projects / gcc.git / blob
? search:


6a39a71900a05d264b7e854e4243cd3b88df89ec
[gcc.git] / gcc / gimple-ssa-sprintf.c
1 /* Copyright (C) 2016-2019 Free Software Foundation, Inc.
2 Contributed by Martin Sebor <msebor@redhat.com>.
3
4 This file is part of GCC.
5
6 GCC is free software; you can redistribute it and/or modify it under
7 the terms of the GNU General Public License as published by the Free
8 Software Foundation; either version 3, or (at your option) any later
9 version.
10
11 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
12 WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with GCC; see the file COPYING3. If not see
18 <http://www.gnu.org/licenses/>. */
19
20 /* This file implements the printf-return-value pass. The pass does
21 two things: 1) it analyzes calls to formatted output functions like
22 sprintf looking for possible buffer overflows and calls to bounded
23 functions like snprintf for early truncation (and under the control
24 of the -Wformat-length option issues warnings), and 2) under the
25 control of the -fprintf-return-value option it folds the return
26 value of safe calls into constants, making it possible to eliminate
27 code that depends on the value of those constants.
28
29 For all functions (bounded or not) the pass uses the size of the
30 destination object. That means that it will diagnose calls to
31 snprintf not on the basis of the size specified by the function's
32 second argument but rathger on the basis of the size the first
33 argument points to (if possible). For bound-checking built-ins
34 like __builtin___snprintf_chk the pass uses the size typically
35 determined by __builtin_object_size and passed to the built-in
36 by the Glibc inline wrapper.
37
38 The pass handles all forms standard sprintf format directives,
39 including character, integer, floating point, pointer, and strings,
40 with the standard C flags, widths, and precisions. For integers
41 and strings it computes the length of output itself. For floating
42 point it uses MPFR to fornmat known constants with up and down
43 rounding and uses the resulting range of output lengths. For
44 strings it uses the length of string literals and the sizes of
45 character arrays that a character pointer may point to as a bound
46 on the longest string. */
47
48 #include "config.h"
49 #include "system.h"
50 #include "coretypes.h"
51 #include "backend.h"
52 #include "tree.h"
53 #include "gimple.h"
54 #include "tree-pass.h"
55 #include "ssa.h"
56 #include "gimple-fold.h"
57 #include "gimple-pretty-print.h"
58 #include "diagnostic-core.h"
59 #include "fold-const.h"
60 #include "gimple-iterator.h"
61 #include "tree-ssa.h"
62 #include "tree-object-size.h"
63 #include "params.h"
64 #include "tree-cfg.h"
65 #include "tree-ssa-propagate.h"
66 #include "calls.h"
67 #include "cfgloop.h"
68 #include "tree-scalar-evolution.h"
69 #include "tree-ssa-loop.h"
70 #include "intl.h"
71 #include "langhooks.h"
72
73 #include "attribs.h"
74 #include "builtins.h"
75 #include "stor-layout.h"
76
77 #include "realmpfr.h"
78 #include "target.h"
79
80 #include "cpplib.h"
81 #include "input.h"
82 #include "toplev.h"
83 #include "substring-locations.h"
84 #include "diagnostic.h"
85 #include "domwalk.h"
86 #include "alloc-pool.h"
87 #include "vr-values.h"
88 #include "tree-ssa-strlen.h"
89
90 /* The likely worst case value of MB_LEN_MAX for the target, large enough
91 for UTF-8. Ideally, this would be obtained by a target hook if it were
92 to be used for optimization but it's good enough as is for warnings. */
93 #define target_mb_len_max() 6
94
95 /* The maximum number of bytes a single non-string directive can result
96 in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for
97 LDBL_MAX_10_EXP of 4932. */
98 #define IEEE_MAX_10_EXP 4932
99 #define target_dir_max() (target_int_max () + IEEE_MAX_10_EXP + 2)
100
101 namespace {
102
103 /* Set to the warning level for the current function which is equal
104 either to warn_format_trunc for bounded functions or to
105 warn_format_overflow otherwise. */
106
107 static int warn_level;
108
109 struct call_info;
110 struct format_result;
111
112 /* The minimum, maximum, likely, and unlikely maximum number of bytes
113 of output either a formatting function or an individual directive
114 can result in. */
115
116 struct result_range
117 {
118 /* The absolute minimum number of bytes. The result of a successful
119 conversion is guaranteed to be no less than this. (An erroneous
120 conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */
121 unsigned HOST_WIDE_INT min;
122 /* The likely maximum result that is used in diagnostics. In most
123 cases MAX is the same as the worst case UNLIKELY result. */
124 unsigned HOST_WIDE_INT max;
125 /* The likely result used to trigger diagnostics. For conversions
126 that result in a range of bytes [MIN, MAX], LIKELY is somewhere
127 in that range. */
128 unsigned HOST_WIDE_INT likely;
129 /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives
130 the worst cases maximum result of a directive. In most cases
131 UNLIKELY == MAX. UNLIKELY is used to control the return value
132 optimization but not in diagnostics. */
133 unsigned HOST_WIDE_INT unlikely;
134 };
135
136 /* The result of a call to a formatted function. */
137
138 struct format_result
139 {
140 /* Range of characters written by the formatted function.
141 Setting the minimum to HOST_WIDE_INT_MAX disables all
142 length tracking for the remainder of the format string. */
143 result_range range;
144
145 /* True when the range above is obtained from known values of
146 directive arguments, or bounds on the amount of output such
147 as width and precision, and not the result of heuristics that
148 depend on warning levels. It's used to issue stricter diagnostics
149 in cases where strings of unknown lengths are bounded by the arrays
150 they are determined to refer to. KNOWNRANGE must not be used for
151 the return value optimization. */
152 bool knownrange;
153
154 /* True if no individual directive could fail or result in more than
155 4095 bytes of output (the total NUMBER_CHARS_{MIN,MAX} might be
156 greater). Implementations are not required to handle directives
157 that produce more than 4K bytes (leading to undefined behavior)
158 and so when one is found it disables the return value optimization.
159 Similarly, directives that can fail (such as wide character
160 directives) disable the optimization. */
161 bool posunder4k;
162
163 /* True when a floating point directive has been seen in the format
164 string. */
165 bool floating;
166
167 /* True when an intermediate result has caused a warning. Used to
168 avoid issuing duplicate warnings while finishing the processing
169 of a call. WARNED also disables the return value optimization. */
170 bool warned;
171
172 /* Preincrement the number of output characters by 1. */
173 format_result& operator++ ()
174 {
175 return *this += 1;
176 }
177
178 /* Postincrement the number of output characters by 1. */
179 format_result operator++ (int)
180 {
181 format_result prev (*this);
182 *this += 1;
183 return prev;
184 }
185
186 /* Increment the number of output characters by N. */
187 format_result& operator+= (unsigned HOST_WIDE_INT);
188 };
189
190 format_result&
191 format_result::operator+= (unsigned HOST_WIDE_INT n)
192 {
193 gcc_assert (n < HOST_WIDE_INT_MAX);
194
195 if (range.min < HOST_WIDE_INT_MAX)
196 range.min += n;
197
198 if (range.max < HOST_WIDE_INT_MAX)
199 range.max += n;
200
201 if (range.likely < HOST_WIDE_INT_MAX)
202 range.likely += n;
203
204 if (range.unlikely < HOST_WIDE_INT_MAX)
205 range.unlikely += n;
206
207 return *this;
208 }
209
210 /* Return the value of INT_MIN for the target. */
211
212 static inline HOST_WIDE_INT
213 target_int_min ()
214 {
215 return tree_to_shwi (TYPE_MIN_VALUE (integer_type_node));
216 }
217
218 /* Return the value of INT_MAX for the target. */
219
220 static inline unsigned HOST_WIDE_INT
221 target_int_max ()
222 {
223 return tree_to_uhwi (TYPE_MAX_VALUE (integer_type_node));
224 }
225
226 /* Return the value of SIZE_MAX for the target. */
227
228 static inline unsigned HOST_WIDE_INT
229 target_size_max ()
230 {
231 return tree_to_uhwi (TYPE_MAX_VALUE (size_type_node));
232 }
233
234 /* A straightforward mapping from the execution character set to the host
235 character set indexed by execution character. */
236
237 static char target_to_host_charmap[256];
238
239 /* Initialize a mapping from the execution character set to the host
240 character set. */
241
242 static bool
243 init_target_to_host_charmap ()
244 {
245 /* If the percent sign is non-zero the mapping has already been
246 initialized. */
247 if (target_to_host_charmap['%'])
248 return true;
249
250 /* Initialize the target_percent character (done elsewhere). */
251 if (!init_target_chars ())
252 return false;
253
254 /* The subset of the source character set used by printf conversion
255 specifications (strictly speaking, not all letters are used but
256 they are included here for the sake of simplicity). The dollar
257 sign must be included even though it's not in the basic source
258 character set. */
259 const char srcset[] = " 0123456789!\"#%&'()*+,-./:;<=>?[\\]^_{|}~$"
260 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
261
262 /* Set the mapping for all characters to some ordinary value (i,e.,
263 not none used in printf conversion specifications) and overwrite
264 those that are used by conversion specifications with their
265 corresponding values. */
266 memset (target_to_host_charmap + 1, '?', sizeof target_to_host_charmap - 1);
267
268 /* Are the two sets of characters the same? */
269 bool all_same_p = true;
270
271 for (const char *pc = srcset; *pc; ++pc)
272 {
273 /* Slice off the high end bits in case target characters are
274 signed. All values are expected to be non-nul, otherwise
275 there's a problem. */
276 if (unsigned char tc = lang_hooks.to_target_charset (*pc))
277 {
278 target_to_host_charmap[tc] = *pc;
279 if (tc != *pc)
280 all_same_p = false;
281 }
282 else
283 return false;
284
285 }
286
287 /* Set the first element to a non-zero value if the mapping
288 is 1-to-1, otherwise leave it clear (NUL is assumed to be
289 the same in both character sets). */
290 target_to_host_charmap[0] = all_same_p;
291
292 return true;
293 }
294
295 /* Return the host source character corresponding to the character
296 CH in the execution character set if one exists, or some innocuous
297 (non-special, non-nul) source character otherwise. */
298
299 static inline unsigned char
300 target_to_host (unsigned char ch)
301 {
302 return target_to_host_charmap[ch];
303 }
304
305 /* Convert an initial substring of the string TARGSTR consisting of
306 characters in the execution character set into a string in the
307 source character set on the host and store up to HOSTSZ characters
308 in the buffer pointed to by HOSTR. Return HOSTR. */
309
310 static const char*
311 target_to_host (char *hostr, size_t hostsz, const char *targstr)
312 {
313 /* Make sure the buffer is reasonably big. */
314 gcc_assert (hostsz > 4);
315
316 /* The interesting subset of source and execution characters are
317 the same so no conversion is necessary. However, truncate
318 overlong strings just like the translated strings are. */
319 if (target_to_host_charmap['\0'] == 1)
320 {
321 size_t len = strlen (targstr);
322 if (len >= hostsz)
323 {
324 memcpy (hostr, targstr, hostsz - 4);
325 strcpy (hostr + hostsz - 4, "...");
326 }
327 else
328 memcpy (hostr, targstr, len + 1);
329 return hostr;
330 }
331
332 /* Convert the initial substring of TARGSTR to the corresponding
333 characters in the host set, appending "..." if TARGSTR is too
334 long to fit. Using the static buffer assumes the function is
335 not called in between sequence points (which it isn't). */
336 for (char *ph = hostr; ; ++targstr)
337 {
338 *ph++ = target_to_host (*targstr);
339 if (!*targstr)
340 break;
341
342 if (size_t (ph - hostr) == hostsz)
343 {
344 strcpy (ph - 4, "...");
345 break;
346 }
347 }
348
349 return hostr;
350 }
351
352 /* Convert the sequence of decimal digits in the execution character
353 starting at *PS to a HOST_WIDE_INT, analogously to strtol. Return
354 the result and set *PS to one past the last converted character.
355 On range error set ERANGE to the digit that caused it. */
356
357 static inline HOST_WIDE_INT
358 target_strtowi (const char **ps, const char **erange)
359 {
360 unsigned HOST_WIDE_INT val = 0;
361 for ( ; ; ++*ps)
362 {
363 unsigned char c = target_to_host (**ps);
364 if (ISDIGIT (c))
365 {
366 c -= '0';
367
368 /* Check for overflow. */
369 if (val > ((unsigned HOST_WIDE_INT) HOST_WIDE_INT_MAX - c) / 10LU)
370 {
371 val = HOST_WIDE_INT_MAX;
372 *erange = *ps;
373
374 /* Skip the remaining digits. */
375 do
376 c = target_to_host (*++*ps);
377 while (ISDIGIT (c));
378 break;
379 }
380 else
381 val = val * 10 + c;
382 }
383 else
384 break;
385 }
386
387 return val;
388 }
389
390 /* Given FORMAT, set *PLOC to the source location of the format string
391 and return the format string if it is known or null otherwise. */
392
393 static const char*
394 get_format_string (tree format, location_t *ploc)
395 {
396 *ploc = EXPR_LOC_OR_LOC (format, input_location);
397
398 return c_getstr (format);
399 }
400
401 /* For convenience and brevity, shorter named entrypoints of
402 format_string_diagnostic_t::emit_warning_va and
403 format_string_diagnostic_t::emit_warning_n_va.
404 These have to be functions with the attribute so that exgettext
405 works properly. */
406
407 static bool
408 ATTRIBUTE_GCC_DIAG (5, 6)
409 fmtwarn (const substring_loc &fmt_loc, location_t param_loc,
410 const char *corrected_substring, int opt, const char *gmsgid, ...)
411 {
412 format_string_diagnostic_t diag (fmt_loc, NULL, param_loc, NULL,
413 corrected_substring);
414 va_list ap;
415 va_start (ap, gmsgid);
416 bool warned = diag.emit_warning_va (opt, gmsgid, &ap);
417 va_end (ap);
418
419 return warned;
420 }
421
422 static bool
423 ATTRIBUTE_GCC_DIAG (6, 8) ATTRIBUTE_GCC_DIAG (7, 8)
424 fmtwarn_n (const substring_loc &fmt_loc, location_t param_loc,
425 const char *corrected_substring, int opt, unsigned HOST_WIDE_INT n,
426 const char *singular_gmsgid, const char *plural_gmsgid, ...)
427 {
428 format_string_diagnostic_t diag (fmt_loc, NULL, param_loc, NULL,
429 corrected_substring);
430 va_list ap;
431 va_start (ap, plural_gmsgid);
432 bool warned = diag.emit_warning_n_va (opt, n, singular_gmsgid, plural_gmsgid,
433 &ap);
434 va_end (ap);
435
436 return warned;
437 }
438
439 /* Format length modifiers. */
440
441 enum format_lengths
442 {
443 FMT_LEN_none,
444 FMT_LEN_hh, // char argument
445 FMT_LEN_h, // short
446 FMT_LEN_l, // long
447 FMT_LEN_ll, // long long
448 FMT_LEN_L, // long double (and GNU long long)
449 FMT_LEN_z, // size_t
450 FMT_LEN_t, // ptrdiff_t
451 FMT_LEN_j // intmax_t
452 };
453
454
455 /* Description of the result of conversion either of a single directive
456 or the whole format string. */
457
458 class fmtresult
459 {
460 public:
461 /* Construct a FMTRESULT object with all counters initialized
462 to MIN. KNOWNRANGE is set when MIN is valid. */
463 fmtresult (unsigned HOST_WIDE_INT min = HOST_WIDE_INT_MAX)
464 : argmin (), argmax (), nonstr (),
465 knownrange (min < HOST_WIDE_INT_MAX),
466 mayfail (), nullp ()
467 {
468 range.min = min;
469 range.max = min;
470 range.likely = min;
471 range.unlikely = min;
472 }
473
474 /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters.
