From patchwork Fri Dec 23 21:25:45 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Sebor X-Patchwork-Id: 88979 Delivered-To: patch@linaro.org Received: by 10.140.20.101 with SMTP id 92csp3515174qgi; Fri, 23 Dec 2016 13:26:54 -0800 (PST) X-Received: by 10.98.13.130 with SMTP id 2mr15694192pfn.185.1482528413930; Fri, 23 Dec 2016 13:26:53 -0800 (PST) Return-Path: Received: from sourceware.org (server1.sourceware.org. [209.132.180.131]) by mx.google.com with ESMTPS id c2si35270476pli.60.2016.12.23.13.26.53 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Dec 2016 13:26:53 -0800 (PST) Received-SPF: pass (google.com: domain of gcc-patches-return-445030-patch=linaro.org@gcc.gnu.org designates 209.132.180.131 as permitted sender) client-ip=209.132.180.131; Authentication-Results: mx.google.com; dkim=pass header.i=@gcc.gnu.org; spf=pass (google.com: domain of gcc-patches-return-445030-patch=linaro.org@gcc.gnu.org designates 209.132.180.131 as permitted sender) smtp.mailfrom=gcc-patches-return-445030-patch=linaro.org@gcc.gnu.org; dmarc=fail (p=NONE dis=NONE) header.from=gmail.com DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:to :from:subject:message-id:date:mime-version:content-type; q=dns; s=default; b=XEaW8xKGeOdgn0Y001389xSi76/QipMa7LWNSTQRcWUo+2ABDH NO2WT1Ce0ea/b8i+rNOdOLzWE8yQcq4I9p+SPTq41/qvcEgmwoz7LGkXdBOP8+O4 vm0Vdenr6iggAukg341bZwq3mFWQJHb+OqleM38DLgdrAtEKPcHDjsGMM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:to :from:subject:message-id:date:mime-version:content-type; s= default; bh=2KP5W6H9jJjbScXkQ++YTTHb3jI=; b=KDMcLyfIgD7OtHLUbYHN M+Fg76VzqZi5PnMLsRPxTjyVcoqnuOTqueXQygpu+f8ZsVAxqCW2YnH4gONIGJQg NvHBxQ3vR9LpCWGWR3rOFAPK9oN04L2huWCrg7bn0UjOn5WWIKqchi7M1SHxETB0 /HT2G+n09XrArlUMLfVNNUA= Received: (qmail 20380 invoked by alias); 23 Dec 2016 21:26:11 -0000 Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Archive: List-Post: List-Help: Sender: gcc-patches-owner@gcc.gnu.org Delivered-To: mailing list gcc-patches@gcc.gnu.org Received: (qmail 20359 invoked by uid 89); 23 Dec 2016 21:26:09 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=1.3 required=5.0 tests=AWL, BAYES_50, FREEMAIL_FROM, KAM_ASCII_DIVIDERS, RCVD_IN_DNSWL_NONE, SPF_PASS autolearn=no version=3.3.2 spammy=dollar, 49418, digit, abc X-HELO: mail-qt0-f177.google.com Received: from mail-qt0-f177.google.com (HELO mail-qt0-f177.google.com) (209.85.216.177) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 23 Dec 2016 21:25:51 +0000 Received: by mail-qt0-f177.google.com with SMTP id d45so48244452qta.1 for ; Fri, 23 Dec 2016 13:25:51 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version; bh=FSjdKAElR3vVSvytI4YeIIac0C984zKLW3/4ewudj9Q=; b=RJs+oWbDJPQ/I+JXpM23TRueo1eNJ9Vtf8UvMdyMyeVwYZu8Glj0kbm0yPtr6xc+pj 4jZAwV6wjPQokx+UfNhaUrdNLkjVMBcYK/04JPVoihrKRuCEh9pBdB4LSzbRpKetu2hF tIzCjUa08hVI/lB50WYHAxQq3yhMABPJHMVOsAQLrKFdcrMEaKlEFTVgQmVP4J9nR6Ae RSTKcbm6FcvzRjiPjJNBrZ6l3dv3xGUKxm5xfPwGE4tumkrsk6uI2a2exhkL3Qbgoqrh iW5N1HeoBHDq83Kj+xglU6a5kQOPYf4ewxFtSwS3DHdxK3A0gIOmexXj0r1gmpsSKmOr rlJQ== X-Gm-Message-State: AIkVDXJNHAP/dGVRff0no8AVNDL+YxIwIGYrc60J0HKbu3EP5JNYOk0PAJwIu3/Pb42PLA== X-Received: by 10.200.41.33 with SMTP id y30mr16196004qty.225.1482528349934; Fri, 23 Dec 2016 13:25:49 -0800 (PST) Received: from [192.168.0.26] (97-124-188-210.hlrn.qwest.net. [97.124.188.210]) by smtp.gmail.com with ESMTPSA id t62sm2382284qkh.26.2016.12.23.13.25.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Dec 2016 13:25:49 -0800 (PST) To: Jeff Law , Gcc Patch List From: Martin Sebor Subject: [PATCH] better handling of ranges (PR 78703) Message-ID: Date: Fri, 23 Dec 2016 14:25:45 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0 MIME-Version: 1.0 X-IsSubscribed: yes Bug 78703 points out that the decimal point character in floating directives can be longer than just one byte (in locales where the decimal point is a multibyte character). The decimal point can result in anywhere between 1 and MB_LEN_MAX bytes. This is unlikely but locales with two-byte decimal point are known to exist, and the gimple-ssa-sprintf pass must handle them correctly. In a comment on the bug Jakub suggests that while printf return value optimization must correctly deal with the worst case (i.e., MB_LEN_MAX of 6 for UTF-8), reflecting the worst case in the text of warnings could be confusing to users most of whom expect a single byte decimal point. Finally, a limitation of the gimple-ssa-sprintf pass has been that it only understands constant width and precision and treats others as essentially unlimited even if they are constrained to a limited range of values. This results in false positives and negatives that can be avoided. The attached patch enhances the pass to overcome both of these limitations. It does that by first replacing the exact byte counter with two other counters: 1) a likely counter that tracks the number of bytes a directive is likely to result in, and 2) an "unlikely" byte for lack of a better name, that tracks the unlikely maximum byte count in cases like multibyte decimal point, and second by adding range handling for width and precision specified by the asterisk (such as in sprintf("%*.*i", w, p, i)). The patch resulted in more extensive changes than I initially intended but the result is a simplified implementation. A good amount of the changes is factoring code out into more general functions that can be shared throughout the pass. With these enhancements, although the support for ranges in the pass is complete, it's not as robust as it could be. I think having the pass run later could improve things. The pass does produce a fair number of warnings for calls to snprintf in the linux kernel. Some of these I suspect will be considered false positives. I think it might be worth splitting up the snprintf warning from -Wformat-length and adding a separate option to control it. Martin PR middle-end/78703 - -fprintf-return-value floating point handling incorrect in locales with a mulltibyte decimal point gcc/ChangeLog: PR middle-end/78703 * gimple-ssa-sprintf.c (get_int_range): New function. (struct result_range): Add members. (struct format_result): Replace number_chars, number_chars_min, and number_chars_max, with struct result_ramge. Remove constant. (format_result::operator+=): Update and define out of class. (struct fmtresult): Add constructors. Remove constant and bounded members. (format_result::type_max_digits): New function. (format_result::adjust_for_width_and_precision): New function. (struct conversion_spec): Rename... (struct directive): ...to this. (struct directive): Add new data members. (directive::set_width, directive::set_precison): New functions. (bytes_remaining, get_int_range, format_character, format_plain): Same. (should_warn_p, maybe_warn, parse_directive): Same. (min_bytes_remaining, add_bytes): Remove. (format_percent, get_string_length): Simplify. (format_integer): Handle width and precision ranges. (format_floating): Same. (get_mpfr_format_length): Work around MPFR bugs and simplify. (format_string): Factor single character handling into format_character. Handle width and precision ranges. (format_directive): Factor out most warning code into maybe_warn. (pass_sprintf_length::compute_format_length): Factor out parsing into parse_directive. (try_substitute_return_value): Handle unlikely maximum byte counter. Simplify for better clarity. gcc/testsuite/ChangeLog: PR middle-end/78703 * gcc.dg/tree-ssa/builtin-sprintf-2.c: Adjust. * gcc.dg/tree-ssa/builtin-sprintf-5.c: Same. * gcc.dg/tree-ssa/builtin-sprintf-warn-1.c: Same. * gcc.dg/tree-ssa/builtin-sprintf-warn-2.c: Same. * gcc.dg/tree-ssa/builtin-sprintf-warn-3.c: Same. * gcc.dg/tree-ssa/builtin-sprintf-warn-4.c: Same. * gcc.dg/tree-ssa/builtin-sprintf-warn-7.c: Same. * gcc.dg/tree-ssa/builtin-sprintf-warn-9.c: New test. * gcc.dg/tree-ssa/builtin-sprintf.c: Adjust. * gcc.dg/format/pr78569.c: Same. diff --git a/gcc/gimple-ssa-sprintf.c b/gcc/gimple-ssa-sprintf.c index a91dcb8..904e4f1 100644 --- a/gcc/gimple-ssa-sprintf.c +++ b/gcc/gimple-ssa-sprintf.c @@ -82,7 +82,7 @@ along with GCC; see the file COPYING3. If not see /* The likely worst case value of MB_LEN_MAX for the target, large enough for UTF-8. Ideally, this would be obtained by a target hook if it were to be used for optimization but it's good enough as is for warnings. */ -#define target_mb_len_max 6 +#define target_mb_len_max() 6 /* The maximum number of bytes a single non-string directive can result in. This is the result of printf("%.*Lf", INT_MAX, -LDBL_MAX) for @@ -92,6 +92,10 @@ along with GCC; see the file COPYING3. If not see namespace { +static bool +get_int_range (tree, tree, HOST_WIDE_INT *, HOST_WIDE_INT *, + bool, HOST_WIDE_INT); + const pass_data pass_data_sprintf_length = { GIMPLE_PASS, // pass type "printf-return-value", // pass name @@ -145,50 +149,53 @@ pass_sprintf_length::gate (function *) && (optimize > 0) == fold_return_value); } +/* The minimum, maximum, likely, and unlikely maximum number of bytes + of output either a formatting function or an individual directive + can result in. */ + +struct result_range +{ + /* The absolute minimum number of bytes. The result of a successful + conversion is guaranteed to be no less than this. (An erroneous + conversion can be indicated by MIN > HOST_WIDE_INT_MAX.) */ + unsigned HOST_WIDE_INT min; + /* The likely maximum result that is used in diagnostics. In most + cases MAX is the same as the worst case UNLIKELY result. */ + unsigned HOST_WIDE_INT max; + /* The likely result used to trigger diagnostics. For conversions + that result in a range of bytes [MIN, MAX], LIKELY is somewhere + in that range. */ + unsigned HOST_WIDE_INT likely; + /* In rare cases (e.g., for nultibyte characters) UNLIKELY gives + the worst cases maximum result of a directive. In most cases + UNLIKELY == MAX. UNLIKELY is used to control the return value + optimization but not in diagnostics. */ + unsigned HOST_WIDE_INT unlikely; +}; + /* The result of a call to a formatted function. */ struct format_result { - /* Number of characters written by the formatted function, exact, - minimum and maximum when an exact number cannot be determined. - Setting the minimum to HOST_WIDE_INT_MAX disables all length - tracking for the remainder of the format string. - Setting either of the other two members to HOST_WIDE_INT_MAX - disables the exact or maximum length tracking, respectively, - but continues to track the maximum. */ - unsigned HOST_WIDE_INT number_chars; - unsigned HOST_WIDE_INT number_chars_min; - unsigned HOST_WIDE_INT number_chars_max; - - /* True when the range given by NUMBER_CHARS_MIN and NUMBER_CHARS_MAX - can be relied on for value range propagation, false otherwise. - This means that BOUNDED must not be set if the number of bytes - produced by any directive is unspecified or implementation- - defined (unless the implementation's behavior is known and - determined via a target hook). - Note that BOUNDED only implies that the length of a function's - output is known to be within some range, not that it's constant - and a candidate for string folding. BOUNDED is a stronger - guarantee than KNOWNRANGE. */ - bool bounded; + /* Range of characters written by the formatted function. + Setting the minimum to HOST_WIDE_INT_MAX disables all + length tracking for the remainder of the format string. */ + result_range range; /* True when the range above is obtained from known values of - directive arguments or their bounds and not the result of - heuristics that depend on warning levels. It is used to - issue stricter diagnostics in cases where strings of unknown - lengths are bounded by the arrays they are determined to - refer to. KNOWNRANGE must not be used to set the range of - the return value of a call. */ + directive arguments, or bounds on the amount of output such + as width and precision, and not the result of heuristics that + depend on warning levels. It's used to issue stricter diagnostics + in cases where strings of unknown lengths are bounded by the arrays + they are determined to refer to. KNOWNRANGE must not be used for + the return value optimization. */ bool knownrange; - /* True when the output of the formatted call is constant (and - thus a candidate for string constant folding). This is rare - and typically requires that the arguments of all directives - are also constant. CONSTANT implies BOUNDED. */ - bool constant; - /* True if no individual directive resulted in more than 4095 bytes - of output (the total NUMBER_CHARS might be greater). */ + of output (the total NUMBER_CHARS_{MIN,MAX} might be greater). + Implementations are not required to handle directives that produce + more than 4K bytes (leading to undefined behavior) and so when one + is found it disables the return value optimization. */ bool under4k; /* True when a floating point directive has been seen in the format @@ -197,7 +204,7 @@ struct format_result /* True when an intermediate result has caused a warning. Used to avoid issuing duplicate warnings while finishing the processing - of a call. */ + of a call. WARNED also disables the return value optimization. */ bool warned; /* Preincrement the number of output characters by 1. */ @@ -215,20 +222,29 @@ struct format_result } /* Increment the number of output characters by N. */ - format_result& operator+= (unsigned HOST_WIDE_INT n) - { - gcc_assert (n < HOST_WIDE_INT_MAX); - - if (number_chars < HOST_WIDE_INT_MAX) - number_chars += n; - if (number_chars_min < HOST_WIDE_INT_MAX) - number_chars_min += n; - if (number_chars_max < HOST_WIDE_INT_MAX) - number_chars_max += n; - return *this; - } + format_result& operator+= (unsigned HOST_WIDE_INT); }; +format_result& +format_result::operator+= (unsigned HOST_WIDE_INT n) +{ + gcc_assert (n < HOST_WIDE_INT_MAX); + + if (range.min < HOST_WIDE_INT_MAX) + range.min += n; + + if (range.max < HOST_WIDE_INT_MAX) + range.max += n; + + if (range.likely < HOST_WIDE_INT_MAX) + range.likely += n; + + if (range.unlikely < HOST_WIDE_INT_MAX) + range.unlikely += n; + + return *this; +} + /* Return the value of INT_MIN for the target. */ static inline HOST_WIDE_INT @@ -426,25 +442,45 @@ enum format_lengths }; -/* A minimum and maximum number of bytes. */ - -struct result_range -{ - unsigned HOST_WIDE_INT min, max; -}; - /* Description of the result of conversion either of a single directive or the whole format string. */ struct fmtresult { - fmtresult () - : argmin (), argmax (), knownrange (), bounded (), constant (), nullp () + /* Construct a FMTRESULT object with all counters initialized + to MIN. KNOWNRANGE is set when MIN is valid. */ + fmtresult (unsigned HOST_WIDE_INT min = HOST_WIDE_INT_MAX) + : argmin (), argmax (), + knownrange (min < HOST_WIDE_INT_MAX), + nullp () + { + range.min = min; + range.max = min; + range.likely = min; + range.unlikely = min; + } + + /* Construct a FMTRESULT object with MIN, MAX, and LIKELY counters. + KNOWNRANGE is set when both MIN and MAX are valid. */ + fmtresult (unsigned HOST_WIDE_INT min, unsigned HOST_WIDE_INT max, + unsigned HOST_WIDE_INT likely = HOST_WIDE_INT_MAX) + : argmin (), argmax (), + knownrange (min < HOST_WIDE_INT_MAX && max < HOST_WIDE_INT_MAX), + nullp () { - range.min = range.max = HOST_WIDE_INT_MAX; + range.min = min; + range.max = max; + range.likely = max < likely ? min : likely; + range.unlikely = max; } - /* The range a directive's argument is in. */ +/* Adjust result upward to reflect the RANGE of values the specified + width or precision is known to be in. */ + fmtresult& adjust_for_width_or_precision (const HOST_WIDE_INT[2], + tree = NULL_TREE, + unsigned = 0, unsigned = 0); + + /* The range a directive's argument is in. */ tree argmin, argmax; /* The minimum and maximum number of bytes that a directive @@ -456,37 +492,129 @@ struct fmtresult heuristics that depend on warning levels. */ bool knownrange; - /* True when the range is the result of an argument determined - to be bounded to a subrange of its type or value (such as by - value range propagation or the width of the formt directive), - false otherwise. */ - bool bounded; - - /* True when the output of a directive is constant. This is rare - and typically requires that the argument(s) of the directive - are also constant (such as determined by constant propagation, - though not value range propagation). */ - bool constant; - /* True when the argument is a null pointer. */ bool nullp; + + /* Return the maximum number of decimal digits a value of TYPE + formats as on output. */ + static unsigned type_max_digits (tree, int); }; -/* Description of a conversion specification. */ +/* Adjust result upward to reflect the range ADJUST of values the + specified width or precision is known to be in. When non-null, + TYPE denotes the type of the directive whose result is being + adjusted, BASE gives the base of the directive (octal, decimal, + or hex), and ADJ denotes the additional adjustment to the LIKELY + counter that may need to be added when ADJUST is a range. */ + +fmtresult& +fmtresult::adjust_for_width_or_precision (const HOST_WIDE_INT adjust[2], + tree type /* = NULL_TREE */, + unsigned base /* = 0 */, + unsigned adj /* = 0 */) +{ + bool minadjusted = false; + + /* Adjust the minimum and likely counters. */ + if (0 <= adjust[0]) + { + if (range.min < (unsigned HOST_WIDE_INT)adjust[0]) + { + range.min = adjust[0]; + minadjusted = true; + } + + /* Adjust the likely counter. */ + if (range.likely < range.min) + range.likely = range.min; + } + else if (adjust[0] == target_int_min () + && (unsigned HOST_WIDE_INT)adjust[1] == target_int_max ()) + { + knownrange = false; + } + + /* Adjust the maximum counter. */ + if (0 < adjust[1]) + { + if (range.max < (unsigned HOST_WIDE_INT)adjust[1]) + { + range.max = adjust[1]; + + /* Set KNOWNRANGE if both the minimum and maximum have been + adjusted. Otherwise leave it at what it was before. */ + knownrange = minadjusted; + } + } + + if (warn_format_length > 1 && type) + { + /* For large non-constant width or precision whose range spans + the maximum number of digits produced by the directive for + any argument, set the likely number of bytes to be at most + the number digits plus other adjustment determined by the + caller (one for sign or two for the hexadecimal "0x" + prefix). */ + unsigned dirdigs = type_max_digits (type, base); + if (adjust[0] < dirdigs && dirdigs < adjust[1] + && range.likely < dirdigs) + range.likely = dirdigs + adj; + } + else if (range.likely < (range.min ? range.min : 1)) + { + /* Conservatively, set LIKELY to at least MIN but no less than + 1 unless MAX is zero. */ + range.likely = (range.min + ? range.min + : range.max ? 