MAX].  For each
     destination size the cases step from ranges that always fit to a
     range whose upper end (or negative lower end) needs one character
     more than the destination can hold with its nul.  */
#undef R
#define R(min, max) range_sint (min, max)

  T ( 0, "%i",  R ( 0, 9));     /* { dg-warning ".%i. directive writing 1 byte into a region of size 0" } */
  T ( 1, "%i",  R ( 0, 1));     /* { dg-warning "nul past the end" } */
  T ( 1, "%i",  R ( 0, 9));     /* { dg-warning "nul past the end" } */
  T ( 2, "%i",  R ( 0, 1));
  T ( 2, "%i",  R ( 8, 9));
  T ( 2, "%i",  R ( 0, 9));
  T ( 2, "%i",  R (-1, 0));     /* { dg-warning "may write a terminating nul past the end of the destination" } */
  T ( 2, "%i",  R ( 9, 10));    /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 3, "%i",  R ( 0, 99));
  T ( 3, "%i",  R (99, 999));   /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 4, "%i",  R (  0,  999));
  T ( 4, "%i",  R ( 99,  999));
  T ( 4, "%i",  R (998,  999));
  T ( 4, "%i",  R (999, 1000)); /* { dg-warning "may write a terminating nul past the end of the destination" } */
}
326 
NOIPA void test_sprintf_chk_range_uint (void)
{
  /* R now yields an unsigned int bounded to [MIN, MAX].  The cases
     mirror the signed int ones, without the negative range.  */
#undef R
#define R(min, max) range_uint (min, max)

  T ( 0, "%i",  R ( 0, 9));     /* { dg-warning ".%i. directive writing 1 byte into a region of size 0" } */
  T ( 1, "%i",  R ( 0, 1));     /* { dg-warning "nul past the end" } */
  T ( 1, "%i",  R ( 0, 9));     /* { dg-warning "nul past the end" } */
  T ( 2, "%i",  R ( 0, 1));
  T ( 2, "%i",  R ( 8, 9));
  T ( 2, "%i",  R ( 0, 9));
  T ( 2, "%i",  R ( 9, 10));    /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 3, "%i",  R ( 0, 99));
  T ( 3, "%i",  R (99, 999));   /* { dg-warning "may write a terminating nul past the end of the destination" } */

  T ( 4, "%i",  R (  0,  999));
  T ( 4, "%i",  R ( 99,  999));
  T ( 4, "%i",  R (998,  999));
  T ( 4, "%i",  R (999, 1000)); /* { dg-warning "may write a terminating nul past the end of the destination" } */
}
348 
349 /* Verify that destination size in excess of INT_MAX (and, separately,
350    in excess of the largest object) is diagnosed.  The former because
351    the functions are defined only for output of at most INT_MAX and
352    specifying a large upper bound defeats the bounds checking (and,
353    on some implementations such as Solaris, causes the function to
354    fail).  The latter because due to the limit of ptrdiff_t no object
355    can be larger than PTRDIFF_MAX bytes.  */
356 
NOIPA void test_too_large (char *d, int x, __builtin_va_list va)
{
  /* D is the destination, X the value formatted by "%c", and VA the
     argument list handed to the v* variants.  Only the size bound passed
     to each call matters here.  */
  const size_t imax = __INT_MAX__;
  const size_t imax_p1 = imax + 1;

  /* For each of the four functions a bound of exactly INT_MAX carries no
     expected diagnostic, while INT_MAX + 1 does.  The expected wording
     depends on the target: "exceeds INT_MAX" where lp64 or msp430_large
     holds, "exceeds maximum object size" on the other listed targets.  */
  __builtin_snprintf (d, imax,    "%c", x);
  __builtin_snprintf (d, imax_p1, "%c", x);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "INT_MAX + 1" { target { lp64 || msp430_large } } } */
  /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size" "INT_MAX + 1" { target { { avr-*-* } || { { ilp32 } || { int16 && { ! msp430_large } } } } } .-1 } */