475 KNOWNRANGE is set when both MIN and MAX are valid. */
476 fmtresult (unsigned HOST_WIDE_INT min, unsigned HOST_WIDE_INT max,
477 unsigned HOST_WIDE_INT likely = HOST_WIDE_INT_MAX)
478 : argmin (), argmax (), nonstr (),
479 knownrange (min < HOST_WIDE_INT_MAX && max < HOST_WIDE_INT_MAX),
480 mayfail (), nullp ()
481 {
482 range.min = min;
483 range.max = max;
484 range.likely = max < likely ? min : likely;
485 range.unlikely = max;
486 }
487
488 /* Adjust result upward to reflect the RANGE of values the specified
489 width or precision is known to be in. */
490 fmtresult& adjust_for_width_or_precision (const HOST_WIDE_INT[2],
491 tree = NULL_TREE,
492 unsigned = 0, unsigned = 0);
493
494 /* Return the maximum number of decimal digits a value of TYPE
495 formats as on output. */
496 static unsigned type_max_digits (tree, int);
497
498 /* The range a directive's argument is in. */
499 tree argmin, argmax;
500
501 /* The minimum and maximum number of bytes that a directive
502 results in on output for an argument in the range above. */
503 result_range range;
504
505 /* Non-nul when the argument of a string directive is not a nul
506 terminated string. */
507 tree nonstr;
508
509 /* True when the range above is obtained from a known value of
510 a directive's argument or its bounds and not the result of
511 heuristics that depend on warning levels. */
512 bool knownrange;
513
514 /* True for a directive that may fail (such as wide character
515 directives). */
516 bool mayfail;
517
518 /* True when the argument is a null pointer. */
519 bool nullp;
520 };
521
522 /* Adjust result upward to reflect the range ADJUST of values the
523 specified width or precision is known to be in. When non-null,
524 TYPE denotes the type of the directive whose result is being
525 adjusted, BASE gives the base of the directive (octal, decimal,
526 or hex), and ADJ denotes the additional adjustment to the LIKELY
527 counter that may need to be added when ADJUST is a range. */
528
529 fmtresult&
530 fmtresult::adjust_for_width_or_precision (const HOST_WIDE_INT adjust[2],
531 tree type /* = NULL_TREE */,
532 unsigned base /* = 0 */,
533 unsigned adj /* = 0 */)
534 {
535 bool minadjusted = false;
536
537 /* Adjust the minimum and likely counters. */
538 if (adjust[0] >= 0)
539 {
540 if (range.min < (unsigned HOST_WIDE_INT)adjust[0])
541 {
542 range.min = adjust[0];
543 minadjusted = true;
544 }
545
546 /* Adjust the likely counter. */
547 if (range.likely < range.min)
548 range.likely = range.min;
549 }
550 else if (adjust[0] == target_int_min ()
551 && (unsigned HOST_WIDE_INT)adjust[1] == target_int_max ())
552 knownrange = false;
553
554 /* Adjust the maximum counter. */
555 if (adjust[1] > 0)
556 {
557 if (range.max < (unsigned HOST_WIDE_INT)adjust[1])
558 {
559 range.max = adjust[1];
560
561 /* Set KNOWNRANGE if both the minimum and maximum have been
562 adjusted. Otherwise leave it at what it was before. */
563 knownrange = minadjusted;
564 }
565 }
566
567 if (warn_level > 1 && type)
568 {
569 /* For large non-constant width or precision whose range spans
570 the maximum number of digits produced by the directive for
571 any argument, set the likely number of bytes to be at most
572 the number digits plus other adjustment determined by the
573 caller (one for sign or two for the hexadecimal "0x"
574 prefix). */
575 unsigned dirdigs = type_max_digits (type, base);
576 if (adjust[0] < dirdigs && dirdigs < adjust[1]
577 && range.likely < dirdigs)
578 range.likely = dirdigs + adj;
579 }
580 else if (range.likely < (range.min ? range.min : 1))
581 {
582 /* Conservatively, set LIKELY to at least MIN but no less than
583 1 unless MAX is zero. */
584 range.likely = (range.min
585 ? range.min
586 : range.max && (range.max < HOST_WIDE_INT_MAX
587 || warn_level > 1) ? 1 : 0);
588 }
589
590 /* Finally adjust the unlikely counter to be at least as large as
591 the maximum. */
592 if (range.unlikely < range.max)
593 range.unlikely = range.max;
594
595 return *this;
596 }
597
598 /* Return the maximum number of digits a value of TYPE formats in
599 BASE on output, not counting base prefix . */
600
601 unsigned
602 fmtresult::type_max_digits (tree type, int base)
603 {
604 unsigned prec = TYPE_PRECISION (type);
605 switch (base)
606 {
607 case 8:
608 return (prec + 2) / 3;
609 case 10:
610 /* Decimal approximation: yields 3, 5, 10, and 20 for precision
611 of 8, 16, 32, and 64 bits. */
612 return prec * 301 / 1000 + 1;
613 case 16:
614 return prec / 4;
615 }
616
617 gcc_unreachable ();
618 }
619
620 static bool
621 get_int_range (tree, HOST_WIDE_INT *, HOST_WIDE_INT *, bool, HOST_WIDE_INT,
622 const vr_values *);
623
624 /* Description of a format directive. A directive is either a plain
625 string or a conversion specification that starts with '%'. */
626
627 struct directive
628 {
629 /* The 1-based directive number (for debugging). */
630 unsigned dirno;
631
632 /* The first character of the directive and its length. */
633 const char *beg;
634 size_t len;
635
636 /* A bitmap of flags, one for each character. */
637 unsigned flags[256 / sizeof (int)];
638
639 /* The range of values of the specified width, or -1 if not specified. */
640 HOST_WIDE_INT width[2];
641 /* The range of values of the specified precision, or -1 if not
642 specified. */
643 HOST_WIDE_INT prec[2];
644
645 /* Length modifier. */
646 format_lengths modifier;
647
648 /* Format specifier character. */
649 char specifier;
650
651 /* The argument of the directive or null when the directive doesn't
652 take one or when none is available (such as for vararg functions). */
653 tree arg;
654
655 /* Format conversion function that given a directive and an argument
656 returns the formatting result. */
657 fmtresult (*fmtfunc) (const directive &, tree, const vr_values *);
658
659 /* Return True when a the format flag CHR has been used. */
660 bool get_flag (char chr) const
661 {
662 unsigned char c = chr & 0xff;
663 return (flags[c / (CHAR_BIT * sizeof *flags)]
664 & (1U << (c % (CHAR_BIT * sizeof *flags))));
665 }
666
667 /* Make a record of the format flag CHR having been used. */
668 void set_flag (char chr)
669 {
670 unsigned char c = chr & 0xff;
671 flags[c / (CHAR_BIT * sizeof *flags)]
672 |= (1U << (c % (CHAR_BIT * sizeof *flags)));
673 }
674
675 /* Reset the format flag CHR. */
676 void clear_flag (char chr)
677 {
678 unsigned char c = chr & 0xff;
679 flags[c / (CHAR_BIT * sizeof *flags)]
680 &= ~(1U << (c % (CHAR_BIT * sizeof *flags)));
681 }
682
683 /* Set both bounds of the width range to VAL. */
684 void set_width (HOST_WIDE_INT val)
685 {
686 width[0] = width[1] = val;
687 }
688
689 /* Set the width range according to ARG, with both bounds being
690 no less than 0. For a constant ARG set both bounds to its value
691 or 0, whichever is greater. For a non-constant ARG in some range
692 set width to its range adjusting each bound to -1 if it's less.
693 For an indeterminate ARG set width to [0, INT_MAX]. */
694 void set_width (tree arg, const vr_values *vr)
695 {
696 get_int_range (arg, width, width + 1, true, 0, vr);
697 }
698
699 /* Set both bounds of the precision range to VAL. */
700 void set_precision (HOST_WIDE_INT val)
701 {
702 prec[0] = prec[1] = val;
703 }
704
705 /* Set the precision range according to ARG, with both bounds being
706 no less than -1. For a constant ARG set both bounds to its value
707 or -1 whichever is greater. For a non-constant ARG in some range
708 set precision to its range adjusting each bound to -1 if it's less.
709 For an indeterminate ARG set precision to [-1, INT_MAX]. */
710 void set_precision (tree arg, const vr_values *vr)
711 {
712 get_int_range (arg, prec, prec + 1, false, -1, vr);
713 }
714
715 /* Return true if both width and precision are known to be
716 either constant or in some range, false otherwise. */
717 bool known_width_and_precision () const
718 {
719 return ((width[1] < 0
720 || (unsigned HOST_WIDE_INT)width[1] <= target_int_max ())
721 && (prec[1] < 0
722 || (unsigned HOST_WIDE_INT)prec[1] < target_int_max ()));
723 }
724 };
725
726 /* Return the logarithm of X in BASE. */
727
728 static int
729 ilog (unsigned HOST_WIDE_INT x, int base)
730 {
731 int res = 0;
732 do
733 {
734 ++res;
735 x /= base;
736 } while (x);
737 return res;
738 }
739
740 /* Return the number of bytes resulting from converting into a string
741 the INTEGER_CST tree node X in BASE with a minimum of PREC digits.
742 PLUS indicates whether 1 for a plus sign should be added for positive
743 numbers, and PREFIX whether the length of an octal ('O') or hexadecimal
744 ('0x') prefix should be added for nonzero numbers. Return -1 if X cannot
745 be represented. */
746
747 static HOST_WIDE_INT
748 tree_digits (tree x, int base, HOST_WIDE_INT prec, bool plus, bool prefix)
749 {
750 unsigned HOST_WIDE_INT absval;
751
752 HOST_WIDE_INT res;
753
754 if (TYPE_UNSIGNED (TREE_TYPE (x)))
755 {
756 if (tree_fits_uhwi_p (x))
757 {
758 absval = tree_to_uhwi (x);
759 res = plus;
760 }
761 else
762 return -1;
763 }
764 else
765 {
766 if (tree_fits_shwi_p (x))
767 {
768 HOST_WIDE_INT i = tree_to_shwi (x);
769 if (HOST_WIDE_INT_MIN == i)
770 {
771 /* Avoid undefined behavior due to negating a minimum. */
772 absval = HOST_WIDE_INT_MAX;
773 res = 1;
774 }
775 else if (i < 0)
776 {
777 absval = -i;
778 res = 1;
779 }
780 else
781 {
782 absval = i;
783 res = plus;
784 }
785 }
786 else
787 return -1;
788 }
789
790 int ndigs = ilog (absval, base);
791
792 res += prec < ndigs ? ndigs : prec;
793
794 /* Adjust a non-zero value for the base prefix, either hexadecimal,
795 or, unless precision has resulted in a leading zero, also octal. */
796 if (prefix && absval && (base == 16 || prec <= ndigs))
797 {
798 if (base == 8)
799 res += 1;
800 else if (base == 16)
801 res += 2;
802 }
803
804 return res;
805 }
806
807 /* Given the formatting result described by RES and NAVAIL, the number
808 of available in the destination, return the range of bytes remaining
809 in the destination. */
810
811 static inline result_range
812 bytes_remaining (unsigned HOST_WIDE_INT navail, const format_result &res)
813 {
814 result_range range;
815
816 if (HOST_WIDE_INT_MAX <= navail)
817 {
818 range.min = range.max = range.likely = range.unlikely = navail;
819 return range;
820 }
821
822 /* The lower bound of the available range is the available size
823 minus the maximum output size, and the upper bound is the size
824 minus the minimum. */
825 range.max = res.range.min < navail ? navail - res.range.min : 0;
826
827 range.likely = res.range.likely < navail ? navail - res.range.likely : 0;
828
829 if (res.range.max < HOST_WIDE_INT_MAX)
830 range.min = res.range.max < navail ? navail - res.range.max : 0;
831 else
832 range.min = range.likely;
833
834 range.unlikely = (res.range.unlikely < navail
835 ? navail - res.range.unlikely : 0);
836
837 return range;
838 }
839
840 /* Description of a call to a formatted function. */
841
842 struct call_info
843 {
844 /* Function call statement. */
845 gimple *callstmt;
846
847 /* Function called. */
848 tree func;
849
850 /* Called built-in function code. */
851 built_in_function fncode;
852
853 /* Format argument and format string extracted from it. */
854 tree format;
855 const char *fmtstr;
856
857 /* The location of the format argument. */
858 location_t fmtloc;
859
860 /* The destination object size for __builtin___xxx_chk functions
861 typically determined by __builtin_object_size, or -1 if unknown. */
862 unsigned HOST_WIDE_INT objsize;
863
864 /* Number of the first variable argument. */
865 unsigned HOST_WIDE_INT argidx;
866
867 /* True for functions like snprintf that specify the size of
868 the destination, false for others like sprintf that don't. */
869 bool bounded;
870
871 /* True for bounded functions like snprintf that specify a zero-size
872 buffer as a request to compute the size of output without actually
873 writing any. NOWRITE is cleared in response to the %n directive
874 which has side-effects similar to writing output. */
875 bool nowrite;
876
877 /* Return true if the called function's return value is used. */
878 bool retval_used () const
879 {
880 return gimple_get_lhs (callstmt);
881 }
882
883 /* Return the warning option corresponding to the called function. */
884 int warnopt () const
885 {
886 return bounded ? OPT_Wformat_truncation_ : OPT_Wformat_overflow_;
887 }
888
889 /* Return true for calls to file formatted functions. */
890 bool is_file_func () const
891 {
892 return (fncode == BUILT_IN_FPRINTF
893 || fncode == BUILT_IN_FPRINTF_CHK
894 || fncode == BUILT_IN_FPRINTF_UNLOCKED
895 || fncode == BUILT_IN_VFPRINTF
896 || fncode == BUILT_IN_VFPRINTF_CHK);
897 }
898
899 /* Return true for calls to string formatted functions. */
900 bool is_string_func () const
901 {
902 return (fncode == BUILT_IN_SPRINTF
903 || fncode == BUILT_IN_SPRINTF_CHK
904 || fncode == BUILT_IN_SNPRINTF
905 || fncode == BUILT_IN_SNPRINTF_CHK
906 || fncode == BUILT_IN_VSPRINTF
907 || fncode == BUILT_IN_VSPRINTF_CHK
908 || fncode == BUILT_IN_VSNPRINTF
909 || fncode == BUILT_IN_VSNPRINTF_CHK);
910 }
911 };
912
913 /* Return the result of formatting a no-op directive (such as '%n'). */
914
915 static fmtresult
916 format_none (const directive &, tree, const vr_values *)
917 {
918 fmtresult res (0);
919 return res;
920 }
921
922 /* Return the result of formatting the '%%' directive. */
923
924 static fmtresult
925 format_percent (const directive &, tree, const vr_values *)
926 {
927 fmtresult res (1);
928 return res;
929 }
930
931
932 /* Compute intmax_type_node and uintmax_type_node similarly to how
933 tree.c builds size_type_node. */
934
935 static void
936 build_intmax_type_nodes (tree *pintmax, tree *puintmax)
937 {
938 if (strcmp (UINTMAX_TYPE, "unsigned int") == 0)
939 {
940 *pintmax = integer_type_node;
941 *puintmax = unsigned_type_node;
942 }
943 else if (strcmp (UINTMAX_TYPE, "long unsigned int") == 0)
944 {
945 *pintmax = long_integer_type_node;
946 *puintmax = long_unsigned_type_node;
947 }
948 else if (strcmp (UINTMAX_TYPE, "long long unsigned int") == 0)
949 {
950 *pintmax = long_long_integer_type_node;
951 *puintmax = long_long_unsigned_type_node;
952 }
953 else
954 {
955 for (int i = 0; i < NUM_INT_N_ENTS; i++)
956 if (int_n_enabled_p[i])
957 {
958 char name[50], altname[50];
959 sprintf (name, "__int%d unsigned", int_n_data[i].bitsize);
960 sprintf (altname, "__int%d__ unsigned", int_n_data[i].bitsize);
961
962 if (strcmp (name, UINTMAX_TYPE) == 0
963 || strcmp (altname, UINTMAX_TYPE) == 0)
964 {
965 *pintmax = int_n_trees[i].signed_type;
966 *puintmax = int_n_trees[i].unsigned_type;
967 return;
968 }
969 }
970 gcc_unreachable ();
971 }
972 }
973
974 /* Determine the range [*PMIN, *PMAX] that the expression ARG is
975 in and that is representable in type int.
976 Return true when the range is a subrange of that of int.
977 When ARG is null it is as if it had the full range of int.
978 When ABSOLUTE is true the range reflects the absolute value of
979 the argument. When ABSOLUTE is false, negative bounds of
980 the determined range are replaced with NEGBOUND. */
981
982 static bool
983 get_int_range (tree arg, HOST_WIDE_INT *pmin, HOST_WIDE_INT *pmax,
984 bool absolute, HOST_WIDE_INT negbound,
985 const class vr_values *vr_values)
986 {
987 /* The type of the result. */
988 const_tree type = integer_type_node;
989
990 bool knownrange = false;
991
992 if (!arg)
993 {
994 *pmin = tree_to_shwi (TYPE_MIN_VALUE (type));
995 *pmax = tree_to_shwi (TYPE_MAX_VALUE (type));
996 }
997 else if (TREE_CODE (arg) == INTEGER_CST
998 && TYPE_PRECISION (TREE_TYPE (arg)) <= TYPE_PRECISION (type))
999 {
1000 /* For a constant argument return its value adjusted as specified
1001 by NEGATIVE and NEGBOUND and return true to indicate that the
1002 result is known. */
1003 *pmin = tree_fits_shwi_p (arg) ? tree_to_shwi (arg) : tree_to_uhwi (arg);
1004 *pmax = *pmin;
1005 knownrange = true;
1006 }
1007 else
1008 {
1009 /* True if the argument's range cannot be determined. */
1010 bool unknown = true;
1011
1012 tree argtype = TREE_TYPE (arg);
1013
1014 /* Ignore invalid arguments with greater precision that that
1015 of the expected type (e.g., in sprintf("%*i", 12LL, i)).
1016 They will have been detected and diagnosed by -Wformat and
1017 so it's not important to complicate this code to try to deal
1018 with them again. */
1019 if (TREE_CODE (arg) == SSA_NAME
1020 && INTEGRAL_TYPE_P (argtype)
1021 && TYPE_PRECISION (argtype) <= TYPE_PRECISION (type))
1022 {
1023 /* Try to determine the range of values of the integer argument. */
1024 const value_range *vr
1025 = CONST_CAST (class vr_values *, vr_values)->get_value_range (arg);
1026
1027 if (range_int_cst_p (vr))
1028 {
1029 HOST_WIDE_INT type_min
1030 = (TYPE_UNSIGNED (argtype)
1031 ? tree_to_uhwi (TYPE_MIN_VALUE (argtype))
1032 : tree_to_shwi (TYPE_MIN_VALUE (argtype)));
1033
1034 HOST_WIDE_INT type_max = tree_to_uhwi (TYPE_MAX_VALUE (argtype));
1035
1036 *pmin = TREE_INT_CST_LOW (vr->min ());
1037 *pmax = TREE_INT_CST_LOW (vr->max ());
1038
1039 if (*pmin < *pmax)
1040 {
1041 /* Return true if the adjusted range is a subrange of
1042 the full range of the argument's type. *PMAX may
1043 be less than *PMIN when the argument is unsigned
1044 and its upper bound is in excess of TYPE_MAX. In
1045 that (invalid) case disregard the range and use that
1046 of the expected type instead. */
1047 knownrange = type_min < *pmin || *pmax < type_max;
1048
1049 unknown = false;
1050 }
1051 }
1052 }
1053
1054 /* Handle an argument with an unknown range as if none had been
1055 provided. */
1056 if (unknown)
1057 return get_int_range (NULL_TREE, pmin, pmax, absolute,
1058 negbound, vr_values);
1059 }
1060
1061 /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */
1062 if (absolute)
1063 {
1064 if (*pmin < 0)
1065 {
1066 if (*pmin == *pmax)
1067 *pmin = *pmax = -*pmin;
1068 else
1069 {
1070 /* Make sure signed overlow is avoided. */
1071 gcc_assert (*pmin != HOST_WIDE_INT_MIN);
1072
1073 HOST_WIDE_INT tmp = -*pmin;
1074 *pmin = 0;
1075 if (*pmax < tmp)
1076 *pmax = tmp;
1077 }
1078 }
1079 }
1080 else if (*pmin < negbound)
1081 *pmin = negbound;
1082
1083 return knownrange;
1084 }
1085
1086 /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual
1087 argument, due to the conversion from either *ARGMIN or *ARGMAX to
1088 the type of the directive's formal argument it's possible for both
1089 to result in the same number of bytes or a range of bytes that's
1090 less than the number of bytes that would result from formatting
1091 some other value in the range [*ARGMIN, *ARGMAX]. This can be
1092 determined by checking for the actual argument being in the range
1093 of the type of the directive. If it isn't it must be assumed to
1094 take on the full range of the directive's type.