1 : 0); + } + + /* Finally adjust the unlikely counter to be at least as large as + the maximum. */ + if (range.unlikely < range.max) + range.unlikely = range.max; + + return *this; +} + +/* Return the maximum number of digits a value of TYPE formats in + BASE on output, not counting base prefix . */ + +unsigned +fmtresult::type_max_digits (tree type, int base) +{ + unsigned prec = TYPE_PRECISION (type); + if (base == 8) + return (prec + 2) / 3; + + if (base == 16) + return prec / 4; -struct conversion_spec + /* Decimal approximation: yields 3, 5, 10, and 20 for precision + of 8, 16, 32, and 64 bits. */ + return prec * 301 / 1000 + 1; +} + +/* Description of a format directive. A directive is either a plain + string or a conversion specification that starts with '%'. */ + +struct directive { + /* The 1-based directive number (for debugging). */ + unsigned dirno; + + /* The first character of the directive and its length. */ + const char *beg; + size_t len; + /* A bitmap of flags, one for each character. */ unsigned flags[256 / sizeof (int)]; - /* Numeric width as in "%8x". */ - int width; - /* Numeric precision as in "%.32s". */ - int precision; - /* Width specified via the '*' character. */ - tree star_width; - /* Precision specified via the asterisk. */ - tree star_precision; + /* The range of values of the specified width, or -1 if not specified. */ + HOST_WIDE_INT width[2]; + /* The range of values of the specified precision, or -1 if not + specified. */ + HOST_WIDE_INT prec[2]; /* Length modifier. */ format_lengths modifier; @@ -494,18 +622,13 @@ struct conversion_spec /* Format specifier character. */ char specifier; - /* Numeric width was given. */ - unsigned have_width: 1; - /* Numeric precision was given. */ - unsigned have_precision: 1; - /* Non-zero when certain flags should be interpreted even for a directive - that normally doesn't accept them (used when "%p" with flags such as - space or plus is interepreted as a "%x". */ - unsigned force_flags: 1; + /* The argument of the directive or null when the directive doesn't + take one or when none is available (such as for vararg functions). */ + tree arg; - /* Format conversion function that given a conversion specification - and an argument returns the formatting result. */ - fmtresult (*fmtfunc) (const conversion_spec &, tree); + /* Format conversion function that given a directive and an argument + returns the formatting result. */ + fmtresult (*fmtfunc) (const directive &, tree); /* Return True when a the format flag CHR has been used. */ bool get_flag (char chr) const @@ -530,6 +653,30 @@ struct conversion_spec flags[c / (CHAR_BIT * sizeof *flags)] &= ~(1U << (c % (CHAR_BIT * sizeof *flags))); } + + /* Set both bounds of the width range to VAL. */ + void set_width (HOST_WIDE_INT val) + { + width[0] = width[1] = val; + } + + /* Set the width range according to ARG. */ + void set_width (tree arg) + { + get_int_range (arg, integer_type_node, width, width + 1, true, 0); + } + + /* Set both bounds of the precision range to VAL. */ + void set_precision (HOST_WIDE_INT val) + { + prec[0] = prec[1] = val; + } + + /* Set the precision range according to ARG. */ + void set_precision (tree arg) + { + get_int_range (arg, integer_type_node, prec, prec + 1, false, -1); + } }; /* Return the logarithm of X in BASE. */ @@ -603,7 +750,7 @@ tree_digits (tree x, int base, bool plus, bool prefix) } /* Given the formatting result described by RES and NAVAIL, the number - of available in the destination, return the number of bytes remaining + of available in the destination, return the range of bytes remaining in the destination. */ static inline result_range @@ -613,68 +760,26 @@ bytes_remaining (unsigned HOST_WIDE_INT navail, const format_result &res) if (HOST_WIDE_INT_MAX <= navail) { - range.min = range.max = navail; + range.min = range.max = range.likely = range.unlikely = navail; return range; } - if (res.number_chars < navail) - { - range.min = range.max = navail - res.number_chars; - } - else if (res.number_chars_min < navail) - { - range.max = navail - res.number_chars_min; - } - else - range.max = 0; - - if (res.number_chars_max < navail) - range.min = navail - res.number_chars_max; - else - range.min = 0; - - return range; -} - -/* Given the formatting result described by RES and NAVAIL, the number - of available in the destination, return the minimum number of bytes - remaining in the destination. */ + /* The lower bound of the available range is the available size + minus the maximum output size, and the upper bound is the size + minus the minimum. */ + range.max = res.range.min < navail ? navail - res.range.min : 0; -static inline unsigned HOST_WIDE_INT -min_bytes_remaining (unsigned HOST_WIDE_INT navail, const format_result &res) -{ - if (HOST_WIDE_INT_MAX <= navail) - return navail; + range.likely = res.range.likely < navail ? navail - res.range.likely : 0; - if (1 < warn_format_length || res.knownrange) - { - /* At level 2, or when all directives output an exact number - of bytes or when their arguments were bounded by known - ranges, use the greater of the two byte counters if it's - valid to compute the result. */ - if (res.number_chars_max < HOST_WIDE_INT_MAX) - navail -= res.number_chars_max; - else if (res.number_chars < HOST_WIDE_INT_MAX) - navail -= res.number_chars; - else if (res.number_chars_min < HOST_WIDE_INT_MAX) - navail -= res.number_chars_min; - } + if (res.range.max < HOST_WIDE_INT_MAX) + range.min = res.range.max < navail ? navail - res.range.max : 0; else - { - /* At level 1 use the smaller of the byte counters to compute - the result. */ - if (res.number_chars < HOST_WIDE_INT_MAX) - navail -= res.number_chars; - else if (res.number_chars_min < HOST_WIDE_INT_MAX) - navail -= res.number_chars_min; - else if (res.number_chars_max < HOST_WIDE_INT_MAX) - navail -= res.number_chars_max; - } + range.min = range.likely; - if (navail > HOST_WIDE_INT_MAX) - navail = 0; + range.unlikely = (res.range.unlikely < navail + ? navail - res.range.unlikely : 0); - return navail; + return range; } /* Description of a call to a formatted function. */ @@ -717,12 +822,9 @@ struct pass_sprintf_length::call_info /* Return the result of formatting the '%%' directive. */ static fmtresult -format_percent (const conversion_spec &, tree) +format_percent (const directive &, tree) { - fmtresult res; - res.argmin = res.argmax = NULL_TREE; - res.range.min = res.range.max = 1; - res.bounded = res.constant = true; + fmtresult res (1); return res; } @@ -767,57 +869,94 @@ build_intmax_type_nodes (tree *pintmax, tree *puintmax) } } -/* Set *PWIDTH and *PPREC according to the width and precision specified - in SPEC. Each is set to HOST_WIDE_INT_MIN when the corresponding - field is specified but unknown, to zero for width and -1 for precision, - respectively when it's not specified, or to a non-negative value - corresponding to the known value. */ +/* Determine the range [*PMIN, *PMAX] that the expression ARG of TYPE + is in. Return true when the range is a subrange of that of TYPE. + Whn ARG is null it is as if it had the full range of TYPE. + When ABSOLUTE is true the range reflects the absolute value of + the argument. When ABSOLUTE is false, negative bounds of + the determined range are replaced with NEGBOUND. */ -static void -get_width_and_precision (const conversion_spec &spec, - HOST_WIDE_INT *pwidth, HOST_WIDE_INT *pprec) +static bool +get_int_range (tree arg, tree type, HOST_WIDE_INT *pmin, HOST_WIDE_INT *pmax, + bool absolute, HOST_WIDE_INT negbound) { - HOST_WIDE_INT width = spec.have_width ? spec.width : 0; - HOST_WIDE_INT prec = spec.have_precision ? spec.precision : -1; + bool knownrange = false; - if (spec.star_width) + if (!arg) + { + *pmin = (TYPE_UNSIGNED (type) + ? tree_to_uhwi (TYPE_MIN_VALUE (type)) + : tree_to_shwi (TYPE_MIN_VALUE (type))); + *pmax = tree_to_uhwi (TYPE_MAX_VALUE (type)); + } + else if (TREE_CODE (arg) == INTEGER_CST) { - if (TREE_CODE (spec.star_width) == INTEGER_CST) + /* For a constant argument return its value adjusted as specified + by NEGATIVE and NEGBOUND and return true to indicate that the + result is known. */ + *pmin = tree_fits_shwi_p (arg) ? tree_to_shwi (arg) : tree_to_uhwi (arg); + *pmax = *pmin; + knownrange = true; + } + else + { + /* True if the argument's range cannot be determined. */ + bool unknown = true; + + type = TREE_TYPE (arg); + + if (TREE_CODE (arg) == SSA_NAME + && TREE_CODE (type) == INTEGER_TYPE) { - width = tree_to_shwi (spec.star_width); - if (width < 0) + /* Try to determine the range of values of the integer argument. */ + wide_int min, max; + enum value_range_type range_type = get_range_info (arg, &min, &max); + if (range_type == VR_RANGE) { - if (width == HOST_WIDE_INT_MIN) - { - /* Avoid undefined behavior due to negating a minimum. - This case will be diagnosed since it will result in - more than INT_MAX bytes on output, either by the - directive itself (when INT_MAX < HOST_WIDE_INT_MAX) - or by the format function itself. */ - width = HOST_WIDE_INT_MAX; - } - else - width = -width; + HOST_WIDE_INT type_min + = (TYPE_UNSIGNED (type) + ? tree_to_uhwi (TYPE_MIN_VALUE (type)) + : tree_to_shwi (TYPE_MIN_VALUE (type))); + + HOST_WIDE_INT type_max = tree_to_uhwi (TYPE_MAX_VALUE (type)); + + *pmin = min.to_shwi (); + *pmax = max.to_shwi (); + + /* Return true if the adjusted range is a subrange of + the full range of the argument's type. */ + knownrange = type_min < *pmin || *pmax < type_max; + + unknown = false; } } - else - width = HOST_WIDE_INT_MIN; + + /* Handle an argument with an unknown range as if none had been + provided. */ + if (unknown) + return get_int_range (NULL_TREE, type, pmin, pmax, absolute, negbound); } - if (spec.star_precision) + /* Adjust each bound as specified by ABSOLUTE and NEGBOUND. */ + if (absolute) { - if (TREE_CODE (spec.star_precision) == INTEGER_CST) + if (*pmin < 0) { - prec = tree_to_shwi (spec.star_precision); - if (prec < 0) - prec = -1; + if (*pmin == *pmax) + *pmin = *pmax = -*pmin; + else + { + HOST_WIDE_INT tmp = -*pmin; + *pmin = 0; + if (*pmax < tmp) + *pmax = tmp; + } } - else - prec = HOST_WIDE_INT_MIN; } + else if (*pmin < negbound) + *pmin = negbound; - *pwidth = width; - *pprec = prec; + return knownrange; } /* With the range [*ARGMIN, *ARGMAX] of an integer directive's actual @@ -889,27 +1028,56 @@ adjust_range_for_overflow (tree dirtype, tree *argmin, tree *argmax) functions). */ static fmtresult -format_integer (const conversion_spec &spec, tree arg) +format_integer (const directive &dir, tree arg) { tree intmax_type_node; tree uintmax_type_node; - /* Set WIDTH and PRECISION based on the specification. */ - HOST_WIDE_INT width; - HOST_WIDE_INT prec; - get_width_and_precision (spec, &width, &prec); + /* Base to format the number in. */ + int base; + + /* True when a conversion is preceded by a prefix indicating the base + of the argument (octal or hexadecimal). */ + bool maybebase = dir.get_flag ('#'); - bool sign = spec.specifier == 'd' || spec.specifier == 'i'; + /* True when a signed conversion is preceded by a sign or space. */ + bool maybesign = false; + + /* True for signed conversions (i.e., 'd' and 'i'). */ + bool sign = false; + + switch (dir.specifier) + { + case 'd': + case 'i': + /* Space and '+' are only meaningful for signed conversions. */ + maybesign = dir.get_flag (' ') | dir.get_flag ('+'); + sign = true; + base = 10; + break; + case 'u': + base = 10; + break; + case 'o': + base = 8; + break; + case 'X': + case 'x': + base = 16; + break; + default: + gcc_unreachable (); + } /* The type of the "formal" argument expected by the directive. */ tree dirtype = NULL_TREE; /* Determine the expected type of the argument from the length modifier. */ - switch (spec.modifier) + switch (dir.modifier) { case FMT_LEN_none: - if (spec.specifier == 'p') + if (dir.specifier == 'p') dirtype = ptr_type_node; else dirtype = sign ? integer_type_node : unsigned_type_node; @@ -969,38 +1137,9 @@ format_integer (const conversion_spec &spec, tree arg) { /* When a constant argument has been provided use its value rather than type to determine the length of the output. */ + fmtresult res; - /* Base to format the number in. */ - int base; - - /* True when a signed conversion is preceded by a sign or space. */ - bool maybesign = false; - - switch (spec.specifier) - { - case 'd': - case 'i': - /* Space and '+' are only meaningful for signed conversions. */ - maybesign = spec.get_flag (' ') | spec.get_flag ('+'); - base = 10; - break; - case 'u': - base = 10; - break; - case 'o': - base = 8; - break; - case 'X': - case 'x': - base = 16; - break; - default: - gcc_unreachable (); - } - - HOST_WIDE_INT len; - - if ((prec == HOST_WIDE_INT_MIN || prec == 0) && integer_zerop (arg)) + if ((dir.prec[0] <= 0 && dir.prec[1] >= 0) && integer_zerop (arg)) { /* As a special case, a precision of zero with a zero argument results in zero bytes except in base 8 when the '#' flag is @@ -1009,46 +1148,36 @@ format_integer (const conversion_spec &spec, tree arg) when it results in just one byte (with width having the normal effect). This must extend to the case of a specified precision with an unknown value because it can be zero. */ - len = ((base == 8 && spec.get_flag ('#')) || maybesign); + res.range.min = ((base == 8 && dir.get_flag ('#')) || maybesign); + if (res.range.min == 0 && dir.prec[0] != dir.prec[1]) + { + res.range.max = 1; + res.range.likely = 1; + } + else + { + res.range.max = res.range.min; + res.range.likely = res.range.min; + } } else { /* Convert the argument to the type of the directive. */ arg = fold_convert (dirtype, arg); - /* True when a conversion is preceded by a prefix indicating the base - of the argument (octal or hexadecimal). */ - bool maybebase = spec.get_flag ('#'); - len = tree_digits (arg, base, maybesign, maybebase); - - if (len < prec) - len = prec; + res.range.min = tree_digits (arg, base, maybesign, maybebase); + res.range.max = res.range.min; + res.range.likely = res.range.min; } - if (len < width) - len = width; - - /* The minimum and maximum number of bytes produced by the directive. */ - fmtresult res; - - res.range.min = len; - - /* The upper bound of the number of bytes is unlimited when either - width or precision is specified but its value is unknown, and - the same as the lower bound otherwise. */ - if (width == HOST_WIDE_INT_MIN || prec == HOST_WIDE_INT_MIN) - { - res.range.max = HOST_WIDE_INT_MAX; - } - else - { - res.range.max = len; - res.bounded = true; - res.constant = true; - res.knownrange = true; - res.bounded = true; - } + res.range.unlikely = res.range.max; + /* Bump up the counters if WIDTH is greater than LEN. */ + res.adjust_for_width_or_precision (dir.width, dirtype, base, + (sign | maybebase) + (base == 16)); + /* Bump up the counters again if PRECision is greater still. */ + res.adjust_for_width_or_precision (dir.prec, dirtype, base, + (sign | maybebase) + (base == 16)); return res; } else if (TREE_CODE (TREE_TYPE (arg)) == INTEGER_TYPE @@ -1063,10 +1192,6 @@ format_integer (const conversion_spec &spec, tree arg) fmtresult res; - /* The result is bounded unless width or precision has been specified - whose value is unknown. */ - res.bounded = width != HOST_WIDE_INT_MIN && prec != HOST_WIDE_INT_MIN; - /* Using either the range the non-constant argument is in, or its type (either "formal" or actual), create a range of values that constrain the length of output given the warning level. */ @@ -1114,7 +1239,7 @@ format_integer (const conversion_spec &spec, tree arg) if (code == INTEGER_CST) { arg = gimple_assign_rhs1 (def); - return format_integer (spec, arg); + return format_integer (dir, arg); } if (code == NOP_EXPR) @@ -1134,10 +1259,11 @@ format_integer (const conversion_spec &spec, tree arg) or one whose value range cannot be determined, create a T_MIN constant if the argument's type is signed and T_MAX otherwise, and use those to compute the range of bytes that the directive - can output. When precision is specified but unknown, use zero - as the minimum since it results in no bytes on output (unless - width is specified to be greater than 0). */ - argmin = build_int_cst (argtype, prec && prec != HOST_WIDE_INT_MIN); + can output. When precision may be zero, use zero as the minimum + since it results in no bytes on output (unless width is specified + to be greater than 0). */ + bool zero = dir.prec[0] <= 0 && dir.prec[1] >= 0; + argmin = build_int_cst (argtype, !zero); int typeprec = TYPE_PRECISION (dirtype); int argprec = TYPE_PRECISION (argtype); @@ -1192,8 +1318,8 @@ format_integer (const conversion_spec &spec, tree arg) /* For unsigned conversions/directives, use the minimum (i.e., 0 or 1) and maximum to compute the shortest and longest output, respectively. */ - res.range.min = format_integer (spec, argmin).range.min; - res.range.max = format_integer (spec, argmax).range.max; + res.range.min = format_integer (dir, argmin).range.min; + res.range.max = format_integer (dir, argmax).range.max; } else { @@ -1202,17 +1328,10 @@ format_integer (const conversion_spec &spec, tree arg) to compute the longest output. This is important when precision is specified but unknown because otherwise both output lengths would reflect the largest possible precision (i.e., INT_MAX). */ - res.range.min = format_integer (spec, argmax).range.min; - res.range.max = format_integer (spec, argmin).range.max; + res.range.min = format_integer (dir, argmax).range.min; + res.range.max = format_integer (dir, argmin).range.max; } - /* The result is bounded either when the argument is determined to be - (e.g., when it's within some range) or when the minimum and maximum - are the same. That can happen here for example when the specified - width is as wide as the greater of MIN and MAX, as would be the case - with sprintf (d, "%08x", x) with a 32-bit integer x. */ - res.bounded |= res.range.min == res.range.max; - if (res.range.max < res.range.min) { unsigned HOST_WIDE_INT tmp = res.range.max; @@ -1220,6 +1339,13 @@ format_integer (const conversion_spec &spec, tree arg) res.range.min = tmp; } + res.range.likely = res.knownrange ? res.range.max : res.range.min; + res.range.unlikely = res.range.max; + res.adjust_for_width_or_precision (dir.width, dirtype, base, + (sign | maybebase) + (base == 16)); + res.adjust_for_width_or_precision (dir.prec, dirtype, base, + (sign | maybebase) + (base == 16)); + return res; } @@ -1245,15 +1371,26 @@ get_mpfr_format_length (mpfr_ptr x, const char *flags, HOST_WIDE_INT prec, fmtstr[len + 5] = spec; fmtstr[len + 6] = '\0'; - /* Avoid passing negative precisions with larger magnitude to MPFR - to avoid exposing its bugs. (A negative precision is supposed - to be ignored.) */ - if (prec < 0) - prec = -1; + spec = TOUPPER (spec); + if (spec == 'E' || spec == 'F') + { + /* For %e, specify the precision explicitly since mpfr_sprintf + does its own thing just to be different (see MPFR bug 21088). */ + if (prec < 0) + prec = 6; + } + else + { + /* Avoid passing negative precisions with larger magnitude to MPFR + to avoid exposing its bugs. (A negative precision is supposed + to be ignored.) */ + if (prec < 0) + prec = -1; + } HOST_WIDE_INT p = prec; - if (TOUPPER (spec) == 'G') + if (spec == 'G') { /* For G/g, precision gives the maximum number of significant digits which is bounded by LDBL_MAX_10_EXP, or, for a 128 @@ -1301,18 +1438,14 @@ format_floating_max (tree type, char spec, HOST_WIDE_INT prec) const real_format *rfmt = REAL_MODE_FORMAT (mode); REAL_VALUE_TYPE rv; - { - char buf[256]; - get_max_float (rfmt, buf, sizeof buf); - real_from_string (&rv, buf); - } + real_maxval (&rv, 0, mode); /* Convert the GCC real value representation with the precision of the real type to the mpfr_t format with the GCC default round-to-nearest mode. */ mpfr_t x; mpfr_init2 (x, rfmt->p); - mpfr_from_real (x, &rv, GMP_RNDN); + mpfr_from_real (x, &rv, MPFR_RNDN); /* Return a value one greater to account for the leading minus sign. */ return 1 + get_mpfr_format_length (x, "", prec, spec, 'D'); @@ -1324,13 +1457,12 @@ format_floating_max (tree type, char spec, HOST_WIDE_INT prec) is used when the directive argument or its value isn't known. */ static fmtresult -format_floating (const conversion_spec &spec, HOST_WIDE_INT width, - HOST_WIDE_INT prec) +format_floating (const directive &dir) { tree type; bool ldbl = false; - switch (spec.modifier) + switch (dir.modifier) { case FMT_LEN_l: case FMT_LEN_none: @@ -1369,42 +1501,52 @@ format_floating (const conversion_spec &spec, HOST_WIDE_INT width, logexpdigs = ilog (expdigs, 10); } - switch (spec.specifier) + switch (dir.specifier) { case 'A': case 'a': { /* The minimum output is "0x.p+0". */ - res.range.min = 6 + (prec > 0 ? prec : 0); - res.range.max = (width == INT_MIN - ? HOST_WIDE_INT_MAX - : format_floating_max (type, 'a', prec)); - - /* The output of "%a" is fully specified only when precision - is explicitly specified and width isn't unknown. */ - res.bounded = INT_MIN != width && -1 < prec; + res.range.min = 6 + (dir.prec[0] > 0 ? dir.prec[0] : 0); + + res.range.max = format_floating_max (type, 'a', dir.prec[1]); + res.range.likely = res.range.min; + + /* The unlikely maximum accounts for the longest multibyte + decimal point character. */ + if (dir.prec[0] != dir.prec[1] + || dir.prec[0] == -1 || dir.prec[0] > 0) + res.range.unlikely = res.range.max + target_mb_len_max () - 1; + else + res.range.unlikely = res.range.max; break; } case 'E': case 'e': { - bool sign = spec.get_flag ('+') || spec.get_flag (' '); + bool sign = dir.get_flag ('+') || dir.get_flag (' '); /* The minimum output is "[-+]1.234567e+00" regardless of the value of the actual argument. */ res.range.min = (sign - + 1 /* unit */ + (prec < 0 ? 7 : prec ? prec + 1 : 0) + + 1 /* unit */ + + (dir.prec[0] < 0 + ? 7 : dir.prec[0] ? dir.prec[0] + 1 + : 0) + 2 /* e+ */ + 2); /* Unless width is uknown the maximum output is the minimum plus sign (unless already included), plus the difference between the minimum exponent of 2 and the maximum exponent for the type. */ - res.range.max = (width == INT_MIN - ? HOST_WIDE_INT_M1U - : res.range.min + !sign + logexpdigs - 2); - - /* "%e" is fully specified and the range of bytes is bounded - unless width is unknown. */ - res.bounded = INT_MIN != width; + res.range.max = res.range.min + !sign + logexpdigs - 2; + res.range.likely = res.range.min; + + /* The unlikely maximum accounts for the longest multibyte + decimal point character. */ + if (dir.prec[0] != dir.prec[1] + || dir.prec[0] == -1 || dir.prec[0] > 0) + res.range.unlikely = res.range.max + target_mb_len_max () -1; + else + res.range.unlikely = res.range.max; break; } @@ -1413,18 +1555,21 @@ format_floating (const conversion_spec &spec, HOST_WIDE_INT width, { /* The minimum output is "1.234567" regardless of the value of the actual argument. */ - res.range.min = 2 + (prec < 0 ? 6 : prec); + res.range.min = 2 + (dir.prec[0] < 0 ? 