  __builtin_vsnprintf (d, imax,    "%c", va);
  __builtin_vsnprintf (d, imax_p1, "%c", va);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "INT_MAX + 1" { target { lp64 || msp430_large } } } */
  /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size" "INT_MAX + 1" { target { { avr-*-* } || { { ilp32 } || { int16 && { ! msp430_large } } } } } .-1 } */

  __builtin___snprintf_chk (d, imax,    0, imax,    "%c", x);
  __builtin___snprintf_chk (d, imax_p1, 0, imax_p1, "%c", x);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "INT_MAX + 1" { target { lp64 || msp430_large } } } */
  /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size" "INT_MAX + 1" { target { { avr-*-* } || { { ilp32 } || { int16 && { ! msp430_large } } } } } .-1 } */

  __builtin___vsnprintf_chk (d, imax,    0, imax,    "%c", va);
  __builtin___vsnprintf_chk (d, imax_p1, 0, imax_p1, "%c", va);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "INT_MAX + 1" { target { lp64 || msp430_large } } } */
  /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size" "INT_MAX + 1" { target { { avr-*-* } || { { ilp32 } || { int16 && { ! msp430_large } } } } } .-1 } */

  /* Bounds of PTRDIFF_MAX - 1 and PTRDIFF_MAX: an "exceeds INT_MAX"
     diagnostic is listed for lp64 or msp430_large targets only; no
     expectation is stated here for other targets.  */
  const size_t ptrmax = __PTRDIFF_MAX__;
  const size_t ptrmax_m1 = ptrmax - 1;

  __builtin_snprintf (d, ptrmax_m1, "%c", x);  /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "PTRDIFF_MAX - 1" { target { lp64 || msp430_large } } } */
  __builtin_snprintf (d, ptrmax, "  %c", x);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "PTRDIFF_MAX" { target { lp64 || msp430_large } } } */

  __builtin_vsnprintf (d, ptrmax_m1, "%c", va);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "PTRDIFF_MAX - 1" { target { lp64 || msp430_large } } } */
  __builtin_vsnprintf (d, ptrmax,    "%c", va);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "PTRDIFF_MAX" { target { lp64 || msp430_large } } } */

  __builtin___snprintf_chk (d, ptrmax_m1, 0, ptrmax_m1, "%c", x);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "PTRDIFF_MAX - 1" { target { lp64 || msp430_large } } } */
  __builtin___snprintf_chk (d, ptrmax,    0, ptrmax,    "%c", x);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "PTRDIFF_MAX" { target { lp64 || msp430_large } } } */

  __builtin___vsnprintf_chk (d, ptrmax_m1, 0, ptrmax_m1, "%c", va);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "PTRDIFF_MAX - 1" { target { lp64 || msp430_large } } } */
  __builtin___vsnprintf_chk (d, ptrmax,    0, ptrmax,    "%c", va);   /* { dg-warning "specified bound \[0-9\]+ exceeds .INT_MAX." "PTRDIFF_MAX" { target { lp64 || msp430_large } } } */
}
393 
/* Exercise ordinary sprintf with malloc.  From here on TEST_SPRINTF
   expands to __builtin_sprintf, which takes no size argument: MAXSIZE
   and OBJSIZE are accepted but dropped, so any diagnostic has to come
   from what the compiler knows about the allocation itself.  */
#undef TEST_SPRINTF
#define TEST_SPRINTF(d, maxsize, objsize, fmt, ...)	\
  __builtin_sprintf (d, fmt, __VA_ARGS__)
398 
NOIPA void test_sprintf_malloc (const char *s, const char *t)
{
  /* Each mention of x below becomes a fresh call to the external x (),
     so the condition of every ?: is unknown.  S and T are strings of
     unknown length.  */
#define x x ()

  /* 1-byte destination: a warning is expected whenever one alternative
     is the literal "1"; none is listed when both alternatives are
     unknown strings.  */
  T (1, "%-s", x ? "" : "1");       /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? "1" : "");       /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? s : "1");        /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? "1" : s);        /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? s : t);