1095 Return true when the range has been adjusted to the full range
1096 of DIRTYPE, and false otherwise. */
1097
1098 static bool
1099 adjust_range_for_overflow (tree dirtype, tree *argmin, tree *argmax)
1100 {
1101 tree argtype = TREE_TYPE (*argmin);
1102 unsigned argprec = TYPE_PRECISION (argtype);
1103 unsigned dirprec = TYPE_PRECISION (dirtype);
1104
1105 /* If the actual argument and the directive's argument have the same
1106 precision and sign there can be no overflow and so there is nothing
1107 to adjust. */
1108 if (argprec == dirprec && TYPE_SIGN (argtype) == TYPE_SIGN (dirtype))
1109 return false;
1110
1111 /* The logic below was inspired/lifted from the CONVERT_EXPR_CODE_P
1112 branch in the extract_range_from_unary_expr function in tree-vrp.c. */
1113
1114 if (TREE_CODE (*argmin) == INTEGER_CST
1115 && TREE_CODE (*argmax) == INTEGER_CST
1116 && (dirprec >= argprec
1117 || integer_zerop (int_const_binop (RSHIFT_EXPR,
1118 int_const_binop (MINUS_EXPR,
1119 *argmax,
1120 *argmin),
1121 size_int (dirprec)))))
1122 {
1123 *argmin = force_fit_type (dirtype, wi::to_widest (*argmin), 0, false);
1124 *argmax = force_fit_type (dirtype, wi::to_widest (*argmax), 0, false);
1125
1126 /* If *ARGMIN is still less than *ARGMAX the conversion above
1127 is safe. Otherwise, it has overflowed and would be unsafe. */
1128 if (tree_int_cst_le (*argmin, *argmax))
1129 return false;
1130 }
1131
1132 *argmin = TYPE_MIN_VALUE (dirtype);
1133 *argmax = TYPE_MAX_VALUE (dirtype);
1134 return true;
1135 }
1136
1137 /* Return a range representing the minimum and maximum number of bytes
1138 that the format directive DIR will output for any argument given
1139 the WIDTH and PRECISION (extracted from DIR). This function is
1140 used when the directive argument or its value isn't known. */
1141
1142 static fmtresult
1143 format_integer (const directive &dir, tree arg, const vr_values *vr_values)
1144 {
1145 tree intmax_type_node;
1146 tree uintmax_type_node;
1147
1148 /* Base to format the number in. */
1149 int base;
1150
1151 /* True when a conversion is preceded by a prefix indicating the base
1152 of the argument (octal or hexadecimal). */
1153 bool maybebase = dir.get_flag ('#');
1154
1155 /* True when a signed conversion is preceded by a sign or space. */
1156 bool maybesign = false;
1157
1158 /* True for signed conversions (i.e., 'd' and 'i'). */
1159 bool sign = false;
1160
1161 switch (dir.specifier)
1162 {
1163 case 'd':
1164 case 'i':
1165 /* Space and '+' are only meaningful for signed conversions. */
1166 maybesign = dir.get_flag (' ') | dir.get_flag ('+');
1167 sign = true;
1168 base = 10;
1169 break;
1170 case 'u':
1171 base = 10;
1172 break;
1173 case 'o':
1174 base = 8;
1175 break;
1176 case 'X':
1177 case 'x':
1178 base = 16;
1179 break;
1180 default:
1181 gcc_unreachable ();
1182 }
1183
1184 /* The type of the "formal" argument expected by the directive. */
1185 tree dirtype = NULL_TREE;
1186
1187 /* Determine the expected type of the argument from the length
1188 modifier. */
1189 switch (dir.modifier)
1190 {
1191 case FMT_LEN_none:
1192 if (dir.specifier == 'p')
1193 dirtype = ptr_type_node;
1194 else
1195 dirtype = sign ? integer_type_node : unsigned_type_node;
1196 break;
1197
1198 case FMT_LEN_h:
1199 dirtype = sign ? short_integer_type_node : short_unsigned_type_node;
1200 break;
1201
1202 case FMT_LEN_hh:
1203 dirtype = sign ? signed_char_type_node : unsigned_char_type_node;
1204 break;
1205
1206 case FMT_LEN_l:
1207 dirtype = sign ? long_integer_type_node : long_unsigned_type_node;
1208 break;
1209
1210 case FMT_LEN_L:
1211 case FMT_LEN_ll:
1212 dirtype = (sign
1213 ? long_long_integer_type_node
1214 : long_long_unsigned_type_node);
1215 break;
1216
1217 case FMT_LEN_z:
1218 dirtype = signed_or_unsigned_type_for (!sign, size_type_node);
1219 break;
1220
1221 case FMT_LEN_t:
1222 dirtype = signed_or_unsigned_type_for (!sign, ptrdiff_type_node);
1223 break;
1224
1225 case FMT_LEN_j:
1226 build_intmax_type_nodes (&intmax_type_node, &uintmax_type_node);
1227 dirtype = sign ? intmax_type_node : uintmax_type_node;
1228 break;
1229
1230 default:
1231 return fmtresult ();
1232 }
1233
1234 /* The type of the argument to the directive, either deduced from
1235 the actual non-constant argument if one is known, or from
1236 the directive itself when none has been provided because it's
1237 a va_list. */
1238 tree argtype = NULL_TREE;
1239
1240 if (!arg)
1241 {
1242 /* When the argument has not been provided, use the type of
1243 the directive's argument as an approximation. This will
1244 result in false positives for directives like %i with
1245 arguments with smaller precision (such as short or char). */
1246 argtype = dirtype;
1247 }
1248 else if (TREE_CODE (arg) == INTEGER_CST)
1249 {
1250 /* When a constant argument has been provided use its value
1251 rather than type to determine the length of the output. */
1252 fmtresult res;
1253
1254 if ((dir.prec[0] <= 0 && dir.prec[1] >= 0) && integer_zerop (arg))
1255 {
1256 /* As a special case, a precision of zero with a zero argument
1257 results in zero bytes except in base 8 when the '#' flag is
1258 specified, and for signed conversions in base 8 and 10 when
1259 either the space or '+' flag has been specified and it results
1260 in just one byte (with width having the normal effect). This
1261 must extend to the case of a specified precision with
1262 an unknown value because it can be zero. */
1263 res.range.min = ((base == 8 && dir.get_flag ('#')) || maybesign);
1264 if (res.range.min == 0 && dir.prec[0] != dir.prec[1])
1265 {
1266 res.range.max = 1;
1267 res.range.likely = 1;
1268 }
1269 else
1270 {
1271 res.range.max = res.range.min;
1272 res.range.likely = res.range.min;
1273 }
1274 }
1275 else
1276 {
1277 /* Convert the argument to the type of the directive. */
1278 arg = fold_convert (dirtype, arg);
1279
1280 res.range.min = tree_digits (arg, base, dir.prec[0],
1281 maybesign, maybebase);
1282 if (dir.prec[0] == dir.prec[1])
1283 res.range.max = res.range.min;
1284 else
1285 res.range.max = tree_digits (arg, base, dir.prec[1],
1286 maybesign, maybebase);
1287 res.range.likely = res.range.min;
1288 res.knownrange = true;
1289 }
1290
1291 res.range.unlikely = res.range.max;
1292
1293 /* Bump up the counters if WIDTH is greater than LEN. */
1294 res.adjust_for_width_or_precision (dir.width, dirtype, base,
1295 (sign | maybebase) + (base == 16));
1296 /* Bump up the counters again if PRECision is greater still. */
1297 res.adjust_for_width_or_precision (dir.prec, dirtype, base,
1298 (sign | maybebase) + (base == 16));
1299
1300 return res;
1301 }
1302 else if (INTEGRAL_TYPE_P (TREE_TYPE (arg))
1303 || TREE_CODE (TREE_TYPE (arg)) == POINTER_TYPE)
1304 /* Determine the type of the provided non-constant argument. */
1305 argtype = TREE_TYPE (arg);
1306 else
1307 /* Don't bother with invalid arguments since they likely would
1308 have already been diagnosed, and disable any further checking
1309 of the format string by returning [-1, -1]. */
1310 return fmtresult ();
1311
1312 fmtresult res;
1313
1314 /* Using either the range the non-constant argument is in, or its
1315 type (either "formal" or actual), create a range of values that
1316 constrain the length of output given the warning level. */
1317 tree argmin = NULL_TREE;
1318 tree argmax = NULL_TREE;
1319
1320 if (arg
1321 && TREE_CODE (arg) == SSA_NAME
1322 && INTEGRAL_TYPE_P (argtype))
1323 {
1324 /* Try to determine the range of values of the integer argument
1325 (range information is not available for pointers). */
1326 const value_range *vr
1327 = CONST_CAST (class vr_values *, vr_values)->get_value_range (arg);
1328
1329 if (range_int_cst_p (vr))
1330 {
1331 argmin = vr->min ();
1332 argmax = vr->max ();
1333
1334 /* Set KNOWNRANGE if the argument is in a known subrange
1335 of the directive's type and neither width nor precision
1336 is unknown. (KNOWNRANGE may be reset below). */
1337 res.knownrange
1338 = ((!tree_int_cst_equal (TYPE_MIN_VALUE (dirtype), argmin)
1339 || !tree_int_cst_equal (TYPE_MAX_VALUE (dirtype), argmax))
1340 && dir.known_width_and_precision ());
1341
1342 res.argmin = argmin;
1343 res.argmax = argmax;
1344 }
1345 else if (vr->kind () == VR_ANTI_RANGE)
1346 {
1347 /* Handle anti-ranges if/when bug 71690 is resolved. */
1348 }
1349 else if (vr->varying_p () || vr->undefined_p ())
1350 {
1351 /* The argument here may be the result of promoting the actual
1352 argument to int. Try to determine the type of the actual
1353 argument before promotion and narrow down its range that
1354 way. */
1355 gimple *def = SSA_NAME_DEF_STMT (arg);
1356 if (is_gimple_assign (def))
1357 {
1358 tree_code code = gimple_assign_rhs_code (def);
1359 if (code == INTEGER_CST)
1360 {
1361 arg = gimple_assign_rhs1 (def);
1362 return format_integer (dir, arg, vr_values);
1363 }
1364
1365 if (code == NOP_EXPR)
1366 {
1367 tree type = TREE_TYPE (gimple_assign_rhs1 (def));
1368 if (INTEGRAL_TYPE_P (type)
1369 || TREE_CODE (type) == POINTER_TYPE)
1370 argtype = type;
1371 }
1372 }
1373 }
1374 }
1375
1376 if (!argmin)
1377 {
1378 if (TREE_CODE (argtype) == POINTER_TYPE)
1379 {
1380 argmin = build_int_cst (pointer_sized_int_node, 0);
1381 argmax = build_all_ones_cst (pointer_sized_int_node);
1382 }
1383 else
1384 {
1385 argmin = TYPE_MIN_VALUE (argtype);
1386 argmax = TYPE_MAX_VALUE (argtype);
1387 }
1388 }
1389
1390 /* Clear KNOWNRANGE if the range has been adjusted to the maximum
1391 of the directive. If it has been cleared then since ARGMIN and/or
1392 ARGMAX have been adjusted also adjust the corresponding ARGMIN and
1393 ARGMAX in the result to include in diagnostics. */
1394 if (adjust_range_for_overflow (dirtype, &argmin, &argmax))
1395 {
1396 res.knownrange = false;
1397 res.argmin = argmin;
1398 res.argmax = argmax;
1399 }
1400
1401 /* Recursively compute the minimum and maximum from the known range. */
1402 if (TYPE_UNSIGNED (dirtype) || tree_int_cst_sgn (argmin) >= 0)
1403 {
1404 /* For unsigned conversions/directives or signed when
1405 the minimum is positive, use the minimum and maximum to compute
1406 the shortest and longest output, respectively. */
1407 res.range.min = format_integer (dir, argmin, vr_values).range.min;
1408 res.range.max = format_integer (dir, argmax, vr_values).range.max;
1409 }
1410 else if (tree_int_cst_sgn (argmax) < 0)
1411 {
1412 /* For signed conversions/directives if maximum is negative,
1413 use the minimum as the longest output and maximum as the
1414 shortest output. */
1415 res.range.min = format_integer (dir, argmax, vr_values).range.min;
1416 res.range.max = format_integer (dir, argmin, vr_values).range.max;
1417 }
1418 else
1419 {
1420 /* Otherwise, 0 is inside of the range and minimum negative. Use 0
1421 as the shortest output and for the longest output compute the
1422 length of the output of both minimum and maximum and pick the
1423 longer. */
1424 unsigned HOST_WIDE_INT max1
1425 = format_integer (dir, argmin, vr_values).range.max;
1426 unsigned HOST_WIDE_INT max2
1427 = format_integer (dir, argmax, vr_values).range.max;
1428 res.range.min
1429 = format_integer (dir, integer_zero_node, vr_values).range.min;
1430 res.range.max = MAX (max1, max2);
1431 }
1432
1433 /* If the range is known, use the maximum as the likely length. */
1434 if (res.knownrange)
1435 res.range.likely = res.range.max;
1436 else
1437 {
1438 /* Otherwise, use the minimum. Except for the case where for %#x or
1439 %#o the minimum is just for a single value in the range (0) and
1440 for all other values it is something longer, like 0x1 or 01.
1441 Use the length for value 1 in that case instead as the likely
1442 length. */
1443 res.range.likely = res.range.min;
1444 if (maybebase
1445 && base != 10
1446 && (tree_int_cst_sgn (argmin) < 0 || tree_int_cst_sgn (argmax) > 0))
1447 {
1448 if (res.range.min == 1)
1449 res.range.likely += base == 8 ? 1 : 2;
1450 else if (res.range.min == 2
1451 && base == 16
1452 && (dir.width[0] == 2 || dir.prec[0] == 2))
1453 ++res.range.likely;
1454 }
1455 }
1456
1457 res.range.unlikely = res.range.max;
1458 res.adjust_for_width_or_precision (dir.width, dirtype, base,
1459 (sign | maybebase) + (base == 16));
1460 res.adjust_for_width_or_precision (dir.prec, dirtype, base,
1461 (sign | maybebase) + (base == 16));
1462
1463 return res;
1464 }
1465
1466 /* Return the number of bytes that a format directive consisting of FLAGS,
1467 PRECision, format SPECification, and MPFR rounding specifier RNDSPEC,
1468 would result for argument X under ideal conditions (i.e., if PREC
1469 weren't excessive). MPFR 3.1 allocates large amounts of memory for
1470 values of PREC with large magnitude and can fail (see MPFR bug #21056).
1471 This function works around those problems. */
1472
1473 static unsigned HOST_WIDE_INT
1474 get_mpfr_format_length (mpfr_ptr x, const char *flags, HOST_WIDE_INT prec,
1475 char spec, char rndspec)
1476 {
1477 char fmtstr[40];
1478
1479 HOST_WIDE_INT len = strlen (flags);
1480
1481 fmtstr[0] = '%';
1482 memcpy (fmtstr + 1, flags, len);
1483 memcpy (fmtstr + 1 + len, ".*R", 3);
1484 fmtstr[len + 4] = rndspec;
1485 fmtstr[len + 5] = spec;
1486 fmtstr[len + 6] = '\0';
1487
1488 spec = TOUPPER (spec);
1489 if (spec == 'E' || spec == 'F')
1490 {
1491 /* For %e, specify the precision explicitly since mpfr_sprintf
1492 does its own thing just to be different (see MPFR bug 21088). */
1493 if (prec < 0)
1494 prec = 6;
1495 }
1496 else
1497 {
1498 /* Avoid passing negative precisions with larger magnitude to MPFR
1499 to avoid exposing its bugs. (A negative precision is supposed
1500 to be ignored.) */
1501 if (prec < 0)
1502 prec = -1;
1503 }
1504
1505 HOST_WIDE_INT p = prec;
1506
1507 if (spec == 'G' && !strchr (flags, '#'))
1508 {
1509 /* For G/g without the pound flag, precision gives the maximum number
1510 of significant digits which is bounded by LDBL_MAX_10_EXP, or, for
1511 a 128 bit IEEE extended precision, 4932. Using twice as much here
1512 should be more than sufficient for any real format. */
1513 if ((IEEE_MAX_10_EXP * 2) < prec)
1514 prec = IEEE_MAX_10_EXP * 2;
1515 p = prec;
1516 }
1517 else
1518 {
1519 /* Cap precision arbitrarily at 1KB and add the difference
1520 (if any) to the MPFR result. */
1521 if (prec > 1024)
1522 p = 1024;
1523 }
1524
1525 len = mpfr_snprintf (NULL, 0, fmtstr, (int)p, x);
1526
1527 /* Handle the unlikely (impossible?) error by returning more than
1528 the maximum dictated by the function's return type. */
1529 if (len < 0)
1530 return target_dir_max () + 1;
1531
1532 /* Adjust the return value by the difference. */
1533 if (p < prec)
1534 len += prec - p;
1535
1536 return len;
1537 }
1538
1539 /* Return the number of bytes to format using the format specifier
1540 SPEC and the precision PREC the largest value in the real floating
1541 TYPE. */
1542
1543 static unsigned HOST_WIDE_INT
1544 format_floating_max (tree type, char spec, HOST_WIDE_INT prec)
1545 {
1546 machine_mode mode = TYPE_MODE (type);
1547
1548 /* IBM Extended mode. */
1549 if (MODE_COMPOSITE_P (mode))
1550 mode = DFmode;
1551
1552 /* Get the real type format desription for the target. */
1553 const real_format *rfmt = REAL_MODE_FORMAT (mode);
1554 REAL_VALUE_TYPE rv;
1555
1556 real_maxval (&rv, 0, mode);
1557
1558 /* Convert the GCC real value representation with the precision
1559 of the real type to the mpfr_t format with the GCC default
1560 round-to-nearest mode. */
1561 mpfr_t x;
1562 mpfr_init2 (x, rfmt->p);
1563 mpfr_from_real (x, &rv, GMP_RNDN);
1564
1565 /* Return a value one greater to account for the leading minus sign. */
1566 unsigned HOST_WIDE_INT r
1567 = 1 + get_mpfr_format_length (x, "", prec, spec, 'D');
1568 mpfr_clear (x);
1569 return r;
1570 }
1571
1572 /* Return a range representing the minimum and maximum number of bytes
1573 that the directive DIR will output for any argument. PREC gives
1574 the adjusted precision range to account for negative precisions
1575 meaning the default 6. This function is used when the directive
1576 argument or its value isn't known. */
1577
1578 static fmtresult
1579 format_floating (const directive &dir, const HOST_WIDE_INT prec[2])
1580 {
1581 tree type;
1582
1583 switch (dir.modifier)
1584 {
1585 case FMT_LEN_l:
1586 case FMT_LEN_none:
1587 type = double_type_node;
1588 break;
1589
1590 case FMT_LEN_L:
1591 type = long_double_type_node;
1592 break;
1593
1594 case FMT_LEN_ll:
1595 type = long_double_type_node;
1596 break;
1597
1598 default:
1599 return fmtresult ();
1600 }
1601
1602 /* The minimum and maximum number of bytes produced by the directive. */
1603 fmtresult res;
1604
1605 /* The minimum output as determined by flags. It's always at least 1.
1606 When plus or space are set the output is preceded by either a sign
1607 or a space. */
1608 unsigned flagmin = (1 /* for the first digit */
1609 + (dir.get_flag ('+') | dir.get_flag (' ')));
1610
1611 /* The minimum is 3 for "inf" and "nan" for all specifiers, plus 1
1612 for the plus sign/space with the '+' and ' ' flags, respectively,
1613 unless reduced below. */
1614 res.range.min = 2 + flagmin;
1615
1616 /* When the pound flag is set the decimal point is included in output
1617 regardless of precision. Whether or not a decimal point is included
1618 otherwise depends on the specification and precision. */
1619 bool radix = dir.get_flag ('#');
1620
1621 switch (dir.specifier)
1622 {
1623 case 'A':
1624 case 'a':
1625 {
1626 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */;
1627 if (dir.prec[0] <= 0)
1628 minprec = 0;
1629 else if (dir.prec[0] > 0)
1630 minprec = dir.prec[0] + !radix /* decimal point */;
1631
1632 res.range.likely = (2 /* 0x */
1633 + flagmin
1634 + radix
1635 + minprec
1636 + 3 /* p+0 */);
1637
1638 res.range.max = format_floating_max (type, 'a', prec[1]);
1639
1640 /* The unlikely maximum accounts for the longest multibyte
1641 decimal point character. */
1642 res.range.unlikely = res.range.max;
1643 if (dir.prec[1] > 0)
1644 res.range.unlikely += target_mb_len_max () - 1;
1645
1646 break;
1647 }
1648
1649 case 'E':
1650 case 'e':
1651 {
1652 /* Minimum output attributable to precision and, when it's
1653 non-zero, decimal point. */
1654 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0;
1655
1656 /* The likely minimum output is "[-+]1.234567e+00" regardless
1657 of the value of the actual argument. */
1658 res.range.likely = (flagmin
1659 + radix
1660 + minprec
1661 + 2 /* e+ */ + 2);
1662
1663 res.range.max = format_floating_max (type, 'e', prec[1]);
1664
1665 /* The unlikely maximum accounts for the longest multibyte
1666 decimal point character. */
1667 if (dir.prec[0] != dir.prec[1]
1668 || dir.prec[0] == -1 || dir.prec[0] > 0)
1669 res.range.unlikely = res.range.max + target_mb_len_max () -1;
1670 else
1671 res.range.unlikely = res.range.max;
1672 break;
1673 }
1674
1675 case 'F':
1676 case 'f':
1677 {
1678 /* Minimum output attributable to precision and, when it's non-zero,
1679 decimal point. */
1680 HOST_WIDE_INT minprec = prec[0] ? prec[0] + !radix : 0;
1681
1682 /* For finite numbers (i.e., not infinity or NaN) the lower bound
1683 when precision isn't specified is 8 bytes ("1.23456" since
1684 precision is taken to be 6). When precision is zero, the lower
1685 bound is 1 byte (e.g., "1"). Otherwise, when precision is greater
1686 than zero, then the lower bound is 2 plus precision (plus flags).