6 : dir.prec[0]); /* Compute the maximum just once. */ const HOST_WIDE_INT f_max[] = { - format_floating_max (double_type_node, 'f', prec), - format_floating_max (long_double_type_node, 'f', prec) + format_floating_max (double_type_node, 'f', dir.prec[1]), + format_floating_max (long_double_type_node, 'f', dir.prec[1]) }; - res.range.max = width == INT_MIN ? HOST_WIDE_INT_MAX : f_max [ldbl]; - - /* "%f" is fully specified and the range of bytes is bounded - unless width is unknown. */ - res.bounded = INT_MIN != width; + res.range.max = f_max [ldbl]; + res.range.likely = res.range.min; + + /* The unlikely maximum accounts for the longest multibyte + decimal point character. */ + if (dir.prec[0] != dir.prec[1] + || dir.prec[0] == -1 || dir.prec[0] > 0) + res.range.unlikely = res.range.max + target_mb_len_max () - 1; break; } case 'G': @@ -1435,14 +1580,15 @@ format_floating (const conversion_spec &spec, HOST_WIDE_INT width, /* Compute the maximum just once. */ const HOST_WIDE_INT g_max[] = { - format_floating_max (double_type_node, 'g', prec), - format_floating_max (long_double_type_node, 'g', prec) + format_floating_max (double_type_node, 'g', dir.prec[1]), + format_floating_max (long_double_type_node, 'g', dir.prec[1]) }; - res.range.max = width == INT_MIN ? HOST_WIDE_INT_MAX : g_max [ldbl]; + res.range.max = g_max [ldbl]; + res.range.likely = g_max [ldbl]; - /* "%g" is fully specified and the range of bytes is bounded - unless width is unknown. */ - res.bounded = INT_MIN != width; + /* The unlikely maximum accounts for the longest multibyte + decimal point character. */ + res.range.unlikely = res.range.max + target_mb_len_max () - 1; break; } @@ -1450,14 +1596,8 @@ format_floating (const conversion_spec &spec, HOST_WIDE_INT width, return fmtresult (); } - if (width > 0) - { - if (res.range.min < (unsigned)width) - res.range.min = width; - if (res.range.max < (unsigned)width) - res.range.max = width; - } - + /* Bump up the byte counters if WIDTH is greater. */ + res.adjust_for_width_or_precision (dir.width); return res; } @@ -1466,120 +1606,109 @@ format_floating (const conversion_spec &spec, HOST_WIDE_INT width, floating argument ARG. */ static fmtresult -format_floating (const conversion_spec &spec, tree arg) +format_floating (const directive &dir, tree arg) { - /* Set WIDTH to -1 when it's not specified, to INT_MIN when it is - specified by the asterisk to an unknown value, and otherwise to - a non-negative value corresponding to the specified width. */ - HOST_WIDE_INT width = -1; - HOST_WIDE_INT prec = -1; + if (!arg || TREE_CODE (arg) != REAL_CST) + return format_floating (dir); - /* The minimum and maximum number of bytes produced by the directive. */ - fmtresult res; - res.constant = arg && TREE_CODE (arg) == REAL_CST; + HOST_WIDE_INT prec[] = { dir.prec[0], dir.prec[1] }; - if (spec.have_width) - width = spec.width; - else if (spec.star_width) + if (TOUPPER (dir.specifier) == 'A') { - if (TREE_CODE (spec.star_width) == INTEGER_CST) + /* For %a, leave the minimum precision unspecified to let + MFPR trim trailing zeros (as it and many other systems + including Glibc happen to do) and set the maximum + precision to reflect what it would be with trailing zeros + present (as Solaris and derived systems do). */ + if (prec[0] < 0) + prec[0] = -1; + if (prec[1] < 0) { - width = tree_to_shwi (spec.star_width); - if (width < 0) - width = -width; + unsigned fmtprec + = (dir.modifier == FMT_LEN_L + ? REAL_MODE_FORMAT (XFmode)->p + : REAL_MODE_FORMAT (DFmode)->p); + + /* The precision of the IEEE 754 double format is 53. + The precision of all other GCC binary double formats + is 56 or less. */ + prec[1] = fmtprec <= 56 ? 13 : 15; } - else - width = INT_MIN; } - if (spec.have_precision) - prec = spec.precision; - else if (spec.star_precision) - { - if (TREE_CODE (spec.star_precision) == INTEGER_CST) - prec = tree_to_shwi (spec.star_precision); - else - { - /* FIXME: Handle non-constant precision. */ - res.range.min = res.range.max = HOST_WIDE_INT_M1U; - return res; - } - } - else if (res.constant && TOUPPER (spec.specifier) != 'A') - { - /* Specify the precision explicitly since mpfr_sprintf defaults - to zero. */ - prec = 6; - } + /* The minimum and maximum number of bytes produced by the directive. */ + fmtresult res; - if (res.constant) - { - /* Set up an array to easily iterate over. */ - unsigned HOST_WIDE_INT* const minmax[] = { - &res.range.min, &res.range.max - }; + /* Set up an array to easily iterate over. */ + unsigned HOST_WIDE_INT* const minmax[] = { + &res.range.min, &res.range.max + }; + + /* Get the real type format desription for the target. */ + const REAL_VALUE_TYPE *rvp = TREE_REAL_CST_PTR (arg); + const real_format *rfmt = REAL_MODE_FORMAT (TYPE_MODE (TREE_TYPE (arg))); - /* Get the real type format desription for the target. */ - const REAL_VALUE_TYPE *rvp = TREE_REAL_CST_PTR (arg); - const real_format *rfmt = REAL_MODE_FORMAT (TYPE_MODE (TREE_TYPE (arg))); + char fmtstr [40]; + char *pfmt = fmtstr; + /* Append flags. */ + for (const char *pf = "-+ #0"; *pf; ++pf) + if (dir.get_flag (*pf)) + *pfmt++ = *pf; + + *pfmt = '\0'; + + for (int i = 0; i != sizeof minmax / sizeof *minmax; ++i) + { /* Convert the GCC real value representation with the precision - of the real type to the mpfr_t format with the GCC default - round-to-nearest mode. */ + of the real type to the mpfr_t format rounding down in the + first iteration that computes the minimum and up in the second + that computes the maximum. This order is arbibtrary because + rounding in either direction can result in longer output. */ mpfr_t mpfrval; mpfr_init2 (mpfrval, rfmt->p); - mpfr_from_real (mpfrval, rvp, GMP_RNDN); - - char fmtstr [40]; - char *pfmt = fmtstr; + mpfr_from_real (mpfrval, rvp, i ? MPFR_RNDU : MPFR_RNDD); - /* Append flags. */ - for (const char *pf = "-+ #0"; *pf; ++pf) - if (spec.get_flag (*pf)) - *pfmt++ = *pf; + /* Use the MPFR rounding specifier to round down in the first + iteration and then up. In most but not all cases this will + result in the same number of bytes. */ + char rndspec = "DU"[i]; - *pfmt = '\0'; + /* Format it and store the result in the corresponding member + of the result struct. */ + *minmax[i] = get_mpfr_format_length (mpfrval, fmtstr, prec[i], + dir.specifier, rndspec); + } - for (int i = 0; i != sizeof minmax / sizeof *minmax; ++i) - { - /* Use the MPFR rounding specifier to round down in the first - iteration and then up. In most but not all cases this will - result in the same number of bytes. */ - char rndspec = "DU"[i]; - - /* Format it and store the result in the corresponding member - of the result struct. */ - unsigned HOST_WIDE_INT len - = get_mpfr_format_length (mpfrval, fmtstr, prec, - spec.specifier, rndspec); - if (0 < width && len < (unsigned)width) - len = width; - - *minmax[i] = len; - } + if (res.range.max < res.range.min) + { + /* Swap the two bounds if rounding resulted in the maximum being + less than the minimum. */ + unsigned HOST_WIDE_INT tmp = res.range.max; + res.range.max = res.range.min; + res.range.min = tmp; + } - /* The range of output is known even if the result isn't bounded. */ - if (width == INT_MIN) - { - res.knownrange = false; - res.range.max = HOST_WIDE_INT_MAX; - } - else - res.knownrange = true; + res.knownrange = true; - /* The output of all directives except "%a" is fully specified - and so the result is bounded unless it exceeds INT_MAX. - For "%a" the output is fully specified only when precision - is explicitly specified. */ - res.bounded = (res.knownrange - && (TOUPPER (spec.specifier) != 'A' - || (0 <= prec && (unsigned) prec < target_int_max ())) - && res.range.min < target_int_max ()); + /* For the same floating point constant use the longer output + as the likely maximum since with round to nearest either is + equally likely. */ + res.range.likely = res.range.max; + res.range.unlikely = res.range.max; - return res; + if (prec[0] != 0 || prec[1] != 0) + { + /* Unless the precision is zero the output may include + the decimal point which must be a single character up + to MB_LEN_MAX in length. This is overly conservative + since in some conversions some constants result in no + decimal point (e.g., in %g). */ + res.range.unlikely += target_mb_len_max () - 1; } - return format_floating (spec, width, prec); + res.adjust_for_width_or_precision (dir.width); + return res; } /* Return a FMTRESULT struct set to the lengths of the shortest and longest @@ -1595,11 +1724,7 @@ get_string_length (tree str) if (tree slen = c_strlen (str, 1)) { /* Simply return the length of the string. */ - fmtresult res; - res.range.min = res.range.max = tree_to_shwi (slen); - res.bounded = true; - res.constant = true; - res.knownrange = true; + fmtresult res (tree_to_shwi (slen)); return res; } @@ -1613,24 +1738,23 @@ get_string_length (tree str) if (lenrange [0] || lenrange [1]) { - fmtresult res; + fmtresult res (tree_fits_uhwi_p (lenrange[0]) + ? tree_to_uhwi (lenrange[0]) : 1 < warn_format_length, + tree_fits_uhwi_p (lenrange[1]) + ? tree_to_uhwi (lenrange[1]) : HOST_WIDE_INT_M1U); - res.range.min = (tree_fits_uhwi_p (lenrange[0]) - ? tree_to_uhwi (lenrange[0]) : 1 < warn_format_length); - res.range.max = (tree_fits_uhwi_p (lenrange[1]) - ? tree_to_uhwi (lenrange[1]) : HOST_WIDE_INT_M1U); - - /* Set RES.BOUNDED to true if and only if all strings referenced + /* Set RES.KNOWNRANGE to true if and only if all strings referenced by STR are known to be bounded (though not necessarily by their actual length but perhaps by their maximum possible length). */ - res.bounded = res.range.max < target_int_max (); - res.knownrange = res.bounded; - - /* Set RES.CONSTANT to false even though that may be overly - conservative in rare cases like: 'x ? a : b' where a and - b have the same lengths and consist of the same characters. */ - res.constant = false; + if (res.range.max < target_int_max ()) + { + res.knownrange = true; + res.range.likely = res.range.max; + } + else + res.range.likely = res.range.min; + res.range.unlikely = res.range.max; return res; } @@ -1638,204 +1762,513 @@ get_string_length (tree str) } /* Return the minimum and maximum number of characters formatted - by the '%c' and '%s' format directives and ther wide character - forms for the argument ARG. ARG can be null (for functions - such as vsprinf). */ + by the '%c' format directives and its wide character form for + the argument ARG. ARG can be null (for functions such as + vsprinf). */ static fmtresult -format_string (const conversion_spec &spec, tree arg) +format_character (const directive &dir, tree arg) { - /* Set WIDTH and PRECISION based on the specification. */ - HOST_WIDE_INT width; - HOST_WIDE_INT prec; - get_width_and_precision (spec, &width, &prec); - fmtresult res; - /* The maximum number of bytes for an unknown wide character argument - to a "%lc" directive adjusted for precision but not field width. - 6 is the longest UTF-8 sequence for a single wide character. */ - const unsigned HOST_WIDE_INT max_bytes_for_unknown_wc - = (0 <= prec ? prec : 1 < warn_format_length ? 6 : 1); - - /* The maximum number of bytes for an unknown string argument to either - a "%s" or "%ls" directive adjusted for precision but not field width. */ - const unsigned HOST_WIDE_INT max_bytes_for_unknown_str - = (0 <= prec ? prec : 1 < warn_format_length); + res.knownrange = true; - /* The result is bounded unless overriddden for a non-constant string - of an unknown length. */ - bool bounded = true; - - if (spec.specifier == 'c') + if (dir.modifier == FMT_LEN_l) { - if (spec.modifier == FMT_LEN_l) + res.range.min = 0; + HOST_WIDE_INT min, max; + if (get_int_range (arg, integer_type_node, &min, &max, false, 0)) { - /* Positive if the argument is a wide NUL character? */ - int nul = (arg && TREE_CODE (arg) == INTEGER_CST - ? integer_zerop (arg) : -1); - - /* A '%lc' directive is the same as '%ls' for a two element - wide string character with the second element of NUL, so - when the character is unknown the minimum number of bytes - is the smaller of either 0 (at level 1) or 1 (at level 2) - and WIDTH, and the maximum is MB_CUR_MAX in the selected - locale, which is unfortunately, unknown. */ - res.range.min = 1 == warn_format_length ? !nul : nul < 1; - res.range.max = max_bytes_for_unknown_wc; - /* The range above is good enough to issue warnings but not - for value range propagation, so clear BOUNDED. */ - res.bounded = false; + if (min == 0 && max == 0) + { + res.range.min = res.range.max = 0; + res.range.likely = 0; + } + else if (0 < min && min < 128) + { + res.range.max = target_mb_len_max (); + res.range.likely = 1; + } + else + { + res.range.max = target_mb_len_max (); + res.range.likely = 2; + } } else { - /* A plain '%c' directive. Its ouput is exactly 1. */ - res.range.min = res.range.max = 1; - res.bounded = true; - res.knownrange = true; - res.constant = arg && TREE_CODE (arg) == INTEGER_CST; + res.range.max = target_mb_len_max (); + res.range.likely = 2; } + + res.range.unlikely = res.range.max; } - else /* spec.specifier == 's' */ + else { - /* Compute the range the argument's length can be in. */ - fmtresult slen = get_string_length (arg); - if (slen.constant) - { - gcc_checking_assert (slen.range.min == slen.range.max); + /* A plain '%c' directive. Its ouput is exactly 1. */ + res.range.min = res.range.max = 1; + res.range.likely = res.range.unlikely = 1; + res.knownrange = true; + } - /* A '%s' directive with a string argument with constant length. */ - res.range = slen.range; + /* Bump up the byte counters if WIDTH is greater. */ + return res.adjust_for_width_or_precision (dir.width); +} - /* The output of "%s" and "%ls" directives with a constant - string is in a known range unless width of an unknown value - is specified. For "%s" it is the length of the string. For - "%ls" it is in the range [length, length * MB_LEN_MAX]. - (The final range can be further constrained by width and - precision but it's always known.) */ - res.knownrange = -1 < width; +/* Return the minimum and maximum number of characters formatted + by the '%s' format directive and its wide character form for + the argument ARG. ARG can be null (for functions such as + vsprinf). */ - if (spec.modifier == FMT_LEN_l) - { - bounded = false; +static fmtresult +format_string (const directive &dir, tree arg) +{ + fmtresult res; - if (warn_format_length > 1) - { - /* Leave the minimum number of bytes the wide string - converts to equal to its length and set the maximum - to the worst case length which is the string length - multiplied by MB_LEN_MAX. */ - - /* It's possible to be smarter about computing the maximum - by scanning the wide string for any 8-bit characters and - if it contains none, using its length for the maximum. - Even though this would be simple to do it's unlikely to - be worth it when dealing with wide characters. */ - res.range.max *= target_mb_len_max; - } + /* Compute the range the argument's length can be in. */ + fmtresult slen = get_string_length (arg); + if (slen.range.min == slen.range.max + && slen.range.min < HOST_WIDE_INT_MAX) + { + /* The argument is either a string constant or it refers + to one of a number of strings of the same length. */ - /* For a wide character string, use precision as the maximum - even if precision is greater than the string length since - the number of bytes the string converts to may be greater - (due to MB_CUR_MAX). */ - if (0 <= prec) - res.range.max = prec; - } - else if (0 <= width) - { - /* The output of a "%s" directive with a constant argument - and constant or no width is bounded. It is constant if - precision is either not specified or it is specified and - its value is known. */ - res.bounded = true; - res.constant = prec != HOST_WIDE_INT_MIN; - } - else if (width == HOST_WIDE_INT_MIN) - { - /* Specified but unknown width makes the output unbounded. */ - res.range.max = HOST_WIDE_INT_MAX; - } + /* A '%s' directive with a string argument with constant length. */ + res.range = slen.range; - if (0 <= prec && (unsigned HOST_WIDE_INT)prec < res.range.min) - { - res.range.min = prec; - res.range.max = prec; - } - else if (prec == HOST_WIDE_INT_MIN) + if (dir.modifier == FMT_LEN_l) + { + /* In the worst case the length of output of a wide string S + is bounded by MB_LEN_MAX * wcslen (S). */ + res.range.max *= target_mb_len_max (); + res.range.unlikely = res.range.max; + /* It's likely that the the total length is not more that + 2 * wcslen (S).*/ + res.range.likely = res.range.min * 2; + + if (0 <= dir.prec[1] + && (unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max) { - /* When precision is specified but not known the lower - bound is assumed to be as low as zero. */ - res.range.min = 0; + res.range.max = dir.prec[1]; + res.range.likely = dir.prec[1]; + res.range.unlikely = dir.prec[1]; } - } - else if (arg && integer_zerop (arg)) - { - /* Handle null pointer argument. */ - fmtresult res; + if (dir.prec[0] < 0 && dir.prec[1] > -1) + res.range.min = 0; + else if (0 <= dir.prec[0]) + res.range.likely = dir.prec[0]; + + /* Even a non-empty wide character string need not convert into + any bytes. */ res.range.min = 0; - res.range.max = HOST_WIDE_INT_MAX; - res.nullp = true; - return res; } else { - /* For a '%s' and '%ls' directive with a non-constant string, - the minimum number of characters is the greater of WIDTH - and either 0 in mode 1 or the smaller of PRECISION and 1 - in mode 2, and the maximum is PRECISION or -1 to disable - tracking. */ + res.knownrange = true; - if (0 <= prec) - { - if (slen.range.min >= target_int_max ()) - slen.range.min = 0; - else if ((unsigned HOST_WIDE_INT)prec < slen.range.min) - slen.range.min = prec; - - if ((unsigned HOST_WIDE_INT)prec < slen.range.max - || slen.range.max >= target_int_max ()) - slen.range.max = prec; - } - else if (slen.range.min >= target_int_max ()) + if (dir.prec[0] < 0 && dir.prec[1] > -1) + res.range.min = 0; + else if ((unsigned HOST_WIDE_INT)dir.prec[0] < res.range.min) + res.range.min = dir.prec[0]; + + if ((unsigned HOST_WIDE_INT)dir.prec[1] < res.range.max) { - slen.range.min = max_bytes_for_unknown_str; - slen.range.max = max_bytes_for_unknown_str; - bounded = false; + res.range.max = dir.prec[1]; + res.range.likely = dir.prec[1]; + res.range.unlikely = dir.prec[1]; } + } + } + else if (arg && integer_zerop (arg)) + { + /* Handle null pointer argument. */ + + fmtresult res (0); + res.nullp = true; + return res; + } + else + { + /* For a '%s' and '%ls' directive with a non-constant string, + the minimum number of characters is the greater of WIDTH + and either 0 in mode 1 or the smaller of PRECISION and 1 + in mode 2, and the maximum is PRECISION or -1 to disable + tracking. */ - res.range = slen.range; + if (0 <= dir.prec[0]) + { + if (slen.range.min >= target_int_max ()) + slen.range.min = 0; + else if ((unsigned HOST_WIDE_INT)dir.prec[0] < slen.range.min) + { + slen.range.min = dir.prec[0]; + slen.range.likely = slen.range.min; + } - /* The output is considered bounded when a precision has been - specified to limit the number of bytes or when the number - of bytes is known or contrained to some range. */ - res.bounded = 0 <= prec || slen.bounded; - res.knownrange = slen.knownrange; - res.constant = false; + if ((unsigned HOST_WIDE_INT)dir.prec[1] < slen.range.max + || slen.range.max >= target_int_max ()) + { + slen.range.max = dir.prec[1]; + slen.range.likely = slen.range.max; + } + } + else if (slen.range.min >= target_int_max ()) + { + slen.range.min = 0; + slen.range.max = HOST_WIDE_INT_MAX; + slen.range.likely = 1; } + + slen.range.unlikely = slen.range.max; + + res.range = slen.range; + res.knownrange = slen.knownrange; } - /* Adjust the lengths for field width. */ - if (0 < width) + /* Bump up the byte counters if WIDTH is greater. */ + return res.adjust_for_width_or_precision (dir.width); +} + +/* Format plain string (part of the format string itself). */ + +static fmtresult +format_plain (const directive &dir, tree) +{ + fmtresult res (dir.len); + return res; +} + +static bool +should_warn_p (const result_range &avail, const result_range &result) +{ + if (result.max <= avail.min) { - if (res.range.min < (unsigned HOST_WIDE_INT)width) - res.range.min = width; + /* The least amount of space remaining in the destination is big + enough for the longest output. */ + return false; + } - if (res.range.max < (unsigned HOST_WIDE_INT)width) - res.range.max = width; + if (1 == warn_format_length + && result.likely <= avail.likely) + { + /* The likely amount of space remaining in the destination is big + enough for the likely output. */ + return false; + } - /* Adjust BOUNDED if width happens to make them equal. */ - if (res.range.min == res.range.max && res.range.min < target_int_max () - && bounded) - res.bounded = true; + if (warn_format_length == 2 + && result.likely <= avail.min + && (result.max <= avail.min + || result.max > HOST_WIDE_INT_MAX)) + { + /* The minimum amount of space remaining in the destination is big + enough for the longest output. */ + return false; } - /* When precision is specified the range of characters on output - is known to be bounded by it. */ - if (-1 < width && -1 < prec) - res.knownrange = true; + return true; +} - return res; +/* At format string location describe by DIRLOC in a call described + by INFO, issue a warning for a directive DIR whose output may be + in excess of the available space AVAIL_RANGE in the destination + given the formatting result FMTRES. This function does nothing + except decide whether to issue a warning for a possible write + past the end or truncation and, if so, format the warning. + Return true if a warning has been issued. */ + +static bool +maybe_warn (substring_loc &dirloc, source_range *pargrange, + const pass_sprintf_length::call_info &info, + const result_range &avail_range, const result_range &res, + const directive &dir) +{ + if (!should_warn_p (avail_range, res)) + return false; + + /* A warning will definitely be issued below. */ + + /* The maximum byte count to reference in the warning. Larger counts + imply that the upper bound is unknown (and could be anywhere between + RES.MIN + 1 and SIZE_MAX / 2) are printed as "N or more bytes" rather + than "between N and X" where X is some huge number. */ + unsigned HOST_WIDE_INT maxbytes = target_dir_max (); + + /* True when there is enough room in the destination for the least + amount of a directive's output but not enough for its likely or + maximum output. */ + bool maybe = (res.min <= avail_range.max + && (avail_range.min < res.likely + || (res.max < HOST_WIDE_INT_MAX + && avail_range.min < res.max))); + + if (avail_range.min == avail_range.max) + { + /* The size of the destination region is exact. */ + unsigned HOST_WIDE_INT navail = avail_range.max; + + if (*dir.beg != '%') + { + /* For plain character directives (i.e., the format string itself) + but not others, point the caret at the first character that's + past the end of the destination. */ + dirloc.set_caret_index (dirloc.get_caret_idx () + navail); + } + + if (*dir.beg == '\0') + { + /* This is the terminating nul. */ + gcc_assert (res.min == 1 && res.min == res.max); + + const char *fmtstr + = (info.bounded + ? (maybe + ? G_("%qE output may be truncated before the last format " + "character") + : G_("%qE output truncated before the last format character")) + : (maybe + ? G_("%qE may write a terminating nul past the end " + "of the destination") + : G_("%qE writing a terminating nul past the end " + "of the destination"))); + + return fmtwarn (dirloc, NULL, NULL, OPT_Wformat_length_, fmtstr, + info.func); + } + + if (res.min == res.max) + { + const char* fmtstr + = (res.min == 1 + ? (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "%wu byte into a region of size %wu") + : G_("%<%.