1 /* Copyright (C) 2016-2018 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
3
4 This file is part of GCC.
|
|
5
|
|
6 GCC is free software; you can redistribute it and/or modify it under
|
|
7 the terms of the GNU General Public License as published by the Free
|
|
8 Software Foundation; either version 3, or (at your option) any later
|
|
9 version.
|
|
10
|
|
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
14 for more details.
|
|
15
|
|
16 You should have received a copy of the GNU General Public License
|
|
17 along with GCC; see the file COPYING3. If not see
|
|
18 <http://www.gnu.org/licenses/>. */
|
|
19
|
|
20 /* This file implements the printf-return-value pass. The pass does
|
|
21 two things: 1) it analyzes calls to formatted output functions like
|
|
22 sprintf looking for possible buffer overflows and calls to bounded
|
|
23 functions like snprintf for early truncation (and under the control
|
|
24 of the -Wformat-length option issues warnings), and 2) under the
|
|
25 control of the -fprintf-return-value option it folds the return
|
|
26 value of safe calls into constants, making it possible to eliminate
|
|
27 code that depends on the value of those constants.
|
|
28
|
|
   For all functions (bounded or not) the pass uses the size of the
   destination object.  That means that it will diagnose calls to
   snprintf not on the basis of the size specified by the function's
   second argument but rather on the basis of the size the first
   argument points to (if possible).  For bound-checking built-ins
   like __builtin___snprintf_chk the pass uses the size typically
   determined by __builtin_object_size and passed to the built-in
   by the Glibc inline wrapper.
|
|
37
|
|
   The pass handles all forms of standard sprintf format directives,
   including character, integer, floating point, pointer, and strings,
   with the standard C flags, widths, and precisions.  For integers
   and strings it computes the length of output itself.  For floating
   point it uses MPFR to format known constants with up and down
   rounding and uses the resulting range of output lengths.  For
   strings it uses the length of string literals and the sizes of
   character arrays that a character pointer may point to as a bound
   on the longest string.  */
|
|
47
|
|
48 #include "config.h"
|
|
49 #include "system.h"
|
|
50 #include "coretypes.h"
|
|
51 #include "backend.h"
|
|
52 #include "tree.h"
|
|
53 #include "gimple.h"
|
|
54 #include "tree-pass.h"
|
|
55 #include "ssa.h"
|
|
56 #include "gimple-fold.h"
|
|
57 #include "gimple-pretty-print.h"
|
|
58 #include "diagnostic-core.h"
|
|
59 #include "fold-const.h"
|
|
60 #include "gimple-iterator.h"
|
|
61 #include "tree-ssa.h"
|
|
62 #include "tree-object-size.h"
|
|
63 #include "params.h"
|
|
64 #include "tree-cfg.h"
|
|
65 #include "tree-ssa-propagate.h"
|
|
66 #include "calls.h"
|
|
67 #include "cfgloop.h"
|
|
68 #include "intl.h"
|
|
69 #include "langhooks.h"
|
|
70
|
|
71 #include "builtins.h"
|
|
72 #include "stor-layout.h"
|
|
73
|
|
74 #include "realmpfr.h"
|
|
75 #include "target.h"
|
|
76
|
|
77 #include "cpplib.h"
|
|
78 #include "input.h"
|
|
79 #include "toplev.h"
|
|
80 #include "substring-locations.h"
|
|
81 #include "diagnostic.h"
|
131
|
82 #include "domwalk.h"
|
|
83 #include "alloc-pool.h"
|
|
84 #include "vr-values.h"
|
|
85 #include "gimple-ssa-evrp-analyze.h"
|
111
|
86
|
|
/* The likely worst case value of MB_LEN_MAX for the target, large enough
   for UTF-8.  Ideally, this would be obtained by a target hook if it were
   to be used for optimization but it's good enough as is for warnings.  */
#define target_mb_len_max() 6

/* The maximum number of bytes a single non-string directive can result
   in.  This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for
   LDBL_MAX_10_EXP of 4932: INT_MAX fractional digits (the widest
   possible precision), up to 4932 integral digits, plus 2 for the
   minus sign and the decimal point.  */
#define IEEE_MAX_10_EXP 4932
/* target_int_max () is defined further down in this file; the macro
   is only expanded where that definition is already in scope.  */
#define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2)
|
|
97
|
|
98 namespace {
|
|
99
|
|
/* Static description of the pass: a GIMPLE pass named
   "printf-return-value" that requires the CFG (PROP_cfg) and neither
   provides nor destroys any properties of its own.  The same
   description serves both the early and the late instance of the pass
   (see pass_sprintf_length::set_pass_param and gate () below).  */
const pass_data pass_data_sprintf_length = {
  GIMPLE_PASS,             // pass type
  "printf-return-value",   // pass name
  OPTGROUP_NONE,           // optinfo_flags
  TV_NONE,                 // tv_id
  PROP_cfg,                // properties_required
  0,                       // properties_provided
  0,                       // properties_destroyed
  0,                       // properties_start
  0,                       // properties_finish
};
|
|
111
|
|
/* Set to the warning level for the current function which is equal
   either to warn_format_trunc for bounded functions or to
   warn_format_overflow otherwise.  A level above 1 changes how the
   LIKELY counter is estimated (see
   fmtresult::adjust_for_width_or_precision below).  */

static int warn_level;

/* Declared ahead of its definition below because sprintf_dom_walker
   refers to it.  */
struct format_result;
|
|
119
|
131
|
/* Dominator-tree walker (over CDI_DOMINATORS) used to visit the basic
   blocks of the current function and process the calls to formatted
   output functions they contain.  */
class sprintf_dom_walker : public dom_walker
{
 public:
  sprintf_dom_walker () : dom_walker (CDI_DOMINATORS) {}
  ~sprintf_dom_walker () {}

  /* dom_walker hooks run before and after the dominator children of
     a block are visited; defined elsewhere in this file.  */
  edge before_dom_children (basic_block) FINAL OVERRIDE;
  void after_dom_children (basic_block) FINAL OVERRIDE;
  /* Process the call statement at the iterator.  The meaning of the
     return value is defined with the function, not here.  */
  bool handle_gimple_call (gimple_stmt_iterator *);

  /* Description of one call to a formatted function; defined below.  */
  struct call_info;
  /* Compute the range of bytes the described call can produce into
     the format_result.  */
  bool compute_format_length (call_info &, format_result *);
  /* Range analyzer carried along the walk.  NOTE(review): presumably
     the source of the vr_values passed to directive::set_width and
     friends -- its uses are outside this view.  */
  class evrp_range_analyzer evrp_range_analyzer;
};
|
|
134
|
111
|
/* The pass object.  FOLD_RETURN_VALUE tells the two instances of the
   pass apart: it is false by default (the early instance) and set to
   true via set_pass_param for the instance that gate () lets run
   when optimizing.  */
class pass_sprintf_length : public gimple_opt_pass
{
  bool fold_return_value;

 public:
  pass_sprintf_length (gcc::context *ctxt)
    : gimple_opt_pass (pass_data_sprintf_length, ctxt),
    fold_return_value (false)
  { }

  opt_pass * clone () { return new pass_sprintf_length (m_ctxt); }

  /* Return true when this instance should run on the function.  */
  virtual bool gate (function *);

  /* Run the pass over the function; defined elsewhere in this file.  */
  virtual unsigned int execute (function *);

  /* The pass accepts a single parameter (N must be 0) that selects
     whether this instance folds return values.  */
  void set_pass_param (unsigned int n, bool param)
    {
      gcc_assert (n == 0);
      fold_return_value = param;
    }

};
|
|
158
|
|
bool
pass_sprintf_length::gate (function *)
{
  /* Nothing to do unless at least one of -Wformat-overflow,
     -Wformat-truncation, or -fprintf-return-value is in effect.  */
  const bool anything_enabled = (warn_format_overflow > 0
				 || warn_format_trunc > 0
				 || flag_printf_return_value);
  if (!anything_enabled)
    return false;

  /* Of the two instances of the pass only one runs: the early one
     (FOLD_RETURN_VALUE false) when not optimizing, the late one when
     optimizing.  */
  const bool optimizing = optimize > 0;
  return optimizing == fold_return_value;
}
|
|
171
|
|
/* The minimum, maximum, likely, and unlikely maximum number of bytes
   of output either a formatting function or an individual directive
   can result in.  A plain aggregate without constructors: users set
   all four counters explicitly (see bytes_remaining below).  */

struct result_range
{
  /* The absolute minimum number of bytes.  The result of a successful
     conversion is guaranteed to be no less than this.  (An erroneous
     conversion can be indicated by MIN > HOST_WIDE_INT_MAX.)  */
  unsigned HOST_WIDE_INT min;
  /* The likely maximum result that is used in diagnostics.  In most
     cases MAX is the same as the worst case UNLIKELY result.  */
  unsigned HOST_WIDE_INT max;
  /* The likely result used to trigger diagnostics.  For conversions
     that result in a range of bytes [MIN, MAX], LIKELY is somewhere
     in that range.  */
  unsigned HOST_WIDE_INT likely;
  /* In rare cases (e.g., for multibyte characters) UNLIKELY gives
     the worst-case maximum result of a directive.  In most cases
     UNLIKELY == MAX.  UNLIKELY is used to control the return value
     optimization but not in diagnostics.  */
  unsigned HOST_WIDE_INT unlikely;
};
|
|
195
|
|
/* The result of a call to a formatted function.  */

struct format_result
{
  /* Range of characters written by the formatted function.
     Setting the minimum to HOST_WIDE_INT_MAX disables all
     length tracking for the remainder of the format string.  */
  result_range range;

  /* True when the range above is obtained from known values of
     directive arguments, or bounds on the amount of output such
     as width and precision, and not the result of heuristics that
     depend on warning levels.  It's used to issue stricter diagnostics
     in cases where strings of unknown lengths are bounded by the arrays
     they are determined to refer to.  KNOWNRANGE must not be used for
     the return value optimization.  */
  bool knownrange;

  /* True if no individual directive could fail or result in more than
     4095 bytes of output (the total NUMBER_CHARS_{MIN,MAX} might be
     greater).  Implementations are not required to handle directives
     that produce more than 4K bytes (leading to undefined behavior)
     and so when one is found it disables the return value optimization.
     Similarly, directives that can fail (such as wide character
     directives) disable the optimization.  */
  bool posunder4k;

  /* True when a floating point directive has been seen in the format
     string.  */
  bool floating;

  /* True when an intermediate result has caused a warning.  Used to
     avoid issuing duplicate warnings while finishing the processing
     of a call.  WARNED also disables the return value optimization.  */
  bool warned;

  /* Preincrement the number of output characters by 1.  Counters
     that have reached HOST_WIDE_INT_MAX stay there (see operator+=).  */
  format_result& operator++ ()
  {
    return *this += 1;
  }

  /* Postincrement the number of output characters by 1, returning
     a copy of the previous state.  */
  format_result operator++ (int)
  {
    format_result prev (*this);
    *this += 1;
    return prev;
  }

  /* Increment the number of output characters by N.  N must be less
     than HOST_WIDE_INT_MAX; counters that have already reached that
     value are left unchanged.  */
  format_result& operator+= (unsigned HOST_WIDE_INT);
};
|
|
249
|
|
format_result&
format_result::operator+= (unsigned HOST_WIDE_INT n)
{
  gcc_assert (n < HOST_WIDE_INT_MAX);

  /* A counter that has reached HOST_WIDE_INT_MAX is saturated (length
     tracking for it is disabled) and stays there; every other counter
     grows by N.  */
  unsigned HOST_WIDE_INT *const counters[] = {
    &range.min, &range.max, &range.likely, &range.unlikely
  };
  const size_t ncounters = sizeof counters / sizeof *counters;

  for (size_t i = 0; i != ncounters; ++i)
    {
      unsigned HOST_WIDE_INT &counter = *counters[i];
      if (counter < HOST_WIDE_INT_MAX)
	counter += n;
    }

  return *this;
}
|
|
269
|
|
/* Return the value of INT_MIN for the target, taken from the minimum
   of the target's int type.  */

static inline HOST_WIDE_INT
target_int_min ()
{
  const tree minval = TYPE_MIN_VALUE (integer_type_node);
  return tree_to_shwi (minval);
}
|
|
277
|
|
/* Return the value of INT_MAX for the target, taken from the maximum
   of the target's int type.  */

static inline unsigned HOST_WIDE_INT
target_int_max ()
{
  const tree maxval = TYPE_MAX_VALUE (integer_type_node);
  return tree_to_uhwi (maxval);
}
|
|
285
|
|
/* Return the value of SIZE_MAX for the target, taken from the maximum
   of the target's size_t type.  */

static inline unsigned HOST_WIDE_INT
target_size_max ()
{
  const tree maxval = TYPE_MAX_VALUE (size_type_node);
  return tree_to_uhwi (maxval);
}
|
|
293
|
|
/* A straightforward mapping from the execution character set to the host
   character set indexed by execution character.  Two elements carry
   extra meaning (see init_target_to_host_charmap): element zero is
   set to 1 when the character sets agree on the characters that
   matter, letting target_to_host skip the conversion, and a non-zero
   '%' element marks the table as initialized.  */

static char target_to_host_charmap[256];
|
|
298
|
|
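/* Initialize a mapping from the execution character set to the host
   character set.  Return true on success (including when the table
   was already initialized by an earlier call) and false when the
   target character set cannot be queried; in the latter case the
   table is left marked as uninitialized so that a later call retries
   instead of reporting a partially filled table as ready.  */

static bool
init_target_to_host_charmap ()
{
  /* If the percent sign is non-zero the mapping has already been
     initialized.  */
  if (target_to_host_charmap['%'])
    return true;

  /* Initialize the target_percent character (done elsewhere).  */
  if (!init_target_chars ())
    return false;

  /* The subset of the source character set used by printf conversion
     specifications (strictly speaking, not all letters are used but
     they are included here for the sake of simplicity).  The dollar
     sign must be included even though it's not in the basic source
     character set.  */
  const char srcset[] = " 0123456789!\"#%&'()*+,-./:;<=>?[\\]^_{|}~$"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

  /* Set the mapping for all characters to some ordinary value (i.e.,
     one not used in printf conversion specifications) and overwrite
     those that are used by conversion specifications with their
     corresponding values.  Element zero is skipped: it serves as
     the "1-to-1 mapping" flag set at the end.  */
  memset (target_to_host_charmap + 1, '?', sizeof target_to_host_charmap - 1);

  /* Are the two sets of characters the same?  */
  bool all_same_p = true;

  for (const char *pc = srcset; *pc; ++pc)
    {
      /* Slice off the high end bits in case target characters are
	 signed.  All values are expected to be non-nul, otherwise
	 there's a problem.  */
      const unsigned char tc = lang_hooks.to_target_charset (*pc);
      if (!tc)
	{
	  /* The memset above already made the '%' element non-zero,
	     which the check at the top takes to mean "initialized".
	     Clear it so the failure isn't cached as success; the rest
	     of the table keeps its innocuous '?' filler.  */
	  target_to_host_charmap['%'] = 0;
	  return false;
	}

      target_to_host_charmap[tc] = *pc;
      if (tc != *pc)
	all_same_p = false;
    }

  /* Set the first element to a non-zero value if the mapping
     is 1-to-1, otherwise leave it clear (NUL is assumed to be
     the same in both character sets).  */
  target_to_host_charmap[0] = all_same_p;

  return true;
}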
|
|
354
|
|
/* Return the host source character corresponding to the character
   CH in the execution character set if one exists, or some innocuous
   (non-special, non-nul) source character otherwise.  Relies on
   init_target_to_host_charmap having filled in the table.  */

static inline unsigned char
target_to_host (unsigned char ch)
{
  const unsigned char hostch = target_to_host_charmap[ch];
  return hostch;
}
|
|
364
|
|
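/* Convert an initial substring of the string TARGSTR consisting of
   characters in the execution character set into a string in the
   source character set on the host and store up to HOSTSZ characters
   in the buffer pointed to by HOSTR.  Strings longer than HOSTSZ - 4
   characters are cut there and "..." appended; the result is always
   nul-terminated and fits in HOSTSZ bytes.  Return HOSTR.  */

static const char*
target_to_host (char *hostr, size_t hostsz, const char *targstr)
{
  /* Make sure the buffer is reasonably big: there must be room for
     at least one character, the "..." marker, and the nul.  */
  gcc_assert (hostsz > 4);

  /* The number of characters of TARGSTR kept before truncating.  */
  const size_t maxlen = hostsz - 4;

  /* The interesting subset of source and execution characters are
     the same so no conversion is necessary.  However, truncate
     overlong strings just like the translated strings are.  */
  if (target_to_host_charmap['\0'] == 1)
    {
      const size_t len = strlen (targstr);
      if (len < maxlen)
	memcpy (hostr, targstr, len + 1);
      else
	{
	  /* Copy exactly MAXLEN characters and then terminate.  A bare
	     strncpy (hostr, targstr, maxlen) would leave HOSTR without
	     a nul whenever LEN is in [MAXLEN, HOSTSZ), since the "..."
	     was only appended for LEN >= HOSTSZ.  */
	  memcpy (hostr, targstr, maxlen);
	  strcpy (hostr + maxlen, "...");
	}
      return hostr;
    }

  /* Convert the initial substring of TARGSTR to the corresponding
     characters in the host set, appending "..." if TARGSTR is too
     long to fit.  */
  for (char *ph = hostr; ; ++targstr)
    {
      *ph++ = target_to_host (*targstr);
      if (!*targstr)
	break;

      if (size_t (ph - hostr) == maxlen)
	{
	  *ph = '\0';
	  strcat (ph, "...");
	  break;
	}
    }

  return hostr;
}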
|
|
407
|
|
/* Convert the sequence of decimal digits in the execution character
   set starting at *PS to a long, just like strtol does.  Return the
   result and advance *PS to one past the last converted character.
   On range error return LONG_MAX and set *ERANGE to point at the
   digit that caused it (the remaining digits are still skipped).
   *ERANGE is not touched otherwise.  */

static inline long
target_strtol10 (const char **ps, const char **erange)
{
  unsigned HOST_WIDE_INT val = 0;

  for (unsigned char c = target_to_host (**ps); ISDIGIT (c);
       c = target_to_host (*++*ps))
    {
      const unsigned digit = c - '0';

      /* Accumulate as long as VAL * 10 + DIGIT stays within LONG_MAX.  */
      if (val <= (LONG_MAX - digit) / 10LU)
	{
	  val = val * 10 + digit;
	  continue;
	}

      /* Overflow: saturate, remember the offending digit, and skip
	 the remaining digits.  */
      val = LONG_MAX;
      *erange = *ps;

      do
	c = target_to_host (*++*ps);
      while (ISDIGIT (c));
      break;
    }

  return val;
}
|
|
445
|
|
/* Given FORMAT, set *PLOC to the source location of the format string
   (falling back on input_location when the expression has none) and
   return the format string if it is known or null otherwise.  */

static const char*
get_format_string (tree format, location_t *ploc)
{
  const location_t fmtloc = EXPR_LOC_OR_LOC (format, input_location);
  *ploc = fmtloc;

  return c_getstr (format);
}
|
|
456
|
131
|
/* For convenience and brevity, shorter named entrypoints of
   format_string_diagnostic_t::emit_warning_va and
   format_string_diagnostic_t::emit_warning_n_va.
   These have to be functions with the attribute so that exgettext
   works properly.

   Issue warning OPT for the format substring FMT_LOC (with the
   argument at PARAM_LOC and the suggested CORRECTED_SUBSTRING),
   formatting GMSGID with the remaining arguments.  Return true
   when the warning was actually issued.  */

static bool
ATTRIBUTE_GCC_DIAG (5, 6)
fmtwarn (const substring_loc &fmt_loc, location_t param_loc,
	 const char *corrected_substring, int opt, const char *gmsgid, ...)
{
  va_list ap;
  va_start (ap, gmsgid);

  format_string_diagnostic_t diag (fmt_loc, NULL, param_loc, NULL,
				   corrected_substring);
  const bool warned = diag.emit_warning_va (opt, gmsgid, &ap);

  va_end (ap);
  return warned;
}
|
|
477
|
|
/* Plural-aware counterpart of fmtwarn: pick SINGULAR_GMSGID or
   PLURAL_GMSGID according to N and issue warning OPT for the format
   substring FMT_LOC.  Return true when the warning was issued.  */

static bool
ATTRIBUTE_GCC_DIAG (6, 8) ATTRIBUTE_GCC_DIAG (7, 8)
fmtwarn_n (const substring_loc &fmt_loc, location_t param_loc,
	   const char *corrected_substring, int opt, unsigned HOST_WIDE_INT n,
	   const char *singular_gmsgid, const char *plural_gmsgid, ...)
{
  va_list ap;
  va_start (ap, plural_gmsgid);

  format_string_diagnostic_t diag (fmt_loc, NULL, param_loc, NULL,
				   corrected_substring);
  const bool warned
    = diag.emit_warning_n_va (opt, n, singular_gmsgid, plural_gmsgid, &ap);

  va_end (ap);
  return warned;
}
|
111
|
494
|
|
/* Format length modifiers.  FMT_LEN_none stands for a directive
   without a length modifier.  */

enum format_lengths
{
  FMT_LEN_none,
  FMT_LEN_hh,   // char argument
  FMT_LEN_h,    // short
  FMT_LEN_l,    // long
  FMT_LEN_ll,   // long long
  FMT_LEN_L,    // long double (and GNU long long)
  FMT_LEN_z,    // size_t
  FMT_LEN_t,    // ptrdiff_t
  FMT_LEN_j     // intmax_t
};
|
|
509
|
|
510
|
|
/* Description of the result of conversion either of a single directive
   or the whole format string.  */

struct fmtresult
{
  /* Construct a FMTRESULT object with all counters initialized
     to MIN.  KNOWNRANGE is set when MIN is valid, i.e., less than
     HOST_WIDE_INT_MAX (the default, standing for "unknown").  */
  fmtresult (unsigned HOST_WIDE_INT min = HOST_WIDE_INT_MAX)
  : argmin (), argmax (), nonstr (),
    knownrange (min < HOST_WIDE_INT_MAX),
    mayfail (), nullp ()
  {
    range.min = min;
    range.max = min;
    range.likely = min;
    range.unlikely = min;
  }

  /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters.
     KNOWNRANGE is set when both MIN and MAX are valid.  A LIKELY
     greater than MAX (including the default) is replaced by MIN, and
     UNLIKELY starts out equal to MAX.  */
  fmtresult (unsigned HOST_WIDE_INT min, unsigned HOST_WIDE_INT max,
	     unsigned HOST_WIDE_INT likely = HOST_WIDE_INT_MAX)
  : argmin (), argmax (), nonstr (),
    knownrange (min < HOST_WIDE_INT_MAX && max < HOST_WIDE_INT_MAX),
    mayfail (), nullp ()
  {
    range.min = min;
    range.max = max;
    range.likely = max < likely ? min : likely;
    range.unlikely = max;
  }

  /* Adjust result upward to reflect the RANGE of values the specified
     width or precision is known to be in.  See the definition below
     for the meaning of the remaining arguments.  */
  fmtresult& adjust_for_width_or_precision (const HOST_WIDE_INT[2],
					    tree = NULL_TREE,
					    unsigned = 0, unsigned = 0);

  /* Return the maximum number of digits a value of TYPE formats as
     on output in the given base (8, 10, or 16), not counting any
     base prefix.  */
  static unsigned type_max_digits (tree, int);

  /* The range a directive's argument is in.  */
  tree argmin, argmax;

  /* The minimum and maximum number of bytes that a directive
     results in on output for an argument in the range above.  */
  result_range range;

  /* Non-nul when the argument of a string directive is not a nul
     terminated string.  */
  tree nonstr;

  /* True when the range above is obtained from a known value of
     a directive's argument or its bounds and not the result of
     heuristics that depend on warning levels.  */
  bool knownrange;

  /* True for a directive that may fail (such as wide character
     directives).  */
  bool mayfail;

  /* True when the argument is a null pointer.  */
  bool nullp;
};
|
|
576
|
|
/* Adjust result upward to reflect the range ADJUST of values the
   specified width or precision is known to be in.  When non-null,
   TYPE denotes the type of the directive whose result is being
   adjusted, BASE gives the base of the directive (octal, decimal,
   or hex), and ADJ denotes the additional adjustment to the LIKELY
   counter that may need to be added when ADJUST is a range.
   ADJUST[0] is the lower and ADJUST[1] the upper bound; a negative
   lower bound is not applied (directive uses -1 for "not specified").
   Return *this.  */

fmtresult&
fmtresult::adjust_for_width_or_precision (const HOST_WIDE_INT adjust[2],
					  tree type /* = NULL_TREE */,
					  unsigned base /* = 0 */,
					  unsigned adj /* = 0 */)
{
  /* Set when the minimum is raised below; decides whether the range
     counts as known once the maximum is raised as well.  */
  bool minadjusted = false;

  /* Adjust the minimum and likely counters.  */
  if (adjust[0] >= 0)
    {
      if (range.min < (unsigned HOST_WIDE_INT)adjust[0])
	{
	  range.min = adjust[0];
	  minadjusted = true;
	}

      /* Adjust the likely counter.  */
      if (range.likely < range.min)
	range.likely = range.min;
    }
  else if (adjust[0] == target_int_min ()
	   && (unsigned HOST_WIDE_INT)adjust[1] == target_int_max ())
    /* A width or precision spanning the whole int range is unknown,
       so the result range is no longer known either.  */
    knownrange = false;

  /* Adjust the maximum counter.  */
  if (adjust[1] > 0)
    {
      if (range.max < (unsigned HOST_WIDE_INT)adjust[1])
	{
	  range.max = adjust[1];

	  /* Set KNOWNRANGE if both the minimum and maximum have been
	     adjusted.  Otherwise leave it at what it was before.  */
	  knownrange = minadjusted;
	}
    }

  if (warn_level > 1 && type)
    {
      /* For large non-constant width or precision whose range spans
	 the maximum number of digits produced by the directive for
	 any argument, set the likely number of bytes to be at most
	 the number digits plus other adjustment determined by the
	 caller (one for sign or two for the hexadecimal "0x"
	 prefix).  */
      unsigned dirdigs = type_max_digits (type, base);
      if (adjust[0] < dirdigs && dirdigs < adjust[1]
	  && range.likely < dirdigs)
	range.likely = dirdigs + adj;
    }
  else if (range.likely < (range.min ? range.min : 1))
    {
      /* Conservatively, set LIKELY to at least MIN but no less than
	 1 unless MAX is zero.  */
      range.likely = (range.min
		      ? range.min
		      : range.max && (range.max < HOST_WIDE_INT_MAX
				      || warn_level > 1) ? 1 : 0);
    }

  /* Finally adjust the unlikely counter to be at least as large as
     the maximum.  */
  if (range.unlikely < range.max)
    range.unlikely = range.max;

  return *this;
}
|
|
652
|
|
/* Return the maximum number of digits a value of TYPE (with its
   precision in bits) formats in BASE on output, not counting the
   base prefix.  BASE must be 8, 10, or 16.  */

unsigned
fmtresult::type_max_digits (tree type, int base)
{
  const unsigned prec = TYPE_PRECISION (type);

  if (base == 8)
    /* Three bits per octal digit, rounding up.  */
    return (prec + 2) / 3;

  if (base == 10)
    /* Decimal approximation: yields 3, 5, 10, and 20 for precision
       of 8, 16, 32, and 64 bits.  */
    return prec * 301 / 1000 + 1;

  if (base == 16)
    /* Four bits per hexadecimal digit.  */
    return prec / 4;

  gcc_unreachable ();
}
|
|
674
|
|
/* Forward declaration of the helper that determines the integer range
   of a width or precision argument; its definition is elsewhere in
   this file.  Used by directive::set_width and directive::set_precision
   below.  NOTE(review): going by those two callers the bool appears
   to say whether the bounds may not go below zero and the
   HOST_WIDE_INT is the value for an unspecified bound (0 for width,
   -1 for precision) -- confirm against the definition.  */
static bool
get_int_range (tree, HOST_WIDE_INT *, HOST_WIDE_INT *, bool, HOST_WIDE_INT,
	       class vr_values *vr_values);
|
111
|
678
|
|
/* Description of a format directive.  A directive is either a plain
   string or a conversion specification that starts with '%'.  */

struct directive
{
  /* The 1-based directive number (for debugging).  */
  unsigned dirno;

  /* The first character of the directive and its length.  */
  const char *beg;
  size_t len;

  /* A bitmap of flags, one for each character.  (The array is sized
     more generously than the 256 bits it needs; get_flag shows the
     word/bit indexing.)  */
  unsigned flags[256 / sizeof (int)];

  /* The range of values of the specified width, or -1 if not specified.  */
  HOST_WIDE_INT width[2];
  /* The range of values of the specified precision, or -1 if not
     specified.  */
  HOST_WIDE_INT prec[2];

  /* Length modifier.  */
  format_lengths modifier;

  /* Format specifier character.  */
  char specifier;

  /* The argument of the directive or null when the directive doesn't
     take one or when none is available (such as for vararg functions).  */
  tree arg;

  /* Format conversion function that given a directive and an argument
     returns the formatting result.  The vr_values argument supplies
     value range information for the argument.  */
  fmtresult (*fmtfunc) (const directive &, tree, vr_values *);

  /* Return true when the format flag CHR has been used.  CHR is
     treated as unsigned: word C / bits-per-word, bit C % bits-per-word
     of FLAGS.  */
  bool get_flag (char chr) const
  {
    unsigned char c = chr & 0xff;
    return (flags[c / (CHAR_BIT * sizeof *flags)]
	    & (1U << (c % (CHAR_BIT * sizeof *flags))));
  }

  /* Make a record of the format flag CHR having been used.  */
  void set_flag (char chr)
  {
    unsigned char c = chr & 0xff;
    flags[c / (CHAR_BIT * sizeof *flags)]
      |= (1U << (c % (CHAR_BIT * sizeof *flags)));
  }

  /* Reset the format flag CHR.  */
  void clear_flag (char chr)
  {
    unsigned char c = chr & 0xff;
    flags[c / (CHAR_BIT * sizeof *flags)]
      &= ~(1U << (c % (CHAR_BIT * sizeof *flags)));
  }

  /* Set both bounds of the width range to VAL.  */
  void set_width (HOST_WIDE_INT val)
  {
    width[0] = width[1] = val;
  }

  /* Set the width range according to ARG, with both bounds being
     no less than 0.  For a constant ARG set both bounds to its value
     or 0, whichever is greater.  For a non-constant ARG in some range
     set width to its range adjusting each bound to -1 if it's less.
     For an indeterminate ARG set width to [0, INT_MAX].  */
  void set_width (tree arg, vr_values *vr_values)
  {
    get_int_range (arg, width, width + 1, true, 0, vr_values);
  }

  /* Set both bounds of the precision range to VAL.  */
  void set_precision (HOST_WIDE_INT val)
  {
    prec[0] = prec[1] = val;
  }

  /* Set the precision range according to ARG, with both bounds being
     no less than -1.  For a constant ARG set both bounds to its value
     or -1 whichever is greater.  For a non-constant ARG in some range
     set precision to its range adjusting each bound to -1 if it's less.
     For an indeterminate ARG set precision to [-1, INT_MAX].  */
  void set_precision (tree arg, vr_values *vr_values)
  {
    get_int_range (arg, prec, prec + 1, false, -1, vr_values);
  }

  /* Return true if both width and precision are known to be
     either constant or in some range, false otherwise.  Note the
     asymmetry: an upper bound equal to INT_MAX still counts as known
     for the width but not for the precision.  */
  bool known_width_and_precision () const
  {
    return ((width[1] < 0
	     || (unsigned HOST_WIDE_INT)width[1] <= target_int_max ())
	    && (prec[1] < 0
		|| (unsigned HOST_WIDE_INT)prec[1] < target_int_max ()));
  }
};
|
|
780
|
|
/* Return the number of BASE digits needed to write X, i.e.,
   floor (log_BASE (X)) + 1 for non-zero X and 1 for zero (the name
   notwithstanding, the result is never 0).  BASE is expected to be
   greater than 1; callers in this file pass 8, 10, or 16.  */

static int
ilog (unsigned HOST_WIDE_INT x, int base)
{
  int ndigits = 1;
  for (x /= base; x; x /= base)
    ++ndigits;
  return ndigits;
}
|
|
794
|
|
/* Return the number of bytes resulting from converting into a string
   the INTEGER_CST tree node X in BASE with a minimum of PREC digits.
   PLUS indicates whether 1 for a plus sign should be added for positive
   numbers, and PREFIX whether the length of an octal ('0') or hexadecimal
   ('0x') prefix should be added for nonzero numbers.  Return -1 if X
   cannot be represented in a HOST_WIDE_INT of the matching signedness.  */

static HOST_WIDE_INT
tree_digits (tree x, int base, HOST_WIDE_INT prec, bool plus, bool prefix)
{
  /* The magnitude of X, and the bytes taken up by its sign: one for
     a minus sign, PLUS for a non-negative value.  */
  unsigned HOST_WIDE_INT absval;
  HOST_WIDE_INT res;

  if (TYPE_UNSIGNED (TREE_TYPE (x)))
    {
      if (!tree_fits_uhwi_p (x))
	return -1;

      absval = tree_to_uhwi (x);
      res = plus;
    }
  else
    {
      if (!tree_fits_shwi_p (x))
	return -1;

      const HOST_WIDE_INT i = tree_to_shwi (x);
      if (i >= 0)
	{
	  absval = i;
	  res = plus;
	}
      else
	{
	  /* Negating HOST_WIDE_INT_MIN is undefined behavior; clamp
	     it to the largest representable magnitude instead.  */
	  absval = i == HOST_WIDE_INT_MIN ? HOST_WIDE_INT_MAX : -i;
	  res = 1;
	}
    }

  /* Digits actually needed, widened to PREC by leading zeros.  */
  const int ndigs = ilog (absval, base);
  res += prec < ndigs ? ndigs : prec;

  /* Adjust a non-zero value for the base prefix, either hexadecimal,
     or, unless precision has resulted in a leading zero, also octal.  */
  if (prefix && absval && (base == 16 || prec <= ndigs))
    res += base == 16 ? 2 : base == 8 ? 1 : 0;

  return res;
}
|
|
861
|
|
/* Given the formatting result described by RES and NAVAIL, the number
   of bytes available in the destination, return the range of bytes
   remaining in the destination.  Each remaining count is NAVAIL minus
   the corresponding output count, saturating at zero; an unknown
   NAVAIL (HOST_WIDE_INT_MAX or more) is returned unchanged.  */

static inline result_range
bytes_remaining (unsigned HOST_WIDE_INT navail, const format_result &res)
{
  result_range range;

  /* Unknown destination size: report it as-is for every counter.  */
  if (HOST_WIDE_INT_MAX <= navail)
    {
      range.min = range.max = range.likely = range.unlikely = navail;
      return range;
    }

  /* The bounds swap roles: the most that can remain corresponds to
     the least output, the least remaining to the most output.  */
  range.max = res.range.min < navail ? navail - res.range.min : 0;
  range.likely = res.range.likely < navail ? navail - res.range.likely : 0;
  range.unlikely = (res.range.unlikely < navail
		    ? navail - res.range.unlikely : 0);

  /* A maximum output of HOST_WIDE_INT_MAX carries no information, so
     fall back on the likely count for the lower bound.  */
  if (res.range.max < HOST_WIDE_INT_MAX)
    range.min = res.range.max < navail ? navail - res.range.max : 0;
  else
    range.min = range.likely;

  return range;
}
|
|
894
|
|
/* Description of a call to a formatted function.  */

struct sprintf_dom_walker::call_info
{
  /* Function call statement.  */
  gimple *callstmt;

  /* Function called.  */
  tree func;

  /* Called built-in function code.  */
  built_in_function fncode;

  /* Format argument and format string extracted from it.  */
  tree format;
  const char *fmtstr;

  /* The location of the format argument.  */
  location_t fmtloc;

  /* The destination object size for __builtin___xxx_chk functions
     typically determined by __builtin_object_size, or -1 if unknown.  */
  unsigned HOST_WIDE_INT objsize;

  /* Number of the first variable argument.  */
  unsigned HOST_WIDE_INT argidx;

  /* True for functions like snprintf that specify the size of
     the destination, false for others like sprintf that don't.  */
  bool bounded;

  /* True for bounded functions like snprintf that specify a zero-size
     buffer as a request to compute the size of output without actually
     writing any.  NOWRITE is cleared in response to the %n directive
     which has side-effects similar to writing output.  */
  bool nowrite;

  /* Return true if the called function's return value is used, i.e.,
     the call statement has a left-hand side.  */
  bool retval_used () const
  {
    return gimple_get_lhs (callstmt);
  }

  /* Return the warning option corresponding to the called function:
     -Wformat-truncation= for bounded functions, -Wformat-overflow=
     otherwise.  */
  int warnopt () const
  {
    return bounded ? OPT_Wformat_truncation_ : OPT_Wformat_overflow_;
  }
};
|
|
944
|
|
945 /* Return the result of formatting a no-op directive (such as '%n'). */
|
|
946
|
|
947 static fmtresult
|
131
|
948 format_none (const directive &, tree, vr_values *)
|
111
|
949 {
|
|
950 fmtresult res (0);
|
|
951 return res;
|
|
952 }
|
|
953
|
|
954 /* Return the result of formatting the '%%' directive. */
|
|
955
|
|
956 static fmtresult
|
131
|
957 format_percent (const directive &, tree, vr_values *)
|
111
|
958 {
|
|
959 fmtresult res (1);
|
|
960 return res;
|
|
961 }
|
|
962
|
|
963
|
|
964 /* Compute intmax_type_node and uintmax_type_node similarly to how
|
|
965 tree.c builds size_type_node. */
|
|
966
|
|
967 static void
|
|
968 build_intmax_type_nodes (tree *pintmax, tree *puintmax)
|
|
969 {
|
|
970 if (strcmp (UINTMAX_TYPE, "unsigned int") == 0)
|
|
971 {
|
|
972 *pintmax = integer_type_node;
|
|
973 *puintmax = unsigned_type_node;
|
|
974 }
|
|
975 else if (strcmp (UINTMAX_TYPE, "long unsigned int") == 0)
|
|
976 {
|
|
977 *pintmax = long_integer_type_node;
|
|
978 *puintmax = long_unsigned_type_node;
|
|
979 }
|
|
980 else if (strcmp (UINTMAX_TYPE, "long long unsigned int") == 0)
|
|
981 {
|
|
982 *pintmax = long_long_integer_type_node;
|
|
983 *puintmax = long_long_unsigned_type_node;
|
|
984 }
|
|
985 else
|
|
986 {
|
|
987 for (int i = 0; i < NUM_INT_N_ENTS; i++)
|
|
988 if (int_n_enabled_p[i])
|
|
989 {
|
|
990 char name[50];
|
|
991 sprintf (name, "__int%d unsigned", int_n_data[i].bitsize);
|
|
992
|
|
993 if (strcmp (name, UINTMAX_TYPE) == 0)
|
|
994 {
|
|
995 *pintmax = int_n_trees[i].signed_type;
|
|
996 *puintmax = int_n_trees[i].unsigned_type;
|
|
997 return;
|
|
998 }
|
|
999 }
|
|
1000 gcc_unreachable ();
|
|
1001 }
|
|
1002 }
|
|
1003
|
|
1004 /* Determine the range [*PMIN, *PMAX] that the expression ARG is
|
|
1005 in and that is representable in type int.
|
|
1006 Return true when the range is a subrange of that of int.
|
|
1007 When ARG is null it is as if it had the full range of int.
|
|
1008 When ABSOLUTE is true the range reflects the absolute value of
|
|
1009 the argument. When ABSOLUTE is false, negative bounds of
|
|
1010 the determined range are replaced with NEGBOUND. */
|
|
1011
|
|
1012 static bool
|
|
1013 get_int_range (tree arg, HOST_WIDE_INT *pmin, HOST_WIDE_INT *pmax,
|
131
|
1014 bool absolute, HOST_WIDE_INT negbound,
|
|
1015 class vr_values *vr_values)
|
111
|
1016 {
|
|
1017 /* The type of the result. */
|
|
1018 const_tree type = integer_type_node;
|
|
1019
|
|
1020 bool knownrange = false;
|
|
1021
|
|
1022 if (!arg)
|
|
1023 {
|
|
1024 *pmin = tree_to_shwi (TYPE_MIN_VALUE (type));
|
|
1025 *pmax = tree_to_shwi (TYPE_MAX_VALUE (type));
|
|
1026 }
|
|
1027 else if (TREE_CODE (arg) == INTEGER_CST
|
|
1028 && TYPE_PRECISION (TREE_TYPE (arg)) <= TYPE_PRECISION (type))
|
|
1029 {
|
|
1030 /* For a constant argument return its value adjusted as specified
|
|
1031 by NEGATIVE and NEGBOUND and return true to indicate that the
|
|
1032 result is known. */
|
|
1033 *pmin = tree_fits_shwi_p (arg) ? tree_to_shwi (arg) : tree_to_uhwi (arg);
|
|
1034 *pmax = *pmin;
|
|
1035 knownrange = true;
|
|
1036 }
|
|
1037 else
|
|
1038 {
|
|
1039 /* True if the argument's range cannot be determined. */
|
|
1040 bool unknown = true;
|
|
1041
|
|
1042 tree argtype = TREE_TYPE (arg);
|
|
1043
|
|
1044 /* Ignore invalid arguments with greater precision that that
|
|
1045 of the expected type (e.g., in sprintf("%*i", 12LL, i)).
|
|
1046 They will have been detected and diagnosed by -Wformat and
|
|
1047 so it's not important to complicate this code to try to deal
|
|
1048 with them again. */
|
|
1049 if (TREE_CODE (arg) == SSA_NAME
|
|
1050 && INTEGRAL_TYPE_P (argtype)
|
|
1051 && TYPE_PRECISION (argtype) <= TYPE_PRECISION (type))
|
|
1052 {
|
|
1053 /* Try to determine the range of values of the integer argument. */
|
131
|
1054 value_range *vr = vr_values->get_value_range (arg);
|
|
1055 if (range_int_cst_p (vr))
|
111
|
1056 {
|
|
1057 HOST_WIDE_INT type_min
|
|
1058 = (TYPE_UNSIGNED (argtype)
|
|
1059 ? tree_to_uhwi (TYPE_MIN_VALUE (argtype))
|
|
1060 : tree_to_shwi (TYPE_MIN_VALUE (argtype)));
|
|
1061
|
|
1062 HOST_WIDE_INT type_max = tree_to_uhwi (TYPE_MAX_VALUE (argtype));
|
|
1063
|
131
|
1064 *pmin = TREE_INT_CST_LOW (vr->min ());
|
|
1065 *pmax = TREE_INT_CST_LOW (vr->max ());
|
111
|
1066
|
|
1067 if (*pmin < *pmax)
|
|
1068 {
|
|
1069 /* Return true if the adjusted range is a subrange of
|
|
1070 the full range of the argument's type. *PMAX may
|
|
1071 be less than *PMIN when the argument is unsigned
|
|
1072 and its upper bound is in excess of TYPE_MAX. In
|
|
1073 that (invalid) case disregard the range and use that
|
|
1074 of the expected type instead. */
|
|
1075 knownrange = type_min < *pmin || *pmax < type_max;
|
|
1076
|
|
1077 unknown = false;
|
|
1078 }
|
|
1079 }
|
|
1080 }
|
|
1081
|
|
1082 /* Handle an argument with an unknown range as if none had been
|
|
1083 provided. */
|
|
1084 if (unknown)
|
131
|
1085 return get_int_range (NULL_TREE, pmin, pmax, absolute,
|
|
1086 negbound, vr_values);
|
111
|
1087 }
|
|
1088
|
|
1089 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */
|
|
1090 if (absolute)
|
|
1091 {
|
|
1092 if (*pmin < 0)
|
|
1093 {
|
|
1094 if (*pmin == *pmax)
|
|
1095 *pmin = *pmax = -*pmin;
|
|
1096 else
|
|
1097 {
|
|
1098 /* Make sure signed overlow is avoided. */
|
|
1099 gcc_assert (*pmin != HOST_WIDE_INT_MIN);
|
|
1100
|
|
1101 HOST_WIDE_INT tmp = -*pmin;
|
|
1102 *pmin = 0;
|
|
1103 if (*pmax < tmp)
|
|
1104 *pmax = tmp;
|
|
1105 }
|
|
1106 }
|
|
1107 }
|
|
1108 else if (*pmin < negbound)
|
|
1109 *pmin = negbound;
|
|
1110
|
|
1111 return knownrange;
|
|
1112 }
|
|
1113
|
|
1114 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual
|
|
1115 argument, due to the conversion from either *ARGMIN or *ARGMAX to
|
|
1116 the type of the directive's formal argument it's possible for both
|
|
1117 to result in the same number of bytes or a range of bytes that's
|
|
1118 less than the number of bytes that would result from formatting
|
|
1119 some other value in the range [*ARGMIN, *ARGMAX]. This can be
|
|
1120 determined by checking for the actual argument being in the range
|
|
1121 of the type of the directive. If it isn't it must be assumed to
|
|
1122 take on the full range of the directive's type.
|
|
1123 Return true when the range has been adjusted to the full range
|
|
1124 of DIRTYPE, and false otherwise. */
|
|
1125
|
|
1126 static bool
|
|
1127 adjust_range_for_overflow (tree dirtype, tree *argmin, tree *argmax)
|
|
1128 {
|
|
1129 tree argtype = TREE_TYPE (*argmin);
|
|
1130 unsigned argprec = TYPE_PRECISION (argtype);
|
|
1131 unsigned dirprec = TYPE_PRECISION (dirtype);
|
|
1132
|
|
1133 /* If the actual argument and the directive's argument have the same
|
|
1134 precision and sign there can be no overflow and so there is nothing
|
|
1135 to adjust. */
|
|
1136 if (argprec == dirprec && TYPE_SIGN (argtype) == TYPE_SIGN (dirtype))
|
|
1137 return false;
|
|
1138
|
|
1139 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P
|
|
1140 branch in the extract_range_from_unary_expr function in tree-vrp.c. */
|
|
1141
|
|
1142 if (TREE_CODE (*argmin) == INTEGER_CST
|
|
1143 && TREE_CODE (*argmax) == INTEGER_CST
|
|
1144 && (dirprec >= argprec
|
|
1145 || integer_zerop (int_const_binop (RSHIFT_EXPR,
|
|
1146 int_const_binop (MINUS_EXPR,
|
|
1147 *argmax,
|
|
1148 *argmin),
|
|
1149 size_int (dirprec)))))
|
|
1150 {
|
|
1151 *argmin = force_fit_type (dirtype, wi::to_widest (*argmin), 0, false);
|
|
1152 *argmax = force_fit_type (dirtype, wi::to_widest (*argmax), 0, false);
|
|
1153
|
|
1154 /* If *ARGMIN is still less than *ARGMAX the conversion above
|
|
1155 is safe. Otherwise, it has overflowed and would be unsafe. */
|
|
1156 if (tree_int_cst_le (*argmin, *argmax))
|
|
1157 return false;
|
|
1158 }
|
|
1159
|
|
1160 *argmin = TYPE_MIN_VALUE (dirtype);
|
|
1161 *argmax = TYPE_MAX_VALUE (dirtype);
|
|
1162 return true;
|
|
1163 }
|
|
1164
|
|
1165 /* Return a range representing the minimum and maximum number of bytes
|
|
1166 that the format directive DIR will output for any argument given
|
|
1167 the WIDTH and PRECISION (extracted from DIR). This function is
|
|
1168 used when the directive argument or its value isn't known. */
|
|
1169
|
|
1170 static fmtresult
|
131
|
1171 format_integer (const directive &dir, tree arg, vr_values *vr_values)
|
111
|
1172 {
|
|
1173 tree intmax_type_node;
|
|
1174 tree uintmax_type_node;
|
|
1175
|
|
1176 /* Base to format the number in. */
|
|
1177 int base;
|
|
1178
|
|
1179 /* True when a conversion is preceded by a prefix indicating the base
|
|
1180 of the argument (octal or hexadecimal). */
|
|
1181 bool maybebase = dir.get_flag ('#');
|
|
1182
|
|
1183 /* True when a signed conversion is preceded by a sign or space. */
|
|
1184 bool maybesign = false;
|
|
1185
|
|
1186 /* True for signed conversions (i.e., 'd' and 'i'). */
|
|
1187 bool sign = false;
|
|
1188
|
|
1189 switch (dir.specifier)
|
|
1190 {
|
|
1191 case 'd':
|
|
1192 case 'i':
|
|
1193 /* Space and '+' are only meaningful for signed conversions. */
|
|
1194 maybesign = dir.get_flag (' ') | dir.get_flag ('+');
|
|
1195 sign = true;
|
|
1196 base = 10;
|
|
1197 break;
|
|
1198 case 'u':
|
|
1199 base = 10;
|
|
1200 break;
|
|
1201 case 'o':
|
|
1202 base = 8;
|
|
1203 break;
|
|
1204 case 'X':
|
|
1205 case 'x':
|
|
1206 base = 16;
|
|
1207 break;
|
|
1208 default:
|
|
1209 gcc_unreachable ();
|
|
1210 }
|
|
1211
|
|
1212 /* The type of the "formal" argument expected by the directive. */
|
|
1213 tree dirtype = NULL_TREE;
|
|
1214
|
|
1215 /* Determine the expected type of the argument from the length
|
|
1216 modifier. */
|
|
1217 switch (dir.modifier)
|
|
1218 {
|
|
1219 case FMT_LEN_none:
|
|
1220 if (dir.specifier == 'p')
|
|
1221 dirtype = ptr_type_node;
|
|
1222 else
|
|
1223 dirtype = sign ? integer_type_node : unsigned_type_node;
|
|
1224 break;
|
|
1225
|
|
1226 case FMT_LEN_h:
|
|
1227 dirtype = sign ? short_integer_type_node : short_unsigned_type_node;
|
|
1228 break;
|
|
1229
|
|
1230 case FMT_LEN_hh:
|
|
1231 dirtype = sign ? signed_char_type_node : unsigned_char_type_node;
|
|
1232 break;
|
|
1233
|
|
1234 case FMT_LEN_l:
|
|
1235 dirtype = sign ? long_integer_type_node : long_unsigned_type_node;
|
|
1236 break;
|
|
1237
|
|
1238 case FMT_LEN_L:
|
|
1239 case FMT_LEN_ll:
|
|
1240 dirtype = (sign
|
|
1241 ? long_long_integer_type_node
|
|
1242 : long_long_unsigned_type_node);
|
|
1243 break;
|
|
1244
|
|
1245 case FMT_LEN_z:
|
|
1246 dirtype = signed_or_unsigned_type_for (!sign, size_type_node);
|
|
1247 break;
|
|
1248
|
|
1249 case FMT_LEN_t:
|
|
1250 dirtype = signed_or_unsigned_type_for (!sign, ptrdiff_type_node);
|
|
1251 break;
|
|
1252
|
|
1253 case FMT_LEN_j:
|
|
1254 build_intmax_type_nodes (&intmax_type_node, &uintmax_type_node);
|
|
1255 dirtype = sign ? intmax_type_node : uintmax_type_node;
|
|
1256 break;
|
|
1257
|
|
1258 default:
|
|
1259 return fmtresult ();
|
|
1260 }
|
|
1261
|
|
1262 /* The type of the argument to the directive, either deduced from
|
|
1263 the actual non-constant argument if one is known, or from
|
|
1264 the directive itself when none has been provided because it's
|
|
1265 a va_list. */
|
|
1266 tree argtype = NULL_TREE;
|
|
1267
|
|
1268 if (!arg)
|
|
1269 {
|
|
1270 /* When the argument has not been provided, use the type of
|
|
1271 the directive's argument as an approximation. This will
|
|
1272 result in false positives for directives like %i with
|
|
1273 arguments with smaller precision (such as short or char). */
|
|
1274 argtype = dirtype;
|
|
1275 }
|
|
1276 else if (TREE_CODE (arg) == INTEGER_CST)
|
|
1277 {
|
|
1278 /* When a constant argument has been provided use its value
|
|
1279 rather than type to determine the length of the output. */
|
|
1280 fmtresult res;
|
|
1281
|
|
1282 if ((dir.prec[0] <= 0 && dir.prec[1] >= 0) && integer_zerop (arg))
|
|
1283 {
|
|
1284 /* As a special case, a precision of zero with a zero argument
|
|
1285 results in zero bytes except in base 8 when the '#' flag is
|
|
1286 specified, and for signed conversions in base 8 and 10 when
|
|
1287 either the space or '+' flag has been specified and it results
|
|
1288 in just one byte (with width having the normal effect). This
|
|
1289 must extend to the case of a specified precision with
|
|
1290 an unknown value because it can be zero. */
|
|
1291 res.range.min = ((base == 8 && dir.get_flag ('#')) || maybesign);
|
|
1292 if (res.range.min == 0 && dir.prec[0] != dir.prec[1])
|
|
1293 {
|
|
1294 res.range.max = 1;
|
|
1295 res.range.likely = 1;
|
|
1296 }
|
|
1297 else
|
|
1298 {
|
|
1299 res.range.max = res.range.min;
|
|
1300 res.range.likely = res.range.min;
|
|
1301 }
|
|
1302 }
|
|
1303 else
|
|
1304 {
|
|
1305 /* Convert the argument to the type of the directive. */
|
|
1306 arg = fold_convert (dirtype, arg);
|
|
1307
|
|
1308 res.range.min = tree_digits (arg, base, dir.prec[0],
|
|
1309 maybesign, maybebase);
|
|
1310 if (dir.prec[0] == dir.prec[1])
|
|
1311 res.range.max = res.range.min;
|
|
1312 else
|
|
1313 res.range.max = tree_digits (arg, base, dir.prec[1],
|
|
1314 maybesign, maybebase);
|
|
1315 res.range.likely = res.range.min;
|
|
1316 res.knownrange = true;
|
|
1317 }
|
|
1318
|
|
1319 res.range.unlikely = res.range.max;
|
|
1320
|
|
1321 /* Bump up the counters if WIDTH is greater than LEN. */
|
|
1322 res.adjust_for_width_or_precision (dir.width, dirtype, base,
|
|
1323 (sign | maybebase) + (base == 16));
|
|
1324 /* Bump up the counters again if PRECision is greater still. */
|
|
1325 res.adjust_for_width_or_precision (dir.prec, dirtype, base,
|
|
1326 (sign | maybebase) + (base == 16));
|
|
1327
|
|
1328 return res;
|
|
1329 }
|
|
1330 else if (INTEGRAL_TYPE_P (TREE_TYPE (arg))
|
|
1331 || TREE_CODE (TREE_TYPE (arg)) == POINTER_TYPE)
|
|
1332 /* Determine the type of the provided non-constant argument. */
|
|
1333 argtype = TREE_TYPE (arg);
|
|
1334 else
|
|
1335 /* Don't bother with invalid arguments since they likely would
|
|
1336 have already been diagnosed, and disable any further checking
|
|
1337 of the format string by returning [-1, -1]. */
|
|
1338 return fmtresult ();
|
|
1339
|
|
1340 fmtresult res;
|
|
1341
|
|
1342 /* Using either the range the non-constant argument is in, or its
|
|
1343 type (either "formal" or actual), create a range of values that
|
|
1344 constrain the length of output given the warning level. */
|
|
1345 tree argmin = NULL_TREE;
|
|
1346 tree argmax = NULL_TREE;
|
|
1347
|
|
1348 if (arg
|
|
1349 && TREE_CODE (arg) == SSA_NAME
|
|
1350 && INTEGRAL_TYPE_P (argtype))
|
|
1351 {
|
|
1352 /* Try to determine the range of values of the integer argument
|
|
1353 (range information is not available for pointers). */
|
131
|
1354 value_range *vr = vr_values->get_value_range (arg);
|
|
1355 if (range_int_cst_p (vr))
|
111
|
1356 {
|
131
|
1357 argmin = vr->min ();
|
|
1358 argmax = vr->max ();
|
111
|
1359
|
|
1360 /* Set KNOWNRANGE if the argument is in a known subrange
|
|
1361 of the directive's type and neither width nor precision
|
|
1362 is unknown. (KNOWNRANGE may be reset below). */
|
|
1363 res.knownrange
|
|
1364 = ((!tree_int_cst_equal (TYPE_MIN_VALUE (dirtype), argmin)
|
|
1365 || !tree_int_cst_equal (TYPE_MAX_VALUE (dirtype), argmax))
|
|
1366 && dir.known_width_and_precision ());
|
|
1367
|
|
1368 res.argmin = argmin;
|
|
1369 res.argmax = argmax;
|
|
1370 }
|
131
|
1371 else if (vr->kind () == VR_ANTI_RANGE)
|
111
|
1372 {
|
|
1373 /* Handle anti-ranges if/when bug 71690 is resolved. */
|
|
1374 }
|
131
|
1375 else if (vr->varying_p () || vr->undefined_p ())
|
111
|
1376 {
|
|
1377 /* The argument here may be the result of promoting the actual
|
|
1378 argument to int. Try to determine the type of the actual
|
|
1379 argument before promotion and narrow down its range that
|
|
1380 way. */
|
|
1381 gimple *def = SSA_NAME_DEF_STMT (arg);
|
|
1382 if (is_gimple_assign (def))
|
|
1383 {
|
|
1384 tree_code code = gimple_assign_rhs_code (def);
|
|
1385 if (code == INTEGER_CST)
|
|
1386 {
|
|
1387 arg = gimple_assign_rhs1 (def);
|
131
|
1388 return format_integer (dir, arg, vr_values);
|
111
|
1389 }
|
|
1390
|
|
1391 if (code == NOP_EXPR)
|
|
1392 {
|
|
1393 tree type = TREE_TYPE (gimple_assign_rhs1 (def));
|
|
1394 if (INTEGRAL_TYPE_P (type)
|
|
1395 || TREE_CODE (type) == POINTER_TYPE)
|
|
1396 argtype = type;
|
|
1397 }
|
|
1398 }
|
|
1399 }
|
|
1400 }
|
|
1401
|
|
1402 if (!argmin)
|
|
1403 {
|
|
1404 if (TREE_CODE (argtype) == POINTER_TYPE)
|
|
1405 {
|
|
1406 argmin = build_int_cst (pointer_sized_int_node, 0);
|
|
1407 argmax = build_all_ones_cst (pointer_sized_int_node);
|
|
1408 }
|
|
1409 else
|
|
1410 {
|
|
1411 argmin = TYPE_MIN_VALUE (argtype);
|
|
1412 argmax = TYPE_MAX_VALUE (argtype);
|
|
1413 }
|
|
1414 }
|
|
1415
|
|
1416 /* Clear KNOWNRANGE if the range has been adjusted to the maximum
|
|
1417 of the directive. If it has been cleared then since ARGMIN and/or
|
|
1418 ARGMAX have been adjusted also adjust the corresponding ARGMIN and
|
|
1419 ARGMAX in the result to include in diagnostics. */
|
|
1420 if (adjust_range_for_overflow (dirtype, &argmin, &argmax))
|
|
1421 {
|
|
1422 res.knownrange = false;
|
|
1423 res.argmin = argmin;
|
|
1424 res.argmax = argmax;
|
|
1425 }
|
|
1426
|
|
1427 /* Recursively compute the minimum and maximum from the known range. */
|
|
1428 if (TYPE_UNSIGNED (dirtype) || tree_int_cst_sgn (argmin) >= 0)
|
|
1429 {
|
|
1430 /* For unsigned conversions/directives or signed when
|
|
1431 the minimum is positive, use the minimum and maximum to compute
|
|
1432 the shortest and longest output, respectively. */
|
131
|
1433 res.range.min = format_integer (dir, argmin, vr_values).range.min;
|
|
1434 res.range.max = format_integer (dir, argmax, vr_values).range.max;
|
111
|
1435 }
|
|
1436 else if (tree_int_cst_sgn (argmax) < 0)
|
|
1437 {
|
|
1438 /* For signed conversions/directives if maximum is negative,
|
|
1439 use the minimum as the longest output and maximum as the
|
|
1440 shortest output. */
|
131
|
1441 res.range.min = format_integer (dir, argmax, vr_values).range.min;
|
|
1442 res.range.max = format_integer (dir, argmin, vr_values).range.max;
|
111
|
1443 }
|
|
1444 else
|
|
1445 {
|
|
1446 /* Otherwise, 0 is inside of the range and minimum negative. Use 0
|
|
1447 as the shortest output and for the longest output compute the
|
|
1448 length of the output of both minimum and maximum and pick the
|
|
1449 longer. */
|
131
|
1450 unsigned HOST_WIDE_INT max1
|
|
1451 = format_integer (dir, argmin, vr_values).range.max;
|
|
1452 unsigned HOST_WIDE_INT max2
|
|
1453 = format_integer (dir, argmax, vr_values).range.max;
|
|
1454 res.range.min
|
|
1455 = format_integer (dir, integer_zero_node, vr_values).range.min;
|
111
|
1456 res.range.max = MAX (max1, max2);
|
|
1457 }
|
|
1458
|
|
1459 /* If the range is known, use the maximum as the likely length. */
|
|
1460 if (res.knownrange)
|
|
1461 res.range.likely = res.range.max;
|
|
1462 else
|
|
1463 {
|
|
1464 /* Otherwise, use the minimum. Except for the case where for %#x or
|
|
1465 %#o the minimum is just for a single value in the range (0) and
|
|
1466 for all other values it is something longer, like 0x1 or 01.
|
|
1467 Use the length for value 1 in that case instead as the likely
|
|
1468 length. */
|
|
1469 res.range.likely = res.range.min;
|
|
1470 if (maybebase
|
|
1471 && base != 10
|
|
1472 && (tree_int_cst_sgn (argmin) < 0 || tree_int_cst_sgn (argmax) > 0))
|
|
1473 {
|
|
1474 if (res.range.min == 1)
|
|
1475 res.range.likely += base == 8 ? 1 : 2;
|
|
1476 else if (res.range.min == 2
|
|
1477 && base == 16
|
|
1478 && (dir.width[0] == 2 || dir.prec[0] == 2))
|
|
1479 ++res.range.likely;
|
|
1480 }
|
|
1481 }
|
|
1482
|
|
1483 res.range.unlikely = res.range.max;
|
|
1484 res.adjust_for_width_or_precision (dir.width, dirtype, base,
|
|
1485 (sign | maybebase) + (base == 16));
|
|
1486 res.adjust_for_width_or_precision (dir.prec, dirtype, base,
|
|
1487 (sign | maybebase) + (base == 16));
|
|
1488
|
|
1489 return res;
|
|
1490 }
|
|
1491
|
|
1492 /* Return the number of bytes that a format directive consisting of FLAGS,
|
|
1493 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC,
|
|
1494 would result for argument X under ideal conditions (i.e., if PREC
|
|
1495 weren't excessive). MPFR 3.1 allocates large amounts of memory for
|
|
1496 values of PREC with large magnitude and can fail (see MPFR bug #21056).
|
|
1497 This function works around those problems. */
|
|
1498
|
|
1499 static unsigned HOST_WIDE_INT
|
|
1500 get_mpfr_format_length (mpfr_ptr x, const char *flags, HOST_WIDE_INT prec,
|
|
1501 char spec, char rndspec)
|
|
1502 {
|
|
1503 char fmtstr[40];
|
|
1504
|
|
1505 HOST_WIDE_INT len = strlen (flags);
|
|
1506
|
|
1507 fmtstr[0] = '%';
|
|
1508 memcpy (fmtstr + 1, flags, len);
|
|
1509 memcpy (fmtstr + 1 + len, ".*R", 3);
|
|
1510 fmtstr[len + 4] = rndspec;
|
|
1511 fmtstr[len + 5] = spec;
|
|
1512 fmtstr[len + 6] = '\0';
|
|
1513
|
|
1514 spec = TOUPPER (spec);
|
|
1515 if (spec == 'E' || spec == 'F')
|
|
1516 {
|
|
1517 /* For %e, specify the precision explicitly since mpfr_sprintf
|
|
1518 does its own thing just to be different (see MPFR bug 21088). */
|
|
1519 if (prec < 0)
|
|
1520 prec = 6;
|
|
1521 }
|
|
1522 else
|
|
1523 {
|
|
1524 /* Avoid passing negative precisions with larger magnitude to MPFR
|
|
1525 to avoid exposing its bugs. (A negative precision is supposed
|
|
1526 to be ignored.) */
|
|
1527 if (prec < 0)
|
|
1528 prec = -1;
|
|
1529 }
|
|
1530
|
|
1531 HOST_WIDE_INT p = prec;
|
|
1532
|
|
1533 if (spec == 'G' && !strchr (flags, '#'))
|
|
1534 {
|
|
1535 /* For G/g without the pound flag, precision gives the maximum number
|
|
1536 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for
|
|
1537 a 128 bit IEEE extended precision, 4932. Using twice as much here
|
|
1538 should be more than sufficient for any real format. */
|
|
1539 if ((IEEE_MAX_10_EXP * 2) < prec)
|
|
1540 prec = IEEE_MAX_10_EXP * 2;
|
|
1541 p = prec;
|
|
1542 }
|
|
1543 else
|
|
1544 {
|
|
1545 /* Cap precision arbitrarily at 1KB and add the difference
|
|
1546 (if any) to the MPFR result. */
|
|
1547 if (prec > 1024)
|
|
1548 p = 1024;
|
|
1549 }
|
|
1550
|
|
1551 len = mpfr_snprintf (NULL, 0, fmtstr, (int)p, x);
|
|
1552
|
|
1553 /* Handle the unlikely (impossible?) error by returning more than
|
|
1554 the maximum dictated by the function's return type. */
|
|
1555 if (len < 0)
|
|
1556 return target_dir_max () + 1;
|
|
1557
|
|
1558 /* Adjust the return value by the difference. */
|
|
1559 if (p < prec)
|
|
1560 len += prec - p;
|
|
1561
|
|
1562 return len;
|
|
1563 }
|
|
1564
|
|
1565 /* Return the number of bytes to format using the format specifier
|
|
1566 SPEC and the precision PREC the largest value in the real floating
|
|
1567 TYPE. */
|
|
1568
|
|
1569 static unsigned HOST_WIDE_INT
|
|
1570 format_floating_max (tree type, char spec, HOST_WIDE_INT prec)
|
|
1571 {
|
|
1572 machine_mode mode = TYPE_MODE (type);
|
|
1573
|
|
1574 /* IBM Extended mode. */
|
|
1575 if (MODE_COMPOSITE_P (mode))
|
|
1576 mode = DFmode;
|
|
1577
|
|
1578 /* Get the real type format desription for the target. */
|
|
1579 const real_format *rfmt = REAL_MODE_FORMAT (mode);
|
|
1580 REAL_VALUE_TYPE rv;
|
|
1581
|
|
1582 real_maxval (&rv, 0, mode);
|
|
1583
|
|
1584 /* Convert the GCC real value representation with the precision
|
|
1585 of the real type to the mpfr_t format with the GCC default
|
|
1586 round-to-nearest mode. */
|
|
1587 mpfr_t x;
|
|
1588 mpfr_init2 (x, rfmt->p);
|
|
1589 mpfr_from_real (x, &rv, GMP_RNDN);
|
|
1590
|
|
1591 /* Return a value one greater to account for the leading minus sign. */
|
|
1592 unsigned HOST_WIDE_INT r
|
|
1593 = 1 + get_mpfr_format_length (x, "", prec, spec, 'D');
|
|
1594 mpfr_clear (x);
|
|
1595 return r;
|
|
1596 }
|
|
1597
|
|
1598 /* Return a range representing the minimum and maximum number of bytes
|
|
1599 that the directive DIR will output for any argument. PREC gives
|
|
1600 the adjusted precision range to account for negative precisions
|
|
1601 meaning the default 6. This function is used when the directive
|
|
1602 argument or its value isn't known. */
|
|
1603
|
|
1604 static fmtresult
|
|
1605 format_floating (const directive &dir, const HOST_WIDE_INT prec[2])
|
|
1606 {
|
|
1607 tree type;
|
|
1608
|
|
1609 switch (dir.modifier)
|
|
1610 {
|
|
1611 case FMT_LEN_l:
|
|
1612 case FMT_LEN_none:
|
|
1613 type = double_type_node;
|
|
1614 break;
|
|
1615
|
|
1616 case FMT_LEN_L:
|
|
1617 type = long_double_type_node;
|
|
1618 break;
|
|
1619
|
|
1620 case FMT_LEN_ll:
|
|
1621 type = long_double_type_node;
|
|
1622 break;
|
|
1623
|
|
1624 default:
|
|
1625 return fmtresult ();
|
|
1626 }
|
|
1627
|
|
1628 /* The minimum and maximum number of bytes produced by the directive. */
|
|
1629 fmtresult res;
|
|
1630
|
|
1631 /* The minimum output as determined by flags. It's always at least 1.
|
|
1632 When plus or space are set the output is preceded by either a sign
|
|
1633 or a space. */
|
|
1634 unsigned flagmin = (1 /* for the first digit */
|
|
1635 + (dir.get_flag ('+') | dir.get_flag (' ')));
|
|
1636
|
131
|
1637 /* The minimum is 3 for "inf" and "nan" for all specifiers, plus 1
|
|
1638 for the plus sign/space with the '+' and ' ' flags, respectively,
|
|
1639 unless reduced below. */
|
|
1640 res.range.min = 2 + flagmin;
|
|
1641
|
111
|
1642 /* When the pound flag is set the decimal point is included in output
|
|
1643 regardless of precision. Whether or not a decimal point is included
|
|
1644 otherwise depends on the specification and precision. */
|
|
1645 bool radix = dir.get_flag ('#');
|
|
1646
|
|
1647 switch (dir.specifier)
|
|
1648 {
|
|
1649 case 'A':
|
|
1650 case 'a':
|
|
1651 {
|
|
1652 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */;
|
|
1653 if (dir.prec[0] <= 0)
|
|
1654 minprec = 0;
|
|
1655 else if (dir.prec[0] > 0)
|
|
1656 minprec = dir.prec[0] + !radix /* decimal point */;
|
|
1657
|
131
|
1658 res.range.likely = (2 /* 0x */
|
|
1659 + flagmin
|
|
1660 + radix
|
|
1661 + minprec
|
|
1662 + 3 /* p+0 */);
|
111
|
1663
|
|
1664 res.range.max = format_floating_max (type, 'a', prec[1]);
|
|
1665
|
|
1666 /* The unlikely maximum accounts for the longest multibyte
|
|
1667 decimal point character. */
|
|
1668 res.range.unlikely = res.range.max;
|
|
1669 if (dir.prec[1] > 0)
|
|
1670 res.range.unlikely += target_mb_len_max () - 1;
|
|
1671
|
|
1672 break;
|
|
1673 }
|
|
1674
|
|
1675 case 'E':
|
|
1676 case 'e':
|
|
1677 {
|
|
1678 /* Minimum output attributable to precision and, when it's
|
|
1679 non-zero, decimal point. */
|
|
1680 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0;
|
|
1681
|
131
|
1682 /* The likely minimum output is "[-+]1.234567e+00" regardless
|
111
|
1683 of the value of the actual argument. */
|
131
|
1684 res.range.likely = (flagmin
|
|
1685 + radix
|
|
1686 + minprec
|
|
1687 + 2 /* e+ */ + 2);
|
111
|
1688
|
|
1689 res.range.max = format_floating_max (type, 'e', prec[1]);
|
|
1690
|
|
1691 /* The unlikely maximum accounts for the longest multibyte
|
|
1692 decimal point character. */
|
|
1693 if (dir.prec[0] != dir.prec[1]
|
|
1694 || dir.prec[0] == -1 || dir.prec[0] > 0)
|
|
1695 res.range.unlikely = res.range.max + target_mb_len_max () -1;
|
|
1696 else
|
|
1697 res.range.unlikely = res.range.max;
|
|
1698 break;
|
|
1699 }
|
|
1700
|
|
1701 case 'F':
|
|
1702 case 'f':
|
|
1703 {
|
|
1704 /* Minimum output attributable to precision and, when it's non-zero,
|
|
1705 decimal point. */
|
|
1706 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0;
|
|
1707
|
131
|
1708 /* For finite numbers (i.e., not infinity or NaN) the lower bound
|
|
1709 when precision isn't specified is 8 bytes ("1.23456" since
|
|
1710 precision is taken to be 6). When precision is zero, the lower
|
|
1711 bound is 1 byte (e.g., "1"). Otherwise, when precision is greater
|
|
1712 than zero, then the lower bound is 2 plus precision (plus flags).
|
|
1713 But in all cases, the lower bound is no greater than 3. */
|
|
1714 unsigned HOST_WIDE_INT min = flagmin + radix + minprec;
|
|
1715 if (min < res.range.min)
|
|
1716 res.range.min = min;
|
111
|
1717
|
|
1718 /* Compute the upper bound for -TYPE_MAX. */
|
|
1719 res.range.max = format_floating_max (type, 'f', prec[1]);
|
|
1720
|
|
1721 /* The minimum output with unknown precision is a single byte
|
|
1722 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */
|
|
1723 if (dir.prec[0] < 0 && dir.prec[1] > 0)
|
|
1724 res.range.likely = 3;
|
|
1725 else
|
131
|
1726 res.range.likely = min;
|
111
|
1727
|
|
1728 /* The unlikely maximum accounts for the longest multibyte
|
|
1729 decimal point character. */
|
|
1730 if (dir.prec[0] != dir.prec[1]
|
|
1731 || dir.prec[0] == -1 || dir.prec[0] > 0)
|
|
1732 res.range.unlikely = res.range.max + target_mb_len_max () - 1;
|
|
1733 break;
|
|
1734 }
|
|
1735
|
|
1736 case 'G':
|
|
1737 case 'g':
|
|
1738 {
|
|
1739 /* The %g output depends on precision and the exponent of
|
|
1740 the argument. Since the value of the argument isn't known
|
|
1741 the lower bound on the range of bytes (not counting flags
|
|
1742 or width) is 1 plus radix (i.e., either "0" or "0." for
|
|
1743 "%g" and "%#g", respectively, with a zero argument). */
|
131
|
1744 unsigned HOST_WIDE_INT min = flagmin + radix;
|
|
1745 if (min < res.range.min)
|
|
1746 res.range.min = min;
|
111
|
1747
|
|
1748 char spec = 'g';
|
|
1749 HOST_WIDE_INT maxprec = dir.prec[1];
|
|
1750 if (radix && maxprec)
|
|
1751 {
|
|
1752 /* When the pound flag (radix) is set, trailing zeros aren't
|
|
1753 trimmed and so the longest output is the same as for %e,
|
|
1754 except with precision minus 1 (as specified in C11). */
|
|
1755 spec = 'e';
|
|
1756 if (maxprec > 0)
|
|
1757 --maxprec;
|
|
1758 else if (maxprec < 0)
|
|
1759 maxprec = 5;
|
|
1760 }
|
|
1761 else
|
|
1762 maxprec = prec[1];
|
|
1763
|
|
1764 res.range.max = format_floating_max (type, spec, maxprec);
|
|
1765
|
|
1766 /* The likely output is either the maximum computed above
|
|
1767 minus 1 (assuming the maximum is positive) when precision
|
|
1768 is known (or unspecified), or the same minimum as for %e
|
|
1769 (which is computed for a non-negative argument). Unlike
|
|
1770 for the other specifiers above the likely output isn't
|
|
1771 the minimum because for %g that's 1 which is unlikely. */
|
|
1772 if (dir.prec[1] < 0
|
|
1773 || (unsigned HOST_WIDE_INT)dir.prec[1] < target_int_max ())
|
|
1774 res.range.likely = res.range.max - 1;
|
|
1775 else
|
|
1776 {
|
|
1777 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */;
|
|
1778 res.range.likely = (flagmin
|
|
1779 + radix
|
|
1780 + minprec
|
|
1781 + 2 /* e+ */ + 2);
|
|
1782 }
|
|
1783
|
|
1784 /* The unlikely maximum accounts for the longest multibyte
|
|
1785 decimal point character. */
|
|
1786 res.range.unlikely = res.range.max + target_mb_len_max () - 1;
|
|
1787 break;
|
|
1788 }
|
|
1789
|
|
1790 default:
|
|
1791 return fmtresult ();
|
|
1792 }
|
|
1793
|
|
1794 /* Bump up the byte counters if WIDTH is greater. */
|
|
1795 res.adjust_for_width_or_precision (dir.width);
|
|
1796 return res;
|
|
1797 }
/* Return a range representing the minimum and maximum number of bytes
   that the directive DIR will write on output for the floating-point
   argument ARG (which may be null or a non-constant).  */
static fmtresult
format_floating (const directive &dir, tree arg, vr_values *)
{
  /* Working copy of the precision range: it is rewritten below to the
     range actually used for formatting (negative bounds are replaced
     by the defaults the standard prescribes).  */
  HOST_WIDE_INT prec[] = { dir.prec[0], dir.prec[1] };
  /* The %L (and %ll) length modifiers select long double; everything
     else is formatted as double.  */
  tree type = (dir.modifier == FMT_LEN_L || dir.modifier == FMT_LEN_ll
	       ? long_double_type_node : double_type_node);

  /* For an indeterminate precision the lower bound must be assumed
     to be zero.  The %a/%A conversion is handled first because its
     default precision depends on the floating-point format.  */
  if (TOUPPER (dir.specifier) == 'A')
    {
      /* Get the number of fractional decimal digits needed to represent
	 the argument without a loss of accuracy.  */
      unsigned fmtprec
	= REAL_MODE_FORMAT (TYPE_MODE (type))->p;

      /* The precision of the IEEE 754 double format is 53.
	 The precision of all other GCC binary double formats
	 is 56 or less.  */
      unsigned maxprec = fmtprec <= 56 ? 13 : 15;

      /* For %a, leave the minimum precision unspecified to let
	 MPFR trim trailing zeros (as it and many other systems
	 including Glibc happen to do) and set the maximum
	 precision to reflect what it would be with trailing zeros
	 present (as Solaris and derived systems do).  */
      if (dir.prec[1] < 0)
	{
	  /* Both bounds are negative implies that precision has
	     not been specified.  */
	  prec[0] = maxprec;
	  prec[1] = -1;
	}
      else if (dir.prec[0] < 0)
	{
	  /* With a negative lower bound and a non-negative upper
	     bound set the minimum precision to zero and the maximum
	     to the greater of the maximum precision (i.e., with
	     trailing zeros present) and the specified upper bound.  */
	  prec[0] = 0;
	  prec[1] = dir.prec[1] < maxprec ? maxprec : dir.prec[1];
	}
    }
  else if (dir.prec[0] < 0)
    {
      if (dir.prec[1] < 0)
	{
	  /* A precision in a strictly negative range is ignored and
	     the default of 6 is used instead.  */
	  prec[0] = prec[1] = 6;
	}
      else
	{
	  /* For a precision in a partly negative range, the lower bound
	     must be assumed to be zero and the new upper bound is the
	     greater of 6 (the default precision used when the specified
	     precision is negative) and the upper bound of the specified
	     range.  */
	  prec[0] = 0;
	  prec[1] = dir.prec[1] < 6 ? 6 : dir.prec[1];
	}
    }

  /* Without a constant argument of the expected type fall back on
     the argument-independent overload, which computes the range
     from the directive and the adjusted precision alone.  */
  if (!arg
      || TREE_CODE (arg) != REAL_CST
      || !useless_type_conversion_p (type, TREE_TYPE (arg)))
    return format_floating (dir, prec);

  /* The minimum and maximum number of bytes produced by the directive.  */
  fmtresult res;

  /* Get the real type format description for the target.  */
  const REAL_VALUE_TYPE *rvp = TREE_REAL_CST_PTR (arg);
  const real_format *rfmt = REAL_MODE_FORMAT (TYPE_MODE (TREE_TYPE (arg)));

  if (!real_isfinite (rvp))
    {
      /* The format for Infinity and NaN is "[-]inf"/"[-]infinity"
	 and "[-]nan" with the choice being implementation-defined
	 but not locale dependent.  */
      bool sign = dir.get_flag ('+') || real_isneg (rvp);
      res.range.min = 3 + sign;

      res.range.likely = res.range.min;
      res.range.max = res.range.min;
      /* The unlikely maximum is "[-/+]infinity" or "[-/+][qs]nan".
	 For NaN, the C/POSIX standards specify two formats:
	   "[-/+]nan"
	 and
	   "[-/+]nan(n-char-sequence)"
	 No known printf implementation outputs the latter format but AIX
	 outputs QNaN and SNaN for quiet and signalling NaN, respectively,
	 so the unlikely maximum reflects that.  */
      res.range.unlikely = sign + (real_isinf (rvp) ? 8 : 4);

      /* The range for infinity and NaN is known unless either width
	 or precision is unknown.  Width has the same effect regardless
	 of whether the argument is finite.  Precision is either ignored
	 (e.g., Glibc) or can have an effect on the short vs long format
	 such as inf/infinity (e.g., Solaris).  */
      res.knownrange = dir.known_width_and_precision ();

      /* Adjust the range for width but ignore precision.  */
      res.adjust_for_width_or_precision (dir.width);

      return res;
    }

  /* Buffer for the flags portion of the format passed to MPFR.  At
     most the five flag characters below plus the terminating nul are
     stored, so the array has ample room.  */
  char fmtstr [40];
  char *pfmt = fmtstr;

  /* Append flags.  */
  for (const char *pf = "-+ #0"; *pf; ++pf)
    if (dir.get_flag (*pf))
      *pfmt++ = *pf;

  *pfmt = '\0';

  {
    /* Set up an array to easily iterate over.  */
    unsigned HOST_WIDE_INT* const minmax[] = {
      &res.range.min, &res.range.max
    };

    for (int i = 0; i != sizeof minmax / sizeof *minmax; ++i)
      {
	/* Convert the GCC real value representation with the precision
	   of the real type to the mpfr_t format rounding down in the
	   first iteration that computes the minimum and up in the second
	   that computes the maximum.  This order is arbitrary because
	   rounding in either direction can result in longer output.  */
	mpfr_t mpfrval;
	mpfr_init2 (mpfrval, rfmt->p);
	mpfr_from_real (mpfrval, rvp, i ? GMP_RNDU : GMP_RNDD);

	/* Use the MPFR rounding specifier to round down in the first
	   iteration and then up.  In most but not all cases this will
	   result in the same number of bytes.  */
	char rndspec = "DU"[i];

	/* Format it and store the result in the corresponding member
	   of the result struct.  The lower precision bound is used for
	   the minimum and the upper bound for the maximum.  */
	*minmax[i] = get_mpfr_format_length (mpfrval, fmtstr, prec[i],
					     dir.specifier, rndspec);
	mpfr_clear (mpfrval);
      }
  }

  /* Make sure the minimum is less than the maximum (MPFR rounding
     in the call to mpfr_snprintf can result in the reverse).  */
  if (res.range.max < res.range.min)
    {
      unsigned HOST_WIDE_INT tmp = res.range.min;
      res.range.min = res.range.max;
      res.range.max = tmp;
    }

  /* The range is known unless either width or precision is unknown.  */
  res.knownrange = dir.known_width_and_precision ();

  /* For the same floating point constant, unless width or precision
     is unknown, use the longer output as the likely maximum since
     with round to nearest either is equally likely.  Otherwise, when
     precision is unknown, use the greater of the minimum and 3 as
     the likely output (for "0.0" since zero precision is unlikely).  */
  if (res.knownrange)
    res.range.likely = res.range.max;
  else if (res.range.min < 3
	   && dir.prec[0] < 0
	   && (unsigned HOST_WIDE_INT)dir.prec[1] == target_int_max ())
    res.range.likely = 3;
  else
    res.range.likely = res.range.min;

  res.range.unlikely = res.range.max;

  if (res.range.max > 2 && (prec[0] != 0 || prec[1] != 0))
    {
      /* Unless the precision is zero output longer than 2 bytes may
	 include the decimal point which must be a single character
	 up to MB_LEN_MAX in length.  This is overly conservative
	 since in some conversions some constants result in no decimal
	 point (e.g., in %g).  */
      res.range.unlikely += target_mb_len_max () - 1;
    }

  /* Bump up the byte counters if WIDTH is greater.  */
  res.adjust_for_width_or_precision (dir.width);
  return res;
}
/* Return a FMTRESULT struct set to the lengths of the shortest and longest
   strings referenced by the expression STR, or (-1, -1) when not known.
   ELTSIZE is the size in bytes of one character of the string (1 for
   a narrow string, the size of wchar_t for a wide one).  Used by the
   format_string function below.  */
static fmtresult
get_string_length (tree str, unsigned eltsize)
{
  /* No argument at all (e.g., for vsprintf) means nothing is known.  */
  if (!str)
    return fmtresult ();

  /* First try for an exact length: either a properly nul-terminated
     string whose length is a constant, or an unterminated constant
     array whose size is known.  */
  c_strlen_data strdata;
  memset (&strdata, 0, sizeof strdata);
  tree len = c_strlen (str, 1, &strdata, eltsize);

  const bool terminated = len && TREE_CODE (len) == INTEGER_CST;
  if (terminated)
    {
      /* STR is nul-terminated and its length is known exactly.  */
      fmtresult res (tree_to_shwi (len));
      res.nonstr = NULL_TREE;
      return res;
    }

  const bool unterminated = (!len
			     && strdata.decl
			     && strdata.len
			     && TREE_CODE (strdata.len) == INTEGER_CST);
  if (unterminated)
    {
      /* STR isn't nul-terminated but the size of the array it refers
	 to is known; record the array declaration in NONSTR so the
	 caller can diagnose it.  */
      fmtresult res (tree_to_shwi (strdata.len));
      res.nonstr = strdata.decl;
      return res;
    }

  /* Otherwise bound the shortest and longest string STR may refer to
     by the sizes of the arrays its subexpressions may point to.
     Pointers not known to point to any such array yield an upper
     bound of SIZE_MAX.  NONSTR is set to the declaration of a constant
     array that is known not to be nul-terminated.  */
  tree lenrange[2];
  tree nonstr;
  const bool flexarray
    = get_range_strlen (str, lenrange, eltsize, false, &nonstr);

  if (!lenrange[0] && !lenrange[1])
    return fmtresult ();

  /* A bound that isn't a constant fitting an unsigned HWI collapses
     to the extreme value on its side of the range.  */
  HOST_WIDE_INT lo = 0;
  if (tree_fits_uhwi_p (lenrange[0]))
    lo = tree_to_uhwi (lenrange[0]);

  HOST_WIDE_INT hi = HOST_WIDE_INT_M1U;
  if (tree_fits_uhwi_p (lenrange[1]))
    hi = tree_to_uhwi (lenrange[1]);

  /* get_range_strlen () uses the target value of SIZE_MAX for strings
     of unknown length.  Widen it to HOST_WIDE_INT_M1U, which may be
     bigger.  */
  const unsigned HOST_WIDE_INT sizemax = target_size_max ();
  if ((unsigned HOST_WIDE_INT) lo == sizemax)
    lo = HOST_WIDE_INT_M1U;
  if ((unsigned HOST_WIDE_INT) hi == sizemax)
    hi = HOST_WIDE_INT_M1U;

  fmtresult res (lo, hi);
  res.nonstr = nonstr;

  if (res.range.max < target_int_max ())
    {
      /* Every string STR may refer to is bounded (if only by the size
	 of its array rather than its actual length), so the range is
	 known and the longest length doubles as the likely one.  */
      res.knownrange = true;
      res.range.likely = res.range.max;
    }
  else
    {
      /* The upper bound is unknown (zero or excessive): the likely
	 length is that of the shortest string when it's non-empty,
	 otherwise 0 or 1 depending on the warning level, and the lower
	 bound drops to zero.  */
      res.range.likely = res.range.min ? res.range.min : warn_level > 1;
      res.range.min = 0;
    }

  /* An array at the end of a struct (e.g., struct S { char a[4]; })
     may be used as a poor man's flexible array member, so assume the
     string can be longer than the array bound says.  */
  res.range.unlikely = flexarray ? HOST_WIDE_INT_MAX : res.range.max;

  return res;
}
/* Return the minimum and maximum number of characters formatted
   by the '%c' format directive and its wide character form for
   the argument ARG.  ARG can be null (for functions such as
   vsprintf).  */
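static fmtresult
format_character (const directive &dir, tree arg, vr_values *vr_values)
{
  fmtresult res;

  /* The output of both the narrow and the wide form is bounded
     (by 1 and MB_LEN_MAX bytes, respectively), so the range is
     always known.  */
  res.knownrange = true;

  if (dir.specifier != 'C' && dir.modifier != FMT_LEN_l)
    {
      /* A plain '%c' directive.  Its output is exactly 1 byte.  */
      res.range.min = res.range.max = 1;
      res.range.likely = res.range.unlikely = 1;

      /* Bump up the byte counters if WIDTH is greater.  */
      return res.adjust_for_width_or_precision (dir.width);
    }

  /* A wide character can result in as few as zero bytes.  */
  res.range.min = 0;

  /* MIN and MAX are only meaningful when the range of the argument
     is known.  */
  HOST_WIDE_INT min, max;
  const bool known = get_int_range (arg, &min, &max, false, 0, vr_values);

  if (known && min == 0 && max == 0)
    {
      /* The NUL wide character results in no bytes.  */
      res.range.max = 0;
      res.range.likely = 0;
      res.range.unlikely = 0;
    }
  else if (known && min >= 0 && min < 128)
    {
      /* Be conservative if the target execution character set
	 is not a 1-to-1 mapping to the source character set or
	 if the source set is not ASCII.  */
      const bool one_2_one_ascii
	= (target_to_host_charmap[0] == 1 && target_to_host ('a') == 97);

      /* A wide character in the ASCII range most likely results
	 in a single byte, and only unlikely in up to MB_LEN_MAX.  */
      res.range.max = one_2_one_ascii ? 1 : target_mb_len_max ();
      res.range.likely = 1;
      res.range.unlikely = target_mb_len_max ();
      res.mayfail = !one_2_one_ascii;
    }
  else
    {
      /* A wide character outside the ASCII range, or one whose value
	 isn't known, likely results in up to two bytes, and only
	 unlikely in up to MB_LEN_MAX.  Converting such a character
	 may fail.  */
      res.range.max = target_mb_len_max ();
      res.range.likely = 2;
      res.range.unlikely = res.range.max;
      res.mayfail = true;
    }

  /* Bump up the byte counters if WIDTH is greater.  */
  return res.adjust_for_width_or_precision (dir.width);
}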
/* Return the minimum and maximum number of characters formatted
   by the '%s' format directive and its wide character form for
   the argument ARG.  ARG can be null (for functions such as
   vsprintf).  */
static fmtresult
format_string (const directive &dir, tree arg, vr_values *)
{
  fmtresult res;

  /* Compute the range the argument's length can be in.  COUNT_BY is
     the size in bytes of one character of the argument: 1 for %s,
     the size of wchar_t for %S and %ls.  */
  int count_by = 1;
  if (dir.specifier == 'S' || dir.modifier == FMT_LEN_l)
    {
      /* Get a node for a C type that will be the same size
	 as a wchar_t on the target.  */
      tree node = get_typenode_from_name (MODIFIED_WCHAR_TYPE);

      /* Now that we have a suitable node, get the number of
	 bytes it occupies.  */
      count_by = int_size_in_bytes (node);
      gcc_checking_assert (count_by == 2 || count_by == 4);
    }

  fmtresult slen = get_string_length (arg, count_by);
  if (slen.range.min == slen.range.max
      && slen.range.min < HOST_WIDE_INT_MAX)
    {
      /* The argument is either a string constant or it refers
	 to one of a number of strings of the same length.  */

      /* A '%s' directive with a string argument with constant length.  */
      res.range = slen.range;

      if (dir.specifier == 'S'
	  || dir.modifier == FMT_LEN_l)
	{
	  /* In the worst case the length of output of a wide string S
	     is bounded by MB_LEN_MAX * wcslen (S).  */
	  res.range.max *= target_mb_len_max ();
	  res.range.unlikely = res.range.max;
	  /* It's likely that the total length is not more than
	     2 * wcslen (S).  */
	  res.range.likely = res.range.min * 2;

	  /* A known upper precision bound caps all three maxima.  */
	  if (dir.prec[1] >= 0
	      && (unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max)
	    {
	      res.range.max = dir.prec[1];
	      res.range.likely = dir.prec[1];
	      res.range.unlikely = dir.prec[1];
	    }

	  /* NOTE(review): the zeroing of the minimum here is redundant
	     with the unconditional zeroing a few lines below; only the
	     adjustment of the likely counter has an effect.  */
	  if (dir.prec[0] < 0 && dir.prec[1] > -1)
	    res.range.min = 0;
	  else if (dir.prec[0] >= 0)
	    res.range.likely = dir.prec[0];

	  /* Even a non-empty wide character string need not convert into
	     any bytes.  */
	  res.range.min = 0;

	  /* A non-empty wide character conversion may fail.  */
	  if (slen.range.max > 0)
	    res.mayfail = true;
	}
      else
	{
	  /* A narrow string of constant length: the output is exactly
	     known unless precision shortens it.  */
	  res.knownrange = true;

	  if (dir.prec[0] < 0 && dir.prec[1] > -1)
	    res.range.min = 0;
	  else if ((unsigned HOST_WIDE_INT)dir.prec[0] < res.range.min)
	    res.range.min = dir.prec[0];

	  if ((unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max)
	    {
	      res.range.max = dir.prec[1];
	      res.range.likely = dir.prec[1];
	      res.range.unlikely = dir.prec[1];
	    }
	}
    }
  else if (arg && integer_zerop (arg))
    {
      /* Handle null pointer argument: report zero bytes and flag
	 the null so the caller can diagnose it.  */

      fmtresult res (0);
      res.nullp = true;
      return res;
    }
  else
    {
      /* For a '%s' and '%ls' directive with a non-constant string (either
	 one of a number of strings of known length or an unknown string)
	 the minimum number of characters is the lesser of PRECISION[0] and
	 the length of the shortest known string or zero, and the maximum
	 is the lesser of the length of the longest known string or
	 PTRDIFF_MAX and PRECISION[1].  The likely length is either
	 the minimum at level 1 and the greater of the minimum and 1
	 at level 2.  This result is adjusted upward for width (if it's
	 specified).  */

      if (dir.specifier == 'S'
	  || dir.modifier == FMT_LEN_l)
	{
	  /* A wide character converts to as few as zero bytes.  */
	  slen.range.min = 0;
	  if (slen.range.max < target_int_max ())
	    slen.range.max *= target_mb_len_max ();

	  if (slen.range.likely < target_int_max ())
	    slen.range.likely *= 2;

	  /* NOTE(review): this guard tests LIKELY but scales UNLIKELY,
	     unlike the two guards above which each test the member they
	     scale; presumably UNLIKELY was meant.  The value is
	     overwritten from RES.RANGE.MAX at the end of this branch
	     anyway, so the effect is nil -- confirm before changing.  */
	  if (slen.range.likely < target_int_max ())
	    slen.range.unlikely *= target_mb_len_max ();

	  /* A non-empty wide character conversion may fail.  */
	  if (slen.range.max > 0)
	    res.mayfail = true;
	}

      res.range = slen.range;

      if (dir.prec[0] >= 0)
	{
	  /* Adjust the minimum to zero if the string length is unknown,
	     or at most the lower bound of the precision otherwise.  */
	  if (slen.range.min >= target_int_max ())
	    res.range.min = 0;
	  else if ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.min)
	    res.range.min = dir.prec[0];

	  /* Make both maxima no greater than the upper bound of precision.  */
	  if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max
	      || slen.range.max >= target_int_max ())
	    {
	      res.range.max = dir.prec[1];
	      res.range.unlikely = dir.prec[1];
	    }

	  /* If precision is constant, set the likely counter to the lesser
	     of it and the maximum string length.  Otherwise, if the lower
	     bound of precision is greater than zero, set the likely counter
	     to the minimum.  Otherwise set it to zero or one based on
	     the warning level.  */
	  if (dir.prec[0] == dir.prec[1])
	    res.range.likely
	      = ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.max
		 ? dir.prec[0] : slen.range.max);
	  else if (dir.prec[0] > 0)
	    res.range.likely = res.range.min;
	  else
	    res.range.likely = warn_level > 1;
	}
      else if (dir.prec[1] >= 0)
	{
	  /* Only the upper precision bound is known: the output may be
	     empty, and is at most that bound.  */
	  res.range.min = 0;
	  if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max)
	    res.range.max = dir.prec[1];
	  res.range.likely = dir.prec[1] ? warn_level > 1 : 0;
	}
      else if (slen.range.min >= target_int_max ())
	{
	  res.range.min = 0;
	  res.range.max = HOST_WIDE_INT_MAX;
	  /* At level 1 strings of unknown length are assumed to be
	     empty, while at level 2 they are assumed to be one byte
	     long.  */
	  res.range.likely = warn_level > 1;
	}
      else
	{
	  /* A string of unknown length unconstrained by precision is
	     assumed to be empty at level 1 and just one character long
	     at higher levels.  */
	  if (res.range.likely >= target_int_max ())
	    res.range.likely = warn_level > 1;
	}

      res.range.unlikely = res.range.max;
    }

  /* If the argument isn't a nul-terminated string and the number
     of bytes on output isn't bounded by precision, set NONSTR.  */
  if (slen.nonstr && slen.range.min < (unsigned HOST_WIDE_INT)dir.prec[0])
    res.nonstr = slen.nonstr;

  /* Bump up the byte counters if WIDTH is greater.  */
  return res.adjust_for_width_or_precision (dir.width);
}
/* Format a plain string (literal text that is part of the format string
   itself, outside any conversion directive).  */
static fmtresult
format_plain (const directive &dir, tree, vr_values *)
{
  /* Literal text is copied to the output verbatim, so the number of
     bytes written is exactly the length of the directive.  The
     argument and value-range parameters are unused.  */
  return fmtresult (dir.len);
}
/* Return true if the RESULT of a directive in a call described by INFO
   should be diagnosed given the AVAILable space in the destination.  */
static bool
should_warn_p (const sprintf_dom_walker::call_info &info,
	       const result_range &avail, const result_range &result)
{
  /* Nothing to diagnose when even the longest output fits in the
     least amount of space remaining in the destination.  */
  if (result.max <= avail.min)
    return false;

  /* Bounded calls (snprintf and friends) are governed by the
     -Wformat-truncation level, unbounded ones by the -Wformat-overflow
     level.  */
  const int level = info.bounded ? warn_format_trunc : warn_level;

  if (level == 2)
    {
      /* At level 2 the test is the same for both kinds of calls: the
	 likely output must fit in the least space, and so must the
	 longest output unless its upper bound is unknown (i.e., in
	 excess of HOST_WIDE_INT_MAX).  */
      const bool max_unknown = result.max > HOST_WIDE_INT_MAX;
      const bool fits = (result.likely <= avail.min
			 && (result.max <= avail.min || max_unknown));
      return !fits;
    }

  if (level == 1)
    {
      if (!info.bounded)
	/* Warn unless the likely output fits in the likely amount
	   of space.  */
	return avail.likely < result.likely;

      /* For a bounded call whose return value is used, the least
	 output need only fit in the most space; when the return value
	 is unused, the likely output must fit in the likely space.  */
      if (info.retval_used ())
	return avail.max < result.min;

      return avail.likely < result.likely;
    }

  /* Any other level: diagnose whenever the longest output might
     not fit.  */
  return true;
}
/* At the format string location described by DIRLOC in a call described
   by INFO, issue a warning for a directive DIR whose output may be
   in excess of the available space AVAIL_RANGE in the destination
   given the formatting result FMTRES.  This function does nothing
   except decide whether to issue a warning for a possible write
   past the end or truncation and, if so, format the warning.
   Return true if a warning has been issued.  */
2440 static bool
|
|
2441 maybe_warn (substring_loc &dirloc, location_t argloc,
|
131
|
2442 const sprintf_dom_walker::call_info &info,
|
111
|
2443 const result_range &avail_range, const result_range &res,
|
|
2444 const directive &dir)
|
|
2445 {
|
|
2446 if (!should_warn_p (info, avail_range, res))
|
|
2447 return false;
|
|
2448
|
|
2449 /* A warning will definitely be issued below. */
|
|
2450
|
|
2451 /* The maximum byte count to reference in the warning. Larger counts
|
|
2452 imply that the upper bound is unknown (and could be anywhere between
|
|
2453 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather
|
|
2454 than "between N and X" where X is some huge number. */
|
|
2455 unsigned HOST_WIDE_INT maxbytes = target_dir_max ();
|
|
2456
|
|
2457 /* True when there is enough room in the destination for the least
|
|
2458 amount of a directive's output but not enough for its likely or
|
|
2459 maximum output. */
|
|
2460 bool maybe = (res.min <= avail_range.max
|
|
2461 && (avail_range.min < res.likely
|
|
2462 || (res.max < HOST_WIDE_INT_MAX
|
|
2463 && avail_range.min < res.max)));
|
|
2464
|
|
2465 /* Buffer for the directive in the host character set (used when
|
|
2466 the source character set is different). */
|
|
2467 char hostdir[32];
|
|
2468
|
|
2469 if (avail_range.min == avail_range.max)
|
|
2470 {
|
|
2471 /* The size of the destination region is exact. */
|
|
2472 unsigned HOST_WIDE_INT navail = avail_range.max;
|
|
2473
|
|
2474 if (target_to_host (*dir.beg) != '%')
|
|
2475 {
|
|
2476 /* For plain character directives (i.e., the format string itself)
|
|
2477 but not others, point the caret at the first character that's
|
|
2478 past the end of the destination. */
|
131
|
2479 if (navail < dir.len)
|
|
2480 dirloc.set_caret_index (dirloc.get_caret_idx () + navail);
|
111
|
2481 }
|
|
2482
|
|
2483 if (*dir.beg == '\0')
|
|
2484 {
|
|
2485 /* This is the terminating nul. */
|
|
2486 gcc_assert (res.min == 1 && res.min == res.max);
|
|
2487
|
|
2488 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
|
131
|
2489 info.bounded
|
|
2490 ? (maybe
|
|
2491 ? G_("%qE output may be truncated before the "
|
|
2492 "last format character")
|
|
2493 : G_("%qE output truncated before the last "
|
|
2494 "format character"))
|
|
2495 : (maybe
|
|
2496 ? G_("%qE may write a terminating nul past the "
|
|
2497 "end of the destination")
|
|
2498 : G_("%qE writing a terminating nul past the "
|
|
2499 "end of the destination")),
|
|
2500 info.func);
|
111
|
2501 }
|
|
2502
|
|
2503 if (res.min == res.max)
|
|
2504 {
|
131
|
2505 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg);
|
|
2506 if (!info.bounded)
|
|
2507 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
|
|
2508 "%<%.*s%> directive writing %wu byte into a "
|
|
2509 "region of size %wu",
|
|
2510 "%<%.*s%> directive writing %wu bytes into a "
|
|
2511 "region of size %wu",
|
|
2512 (int) dir.len, d, res.min, navail);
|
|
2513 else if (maybe)
|
|
2514 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
|
|
2515 "%<%.*s%> directive output may be truncated "
|
|
2516 "writing %wu byte into a region of size %wu",
|
|
2517 "%<%.*s%> directive output may be truncated "
|
|
2518 "writing %wu bytes into a region of size %wu",
|
|
2519 (int) dir.len, d, res.min, navail);
|
|
2520 else
|
|
2521 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
|
|
2522 "%<%.*s%> directive output truncated writing "
|
|
2523 "%wu byte into a region of size %wu",
|
|
2524 "%<%.*s%> directive output truncated writing "
|
|
2525 "%wu bytes into a region of size %wu",
|
|
2526 (int) dir.len, d, res.min, navail);
|
111
|
2527 }
|
|
2528 if (res.min == 0 && res.max < maxbytes)
|
131
|
2529 return fmtwarn (dirloc, argloc, NULL,
|
|
2530 info.warnopt (),
|
|
2531 info.bounded
|
|
2532 ? (maybe
|
|
2533 ? G_("%<%.*s%> directive output may be truncated "
|
|
2534 "writing up to %wu bytes into a region of "
|
|
2535 "size %wu")
|
|
2536 : G_("%<%.*s%> directive output truncated writing "
|
|
2537 "up to %wu bytes into a region of size %wu"))
|
|
2538 : G_("%<%.*s%> directive writing up to %wu bytes "
|
|
2539 "into a region of size %wu"), (int) dir.len,
|
|
2540 target_to_host (hostdir, sizeof hostdir, dir.beg),
|
|
2541 res.max, navail);
|
111
|
2542
|
|
2543 if (res.min == 0 && maxbytes <= res.max)
|
131
|
2544 /* This is a special case to avoid issuing the potentially
|
|
2545 confusing warning:
|
|
2546 writing 0 or more bytes into a region of size 0. */
|
|
2547 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
|
|
2548 info.bounded
|
|
2549 ? (maybe
|
|
2550 ? G_("%<%.*s%> directive output may be truncated "
|
|
2551 "writing likely %wu or more bytes into a "
|
|
2552 "region of size %wu")
|
|
2553 : G_("%<%.*s%> directive output truncated writing "
|
|
2554 "likely %wu or more bytes into a region of "
|
|
2555 "size %wu"))
|
|
2556 : G_("%<%.*s%> directive writing likely %wu or more "
|
|
2557 "bytes into a region of size %wu"), (int) dir.len,
|
|
2558 target_to_host (hostdir, sizeof hostdir, dir.beg),
|
|
2559 res.likely, navail);
|
111
|
2560
|
|
2561 if (res.max < maxbytes)
|
131
|
2562 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
|
|
2563 info.bounded
|
|
2564 ? (maybe
|
|
2565 ? G_("%<%.*s%> directive output may be truncated "
|
|
2566 "writing between %wu and %wu bytes into a "
|
|
2567 "region of size %wu")
|
|
2568 : G_("%<%.*s%> directive output truncated "
|
|
2569 "writing between %wu and %wu bytes into a "
|
|
2570 "region of size %wu"))
|
|
2571 : G_("%<%.*s%> directive writing between %wu and "
|
|
2572 "%wu bytes into a region of size %wu"),
|
|
2573 (int) dir.len,
|
|
2574 target_to_host (hostdir, sizeof hostdir, dir.beg),
|
|
2575 res.min, res.max, navail);
|
|
2576
|
|
2577 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
|
|
2578 info.bounded
|
|
2579 ? (maybe
|
|
2580 ? G_("%<%.*s%> directive output may be truncated "
|
|
2581 "writing %wu or more bytes into a region of "
|
|
2582 "size %wu")
|
|
2583 : G_("%<%.*s%> directive output truncated writing "
|
|
2584 "%wu or more bytes into a region of size %wu"))
|
|
2585 : G_("%<%.*s%> directive writing %wu or more bytes "
|
|
2586 "into a region of size %wu"), (int) dir.len,
|
111
|
2587 target_to_host (hostdir, sizeof hostdir, dir.beg),
|
|
2588 res.min, navail);
|
|
2589 }
|
|
2590
|
|
2591 /* The size of the destination region is a range. */
|
|
2592
|
|
2593 if (target_to_host (*dir.beg) != '%')
|
|
2594 {
|
|
2595 unsigned HOST_WIDE_INT navail = avail_range.max;
|
|
2596
|
|
2597 /* For plain character directives (i.e., the format string itself)
|
|
2598 but not others, point the caret at the first character that's
|
|
2599 past the end of the destination. */
|
131
|
2600 if (navail < dir.len)
|
|
2601 dirloc.set_caret_index (dirloc.get_caret_idx () + navail);
|
111
|
2602 }
|
|
2603
|
|
2604 if (*dir.beg == '\0')
|
|
2605 {
|
|
2606 gcc_assert (res.min == 1 && res.min == res.max);
|
|
2607
|
131
|
2608 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
|
|
2609 info.bounded
|
|
2610 ? (maybe
|
|
2611 ? G_("%qE output may be truncated before the last "
|
|
2612 "format character")
|
|
2613 : G_("%qE output truncated before the last format "
|
|
2614 "character"))
|
|
2615 : (maybe
|
|
2616 ? G_("%qE may write a terminating nul past the end "
|
|
2617 "of the destination")
|
|
2618 : G_("%qE writing a terminating nul past the end "
|
|
2619 "of the destination")), info.func);
|
111
|
2620 }
|
|
2621
|
|
2622 if (res.min == res.max)
|
|
2623 {
|
131
|
2624 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg);
|
|
2625 if (!info.bounded)
|
|
2626 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
|
|
2627 "%<%.*s%> directive writing %wu byte into a region "
|
|
2628 "of size between %wu and %wu",
|
|
2629 "%<%.*s%> directive writing %wu bytes into a region "
|
|
2630 "of size between %wu and %wu", (int) dir.len, d,
|
|
2631 res.min, avail_range.min, avail_range.max);
|
|
2632 else if (maybe)
|
|
2633 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
|
|
2634 "%<%.*s%> directive output may be truncated writing "
|
|
2635 "%wu byte into a region of size between %wu and %wu",
|
|
2636 "%<%.*s%> directive output may be truncated writing "
|
|
2637 "%wu bytes into a region of size between %wu and "
|
|
2638 "%wu", (int) dir.len, d, res.min, avail_range.min,
|
|
2639 avail_range.max);
|
|
2640 else
|
|
2641 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
|
|
2642 "%<%.*s%> directive output truncated writing %wu "
|
|
2643 "byte into a region of size between %wu and %wu",
|
|
2644 "%<%.*s%> directive output truncated writing %wu "
|
|
2645 "bytes into a region of size between %wu and %wu",
|
|
2646 (int) dir.len, d, res.min, avail_range.min,
|
|
2647 avail_range.max);
|
111
|
2648 }
|
|
2649
|
|
2650 if (res.min == 0 && res.max < maxbytes)
|
131
|
2651 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
|
|
2652 info.bounded
|
|
2653 ? (maybe
|
|
2654 ? G_("%<%.*s%> directive output may be truncated "
|
|
2655 "writing up to %wu bytes into a region of size "
|
|
2656 "between %wu and %wu")
|
|
2657 : G_("%<%.*s%> directive output truncated writing "
|
|
2658 "up to %wu bytes into a region of size between "
|
|
2659 "%wu and %wu"))
|
|
2660 : G_("%<%.*s%> directive writing up to %wu bytes "
|
|
2661 "into a region of size between %wu and %wu"),
|
|
2662 (int) dir.len,
|
|
2663 target_to_host (hostdir, sizeof hostdir, dir.beg),
|
|
2664 res.max, avail_range.min, avail_range.max);
|
111
|
2665
|
|
2666 if (res.min == 0 && maxbytes <= res.max)
|
131
|
2667 /* This is a special case to avoid issuing the potentially confusing
|
|
2668 warning:
|
|
2669 writing 0 or more bytes into a region of size between 0 and N. */
|
|
2670 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
|
|
2671 info.bounded
|
|
2672 ? (maybe
|
|
2673 ? G_("%<%.*s%> directive output may be truncated "
|
|
2674 "writing likely %wu or more bytes into a region "
|
|
2675 "of size between %wu and %wu")
|
|
2676 : G_("%<%.*s%> directive output truncated writing "
|
|
2677 "likely %wu or more bytes into a region of size "
|
|
2678 "between %wu and %wu"))
|
|
2679 : G_("%<%.*s%> directive writing likely %wu or more bytes "
|
|
2680 "into a region of size between %wu and %wu"),
|
|
2681 (int) dir.len,
|
|
2682 target_to_host (hostdir, sizeof hostdir, dir.beg),
|
|
2683 res.likely, avail_range.min, avail_range.max);
|
111
|
2684
|
|
2685 if (res.max < maxbytes)
|
131
|
2686 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
|
|
2687 info.bounded
|
|
2688 ? (maybe
|
|
2689 ? G_("%<%.*s%> directive output may be truncated "
|
|
2690 "writing between %wu and %wu bytes into a region "
|
|
2691 "of size between %wu and %wu")
|
|
2692 : G_("%<%.*s%> directive output truncated writing "
|
|
2693 "between %wu and %wu bytes into a region of size "
|
|
2694 "between %wu and %wu"))
|
|
2695 : G_("%<%.*s%> directive writing between %wu and "
|
|
2696 "%wu bytes into a region of size between %wu and "
|
|
2697 "%wu"), (int) dir.len,
|
|
2698 target_to_host (hostdir, sizeof hostdir, dir.beg),
|
|
2699 res.min, res.max, avail_range.min, avail_range.max);
|
|
2700
|
|
2701 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
|
|
2702 info.bounded
|
|
2703 ? (maybe
|
|
2704 ? G_("%<%.*s%> directive output may be truncated writing "
|
|
2705 "%wu or more bytes into a region of size between "
|
|
2706 "%wu and %wu")
|
|
2707 : G_("%<%.*s%> directive output truncated writing "
|
|
2708 "%wu or more bytes into a region of size between "
|
|
2709 "%wu and %wu"))
|
|
2710 : G_("%<%.*s%> directive writing %wu or more bytes "
|
|
2711 "into a region of size between %wu and %wu"),
|
|
2712 (int) dir.len,
|
111
|
2713 target_to_host (hostdir, sizeof hostdir, dir.beg),
|
|
2714 res.min, avail_range.min, avail_range.max);
|
|
2715 }
/* Compute the length of the output resulting from the directive DIR
   in a call described by INFO and update the overall result of the call
   in *RES.  VR_VALUES supplies the value ranges of the directive's
   argument and is passed through unchanged to DIR.FMTFUNC.

   Besides accumulating DIR's byte range into RES->RANGE, this issues
   the per-directive diagnostics (via maybe_warn and the checks below)
   and clears RES->POSUNDER4K / RES->KNOWNRANGE when the directive makes
   the return-value folding unsafe.

   Return true if the directive has been handled and processing of the
   format string may continue.  Return false when processing should
   stop: DIR has no format function, minimum length checking has been
   disabled (RES->RANGE.MIN at or above HOST_WIDE_INT_MAX), the argument
   is a null pointer, or the argument is not a nul-terminated string.  */

static bool
format_directive (const sprintf_dom_walker::call_info &info,
                  format_result *res, const directive &dir,
                  class vr_values *vr_values)
{
  /* Offset of the beginning of the directive from the beginning
     of the format string.  */
  size_t offset = dir.beg - info.fmtstr;
  size_t start = offset;
  /* The last character of the directive; for the empty (terminating
     nul) directive the range collapses onto OFFSET itself.  */
  size_t length = offset + dir.len - !!dir.len;

  /* Create a location for the whole directive from the % to the format
     specifier.  */
  substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
                        offset, start, length);

  /* Also get the location of the argument if possible.
     This doesn't work for integer literals or function calls.  */
  location_t argloc = UNKNOWN_LOCATION;
  if (dir.arg)
    argloc = EXPR_LOCATION (dir.arg);

  /* Bail when there is no function to compute the output length,
     or when minimum length checking has been disabled.  */
  if (!dir.fmtfunc || res->range.min >= HOST_WIDE_INT_MAX)
    return false;

  /* Compute the range of lengths of the formatted output.  */
  fmtresult fmtres = dir.fmtfunc (dir, dir.arg, vr_values);

  /* Record whether the output of all directives is known to be
     bounded by some maximum, implying that their arguments are
     either known exactly or determined to be in a known range
     or, for strings, limited by the upper bounds of the arrays
     they refer to.  */
  res->knownrange &= fmtres.knownrange;

  if (!fmtres.knownrange)
    {
      /* Only when the range is known, check it against the host value
         of INT_MAX + (the number of bytes of the "%.*Lf" directive with
         INT_MAX precision, which is the longest possible output of any
         single directive).  That's the largest valid byte count (though
         not valid call to a printf-like function because it can never
         return such a count).  Otherwise, the range doesn't correspond
         to known values of the argument.  */
      if (fmtres.range.max > target_dir_max ())
        {
          /* Normalize the MAX counter to avoid having to deal with it
             later.  The counter can be less than HOST_WIDE_INT_M1U
             when compiling for an ILP32 target on an LP64 host.  */
          fmtres.range.max = HOST_WIDE_INT_M1U;
          /* Disable exact and maximum length checking after a failure
             to determine the maximum number of characters (for example
             for wide characters or wide character strings) but continue
             tracking the minimum number of characters.  */
          res->range.max = HOST_WIDE_INT_M1U;
        }

      if (fmtres.range.min > target_dir_max ())
        {
          /* Disable exact length checking after a failure to determine
             even the minimum number of characters (it shouldn't happen
             except in an error) but keep tracking the minimum and maximum
             number of characters.  Note that the directive's own range
             is not folded into *RES on this path.  */
          return true;
        }
    }

  /* Buffer for the directive in the host character set (used when
     the source character set is different).  */
  char hostdir[32];

  /* Directive length as the int that the "%.*s" diagnostics expect.  */
  int dirlen = dir.len;

  if (fmtres.nullp)
    {
      fmtwarn (dirloc, argloc, NULL, info.warnopt (),
               "%<%.*s%> directive argument is null",
               dirlen, target_to_host (hostdir, sizeof hostdir, dir.beg));

      /* Don't bother processing the rest of the format string.  Setting
         both bounds to HOST_WIDE_INT_M1U also defeats return value
         folding for the call.  */
      res->warned = true;
      res->range.min = HOST_WIDE_INT_M1U;
      res->range.max = HOST_WIDE_INT_M1U;
      return false;
    }

  /* Compute the number of available bytes in the destination.  There
     must always be at least one byte of space for the terminating
     NUL that's appended after the format string has been processed.  */
  result_range avail_range = bytes_remaining (info.objsize, *res);

  /* Once a warning has been issued for an earlier directive of this
     call, no further overflow/truncation warnings are issued for
     subsequent directives; every fmtwarn call below is gated on
     WARNED for the same reason.  */
  bool warned = res->warned;

  if (!warned)
    warned = maybe_warn (dirloc, argloc, info, avail_range,
                         fmtres.range, dir);

  /* Bump up the total maximum if it isn't too big.  */
  if (res->range.max < HOST_WIDE_INT_MAX
      && fmtres.range.max < HOST_WIDE_INT_MAX)
    res->range.max += fmtres.range.max;

  /* Raise the total unlikely maximum by the larger of the maximum
     and the unlikely maximum.  */
  unsigned HOST_WIDE_INT save = res->range.unlikely;
  if (fmtres.range.max < fmtres.range.unlikely)
    res->range.unlikely += fmtres.range.unlikely;
  else
    res->range.unlikely += fmtres.range.max;

  /* Saturate on unsigned wrap-around.  */
  if (res->range.unlikely < save)
    res->range.unlikely = HOST_WIDE_INT_M1U;

  /* Unlike MAX and UNLIKELY above, MIN and LIKELY are summed without
     an overflow check; each directive's MIN is bounded by the
     target_dir_max () test above.  */
  res->range.min += fmtres.range.min;
  res->range.likely += fmtres.range.likely;

  /* Has the minimum directive output length exceeded the maximum
     of 4095 bytes required to be supported?  */
  bool minunder4k = fmtres.range.min < 4096;
  bool maxunder4k = fmtres.range.max < 4096;
  /* Clear POSUNDER4K in the overall result if the maximum has exceeded
     the 4k (this is necessary to avoid the return value optimization
     that may not be safe in the maximum case).  */
  if (!maxunder4k)
    res->posunder4k = false;
  /* Also clear POSUNDER4K if the directive may fail.  */
  if (fmtres.mayfail)
    res->posunder4k = false;

  if (!warned
      /* Only warn at level 2.  */
      && warn_level > 1
      && (!minunder4k
          || (!maxunder4k && fmtres.range.max < HOST_WIDE_INT_MAX)))
    {
      /* The directive output may be longer than the maximum required
         to be handled by an implementation according to 7.21.6.1, p15
         of C11.  Warn on this only at level 2 but remember this and
         prevent folding the return value when done.  This allows for
         the possibility of the actual libc call failing due to ENOMEM
         (like Glibc does under some conditions).  */

      if (fmtres.range.min == fmtres.range.max)
        warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
                          "%<%.*s%> directive output of %wu bytes exceeds "
                          "minimum required size of 4095", dirlen,
                          target_to_host (hostdir, sizeof hostdir, dir.beg),
                          fmtres.range.min);
      else
        warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
                          minunder4k
                          ? G_("%<%.*s%> directive output between %wu and %wu "
                               "bytes may exceed minimum required size of "
                               "4095")
                          : G_("%<%.*s%> directive output between %wu and %wu "
                               "bytes exceeds minimum required size of 4095"),
                          dirlen,
                          target_to_host (hostdir, sizeof hostdir, dir.beg),
                          fmtres.range.min, fmtres.range.max);
    }

  /* Has the likely and maximum directive output exceeded INT_MAX?
     The terminating nul pseudo-directive (empty DIR.BEG) is excluded.  */
  bool likelyximax = *dir.beg && res->range.likely > target_int_max ();
  /* Don't consider the maximum to be in excess when it's the result
     of a string of unknown length (i.e., whose maximum has been set
     to be greater than or equal to HOST_WIDE_INT_MAX).  */
  bool maxximax = (*dir.beg
                   && res->range.max > target_int_max ()
                   && res->range.max < HOST_WIDE_INT_MAX);

  if (!warned
      /* Warn for the likely output size at level 1.  */
      && (likelyximax
          /* But only warn for the maximum at level 2.  */
          || (warn_level > 1
              && maxximax
              && fmtres.range.max < HOST_WIDE_INT_MAX)))
    {
      /* The directive output causes the total length of output
         to exceed INT_MAX bytes.  */

      if (fmtres.range.min == fmtres.range.max)
        warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
                          "%<%.*s%> directive output of %wu bytes causes "
                          "result to exceed %<INT_MAX%>", dirlen,
                          target_to_host (hostdir, sizeof hostdir, dir.beg),
                          fmtres.range.min);
      else
        warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
                          fmtres.range.min > target_int_max ()
                          ? G_("%<%.*s%> directive output between %wu and "
                               "%wu bytes causes result to exceed "
                               "%<INT_MAX%>")
                          : G_("%<%.*s%> directive output between %wu and "
                               "%wu bytes may cause result to exceed "
                               "%<INT_MAX%>"), dirlen,
                          target_to_host (hostdir, sizeof hostdir, dir.beg),
                          fmtres.range.min, fmtres.range.max);
    }

  if (!warned && fmtres.nonstr)
    {
      /* The argument is known not to be a nul-terminated string
         (e.g., a character array with no terminator); point at its
         declaration when there is one and stop processing the call.  */
      warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
                        "%<%.*s%> directive argument is not a nul-terminated "
                        "string",
                        dirlen,
                        target_to_host (hostdir, sizeof hostdir, dir.beg));
      if (warned && DECL_P (fmtres.nonstr))
        inform (DECL_SOURCE_LOCATION (fmtres.nonstr),
                "referenced argument declared here");
      return false;
    }

  /* Supplementary notes are only emitted alongside a warning.  */
  if (warned && fmtres.range.min < fmtres.range.likely
      && fmtres.range.likely < fmtres.range.max)
    inform_n (info.fmtloc, fmtres.range.likely,
              "assuming directive output of %wu byte",
              "assuming directive output of %wu bytes",
              fmtres.range.likely);

  if (warned && fmtres.argmin)
    {
      if (fmtres.argmin == fmtres.argmax)
        inform (info.fmtloc, "directive argument %qE", fmtres.argmin);
      else if (fmtres.knownrange)
        inform (info.fmtloc, "directive argument in the range [%E, %E]",
                fmtres.argmin, fmtres.argmax);
      else
        inform (info.fmtloc,
                "using the range [%E, %E] for directive argument",
                fmtres.argmin, fmtres.argmax);
    }

  res->warned |= warned;

  if (!dir.beg[0] && res->warned && info.objsize < HOST_WIDE_INT_MAX)
    {
      /* If a warning has been issued for buffer overflow or truncation
         (but not otherwise) help the user figure out how big a buffer
         they need.  This runs only for the terminating nul directive,
         i.e., once per call after all directives have been summed.  */

      location_t callloc = gimple_location (info.callstmt);

      unsigned HOST_WIDE_INT min = res->range.min;
      unsigned HOST_WIDE_INT max = res->range.max;

      if (min == max)
        inform (callloc,
                (min == 1
                 ? G_("%qE output %wu byte into a destination of size %wu")
                 : G_("%qE output %wu bytes into a destination of size %wu")),
                info.func, min, info.objsize);
      else if (max < HOST_WIDE_INT_MAX)
        inform (callloc,
                "%qE output between %wu and %wu bytes into "
                "a destination of size %wu",
                info.func, min, max, info.objsize);
      else if (min < res->range.likely && res->range.likely < max)
        inform (callloc,
                "%qE output %wu or more bytes (assuming %wu) into "
                "a destination of size %wu",
                info.func, min, res->range.likely, info.objsize);
      else
        inform (callloc,
                "%qE output %wu or more bytes into a destination of size %wu",
                info.func, min, info.objsize);
    }

  if (dump_file && *dir.beg)
    {
      /* Dump the directive's own range followed by the accumulated
         range of the call so far, each as (min, likely, max, unlikely).  */
      fprintf (dump_file,
               " Result: "
               HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", "
               HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC " ("
               HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", "
               HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ")\n",
               fmtres.range.min, fmtres.range.likely,
               fmtres.range.max, fmtres.range.unlikely,
               res->range.min, res->range.likely,
               res->range.max, res->range.unlikely);
    }

  return true;
}
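/* Parse a format directive in function call described by INFO starting
   at STR and populate DIR structure.  Bump up *ARGNO by the number of
   arguments extracted for the directive (width/precision asterisks and
   the conversion argument itself).  RES is updated only for a sole
   trailing '%', whose result must not be folded.  VR_VALUES is passed
   through to DIR.SET_WIDTH / DIR.SET_PRECISION for asterisk arguments.

   Return the length of the directive.  A plain-string run up to the
   next '%' is treated as a directive of its own, and so is the
   terminating nul (whose reported length is 0).  Return 0 to stop
   processing the format string: on an out-of-range POSIX positional
   argument, the POSIX apostrophe (numeric grouping) flag, a %p
   directive, or an unknown conversion specifier.  */

static size_t
parse_directive (sprintf_dom_walker::call_info &info,
                 directive &dir, format_result *res,
                 const char *str, unsigned *argno,
                 vr_values *vr_values)
{
  const char *pcnt = strchr (str, target_percent);
  dir.beg = str;

  if (size_t len = pcnt ? pcnt - str : *str ? strlen (str) : 1)
    {
      /* This directive is either a plain string or the terminating nul
         (which isn't really a directive but it simplifies things to
         handle it as if it were).  */
      dir.len = len;
      dir.fmtfunc = format_plain;

      if (dump_file)
        {
          fprintf (dump_file, " Directive %u at offset "
                   HOST_WIDE_INT_PRINT_UNSIGNED ": \"%.*s\", "
                   "length = " HOST_WIDE_INT_PRINT_UNSIGNED "\n",
                   dir.dirno,
                   (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr),
                   (int)dir.len, dir.beg, (unsigned HOST_WIDE_INT) dir.len);
        }

      /* The terminating nul has DIR.LEN of 1 but contributes no
         characters to the format string, hence the adjustment.  */
      return len - !*str;
    }

  /* PF walks the directive, starting just past the '%'.  */
  const char *pf = pcnt + 1;

  /* POSIX numbered argument index or zero when none.  */
  HOST_WIDE_INT dollar = 0;

  /* Width and precision.  -1 when not specified, HOST_WIDE_INT_MIN
     when given by a va_list argument, and a non-negative value
     when specified in the format string itself.  */
  HOST_WIDE_INT width = -1;
  HOST_WIDE_INT precision = -1;

  /* Pointers to the beginning of the width and precision decimal
     string (if any) within the directive.  */
  const char *pwidth = 0;
  const char *pprec = 0;

  /* When the value of the decimal string that specifies width or
     precision is out of range, points to the digit that causes
     the value to exceed the limit.  */
  const char *werange = NULL;
  const char *perange = NULL;

  /* Width specified via the asterisk.  Need not be INTEGER_CST.
     For vararg functions set to void_node.  */
  tree star_width = NULL_TREE;

  /* Precision specified via the asterisk.  Need not be INTEGER_CST.
     For vararg functions set to void_node.  */
  tree star_precision = NULL_TREE;

  if (ISDIGIT (target_to_host (*pf)))
    {
      /* This could be either a POSIX positional argument, the '0'
         flag, or a width, depending on what follows.  Store it as
         width and sort it out later after the next character has
         been seen.  */
      pwidth = pf;
      width = target_strtol10 (&pf, &werange);
    }
  else if (target_to_host (*pf) == '*')
    {
      /* Similarly to the block above, this could be either a POSIX
         positional argument or a width, depending on what follows.  */
      if (*argno < gimple_call_num_args (info.callstmt))
        star_width = gimple_call_arg (info.callstmt, (*argno)++);
      else
        star_width = void_node;
      ++pf;
    }

  if (target_to_host (*pf) == '$')
    {
      /* Handle the POSIX dollar sign which references the 1-based
         positional argument number.  */
      if (width != -1)
        dollar = width + info.argidx;
      else if (star_width
               && TREE_CODE (star_width) == INTEGER_CST
               && (TYPE_PRECISION (TREE_TYPE (star_width))
                   <= TYPE_PRECISION (integer_type_node)))
        dollar = width + tree_to_shwi (star_width);

      /* Bail when the numbered argument is out of range (it will
         have already been diagnosed by -Wformat).  The function
         returns size_t, so the "stop" value is 0, not false.  */
      if (dollar == 0
          || dollar == (int)info.argidx
          || dollar > gimple_call_num_args (info.callstmt))
        return 0;

      /* Convert to the 0-based call argument index.  */
      --dollar;

      /* What looked like a width was the positional index; the real
         flags/width (if any) follow the '$'.  */
      star_width = NULL_TREE;
      width = -1;
      ++pf;
    }

  if (dollar || !star_width)
    {
      if (width != -1)
        {
          if (width == 0)
            {
              /* The '0' that has been interpreted as a width above is
                 actually a flag.  Reset WIDTH, set the '0' flag,
                 and continue processing other flags.  */
              width = -1;
              dir.set_flag ('0');
            }
          else if (!dollar)
            {
              /* (Non-zero) width has been seen.  The next character
                 is either a period or a digit.  */
              goto start_precision;
            }
        }
      /* When either '$' has been seen, or width has not been seen,
         the next field is the optional flags followed by an optional
         width.  */
      for ( ; ; ) {
        switch (target_to_host (*pf))
          {
          case ' ':
          case '0':
          case '+':
          case '-':
          case '#':
            dir.set_flag (target_to_host (*pf++));
            break;

          default:
            goto start_width;
          }
      }

    start_width:
      if (ISDIGIT (target_to_host (*pf)))
        {
          werange = 0;
          pwidth = pf;
          width = target_strtol10 (&pf, &werange);
        }
      else if (target_to_host (*pf) == '*')
        {
          if (*argno < gimple_call_num_args (info.callstmt))
            star_width = gimple_call_arg (info.callstmt, (*argno)++);
          else
            {
              /* This is (likely) a va_list.  It could also be an invalid
                 call with insufficient arguments.  */
              star_width = void_node;
            }
          ++pf;
        }
      else if (target_to_host (*pf) == '\'')
        {
          /* The POSIX apostrophe indicating a numeric grouping
             in the current locale.  Even though it's possible to
             estimate the upper bound on the size of the output
             based on the number of digits it probably isn't worth
             continuing.  */
          return 0;
        }
    }

 start_precision:
  if (target_to_host (*pf) == '.')
    {
      ++pf;

      if (ISDIGIT (target_to_host (*pf)))
        {
          pprec = pf;
          precision = target_strtol10 (&pf, &perange);
        }
      else if (target_to_host (*pf) == '*')
        {
          if (*argno < gimple_call_num_args (info.callstmt))
            star_precision = gimple_call_arg (info.callstmt, (*argno)++);
          else
            {
              /* This is (likely) a va_list.  It could also be an invalid
                 call with insufficient arguments.  */
              star_precision = void_node;
            }
          ++pf;
        }
      else
        {
          /* The decimal precision or the asterisk are optional.
             When neither is specified it's taken to be zero.  */
          precision = 0;
        }
    }

  /* Optional length modifier.  */
  switch (target_to_host (*pf))
    {
    case 'h':
      if (target_to_host (pf[1]) == 'h')
        {
          ++pf;
          dir.modifier = FMT_LEN_hh;
        }
      else
        dir.modifier = FMT_LEN_h;
      ++pf;
      break;

    case 'j':
      dir.modifier = FMT_LEN_j;
      ++pf;
      break;

    case 'L':
      dir.modifier = FMT_LEN_L;
      ++pf;
      break;

    case 'l':
      if (target_to_host (pf[1]) == 'l')
        {
          ++pf;
          dir.modifier = FMT_LEN_ll;
        }
      else
        dir.modifier = FMT_LEN_l;
      ++pf;
      break;

    case 't':
      dir.modifier = FMT_LEN_t;
      ++pf;
      break;

    case 'z':
      dir.modifier = FMT_LEN_z;
      ++pf;
      break;
    }

  /* Conversion specifier: select the function that computes the
     directive's output length.  */
  switch (target_to_host (*pf))
    {
      /* Handle a sole '%' character the same as "%%" but since it's
         undefined prevent the result from being folded.  */
    case '\0':
      --pf;
      res->range.min = res->range.max = HOST_WIDE_INT_M1U;
      /* FALLTHRU */
    case '%':
      dir.fmtfunc = format_percent;
      break;

    case 'a':
    case 'A':
    case 'e':
    case 'E':
    case 'f':
    case 'F':
    case 'g':
    case 'G':
      res->floating = true;
      dir.fmtfunc = format_floating;
      break;

    case 'd':
    case 'i':
    case 'o':
    case 'u':
    case 'x':
    case 'X':
      dir.fmtfunc = format_integer;
      break;

    case 'p':
      /* The %p output is implementation-defined.  It's possible
         to determine this format but due to extensions (especially
         those of the Linux kernel -- see bug 78512) the first %p
         in the format string disables any further processing.  */
      return 0;

    case 'n':
      /* %n has side-effects even when nothing is actually printed to
         any buffer.  */
      info.nowrite = false;
      dir.fmtfunc = format_none;
      break;

    case 'C':
    case 'c':
      /* POSIX wide character and C/POSIX narrow character.  */
      dir.fmtfunc = format_character;
      break;

    case 'S':
    case 's':
      /* POSIX wide string and C/POSIX narrow character string.  */
      dir.fmtfunc = format_string;
      break;

    default:
      /* Unknown conversion specification.  */
      return 0;
    }

  dir.specifier = target_to_host (*pf++);

  /* Store the length of the format directive.  */
  dir.len = pf - pcnt;

  /* Buffer for the directive in the host character set (used when
     the source character set is different).  */
  char hostdir[32];

  if (star_width)
    {
      if (INTEGRAL_TYPE_P (TREE_TYPE (star_width)))
        dir.set_width (star_width, vr_values);
      else
        {
          /* Width specified by a va_list takes on the range [0, -INT_MIN]
             (width is the absolute value of that specified).  */
          dir.width[0] = 0;
          dir.width[1] = target_int_max () + 1;
        }
    }
  else
    {
      /* target_strtol10 saturates at LONG_MAX and sets WERANGE on
         overflow; diagnose the out-of-range width at its digit.  */
      if (width == LONG_MAX && werange)
        {
          size_t begin = dir.beg - info.fmtstr + (pwidth - pcnt);
          size_t caret = begin + (werange - pcnt);
          size_t end = pf - info.fmtstr - 1;

          /* Create a location for the width part of the directive,
             pointing the caret at the first out-of-range digit.  */
          substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
                                caret, begin, end);

          fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
                   "%<%.*s%> directive width out of range", (int) dir.len,
                   target_to_host (hostdir, sizeof hostdir, dir.beg));
        }

      dir.set_width (width);
    }

  if (star_precision)
    {
      if (INTEGRAL_TYPE_P (TREE_TYPE (star_precision)))
        dir.set_precision (star_precision, vr_values);
      else
        {
          /* Precision specified by a va_list takes on the range [-1, INT_MAX]
             (unlike width, negative precision is ignored).  */
          dir.prec[0] = -1;
          dir.prec[1] = target_int_max ();
        }
    }
  else
    {
      if (precision == LONG_MAX && perange)
        {
          /* The -1 adjustments include the leading period in the
             highlighted range.  */
          size_t begin = dir.beg - info.fmtstr + (pprec - pcnt) - 1;
          size_t caret = dir.beg - info.fmtstr + (perange - pcnt) - 1;
          size_t end = pf - info.fmtstr - 2;

          /* Create a location for the precision part of the directive,
             including the leading period, pointing the caret at the first
             out-of-range digit.  */
          substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
                                caret, begin, end);

          fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
                   "%<%.*s%> directive precision out of range", (int) dir.len,
                   target_to_host (hostdir, sizeof hostdir, dir.beg));
        }

      dir.set_precision (precision);
    }

  /* Extract the argument if the directive takes one and if it's
     available (e.g., the function doesn't take a va_list).  Treat
     missing arguments the same as va_list, even though they will
     have likely already been diagnosed by -Wformat.  A positional
     argument (DOLLAR) does not advance *ARGNO.  */
  if (dir.specifier != '%'
      && *argno < gimple_call_num_args (info.callstmt))
    dir.arg = gimple_call_arg (info.callstmt, dollar ? dollar : (*argno)++);

  if (dump_file)
    {
      fprintf (dump_file,
               " Directive %u at offset " HOST_WIDE_INT_PRINT_UNSIGNED
               ": \"%.*s\"",
               dir.dirno,
               (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr),
               (int)dir.len, dir.beg);
      if (star_width)
        {
          if (dir.width[0] == dir.width[1])
            fprintf (dump_file, ", width = " HOST_WIDE_INT_PRINT_DEC,
                     dir.width[0]);
          else
            fprintf (dump_file,
                     ", width in range [" HOST_WIDE_INT_PRINT_DEC
                     ", " HOST_WIDE_INT_PRINT_DEC "]",
                     dir.width[0], dir.width[1]);
        }

      if (star_precision)
        {
          if (dir.prec[0] == dir.prec[1])
            fprintf (dump_file, ", precision = " HOST_WIDE_INT_PRINT_DEC,
                     dir.prec[0]);
          else
            /* Separate the two bounds with ", " like the width dump
               above; without it the range printed as "[12]" for
               bounds 1 and 2.  */
            fprintf (dump_file,
                     ", precision in range [" HOST_WIDE_INT_PRINT_DEC
                     ", " HOST_WIDE_INT_PRINT_DEC "]",
                     dir.prec[0], dir.prec[1]);
        }
      fputc ('\n', dump_file);
    }

  return dir.len;
}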
/* Compute the length of the output resulting from the call to a formatted
   output function described by INFO and store the result of the call in
   *RES.  Issue warnings for detected past the end writes.  Return true
   if the complete format string has been processed and *RES can be relied
   on, false otherwise (e.g., when an unknown or unhandled directive was
   seen that caused the processing to be terminated early).

   The format string is walked one directive at a time: parse_directive
   decodes the directive at the current position (consuming a variadic
   argument when one is visible) and format_directive folds its output
   into *RES, returning false when the directive cannot be handled.  The
   terminating nul is processed as a zero-length directive, which is how
   the walk ends.  */

bool
sprintf_dom_walker::compute_format_length (call_info &info,
					   format_result *res)
{
  if (dump_file)
    {
      location_t callloc = gimple_location (info.callstmt);
      fprintf (dump_file, "%s:%i: ",
	       LOCATION_FILE (callloc), LOCATION_LINE (callloc));
      print_generic_expr (dump_file, info.func, dump_flags);
      fprintf (dump_file,
	       ": objsize = " HOST_WIDE_INT_PRINT_UNSIGNED
	       ", fmtstr = \"%s\"\n",
	       info.objsize, info.fmtstr);
    }

  /* Before any directive is seen the output is exactly empty: a known
     range of [0, 0], no directive producing 4K or more bytes, no
     floating-point conversion, and no diagnostic issued yet.  Each
     directive processed below refines these.  */
  res->range.min = 0;
  res->range.max = 0;
  res->knownrange = true;
  res->posunder4k = true;
  res->floating = false;
  res->warned = false;

  /* Index of the next variadic argument to consume; INFO.ARGIDX is
     the position of the first one (or -1 for the va_list forms).  */
  unsigned argno = info.argidx;

  /* 1-based number of the directive being processed, used in
     diagnostics and dumps.  */
  unsigned dirno = 0;

  const char *pos = info.fmtstr;
  for (;;)
    {
      directive dir = directive ();
      dir.dirno = ++dirno;

      /* Number of bytes of the format string the directive occupies;
	 zero for the terminating nul.  */
      size_t dirlen = parse_directive (info, dir, res, pos, &argno,
				       evrp_range_analyzer.get_vr_values ());

      /* Give up as soon as a directive cannot be handled: *RES is
	 then not to be relied on by the caller.  */
      if (!format_directive (info, res, dir,
			     evrp_range_analyzer.get_vr_values ()))
	return false;

      /* A zero-length directive is the terminating nul; succeed only
	 if it really is the end of the string (anything else would mean
	 the parser failed to advance, which must not be reported as a
	 fully processed format).  */
      if (dirlen == 0)
	return *pos == '\0';

      pos += dirlen;
    }
}
/* Return the size of the object referenced by the expression DEST if
   available, or HOST_WIDE_INT_M1U (all bits set, the unsigned
   equivalent of -1) otherwise.  Callers compare the result against
   byte counts, so the "unknown" value behaves like an unlimited size
   and suppresses overflow diagnostics rather than producing them.  */

static unsigned HOST_WIDE_INT
get_destination_size (tree dest)
{
  /* Initialize object size info before trying to compute it.  */
  init_object_sizes ();

  /* Object size type passed to the __builtin_object_size machinery:
     when optimizing, ask for the closest enclosing subobject (e.g., a
     member array rather than the whole struct), which gives the tightest
     bound; otherwise ask for the whole enclosing object, since the
     subobject query does not succeed without optimization.  */
  const int size_type = optimize > 0 ? 1 : 0;

  unsigned HOST_WIDE_INT size;
  const bool known = compute_builtin_object_size (dest, size_type, &size);
  return known ? size : HOST_WIDE_INT_M1U;
}
/* Return true if the call described by INFO with result RES is safe to
   optimize (i.e., no undefined behavior), and set RETVAL to the range
   of its return values.

   RES holds byte counts that include the terminating nul; RETVAL is
   expressed as the function's return value, which does not, so both
   bounds are decremented below.  RETVAL[0] is the minimum and RETVAL[1]
   the maximum.

   UNDER4K selects the strict check used when the return value itself is
   going to be folded or relied on: a result where some directive may
   have produced 4K or more bytes (RES.POSUNDER4K false) is rejected up
   front.  When UNDER4K is false (the caller does not use the return
   value) that condition is relaxed in the last check below.

   Note that RETVAL is NOT written when the function returns false via
   the first check; callers must not read it in that case.  */

static bool
is_call_safe (const sprintf_dom_walker::call_info &info,
	      const format_result &res, bool under4k,
	      unsigned HOST_WIDE_INT retval[2])
{
  /* Reject, before computing anything, a result that may involve a
     single directive producing 4K or more bytes; the file treats such
     output as undefined (the C standard only guarantees a much smaller
     per-conversion limit).  */
  if (under4k && !res.posunder4k)
    return false;

  /* The minimum return value.  */
  retval[0] = res.range.min;

  /* The maximum return value is in most cases bounded by RES.RANGE.MAX
     but in cases involving multibyte characters could be as large as
     RES.RANGE.UNLIKELY.  */
  retval[1]
    = res.range.unlikely < res.range.max ? res.range.max : res.range.unlikely;

  /* Adjust the number of bytes which includes the terminating nul
     to reflect the return value of the function which does not.
     Because the valid range of the function is [INT_MIN, INT_MAX],
     a valid range before the adjustment below is [0, INT_MAX + 1]
     (the functions only return negative values on error or undefined
     behavior).  Counts above INT_MAX + 1 are deliberately left alone;
     they fail the INT_MAX comparisons below either way.
     NOTE(review): RETVAL is unsigned, so a count of zero would wrap to
     HOST_WIDE_INT_M1U here.  A count that includes the terminating nul
     should never be zero; if it were, the wrapped value still fails every
     check below, so the call would merely be reported as unsafe.  */
  if (retval[0] <= target_int_max () + 1)
    --retval[0];
  if (retval[1] <= target_int_max () + 1)
    --retval[1];

  /* Avoid the return value optimization when the behavior of the call
     is undefined either because any directive may have produced 4K or
     more of output, or the return value exceeds INT_MAX, or because
     the output overflows the destination object (but leave it enabled
     when the function is bounded because then the behavior is well-
     defined).  */

  /* Case 1: the result is exact.  It must fit the destination (unless
     the function is bounded and so cannot overflow it) and be at most
     INT_MAX.  */
  if (retval[0] == retval[1]
      && (info.bounded || retval[0] < info.objsize)
      && retval[0] <= target_int_max ())
    return true;

  /* Case 2: the result is a range.  Its maximum must fit the
     destination (or the function be bounded) and both bounds must be
     strictly below INT_MAX.  */
  if ((info.bounded || retval[1] < info.objsize)
      && (retval[0] < target_int_max ()
	  && retval[1] < target_int_max ()))
    return true;

  /* Case 3: only for callers that do not use the return value.
     NOTE(review): this path checks just the minimum against the
     destination size, so a call whose maximum output may exceed the
     destination is still reported safe; the simplification done by the
     callers (gimple_fold_builtin_s{,n}printf) is relied on to handle
     that -- confirm before extending this path.  */
  if (!under4k && (info.bounded || retval[0] < info.objsize))
    return true;

  return false;
}
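/* Given a suitable result RES of a call to a formatted output function
   described by INFO, substitute the result for the return value of
   the call.  The result is suitable if the number of bytes it represents
   is known and exact.  A result that isn't suitable for substitution may
   have its range set to the range of return values, if that is known.
   Return true if the call is removed and gsi_next should not be performed
   in the caller.

   GSI points at the call on entry.  On return it may instead point at a
   statement inserted after the call (see the LHS case below), which is
   why the caller saves a copy of the iterator before calling this.  */

static bool
try_substitute_return_value (gimple_stmt_iterator *gsi,
			     const sprintf_dom_walker::call_info &info,
			     const format_result &res)
{
  tree lhs = gimple_get_lhs (info.callstmt);

  /* Set to true when the entire call has been removed.  */
  bool removed = false;

  /* The minimum and maximum return value.  Zero-initialized because
     is_call_safe returns without writing the array when it rejects the
     call up front (RES.POSUNDER4K false); the dump code below must not
     read indeterminate values in that case.  */
  unsigned HOST_WIDE_INT retval[2] = { 0, 0 };

  /* Use the strict check (UNDER4K = true): folding the return value
     requires that no directive may have produced 4K or more bytes.  */
  bool safe = is_call_safe (info, res, true, retval);

  if (safe
      && retval[0] == retval[1]
      /* Not prepared to handle possibly throwing calls here; they shouldn't
	 appear in non-artificial testcases, except when the __*_chk routines
	 are badly declared.  */
      && !stmt_ends_bb_p (info.callstmt))
    {
      /* is_call_safe only accepts an exact result that is at most
	 INT_MAX, so it is representable as an int constant.  */
      tree cst = build_int_cst (integer_type_node, retval[0]);

      if (lhs == NULL_TREE
	  && info.nowrite)
	{
	  /* Remove the call to the bounded function with a zero size
	     (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs.  The
	     call writes nothing and its result is unused, so drop its
	     virtual definition along with the statement.  */
	  unlink_stmt_vdef (info.callstmt);
	  gsi_remove (gsi, true);
	  removed = true;
	}
      else if (info.nowrite)
	{
	  /* Replace the call to the bounded function with a zero size
	     (e.g., snprintf(0, 0, "%i", 123) with the constant result
	     of the function.  */
	  if (!update_call_from_tree (gsi, cst))
	    gimplify_and_update_call_from_tree (gsi, cst);
	  gimple *callstmt = gsi_stmt (*gsi);
	  update_stmt (callstmt);
	}
      else if (lhs)
	{
	  /* Replace the left-hand side of the call with the constant
	     result of the formatted function.  The call itself stays
	     (it still writes to the destination); its result is moved
	     into a separate assignment inserted after it, which leaves
	     GSI pointing at the new assignment.  */
	  gimple_call_set_lhs (info.callstmt, NULL_TREE);
	  gimple *g = gimple_build_assign (lhs, cst);
	  gsi_insert_after (gsi, g, GSI_NEW_STMT);
	  update_stmt (info.callstmt);
	}

      if (dump_file)
	{
	  if (removed)
	    fprintf (dump_file, " Removing call statement.");
	  else
	    {
	      fprintf (dump_file, " Substituting ");
	      print_generic_expr (dump_file, cst, dump_flags);
	      fprintf (dump_file, " for %s.\n",
		       info.nowrite ? "statement" : "return value");
	    }
	}
    }
  else if (lhs)
    {
      bool setrange = false;

      if (safe
	  && (info.bounded || retval[1] < info.objsize)
	  && (retval[0] < target_int_max ()
	      && retval[1] < target_int_max ()))
	{
	  /* If the result is in a valid range bounded by the size of
	     the destination set it so that it can be used for subsequent
	     optimizations.  Both bounds are below INT_MAX, so they fit
	     the signed int range attached to the SSA name.  */
	  int prec = TYPE_PRECISION (integer_type_node);

	  wide_int min = wi::shwi (retval[0], prec);
	  wide_int max = wi::shwi (retval[1], prec);
	  set_range_info (lhs, VR_RANGE, min, max);

	  setrange = true;
	}

      if (dump_file)
	{
	  if (!res.posunder4k)
	    /* is_call_safe bailed out before computing RETVAL (its first
	       check), so there is no range to report.  */
	    fprintf (dump_file, " Discarding return value: a directive "
		     "may produce 4K or more bytes.\n");
	  else
	    {
	      const char *inbounds
		= (retval[0] < info.objsize
		   ? (retval[1] < info.objsize
		      ? "in" : "potentially out-of")
		   : "out-of");

	      const char *what = setrange ? "Setting" : "Discarding";
	      if (retval[0] != retval[1])
		fprintf (dump_file,
			 " %s %s-bounds return value range ["
			 HOST_WIDE_INT_PRINT_UNSIGNED ", "
			 HOST_WIDE_INT_PRINT_UNSIGNED "].\n",
			 what, inbounds, retval[0], retval[1]);
	      else
		fprintf (dump_file, " %s %s-bounds return value "
			 HOST_WIDE_INT_PRINT_UNSIGNED ".\n",
			 what, inbounds, retval[0]);
	    }
	}
    }

  if (dump_file)
    fputc ('\n', dump_file);

  return removed;
}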
/* Try to simplify a s{,n}printf call described by INFO with result
   RES by replacing it with a simpler and presumably more efficient
   call (such as strcpy).  Return true if the call was folded.

   Only the plain sprintf and snprintf built-ins are candidates; the
   va_list forms and the __*_chk variants are left alone.  The safety
   check is the strict one only when the call's return value is used,
   since otherwise a directive producing 4K or more bytes does not
   matter to the folded code.  */

static bool
try_simplify_call (gimple_stmt_iterator *gsi,
		   const sprintf_dom_walker::call_info &info,
		   const format_result &res)
{
  /* The computed return value range is not needed here, only the
     verdict.  */
  unsigned HOST_WIDE_INT unused_range[2];
  if (!is_call_safe (info, res, info.retval_used (), unused_range))
    return false;

  if (info.fncode == BUILT_IN_SNPRINTF)
    return gimple_fold_builtin_snprintf (gsi);

  if (info.fncode == BUILT_IN_SPRINTF)
    return gimple_fold_builtin_sprintf (gsi);

  return false;
}
/* Determine if a GIMPLE CALL is to one of the sprintf-like built-in
   functions and if so, handle it.  Return true if the call is removed
   and gsi_next should not be performed in the caller.

   GSI points at the call statement.  The function recognizes the
   s{,n}printf and vs{,n}printf built-ins and their __*_chk variants,
   determines the destination size (from the snprintf bound, from the
   object size argument of the _chk built-ins, or from the object size
   machinery for the plain sprintf forms), diagnoses suspicious bounds
   and null arguments, computes the output length with
   compute_format_length, and finally, when optimizing, tries to fold
   the return value or simplify the call.  */

bool
sprintf_dom_walker::handle_gimple_call (gimple_stmt_iterator *gsi)
{
  call_info info = call_info ();

  info.callstmt = gsi_stmt (*gsi);
  /* Only "normal" built-ins (not target or front end specific ones)
     can be one of the functions handled below.  */
  if (!gimple_call_builtin_p (info.callstmt, BUILT_IN_NORMAL))
    return false;

  info.func = gimple_call_fndecl (info.callstmt);
  info.fncode = DECL_FUNCTION_CODE (info.func);

  /* The size of the destination as in snprintf(dest, size, ...).
     HOST_WIDE_INT_M1U (all bits set) means unknown.  */
  unsigned HOST_WIDE_INT dstsize = HOST_WIDE_INT_M1U;

  /* The size of the destination determined by __builtin_object_size.
     Likewise HOST_WIDE_INT_M1U when unknown.  */
  unsigned HOST_WIDE_INT objsize = HOST_WIDE_INT_M1U;

  /* Buffer size argument number (snprintf and vsnprintf).  */
  unsigned HOST_WIDE_INT idx_dstsize = HOST_WIDE_INT_M1U;

  /* Object size argument number (snprintf_chk and vsnprintf_chk).  */
  unsigned HOST_WIDE_INT idx_objsize = HOST_WIDE_INT_M1U;

  /* Format string argument number (valid for all functions).  */
  unsigned idx_format;

  /* Map each recognized built-in to the positions of its arguments.
     INFO.ARGIDX is the index of the first variadic argument, or -1 for
     the va_list forms whose arguments are not visible to the pass.
     INFO.BOUNDED marks the snprintf family, which cannot overflow the
     destination (only truncate).  */
  switch (info.fncode)
    {
    case BUILT_IN_SPRINTF:
      // Signature:
      //   __builtin_sprintf (dst, format, ...)
      idx_format = 1;
      info.argidx = 2;
      break;

    case BUILT_IN_SPRINTF_CHK:
      // Signature:
      //   __builtin___sprintf_chk (dst, ost, objsize, format, ...)
      idx_objsize = 2;
      idx_format = 3;
      info.argidx = 4;
      break;

    case BUILT_IN_SNPRINTF:
      // Signature:
      //   __builtin_snprintf (dst, size, format, ...)
      idx_dstsize = 1;
      idx_format = 2;
      info.argidx = 3;
      info.bounded = true;
      break;

    case BUILT_IN_SNPRINTF_CHK:
      // Signature:
      //   __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
      idx_dstsize = 1;
      idx_objsize = 3;
      idx_format = 4;
      info.argidx = 5;
      info.bounded = true;
      break;

    case BUILT_IN_VSNPRINTF:
      // Signature:
      //   __builtin_vsnprintf (dst, size, format, va)
      idx_dstsize = 1;
      idx_format = 2;
      info.argidx = -1;
      info.bounded = true;
      break;

    case BUILT_IN_VSNPRINTF_CHK:
      // Signature:
      //   __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
      idx_dstsize = 1;
      idx_objsize = 3;
      idx_format = 4;
      info.argidx = -1;
      info.bounded = true;
      break;

    case BUILT_IN_VSPRINTF:
      // Signature:
      //   __builtin_vsprintf (dst, format, va)
      idx_format = 1;
      info.argidx = -1;
      break;

    case BUILT_IN_VSPRINTF_CHK:
      // Signature:
      //   __builtin___vsprintf_chk (dst, ost, objsize, format, va)
      idx_format = 3;
      idx_objsize = 2;
      info.argidx = -1;
      break;

    default:
      return false;
    }

  /* Set the global warning level for this function: the truncation
     level for the bounded functions, the overflow level otherwise.  */
  warn_level = info.bounded ? warn_format_trunc : warn_format_overflow;

  /* The first argument is a pointer to the destination.  */
  tree dstptr = gimple_call_arg (info.callstmt, 0);

  info.format = gimple_call_arg (info.callstmt, idx_format);

  /* True when the destination size is constant as opposed to the lower
     or upper bound of a range.  */
  bool dstsize_cst_p = true;

  if (idx_dstsize == HOST_WIDE_INT_M1U)
    {
      /* For non-bounded functions like sprintf, determine the size
	 of the destination from the object or pointer passed to it
	 as the first argument.  */
      dstsize = get_destination_size (dstptr);
    }
  else if (tree size = gimple_call_arg (info.callstmt, idx_dstsize))
    {
      /* For bounded functions try to get the size argument.  */

      if (TREE_CODE (size) == INTEGER_CST)
	{
	  dstsize = tree_to_uhwi (size);
	  /* No object can be larger than SIZE_MAX bytes (half the address
	     space) on the target.
	     The functions are defined only for output of at most INT_MAX
	     bytes.  Specifying a bound in excess of that limit effectively
	     defeats the bounds checking (and on some implementations such
	     as Solaris cause the function to fail with EINVAL).  */
	  if (dstsize > target_size_max () / 2)
	    {
	      /* Avoid warning if -Wstringop-overflow is specified since
		 it also warns for the same thing though only for the
		 checking built-ins.  */
	      if ((idx_objsize == HOST_WIDE_INT_M1U
		   || !warn_stringop_overflow))
		warning_at (gimple_location (info.callstmt), info.warnopt (),
			    "specified bound %wu exceeds maximum object size "
			    "%wu",
			    dstsize, target_size_max () / 2);
	    }
	  else if (dstsize > target_int_max ())
	    warning_at (gimple_location (info.callstmt), info.warnopt (),
			"specified bound %wu exceeds %<INT_MAX%>",
			dstsize);
	}
      else if (TREE_CODE (size) == SSA_NAME)
	{
	  /* Try to determine the range of values of the argument
	     and use the greater of the two at level 1 and the smaller
	     of them at level 2.  At level 1 this is the permissive
	     choice: a bound known to be in [0, N] is treated as N, so
	     only output that cannot fit even the largest bound is
	     diagnosed; level 2 assumes the smallest.  When the range
	     is not a constant one DSTSIZE stays unknown.  */
	  value_range *vr = evrp_range_analyzer.get_value_range (size);
	  if (range_int_cst_p (vr))
	    dstsize = (warn_level < 2
		       ? TREE_INT_CST_LOW (vr->max ())
		       : TREE_INT_CST_LOW (vr->min ()));

	  /* The destination size is not constant.  If the function is
	     bounded (e.g., snprintf) a lower bound of zero doesn't
	     necessarily imply it can be eliminated.  */
	  dstsize_cst_p = false;
	}
    }

  /* For the _chk built-ins the object size computed by the caller
     (typically the Glibc wrapper via __builtin_object_size) is passed
     explicitly; use it only when it is a constant that fits.  */
  if (idx_objsize != HOST_WIDE_INT_M1U)
    if (tree size = gimple_call_arg (info.callstmt, idx_objsize))
      if (tree_fits_uhwi_p (size))
	objsize = tree_to_uhwi (size);

  if (info.bounded && !dstsize)
    {
      /* As a special case, when the explicitly specified destination
	 size argument (to a bounded function like snprintf) is zero
	 it is a request to determine the number of bytes on output
	 without actually producing any.  Pretend the size is
	 unlimited in this case.  INFO.NOWRITE is set only when the
	 zero is a constant; a range whose bound happens to be zero
	 may still write at runtime.  */
      info.objsize = HOST_WIDE_INT_MAX;
      info.nowrite = dstsize_cst_p;
    }
  else
    {
      /* For calls to non-bounded functions or to those of bounded
	 functions with a non-zero size, warn if the destination
	 pointer is null.  */
      if (integer_zerop (dstptr))
	{
	  /* This is diagnosed with -Wformat only when the null is a constant
	     pointer.  The warning here diagnoses instances where the pointer
	     is not constant.  */
	  location_t loc = gimple_location (info.callstmt);
	  warning_at (EXPR_LOC_OR_LOC (dstptr, loc),
		      info.warnopt (), "null destination pointer");
	  return false;
	}

      /* Set the object size to the smaller of the two arguments
	 if both have been specified and they're not equal.  When
	 neither is known the result is HOST_WIDE_INT_M1U, which no
	 byte count exceeds, so no overflow is diagnosed.  */
      info.objsize = dstsize < objsize ? dstsize : objsize;

      /* An snprintf bound larger than the object it points to defeats
	 the purpose of the bound (the excess would be out of bounds
	 writes); diagnose it when the bound is itself plausible.  */
      if (info.bounded
	  && dstsize < target_size_max () / 2 && objsize < dstsize
	  /* Avoid warning if -Wstringop-overflow is specified since
	     it also warns for the same thing though only for the
	     checking built-ins.  */
	  && (idx_objsize == HOST_WIDE_INT_M1U
	      || !warn_stringop_overflow))
	{
	  warning_at (gimple_location (info.callstmt), info.warnopt (),
		      "specified bound %wu exceeds the size %wu "
		      "of the destination object", dstsize, objsize);
	}
    }

  if (integer_zerop (info.format))
    {
      /* This is diagnosed with -Wformat only when the null is a constant
	 pointer.  The warning here diagnoses instances where the pointer
	 is not constant.  */
      location_t loc = gimple_location (info.callstmt);
      warning_at (EXPR_LOC_OR_LOC (info.format, loc),
		  info.warnopt (), "null format string");
      return false;
    }

  /* Nothing can be done for a format string that isn't a known
     constant.  */
  info.fmtstr = get_format_string (info.format, &info.fmtloc);
  if (!info.fmtstr)
    return false;

  /* The result is the number of bytes output by the formatted function,
     including the terminating NUL.  */
  format_result res = format_result ();

  bool success = compute_format_length (info, &res);
  /* Mark the statement once a warning has been issued for it,
     presumably so that later passes do not diagnose it again.  */
  if (res.warned)
    gimple_set_no_warning (info.callstmt, true);

  /* When optimizing and the printf return value optimization is enabled,
     attempt to substitute the computed result for the return value of
     the call.  Avoid this optimization when -frounding-math is in effect
     and the format string contains a floating point directive.  Nothing
     is folded unless the whole format string was understood.  */
  bool call_removed = false;
  if (success && optimize > 0)
    {
      /* Save a copy of the iterator pointing at the call.  The iterator
	 may change to point past the call in try_substitute_return_value
	 but the original value is needed in try_simplify_call.  */
      gimple_stmt_iterator gsi_call = *gsi;

      if (flag_printf_return_value
	  && (!flag_rounding_math || !res.floating))
	call_removed = try_substitute_return_value (gsi, info, res);

      if (!call_removed)
	try_simplify_call (&gsi_call, info, res);
    }

  return call_removed;
}
/* Dominator walk callback invoked when entering basic block BB.  Push
   the block on the range analyzer, then visit every statement in order,
   feeding it to the analyzer first so that the ranges it generates are
   visible to the call handler.  Calls are handed to handle_gimple_call,
   which may remove the statement; in that case the iterator already
   points at the following statement and must not be advanced again.
   Always returns NULL (no edge is taken).  */

edge
sprintf_dom_walker::before_dom_children (basic_block bb)
{
  evrp_range_analyzer.enter (bb);

  gimple_stmt_iterator si = gsi_start_bb (bb);
  while (!gsi_end_p (si))
    {
      gimple *stmt = gsi_stmt (si);

      /* Record ranges generated by this statement before handling it.  */
      evrp_range_analyzer.record_ranges_from_stmt (stmt, false);

      /* handle_gimple_call returns true only when it removed the call
	 and left SI on the next statement.  */
      const bool removed = is_gimple_call (stmt) && handle_gimple_call (&si);
      if (!removed)
	gsi_next (&si);
    }

  return NULL;
}
/* Dominator walk callback invoked after all blocks dominated by BB have
   been processed.  Tell the range analyzer that BB is being left,
   presumably undoing what enter (bb) recorded in before_dom_children.  */

void
sprintf_dom_walker::after_dom_children (basic_block bb)
{
  evrp_range_analyzer.leave (bb);
}
/* Execute the pass for function FUN: walk FUN's dominator tree so that
   range information is available at each call, process every statement
   through the sprintf_dom_walker callbacks, and release the object size
   information that get_destination_size initializes on demand.
   Returns 0.  */

unsigned int
pass_sprintf_length::execute (function *fun)
{
  /* The map is used by target_to_host when quoting directives from the
     (target) format string in diagnostics.  */
  init_target_to_host_charmap ();

  /* The dominator walk below requires dominance information.  */
  calculate_dominance_info (CDI_DOMINATORS);

  sprintf_dom_walker walker;
  walker.walk (ENTRY_BLOCK_PTR_FOR_FN (fun));

  /* Clean up object size info.  */
  fini_object_sizes ();
  return 0;
}
4053 } /* Unnamed namespace. */
/* Return a pointer to a pass object newly constructed from the context
   CTXT.  This is the pass manager's entry point for the
   printf-return-value pass; the returned object is heap allocated and
   presumably owned by the pass manager from here on.  */

gimple_opt_pass *
make_pass_sprintf_length (gcc::context *ctxt)
{
  gimple_opt_pass *pass = new pass_sprintf_length (ctxt);
  return pass;
}