1687 But in all cases, the lower bound is no greater than 3. */
1688 unsigned HOST_WIDE_INT min = flagmin + radix + minprec;
1689 if (min < res.range.min)
1690 res.range.min = min;
1691
1692 /* Compute the upper bound for -TYPE_MAX. */
1693 res.range.max = format_floating_max (type, 'f', prec[1]);
1694
1695 /* The minimum output with unknown precision is a single byte
1696 (e.g., "0") but the more likely output is 3 bytes ("0.0"). */
1697 if (dir.prec[0] < 0 && dir.prec[1] > 0)
1698 res.range.likely = 3;
1699 else
1700 res.range.likely = min;
1701
1702 /* The unlikely maximum accounts for the longest multibyte
1703 decimal point character. */
1704 if (dir.prec[0] != dir.prec[1]
1705 || dir.prec[0] == -1 || dir.prec[0] > 0)
1706 res.range.unlikely = res.range.max + target_mb_len_max () - 1;
1707 break;
1708 }
1709
1710 case 'G':
1711 case 'g':
1712 {
1713 /* The %g output depends on precision and the exponent of
1714 the argument. Since the value of the argument isn't known
1715 the lower bound on the range of bytes (not counting flags
1716 or width) is 1 plus radix (i.e., either "0" or "0." for
1717 "%g" and "%#g", respectively, with a zero argument). */
1718 unsigned HOST_WIDE_INT min = flagmin + radix;
1719 if (min < res.range.min)
1720 res.range.min = min;
1721
1722 char spec = 'g';
1723 HOST_WIDE_INT maxprec = dir.prec[1];
1724 if (radix && maxprec)
1725 {
1726 /* When the pound flag (radix) is set, trailing zeros aren't
1727 trimmed and so the longest output is the same as for %e,
1728 except with precision minus 1 (as specified in C11). */
1729 spec = 'e';
1730 if (maxprec > 0)
1731 --maxprec;
1732 else if (maxprec < 0)
1733 maxprec = 5;
1734 }
1735 else
1736 maxprec = prec[1];
1737
1738 res.range.max = format_floating_max (type, spec, maxprec);
1739
1740 /* The likely output is either the maximum computed above
1741 minus 1 (assuming the maximum is positive) when precision
1742 is known (or unspecified), or the same minimum as for %e
1743 (which is computed for a non-negative argument). Unlike
1744 for the other specifiers above the likely output isn't
1745 the minimum because for %g that's 1 which is unlikely. */
1746 if (dir.prec[1] < 0
1747 || (unsigned HOST_WIDE_INT)dir.prec[1] < target_int_max ())
1748 res.range.likely = res.range.max - 1;
1749 else
1750 {
1751 HOST_WIDE_INT minprec = 6 + !radix /* decimal point */;
1752 res.range.likely = (flagmin
1753 + radix
1754 + minprec
1755 + 2 /* e+ */ + 2);
1756 }
1757
1758 /* The unlikely maximum accounts for the longest multibyte
1759 decimal point character. */
1760 res.range.unlikely = res.range.max + target_mb_len_max () - 1;
1761 break;
1762 }
1763
1764 default:
1765 return fmtresult ();
1766 }
1767
1768 /* Bump up the byte counters if WIDTH is greater. */
1769 res.adjust_for_width_or_precision (dir.width);
1770 return res;
1771 }
1772
1773 /* Return a range representing the minimum and maximum number of bytes
1774 that the directive DIR will write on output for the floating argument
1775 ARG. */
1776
1777 static fmtresult
1778 format_floating (const directive &dir, tree arg, const vr_values *)
1779 {
1780 HOST_WIDE_INT prec[] = { dir.prec[0], dir.prec[1] };
1781 tree type = (dir.modifier == FMT_LEN_L || dir.modifier == FMT_LEN_ll
1782 ? long_double_type_node : double_type_node);
1783
1784 /* For an indeterminate precision the lower bound must be assumed
1785 to be zero. */
1786 if (TOUPPER (dir.specifier) == 'A')
1787 {
1788 /* Get the number of fractional decimal digits needed to represent
1789 the argument without a loss of accuracy. */
1790 unsigned fmtprec
1791 = REAL_MODE_FORMAT (TYPE_MODE (type))->p;
1792
1793 /* The precision of the IEEE 754 double format is 53.
1794 The precision of all other GCC binary double formats
1795 is 56 or less. */
1796 unsigned maxprec = fmtprec <= 56 ? 13 : 15;
1797
1798 /* For %a, leave the minimum precision unspecified to let
1799 MFPR trim trailing zeros (as it and many other systems
1800 including Glibc happen to do) and set the maximum
1801 precision to reflect what it would be with trailing zeros
1802 present (as Solaris and derived systems do). */
1803 if (dir.prec[1] < 0)
1804 {
1805 /* Both bounds are negative implies that precision has
1806 not been specified. */
1807 prec[0] = maxprec;
1808 prec[1] = -1;
1809 }
1810 else if (dir.prec[0] < 0)
1811 {
1812 /* With a negative lower bound and a non-negative upper
1813 bound set the minimum precision to zero and the maximum
1814 to the greater of the maximum precision (i.e., with
1815 trailing zeros present) and the specified upper bound. */
1816 prec[0] = 0;
1817 prec[1] = dir.prec[1] < maxprec ? maxprec : dir.prec[1];
1818 }
1819 }
1820 else if (dir.prec[0] < 0)
1821 {
1822 if (dir.prec[1] < 0)
1823 {
1824 /* A precision in a strictly negative range is ignored and
1825 the default of 6 is used instead. */
1826 prec[0] = prec[1] = 6;
1827 }
1828 else
1829 {
1830 /* For a precision in a partly negative range, the lower bound
1831 must be assumed to be zero and the new upper bound is the
1832 greater of 6 (the default precision used when the specified
1833 precision is negative) and the upper bound of the specified
1834 range. */
1835 prec[0] = 0;
1836 prec[1] = dir.prec[1] < 6 ? 6 : dir.prec[1];
1837 }
1838 }
1839
1840 if (!arg
1841 || TREE_CODE (arg) != REAL_CST
1842 || !useless_type_conversion_p (type, TREE_TYPE (arg)))
1843 return format_floating (dir, prec);
1844
1845 /* The minimum and maximum number of bytes produced by the directive. */
1846 fmtresult res;
1847
1848 /* Get the real type format desription for the target. */
1849 const REAL_VALUE_TYPE *rvp = TREE_REAL_CST_PTR (arg);
1850 const real_format *rfmt = REAL_MODE_FORMAT (TYPE_MODE (TREE_TYPE (arg)));
1851
1852 if (!real_isfinite (rvp))
1853 {
1854 /* The format for Infinity and NaN is "[-]inf"/"[-]infinity"
1855 and "[-]nan" with the choice being implementation-defined
1856 but not locale dependent. */
1857 bool sign = dir.get_flag ('+') || real_isneg (rvp);
1858 res.range.min = 3 + sign;
1859
1860 res.range.likely = res.range.min;
1861 res.range.max = res.range.min;
1862 /* The unlikely maximum is "[-/+]infinity" or "[-/+][qs]nan".
1863 For NaN, the C/POSIX standards specify two formats:
1864 "[-/+]nan"
1865 and
1866 "[-/+]nan(n-char-sequence)"
1867 No known printf implementation outputs the latter format but AIX
1868 outputs QNaN and SNaN for quiet and signalling NaN, respectively,
1869 so the unlikely maximum reflects that. */
1870 res.range.unlikely = sign + (real_isinf (rvp) ? 8 : 4);
1871
1872 /* The range for infinity and NaN is known unless either width
1873 or precision is unknown. Width has the same effect regardless
1874 of whether the argument is finite. Precision is either ignored
1875 (e.g., Glibc) or can have an effect on the short vs long format
1876 such as inf/infinity (e.g., Solaris). */
1877 res.knownrange = dir.known_width_and_precision ();
1878
1879 /* Adjust the range for width but ignore precision. */
1880 res.adjust_for_width_or_precision (dir.width);
1881
1882 return res;
1883 }
1884
1885 char fmtstr [40];
1886 char *pfmt = fmtstr;
1887
1888 /* Append flags. */
1889 for (const char *pf = "-+ #0"; *pf; ++pf)
1890 if (dir.get_flag (*pf))
1891 *pfmt++ = *pf;
1892
1893 *pfmt = '\0';
1894
1895 {
1896 /* Set up an array to easily iterate over. */
1897 unsigned HOST_WIDE_INT* const minmax[] = {
1898 &res.range.min, &res.range.max
1899 };
1900
1901 for (int i = 0; i != sizeof minmax / sizeof *minmax; ++i)
1902 {
1903 /* Convert the GCC real value representation with the precision
1904 of the real type to the mpfr_t format rounding down in the
1905 first iteration that computes the minimm and up in the second
1906 that computes the maximum. This order is arbibtrary because
1907 rounding in either direction can result in longer output. */
1908 mpfr_t mpfrval;
1909 mpfr_init2 (mpfrval, rfmt->p);
1910 mpfr_from_real (mpfrval, rvp, i ? GMP_RNDU : GMP_RNDD);
1911
1912 /* Use the MPFR rounding specifier to round down in the first
1913 iteration and then up. In most but not all cases this will
1914 result in the same number of bytes. */
1915 char rndspec = "DU"[i];
1916
1917 /* Format it and store the result in the corresponding member
1918 of the result struct. */
1919 *minmax[i] = get_mpfr_format_length (mpfrval, fmtstr, prec[i],
1920 dir.specifier, rndspec);
1921 mpfr_clear (mpfrval);
1922 }
1923 }
1924
1925 /* Make sure the minimum is less than the maximum (MPFR rounding
1926 in the call to mpfr_snprintf can result in the reverse. */
1927 if (res.range.max < res.range.min)
1928 {
1929 unsigned HOST_WIDE_INT tmp = res.range.min;
1930 res.range.min = res.range.max;
1931 res.range.max = tmp;
1932 }
1933
1934 /* The range is known unless either width or precision is unknown. */
1935 res.knownrange = dir.known_width_and_precision ();
1936
1937 /* For the same floating point constant, unless width or precision
1938 is unknown, use the longer output as the likely maximum since
1939 with round to nearest either is equally likely. Otheriwse, when
1940 precision is unknown, use the greater of the minimum and 3 as
1941 the likely output (for "0.0" since zero precision is unlikely). */
1942 if (res.knownrange)
1943 res.range.likely = res.range.max;
1944 else if (res.range.min < 3
1945 && dir.prec[0] < 0
1946 && (unsigned HOST_WIDE_INT)dir.prec[1] == target_int_max ())
1947 res.range.likely = 3;
1948 else
1949 res.range.likely = res.range.min;
1950
1951 res.range.unlikely = res.range.max;
1952
1953 if (res.range.max > 2 && (prec[0] != 0 || prec[1] != 0))
1954 {
1955 /* Unless the precision is zero output longer than 2 bytes may
1956 include the decimal point which must be a single character
1957 up to MB_LEN_MAX in length. This is overly conservative
1958 since in some conversions some constants result in no decimal
1959 point (e.g., in %g). */
1960 res.range.unlikely += target_mb_len_max () - 1;
1961 }
1962
1963 res.adjust_for_width_or_precision (dir.width);
1964 return res;
1965 }
1966
1967 /* Return a FMTRESULT struct set to the lengths of the shortest and longest
1968 strings referenced by the expression STR, or (-1, -1) when not known.
1969 Used by the format_string function below. */
1970
1971 static fmtresult
1972 get_string_length (tree str, unsigned eltsize, const vr_values *vr)
1973 {
1974 if (!str)
1975 return fmtresult ();
1976
1977 /* Try to determine the dynamic string length first. */
1978 c_strlen_data lendata = { };
1979 if (eltsize == 1)
1980 get_range_strlen_dynamic (str, &lendata, vr);
1981 else
1982 {
1983 /* Determine the length of the shortest and longest string referenced
1984 by STR. Strings of unknown lengths are bounded by the sizes of
1985 arrays that subexpressions of STR may refer to. Pointers that
1986 aren't known to point any such arrays result in LENDATA.MAXLEN
1987 set to SIZE_MAX. */
1988 get_range_strlen (str, &lendata, eltsize);
1989 }
1990
1991 /* LENDATA.MAXBOUND is null when LENDATA.MIN corresponds to the shortest
1992 string referenced by STR. Otherwise, if it's not equal to .MINLEN it
1993 corresponds to the bound of the largest array STR refers to, if known,
1994 or it's SIZE_MAX otherwise. */
1995
1996 /* Return the default result when nothing is known about the string. */
1997 if (lendata.maxbound
1998 && integer_all_onesp (lendata.maxbound)
1999 && integer_all_onesp (lendata.maxlen))
2000 return fmtresult ();
2001
2002 HOST_WIDE_INT min
2003 = (tree_fits_uhwi_p (lendata.minlen)
2004 ? tree_to_uhwi (lendata.minlen)
2005 : 0);
2006
2007 HOST_WIDE_INT max
2008 = (lendata.maxbound && tree_fits_uhwi_p (lendata.maxbound)
2009 ? tree_to_uhwi (lendata.maxbound)
2010 : HOST_WIDE_INT_M1U);
2011
2012 const bool unbounded = integer_all_onesp (lendata.maxlen);
2013
2014 /* Set the max/likely counters to unbounded when a minimum is known
2015 but the maximum length isn't bounded. This implies that STR is
2016 a conditional expression involving a string of known length and
2017 and an expression of unknown/unbounded length. */
2018 if (min
2019 && (unsigned HOST_WIDE_INT)min < HOST_WIDE_INT_M1U
2020 && unbounded)
2021 max = HOST_WIDE_INT_M1U;
2022
2023 /* get_range_strlen() returns the target value of SIZE_MAX for
2024 strings of unknown length. Bump it up to HOST_WIDE_INT_M1U
2025 which may be bigger. */
2026 if ((unsigned HOST_WIDE_INT)min == target_size_max ())
2027 min = HOST_WIDE_INT_M1U;
2028 if ((unsigned HOST_WIDE_INT)max == target_size_max ())
2029 max = HOST_WIDE_INT_M1U;
2030
2031 fmtresult res (min, max);
2032 res.nonstr = lendata.decl;
2033
2034 /* Set RES.KNOWNRANGE to true if and only if all strings referenced
2035 by STR are known to be bounded (though not necessarily by their
2036 actual length but perhaps by their maximum possible length). */
2037 if (res.range.max < target_int_max ())
2038 {
2039 res.knownrange = true;
2040 /* When the the length of the longest string is known and not
2041 excessive use it as the likely length of the string(s). */
2042 res.range.likely = res.range.max;
2043 }
2044 else
2045 {
2046 /* When the upper bound is unknown (it can be zero or excessive)
2047 set the likely length to the greater of 1. If MAXBOUND is
2048 set, also reset the length of the lower bound to zero. */
2049 res.range.likely = res.range.min ? res.range.min : warn_level > 1;
2050 if (lendata.maxbound)
2051 res.range.min = 0;
2052 }
2053
2054 res.range.unlikely = unbounded ? HOST_WIDE_INT_MAX : res.range.max;
2055
2056 return res;
2057 }
2058
2059 /* Return the minimum and maximum number of characters formatted
2060 by the '%c' format directives and its wide character form for
2061 the argument ARG. ARG can be null (for functions such as
2062 vsprinf). */
2063
2064 static fmtresult
2065 format_character (const directive &dir, tree arg, const vr_values *vr_values)
2066 {
2067 fmtresult res;
2068
2069 res.knownrange = true;
2070
2071 if (dir.specifier == 'C'
2072 || dir.modifier == FMT_LEN_l)
2073 {
2074 /* A wide character can result in as few as zero bytes. */
2075 res.range.min = 0;
2076
2077 HOST_WIDE_INT min, max;
2078 if (get_int_range (arg, &min, &max, false, 0, vr_values))
2079 {
2080 if (min == 0 && max == 0)
2081 {
2082 /* The NUL wide character results in no bytes. */
2083 res.range.max = 0;
2084 res.range.likely = 0;
2085 res.range.unlikely = 0;
2086 }
2087 else if (min >= 0 && min < 128)
2088 {
2089 /* Be conservative if the target execution character set
2090 is not a 1-to-1 mapping to the source character set or
2091 if the source set is not ASCII. */
2092 bool one_2_one_ascii
2093 = (target_to_host_charmap[0] == 1 && target_to_host ('a') == 97);
2094
2095 /* A wide character in the ASCII range most likely results
2096 in a single byte, and only unlikely in up to MB_LEN_MAX. */
2097 res.range.max = one_2_one_ascii ? 1 : target_mb_len_max ();;
2098 res.range.likely = 1;
2099 res.range.unlikely = target_mb_len_max ();
2100 res.mayfail = !one_2_one_ascii;
2101 }
2102 else
2103 {
2104 /* A wide character outside the ASCII range likely results
2105 in up to two bytes, and only unlikely in up to MB_LEN_MAX. */
2106 res.range.max = target_mb_len_max ();
2107 res.range.likely = 2;
2108 res.range.unlikely = res.range.max;
2109 /* Converting such a character may fail. */
2110 res.mayfail = true;
2111 }
2112 }
2113 else
2114 {
2115 /* An unknown wide character is treated the same as a wide
2116 character outside the ASCII range. */
2117 res.range.max = target_mb_len_max ();
2118 res.range.likely = 2;
2119 res.range.unlikely = res.range.max;
2120 res.mayfail = true;
2121 }
2122 }
2123 else
2124 {
2125 /* A plain '%c' directive. Its ouput is exactly 1. */
2126 res.range.min = res.range.max = 1;
2127 res.range.likely = res.range.unlikely = 1;
2128 res.knownrange = true;
2129 }
2130
2131 /* Bump up the byte counters if WIDTH is greater. */
2132 return res.adjust_for_width_or_precision (dir.width);
2133 }
2134
2135 /* Return the minimum and maximum number of characters formatted
2136 by the '%s' format directive and its wide character form for
2137 the argument ARG. ARG can be null (for functions such as
2138 vsprinf). */
2139
2140 static fmtresult
2141 format_string (const directive &dir, tree arg, const vr_values *vr_values)
2142 {
2143 fmtresult res;
2144
2145 /* Compute the range the argument's length can be in. */
2146 int count_by = 1;
2147 if (dir.specifier == 'S' || dir.modifier == FMT_LEN_l)
2148 {
2149 /* Get a node for a C type that will be the same size
2150 as a wchar_t on the target. */
2151 tree node = get_typenode_from_name (MODIFIED_WCHAR_TYPE);
2152
2153 /* Now that we have a suitable node, get the number of
2154 bytes it occupies. */
2155 count_by = int_size_in_bytes (node);
2156 gcc_checking_assert (count_by == 2 || count_by == 4);
2157 }
2158
2159 fmtresult slen = get_string_length (arg, count_by, vr_values);
2160 if (slen.range.min == slen.range.max
2161 && slen.range.min < HOST_WIDE_INT_MAX)
2162 {
2163 /* The argument is either a string constant or it refers
2164 to one of a number of strings of the same length. */
2165
2166 /* A '%s' directive with a string argument with constant length. */
2167 res.range = slen.range;
2168
2169 if (dir.specifier == 'S'
2170 || dir.modifier == FMT_LEN_l)
2171 {
2172 /* In the worst case the length of output of a wide string S
2173 is bounded by MB_LEN_MAX * wcslen (S). */
2174 res.range.max *= target_mb_len_max ();
2175 res.range.unlikely = res.range.max;
2176 /* It's likely that the the total length is not more that
2177 2 * wcslen (S).*/
2178 res.range.likely = res.range.min * 2;
2179
2180 if (dir.prec[1] >= 0
2181 && (unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max)
2182 {
2183 res.range.max = dir.prec[1];
2184 res.range.likely = dir.prec[1];
2185 res.range.unlikely = dir.prec[1];
2186 }
2187
2188 if (dir.prec[0] < 0 && dir.prec[1] > -1)
2189 res.range.min = 0;
2190 else if (dir.prec[0] >= 0)
2191 res.range.likely = dir.prec[0];
2192
2193 /* Even a non-empty wide character string need not convert into
2194 any bytes. */
2195 res.range.min = 0;
2196
2197 /* A non-empty wide character conversion may fail. */
2198 if (slen.range.max > 0)
2199 res.mayfail = true;
2200 }
2201 else
2202 {
2203 res.knownrange = true;
2204
2205 if (dir.prec[0] < 0 && dir.prec[1] > -1)
2206 res.range.min = 0;