*s%> directive output truncated writing " + "%wu byte into a region of size %wu")) + : G_("%<%.*s%> directive writing %wu byte " + "into a region of size %wu")) + : (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "%wu bytes into a region of size %wu") + : G_("%<%.*s%> directive output truncated writing " + "%wu bytes into a region of size %wu")) + : G_("%<%.*s%> directive writing %wu bytes " + "into a region of size %wu"))); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, res.min, + navail); + } + + if (0 == res.min && res.max < maxbytes) + { + const char* fmtstr + = (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "up to %wu bytes into a region of size %wu") + : G_("%<%.*s%> directive output truncated writing " + "up to %wu bytes into a region of size %wu")) + : G_("%<%.*s%> directive writing up to %wu bytes " + "into a region of size %wu")); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, + res.max, navail); + } + + if (0 == res.min && maxbytes <= res.max) + { + /* This is a special case to avoid issuing the potentially + confusing warning: + writing 0 or more bytes into a region of size 0. */ + const char* fmtstr + = (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "likely %wu or more bytes into a region of size %wu") + : G_("%<%.*s%> directive output truncated writing " + "likely %wu or more bytes into a region of size %wu")) + : G_("%<%.*s%> directive writing likely %wu or more bytes " + "into a region of size %wu")); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, + res.likely, navail); + } + + if (res.max < maxbytes) + { + const char* fmtstr + = (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "between %wu and %wu bytes into a region of size %wu") + : G_("%<%.*s%> directive output truncated writing " + "between %wu and %wu bytes into a region of size %wu")) + : G_("%<%.*s%> directive writing between %wu and " + "%wu bytes into a region of size %wu")); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, + res.min, res.max, + navail); + } + + const char* fmtstr + = (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "%wu or more bytes into a region of size %wu") + : G_("%<%.*s%> directive output truncated writing " + "%wu or more bytes into a region of size %wu")) + : G_("%<%.*s%> directive writing %wu or more bytes " + "into a region of size %wu")); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, + res.min, navail); + } + + /* The size of the destination region is a range. */ + + if (*dir.beg != '%') + { + unsigned HOST_WIDE_INT navail = avail_range.max; + + /* For plain character directives (i.e., the format string itself) + but not others, point the caret at the first character that's + past the end of the destination. */ + dirloc.set_caret_index (dirloc.get_caret_idx () + navail); + } + + if (*dir.beg == '\0') + { + gcc_assert (res.min == 1 && res.min == res.max); + + const char *fmtstr + = (info.bounded + ? (maybe + ? G_("%qE output may be truncated before the last format " + "character") + : G_("%qE output truncated before the last format character")) + : (maybe + ? G_("%qE may write a terminating nul past the end " + "of the destination") + : G_("%qE writing a terminating nul past the end " + "of the destination"))); + + return fmtwarn (dirloc, NULL, NULL, OPT_Wformat_length_, fmtstr, + info.func); + } + + if (res.min == res.max) + { + const char* fmtstr + = (res.min == 1 + ? (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "%wu byte into a region of size between %wu and %wu") + : G_("%<%.*s%> directive output truncated writing " + "%wu byte into a region of size between %wu and %wu")) + : G_("%<%.*s%> directive writing %wu byte " + "into a region of size between %wu and %wu")) + : (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "%wu bytes into a region of size between %wu and %wu") + : G_("%<%.*s%> directive output truncated writing " + "%wu bytes into a region of size between %wu and %wu")) + : G_("%<%.*s%> directive writing %wu bytes " + "into a region of size between %wu and %wu"))); + + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, res.min, + avail_range.min, avail_range.max); + } + + if (0 == res.min && res.max < maxbytes) + { + const char* fmtstr + = (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "up to %wu bytes into a region of size between " + "%wu and %wu") + : G_("%<%.*s%> directive output truncated writing " + "up to %wu bytes into a region of size between " + "%wu and %wu")) + : G_("%<%.*s%> directive writing up to %wu bytes " + "into a region of size between %wu and %wu")); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, res.max, + avail_range.min, avail_range.max); + } + + if (0 == res.min && maxbytes <= res.max) + { + /* This is a special case to avoid issuing the potentially confusing + warning: + writing 0 or more bytes into a region of size between 0 and N. */ + const char* fmtstr + = (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "likely %wu or more bytes into a region of size between " + "%wu and %wu") + : G_("%<%.*s%> directive output truncated writing likely " + "%wu or more bytes into a region of size between " + "%wu and %wu")) + : G_("%<%.*s%> directive writing likely %wu or more bytes " + "into a region of size between %wu and %wu")); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, res.likely, + avail_range.min, avail_range.max); + } + + if (res.max < maxbytes) + { + const char* fmtstr + = (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "between %wu and %wu bytes into a region of size " + "between %wu and %wu") + : G_("%<%.*s%> directive output truncated writing " + "between %wu and %wu bytes into a region of size " + "between %wu and %wu")) + : G_("%<%.*s%> directive writing between %wu and " + "%wu bytes into a region of size between %wu and %wu")); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, + res.min, res.max, + avail_range.min, avail_range.max); + } + + const char* fmtstr + = (info.bounded + ? (maybe + ? G_("%<%.*s%> directive output may be truncated writing " + "%wu or more bytes into a region of size between " + "%wu and %wu") + : G_("%<%.*s%> directive output truncated writing " + "%wu or more bytes into a region of size between " + "%wu and %wu")) + : G_("%<%.*s%> directive writing %wu or more bytes " + "into a region of size between %wu and %wu")); + return fmtwarn (dirloc, pargrange, NULL, + OPT_Wformat_length_, fmtstr, + dir.len, dir.beg, + res.min, + avail_range.min, avail_range.max); } /* Compute the length of the output resulting from the conversion @@ -1843,27 +2276,28 @@ format_string (const conversion_spec &spec, tree arg) and update the overall result of the call in *RES. The format directive corresponding to SPEC starts at CVTBEG and is CVTLEN characters long. */ -static void +static bool format_directive (const pass_sprintf_length::call_info &info, - format_result *res, const char *cvtbeg, size_t cvtlen, - const conversion_spec &spec, tree arg) + format_result *res, directive &dir) { /* Offset of the beginning of the directive from the beginning of the format string. */ - size_t offset = cvtbeg - info.fmtstr; + size_t offset = dir.beg - info.fmtstr; + size_t start = offset; + size_t length = offset + dir.len - !!dir.len; /* Create a location for the whole directive from the % to the format specifier. */ substring_loc dirloc (info.fmtloc, TREE_TYPE (info.format), - offset, offset, offset + cvtlen - 1); + offset, start, length); /* Also create a location range for the argument if possible. This doesn't work for integer literals or function calls. */ source_range argrange; source_range *pargrange; - if (arg && CAN_HAVE_LOCATION_P (arg)) + if (dir.arg && CAN_HAVE_LOCATION_P (dir.arg)) { - argrange = EXPR_LOCATION_RANGE (arg); + argrange = EXPR_LOCATION_RANGE (dir.arg); pargrange = &argrange; } else @@ -1871,16 +2305,11 @@ format_directive (const pass_sprintf_length::call_info &info, /* Bail when there is no function to compute the output length, or when minimum length checking has been disabled. */ - if (!spec.fmtfunc || res->number_chars_min >= HOST_WIDE_INT_MAX) - return; - - /* Compute the (approximate) length of the formatted output. */ - fmtresult fmtres = spec.fmtfunc (spec, arg); + if (!dir.fmtfunc || res->range.min >= HOST_WIDE_INT_MAX) + return false; - /* The overall result is bounded and constant only if the output - of every directive is bounded and constant, respectively. */ - res->bounded &= fmtres.bounded; - res->constant &= fmtres.constant; + /* Compute the range of lengths of the formatted output. */ + fmtresult fmtres = dir.fmtfunc (dir, dir.arg); /* Record whether the output of all directives is known to be bounded by some maximum, implying that their arguments are @@ -1889,6 +2318,7 @@ format_directive (const pass_sprintf_length::call_info &info, they refer to. */ res->knownrange &= fmtres.knownrange; +#if 1 if (!fmtres.knownrange) { /* Only when the range is known, check it against the host value @@ -1908,8 +2338,7 @@ format_directive (const pass_sprintf_length::call_info &info, to determine the maximum number of characters (for example for wide characters or wide character strings) but continue tracking the minimum number of characters. */ - res->number_chars_max = HOST_WIDE_INT_M1U; - res->number_chars = HOST_WIDE_INT_M1U; + res->range.max = HOST_WIDE_INT_M1U; } if (fmtres.range.min > target_dir_max ()) @@ -1918,164 +2347,71 @@ format_directive (const pass_sprintf_length::call_info &info, even the minimum number of characters (it shouldn't happen except in an error) but keep tracking the minimum and maximum number of characters. */ - res->number_chars = HOST_WIDE_INT_M1U; - return; + return true; } } +#endif + + const char *dirbeg = dir.beg; + int dirlen = dir.len; if (fmtres.nullp) { fmtwarn (dirloc, pargrange, NULL, OPT_Wformat_length_, "%<%.*s%> directive argument is null", - (int)cvtlen, cvtbeg); + dirlen, dirbeg); /* Don't bother processing the rest of the format string. */ res->warned = true; - res->number_chars = HOST_WIDE_INT_M1U; - res->number_chars_min = res->number_chars_max = res->number_chars; - return; + res->range.min = HOST_WIDE_INT_M1U; + res->range.max = HOST_WIDE_INT_M1U; + return false; } - bool warned = res->warned; - /* Compute the number of available bytes in the destination. There must always be at least one byte of space for the terminating NUL that's appended after the format string has been processed. */ - unsigned HOST_WIDE_INT navail = min_bytes_remaining (info.objsize, *res); + // unsigned HOST_WIDE_INT navail = min_bytes_remaining (info.objsize, *res); + result_range avail_range = bytes_remaining (info.objsize, *res); - if (fmtres.range.min < fmtres.range.max) - { - /* The result is a range (i.e., it's inexact). */ - if (!warned) - { - if (navail < fmtres.range.min) - { - /* The minimum directive output is longer than there is - room in the destination. */ - if (fmtres.range.min == fmtres.range.max) - { - const char* fmtstr - = (info.bounded - ? G_("%<%.*s%> directive output truncated writing " - "%wu bytes into a region of size %wu") - : G_("%<%.*s%> directive writing %wu bytes " - "into a region of size %wu")); - warned = fmtwarn (dirloc, pargrange, NULL, - OPT_Wformat_length_, fmtstr, - (int)cvtlen, cvtbeg, fmtres.range.min, - navail); - } - else if (fmtres.range.max < HOST_WIDE_INT_MAX) - { - const char* fmtstr - = (info.bounded - ? G_("%<%.*s%> directive output truncated writing " - "between %wu and %wu bytes into a region of " - "size %wu") - : G_("%<%.*s%> directive writing between %wu and " - "%wu bytes into a region of size %wu")); - warned = fmtwarn (dirloc, pargrange, NULL, - OPT_Wformat_length_, fmtstr, - (int)cvtlen, cvtbeg, - fmtres.range.min, fmtres.range.max, navail); - } - else - { - const char* fmtstr - = (info.bounded - ? G_("%<%.*s%> directive output truncated writing " - "%wu or more bytes into a region of size %wu") - : G_("%<%.*s%> directive writing %wu or more bytes " - "into a region of size %wu")); - warned = fmtwarn (dirloc, pargrange, NULL, - OPT_Wformat_length_, fmtstr, - (int)cvtlen, cvtbeg, - fmtres.range.min, navail); - } - } - else if (navail < fmtres.range.max - && (((spec.specifier == 's' - && fmtres.range.max < HOST_WIDE_INT_MAX) - /* && (spec.precision || spec.star_precision) */) - || 1 < warn_format_length)) - { - /* The maximum directive output is longer than there is - room in the destination and the output length is either - explicitly constrained by the precision (for strings) - or the warning level is greater than 1. */ - if (fmtres.range.max >= HOST_WIDE_INT_MAX) - { - const char* fmtstr - = (info.bounded - ? G_("%<%.*s%> directive output may be truncated " - "writing %wu or more bytes a region of size %wu") - : G_("%<%.*s%> directive writing %wu or more bytes " - "into a region of size %wu")); - warned = fmtwarn (dirloc, pargrange, NULL, - OPT_Wformat_length_, fmtstr, - (int)cvtlen, cvtbeg, - fmtres.range.min, navail); - } - else - { - const char* fmtstr - = (info.bounded - ? G_("%<%.*s%> directive output may be truncated " - "writing between %wu and %wu bytes into a region " - "of size %wu") - : G_("%<%.*s%> directive writing between %wu and %wu " - "bytes into a region of size %wu")); - warned = fmtwarn (dirloc, pargrange, NULL, - OPT_Wformat_length_, fmtstr, - (int)cvtlen, cvtbeg, - fmtres.range.min, fmtres.range.max, - navail); - } - } - } + bool warned = res->warned; - /* Disable exact length checking but adjust the minimum and maximum. */ - res->number_chars = HOST_WIDE_INT_M1U; - if (res->number_chars_max < HOST_WIDE_INT_MAX - && fmtres.range.max < HOST_WIDE_INT_MAX) - res->number_chars_max += fmtres.range.max; + if (!warned) + warned = maybe_warn (dirloc, pargrange, info, avail_range, + fmtres.range, dir); - res->number_chars_min += fmtres.range.min; - } + /* Bump up the total maximum if it isn't too big. */ + if (res->range.max < HOST_WIDE_INT_MAX + && fmtres.range.max < HOST_WIDE_INT_MAX) + res->range.max += fmtres.range.max; + + /* Raise the total unlikely maximum by the larger of the maximum + and the unlikely maximum. It doesn't matter if the unlikely + maximum overflows. */ + if (fmtres.range.max < fmtres.range.unlikely) + res->range.unlikely += fmtres.range.unlikely; else - { - if (!warned && fmtres.range.min > 0 && navail < fmtres.range.min) - { - const char* fmtstr - = (info.bounded - ? (1 < fmtres.range.min - ? G_("%<%.*s%> directive output truncated while writing " - "%wu bytes into a region of size %wu") - : G_("%<%.*s%> directive output truncated while writing " - "%wu byte into a region of size %wu")) - : (1 < fmtres.range.min - ? G_("%<%.*s%> directive writing %wu bytes " - "into a region of size %wu") - : G_("%<%.*s%> directive writing %wu byte " - "into a region of size %wu"))); + res->range.unlikely += fmtres.range.max; - warned = fmtwarn (dirloc, pargrange, NULL, - OPT_Wformat_length_, fmtstr, - (int)cvtlen, cvtbeg, fmtres.range.min, - navail); - } - *res += fmtres.range.min; - } + res->range.min += fmtres.range.min; + res->range.likely += fmtres.range.likely; /* Has the minimum directive output length exceeded the maximum of 4095 bytes required to be supported? */ bool minunder4k = fmtres.range.min < 4096; - if (!minunder4k || fmtres.range.max > 4095) + bool maxunder4k = fmtres.range.max < 4096; + /* Clear UNDER4K in the overall result if the maximum has exceeded + the 4k (this is necessary to avoid the return valuye optimization + that may not be safe in the maximum case). */ + if (!maxunder4k) res->under4k = false; - if (!warned && 1 < warn_format_length - && (!minunder4k || fmtres.range.max > 4095)) + if (!warned + /* Only warn at level 2. */ + && 1 < warn_format_length + && (!minunder4k + || (!maxunder4k && fmtres.range.max < HOST_WIDE_INT_MAX))) { /* The directive output may be longer than the maximum required to be handled by an implementation according to 7.21.6.1, p15 @@ -2089,30 +2425,34 @@ format_directive (const pass_sprintf_length::call_info &info, OPT_Wformat_length_, "%<%.*s%> directive output of %wu bytes exceeds " "minimum required size of 4095", - (int)cvtlen, cvtbeg, fmtres.range.min); + dirlen, dirbeg, fmtres.range.min); else { const char *fmtstr = (minunder4k - ? G_("%<%.*s%> directive output between %qu and %wu " + ? G_("%<%.*s%> directive output between %wu and %wu " "bytes may exceed minimum required size of 4095") - : G_("%<%.*s%> directive output between %qu and %wu " + : G_("%<%.*s%> directive output between %wu and %wu " "bytes exceeds minimum required size of 4095")); warned = fmtwarn (dirloc, pargrange, NULL, OPT_Wformat_length_, fmtstr, - (int)cvtlen, cvtbeg, + dirlen, dirbeg, fmtres.range.min, fmtres.range.max); } } - /* Has the minimum directive output length exceeded INT_MAX? */ - bool exceedmin = res->number_chars_min > target_int_max (); + /* Has the likely and maximum directive output exceeded INT_MAX? */ + bool likelyximax = *dirbeg && res->range.likely > target_int_max (); + bool maxximax = *dirbeg && res->range.max > target_int_max (); if (!warned - && (exceedmin + /* Warn for the likely output size at level 1. */ + && (likelyximax + /* But only warn for the maximum at level 2. */ || (1 < warn_format_length - && res->number_chars_max > target_int_max ()))) + && maxximax + && fmtres.range.max < HOST_WIDE_INT_MAX))) { /* The directive output causes the total length of output to exceed INT_MAX bytes. */ @@ -2122,22 +2462,32 @@ format_directive (const pass_sprintf_length::call_info &info, OPT_Wformat_length_, "%<%.*s%> directive output of %wu bytes causes " "result to exceed %", - (int)cvtlen, cvtbeg, fmtres.range.min); + dirlen, dirbeg, fmtres.range.min); else { const char *fmtstr - = (exceedmin + = (fmtres.range.min > target_int_max () ? G_ ("%<%.*s%> directive output between %wu and %wu " "bytes causes result to exceed %") : G_ ("%<%.