  /* 2-byte destination: at most one known character fits, two known
     characters push the nul out, three overflow in the directive.  */
  T (2, "%-s", x ? "" : "1");
  T (2, "%-s", x ? "" : s);
  T (2, "%-s", x ? "1" : "");
  T (2, "%-s", x ? s : "");
  T (2, "%-s", x ? "1" : "2");
  T (2, "%-s", x ? "" : "12");      /* { dg-warning "nul past the end" } */
  T (2, "%-s", x ? "12" : "");      /* { dg-warning "nul past the end" } */

  T (2, "%-s", x ? "" : "123");     /* { dg-warning "into a region" } */
  T (2, "%-s", x ? "123" : "");     /* { dg-warning "into a region" } */

#undef x
}
422 
/* Exercise ordinary sprintf with alloca.  From here on ALLOC obtains the
   destination from __builtin_alloca instead of __builtin_malloc.  */
#undef ALLOC
#define ALLOC(p, n) (p) = __builtin_alloca (n)
426 
NOIPA void test_sprintf_alloca (const char *s, const char *t)
{
  /* Each mention of x below becomes a fresh call to the external x (),
     so the condition of every ?: is unknown.  S and T are strings of
     unknown length.  */
#define x x ()

  /* 1-byte destination: a warning is expected whenever one alternative
     is the literal "1"; none is listed when both alternatives are
     unknown strings.  */
  T (1, "%-s", x ? "" : "1");       /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? "1" : "");       /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? s : "1");        /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? "1" : s);        /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? s : t);

  /* 2-byte destination: at most one known character fits, two known
     characters push the nul out, three overflow in the directive.  */
  T (2, "%-s", x ? "" : "1");
  T (2, "%-s", x ? "" : s);
  T (2, "%-s", x ? "1" : "");
  T (2, "%-s", x ? s : "");
  T (2, "%-s", x ? "1" : "2");
  T (2, "%-s", x ? "" : "12");      /* { dg-warning "nul past the end" } */
  T (2, "%-s", x ? "12" : "");      /* { dg-warning "nul past the end" } */

  T (2, "%-s", x ? "" : "123");     /* { dg-warning "into a region" } */
  T (2, "%-s", x ? "123" : "");     /* { dg-warning "into a region" } */

#undef x
}
450 
/* Exercise ordinary sprintf with a VLA.  The array bound goes through
   the identity function i (), so it is not a constant in the source.
   This definition expands to a declaration followed by an assignment
   and therefore needs the enclosing braces that T supplies.  */
#undef ALLOC
#define ALLOC(p, n) char vla [i (n)]; (p) = vla
454 
NOIPA void test_sprintf_vla (const char *s, const char *t)
{
  /* Each mention of x below becomes a fresh call to the external x (),
     so the condition of every ?: is unknown.  S and T are strings of
     unknown length.  */
#define x x ()

  /* 1-byte destination: a warning is expected whenever one alternative
     is the literal "1"; none is listed when both alternatives are
     unknown strings.  */
  T (1, "%-s", x ? "" : "1");       /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? "1" : "");       /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? s : "1");        /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? "1" : s);        /* { dg-warning "nul past the end" } */
  T (1, "%-s", x ? s : t);

  /* 2-byte destination: at most one known character fits, two known
     characters push the nul out, three overflow in the directive.  */
  T (2, "%-s", x ? "" : "1");
  T (2, "%-s", x ? "" : s);
  T (2, "%-s", x ? "1" : "");
  T (2, "%-s", x ? s : "");
  T (2, "%-s", x ? "1" : "2");
  T (2, "%-s", x ? "" : "12");      /* { dg-warning "nul past the end" } */
  T (2, "%-s", x ? "12" : "");      /* { dg-warning "nul past the end" } */

  T (2, "%-s", x ? "" : "123");     /* { dg-warning "into a region" } */
  T (2, "%-s", x ? "123" : "");     /* { dg-warning "into a region" } */

#undef x
}
478