2207 else if ((unsigned HOST_WIDE_INT)dir.prec[0] < res.range.min)
2208 res.range.min = dir.prec[0];
2209
2210 if ((unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max)
2211 {
2212 res.range.max = dir.prec[1];
2213 res.range.likely = dir.prec[1];
2214 res.range.unlikely = dir.prec[1];
2215 }
2216 }
2217 }
2218 else if (arg && integer_zerop (arg))
2219 {
2220 /* Handle null pointer argument. */
2221
2222 fmtresult res (0);
2223 res.nullp = true;
2224 return res;
2225 }
2226 else
2227 {
2228 /* For a '%s' and '%ls' directive with a non-constant string (either
2229 one of a number of strings of known length or an unknown string)
2230 the minimum number of characters is lesser of PRECISION[0] and
2231 the length of the shortest known string or zero, and the maximum
2232 is the lessser of the length of the longest known string or
2233 PTRDIFF_MAX and PRECISION[1]. The likely length is either
2234 the minimum at level 1 and the greater of the minimum and 1
2235 at level 2. This result is adjust upward for width (if it's
2236 specified). */
2237
2238 if (dir.specifier == 'S'
2239 || dir.modifier == FMT_LEN_l)
2240 {
2241 /* A wide character converts to as few as zero bytes. */
2242 slen.range.min = 0;
2243 if (slen.range.max < target_int_max ())
2244 slen.range.max *= target_mb_len_max ();
2245
2246 if (slen.range.likely < target_int_max ())
2247 slen.range.likely *= 2;
2248
2249 if (slen.range.likely < target_int_max ())
2250 slen.range.unlikely *= target_mb_len_max ();
2251
2252 /* A non-empty wide character conversion may fail. */
2253 if (slen.range.max > 0)
2254 res.mayfail = true;
2255 }
2256
2257 res.range = slen.range;
2258
2259 if (dir.prec[0] >= 0)
2260 {
2261 /* Adjust the minimum to zero if the string length is unknown,
2262 or at most the lower bound of the precision otherwise. */
2263 if (slen.range.min >= target_int_max ())
2264 res.range.min = 0;
2265 else if ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.min)
2266 res.range.min = dir.prec[0];
2267
2268 /* Make both maxima no greater than the upper bound of precision. */
2269 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max
2270 || slen.range.max >= target_int_max ())
2271 {
2272 res.range.max = dir.prec[1];
2273 res.range.unlikely = dir.prec[1];
2274 }
2275
2276 /* If precision is constant, set the likely counter to the lesser
2277 of it and the maximum string length. Otherwise, if the lower
2278 bound of precision is greater than zero, set the likely counter
2279 to the minimum. Otherwise set it to zero or one based on
2280 the warning level. */
2281 if (dir.prec[0] == dir.prec[1])
2282 res.range.likely
2283 = ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.max
2284 ? dir.prec[0] : slen.range.max);
2285 else if (dir.prec[0] > 0)
2286 res.range.likely = res.range.min;
2287 else
2288 res.range.likely = warn_level > 1;
2289 }
2290 else if (dir.prec[1] >= 0)
2291 {
2292 res.range.min = 0;
2293 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max)
2294 res.range.max = dir.prec[1];
2295 res.range.likely = dir.prec[1] ? warn_level > 1 : 0;
2296 if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.unlikely)
2297 res.range.unlikely = dir.prec[1];
2298 }
2299 else if (slen.range.min >= target_int_max ())
2300 {
2301 res.range.min = 0;
2302 res.range.max = HOST_WIDE_INT_MAX;
2303 /* At level 1 strings of unknown length are assumed to be
2304 empty, while at level 1 they are assumed to be one byte
2305 long. */
2306 res.range.likely = warn_level > 1;
2307 res.range.unlikely = HOST_WIDE_INT_MAX;
2308 }
2309 else
2310 {
2311 /* A string of unknown length unconstrained by precision is
2312 assumed to be empty at level 1 and just one character long
2313 at higher levels. */
2314 if (res.range.likely >= target_int_max ())
2315 res.range.likely = warn_level > 1;
2316 }
2317 }
2318
2319 /* If the argument isn't a nul-terminated string and the number
2320 of bytes on output isn't bounded by precision, set NONSTR. */
2321 if (slen.nonstr && slen.range.min < (unsigned HOST_WIDE_INT)dir.prec[0])
2322 res.nonstr = slen.nonstr;
2323
2324 /* Bump up the byte counters if WIDTH is greater. */
2325 return res.adjust_for_width_or_precision (dir.width);
2326 }
2327
2328 /* Format plain string (part of the format string itself). */
2329
2330 static fmtresult
2331 format_plain (const directive &dir, tree, const vr_values *)
2332 {
2333 fmtresult res (dir.len);
2334 return res;
2335 }
2336
2337 /* Return true if the RESULT of a directive in a call describe by INFO
2338 should be diagnosed given the AVAILable space in the destination. */
2339
2340 static bool
2341 should_warn_p (const call_info &info,
2342 const result_range &avail, const result_range &result)
2343 {
2344 if (result.max <= avail.min)
2345 {
2346 /* The least amount of space remaining in the destination is big
2347 enough for the longest output. */
2348 return false;
2349 }
2350
2351 if (info.bounded)
2352 {
2353 if (warn_format_trunc == 1 && result.min <= avail.max
2354 && info.retval_used ())
2355 {
2356 /* The likely amount of space remaining in the destination is big
2357 enough for the least output and the return value is used. */
2358 return false;
2359 }
2360
2361 if (warn_format_trunc == 1 && result.likely <= avail.likely
2362 && !info.retval_used ())
2363 {
2364 /* The likely amount of space remaining in the destination is big
2365 enough for the likely output and the return value is unused. */
2366 return false;
2367 }
2368
2369 if (warn_format_trunc == 2
2370 && result.likely <= avail.min
2371 && (result.max <= avail.min
2372 || result.max > HOST_WIDE_INT_MAX))
2373 {
2374 /* The minimum amount of space remaining in the destination is big
2375 enough for the longest output. */
2376 return false;
2377 }
2378 }
2379 else
2380 {
2381 if (warn_level == 1 && result.likely <= avail.likely)
2382 {
2383 /* The likely amount of space remaining in the destination is big
2384 enough for the likely output. */
2385 return false;
2386 }
2387
2388 if (warn_level == 2
2389 && result.likely <= avail.min
2390 && (result.max <= avail.min
2391 || result.max > HOST_WIDE_INT_MAX))
2392 {
2393 /* The minimum amount of space remaining in the destination is big
2394 enough for the longest output. */
2395 return false;
2396 }
2397 }
2398
2399 return true;
2400 }
2401
2402 /* At format string location describe by DIRLOC in a call described
2403 by INFO, issue a warning for a directive DIR whose output may be
2404 in excess of the available space AVAIL_RANGE in the destination
2405 given the formatting result FMTRES. This function does nothing
2406 except decide whether to issue a warning for a possible write
2407 past the end or truncation and, if so, format the warning.
2408 Return true if a warning has been issued. */
2409
2410 static bool
2411 maybe_warn (substring_loc &dirloc, location_t argloc,
2412 const call_info &info,
2413 const result_range &avail_range, const result_range &res,
2414 const directive &dir)
2415 {
2416 if (!should_warn_p (info, avail_range, res))
2417 return false;
2418
2419 /* A warning will definitely be issued below. */
2420
2421 /* The maximum byte count to reference in the warning. Larger counts
2422 imply that the upper bound is unknown (and could be anywhere between
2423 RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather
2424 than "between N and X" where X is some huge number. */
2425 unsigned HOST_WIDE_INT maxbytes = target_dir_max ();
2426
2427 /* True when there is enough room in the destination for the least
2428 amount of a directive's output but not enough for its likely or
2429 maximum output. */
2430 bool maybe = (res.min <= avail_range.max
2431 && (avail_range.min < res.likely
2432 || (res.max < HOST_WIDE_INT_MAX
2433 && avail_range.min < res.max)));
2434
2435 /* Buffer for the directive in the host character set (used when
2436 the source character set is different). */
2437 char hostdir[32];
2438
2439 if (avail_range.min == avail_range.max)
2440 {
2441 /* The size of the destination region is exact. */
2442 unsigned HOST_WIDE_INT navail = avail_range.max;
2443
2444 if (target_to_host (*dir.beg) != '%')
2445 {
2446 /* For plain character directives (i.e., the format string itself)
2447 but not others, point the caret at the first character that's
2448 past the end of the destination. */
2449 if (navail < dir.len)
2450 dirloc.set_caret_index (dirloc.get_caret_idx () + navail);
2451 }
2452
2453 if (*dir.beg == '\0')
2454 {
2455 /* This is the terminating nul. */
2456 gcc_assert (res.min == 1 && res.min == res.max);
2457
2458 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
2459 info.bounded
2460 ? (maybe
2461 ? G_("%qE output may be truncated before the "
2462 "last format character")
2463 : G_("%qE output truncated before the last "
2464 "format character"))
2465 : (maybe
2466 ? G_("%qE may write a terminating nul past the "
2467 "end of the destination")
2468 : G_("%qE writing a terminating nul past the "
2469 "end of the destination")),
2470 info.func);
2471 }
2472
2473 if (res.min == res.max)
2474 {
2475 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg);
2476 if (!info.bounded)
2477 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2478 "%<%.*s%> directive writing %wu byte into a "
2479 "region of size %wu",
2480 "%<%.*s%> directive writing %wu bytes into a "
2481 "region of size %wu",
2482 (int) dir.len, d, res.min, navail);
2483 else if (maybe)
2484 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2485 "%<%.*s%> directive output may be truncated "
2486 "writing %wu byte into a region of size %wu",
2487 "%<%.*s%> directive output may be truncated "
2488 "writing %wu bytes into a region of size %wu",
2489 (int) dir.len, d, res.min, navail);
2490 else
2491 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2492 "%<%.*s%> directive output truncated writing "
2493 "%wu byte into a region of size %wu",
2494 "%<%.*s%> directive output truncated writing "
2495 "%wu bytes into a region of size %wu",
2496 (int) dir.len, d, res.min, navail);
2497 }
2498 if (res.min == 0 && res.max < maxbytes)
2499 return fmtwarn (dirloc, argloc, NULL,
2500 info.warnopt (),
2501 info.bounded
2502 ? (maybe
2503 ? G_("%<%.*s%> directive output may be truncated "
2504 "writing up to %wu bytes into a region of "
2505 "size %wu")
2506 : G_("%<%.*s%> directive output truncated writing "
2507 "up to %wu bytes into a region of size %wu"))
2508 : G_("%<%.*s%> directive writing up to %wu bytes "
2509 "into a region of size %wu"), (int) dir.len,
2510 target_to_host (hostdir, sizeof hostdir, dir.beg),
2511 res.max, navail);
2512
2513 if (res.min == 0 && maxbytes <= res.max)
2514 /* This is a special case to avoid issuing the potentially
2515 confusing warning:
2516 writing 0 or more bytes into a region of size 0. */
2517 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2518 info.bounded
2519 ? (maybe
2520 ? G_("%<%.*s%> directive output may be truncated "
2521 "writing likely %wu or more bytes into a "
2522 "region of size %wu")
2523 : G_("%<%.*s%> directive output truncated writing "
2524 "likely %wu or more bytes into a region of "
2525 "size %wu"))
2526 : G_("%<%.*s%> directive writing likely %wu or more "
2527 "bytes into a region of size %wu"), (int) dir.len,
2528 target_to_host (hostdir, sizeof hostdir, dir.beg),
2529 res.likely, navail);
2530
2531 if (res.max < maxbytes)
2532 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2533 info.bounded
2534 ? (maybe
2535 ? G_("%<%.*s%> directive output may be truncated "
2536 "writing between %wu and %wu bytes into a "
2537 "region of size %wu")
2538 : G_("%<%.*s%> directive output truncated "
2539 "writing between %wu and %wu bytes into a "
2540 "region of size %wu"))
2541 : G_("%<%.*s%> directive writing between %wu and "
2542 "%wu bytes into a region of size %wu"),
2543 (int) dir.len,
2544 target_to_host (hostdir, sizeof hostdir, dir.beg),
2545 res.min, res.max, navail);
2546
2547 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2548 info.bounded
2549 ? (maybe
2550 ? G_("%<%.*s%> directive output may be truncated "
2551 "writing %wu or more bytes into a region of "
2552 "size %wu")
2553 : G_("%<%.*s%> directive output truncated writing "
2554 "%wu or more bytes into a region of size %wu"))
2555 : G_("%<%.*s%> directive writing %wu or more bytes "
2556 "into a region of size %wu"), (int) dir.len,
2557 target_to_host (hostdir, sizeof hostdir, dir.beg),
2558 res.min, navail);
2559 }
2560
2561 /* The size of the destination region is a range. */
2562
2563 if (target_to_host (*dir.beg) != '%')
2564 {
2565 unsigned HOST_WIDE_INT navail = avail_range.max;
2566
2567 /* For plain character directives (i.e., the format string itself)
2568 but not others, point the caret at the first character that's
2569 past the end of the destination. */
2570 if (navail < dir.len)
2571 dirloc.set_caret_index (dirloc.get_caret_idx () + navail);
2572 }
2573
2574 if (*dir.beg == '\0')
2575 {
2576 gcc_assert (res.min == 1 && res.min == res.max);
2577
2578 return fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
2579 info.bounded
2580 ? (maybe
2581 ? G_("%qE output may be truncated before the last "
2582 "format character")
2583 : G_("%qE output truncated before the last format "
2584 "character"))
2585 : (maybe
2586 ? G_("%qE may write a terminating nul past the end "
2587 "of the destination")
2588 : G_("%qE writing a terminating nul past the end "
2589 "of the destination")), info.func);
2590 }
2591
2592 if (res.min == res.max)
2593 {
2594 const char *d = target_to_host (hostdir, sizeof hostdir, dir.beg);
2595 if (!info.bounded)
2596 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2597 "%<%.*s%> directive writing %wu byte into a region "
2598 "of size between %wu and %wu",
2599 "%<%.*s%> directive writing %wu bytes into a region "
2600 "of size between %wu and %wu", (int) dir.len, d,
2601 res.min, avail_range.min, avail_range.max);
2602 else if (maybe)
2603 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2604 "%<%.*s%> directive output may be truncated writing "
2605 "%wu byte into a region of size between %wu and %wu",
2606 "%<%.*s%> directive output may be truncated writing "
2607 "%wu bytes into a region of size between %wu and "
2608 "%wu", (int) dir.len, d, res.min, avail_range.min,
2609 avail_range.max);
2610 else
2611 return fmtwarn_n (dirloc, argloc, NULL, info.warnopt (), res.min,
2612 "%<%.*s%> directive output truncated writing %wu "
2613 "byte into a region of size between %wu and %wu",
2614 "%<%.*s%> directive output truncated writing %wu "
2615 "bytes into a region of size between %wu and %wu",
2616 (int) dir.len, d, res.min, avail_range.min,
2617 avail_range.max);
2618 }
2619
2620 if (res.min == 0 && res.max < maxbytes)
2621 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2622 info.bounded
2623 ? (maybe
2624 ? G_("%<%.*s%> directive output may be truncated "
2625 "writing up to %wu bytes into a region of size "
2626 "between %wu and %wu")
2627 : G_("%<%.*s%> directive output truncated writing "
2628 "up to %wu bytes into a region of size between "
2629 "%wu and %wu"))
2630 : G_("%<%.*s%> directive writing up to %wu bytes "
2631 "into a region of size between %wu and %wu"),
2632 (int) dir.len,
2633 target_to_host (hostdir, sizeof hostdir, dir.beg),
2634 res.max, avail_range.min, avail_range.max);
2635
2636 if (res.min == 0 && maxbytes <= res.max)
2637 /* This is a special case to avoid issuing the potentially confusing
2638 warning:
2639 writing 0 or more bytes into a region of size between 0 and N. */
2640 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2641 info.bounded
2642 ? (maybe
2643 ? G_("%<%.*s%> directive output may be truncated "
2644 "writing likely %wu or more bytes into a region "
2645 "of size between %wu and %wu")
2646 : G_("%<%.*s%> directive output truncated writing "
2647 "likely %wu or more bytes into a region of size "
2648 "between %wu and %wu"))
2649 : G_("%<%.*s%> directive writing likely %wu or more bytes "
2650 "into a region of size between %wu and %wu"),
2651 (int) dir.len,
2652 target_to_host (hostdir, sizeof hostdir, dir.beg),
2653 res.likely, avail_range.min, avail_range.max);
2654
2655 if (res.max < maxbytes)
2656 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2657 info.bounded
2658 ? (maybe
2659 ? G_("%<%.*s%> directive output may be truncated "
2660 "writing between %wu and %wu bytes into a region "
2661 "of size between %wu and %wu")
2662 : G_("%<%.*s%> directive output truncated writing "
2663 "between %wu and %wu bytes into a region of size "
2664 "between %wu and %wu"))
2665 : G_("%<%.*s%> directive writing between %wu and "
2666 "%wu bytes into a region of size between %wu and "
2667 "%wu"), (int) dir.len,
2668 target_to_host (hostdir, sizeof hostdir, dir.beg),
2669 res.min, res.max, avail_range.min, avail_range.max);
2670
2671 return fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2672 info.bounded
2673 ? (maybe
2674 ? G_("%<%.*s%> directive output may be truncated writing "
2675 "%wu or more bytes into a region of size between "
2676 "%wu and %wu")
2677 : G_("%<%.*s%> directive output truncated writing "
2678 "%wu or more bytes into a region of size between "
2679 "%wu and %wu"))
2680 : G_("%<%.*s%> directive writing %wu or more bytes "
2681 "into a region of size between %wu and %wu"),
2682 (int) dir.len,
2683 target_to_host (hostdir, sizeof hostdir, dir.beg),
2684 res.min, avail_range.min, avail_range.max);
2685 }
2686
2687 /* Compute the length of the output resulting from the directive DIR
2688 in a call described by INFO and update the overall result of the call
2689 in *RES. Return true if the directive has been handled. */
2690
2691 static bool
2692 format_directive (const call_info &info,
2693 format_result *res, const directive &dir,
2694 const class vr_values *vr_values)
2695 {
2696 /* Offset of the beginning of the directive from the beginning
2697 of the format string. */
2698 size_t offset = dir.beg - info.fmtstr;
2699 size_t start = offset;
2700 size_t length = offset + dir.len - !!dir.len;
2701
2702 /* Create a location for the whole directive from the % to the format
2703 specifier. */
2704 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
2705 offset, start, length);
2706
2707 /* Also get the location of the argument if possible.