*s%> directive output between %wu and %wu " "bytes may cause result to exceed %")); warned = fmtwarn (dirloc, pargrange, NULL, OPT_Wformat_length_, fmtstr, - (int)cvtlen, cvtbeg, + dirlen, dirbeg, fmtres.range.min, fmtres.range.max); } } + if (warned && fmtres.range.min < fmtres.range.likely + && fmtres.range.likely < fmtres.range.max) + { + inform (info.fmtloc, + (1 == fmtres.range.likely + ? G_("assuming directive output of %wu byte") + : G_("assuming directive output of %wu bytes")), + fmtres.range.likely); + } + if (warned && fmtres.argmin) { if (fmtres.argmin == fmtres.argmax) @@ -2152,118 +2502,8 @@ format_directive (const pass_sprintf_length::call_info &info, } res->warned |= warned; -} - -/* Account for the number of bytes between BEG and END (or between - BEG + strlen (BEG) when END is null) in the format string in a call - to a formatted output function described by INFO. Reflect the count - in RES and issue warnings as appropriate. */ - -static void -add_bytes (const pass_sprintf_length::call_info &info, - const char *beg, const char *end, format_result *res) -{ - if (res->number_chars_min >= HOST_WIDE_INT_MAX) - return; - - /* The number of bytes to output is the number of bytes between - the end of the last directive and the beginning of the next - one if it exists, otherwise the number of characters remaining - in the format string plus 1 for the terminating NUL. */ - size_t nbytes = end ? end - beg : strlen (beg) + 1; - - /* Return if there are no bytes to add at this time but there are - directives remaining in the format string. */ - if (!nbytes) - return; - - /* Compute the range of available bytes in the destination. There - must always be at least one byte left for the terminating NUL - that's appended after the format string has been processed. */ - result_range avail_range = bytes_remaining (info.objsize, *res); - - /* If issuing a diagnostic (only when one hasn't already been issued), - distinguish between a possible overflow ("may write") and a certain - overflow somewhere "past the end." (Ditto for truncation.) - KNOWNRANGE is used to warn even at level 1 about possibly writing - past the end or truncation due to strings of unknown lengths that - are bounded by the arrays they are known to refer to. */ - if (!res->warned - && (avail_range.max < nbytes - || ((res->knownrange || 1 < warn_format_length) - && avail_range.min < nbytes))) - { - /* Set NAVAIL to the number of available bytes used to decide - whether or not to issue a warning below. The exact kind of - warning will depend on AVAIL_RANGE. */ - unsigned HOST_WIDE_INT navail = avail_range.max; - if (nbytes <= navail && avail_range.min < HOST_WIDE_INT_MAX - && (res->knownrange || 1 < warn_format_length)) - navail = avail_range.min; - - /* Compute the offset of the first format character that is beyond - the end of the destination region and the length of the rest of - the format string from that point on. */ - unsigned HOST_WIDE_INT off - = (unsigned HOST_WIDE_INT)(beg - info.fmtstr) + navail; - - size_t len = strlen (info.fmtstr + off); - - /* Create a location that underscores the substring of the format - string that is or may be written past the end (or is or may be - truncated), pointing the caret at the first character of the - substring. */ - substring_loc loc - (info.fmtloc, TREE_TYPE (info.format), off, len ? off : 0, - off + len - !!len); - - /* Is the output of the last directive the result of the argument - being within a range whose lower bound would fit in the buffer - but the upper bound would not? If so, use the word "may" to - indicate that the overflow/truncation may (but need not) happen. */ - bool boundrange - = (res->number_chars_min < res->number_chars_max - && res->number_chars_min + nbytes <= info.objsize); - - if (!end && ((nbytes - navail) == 1 || boundrange)) - { - /* There is room for the rest of the format string but none - for the terminating nul. */ - const char *text - = (info.bounded // Snprintf and the like. - ? (boundrange - ? G_("output may be truncated before the last format character" - : "output truncated before the last format character")) - : (boundrange - ? G_("may write a terminating nul past the end " - "of the destination") - : G_("writing a terminating nul past the end " - "of the destination"))); - res->warned = fmtwarn (loc, NULL, NULL, OPT_Wformat_length_, text); - } - else - { - /* There isn't enough room for 1 or more characters that remain - to copy from the format string. */ - const char *text - = (info.bounded // Snprintf and the like. - ? (boundrange - ? G_("output may be truncated at or before format character " - "%qc at offset %wu") - : G_("output truncated at format character %qc at offset %wu")) - : (res->number_chars >= HOST_WIDE_INT_MAX - ? G_("may write format character %#qc at offset %wu past " - "the end of the destination") - : G_("writing format character %#qc at offset %wu past " - "the end of the destination"))); - - res->warned = fmtwarn (loc, NULL, NULL, OPT_Wformat_length_, - text, info.fmtstr[off], off); - } - } - - if (res->warned && !end && info.objsize < HOST_WIDE_INT_MAX) + if (!dir.beg[0] && res->warned && info.objsize < HOST_WIDE_INT_MAX) { /* If a warning has been issued for buffer overflow or truncation (but not otherwise) help the user figure out how big a buffer @@ -2271,390 +2511,433 @@ add_bytes (const pass_sprintf_length::call_info &info, location_t callloc = gimple_location (info.callstmt); - unsigned HOST_WIDE_INT min = res->number_chars_min; - unsigned HOST_WIDE_INT max = res->number_chars_max; - unsigned HOST_WIDE_INT exact - = (res->number_chars < HOST_WIDE_INT_MAX - ? res->number_chars : res->number_chars_min); + unsigned HOST_WIDE_INT min = res->range.min; + unsigned HOST_WIDE_INT max = res->range.max; + unsigned HOST_WIDE_INT exact = res->range.min; if (min < max && max < HOST_WIDE_INT_MAX) inform (callloc, - "format output between %wu and %wu bytes into " + "%qE output between %wu and %wu bytes into " "a destination of size %wu", - min + nbytes, max + nbytes, info.objsize); + info.func, min, max, info.objsize); else inform (callloc, - (nbytes + exact == 1 - ? G_("format output %wu byte into a destination of size %wu") - : G_("format output %wu bytes into a destination of size %wu")), - nbytes + exact, info.objsize); + (exact == 1 + ? G_("%qE output %wu byte into a destination of size %wu") + : G_("%qE output %wu bytes into a destination of size %wu")), + info.func, exact, info.objsize); } - /* Add the number of bytes and then check for INT_MAX overflow. */ - *res += nbytes; + if (dump_file && *dir.beg) + { + fprintf (dump_file, " Result: %lli, %lli, %lli, %lli " + "(%lli, %lli, %lli, %lli)\n", + (long long)fmtres.range.min, + (long long)fmtres.range.likely, + (long long)fmtres.range.max, + (long long)fmtres.range.unlikely, + (long long)res->range.min, + (long long)res->range.likely, + (long long)res->range.max, + (long long)res->range.unlikely); + } + + return true; +} + +#pragma GCC diagnostic pop - /* Has the minimum output length minus the terminating nul exceeded - INT_MAX? */ - bool exceedmin = (res->number_chars_min - !end) > target_int_max (); +static size_t +parse_directive (const pass_sprintf_length::call_info &info, + directive &dir, format_result *res, + const char *str, unsigned *argno) +{ + const char *pcnt = strchr (str, '%'); + dir.beg = str; - if (!res->warned - && (exceedmin - || (1 < warn_format_length - && (res->number_chars_max - !end) > target_int_max ()))) + if (size_t len = pcnt ? pcnt - str : *str ? strlen (str) : 1) { - /* The function's output exceeds INT_MAX bytes. */ + /* This directive is either a plain string or the terminating nul + (which isn't really a directive but it simplifies things to + handle it as if it were). */ + dir.len = len; + dir.fmtfunc = format_plain; - /* Set NAVAIL to the number of available bytes used to decide - whether or not to issue a warning below. The exact kind of - warning will depend on AVAIL_RANGE. */ - unsigned HOST_WIDE_INT navail = avail_range.max; - if (nbytes <= navail && avail_range.min < HOST_WIDE_INT_MAX - && (res->bounded || 1 < warn_format_length)) - navail = avail_range.min; - - /* Compute the offset of the first format character that is beyond - the end of the destination region and the length of the rest of - the format string from that point on. */ - unsigned HOST_WIDE_INT off = (unsigned HOST_WIDE_INT)(beg - info.fmtstr); - if (navail < HOST_WIDE_INT_MAX) - off += navail; - - size_t len = strlen (info.fmtstr + off); - - substring_loc loc - (info.fmtloc, TREE_TYPE (info.format), off - !len, len ? off : 0, - off + len - !!len); - - if (res->number_chars_min == res->number_chars_max) - res->warned = fmtwarn (loc, NULL, NULL, - OPT_Wformat_length_, - "output of %wu bytes causes " - "result to exceed %", - res->number_chars_min - !end); - else + if (dump_file) { - const char *text - = (exceedmin - ? G_ ("output between %wu and %wu bytes causes " - "result to exceed %") - : G_ ("output between %wu and %wu bytes may cause " - "result to exceed %")); - res->warned = fmtwarn (loc, NULL, NULL, OPT_Wformat_length_, - text, - res->number_chars_min - !end, - res->number_chars_max - !end); + fprintf (dump_file, " Directive %u at offset %zu: \"%.*s\", " + "length = %zu\n", + dir.dirno, (size_t)(dir.beg - info.fmtstr), + (int)dir.len, dir.beg, dir.len); } - } -} -#pragma GCC diagnostic pop + return len - !*str; + } -/* Compute the length of the output resulting from the call to a formatted - output function described by INFO and store the result of the call in - *RES. Issue warnings for detected past the end writes. Return true - if the complete format string has been processed and *RES can be relied - on, false otherwise (e.g., when a unknown or unhandled directive was seen - that caused the processing to be terminated early). */ + const char *pf = pcnt + 1; -bool -pass_sprintf_length::compute_format_length (const call_info &info, - format_result *res) -{ - /* The variadic argument counter. */ - unsigned argno = info.argidx; + /* POSIX numbered argument index or zero when none. */ + unsigned dollar = 0; + HOST_WIDE_INT width = -1; + HOST_WIDE_INT precision = -1; - /* Reset exact, minimum, and maximum character counters. */ - res->number_chars = res->number_chars_min = res->number_chars_max = 0; + tree star_width = NULL_TREE; + tree star_precision = NULL_TREE; - /* No directive has been seen yet so the length of output is bounded - by the known range [0, 0] and constant (with no conversion producing - more than 4K bytes) until determined otherwise. */ - res->bounded = true; - res->knownrange = true; - res->constant = true; - res->under4k = true; - res->floating = false; - res->warned = false; + if (ISDIGIT (*pf)) + { + /* This could be either a POSIX positional argument, the '0' + flag, or a width, depending on what follows. Store it as + width and sort it out later after the next character has + been seen. */ + char *end; + width = strtol (pf, &end, 10); + pf = end; + } + else if ('*' == *pf) + { + /* Similarly to the block above, this could be either a POSIX + positional argument or a width, depending on what follows. */ + if (gimple_call_num_args (info.callstmt) <= *argno) + return 0; - const char *pf = info.fmtstr; + star_width = gimple_call_arg (info.callstmt, (*argno)++); + ++pf; + } - for ( ; ; ) + if (*pf == '$') { - /* The beginning of the next format directive. */ - const char *dir = strchr (pf, '%'); + /* Handle the POSIX dollar sign which references the 1-based + positional argument number. */ + if (width != -1) + dollar = width + info.argidx; + else if (star_width + && TREE_CODE (star_width) == INTEGER_CST) + dollar = width + tree_to_shwi (star_width); - /* Add the number of bytes between the end of the last directive - and either the next if one exists, or the end of the format - string. */ - add_bytes (info, pf, dir, res); + /* Bail when the numbered argument is out of range (it will + have already been diagnosed by -Wformat). */ + if (dollar == 0 + || dollar == info.argidx + || dollar > gimple_call_num_args (info.callstmt)) + return false; - if (!dir) - break; + --dollar; - pf = dir + 1; + star_width = NULL_TREE; + width = -1; + ++pf; + } - if (0 && *pf == 0) + if (dollar || !star_width) + { + if (width != -1) { - /* Incomplete directive. */ - return false; + if (width == 0) + { + /* The '0' that has been interpreted as a width above is + actually a flag. Reset HAVE_WIDTH, set the '0' flag, + and continue processing other flags. */ + width = -1; + dir.set_flag ('0'); + } + else if (!dollar) + { + /* (Non-zero) width has been seen. The next character + is either a period or a digit. */ + goto start_precision; + } } + /* When either '$' has been seen, or width has not been seen, + the next field is the optional flags followed by an optional + width. */ + for ( ; ; ) { + switch (*pf) + { + case ' ': + case '0': + case '+': + case '-': + case '#': + dir.set_flag (*pf++); + break; + + default: + goto start_width; + } + } - conversion_spec spec = conversion_spec (); + start_width: + if (ISDIGIT (*pf)) + { + char *end; + width = strtol (pf, &end, 10); + pf = end; + } + else if ('*' == *pf) + { + star_width = gimple_call_arg (info.callstmt, (*argno)++); + ++pf; + } + else if ('\'' == *pf) + { + /* The POSIX apostrophe indicating a numeric grouping + in the current locale. Even though it's possible to + estimate the upper bound on the size of the output + based on the number of digits it probably isn't worth + continuing. */ + return 0; + } + } - /* POSIX numbered argument index or zero when none. */ - unsigned dollar = 0; + start_precision: + if ('.' == *pf) + { + ++pf; if (ISDIGIT (*pf)) { - /* This could be either a POSIX positional argument, the '0' - flag, or a width, depending on what follows. Store it as - width and sort it out later after the next character has - been seen. */ char *end; - spec.width = strtol (pf, &end, 10); - spec.have_width = true; + precision = strtol (pf, &end, 10); pf = end; } else if ('*' == *pf) { - /* Similarly to the block above, this could be either a POSIX - positional argument or a width, depending on what follows. */ - if (gimple_call_num_args (info.callstmt) <= argno) - return false; - - spec.star_width = gimple_call_arg (info.callstmt, argno++); + star_precision = gimple_call_arg (info.callstmt, (*argno)++); ++pf; } + else + { + /* The decimal precision or the asterisk are optional. + When neither is dirified it's taken to be zero. */ + precision = 0; + } + } - if (*pf == '$') + switch (*pf) + { + case 'h': + if (pf[1] == 'h') { - /* Handle the POSIX dollar sign which references the 1-based - positional argument number. */ - if (spec.have_width) - dollar = spec.width + info.argidx; - else if (spec.star_width - && TREE_CODE (spec.star_width) == INTEGER_CST) - dollar = spec.width + tree_to_shwi (spec.star_width); - - /* Bail when the numbered argument is out of range (it will - have already been diagnosed by -Wformat). */ - if (dollar == 0 - || dollar == info.argidx - || dollar > gimple_call_num_args (info.callstmt)) - return false; - - --dollar; - - spec.star_width = NULL_TREE; - spec.have_width = false; ++pf; + dir.modifier = FMT_LEN_hh; } + else + dir.modifier = FMT_LEN_h; + ++pf; + break; - if (dollar || !spec.star_width) - { - if (spec.have_width) - { - if (spec.width == 0) - { - /* The '0' that has been interpreted as a width above is - actually a flag. Reset HAVE_WIDTH, set the '0' flag, - and continue processing other flags. */ - spec.have_width = false; - spec.set_flag ('0'); - } - else if (!dollar) - { - /* (Non-zero) width has been seen. The next character - is either a period or a digit. */ - goto start_precision; - } - } - /* When either '$' has been seen, or width has not been seen, - the next field is the optional flags followed by an optional - width. */ - for ( ; ; ) { - switch (*pf) - { - case ' ': - case '0': - case '+': - case '-': - case '#': - spec.set_flag (*pf++); - break; - - default: - goto start_width; - } - } + case 'j': + dir.modifier = FMT_LEN_j; + ++pf; + break; - start_width: - if (ISDIGIT (*pf)) - { - char *end; - spec.width = strtol (pf, &end, 10); - spec.have_width = true; - pf = end; - } - else if ('*' == *pf) - { - spec.star_width = gimple_call_arg (info.callstmt, argno++); - ++pf; - } - else if ('\'' == *pf) - { - /* The POSIX apostrophe indicating a numeric grouping - in the current locale. Even though it's possible to - estimate the upper bound on the size of the output - based on the number of digits it probably isn't worth - continuing. */ - return false; - } - } + case 'L': + dir.modifier = FMT_LEN_L; + ++pf; + break; - start_precision: - if ('.' == *pf) + case 'l': + if (pf[1] == 'l') { ++pf; + dir.modifier = FMT_LEN_ll; + } + else + dir.modifier = FMT_LEN_l; + ++pf; + break; - if (ISDIGIT (*pf)) - { - char *end; - spec.precision = strtol (pf, &end, 10); - spec.have_precision = true; - pf = end; - } - else if ('*' == *pf) - { - spec.star_precision = gimple_call_arg (info.callstmt, argno++); - ++pf; - } + case 't': + dir.modifier = FMT_LEN_t; + ++pf; + break; + + case 'z': + dir.modifier = FMT_LEN_z; + ++pf; + break; + } + + switch (*pf) + { + /* Handle a sole '%' character the same as "%%" but since it's + undefined prevent the result from being folded. */ + case '\0': + --pf; + res->range.min = res->range.max = HOST_WIDE_INT_M1U; + /* FALLTHRU */ + case '%': + dir.fmtfunc = format_percent; + break; + + case 'a': + case 'A': + case 'e': + case 'E': + case 'f': + case 'F': + case 'g': + case 'G': + res->floating = true; + dir.fmtfunc = format_floating; + break; + + case 'd': + case 'i': + case 'o': + case 'u': + case 'x': + case 'X': + dir.fmtfunc = format_integer; + break; + + case 'p': + /* The %p output is implementation-defined. It's possible + to determine this format but due to extensions (edirially + those of the Linux kernel -- see bug 78512) the first %p + in the format string disables any further processing. */ + return false; + + case 'n': + break; + + case 'c': + dir.fmtfunc = format_character; + break; + + case 'S': + case 's': + dir.fmtfunc = format_string; + break; + + default: + /* Unknown conversion dirification. */ + return 0; + } + + dir.specifier = *pf++; + + if (star_width) + { + if (TREE_CODE (TREE_TYPE (star_width)) != INTEGER_TYPE) + return 0; + + dir.set_width (star_width); + } + else + dir.set_width (width); + + if (star_precision) + { + if (TREE_CODE (TREE_TYPE (star_precision)) != INTEGER_TYPE) + return 0; + + dir.set_precision (star_precision); + } + else + dir.set_precision (precision); + + /* Extract the argument if the directive takes one and if it's + available (e.g., the function doesn't take a va_list). Treat + missing arguments the same as va_list, even though they will + have likely already been diagnosed by -Wformat. */ + if (dir.specifier != '%' + && *argno < gimple_call_num_args (info.callstmt)) + dir.arg = gimple_call_arg (info.callstmt, dollar ? dollar : (*argno)++); + + /* Return the length of the format directive. */ + dir.len = pf - pcnt; + + if (dump_file) + { + fprintf (dump_file, " Directive %u at offset %zu: \"%.*s\"", + dir.dirno, (size_t)(dir.beg - info.fmtstr), + (int)dir.len, dir.beg); + if (star_width) + { + if (dir.width[0] == dir.width[1]) + fprintf (dump_file, ", width = %lli", (long long)dir.width[0]); else - { - /* The decimal precision or the asterisk are optional. - When neither is specified it's taken to be zero. */ - spec.precision = 0; - spec.have_precision = true; - } + fprintf (dump_file, ", width in range [%lli, %lli]", + (long long)dir.width[0], (long long)dir.width[1]); } - switch (*pf) + if (star_precision) { - case 'h': - if (pf[1] == 'h') - { - ++pf; - spec.modifier = FMT_LEN_hh; - } + if (dir.prec[0] == dir.prec[1]) + fprintf (dump_file, ", precision = %lli", (long long)dir.prec[0]); else - spec.modifier = FMT_LEN_h; - ++pf; - break; + fprintf (dump_file, ", precision in range [%lli, %lli]", + (long long)dir.prec[0], (long long)dir.prec[1]); + } + fputc ('\n', dump_file); + } - case 'j': - spec.modifier = FMT_LEN_j; - ++pf; - break; + return dir.len; +} - case 'L': - spec.modifier = FMT_LEN_L; - ++pf; - break; +/* Compute the length of the output resulting from the call to a formatted + output function described by INFO and store the result of the call in + *RES. Issue warnings for detected past the end writes. Return true + if the complete format string has been processed and *RES can be relied + on, false otherwise (e.g., when a unknown or unhandled directive was seen + that caused the processing to be terminated early). */ - case 'l': - if (pf[1] == 'l') - { - ++pf; - spec.modifier = FMT_LEN_ll; - } - else - spec.modifier = FMT_LEN_l; - ++pf; - break; +bool +pass_sprintf_length::compute_format_length (const call_info &info, + format_result *res) +{ + if (dump_file) + { + location_t callloc = gimple_location (info.callstmt); + fprintf (dump_file, "%s:%i: ", + LOCATION_FILE (callloc), LOCATION_LINE (callloc)); + print_generic_expr (dump_file, info.func, dump_flags); - case 't': - spec.modifier = FMT_LEN_t; - ++pf; - break; + fprintf (dump_file, ": objsize = %llu, fmtstr = \"%s\"\n", + (unsigned long long)info.objsize, info.fmtstr); + } - case 'z': - spec.modifier = FMT_LEN_z; - ++pf; - break; - } + /* Reset exact, minimum, and maximum character counters. */ + res->range.min = res->range.max = 0; - switch (*pf) - { - /* Handle a sole '%' character the same as "%%" but since it's - undefined prevent the result from being folded. */ - case '\0': - --pf; - res->bounded = false; - /* FALLTHRU */ - case '%': - spec.fmtfunc = format_percent; - break; - - case 'a': - case 'A': - case 'e': - case 'E': - case 'f': - case 'F': - case 'g': - case 'G': - res->floating = true; - spec.fmtfunc = format_floating; - break; - - case 'd': - case 'i': - case 'o': - case 'u': - case 'x': - case 'X': - spec.fmtfunc = format_integer; - break; - - case 'p': - /* The %p output is implementation-defined. It's possible - to determine this format but due to extensions (especially - those of the Linux kernel -- see bug 78512) the first %p - in the format string disables any further processing. */ - return false; - - case 'n': - break; - - case 'c': - case 'S': - case 's': - spec.fmtfunc = format_string; - break; - - default: - /* Unknown conversion specification. */ - return false; - } + /* No directive has been seen yet so the length of output is bounded + by the known range [0, 0] and constant (with no conversion producing + more than 4K bytes) until determined otherwise. */ + res->knownrange = true; + res->under4k = true; + res->floating = false; + res->warned = false; - spec.specifier = *pf++; + /* 1-based directive counter. */ + unsigned dirno = 1; - /* Compute the length of the format directive. */ - size_t dirlen = pf - dir; + /* The variadic argument counter. */ + unsigned argno = info.argidx; + + for (const char *pf = info.fmtstr; ; ++dirno) + { + directive dir = directive (); + dir.dirno = dirno; + + size_t n = parse_directive (info, dir, res, pf, &argno); + + /* Return failure if the format function fails. */ + if (!format_directive (info, res, dir)) + return false; - /* Extract the argument if the directive takes one and if it's - available (e.g., the function doesn't take a va_list). Treat - missing arguments the same as va_list, even though they will - have likely already been diagnosed by -Wformat. */ - tree arg = NULL_TREE; - if (spec.specifier != '%' - && argno < gimple_call_num_args (info.callstmt)) - arg = gimple_call_arg (info.callstmt, dollar ? dollar : argno++); + /* Return success the directive is zero bytes long and it's + the last think in the format string (i.e., it's the terminating + nul, which isn't really a directive but handling it as one makes + things simpler). */ + if (!n) + return *pf == '\0'; - ::format_directive (info, res, dir, dirlen, spec, arg); + pf += n; } - /* Complete format string was processed (with or without warnings). */ + /* The complete format string was processed (with or without warnings). */ return true; } @@ -2689,6 +2972,27 @@ try_substitute_return_value (gimple_stmt_iterator *gsi, const format_result &res) { tree lhs = gimple_get_lhs (info.callstmt); + if (!lhs) + return; + + unsigned HOST_WIDE_INT minretval = res.range.min; + + /* The maximum return value is in most cases bounded by RES.RANGE.MAX + but in cases involving multibyte characters could be as large as + RES.RANGE.UNLIKELY. */ + unsigned HOST_WIDE_INT maxretval + = res.range.unlikely < res.range.max ? res.range.max : res.range.unlikely; + + /* Adjust the number of bytes which includes the terminating nul + to reflect the return value of the function which does not. + Because the valid range of the function is [INT_MIN, INT_MAX], + a valid range before the adjustment below is [0, INT_MAX + 1] + (the functions only return negative values on error or undefined + behavior). */ + if (minretval <= target_int_max () + 1) + --minretval; + if (maxretval <= target_int_max () + 1) + --maxretval; /* Avoid the return value optimization when the behavior of the call is undefined either because any directive may have produced 4K or @@ -2696,18 +3000,18 @@ try_substitute_return_value (gimple_stmt_iterator *gsi, the output overflows the destination object (but leave it enabled when the function is bounded because then the behavior is well- defined). */ - if (lhs && res.bounded && res.under4k - && (info.bounded || res.number_chars <= info.objsize) - && res.number_chars - 1 <= target_int_max ()) + if (res.under4k + && minretval == maxretval + && (info.bounded || minretval < info.objsize) + && minretval <= target_int_max ()) { - tree cst = build_int_cst (integer_type_node, res.number_chars - 1); + tree cst = build_int_cst (integer_type_node, minretval); if (info.nowrite) { /* Replace the call to the bounded function with a zero size (e.g., snprintf(0, 0, "%i", 123) with the constant result - of the function minus 1 for the terminating NUL which - the function's return value does not include. */ + of the function. */ if (!update_call_from_tree (gsi, cst)) gimplify_and_update_call_from_tree (gsi, cst); gimple *callstmt = gsi_stmt (*gsi); @@ -2716,8 +3020,7 @@ try_substitute_return_value (gimple_stmt_iterator *gsi, else { /* Replace the left-hand side of the call with the constant - result of the formatted function minus 1 for the terminating - NUL which the function's return value does not include. */ + result of the formatted function. */ gimple_call_set_lhs (info.callstmt, NULL_TREE); gimple *g = gimple_build_assign (lhs, cst); gsi_insert_after (gsi, g, GSI_NEW_STMT); @@ -2726,72 +3029,62 @@ try_substitute_return_value (gimple_stmt_iterator *gsi, if (dump_file) { - location_t callloc = gimple_location (info.callstmt); - fprintf (dump_file, "On line %i substituting ", - LOCATION_LINE (callloc)); + fprintf (dump_file, " Substituting %llu", + (unsigned long long)info.objsize); print_generic_expr (dump_file, cst, dump_flags); - fprintf (dump_file, " for "); - print_generic_expr (dump_file, info.func, dump_flags); - fprintf (dump_file, " %s (output %s).