2708 This doesn't work for integer literals or function calls. */
2709 location_t argloc = UNKNOWN_LOCATION;
2710 if (dir.arg)
2711 argloc = EXPR_LOCATION (dir.arg);
2712
2713 /* Bail when there is no function to compute the output length,
2714 or when minimum length checking has been disabled. */
2715 if (!dir.fmtfunc || res->range.min >= HOST_WIDE_INT_MAX)
2716 return false;
2717
2718 /* Compute the range of lengths of the formatted output. */
2719 fmtresult fmtres = dir.fmtfunc (dir, dir.arg, vr_values);
2720
2721 /* Record whether the output of all directives is known to be
2722 bounded by some maximum, implying that their arguments are
2723 either known exactly or determined to be in a known range
2724 or, for strings, limited by the upper bounds of the arrays
2725 they refer to. */
2726 res->knownrange &= fmtres.knownrange;
2727
2728 if (!fmtres.knownrange)
2729 {
2730 /* Only when the range is known, check it against the host value
2731 of INT_MAX + (the number of bytes of the "%.*Lf" directive with
2732 INT_MAX precision, which is the longest possible output of any
2733 single directive). That's the largest valid byte count (though
2734 not valid call to a printf-like function because it can never
2735 return such a count). Otherwise, the range doesn't correspond
2736 to known values of the argument. */
2737 if (fmtres.range.max > target_dir_max ())
2738 {
2739 /* Normalize the MAX counter to avoid having to deal with it
2740 later. The counter can be less than HOST_WIDE_INT_M1U
2741 when compiling for an ILP32 target on an LP64 host. */
2742 fmtres.range.max = HOST_WIDE_INT_M1U;
2743 /* Disable exact and maximum length checking after a failure
2744 to determine the maximum number of characters (for example
2745 for wide characters or wide character strings) but continue
2746 tracking the minimum number of characters. */
2747 res->range.max = HOST_WIDE_INT_M1U;
2748 }
2749
2750 if (fmtres.range.min > target_dir_max ())
2751 {
2752 /* Disable exact length checking after a failure to determine
2753 even the minimum number of characters (it shouldn't happen
2754 except in an error) but keep tracking the minimum and maximum
2755 number of characters. */
2756 return true;
2757 }
2758 }
2759
2760 /* Buffer for the directive in the host character set (used when
2761 the source character set is different). */
2762 char hostdir[32];
2763
2764 int dirlen = dir.len;
2765
2766 if (fmtres.nullp)
2767 {
2768 fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2769 "%G%<%.*s%> directive argument is null",
2770 info.callstmt, dirlen,
2771 target_to_host (hostdir, sizeof hostdir, dir.beg));
2772
2773 /* Don't bother processing the rest of the format string. */
2774 res->warned = true;
2775 res->range.min = HOST_WIDE_INT_M1U;
2776 res->range.max = HOST_WIDE_INT_M1U;
2777 return false;
2778 }
2779
2780 /* Compute the number of available bytes in the destination. There
2781 must always be at least one byte of space for the terminating
2782 NUL that's appended after the format string has been processed. */
2783 result_range avail_range = bytes_remaining (info.objsize, *res);
2784
2785 bool warned = res->warned;
2786
2787 if (!warned)
2788 warned = maybe_warn (dirloc, argloc, info, avail_range,
2789 fmtres.range, dir);
2790
2791 /* Bump up the total maximum if it isn't too big. */
2792 if (res->range.max < HOST_WIDE_INT_MAX
2793 && fmtres.range.max < HOST_WIDE_INT_MAX)
2794 res->range.max += fmtres.range.max;
2795
2796 /* Raise the total unlikely maximum by the larger of the maximum
2797 and the unlikely maximum. */
2798 unsigned HOST_WIDE_INT save = res->range.unlikely;
2799 if (fmtres.range.max < fmtres.range.unlikely)
2800 res->range.unlikely += fmtres.range.unlikely;
2801 else
2802 res->range.unlikely += fmtres.range.max;
2803
2804 if (res->range.unlikely < save)
2805 res->range.unlikely = HOST_WIDE_INT_M1U;
2806
2807 res->range.min += fmtres.range.min;
2808 res->range.likely += fmtres.range.likely;
2809
2810 /* Has the minimum directive output length exceeded the maximum
2811 of 4095 bytes required to be supported? */
2812 bool minunder4k = fmtres.range.min < 4096;
2813 bool maxunder4k = fmtres.range.max < 4096;
2814 /* Clear POSUNDER4K in the overall result if the maximum has exceeded
2815 the 4k (this is necessary to avoid the return value optimization
2816 that may not be safe in the maximum case). */
2817 if (!maxunder4k)
2818 res->posunder4k = false;
2819 /* Also clear POSUNDER4K if the directive may fail. */
2820 if (fmtres.mayfail)
2821 res->posunder4k = false;
2822
2823 if (!warned
2824 /* Only warn at level 2. */
2825 && warn_level > 1
2826 /* Only warn for string functions. */
2827 && info.is_string_func ()
2828 && (!minunder4k
2829 || (!maxunder4k && fmtres.range.max < HOST_WIDE_INT_MAX)))
2830 {
2831 /* The directive output may be longer than the maximum required
2832 to be handled by an implementation according to 7.21.6.1, p15
2833 of C11. Warn on this only at level 2 but remember this and
2834 prevent folding the return value when done. This allows for
2835 the possibility of the actual libc call failing due to ENOMEM
2836 (like Glibc does with very large precision or width).
2837 Issue the "may exceed" warning only for string functions and
2838 not for fprintf or printf. */
2839
2840 if (fmtres.range.min == fmtres.range.max)
2841 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2842 "%<%.*s%> directive output of %wu bytes exceeds "
2843 "minimum required size of 4095", dirlen,
2844 target_to_host (hostdir, sizeof hostdir, dir.beg),
2845 fmtres.range.min);
2846 else if (!minunder4k)
2847 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2848 "%<%.*s%> directive output between %wu and %wu "
2849 "bytes exceeds minimum required size of 4095",
2850 dirlen,
2851 target_to_host (hostdir, sizeof hostdir, dir.beg),
2852 fmtres.range.min, fmtres.range.max);
2853 else if (!info.retval_used () && info.is_string_func ())
2854 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2855 "%<%.*s%> directive output between %wu and %wu "
2856 "bytes may exceed minimum required size of "
2857 "4095",
2858 dirlen,
2859 target_to_host (hostdir, sizeof hostdir, dir.beg),
2860 fmtres.range.min, fmtres.range.max);
2861 }
2862
2863 /* Has the likely and maximum directive output exceeded INT_MAX? */
2864 bool likelyximax = *dir.beg && res->range.likely > target_int_max ();
2865 /* Don't consider the maximum to be in excess when it's the result
2866 of a string of unknown length (i.e., whose maximum has been set
2867 to be greater than or equal to HOST_WIDE_INT_MAX. */
2868 bool maxximax = (*dir.beg
2869 && res->range.max > target_int_max ()
2870 && res->range.max < HOST_WIDE_INT_MAX);
2871
2872 if (!warned
2873 /* Warn for the likely output size at level 1. */
2874 && (likelyximax
2875 /* But only warn for the maximum at level 2. */
2876 || (warn_level > 1
2877 && maxximax
2878 && fmtres.range.max < HOST_WIDE_INT_MAX)))
2879 {
2880 if (fmtres.range.min > target_int_max ())
2881 {
2882 /* The directive output exceeds INT_MAX bytes. */
2883 if (fmtres.range.min == fmtres.range.max)
2884 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2885 "%<%.*s%> directive output of %wu bytes exceeds "
2886 "%<INT_MAX%>", dirlen,
2887 target_to_host (hostdir, sizeof hostdir, dir.beg),
2888 fmtres.range.min);
2889 else
2890 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2891 "%<%.*s%> directive output between %wu and "
2892 "%wu bytes exceeds %<INT_MAX%>", dirlen,
2893 target_to_host (hostdir, sizeof hostdir, dir.beg),
2894 fmtres.range.min, fmtres.range.max);
2895 }
2896 else if (res->range.min > target_int_max ())
2897 {
2898 /* The directive output is under INT_MAX but causes the result
2899 to exceed INT_MAX bytes. */
2900 if (fmtres.range.min == fmtres.range.max)
2901 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2902 "%<%.*s%> directive output of %wu bytes causes "
2903 "result to exceed %<INT_MAX%>", dirlen,
2904 target_to_host (hostdir, sizeof hostdir, dir.beg),
2905 fmtres.range.min);
2906 else
2907 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2908 "%<%.*s%> directive output between %wu and "
2909 "%wu bytes causes result to exceed %<INT_MAX%>",
2910 dirlen,
2911 target_to_host (hostdir, sizeof hostdir, dir.beg),
2912 fmtres.range.min, fmtres.range.max);
2913 }
2914 else if ((!info.retval_used () || !info.bounded)
2915 && (info.is_string_func ()))
2916 /* Warn for calls to string functions that either aren't bounded
2917 (sprintf) or whose return value isn't used. */
2918 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2919 "%<%.*s%> directive output between %wu and "
2920 "%wu bytes may cause result to exceed "
2921 "%<INT_MAX%>", dirlen,
2922 target_to_host (hostdir, sizeof hostdir, dir.beg),
2923 fmtres.range.min, fmtres.range.max);
2924 }
2925
2926 if (!warned && fmtres.nonstr)
2927 {
2928 warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
2929 "%<%.*s%> directive argument is not a nul-terminated "
2930 "string",
2931 dirlen,
2932 target_to_host (hostdir, sizeof hostdir, dir.beg));
2933 if (warned && DECL_P (fmtres.nonstr))
2934 inform (DECL_SOURCE_LOCATION (fmtres.nonstr),
2935 "referenced argument declared here");
2936 return false;
2937 }
2938
2939 if (warned && fmtres.range.min < fmtres.range.likely
2940 && fmtres.range.likely < fmtres.range.max)
2941 inform_n (info.fmtloc, fmtres.range.likely,
2942 "assuming directive output of %wu byte",
2943 "assuming directive output of %wu bytes",
2944 fmtres.range.likely);
2945
2946 if (warned && fmtres.argmin)
2947 {
2948 if (fmtres.argmin == fmtres.argmax)
2949 inform (info.fmtloc, "directive argument %qE", fmtres.argmin);
2950 else if (fmtres.knownrange)
2951 inform (info.fmtloc, "directive argument in the range [%E, %E]",
2952 fmtres.argmin, fmtres.argmax);
2953 else
2954 inform (info.fmtloc,
2955 "using the range [%E, %E] for directive argument",
2956 fmtres.argmin, fmtres.argmax);
2957 }
2958
2959 res->warned |= warned;
2960
2961 if (!dir.beg[0] && res->warned)
2962 {
2963 location_t callloc = gimple_location (info.callstmt);
2964
2965 unsigned HOST_WIDE_INT min = res->range.min;
2966 unsigned HOST_WIDE_INT max = res->range.max;
2967
2968 if (info.objsize < HOST_WIDE_INT_MAX)
2969 {
2970 /* If a warning has been issued for buffer overflow or truncation
2971 help the user figure out how big a buffer they need. */
2972
2973 if (min == max)
2974 inform_n (callloc, min,
2975 "%qE output %wu byte into a destination of size %wu",
2976 "%qE output %wu bytes into a destination of size %wu",
2977 info.func, min, info.objsize);
2978 else if (max < HOST_WIDE_INT_MAX)
2979 inform (callloc,
2980 "%qE output between %wu and %wu bytes into "
2981 "a destination of size %wu",
2982 info.func, min, max, info.objsize);
2983 else if (min < res->range.likely && res->range.likely < max)
2984 inform (callloc,
2985 "%qE output %wu or more bytes (assuming %wu) into "
2986 "a destination of size %wu",
2987 info.func, min, res->range.likely, info.objsize);
2988 else
2989 inform (callloc,
2990 "%qE output %wu or more bytes into a destination of size "
2991 "%wu",
2992 info.func, min, info.objsize);
2993 }
2994 else if (!info.is_string_func ())
2995 {
2996 /* If the warning is for a file function function like fprintf
2997 of printf with no destination size just print the computed
2998 result. */
2999 if (min == max)
3000 inform_n (callloc, min,
3001 "%qE output %wu byte", "%qE output %wu bytes",
3002 info.func, min);
3003 else if (max < HOST_WIDE_INT_MAX)
3004 inform (callloc,
3005 "%qE output between %wu and %wu bytes",
3006 info.func, min, max);
3007 else if (min < res->range.likely && res->range.likely < max)
3008 inform (callloc,
3009 "%qE output %wu or more bytes (assuming %wu)",
3010 info.func, min, res->range.likely);
3011 else
3012 inform (callloc,
3013 "%qE output %wu or more bytes",
3014 info.func, min);
3015 }
3016 }
3017
3018 if (dump_file && *dir.beg)
3019 {
3020 fprintf (dump_file,
3021 " Result: "
3022 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", "
3023 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC " ("
3024 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ", "
3025 HOST_WIDE_INT_PRINT_DEC ", " HOST_WIDE_INT_PRINT_DEC ")\n",
3026 fmtres.range.min, fmtres.range.likely,
3027 fmtres.range.max, fmtres.range.unlikely,
3028 res->range.min, res->range.likely,
3029 res->range.max, res->range.unlikely);
3030 }
3031
3032 return true;
3033 }
3034
3035 /* Parse a format directive in function call described by INFO starting
3036 at STR and populate DIR structure. Bump up *ARGNO by the number of
3037 arguments extracted for the directive. Return the length of
3038 the directive. */
3039
3040 static size_t
3041 parse_directive (call_info &info,
3042 directive &dir, format_result *res,
3043 const char *str, unsigned *argno,
3044 const vr_values *vr_values)
3045 {
3046 const char *pcnt = strchr (str, target_percent);
3047 dir.beg = str;
3048
3049 if (size_t len = pcnt ? pcnt - str : *str ? strlen (str) : 1)
3050 {
3051 /* This directive is either a plain string or the terminating nul
3052 (which isn't really a directive but it simplifies things to
3053 handle it as if it were). */
3054 dir.len = len;
3055 dir.fmtfunc = format_plain;
3056
3057 if (dump_file)
3058 {
3059 fprintf (dump_file, " Directive %u at offset "
3060 HOST_WIDE_INT_PRINT_UNSIGNED ": \"%.*s\", "
3061 "length = " HOST_WIDE_INT_PRINT_UNSIGNED "\n",
3062 dir.dirno,
3063 (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr),
3064 (int)dir.len, dir.beg, (unsigned HOST_WIDE_INT) dir.len);
3065 }
3066
3067 return len - !*str;
3068 }
3069
3070 const char *pf = pcnt + 1;
3071
3072 /* POSIX numbered argument index or zero when none. */
3073 HOST_WIDE_INT dollar = 0;
3074
3075 /* With and precision. -1 when not specified, HOST_WIDE_INT_MIN
3076 when given by a va_list argument, and a non-negative value
3077 when specified in the format string itself. */
3078 HOST_WIDE_INT width = -1;
3079 HOST_WIDE_INT precision = -1;
3080
3081 /* Pointers to the beginning of the width and precision decimal
3082 string (if any) within the directive. */
3083 const char *pwidth = 0;
3084 const char *pprec = 0;
3085
3086 /* When the value of the decimal string that specifies width or
3087 precision is out of range, points to the digit that causes
3088 the value to exceed the limit. */
3089 const char *werange = NULL;
3090 const char *perange = NULL;
3091
3092 /* Width specified via the asterisk. Need not be INTEGER_CST.
3093 For vararg functions set to void_node. */
3094 tree star_width = NULL_TREE;
3095
3096 /* Width specified via the asterisk. Need not be INTEGER_CST.
3097 For vararg functions set to void_node. */
3098 tree star_precision = NULL_TREE;
3099
3100 if (ISDIGIT (target_to_host (*pf)))
3101 {
3102 /* This could be either a POSIX positional argument, the '0'
3103 flag, or a width, depending on what follows. Store it as
3104 width and sort it out later after the next character has
3105 been seen. */
3106 pwidth = pf;
3107 width = target_strtowi (&pf, &werange);
3108 }
3109 else if (target_to_host (*pf) == '*')
3110 {
3111 /* Similarly to the block above, this could be either a POSIX
3112 positional argument or a width, depending on what follows. */
3113 if (*argno < gimple_call_num_args (info.callstmt))
3114 star_width = gimple_call_arg (info.callstmt, (*argno)++);
3115 else
3116 star_width = void_node;
3117 ++pf;
3118 }
3119
3120 if (target_to_host (*pf) == '$')
3121 {
3122 /* Handle the POSIX dollar sign which references the 1-based
3123 positional argument number. */
3124 if (width != -1)
3125 dollar = width + info.argidx;
3126 else if (star_width
3127 && TREE_CODE (star_width) == INTEGER_CST
3128 && (TYPE_PRECISION (TREE_TYPE (star_width))
3129 <= TYPE_PRECISION (integer_type_node)))
3130 dollar = width + tree_to_shwi (star_width);
3131
3132 /* Bail when the numbered argument is out of range (it will
3133 have already been diagnosed by -Wformat). */
3134 if (dollar == 0
3135 || dollar == (int)info.argidx
3136 || dollar > gimple_call_num_args (info.callstmt))
3137 return false;
3138
3139 --dollar;
3140
3141 star_width = NULL_TREE;
3142 width = -1;
3143 ++pf;
3144 }
3145
3146 if (dollar || !star_width)
3147 {
3148 if (width != -1)
3149 {
3150 if (width == 0)
3151 {
3152 /* The '0' that has been interpreted as a width above is
3153 actually a flag. Reset HAVE_WIDTH, set the '0' flag,
3154 and continue processing other flags. */
3155 width = -1;
3156 dir.set_flag ('0');
3157 }
3158 else if (!dollar)
3159 {
3160 /* (Non-zero) width has been seen. The next character
3161 is either a period or a digit. */
3162 goto start_precision;
3163 }
3164 }
3165 /* When either '$' has been seen, or width has not been seen,
3166 the next field is the optional flags followed by an optional
3167 width. */
3168 for ( ; ; ) {
3169 switch (target_to_host (*pf))
3170 {
3171 case ' ':
3172 case '0':
3173 case '+':
3174 case '-':
3175 case '#':
3176 dir.set_flag (target_to_host (*pf++));
3177 break;
3178
3179 default:
3180 goto start_width;
3181 }
3182 }
3183
3184 start_width:
3185 if (ISDIGIT (target_to_host (*pf)))
3186 {
3187 werange = 0;
3188 pwidth = pf;
3189 width = target_strtowi (&pf, &werange);
3190 }
3191 else if (target_to_host (*pf) == '*')
3192 {
3193 if (*argno < gimple_call_num_args (info.callstmt))
3194 star_width = gimple_call_arg (info.callstmt, (*argno)++);
3195 else
3196 {
3197 /* This is (likely) a va_list. It could also be an invalid
3198 call with insufficient arguments. */
3199 star_width = void_node;
3200 }
3201 ++pf;
3202 }
3203 else if (target_to_host (*pf) == '\'')
3204 {
3205 /* The POSIX apostrophe indicating a numeric grouping
3206 in the current locale. Even though it's possible to
3207 estimate the upper bound on the size of the output
3208 based on the number of digits it probably isn't worth
3209 continuing. */
3210 return 0;
3211 }
3212 }
3213
3214 start_precision:
3215 if (target_to_host (*pf) == '.')
3216 {
3217 ++pf;
3218
3219 if (ISDIGIT (target_to_host (*pf)))
3220 {
3221 pprec = pf;
3222 precision = target_strtowi (&pf, &perange);
3223 }
3224 else if (target_to_host (*pf) == '*')
3225 {
3226 if (*argno < gimple_call_num_args (info.callstmt))
3227 star_precision = gimple_call_arg (info.callstmt, (*argno)++);
3228 else
3229 {
3230 /* This is (likely) a va_list. It could also be an invalid
3231 call with insufficient arguments. */
3232 star_precision = void_node;
3233 }
3234 ++pf;
3235 }
3236 else
3237 {
3238 /* The decimal precision or the asterisk are optional.
3239 When neither is dirified it's taken to be zero. */
3240 precision = 0;
3241 }
3242 }
3243
3244 switch (target_to_host (*pf))
3245 {
3246 case 'h':
3247 if (target_to_host (pf[1]) == 'h')
3248 {
3249 ++pf;
3250 dir.modifier = FMT_LEN_hh;
3251 }
3252 else
3253 dir.modifier = FMT_LEN_h;
3254 ++pf;
3255 break;
3256
3257 case 'j':
3258 dir.modifier = FMT_LEN_j;
3259 ++pf;
3260 break;
3261
3262 case 'L':
3263 dir.modifier = FMT_LEN_L;
3264 ++pf;
3265 break;
3266
3267 case 'l':
3268 if (target_to_host (pf[1]) == 'l')
3269 {
3270 ++pf;
3271 dir.modifier = FMT_LEN_ll;
3272 }
3273 else
3274 dir.modifier = FMT_LEN_l;
3275 ++pf;
3276 break;
3277
3278 case 't':
3279 dir.modifier = FMT_LEN_t;
3280 ++pf;
3281 break;
3282
3283 case 'z':
3284 dir.modifier = FMT_LEN_z;
3285 ++pf;
3286 break;
3287 }
3288
3289 switch (target_to_host (*pf))
3290 {
3291 /* Handle a sole '%' character the same as "%%" but since it's
3292 undefined prevent the result from being folded. */
3293 case '\0':
3294 --pf;
3295 res->range.min = res->range.max = HOST_WIDE_INT_M1U;
3296 /* FALLTHRU */
3297 case '%':
3298 dir.fmtfunc = format_percent;
3299 break;
3300
3301 case 'a':
3302 case 'A':
3303 case 'e':
3304 case 'E':
3305 case 'f':
3306 case 'F':
3307 case 'g':
3308 case 'G':
3309 res->floating = true;
3310 dir.fmtfunc = format_floating;
3311 break;
3312
3313 case 'd':
3314 case 'i':
3315 case 'o':
3316 case 'u':
3317 case 'x':
3318 case 'X':
3319 dir.fmtfunc = format_integer;
3320 break;
3321
3322 case 'p':
3323 /* The %p output is implementation-defined. It's possible
3324 to determine this format but due to extensions (edirially
3325 those of the Linux kernel -- see bug 78512) the first %p
3326 in the format string disables any further processing. */
3327 return false;
3328
3329 case 'n':
3330 /* %n has side-effects even when nothing is actually printed to
3331 any buffer. */
3332 info.nowrite = false;
3333 dir.fmtfunc = format_none;
3334 break;
3335
3336 case 'C':
3337 case 'c':
3338 /* POSIX wide character and C/POSIX narrow character. */
3339 dir.fmtfunc = format_character;
3340 break;
3341
3342 case 'S':
3343 case 's':
3344 /* POSIX wide string and C/POSIX narrow character string. */
3345 dir.fmtfunc = format_string;
3346 break;
3347
3348 default:
3349 /* Unknown conversion specification. */
3350 return 0;
3351 }
3352
3353 dir.specifier = target_to_host (*pf++);
3354
3355 /* Store the length of the format directive. */
3356 dir.len = pf - pcnt;
3357
3358 /* Buffer for the directive in the host character set (used when
3359 the source character set is different). */
3360 char hostdir[32];
3361
3362 if (star_width)
3363 {
3364 if (INTEGRAL_TYPE_P (TREE_TYPE (star_width)))
3365 dir.set_width (star_width, vr_values);
3366 else
3367 {
3368 /* Width specified by a va_list takes on the range [0, -INT_MIN]
3369 (width is the absolute value of that specified). */
3370 dir.width[0] = 0;
3371 dir.width[1] = target_int_max () + 1;
3372 }
3373 }
3374 else
3375 {
3376 if (width == HOST_WIDE_INT_MAX && werange)
3377 {
3378 size_t begin = dir.beg - info.fmtstr + (pwidth - pcnt);
3379 size_t caret = begin + (werange - pcnt);
3380 size_t end = pf - info.fmtstr - 1;
3381
3382 /* Create a location for the width part of the directive,
3383 pointing the caret at the first out-of-range digit. */
3384 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
3385 caret, begin, end);
3386
3387 fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
3388 "%<%.*s%> directive width out of range", (int) dir.len,
3389 target_to_host (hostdir, sizeof hostdir, dir.beg));
3390 }
3391
3392 dir.set_width (width);
3393 }
3394
3395 if (star_precision)
3396 {
3397 if (INTEGRAL_TYPE_P (TREE_TYPE (star_precision)))
3398 dir.set_precision (star_precision, vr_values);
3399 else
3400 {
3401 /* Precision specified by a va_list takes on the range [-1, INT_MAX]
3402 (unlike width, negative precision is ignored). */
3403 dir.prec[0] = -1;
3404 dir.prec[1] = target_int_max ();
3405 }
3406 }
3407 else
3408 {
3409 if (precision == HOST_WIDE_INT_MAX && perange)
3410 {
3411 size_t begin = dir.beg - info.fmtstr + (pprec - pcnt) - 1;
3412 size_t caret = dir.beg - info.fmtstr + (perange - pcnt) - 1;
3413 size_t end = pf - info.fmtstr - 2;
3414
3415 /* Create a location for the precision part of the directive,
3416 including the leading period, pointing the caret at the first
3417 out-of-range digit . */
3418 substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format),
3419 caret, begin, end);
3420
3421 fmtwarn (dirloc, UNKNOWN_LOCATION, NULL, info.warnopt (),
3422 "%<%.*s%> directive precision out of range", (int) dir.len,
3423 target_to_host (hostdir, sizeof hostdir, dir.beg));
3424 }
3425
3426 dir.set_precision (precision);
3427 }
3428
3429 /* Extract the argument if the directive takes one and if it's
3430 available (e.g., the function doesn't take a va_list). Treat
3431 missing arguments the same as va_list, even though they will
3432 have likely already been diagnosed by -Wformat. */
3433 if (dir.specifier != '%'
3434 && *argno < gimple_call_num_args (info.callstmt))
3435 dir.arg = gimple_call_arg (info.callstmt, dollar ? dollar : (*argno)++);
3436
3437 if (dump_file)
3438 {
3439 fprintf (dump_file,
3440 " Directive %u at offset " HOST_WIDE_INT_PRINT_UNSIGNED
3441 ": \"%.*s\"",
3442 dir.dirno,
3443 (unsigned HOST_WIDE_INT)(size_t)(dir.beg - info.fmtstr),
3444 (int)dir.len, dir.beg);
3445 if (star_width)
3446 {
3447 if (dir.width[0] == dir.width[1])
3448 fprintf (dump_file, ", width = " HOST_WIDE_INT_PRINT_DEC,
3449 dir.width[0]);
3450 else
3451 fprintf (dump_file,
3452 ", width in range [" HOST_WIDE_INT_PRINT_DEC
3453 ", " HOST_WIDE_INT_PRINT_DEC "]",
3454 dir.width[0], dir.width[1]);
3455 }
3456
3457 if (star_precision)
3458 {
3459 if (dir.prec[0] == dir.prec[1])
3460 fprintf (dump_file, ", precision = " HOST_WIDE_INT_PRINT_DEC,
3461 dir.prec[0]);
3462 else
3463 fprintf (dump_file,
3464 ", precision in range [" HOST_WIDE_INT_PRINT_DEC
3465 HOST_WIDE_INT_PRINT_DEC "]",
3466 dir.prec[0], dir.prec[1]);
3467 }
3468 fputc ('\n', dump_file);
3469 }
3470
3471 return dir.len;
3472 }
3473
3474 /* Compute the length of the output resulting from the call to a formatted
3475 output function described by INFO and store the result of the call in
3476 *RES. Issue warnings for detected past the end writes. Return true
3477 if the complete format string has been processed and *RES can be relied
3478 on, false otherwise (e.g., when a unknown or unhandled directive was seen
3479 that caused the processing to be terminated early). */
3480
3481 static bool
3482 compute_format_length (call_info &info, format_result *res, const vr_values *vr)
3483 {
3484 if (dump_file)
3485 {
3486 location_t callloc = gimple_location (info.callstmt);
3487 fprintf (dump_file, "%s:%i: ",
3488 LOCATION_FILE (callloc), LOCATION_LINE (callloc));
3489 print_generic_expr (dump_file, info.func, dump_flags);
3490
3491 fprintf (dump_file,
3492 ": objsize = " HOST_WIDE_INT_PRINT_UNSIGNED
3493 ", fmtstr = \"%s\"\n",
3494 info.objsize, info.fmtstr);
3495 }
3496
3497 /* Reset the minimum and maximum byte counters. */
3498 res->range.min = res->range.max = 0;
3499
3500 /* No directive has been seen yet so the length of output is bounded
3501 by the known range [0, 0] (with no conversion resulting in a failure
3502 or producing more than 4K bytes) until determined otherwise. */
3503 res->knownrange = true;
3504 res->floating = false;
3505 res->warned = false;
3506
3507 /* 1-based directive counter. */
3508 unsigned dirno = 1;
3509
3510 /* The variadic argument counter. */
3511 unsigned argno = info.argidx;
3512
3513 for (const char *pf = info.fmtstr; ; ++dirno)
3514 {
3515 directive dir = directive ();
3516 dir.dirno = dirno;
3517
3518 size_t n = parse_directive (info, dir, res, pf, &argno, vr);
3519
3520 /* Return failure if the format function fails. */
3521 if (!format_directive (info, res, dir, vr))
3522 return false;
3523
3524 /* Return success the directive is zero bytes long and it's
3525 the last think in the format string (i.e., it's the terminating
3526 nul, which isn't really a directive but handling it as one makes
3527 things simpler). */
3528 if (!n)
3529 return *pf == '\0';
3530
3531 pf += n;
3532 }
3533
3534 /* The complete format string was processed (with or without warnings). */
3535 return true;
3536 }
3537
3538 /* Return the size of the object referenced by the expression DEST if
3539 available, or the maximum possible size otherwise. */
3540
3541 static unsigned HOST_WIDE_INT
3542 get_destination_size (tree dest)
3543 {
3544 /* When there is no destination return the maximum. */
3545 if (!dest)
3546 return HOST_WIDE_INT_MAX;
3547
3548 /* Initialize object size info before trying to compute it. */
3549 init_object_sizes ();
3550
3551 /* Use __builtin_object_size to determine the size of the destination
3552 object. When optimizing, determine the smallest object (such as
3553 a member array as opposed to the whole enclosing object), otherwise
3554 use type-zero object size to determine the size of the enclosing
3555 object (the function fails without optimization in this type). */
3556 int ost = optimize > 0;
3557 unsigned HOST_WIDE_INT size;
3558 if (compute_builtin_object_size (dest, ost, &size))
3559 return size;
3560
3561 return HOST_WIDE_INT_MAX;
3562 }
3563
3564 /* Return true if the call described by INFO with result RES safe to
3565 optimize (i.e., no undefined behavior), and set RETVAL to the range
3566 of its return values. */
3567
3568 static bool
3569 is_call_safe (const call_info &info,
3570 const format_result &res, bool under4k,
3571 unsigned HOST_WIDE_INT retval[2])
3572 {
3573 if (under4k && !res.posunder4k)
3574 return false;
3575
3576 /* The minimum return value. */
3577 retval[0] = res.range.min;
3578
3579 /* The maximum return value is in most cases bounded by RES.RANGE.MAX
3580 but in cases involving multibyte characters could be as large as
3581 RES.RANGE.UNLIKELY. */
3582 retval[1]
3583 = res.range.unlikely < res.range.max ? res.range.max : res.range.unlikely;
3584
3585 /* Adjust the number of bytes which includes the terminating nul
3586 to reflect the return value of the function which does not.
3587 Because the valid range of the function is [INT_MIN, INT_MAX],
3588 a valid range before the adjustment below is [0, INT_MAX + 1]
3589 (the functions only return negative values on error or undefined
3590 behavior). */
3591 if (retval[0] <= target_int_max () + 1)
3592 --retval[0];
3593 if (retval[1] <= target_int_max () + 1)
3594 --retval[1];
3595
3596 /* Avoid the return value optimization when the behavior of the call
3597 is undefined either because any directive may have produced 4K or
3598 more of output, or the return value exceeds INT_MAX, or because
3599 the output overflows the destination object (but leave it enabled
3600 when the function is bounded because then the behavior is well-
3601 defined). */
3602 if (retval[0] == retval[1]
3603 && (info.bounded || retval[0] < info.objsize)
3604 && retval[0] <= target_int_max ())
3605 return true;
3606
3607 if ((info.bounded || retval[1] < info.objsize)
3608 && (retval[0] < target_int_max ()
3609 && retval[1] < target_int_max ()))
3610 return true;
3611
3612 if (!under4k && (info.bounded || retval[0] < info.objsize))
3613 return true;
3614
3615 return false;
3616 }
3617
3618 /* Given a suitable result RES of a call to a formatted output function
3619 described by INFO, substitute the result for the return value of
3620 the call. The result is suitable if the number of bytes it represents
3621 is known and exact. A result that isn't suitable for substitution may
3622 have its range set to the range of return values, if that is known.