\n", - info.nowrite ? "call" : "return value", - res.constant ? "constant" : "variable"); + fprintf (dump_file, " for %s.\n", + info.nowrite ? "statement" : "return value"); } } else { - unsigned HOST_WIDE_INT maxbytes; + bool setrange = false; - if (lhs - && res.bounded - && ((maxbytes = res.number_chars - 1) <= target_int_max () - || (res.number_chars_min - 1 <= target_int_max () - && (maxbytes = res.number_chars_max - 1) <= target_int_max ())) - && (info.bounded || maxbytes < info.objsize)) + if ((info.bounded || maxretval < info.objsize) + && (minretval <= target_int_max () + || maxretval <= target_int_max ())) { + if (target_int_max () < minretval || !res.under4k) + minretval = target_int_min (); + + if (target_int_max () < maxretval) + maxretval = target_int_max (); + /* If the result is in a valid range bounded by the size of the destination set it so that it can be used for subsequent optimizations. */ int prec = TYPE_PRECISION (integer_type_node); - if (res.number_chars < target_int_max () && res.under4k) - { - wide_int num = wi::shwi (res.number_chars - 1, prec); - set_range_info (lhs, VR_RANGE, num, num); - } - else if (res.number_chars_min < target_int_max () - && res.number_chars_max < target_int_max ()) - { - wide_int min = wi::shwi (res.under4k ? res.number_chars_min - 1 - : target_int_min (), prec); - wide_int max = wi::shwi (res.number_chars_max - 1, prec); - set_range_info (lhs, VR_RANGE, min, max); - } + wide_int min = wi::shwi (minretval, prec); + wide_int max = wi::shwi (maxretval, prec); + set_range_info (lhs, VR_RANGE, min, max); + + setrange = true; } if (dump_file) { const char *inbounds - = (res.number_chars_min <= info.objsize - ? (res.number_chars_max <= info.objsize + = (minretval <= info.objsize + ? (maxretval <= info.objsize ? "in" : "potentially out-of") : "out-of"); - location_t callloc = gimple_location (info.callstmt); - fprintf (dump_file, "On line %i ", LOCATION_LINE (callloc)); - print_generic_expr (dump_file, info.func, dump_flags); - - const char *ign = lhs ? "" : " ignored"; - if (res.number_chars >= HOST_WIDE_INT_MAX) + const char *what = setrange ? "Setting" : "Discarding"; + if (minretval != maxretval) fprintf (dump_file, - " %s-bounds return value in range [%lu, %lu]%s.\n", - inbounds, - (unsigned long)res.number_chars_min, - (unsigned long)res.number_chars_max, ign); + " %s %s-bounds return value range [%llu, %llu].\n", + what, inbounds, + (unsigned long long)minretval, + (unsigned long long)maxretval); else - fprintf (dump_file, " %s-bounds return value %lu%s.\n", - inbounds, (unsigned long)res.number_chars, ign); + fprintf (dump_file, " %s %s-bounds return value %llu.\n", + what, inbounds, (unsigned long long)minretval); } } + + if (dump_file) + fputc ('\n', dump_file); } /* Determine if a GIMPLE CALL is to one of the sprintf-like built-in diff --git a/gcc/testsuite/gcc.dg/format/pr78569.c b/gcc/testsuite/gcc.dg/format/pr78569.c index e827087..5755986 100644 --- a/gcc/testsuite/gcc.dg/format/pr78569.c +++ b/gcc/testsuite/gcc.dg/format/pr78569.c @@ -20,5 +20,5 @@ void test (void) "channel uplink (see section 7.6.1)."); /* { dg-warning "output truncated" "" { target *-*-* } 7 } */ - /* { dg-message "format output" "" { target *-*-* } 6 } */ + /* { dg-message ".__builtin_snprintf. output" "" { target *-*-* } 6 } */ } diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-5.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-5.c index c4489ac..abffcae 100644 --- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-5.c +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-5.c @@ -135,7 +135,6 @@ void test_arg_string (const char *s) void test_arg_multiarg (int i, double d) { - EQL (16, "%i %f %s", 123, 3.14, "abc"); EQL (16, "%12i %s", i, "abc"); EQL (16, "%*i %s", 12, i, "abc"); } diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-1.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-1.c index 4d08bcd..e34f0bc 100644 --- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-1.c +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-1.c @@ -11,21 +11,19 @@ #define INT_MAX __INT_MAX__ +typedef __builtin_va_list va_list; + + char buffer [256]; extern char *ptr; -/* Evaluate to an array of SIZE characters when non-negative and LINE - is not set or set to the line the macro is on, or to a pointer to - an unknown object otherwise. */ -#define buffer(size) \ - (0 <= size && (!LINE || __LINE__ == LINE) \ - ? buffer + sizeof buffer - size : ptr) +/* Evaluate to an array of SIZE characters when non-negative, or to + a pointer to an unknown object otherwise. */ +#define buffer(size) \ + ((0 <= size) ? buffer + sizeof buffer - (size) : ptr) -/* Evaluate to SIZE when non-negative and LINE is not set or set to - the line the macro is on, or to SIZE_MAX otherise. */ -#define objsize(size) \ - (0 <= size && (!LINE || __LINE__ == LINE) \ - ? size : __SIZE_MAX__) +/* Evaluate to SIZE when non-negative, or to SIZE_MAX otherise. */ +#define objsize(size) ((0 <= size) ? (size) : __SIZE_MAX__) typedef __SIZE_TYPE__ size_t; @@ -61,12 +59,26 @@ const char s8[] = "12345678"; void sink (void*, ...); +int dummy_sprintf (char*, const char*, ...); +int dummy_snprintf (char*, size_t, const char*, ...); +int dummy_vsprintf (char*, const char*, va_list); +int dummy_vsnprintf (char*, size_t, const char*, va_list); +int dummy___sprintf_chk (char*, int, size_t, const char*, ...); +int dummy___snprintf_chk (char*, size_t, int, size_t, const char*, ...); +int dummy___vsprintf_chk (char*, int, size_t, const char*, va_list); +int dummy___vsnprintf_chk (char*, size_t, int, size_t, const char*, va_list); + +/* Helper to expand function to either __builtin_f or dummy_f to + make debugging GCC easy. */ +#define FUNC(f) \ + ((!LINE || LINE == __LINE__) ? __builtin_ ## f : dummy_ ## f) + /* Macro to verify that calls to __builtin_sprintf (i.e., with no size argument) issue diagnostics by correctly determining the size of the destination buffer. */ #define T(size, fmt, ...) \ - __builtin_sprintf (buffer (size), fmt, __VA_ARGS__), \ - sink (buffer, ptr); + (FUNC (sprintf) (buffer (size), fmt, __VA_ARGS__), \ + sink (buffer, ptr)) /* Exercise the "%c" and "%lc" directive with constant arguments. */ @@ -109,19 +121,21 @@ void test_sprintf_flexarray (void *p, int i) struct S { int n; - char a []; + char a[]; } *s = p; - __builtin_sprintf (s->a, "%c", 'x'); + FUNC (sprintf)(s->a, "%c", 'x'); - __builtin_sprintf (s->a, "%s", ""); - __builtin_sprintf (s->a, "%s", "abc"); - __builtin_sprintf (s->a, "abc%sghi", "def"); + FUNC (sprintf)(s->a, "%-s", ""); + FUNC (sprintf)(s->a, "%-s", "abc"); + FUNC (sprintf)(s->a, "abc%sghi", "def"); - __builtin_sprintf (s->a, "%i", 1234); + FUNC (sprintf)(s->a, "%i", 1234); - __builtin_sprintf (buffer (1), "%s", s->a); - __builtin_sprintf (buffer (1), "%s", s [i].a); + FUNC (sprintf)(buffer (1), "%-s", s->a); /* { dg-warning "may write a terminating nul past the end" } */ + FUNC (sprintf)(buffer (1), "%-s", s [i].a); /* { dg-warning "may write a terminating nul past the end" } */ + FUNC (sprintf)(buffer (2), "%-s", s->a); + FUNC (sprintf)(buffer (2), "%-s", s [i].a); } /* Same as above but for zero-length arrays. */ @@ -134,22 +148,22 @@ void test_sprintf_zero_length_array (void *p, int i) char a [0]; } *s = p; - __builtin_sprintf (s->a, "%c", 'x'); + FUNC (sprintf)(s->a, "%c", 'x'); - __builtin_sprintf (s->a, "%s", ""); - __builtin_sprintf (s->a, "%s", "abc"); - __builtin_sprintf (s->a, "abc%sghi", "def"); + FUNC (sprintf)(s->a, "%s", ""); + FUNC (sprintf)(s->a, "%s", "abc"); + FUNC (sprintf)(s->a, "abc%sghi", "def"); - __builtin_sprintf (s->a, "%i", 1234); + FUNC (sprintf)(s->a, "%i", 1234); - __builtin_sprintf (buffer (1), "%s", s->a); - __builtin_sprintf (buffer (1), "%s", s [i].a); + FUNC (sprintf)(buffer (1), "%s", s->a); + FUNC (sprintf)(buffer (1), "%s", s [i].a); } #undef T -#define T(size, fmt, ...) \ - __builtin___sprintf_chk (buffer (size), 0, objsize (size), fmt, \ - __VA_ARGS__), sink (buffer, ptr) +#define T(size, fmt, ...) \ + (FUNC (__sprintf_chk) (buffer (size), 0, objsize (size), fmt, __VA_ARGS__), \ + sink (buffer, ptr)) /* Exercise the "%c" and "%lc" directive with constant arguments. */ @@ -286,6 +300,7 @@ void test_sprintf_chk_s_const (void) T (2, "_%s", ""); T (2, "%%%s", ""); + T (2, "%%%%%s", ""); /* { dg-warning "nul past the end" } */ T (2, "%s%%", ""); T (2, "_%s", "1"); /* { dg-warning "nul past the end" } */ T (2, "%%%s", "1"); /* { dg-warning "nul past the end" } */ @@ -317,7 +332,10 @@ void test_sprintf_chk_s_const (void) T (1, "%*ls", 0, L"\0"); T (1, "%*ls", 1, L""); /* { dg-warning "nul past the end" } */ - T (1, "%ls", L"1"); /* { dg-warning "nul past the end" } */ + /* A wide character string need not convert into any bytes (although + individual ASCII characters are assumed to convert into 1 bt %lc + so this could be made smarter. */ + T (1, "%ls", L"1"); /* { dg-warning "directive writing up to 6 bytes into a region of size 1" } */ T (1, "%.0ls", L"1"); T (2, "%.0ls", L"1"); T (2, "%.1ls", L"1"); @@ -333,9 +351,9 @@ void test_sprintf_chk_s_const (void) T (3, "%.0ls", L"1"); T (3, "%.1ls", L"1"); T (3, "%.2ls", L"1"); - T (3, "%ls", L"12"); + T (3, "%ls", L"12"); /* { dg-warning "directive writing up to 12 bytes" } */ - T (3, "%ls", L"123"); /* { dg-warning "nul past the end" } */ + T (3, "%ls", L"123"); /* { dg-warning "directive writing up to 18 bytes" } */ T (3, "%.0ls", L"123"); T (3, "%.1ls", L"123"); T (3, "%.2ls", L"123"); @@ -579,7 +597,7 @@ void test_sprintf_chk_integer_const (void) T ( 1, "%i", 0); /* { dg-warning "nul past the end" } */ T ( 1, "%i", 1); /* { dg-warning "nul past the end" } */ T ( 1, "%i", -1); /* { dg-warning "into a region" } */ - T ( 1, "%i_", 1); /* { dg-warning "character ._. at offset 2 past the end" } */ + T ( 1, "%i_", 1); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 1, "_%i", 1); /* { dg-warning "into a region" } */ T ( 1, "_%i_", 1); /* { dg-warning "into a region" } */ T ( 1, "%o", 0); /* { dg-warning "nul past the end" } */ @@ -596,7 +614,7 @@ void test_sprintf_chk_integer_const (void) T ( 2, "%i", 10); /* { dg-warning "nul past the end" } */ T ( 2, "%i_", 0); /* { dg-warning "nul past the end" } */ T ( 2, "_%i", 0); /* { dg-warning "nul past the end" } */ - T ( 2, "_%i_", 0); /* { dg-warning "character ._. at offset 3 past the end" } */ + T ( 2, "_%i_", 0); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 2, "%o", 1); T ( 2, "%o", 7); T ( 2, "%o", 010); /* { dg-warning "nul past the end" } */ @@ -678,7 +696,7 @@ void test_sprintf_chk_j_const (void) T ( 1, "%ji", I ( 0)); /* { dg-warning "nul past the end" } */ T ( 1, "%ji", I ( 1)); /* { dg-warning "nul past the end" } */ T ( 1, "%ji", I ( -1)); /* { dg-warning "into a region" } */ - T ( 1, "%ji_", I ( 1)); /* { dg-warning "character ._. at offset 3 past the end" } */ + T ( 1, "%ji_", I ( 1)); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 1, "_%ji", I ( 1)); /* { dg-warning "into a region" } */ T ( 1, "_%ji_",I ( 1)); /* { dg-warning "into a region" } */ T ( 1, "%jo", I ( 0)); /* { dg-warning "nul past the end" } */ @@ -695,7 +713,7 @@ void test_sprintf_chk_j_const (void) T ( 2, "%ji", I ( 10)); /* { dg-warning "nul past the end" } */ T ( 2, "%ji_", I ( 0)); /* { dg-warning "nul past the end" } */ T ( 2, "_%ji", I ( 0)); /* { dg-warning "nul past the end" } */ - T ( 2, "_%ji_",I ( 0)); /* { dg-warning "character ._. at offset 4 past the end" } */ + T ( 2, "_%ji_",I ( 0)); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 2, "%jo", I ( 1)); T ( 2, "%jo", I ( 7)); T ( 2, "%jo", I ( 010)); /* { dg-warning "nul past the end" } */ @@ -754,7 +772,7 @@ void test_sprintf_chk_l_const (void) T ( 1, "%li", 0L); /* { dg-warning "nul past the end" } */ T ( 1, "%li", 1L); /* { dg-warning "nul past the end" } */ T ( 1, "%li", -1L); /* { dg-warning "into a region" } */ - T ( 1, "%li_", 1L); /* { dg-warning "character ._. at offset 3 past the end" } */ + T ( 1, "%li_", 1L); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 1, "_%li", 1L); /* { dg-warning "into a region" } */ T ( 1, "_%li_", 1L); /* { dg-warning "into a region" } */ T ( 1, "%lo", 0L); /* { dg-warning "nul past the end" } */ @@ -771,7 +789,7 @@ void test_sprintf_chk_l_const (void) T ( 2, "%li", 10L); /* { dg-warning "nul past the end" } */ T ( 2, "%li_", 0L); /* { dg-warning "nul past the end" } */ T ( 2, "_%li", 0L); /* { dg-warning "nul past the end" } */ - T ( 2, "_%li_", 0L); /* { dg-warning "character ._. at offset 4 past the end" } */ + T ( 2, "_%li_", 0L); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 2, "%lo", 1L); T ( 2, "%lo", 7L); T ( 2, "%lo", 010L); /* { dg-warning "nul past the end" } */ @@ -830,7 +848,7 @@ void test_sprintf_chk_ll_const (void) T ( 1, "%lli", 0LL); /* { dg-warning "nul past the end" } */ T ( 1, "%lli", 1LL); /* { dg-warning "nul past the end" } */ T ( 1, "%lli", -1LL); /* { dg-warning "into a region" } */ - T ( 1, "%lli_", 1LL); /* { dg-warning "character ._. at offset 4 past the end" } */ + T ( 1, "%lli_", 1LL); /* { dg-warning " 1 byte into a region of size 0 " } */ T ( 1, "_%lli", 1LL); /* { dg-warning "into a region" } */ T ( 1, "_%lli_", 1LL); /* { dg-warning "into a region" } */ T ( 1, "%llo", 0LL); /* { dg-warning "nul past the end" } */ @@ -847,7 +865,7 @@ void test_sprintf_chk_ll_const (void) T ( 2, "%lli", 10LL); /* { dg-warning "nul past the end" } */ T ( 2, "%lli_", 0LL); /* { dg-warning "nul past the end" } */ T ( 2, "_%lli", 0LL); /* { dg-warning "nul past the end" } */ - T ( 2, "_%lli_", 0LL); /* { dg-warning "character ._. at offset 5 past the end" } */ + T ( 2, "_%lli_", 0LL); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 2, "%llo", 1LL); T ( 2, "%llo", 7LL); T ( 2, "%llo", 010LL); /* { dg-warning "nul past the end" } */ @@ -909,7 +927,7 @@ void test_sprintf_chk_L_const (void) T ( 1, "%Li", 0LL); /* { dg-warning "nul past the end" } */ T ( 1, "%Li", 1LL); /* { dg-warning "nul past the end" } */ T ( 1, "%Li", -1LL); /* { dg-warning "into a region" } */ - T ( 1, "%Li_", 1LL); /* { dg-warning "character ._. at offset 3 past the end" } */ + T ( 1, "%Li_", 1LL); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 1, "_%Li", 1LL); /* { dg-warning "into a region" } */ T ( 1, "_%Li_", 1LL); /* { dg-warning "into a region" } */ } @@ -920,7 +938,7 @@ void test_sprintf_chk_z_const (void) T ( 1, "%zi", (size_t)0); /* { dg-warning "nul past the end" } */ T ( 1, "%zi", (size_t)1); /* { dg-warning "nul past the end" } */ T ( 1, "%zi", (size_t)-1L);/* { dg-warning "into a region" } */ - T ( 1, "%zi_", (size_t)1); /* { dg-warning "character ._. at offset 3 past the end" } */ + T ( 1, "%zi_", (size_t)1); /* { dg-warning " 1 byte into a region of size 0" } */ T ( 1, "_%zi", (size_t)1); /* { dg-warning "into a region" } */ T ( 1, "_%zi_", (size_t)1); /* { dg-warning "into a region" } */ @@ -942,16 +960,20 @@ void test_sprintf_chk_a_const (void) /* The least number of bytes on output is 6 for "0x0p+0". When precision is missing the number of digits after the decimal point isn't fully - specified by C (it seems like a defect). */ - T (0, "%a", 0.0); /* { dg-warning "into a region" } */ - T (0, "%la", 0.0); /* { dg-warning "into a region" } */ - T (1, "%a", 0.0); /* { dg-warning "into a region" } */ - T (2, "%a", 0.0); /* { dg-warning "into a region" } */ - T (3, "%a", 0.0); /* { dg-warning "into a region" } */ - T (4, "%a", 0.0); /* { dg-warning "into a region" } */ - T (5, "%a", 0.0); /* { dg-warning "into a region" } */ - T (6, "%a", 0.0); /* { dg-warning "writing a terminating nul" } */ - T (7, "%a", 0.0); + specified by C (a defect). Two sets of implementations are known to + exist: those that trim trailing zeros (e.g., Glibc) and those that + pad output with trailing zeros so that all floating point numbers + result in the same number of bytes on output (e.g., Solaris). */ + T ( 0, "%a", 0.0); /* { dg-warning "writing between 6 and 20 bytes" } */ + T ( 0, "%la", 0.0); /* { dg-warning "between 6 and 20 bytes" } */ + T ( 1, "%a", 0.0); /* { dg-warning "between 6 and 20 bytes" } */ + T ( 2, "%a", 0.0); /* { dg-warning "between 6 and 20 bytes" } */ + T ( 3, "%a", 0.0); /* { dg-warning "between 6 and 20 bytes" } */ + T ( 4, "%a", 0.0); /* { dg-warning "between 6 and 20 bytes" } */ + T ( 5, "%a", 0.0); /* { dg-warning "between 6 and 20 bytes" } */ + T ( 6, "%a", 0.0); /* { dg-warning "between 6 and 20 bytes" } */ + T (19, "%a", 0.0); /* { dg-warning "between 6 and 20 bytes" } */ + T (20, "%a", 0.0); /* { dg-warning "may write a terminating nul" } */ T (0, "%.a", 0.0); /* { dg-warning "into a region" } */ T (0, "%.0a", 0.0); /* { dg-warning "into a region" } */ @@ -1008,24 +1030,21 @@ void test_sprintf_chk_e_const (void) T ( 6, "%.e", 1.0); T ( 6, "%.0e", 1.0); - /* The actual output of the following directives depends on the rounding - mode. Verify that the warning correctly reflects that. At level 1, - since the minimum number of bytes output by the directive fits the - space the directive itself isn't diagnosed but the terminating nul - is. The directive is diagnosed at level 2. */ - T (12, "%e", 9.999999e+99); /* { dg-warning "terminating nul" } */ - T (12, "%e", 9.9999994e+99); /* { dg-warning "terminating nul" } */ - T (12, "%e", 9.9999995e+99); /* { dg-warning "terminating nul" } */ - T (12, "%e", 9.9999996e+99); /* { dg-warning "terminating nul" } */ - T (12, "%e", 9.9999997e+99); /* { dg-warning "terminating nul" } */ - T (12, "%e", 9.9999998e+99); /* { dg-warning "terminating nul" } */ - - T (12, "%Le", 9.9999994e+99L);/* { dg-warning "terminating nul" } */ - T (12, "%Le", 9.9999995e+99L);/* { dg-warning "terminating nul" } */ - T (12, "%Le", 9.9999996e+99L);/* { dg-warning "terminating nul" } */ - T (12, "%Le", 9.9999997e+99L);/* { dg-warning "terminating nul" } */ - T (12, "%Le", 9.9999998e+99L);/* { dg-warning "terminating nul" } */ - T (12, "%Le", 9.9999999e+99L);/* { dg-warning "terminating nul" } */ + /* The output of the following directives depends on the rounding + mode. */ + T (12, "%e", 9.999999e+99); /* { dg-warning "between 12 and 13" } */ + T (12, "%e", 9.9999994e+99); /* { dg-warning "between 12 and 13" } */ + T (12, "%e", 9.9999995e+99); /* { dg-warning "between 12 and 13" } */ + T (12, "%e", 9.9999996e+99); /* { dg-warning "between 12 and 13" } */ + T (12, "%e", 9.9999997e+99); /* { dg-warning "between 12 and 13" } */ + T (12, "%e", 9.9999998e+99); /* { dg-warning "between 12 and 13" } */ + + T (12, "%Le", 9.9999994e+99L);/* { dg-warning "between 12 and 13" } */ + T (12, "%Le", 9.9999995e+99L);/* { dg-warning "between 12 and 13" } */ + T (12, "%Le", 9.9999996e+99L);/* { dg-warning "between 12 and 13" } */ + T (12, "%Le", 9.9999997e+99L);/* { dg-warning "between 12 and 13" } */ + T (12, "%Le", 9.9999998e+99L);/* { dg-warning "between 12 and 13" } */ + T (12, "%Le", 9.9999999e+99L);/* { dg-warning "between 12 and 13" } */ } /* At -Wformat-length level 1 unknown numbers are assumed to have @@ -1035,21 +1054,32 @@ void test_sprintf_chk_e_const (void) void test_sprintf_chk_s_nonconst (int w, int p, const char *s) { T (-1, "%s", s); - T ( 0, "%s", s); /* { dg-warning "nul past the end" } */ - T ( 1, "%s", s); + T ( 0, "%s", s); /* { dg-warning "writing likely 1 or more bytes" } */ + T ( 1, "%s", s); /* { dg-warning "may write a terminating nul" } */ + T (-1, "%.0s", s); T ( 1, "%.0s", s); - T ( 1, "%.1s", s); /* { dg-warning "nul past the end" } */ + T (-1, "%.1s", s); + T ( 1, "%.1s", s); /* { dg-warning "may write a terminating nul past the end" } */ + T (-1, "%.2s", s); + T ( 1, "%.2s", s); /* { dg-warning "directive writing up to 2 bytes" } */ + T ( 2, "%.2s", s); /* { dg-warning "may write a terminating nul" } */ + T ( 3, "%.2s", s); /* The string argument is constant but the width and/or precision is not. */ - T ( 1, "%*s", w, ""); - T ( 1, "%*s", w, "1"); /* { dg-warning "nul past the end" } */ + T (-1, "%*s", w, ""); + T ( 1, "%*s", w, ""); /* { dg-warning "may write a terminating nul past the end" } */ + T (-1, "%*s", w, "1"); + T ( 1, "%*s", w, "1"); /* { dg-warning "writing a terminating nul past the end" } */ + T (-1, "%.