3623 Return true if the call is removed and gsi_next should not be performed
3624 in the caller. */
3625
3626 static bool
3627 try_substitute_return_value (gimple_stmt_iterator *gsi,
3628 const call_info &info,
3629 const format_result &res)
3630 {
3631 tree lhs = gimple_get_lhs (info.callstmt);
3632
3633 /* Set to true when the entire call has been removed. */
3634 bool removed = false;
3635
3636 /* The minimum and maximum return value. */
3637 unsigned HOST_WIDE_INT retval[2];
3638 bool safe = is_call_safe (info, res, true, retval);
3639
3640 if (safe
3641 && retval[0] == retval[1]
3642 /* Not prepared to handle possibly throwing calls here; they shouldn't
3643 appear in non-artificial testcases, except when the __*_chk routines
3644 are badly declared. */
3645 && !stmt_ends_bb_p (info.callstmt))
3646 {
3647 tree cst = build_int_cst (lhs ? TREE_TYPE (lhs) : integer_type_node,
3648 retval[0]);
3649
3650 if (lhs == NULL_TREE && info.nowrite)
3651 {
3652 /* Remove the call to the bounded function with a zero size
3653 (e.g., snprintf(0, 0, "%i", 123)) if there is no lhs. */
3654 unlink_stmt_vdef (info.callstmt);
3655 gsi_remove (gsi, true);
3656 removed = true;
3657 }
3658 else if (info.nowrite)
3659 {
3660 /* Replace the call to the bounded function with a zero size
3661 (e.g., snprintf(0, 0, "%i", 123) with the constant result
3662 of the function. */
3663 if (!update_call_from_tree (gsi, cst))
3664 gimplify_and_update_call_from_tree (gsi, cst);
3665 gimple *callstmt = gsi_stmt (*gsi);
3666 update_stmt (callstmt);
3667 }
3668 else if (lhs)
3669 {
3670 /* Replace the left-hand side of the call with the constant
3671 result of the formatted function. */
3672 gimple_call_set_lhs (info.callstmt, NULL_TREE);
3673 gimple *g = gimple_build_assign (lhs, cst);
3674 gsi_insert_after (gsi, g, GSI_NEW_STMT);
3675 update_stmt (info.callstmt);
3676 }
3677
3678 if (dump_file)
3679 {
3680 if (removed)
3681 fprintf (dump_file, " Removing call statement.");
3682 else
3683 {
3684 fprintf (dump_file, " Substituting ");
3685 print_generic_expr (dump_file, cst, dump_flags);
3686 fprintf (dump_file, " for %s.\n",
3687 info.nowrite ? "statement" : "return value");
3688 }
3689 }
3690 }
3691 else if (lhs && types_compatible_p (TREE_TYPE (lhs), integer_type_node))
3692 {
3693 bool setrange = false;
3694
3695 if (safe
3696 && (info.bounded || retval[1] < info.objsize)
3697 && (retval[0] < target_int_max ()
3698 && retval[1] < target_int_max ()))
3699 {
3700 /* If the result is in a valid range bounded by the size of
3701 the destination set it so that it can be used for subsequent
3702 optimizations. */
3703 int prec = TYPE_PRECISION (integer_type_node);
3704
3705 wide_int min = wi::shwi (retval[0], prec);
3706 wide_int max = wi::shwi (retval[1], prec);
3707 set_range_info (lhs, VR_RANGE, min, max);
3708
3709 setrange = true;
3710 }
3711
3712 if (dump_file)
3713 {
3714 const char *inbounds
3715 = (retval[0] < info.objsize
3716 ? (retval[1] < info.objsize
3717 ? "in" : "potentially out-of")
3718 : "out-of");
3719
3720 const char *what = setrange ? "Setting" : "Discarding";
3721 if (retval[0] != retval[1])
3722 fprintf (dump_file,
3723 " %s %s-bounds return value range ["
3724 HOST_WIDE_INT_PRINT_UNSIGNED ", "
3725 HOST_WIDE_INT_PRINT_UNSIGNED "].\n",
3726 what, inbounds, retval[0], retval[1]);
3727 else
3728 fprintf (dump_file, " %s %s-bounds return value "
3729 HOST_WIDE_INT_PRINT_UNSIGNED ".\n",
3730 what, inbounds, retval[0]);
3731 }
3732 }
3733
3734 if (dump_file)
3735 fputc ('\n', dump_file);
3736
3737 return removed;
3738 }
3739
3740 /* Try to simplify a s{,n}printf call described by INFO with result
3741 RES by replacing it with a simpler and presumably more efficient
3742 call (such as strcpy). */
3743
3744 static bool
3745 try_simplify_call (gimple_stmt_iterator *gsi,
3746 const call_info &info,
3747 const format_result &res)
3748 {
3749 unsigned HOST_WIDE_INT dummy[2];
3750 if (!is_call_safe (info, res, info.retval_used (), dummy))
3751 return false;
3752
3753 switch (info.fncode)
3754 {
3755 case BUILT_IN_SNPRINTF:
3756 return gimple_fold_builtin_snprintf (gsi);
3757
3758 case BUILT_IN_SPRINTF:
3759 return gimple_fold_builtin_sprintf (gsi);
3760
3761 default:
3762 ;
3763 }
3764
3765 return false;
3766 }
3767
3768 /* Return the zero-based index of the format string argument of a printf
3769 like function and set *IDX_ARGS to the first format argument. When
3770 no such index exists return UINT_MAX. */
3771
3772 static unsigned
3773 get_user_idx_format (tree fndecl, unsigned *idx_args)
3774 {
3775 tree attrs = lookup_attribute ("format", DECL_ATTRIBUTES (fndecl));
3776 if (!attrs)
3777 attrs = lookup_attribute ("format", TYPE_ATTRIBUTES (TREE_TYPE (fndecl)));
3778
3779 if (!attrs)
3780 return UINT_MAX;
3781
3782 attrs = TREE_VALUE (attrs);
3783
3784 tree archetype = TREE_VALUE (attrs);
3785 if (strcmp ("printf", IDENTIFIER_POINTER (archetype)))
3786 return UINT_MAX;
3787
3788 attrs = TREE_CHAIN (attrs);
3789 tree fmtarg = TREE_VALUE (attrs);
3790
3791 attrs = TREE_CHAIN (attrs);
3792 tree elliparg = TREE_VALUE (attrs);
3793
3794 /* Attribute argument indices are 1-based but we use zero-based. */
3795 *idx_args = tree_to_uhwi (elliparg) - 1;
3796 return tree_to_uhwi (fmtarg) - 1;
3797 }
3798
3799 } /* Unnamed namespace. */
3800
3801 /* Determine if a GIMPLE call at *GSI is to one of the sprintf-like built-in
3802 functions and if so, handle it. Return true if the call is removed and
3803 gsi_next should not be performed in the caller. */
3804
3805 bool
3806 handle_printf_call (gimple_stmt_iterator *gsi, const vr_values *vr_values)
3807 {
3808 init_target_to_host_charmap ();
3809
3810 call_info info = call_info ();
3811
3812 info.callstmt = gsi_stmt (*gsi);
3813 info.func = gimple_call_fndecl (info.callstmt);
3814 if (!info.func)
3815 return false;
3816
3817 /* Format string argument number (valid for all functions). */
3818 unsigned idx_format = UINT_MAX;
3819 if (gimple_call_builtin_p (info.callstmt, BUILT_IN_NORMAL))
3820 info.fncode = DECL_FUNCTION_CODE (info.func);
3821 else
3822 {
3823 unsigned idx_args;
3824 idx_format = get_user_idx_format (info.func, &idx_args);
3825 if (idx_format == UINT_MAX
3826 || idx_format >= gimple_call_num_args (info.callstmt)
3827 || idx_args > gimple_call_num_args (info.callstmt)
3828 || !POINTER_TYPE_P (TREE_TYPE (gimple_call_arg (info.callstmt,
3829 idx_format))))
3830 return false;
3831 info.fncode = BUILT_IN_NONE;
3832 info.argidx = idx_args;
3833 }
3834
3835 /* The size of the destination as in snprintf(dest, size, ...). */
3836 unsigned HOST_WIDE_INT dstsize = HOST_WIDE_INT_M1U;
3837
3838 /* The size of the destination determined by __builtin_object_size. */
3839 unsigned HOST_WIDE_INT objsize = HOST_WIDE_INT_M1U;
3840
3841 /* Zero-based buffer size argument number (snprintf and vsnprintf). */
3842 unsigned idx_dstsize = UINT_MAX;
3843
3844 /* Object size argument number (snprintf_chk and vsnprintf_chk). */
3845 unsigned idx_objsize = UINT_MAX;
3846
3847 /* Destinaton argument number (valid for sprintf functions only). */
3848 unsigned idx_dstptr = 0;
3849
3850 switch (info.fncode)
3851 {
3852 case BUILT_IN_NONE:
3853 // User-defined function with attribute format (printf).
3854 idx_dstptr = -1;
3855 break;
3856
3857 case BUILT_IN_FPRINTF:
3858 // Signature:
3859 // __builtin_fprintf (FILE*, format, ...)
3860 idx_format = 1;
3861 info.argidx = 2;
3862 idx_dstptr = -1;
3863 break;
3864
3865 case BUILT_IN_FPRINTF_CHK:
3866 // Signature:
3867 // __builtin_fprintf_chk (FILE*, ost, format, ...)
3868 idx_format = 2;
3869 info.argidx = 3;
3870 idx_dstptr = -1;
3871 break;
3872
3873 case BUILT_IN_FPRINTF_UNLOCKED:
3874 // Signature:
3875 // __builtin_fprintf_unnlocked (FILE*, format, ...)
3876 idx_format = 1;
3877 info.argidx = 2;
3878 idx_dstptr = -1;
3879 break;
3880
3881 case BUILT_IN_PRINTF:
3882 // Signature:
3883 // __builtin_printf (format, ...)
3884 idx_format = 0;
3885 info.argidx = 1;
3886 idx_dstptr = -1;
3887 break;
3888
3889 case BUILT_IN_PRINTF_CHK:
3890 // Signature:
3891 // __builtin_printf_chk (ost, format, ...)
3892 idx_format = 1;
3893 info.argidx = 2;
3894 idx_dstptr = -1;
3895 break;
3896
3897 case BUILT_IN_PRINTF_UNLOCKED:
3898 // Signature:
3899 // __builtin_printf (format, ...)
3900 idx_format = 0;
3901 info.argidx = 1;
3902 idx_dstptr = -1;
3903 break;
3904
3905 case BUILT_IN_SPRINTF:
3906 // Signature:
3907 // __builtin_sprintf (dst, format, ...)
3908 idx_format = 1;
3909 info.argidx = 2;
3910 break;
3911
3912 case BUILT_IN_SPRINTF_CHK:
3913 // Signature:
3914 // __builtin___sprintf_chk (dst, ost, objsize, format, ...)
3915 idx_objsize = 2;
3916 idx_format = 3;
3917 info.argidx = 4;
3918 break;
3919
3920 case BUILT_IN_SNPRINTF:
3921 // Signature:
3922 // __builtin_snprintf (dst, size, format, ...)
3923 idx_dstsize = 1;
3924 idx_format = 2;
3925 info.argidx = 3;
3926 info.bounded = true;
3927 break;
3928
3929 case BUILT_IN_SNPRINTF_CHK:
3930 // Signature:
3931 // __builtin___snprintf_chk (dst, size, ost, objsize, format, ...)
3932 idx_dstsize = 1;
3933 idx_objsize = 3;
3934 idx_format = 4;
3935 info.argidx = 5;
3936 info.bounded = true;
3937 break;
3938
3939 case BUILT_IN_VFPRINTF:
3940 // Signature:
3941 // __builtin_vprintf (FILE*, format, va_list)
3942 idx_format = 1;
3943 info.argidx = -1;
3944 idx_dstptr = -1;
3945 break;
3946
3947 case BUILT_IN_VFPRINTF_CHK:
3948 // Signature:
3949 // __builtin___vfprintf_chk (FILE*, ost, format, va_list)
3950 idx_format = 2;
3951 info.argidx = -1;
3952 idx_dstptr = -1;
3953 break;
3954
3955 case BUILT_IN_VPRINTF:
3956 // Signature:
3957 // __builtin_vprintf (format, va_list)
3958 idx_format = 0;
3959 info.argidx = -1;
3960 idx_dstptr = -1;
3961 break;
3962
3963 case BUILT_IN_VPRINTF_CHK:
3964 // Signature:
3965 // __builtin___vprintf_chk (ost, format, va_list)
3966 idx_format = 1;
3967 info.argidx = -1;
3968 idx_dstptr = -1;
3969 break;
3970
3971 case BUILT_IN_VSNPRINTF:
3972 // Signature:
3973 // __builtin_vsprintf (dst, size, format, va)
3974 idx_dstsize = 1;
3975 idx_format = 2;
3976 info.argidx = -1;
3977 info.bounded = true;
3978 break;
3979
3980 case BUILT_IN_VSNPRINTF_CHK:
3981 // Signature:
3982 // __builtin___vsnprintf_chk (dst, size, ost, objsize, format, va)
3983 idx_dstsize = 1;
3984 idx_objsize = 3;
3985 idx_format = 4;
3986 info.argidx = -1;
3987 info.bounded = true;
3988 break;
3989
3990 case BUILT_IN_VSPRINTF:
3991 // Signature:
3992 // __builtin_vsprintf (dst, format, va)
3993 idx_format = 1;
3994 info.argidx = -1;
3995 break;
3996
3997 case BUILT_IN_VSPRINTF_CHK:
3998 // Signature:
3999 // __builtin___vsprintf_chk (dst, ost, objsize, format, va)
4000 idx_format = 3;
4001 idx_objsize = 2;
4002 info.argidx = -1;
4003 break;
4004
4005 default:
4006 return false;
4007 }
4008
4009 /* Set the global warning level for this function. */
4010 warn_level = info.bounded ? warn_format_trunc : warn_format_overflow;
4011
4012 /* For all string functions the first argument is a pointer to
4013 the destination. */
4014 tree dstptr = (idx_dstptr < gimple_call_num_args (info.callstmt)
4015 ? gimple_call_arg (info.callstmt, 0) : NULL_TREE);
4016
4017 info.format = gimple_call_arg (info.callstmt, idx_format);
4018
4019 /* True when the destination size is constant as opposed to the lower
4020 or upper bound of a range. */
4021 bool dstsize_cst_p = true;
4022 bool posunder4k = true;
4023
4024 if (idx_dstsize == UINT_MAX)
4025 {
4026 /* For non-bounded functions like sprintf, determine the size
4027 of the destination from the object or pointer passed to it
4028 as the first argument. */
4029 dstsize = get_destination_size (dstptr);
4030 }
4031 else if (tree size = gimple_call_arg (info.callstmt, idx_dstsize))
4032 {
4033 /* For bounded functions try to get the size argument. */
4034
4035 if (TREE_CODE (size) == INTEGER_CST)
4036 {
4037 dstsize = tree_to_uhwi (size);
4038 /* No object can be larger than SIZE_MAX bytes (half the address
4039 space) on the target.
4040 The functions are defined only for output of at most INT_MAX
4041 bytes. Specifying a bound in excess of that limit effectively
4042 defeats the bounds checking (and on some implementations such
4043 as Solaris cause the function to fail with EINVAL). */
4044 if (dstsize > target_size_max () / 2)
4045 {
4046 /* Avoid warning if -Wstringop-overflow is specified since
4047 it also warns for the same thing though only for the
4048 checking built-ins. */
4049 if ((idx_objsize == UINT_MAX
4050 || !warn_stringop_overflow))
4051 warning_at (gimple_location (info.callstmt), info.warnopt (),
4052 "specified bound %wu exceeds maximum object size "
4053 "%wu",
4054 dstsize, target_size_max () / 2);
4055 /* POSIX requires snprintf to fail if DSTSIZE is greater
4056 than INT_MAX. Even though not all POSIX implementations
4057 conform to the requirement, avoid folding in this case. */
4058 posunder4k = false;
4059 }
4060 else if (dstsize > target_int_max ())
4061 {
4062 warning_at (gimple_location (info.callstmt), info.warnopt (),
4063 "specified bound %wu exceeds %<INT_MAX%>",
4064 dstsize);
4065 /* POSIX requires snprintf to fail if DSTSIZE is greater
4066 than INT_MAX. Avoid folding in that case. */
4067 posunder4k = false;
4068 }
4069 }
4070 else if (TREE_CODE (size) == SSA_NAME)
4071 {
4072 /* Try to determine the range of values of the argument
4073 and use the greater of the two at level 1 and the smaller
4074 of them at level 2. */
4075 const value_range *vr
4076 = CONST_CAST (class vr_values *, vr_values)->get_value_range (size);
4077
4078 if (range_int_cst_p (vr))
4079 {
4080 unsigned HOST_WIDE_INT minsize = TREE_INT_CST_LOW (vr->min ());
4081 unsigned HOST_WIDE_INT maxsize = TREE_INT_CST_LOW (vr->max ());
4082 dstsize = warn_level < 2 ? maxsize : minsize;
4083
4084 if (minsize > target_int_max ())
4085 warning_at (gimple_location (info.callstmt), info.warnopt (),
4086 "specified bound range [%wu, %wu] exceeds "
4087 "%<INT_MAX%>",
4088 minsize, maxsize);
4089
4090 /* POSIX requires snprintf to fail if DSTSIZE is greater
4091 than INT_MAX. Avoid folding if that's possible. */
4092 if (maxsize > target_int_max ())
4093 posunder4k = false;
4094 }
4095 else if (vr->varying_p ())
4096 {
4097 /* POSIX requires snprintf to fail if DSTSIZE is greater
4098 than INT_MAX. Since SIZE's range is unknown, avoid
4099 folding. */
4100 posunder4k = false;
4101 }
4102
4103 /* The destination size is not constant. If the function is
4104 bounded (e.g., snprintf) a lower bound of zero doesn't
4105 necessarily imply it can be eliminated. */
4106 dstsize_cst_p = false;
4107 }
4108 }
4109
4110 if (idx_objsize != UINT_MAX)
4111 if (tree size = gimple_call_arg (info.callstmt, idx_objsize))
4112 if (tree_fits_uhwi_p (size))
4113 objsize = tree_to_uhwi (size);
4114
4115 if (info.bounded && !dstsize)
4116 {
4117 /* As a special case, when the explicitly specified destination
4118 size argument (to a bounded function like snprintf) is zero
4119 it is a request to determine the number of bytes on output
4120 without actually producing any. Pretend the size is
4121 unlimited in this case. */
4122 info.objsize = HOST_WIDE_INT_MAX;
4123 info.nowrite = dstsize_cst_p;
4124 }
4125 else
4126 {
4127 /* For calls to non-bounded functions or to those of bounded
4128 functions with a non-zero size, warn if the destination
4129 pointer is null. */
4130 if (dstptr && integer_zerop (dstptr))
4131 {
4132 /* This is diagnosed with -Wformat only when the null is a constant
4133 pointer. The warning here diagnoses instances where the pointer
4134 is not constant. */
4135 location_t loc = gimple_location (info.callstmt);
4136 warning_at (EXPR_LOC_OR_LOC (dstptr, loc),
4137 info.warnopt (), "%Gnull destination pointer",
4138 info.callstmt);
4139 return false;
4140 }
4141
4142 /* Set the object size to the smaller of the two arguments
4143 of both have been specified and they're not equal. */
4144 info.objsize = dstsize < objsize ? dstsize : objsize;
4145
4146 if (info.bounded
4147 && dstsize < target_size_max () / 2 && objsize < dstsize
4148 /* Avoid warning if -Wstringop-overflow is specified since
4149 it also warns for the same thing though only for the
4150 checking built-ins. */
4151 && (idx_objsize == UINT_MAX
4152 || !warn_stringop_overflow))
4153 {
4154 warning_at (gimple_location (info.callstmt), info.warnopt (),
4155 "specified bound %wu exceeds the size %wu "
4156 "of the destination object", dstsize, objsize);
4157 }
4158 }
4159
4160 /* Determine if the format argument may be null and warn if not
4161 and if the argument is null. */
4162 if (integer_zerop (info.format)
4163 && gimple_call_builtin_p (info.callstmt, BUILT_IN_NORMAL))
4164 {
4165 location_t loc = gimple_location (info.callstmt);
4166 warning_at (EXPR_LOC_OR_LOC (info.format, loc),
4167 info.warnopt (), "%Gnull format string",
4168 info.callstmt);
4169 return false;
4170 }
4171
4172 info.fmtstr = get_format_string (info.format, &info.fmtloc);
4173 if (!info.fmtstr)
4174 return false;
4175
4176 /* The result is the number of bytes output by the formatted function,
4177 including the terminating NUL. */
4178 format_result res = format_result ();
4179
4180 /* I/O functions with no destination argument (i.e., all forms of fprintf
4181 and printf) may fail under any conditions. Others (i.e., all forms of
4182 sprintf) may only fail under specific conditions determined for each
4183 directive. Clear POSUNDER4K for the former set of functions and set
4184 it to true for the latter (it can only be cleared later, but it is
4185 never set to true again). */
4186 res.posunder4k = posunder4k && dstptr;
4187
4188 bool success = compute_format_length (info, &res, vr_values);
4189 if (res.warned)
4190 gimple_set_no_warning (info.callstmt, true);
4191
4192 /* When optimizing and the printf return value optimization is enabled,
4193 attempt to substitute the computed result for the return value of
4194 the call. Avoid this optimization when -frounding-math is in effect
4195 and the format string contains a floating point directive. */
4196 bool call_removed = false;
4197 if (success && optimize > 0)
4198 {
4199 /* Save a copy of the iterator pointing at the call. The iterator
4200 may change to point past the call in try_substitute_return_value
4201 but the original value is needed in try_simplify_call. */
4202 gimple_stmt_iterator gsi_call = *gsi;
4203
4204 if (flag_printf_return_value
4205 && (!flag_rounding_math || !res.floating))
4206 call_removed = try_substitute_return_value (gsi, info, res);
4207
4208 if (!call_removed)
4209 try_simplify_call (&gsi_call, info, res);
4210 }
4211
4212 return call_removed;
4213 }