*s", p, ""); T ( 1, "%.*s", p, ""); + T (-1, "%.*s", p, "1"); T ( 1, "%.*s", p, "1"); /* { dg-warning "may write a terminating nul" } */ - T ( 1, "%.*s", w, "123"); /* { dg-warning "writing between 0 and 3 bytes into a region of size 1" } */ + T ( 1, "%.*s", w, "123"); /* { dg-warning "writing up to 3 bytes into a region of size 1" } */ - T ( 1, "%*s", w, "123"); /* { dg-warning "writing 3 or more bytes into a region of size 1" } */ - T ( 2, "%*s", w, "123"); /* { dg-warning "writing 3 or more bytes into a region of size 2" } */ + /* Either of the messages below is acceptable. */ + T ( 1, "%*s", w, "123"); /* { dg-warning "writing 3 or more bytes into a region of size 1|writing between 3 and 2147483648 bytes" } */ + T ( 2, "%*s", w, "123"); /* { dg-warning "writing 3 or more bytes into a region of size 2|writing between 3 and 2147483648 bytes" } */ T ( 3, "%*s", w, "123"); /* { dg-warning "writing a terminating nul past the end" } */ T ( 4, "%*s", w, "123"); @@ -1059,6 +1089,13 @@ void test_sprintf_chk_s_nonconst (int w, int p, const char *s) the end (we don't print "past the end" when we're not sure which we can't be with an unknown string. */ T (1, "%1s", s); /* { dg-warning "writing a terminating nul past the end" } */ + + /* Multiple directives. */ + T (1, "%s%-s", s, s); /* { dg-warning ".%-s. directive writing likely 1 or more bytes" } */ + T (1, "%s%-s%s", s, s, s); /* { dg-warning ".%-s. directive writing likely 1 or more bytes" } */ + T (1, "%1s%-s%s", s, s, s); /* { dg-warning ".%-s. directive writing likely 1 or more bytes into a region of size 0" } */ + T (1, "%s%1s%s", s, s, s); /* { dg-warning ".%1s. directive writing 1 or more bytes into a region of size between 0 and 1" } */ + T (1, "%s%-s%1s", s, s, s); /* { dg-warning ".%-s. directive writing likely 1 or more bytes into a region of size between 0 and 1" } */ } /* Exercise the hh length modifier with all integer specifiers and @@ -1167,15 +1204,15 @@ void test_sprintf_chk_hh_nonconst (int w, int p, int a) /* The argument is known but precision isn't. When the argument is zero only the first call can be diagnosed since a zero precision would result in no bytes on output. */ - T (0, "%.*hhi", p, 0); /* { dg-warning "nul past the end" } */ - T (1, "%.*hhi", p, 0); + T (0, "%.*hhi", p, 0); /* { dg-warning " writing up to \[0-9\]+ bytes" } */ + T (1, "%.*hhi", p, 0); /* { dg-warning "may write a terminating nul" }*/ T (2, "%.*hhi", p, 0); T (2, "%.*hhi", p, 12); /* { dg-warning "nul past the end" } */ T (2, "%.*hhi", p, 123); /* { dg-warning "into a region" } */ /* The argument is known but neither width nor precision is. */ - T (0, "%*.*hhi", w, p, 0); /* { dg-warning "nul past the end" } */ - T (1, "%*.*hhi", w, p, 0); + T (0, "%*.*hhi", w, p, 0); /* { dg-warning "writing up to \[0-9\]+ bytes" } */ + T (1, "%*.*hhi", w, p, 0); /* { dg-warning "may write a terminating nul" } */ T (2, "%*.*hhi", w, p, 0); T (2, "%*.*hhi", w, p, 12); /* { dg-warning "nul past the end" } */ T (2, "%*.*hhi", w, p, 123); /* { dg-warning "into a region" } */ @@ -1298,12 +1335,13 @@ void test_sprintf_chk_int_nonconst (int w, int p, int a) T (3, "%2u", a); T (3, "%2x", a); - T (1, "%.*d", p, a); + T (1, "%.*d", p, a); /* { dg-warning "nul past the end" } */ + T (2, "%.*d", p, a); T (4, "%i %i", a, a); /* The following will definitely be "writing a terminating nul past the end" (i.e., not "may write".) */ - T (4, "%i %i ", a, a); /* { dg-warning "writing a terminating nul past the end" } */ + T (4, "%i %i ", a, a); /* { dg-warning "nul past the end" } */ T (4, "%i %i %i", a, a, a); /* { dg-warning "into a region" }*/ } @@ -1347,7 +1385,7 @@ void test_sprintf_chk_e_nonconst (int w, int p, double d) T ( 8, "%.1e", d); T ( 0, "%*e", 0, d); /* { dg-warning "writing between 12 and 14 bytes into a region of size 0" } */ - T ( 0, "%*e", w, d); /* { dg-warning "writing 12 or more bytes into a region of size 0" } */ + T ( 0, "%*e", w, d); /* { dg-warning "writing 12 or more bytes into a region of size 0|writing between 12 and \[0-9\]+ bytes into a region of size 0" } */ } void test_sprintf_chk_f_nonconst (double d) @@ -1381,9 +1419,10 @@ void test_sprintf_chk_f_nonconst (double d) __builtin_sprintf_chk with non-constant arguments. */ #undef T #define T(size, fmt) \ - __builtin___vsprintf_chk (buffer (size), 0, objsize (size), fmt, va) + (FUNC (__vsprintf_chk) (buffer (size), 0, objsize (size), fmt, va), \ + sink (buffer)) -void test_vsprintf_chk_c (__builtin_va_list va) +void test_vsprintf_chk_c (va_list va) { T (-1, "%c"); @@ -1399,26 +1438,25 @@ void test_vsprintf_chk_c (__builtin_va_list va) T (3, "%c%c"); /* Wide characters. */ - T (0, "%lc"); /* { dg-warning "nul past the end" } */ - T (1, "%lc"); - T (2, "%lc"); + T (0, "%lc"); /* { dg-warning "up to 6 bytes " } */ + T (1, "%lc"); /* { dg-warning "up to 6 bytes " } */ + T (2, "%lc"); /* { dg-warning "may write a terminating nul" } */ /* The following could result in as few as a single byte and in as many as MB_CUR_MAX, but since the MB_CUR_MAX value is a runtime property the write cannot be reliably diagnosed. */ - T (2, "%lc"); - T (2, "%1lc"); + T (2, "%1lc"); /* { dg-warning "may write a terminating nul" } */ /* Writing some unknown number of bytes into a field two characters wide. */ T (2, "%2lc"); /* { dg-warning "nul past the end" } */ - T (2, "%lc%lc"); + T (2, "%lc%lc"); /* { dg-warning "writing up to 6 bytes into a region of size between 0 and 2" } */ - T (3, "%lc%c"); + T (3, "%lc%c"); /* { dg-warning "may write a terminating nul" } */ /* Here in the best case each argument will format as single character, causing the terminating NUL to be written past the end. */ - T (3, "%lc%c%c"); + T (3, "%lc%c%c"); /* { dg-warning "writing 1 byte into a region of size between 0 and 2" } */ } -void test_vsprintf_chk_int (__builtin_va_list va) +void test_vsprintf_chk_int (va_list va) { T (-1, "%d"); @@ -1462,8 +1500,9 @@ void test_vsprintf_chk_int (__builtin_va_list va) } #undef T -#define T(size, fmt, ...) \ - __builtin_snprintf (buffer (size), objsize (size), fmt, __VA_ARGS__) +#define T(size, fmt, ...) \ + (FUNC (snprintf) (buffer (size), objsize (size), fmt, __VA_ARGS__), \ + sink (buffer)) void test_snprintf_c_const (char *d) { @@ -1498,24 +1537,25 @@ void test_snprintf_c_const (char *d) T (2, "%2lc", (wint_t)L'1'); /* { dg-warning "output truncated before the last format character" } */ T (3, "%lc%c", (wint_t)'1', '2'); - /* Here in the best case each argument will format as single character, - causing the output to be truncated just before the terminating NUL - (i.e., cutting off the '3'). */ - T (3, "%lc%c%c", (wint_t)'1', '2', '3'); /* { dg-warning "output truncated" } */ - T (3, "%lc%lc%c", (wint_t)'1', (wint_t)'2', '3'); /* { dg-warning "output truncated" } */ + /* Here %lc may result in anywhere between 0 and MB_CUR_MAX characters + so the minimum number of bytes on output is 2 (plus the terminating + nul), but the likely number is 3 (plus the nul). */ + T (3, "%lc%c%c", (wint_t)'1', '2', '3'); /* { dg-warning "output may be truncated" } */ + T (3, "%lc%lc%c", (wint_t)'1', (wint_t)'2', '3'); /* { dg-warning "output may be truncated" } */ } #undef T #define T(size, fmt, ...) \ - __builtin___snprintf_chk (buffer (size), objsize (size), \ - 0, objsize (size), fmt, __VA_ARGS__) + (FUNC (__snprintf_chk) (buffer (size), objsize (size), \ + 0, objsize (size), fmt, __VA_ARGS__), \ + sink (buffer)) void test_snprintf_chk_c_const (void) { /* Verify that specifying a size of the destination buffer that's bigger than its actual size (normally determined and passed to the function by __builtin_object_size) is diagnosed. */ - __builtin___snprintf_chk (buffer, 3, 0, 2, " "); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" } */ + FUNC (__snprintf_chk)(buffer, 3, 0, 2, " "); /* { dg-warning "specified bound 3 exceeds the size 2 of the destination" } */ T (-1, "%c", 0); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size \[0-9\]+" } */ @@ -1547,11 +1587,11 @@ void test_snprintf_chk_c_const (void) T (2, "%2lc", (wint_t)'1'); /* { dg-warning "output truncated before the last format character" } */ T (3, "%lc%c", (wint_t)'1', '2'); - /* Here in the best case each argument will format as single character, - causing the output to be truncated just before the terminating NUL - (i.e., cutting off the '3'). */ - T (3, "%lc%c%c", (wint_t)'1', '2', '3'); /* { dg-warning "output truncated" } */ - T (3, "%lc%lc%c", (wint_t)'1', (wint_t)'2', '3'); /* { dg-warning "output truncated" } */ + /* Here %lc may result in anywhere between 0 and MB_CUR_MAX characters + so the minimum number of bytes on output is 2 (plus the terminating + nul), but the likely number is 3 (plus the nul). */ + T (3, "%lc%c%c", (wint_t)'1', '2', '3'); /* { dg-warning "output may be truncated" } */ + T (3, "%lc%lc%c", (wint_t)'1', (wint_t)'2', '3'); /* { dg-warning "output may be truncated" } */ } /* Macro to verify that calls to __builtin_vsprintf (i.e., with no size @@ -1559,27 +1599,28 @@ void test_snprintf_chk_c_const (void) the destination buffer. */ #undef T #define T(size, fmt) \ - __builtin_vsprintf (buffer (size), fmt, va) + (FUNC (vsprintf) (buffer (size), fmt, va), \ + sink (buffer)) -void test_vsprintf_s (__builtin_va_list va) +void test_vsprintf_s (va_list va) { T (-1, "%s"); - T (0, "%s"); /* { dg-warning "writing a terminating nul past the end" } */ - T (1, "%s"); + T (0, "%s"); /* { dg-warning "writing likely 1 or more bytes" } */ + T (1, "%s"); /* { dg-warning "may write a terminating nul" } */ T (1, "%1s"); /* { dg-warning "writing a terminating nul past the end" } */ - T (2, "%s%s"); - T (2, "%s%s_"); - T (2, "%s_%s"); - T (2, "_%s%s"); - T (2, "_%s_%s"); /* { dg-warning "writing a terminating nul past the end" } */ + T (2, "%s%s"); /* { dg-warning "may write a terminating nul" } */ + T (2, "%s%s_"); /* { dg-warning "writing 1 byte into a region of size between 0 and 2" } */ + T (2, "%s_%s"); /* { dg-warning "writing likely 1 or more bytes into a region of size between 0 and 1" } */ + T (2, "_%s%s"); /* { dg-warning "writing likely 1 or more bytes into a region of size between 0 and 1" } */ + T (2, "_%s_%s"); /* { dg-warning "writing 1 byte into a region of size between 0 and" } */ } /* Exercise all integer specifiers with no modifier and a non-constant argument. */ -void test_vsprintf_int (__builtin_va_list va) +void test_vsprintf_int (va_list va) { T (-1, "%d"); @@ -1623,45 +1664,47 @@ void test_vsprintf_int (__builtin_va_list va) } #undef T -#define T(size, fmt) \ - __builtin_vsnprintf (buffer (size), objsize (size), fmt, va) +#define T(size, fmt) \ + (FUNC (vsnprintf) (buffer (size), objsize (size), fmt, va), \ + sink (buffer)) -void test_vsnprintf_s (__builtin_va_list va) +void test_vsnprintf_s (va_list va) { T (-1, "%s"); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size \[0-9\]+" } */ T (0, "%s"); - T (1, "%s"); + T (1, "%s"); /* { dg-warning "output may be truncated" } */ T (1, "%1s"); /* { dg-warning "output truncated before the last format character" } */ - T (2, "%s%s"); - T (2, "%s%s_"); - T (2, "%s_%s"); - T (2, "_%s%s"); - T (2, "_%s_%s"); /* { dg-warning "output truncated before the last format character" } */ + T (2, "%s%s"); /* { dg-warning "output may be truncated" } */ + T (2, "%s%s_"); /* { dg-warning "output may be truncated writing 1 byte into a region of size between 0 and 2" } */ + T (2, "%s_%s"); /* { dg-warning "directive output may be truncated writing likely 1 or more bytes into a region of size between 0 and 1" } */ + T (2, "_%s%s"); /* { dg-warning "output may be truncated writing likely 1 or more bytes into a region of size between 0 and 1" } */ + T (2, "_%s_%s"); /* { dg-warning "output may be truncated writing 1 byte into a region of size between 0 and 1" } */ } #undef T -#define T(size, fmt) \ - __builtin___vsnprintf_chk (buffer (size), objsize (size), \ - 0, objsize (size), fmt, va) +#define T(size, fmt) \ + (FUNC (__vsnprintf_chk) (buffer (size), objsize (size), \ + 0, objsize (size), fmt, va), \ + sink (buffer)) -void test_vsnprintf_chk_s (__builtin_va_list va) +void test_vsnprintf_chk_s (va_list va) { /* Verify that specifying a size of the destination buffer that's bigger than its actual size (normally determined and passed to the function by __builtin_object_size) is diagnosed. */ - __builtin___vsnprintf_chk (buffer, 123, 0, 122, "%-s", va); /* { dg-warning "specified bound 123 exceeds the size 122 of the destination" } */ + FUNC (__vsnprintf_chk)(buffer, 123, 0, 122, "%-s", va); /* { dg-warning "specified bound 123 exceeds the size 122 of the destination" } */ - __builtin___vsnprintf_chk (buffer, __SIZE_MAX__, 0, 2, "%-s", va); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size \[0-9\]+" } */ + FUNC (__vsnprintf_chk)(buffer, __SIZE_MAX__, 0, 2, "%-s", va); /* { dg-warning "specified bound \[0-9\]+ exceeds maximum object size \[0-9\]+" } */ T (0, "%s"); - T (1, "%s"); + T (1, "%s"); /* { dg-warning "output may be truncated before the last format character" } */ T (1, "%1s"); /* { dg-warning "output truncated before the last format character" } */ - T (2, "%s%s"); - T (2, "%s%s_"); - T (2, "%s_%s"); - T (2, "_%s%s"); - T (2, "_%s_%s"); /* { dg-warning "output truncated before the last format character" } */ + T (2, "%s%s"); /* { dg-warning "output may be truncated before the last format character" } */ + T (2, "%s%s_"); /* { dg-warning "output may be truncated writing 1 byte into a region of size between 0 and 2" } */ + T (2, "%s_%s"); /* { dg-warning "output may be truncated writing likely 1 or more bytes into a region of size between 0 and 1" } */ + T (2, "_%s%s"); /* { dg-warning "output may be truncated writing likely 1 or more bytes into a region of size between 0 and 1" } */ + T (2, "_%s_%s"); /* { dg-warning "output may be truncated writing 1 byte into a region of size between 0 and 1" } */ } diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-2.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-2.c index 7acb83d..75ee792 100644 --- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-2.c +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-2.c @@ -1,5 +1,5 @@ /* { dg-do compile } */ -/* { dg-options "-std=c99 -Wformat -Wformat-length=2 -ftrack-macro-expansion=0" } */ +/* { dg-options "-Wformat -Wformat-length=2 -ftrack-macro-expansion=0" } */ /* When debugging, define LINE to the line number of the test case to exercise and avoid exercising any of the others. The buffer and objsize macros @@ -47,12 +47,16 @@ void test_s_const (void) T (1, "%*ls", 0, L"\0"); T (1, "%*ls", 1, L""); /* { dg-warning "nul past the end" } */ - T (1, "%ls", L"1"); /* { dg-warning "directive writing between 1 and 6 bytes into a region of size 1" } */ + /* A wide character converts into between zero and MB_LEN_MAX bytes + (although individual ASCII characters are assumed to convert into + 1 bt %lc so this could be made smarter. */ + T (1, "%ls", L"1"); /* { dg-warning "directive writing up to 6 bytes into a region of size 1" } */ T (1, "%.0ls", L"1"); T (2, "%.0ls", L"1"); T (2, "%.1ls", L"1"); T (2, "%.2ls", L"1"); /* { dg-warning "nul past the end" } */ - T (2, "%.3ls", L"1"); /* { dg-warning "directive writing between 1 and 3 bytes into a region of size 2" } */ + T (2, "%.3ls", L"1"); /* { dg-warning "directive writing up to 3 bytes into a region of size 2" } */ + T (2, "%.7ls", L"1"); /* { dg-warning "directive writing up to 6 bytes into a region of size 2" } */ T (2, "%.2ls", L"12"); /* { dg-warning "nul past the end" } */ /* The "%.2ls" directive below will write at a minimum 1 byte (because @@ -71,8 +75,8 @@ void test_s_const (void) T (3, "%.3ls", L"12"); /* { dg-warning "nul past the end" } */ T (4, "%.3ls", L"123"); T (4, "%.4ls", L"123"); /* { dg-warning "nul past the end" } */ - T (4, "%.5ls", L"123"); /* { dg-warning "directive writing between 3 and 5 bytes into a region of size 4" } */ - T (4, "%.6ls", L"123"); /* { dg-warning "directive writing between 3 and 6 bytes into a region of size 4" } */ + T (4, "%.5ls", L"123"); /* { dg-warning "directive writing up to 5 bytes into a region of size 4" } */ + T (4, "%.6ls", L"123"); /* { dg-warning "directive writing up to 6 bytes into a region of size 4" } */ } @@ -87,21 +91,32 @@ struct Arrays { /* Exercise buffer overflow detection with non-const string arguments. */ -void test_s_nonconst (const char *s, const wchar_t *ws, struct Arrays *a) +void test_s_nonconst (int w, int p, const char *s, const wchar_t *ws, + struct Arrays *a) { T (0, "%s", s); /* { dg-warning "into a region" "sprintf transformed into strcpy" { xfail *-*-* } } */ T (1, "%s", s); /* { dg-warning "nul past the end" "sprintf transformed into strcpy" { xfail *-*-* } } */ - T (1, "%1s", s); /* { dg-warning "nul past the end" } */ + T (1, "%1s", s); /* { dg-warning "writing a terminating nul" } */ T (1, "%.0s", s); T (1, "%.1s", s); /* { dg-warning "may write a terminating nul" } */ + T (1, "%*s", 0, s); /* { dg-warning "may write a terminating nul" } */ + T (1, "%*s", 1, s); /* { dg-warning "writing a terminating nul" } */ + T (1, "%*s", 2, s); /* { dg-warning "directive writing 2 or more bytes" } */ + T (1, "%*s", 3, s); /* { dg-warning "directive writing 3 or more bytes" } */ + + T (1, "%.*s", 1, s); /* { dg-warning "may write a terminating nul" } */ + T (1, "%.*s", 2, s); /* { dg-warning "writing up to 2 bytes" } */ + T (1, "%.*s", 3, s); /* { dg-warning "writing up to 3 bytes" } */ T (1, "%.0ls", ws); T (1, "%.1ls", ws); /* { dg-warning "may write a terminating nul" } */ - T (1, "%ls", ws); /* { dg-warning "writing a terminating nul" } */ + T (1, "%ls", ws); /* { dg-warning "may write a terminating nul" } */ /* Verify that the size of the array is used in lieu of its length. - The minus sign disables GCC's sprintf to strcpy transformation. */ - T (1, "%-s", a->a1); /* { dg-warning "nul past the end" } */ + The minus sign disables GCC's sprintf to strcpy transformation. + In the case below, the length of s->a1 can be at most zero, so + the call should not be diagnosed. */ + T (1, "%-s", a->a1); /* In the following test, since the length of the strings isn't known, their type (the array) is used to bound the maximum length to 1, @@ -116,8 +131,8 @@ void test_s_nonconst (const char *s, const wchar_t *ws, struct Arrays *a) /* The length of a zero length array and flexible array member is unknown and at leve 2 assumed to be at least 1. */ - T (1, "%-s", a->a0); /* { dg-warning "nul past the end" } */ - T (1, "%-s", a->ax); /* { dg-warning "nul past the end" } */ + T (1, "%-s", a->a0); /* { dg-warning "may write a terminating nul" } */ + T (1, "%-s", a->ax); /* { dg-warning "may write a terminating nul" } */ T (2, "%-s", a->a0); T (2, "%-s", a->ax); @@ -145,20 +160,20 @@ void test_hh_nonconst (int w, int p, int x, unsigned y) /* Zero precision means that zero argument formats as no bytes unless length or flags make it otherwise. */ - T (1, "%.*hhi", 0, x); /* { dg-warning "between 0 and 4 bytes" } */ - T (2, "%.*hhi", 0, x); /* { dg-warning "between 0 and 4 bytes" } */ - T (3, "%.*hhi", 0, x); /* { dg-warning "between 0 and 4 bytes" } */ + T (1, "%.*hhi", 0, x); /* { dg-warning "writing up to 4 bytes" } */ + T (2, "%.*hhi", 0, x); /* { dg-warning "writing up to 4 bytes" } */ + T (3, "%.*hhi", 0, x); /* { dg-warning "writing up to 4 bytes" } */ T (4, "%.*hhi", 0, x); /* { dg-warning "may write a terminating nul past the end of the destination" } */ - T (1, "%.*hhi", 0, y); /* { dg-warning "between 0 and 4 bytes" } */ - T (2, "%.*hhi", 0, y); /* { dg-warning "between 0 and 4 bytes" } */ - T (3, "%.*hhi", 0, y); /* { dg-warning "between 0 and 4 bytes" } */ + T (1, "%.*hhi", 0, y); /* { dg-warning "writing up to 4 bytes" } */ + T (2, "%.*hhi", 0, y); /* { dg-warning "writing up to 4 bytes" } */ + T (3, "%.*hhi", 0, y); /* { dg-warning "writing up to 4 bytes" } */ T (4, "%.*hhi", 0, y); /* { dg-warning "may write a terminating nul past the end of the destination" } */ - T (1, "%#.*hhi", 0, y); /* { dg-warning "between 0 and 4 bytes" } */ + T (1, "%#.*hhi", 0, y); /* { dg-warning "writing up to 4 bytes" } */ /* { dg-warning ".#. flag used" "-Wformat" { target *-*-* } .-1 } */ T (1, "%+.*hhi", 0, y); /* { dg-warning "between 1 and 4 bytes" } */ - T (1, "%-.*hhi", 0, y); /* { dg-warning "between 0 and 4 bytes" } */ + T (1, "%-.*hhi", 0, y); /* { dg-warning "writing up to 4 bytes" } */ T (1, "% .*hhi", 0, y); /* { dg-warning "between 1 and 4 bytes" } */ T (1, "%#.*hhi", 1, y); /* { dg-warning "between 1 and 4 bytes" } */ @@ -167,18 +182,18 @@ void test_hh_nonconst (int w, int p, int x, unsigned y) T (1, "%-.*hhi", 1, y); /* { dg-warning "between 1 and 4 bytes" } */ T (1, "% .*hhi", 1, y); /* { dg-warning "between 2 and 4 bytes" } */ - T (1, "%#.*hhi", p, y); /* { dg-warning "writing 0 or more bytes" } */ + T (1, "%#.*hhi", p, y); /* { dg-warning "writing up to \[0-9\]+ bytes" } */ /* { dg-warning ".#. flag used" "-Wformat" { target *-*-* } .-1 } */ - T (1, "%+.*hhi", p, y); /* { dg-warning "writing 1 or more bytes" } */ - T (1, "%-.*hhi", p, y); /* { dg-warning "writing 0 or more bytes" } */ - T (1, "% .*hhi", p, y); /* { dg-warning "writing 1 or more bytes" } */ + T (1, "%+.*hhi", p, y); /* { dg-warning "writing 1 or more bytes|writing between 1 and \[0-9\]+ bytes" } */ + T (1, "%-.*hhi", p, y); /* { dg-warning "writing up to \[0-9\]+ bytes" } */ + T (1, "% .*hhi", p, y); /* { dg-warning "writing between 1 and \[0-9\]+ bytes|writing 1 or more bytes" } */ - T (1, "%#.*hhu", 0, y); /* { dg-warning "between 0 and 3 bytes" } */ + T (1, "%#.*hhu", 0, y); /* { dg-warning "writing up to 3 bytes" } */ /* { dg-warning ".#. flag used" "-Wformat" { target *-*-* } .-1 } */ - T (1, "%+.*hhu", 0, y); /* { dg-warning "between 0 and 3 bytes" } */ + T (1, "%+.*hhu", 0, y); /* { dg-warning "writing up to 3 bytes" } */ /* { dg-warning ".\\+. flag used" "-Wformat" { target *-*-* } .-1 } */ - T (1, "%-.*hhu", 0, y); /* { dg-warning "between 0 and 3 bytes" } */ - T (1, "% .*hhu", 0, y); /* { dg-warning "between 0 and 3 bytes" } */ + T (1, "%-.*hhu", 0, y); /* { dg-warning "writing up to 3 bytes" } */ + T (1, "% .*hhu", 0, y); /* { dg-warning "writing up to 3 bytes" } */ /* { dg-warning ". . flag used" "-Wformat" { target *-*-* } .-1 } */ } diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-3.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-3.c index 1ca0a66..f325e46 100644 --- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-3.c +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-3.c @@ -47,7 +47,7 @@ void test_sprintf_chk_string (const char *s, const char *t) T (1, "%s", x ? "1" : ""); /* { dg-warning "nul past the end" } */ T (1, "%s", x ? s : "1"); /* { dg-warning "nul past the end" } */ T (1, "%s", x ? "1" : s); /* { dg-warning "nul past the end" } */ - T (1, "%s", x ? s : t); + T (1, "%s", x ? s : t); /* { dg-warning "may write a terminating nul" } */ T (2, "%s", x ? "" : "1"); T (2, "%s", x ? "" : s); @@ -72,7 +72,7 @@ void test_sprintf_chk_integer_value (void) T ( 1, "%i", i ( 0)); /* { dg-warning "nul past the end" } */ T ( 1, "%i", i ( 1)); /* { dg-warning "nul past the end" } */ T ( 1, "%i", i ( -1)); /* { dg-warning "into a region" } */ - T ( 1, "%i_", i ( 1)); /* { dg-warning "character ._. at offset 2 past the end" } */ + T ( 1, "%i_", i ( 1)); /* { dg-warning "directive writing 1 byte into a region of size 0" } */ T ( 1, "_%i", i ( 1)); /* { dg-warning "into a region" } */ T ( 1, "_%i_",i ( 1)); /* { dg-warning "into a region" } */ T ( 1, "%o", i ( 0)); /* { dg-warning "nul past the end" } */ @@ -89,7 +89,7 @@ void test_sprintf_chk_integer_value (void) T ( 2, "%i", i ( 10)); /* { dg-warning "nul past the end" } */ T ( 2, "%i_", i ( 0)); /* { dg-warning "nul past the end" } */ T ( 2, "_%i", i ( 0)); /* { dg-warning "nul past the end" } */ - T ( 2, "_%i_",i ( 0)); /* { dg-warning "character ._. at offset 3 past the end" } */ + T ( 2, "_%i_",i ( 0)); /* { dg-warning "directive writing 1 byte" } */ T ( 2, "%o", i ( 1)); T ( 2, "%o", i ( 7)); T ( 2, "%o", i ( 010)); /* { dg-warning "nul past the end" } */ @@ -198,10 +198,10 @@ void test_sprintf_chk_range_schar (void) T ( 3, "%i", R ( 0, 99)); T ( 3, "%i", R ( 0, 100)); /* { dg-warning "may write a terminating nul past the end of the destination" } */ - /* The following call may write as few as 3 bytes and as many as 5. + /* The following call may write as few as 2 bytes and as many as 4. It's a judgment call how best to diagnose it to make the potential problem clear. */ - T ( 3, "%i%i", R (1, 10), R (9, 10)); /* { dg-warning "may write a terminating nul past the end|.%i. directive writing between 1 and 2 bytes into a region of size 1" } */ + T ( 3, "%i%i", R (1, 10), R (9, 10)); /* { dg-warning "directive writing between 1 and 2 bytes into a region of size between 1 and 2" } */ T ( 4, "%i%i", R (10, 11), R (12, 13)); /* { dg-warning "nul past the end" } */ @@ -211,7 +211,11 @@ void test_sprintf_chk_range_schar (void) T ( 6, "%i_%i_%i", R (0, 9), R (0, 9), R (0, 10)); /* { dg-warning "may write a terminating nul past the end" } */ T ( 6, "%i_%i_%i", R (0, 9), R (0, 10), R (0, 9)); /* { dg-warning "may write a terminating nul past the end" } */ T ( 6, "%i_%i_%i", R (0, 10), R (0, 9), R (0, 9)); /* { dg-warning "may write a terminating nul past the end" } */ - T ( 6, "%i_%i_%i", R (0, 9), R (0, 10), R (0, 10)); /* { dg-warning "may write a terminating nul past the end|.%i. directive writing between 1 and 2 bytes into a region of size 1" } */ + T ( 6, "%hhi_%hi_%i", R (0, 9), R (0, 10), R (0, 10)); /* { dg-warning ".i. directive writing between 1 and 2 bytes into a region of size between 1 and 2" } */ + T ( 6, "%3i|%2i/%1i", R (0, 99), R (0, 99), R (0, 99)); /* { dg-warning "./. directive writing 1 byte into a region of size 0" } */ + T ( 6, "%.3i|%.2i/%i", R (0, 99), R (0, 99), R (0, 99)); /* { dg-warning "./. directive writing 1 byte into a region of size 0" } */ + T ( 6, "%.3i|%.2i/%i", R (0, 119), R (0, 99), R (0, 99)); /* { dg-warning "./. directive writing 1 byte into a region of size 0" } */ + T ( 6, "%.3i|%.2i/%i", R (0, 1), R (0, 2), R (0, 3)); /* { dg-warning "./. directive writing 1 byte into a region of size 0" } */ } void test_sprintf_chk_range_uchar (void) diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-4.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-4.c index 3b3fb68..66fc0a7 100644 --- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-4.c +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-4.c @@ -12,14 +12,14 @@ void test (void) The redundant argument is there to get around GCC bug 77799. */ sprintf (dst + 2, "1", 0); /* { dg-warning "writing a terminating nul past the end of the destination" "nul warning" { target *-*-* } .-1 } - { dg-message "format output 2 bytes into a destination of size 1" "note" { target *-*-* } .-2 } + { dg-message ".sprintf. output 2 bytes into a destination of size 1" "note" { target *-*-* } .-2 } { dg-begin-multiline-output "-Wformat output: redundant argument" } sprintf (dst + 2, "1", 0); ^~~ { dg-end-multiline-output "" } { dg-begin-multiline-output "-Wformat-length output" } sprintf (dst + 2, "1", 0); - ~^ + ^ { dg-end-multiline-output "" } { dg-begin-multiline-output "note" } sprintf (dst + 2, "1", 0); @@ -29,15 +29,15 @@ void test (void) /* Verify thet the caret points at the first format character written past the end of the destination. */ sprintf (dst, "1234", 0); - /* { dg-warning "writing format character .4. at offset 3 past the end of the destination" "nul warning" { target *-*-* } .-1 } - { dg-message "format output 5 bytes into a destination of size 3" "note" { target *-*-* } .-2 } + /* { dg-warning "writing 4 bytes into a region of size 3" "overlong format string" { target *-*-* } .-1 } + { dg-message ".sprintf. output 5 bytes into a destination of size 3" "note" { target *-*-* } .-2 } { dg-begin-multiline-output "-Wformat output: redundant argument" } sprintf (dst, "1234", 0); ^~~~~~ { dg-end-multiline-output "" } { dg-begin-multiline-output "-Wformat-length output" } sprintf (dst, "1234", 0); - ^ + ~~~^ { dg-end-multiline-output "" } { dg-begin-multiline-output "note" } sprintf (dst, "1234", 0); @@ -48,15 +48,15 @@ void test (void) past the end of the destination and the rest of the format string is underlined. */ sprintf (dst, "12345", 0); - /* { dg-warning "writing format character .4. at offset 3 past the end of the destination" "nul warning" { target *-*-* } .-1 } - { dg-message "format output 6 bytes into a destination of size 3" "note" { target *-*-* } .-2 } + /* { dg-warning "writing 5 bytes into a region of size 3" "nul warning" { target *-*-* } .-1 } + { dg-message ".sprintf. output 6 bytes into a destination of size 3" "note" { target *-*-* } .-2 } { dg-begin-multiline-output "-Wformat output: redundant argument" } sprintf (dst, "12345", 0); ^~~~~~~ { dg-end-multiline-output "" } { dg-begin-multiline-output "-Wformat-length output" } sprintf (dst, "12345", 0); - ^~ + ~~~^~ { dg-end-multiline-output "" } { dg-begin-multiline-output "note" } sprintf (dst, "12345", 0); @@ -67,10 +67,10 @@ void test (void) get around GCC bug 77671. */ sprintf (dst + 2, "%-s", "1"); /* { dg-warning "writing a terminating nul past the end of the destination" "warning" { target *-*-* } .-1 } - { dg-message "format output 2 bytes into a destination of size 1" "note" { target *-*-* } .-2 } + { dg-message ".sprintf. output 2 bytes into a destination of size 1" "note" { target *-*-* } .-2 } { dg-begin-multiline-output "-Wformat-length output" } sprintf (dst + 2, "%-s", "1"); - ~~~^ + ^ { dg-end-multiline-output "" } { dg-begin-multiline-output "note" } sprintf (dst + 2, "%-s", "1"); @@ -79,7 +79,7 @@ void test (void) sprintf (dst + 2, "%-s", "abcd"); /* { dg-warning ".%-s. directive writing 4 bytes into a region of size 1" "warning" { target *-*-* } .-1 } - { dg-message "format output 5 bytes into a destination of size 1" "note" { target *-*-* } .-2 } + { dg-message ".sprintf. output 5 bytes into a destination of size 1" "note" { target *-*-* } .-2 } { dg-begin-multiline-output "-Wformat-length output" } sprintf (dst + 2, "%-s", "abcd"); ^~~ ~~~~~~ @@ -124,7 +124,7 @@ void test_sprintf_note (void) ^~ { dg-end-multiline-output "" } - { dg-message "format output 4 bytes into a destination of size 0" "" { target *-*-* } .-7 } + { dg-message ".__builtin_sprintf. output 4 bytes into a destination of size 0" "" { target *-*-* } .-7 } { dg-begin-multiline-output "" } __builtin_sprintf (buffer (0), "%c%s%i", '1', "2", 3); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -137,7 +137,7 @@ void test_sprintf_note (void) ^~ ~~~~ { dg-end-multiline-output "" } - { dg-message "format output 6 bytes into a destination of size 1" "" { target *-*-* } .-7 } + { dg-message ".__builtin_sprintf. output 6 bytes into a destination of size 1" "" { target *-*-* } .-7 } { dg-begin-multiline-output "" } __builtin_sprintf (buffer (1), "%c%s%i", '1', "23", 45); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -150,7 +150,7 @@ void test_sprintf_note (void) ^~ { dg-end-multiline-output "" } - { dg-message "format output 6 bytes into a destination of size 2" "" { target *-*-* } .-7 } + { dg-message ".__builtin_sprintf. output 6 bytes into a destination of size 2" "" { target *-*-* } .-7 } { dg-begin-multiline-output "" } __builtin_sprintf (buffer (2), "%c%s%i", '1', "2", 345); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -160,10 +160,10 @@ void test_sprintf_note (void) /* { dg-warning "41: writing a terminating nul past the end of the destination" "" { target *-*-* } .-1 } { dg-begin-multiline-output "" } __builtin_sprintf (buffer (6), "%c%s%i", '1', "2", 3456); - ~~~~~~^ + ^ { dg-end-multiline-output "" } - { dg-message "format output 7 bytes into a destination of size 6" "" { target *-*-* } .-7 } + { dg-message ".__builtin_sprintf. output 7 bytes into a destination of size 6" "" { target *-*-* } .-7 } { dg-begin-multiline-output "" } __builtin_sprintf (buffer (6), "%c%s%i", '1', "2", 3456); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-7.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-7.c index 0069348..0649038 100644 --- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-7.c +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-7.c @@ -47,7 +47,10 @@ void test_floating_a_cst (void) T (0, "%*a", INT_MIN, 0.); /* { dg-warning "writing 2147483648 bytes" } */ T (0, "%*a", INT_MAX, 0.); /* { dg-warning "writing 2147483647 bytes" } */ - T (0, "%.*a", INT_MIN, 0.); /* { dg-warning "writing 6 bytes" } */ + /* %a is poorly specified and as a result some implementations trim + redundant trailing zeros (e.g., Glibc) and others don't (e.g., + Solaris). */ + T (0, "%.*a", INT_MIN, 0.); /* { dg-warning "writing between 6 and 20 bytes" } */ T (0, "%.*a", INT_MAX, 0.); /* { dg-warning "writing 2147483654 bytes" } */ @@ -75,7 +78,7 @@ void test_floating_e_cst (void) T (0, "%*e", INT_MIN, 0.); /* { dg-warning "writing 2147483648 bytes" } */ T (0, "%*e", INT_MAX, 0.); /* { dg-warning "writing 2147483647 bytes" } */ - T (0, "%.*e", INT_MIN, 0.); /* { dg-warning "writing 5 bytes" } */ + T (0, "%.*e", INT_MIN, 0.); /* { dg-warning "writing 12 bytes" } */ T (0, "%.*e", INT_MAX, 0.); /* { dg-warning "writing 2147483653 bytes" } */ @@ -103,7 +106,7 @@ void test_floating_f_cst (void) T (0, "%*f", INT_MIN, 0.); /* { dg-warning "writing 2147483648 bytes" } */ T (0, "%*f", INT_MAX, 0.); /* { dg-warning "writing 2147483647 bytes" } */ - T (0, "%.*f", INT_MIN, 0.); /* { dg-warning "writing 1 byte" } */ + T (0, "%.*f", INT_MIN, 0.); /* { dg-warning "writing 8 bytes" } */ T (0, "%.*f", INT_MAX, 0.); /* { dg-warning "writing 2147483649 bytes" } */ @@ -170,14 +173,14 @@ void test_string_cst (void) void test_string_var (const char *s) { - T (0, "%*s", INT_MIN, s); /* { dg-warning "writing 2147483648 bytes" } */ - T (0, "%*s", INT_MAX, s); /* { dg-warning "writing 2147483647 bytes" } */ + T (0, "%*s", INT_MIN, s); /* { dg-warning "writing 2147483648 or more bytes" } */ + T (0, "%*s", INT_MAX, s); /* { dg-warning "writing 2147483647 or more bytes" } */ - T (0, "%.*s", INT_MIN, s); /* { dg-warning "writing a terminating nul" } */ + T (0, "%.*s", INT_MIN, s); /* { dg-warning "writing likely 1 or more bytes" } */ - T (0, "%.*s", INT_MAX, s); /* { dg-warning "writing between 0 and 2147483647 bytes" } */ + T (0, "%.*s", INT_MAX, s); /* { dg-warning "writing up to 2147483647 bytes" } */ - T (0, "%*.*s", INT_MIN, INT_MIN, s); /* { dg-warning "writing 2147483648 bytes" } */ + T (0, "%*.*s", INT_MIN, INT_MIN, s); /* { dg-warning "writing 2147483648 or more bytes" } */ T (0, "%*.*s", INT_MAX, INT_MAX, s); /* { dg-warning "writing 2147483647 bytes" } */ } diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-9.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-9.c new file mode 100644 index 0000000..0cf92c3 --- /dev/null +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-9.c @@ -0,0 +1,158 @@ +/* { dg-do compile } */ +/* { dg-options "-O2 -Wformat -Wformat-length=2 -ftrack-macro-expansion=0" } */ + +typedef __SIZE_TYPE__ size_t; + +#define INT_MAX __INT_MAX__ +#define INT_MIN (-INT_MAX - 1) + +#ifndef LINE +# define LINE 0 +#endif + +int dummy_sprintf (char*, const char*, ...); +void sink (void*); + +char buffer[4096]; +char *ptr; + +/* Helper to expand function to either __builtin_f or dummy_f to + make debugging GCC easy. */ +#define FUNC(f) \ + ((!LINE || LINE == __LINE__) ? __builtin_ ## f : dummy_ ## f) + +/* Evaluate to an array of SIZE characters when non-negative, or to + a pointer to an unknown object otherwise. */ +#define buffer(size) \ + ((0 <= size) ? buffer + sizeof buffer - (size) : ptr) + +#define T(bufsize, fmt, ...) \ + do { \ + char *buf = buffer (bufsize); \ + FUNC (sprintf)(buf, fmt, __VA_ARGS__); \ + sink (buf); \ + } while (0) + + +/* Identity function to verify that the checker figures out the value + of the operand even when it's not constant (i.e., makes use of + inlining and constant propagation information). */ + +int i (int x) { return x; } +const char* s (const char *str) { return str; } + +/* Function to "generate" a unique unknown number (as far as GCC can + tell) each time it's called. It prevents the optimizer from being + able to narrow down the ranges of possible values in test functions + with repeated references to the same variable. */ +extern int value (void); + +/* Return a value in the range [MIN, MAX]. */ +int range (int min, int max) +{ + int val = value (); + return val < min || max < val ? min : val; +} + +#define R(min, max) range (min, max) + +/* Verify that the checker can detect buffer overflow when the "%s" + argument is in a known range of lengths and one or both of which + exceed the size of the destination. */ + +void test_sprintf_chk_string (const char *s) +{ + T (1, "%*s", R (0, 1), ""); /* { dg-warning "may write a terminating nul" } */ + T (1, "%*s", R (-2, -1), ""); /* { dg-warning "writing up to 2 bytes" } */ + T (1, "%*s", R (-3, 2), ""); /* { dg-warning "writing up to 3 bytes" } */ + T (1, "%*s", R (-4, 5), ""); /* { dg-warning "writing up to 5 bytes" } */ + + T (1, "%*s", R ( -5, 6), "1"); /* { dg-warning "writing between 1 and 6 bytes" } */ + T (1, "%*s", R ( -6, 7), "12"); /* { dg-warning "writing between 2 and 7 bytes" } */ + + T (1, "%.*s", R (0, 1), ""); + T (1, "%.*s", R (0, 1), s); /* { dg-warning "may write a terminating nul" } */ + T (1, "%.*s", R (-2, -1), ""); + T (1, "%.*s", R (-2, -1), s); /* { dg-warning "may write a terminating nul" } */ + T (1, "%.*s", R (-3, 2), ""); + T (1, "%.*s", R (-4, 5), ""); + + T (1, "%.*s", R ( -5, 6), "1"); /* { dg-warning "may write a terminating nul" } */ + T (1, "%.*s", R ( -6, 7), "12"); /* { dg-warning "writing up to 2 bytes " } */ + T (1, "%.*s", R ( 1, 7), "12"); /* { dg-warning "writing between 1 and 2 bytes " } */ + T (1, "%.*s", R ( 2, 7), "12"); /* { dg-warning "writing 2 bytes " } */ + + T (1, "%*.*s", R (0, 1), R (0, 1), ""); /* { dg-warning "may write a terminating nul" } */ + T (1, "%*.*s", R (0, 2), R (0, 1), ""); /* { dg-warning "directive writing up to 2 bytes into a region of size 1" } */ + T (1, "%*.*s", R (0, 3), R (0, 1), ""); /* { dg-warning "writing up to 3 bytes" } */ + + T (1, "%*.*s", R (0, 1), R (0, 1), "1"); /* { dg-warning "may write a terminating nul" } */ + T (1, "%*.*s", R (0, 2), R (0, 1), "1"); /* { dg-warning "writing up to 2 bytes" } */ + T (1, "%*.*s", R (0, 3), R (0, 1), "1"); /* { dg-warning "writing up to 3 bytes" } */ + + T (1, "%*.*s", R (0, 1), R (0, 1), "12"); /* { dg-warning "may write a terminating nul" } */ + T (1, "%*.*s", R (0, 2), R (0, 1), "12"); /* { dg-warning "writing up to 2 bytes" } */ + T (1, "%*.*s", R (0, 3), R (0, 1), "12"); /* { dg-warning "writing up to 3 bytes" } */ + + T (1, "%*.*s", R (0, 1), R (0, 1), "123"); /* { dg-warning "may write a terminating nul" } */ + T (1, "%*.*s", R (0, 2), R (0, 1), "123"); /* { dg-warning "writing up to 2 bytes" } */ + T (1, "%*.*s", R (0, 3), R (0, 1), "123"); /* { dg-warning "writing up to 3 bytes" } */ + T (1, "%*.*s", R (0, 3), R (0, 1), s); /* { dg-warning "writing up to 3 bytes" } */ + + T (1, "%*.*s", R (0, 1), R (0, 2), "123"); /* { dg-warning "writing up to 2 bytes" } */ + T (1, "%*.*s", R (0, 2), R (0, 2), "123"); /* { dg-warning "writing up to 2 bytes" } */ + T (1, "%*.*s", R (0, 3), R (0, 2), "123"); /* { dg-warning "writing up to 3 bytes" } */ + T (1, "%*.*s", R (0, 3), R (0, 2), s); /* { dg-warning "writing up to 3 bytes" } */ + + T (1, "%*.*s", R (0, 1), R (0, 3), "123"); /* { dg-warning "writing up to 3 bytes" } */ + T (1, "%*.*s", R (0, 2), R (0, 3), "123"); /* { dg-warning "writing up to 3 bytes" } */ + T (1, "%*.*s", R (0, 3), R (0, 3), "123"); /* { dg-warning "writing up to 3 bytes" } */ + T (1, "%*.*s", R (0, 3), R (0, 3), s); /* { dg-warning "writing up to 3 bytes" } */ + + T (1, "%*.*s", R (1, 1), R (0, 3), "123"); /* { dg-warning "writing between 1 and 3 bytes" } */ + T (1, "%*.*s", R (1, 2), R (0, 3), "123"); /* { dg-warning "writing between 1 and 3 bytes" } */ + T (1, "%*.*s", R (1, 3), R (0, 3), "123"); /* { dg-warning "writing between 1 and 3 bytes" } */ + T (1, "%*.*s", R (1, 3), R (0, 3), s); /* { dg-warning "writing between 1 and 3 bytes" } */ + + T (1, "%*.*s", R (1, 1), R (1, 3), "123"); /* { dg-warning "writing between 1 and 3 bytes" } */ + T (1, "%*.*s", R (1, 2), R (1, 3), "123"); /* { dg-warning "writing between 1 and 3 bytes" } */ + T (1, "%*.*s", R (1, 3), R (1, 3), "123"); /* { dg-warning "writing between 1 and 3 bytes" } */ + T (1, "%*.*s", R (1, 3), R (1, 3), s); /* { dg-warning "writing between 1 and 3 bytes" } */ + + T (1, "%*.*s", R (2, 3), R (1, 3), "123"); /* { dg-warning "writing between 2 and 3 bytes" } */ + T (1, "%*.*s", R (3, 4), R (1, 3), "123"); /* { dg-warning "writing between 3 and 4 bytes" } */ + T (1, "%*.*s", R (4, 5), R (1, 3), "123"); /* { dg-warning "writing between 4 and 5 bytes" } */ + T (1, "%*.*s", R (2, 3), R (1, 3), s); /* { dg-warning "writing between 2 and 3 bytes" } */ +} + +void test_sprintf_chk_int (int w, int p, int i) +{ + T (1, "%*d", w, 0); /* { dg-warning "may write a terminating nul|directive writing between 1 and \[0-9\]+ bytes" } */ + T (1, "%*d", w, i); /* { dg-warning "may write a terminating nul|directive writing between 1 and \[0-9\]+ bytes" } */ + + T (1, "%*d", R (-1, 1), 0); /* { dg-warning "writing a terminating nul" } */ + T (1, "%*d", R ( 0, 1), 0); /* { dg-warning "writing a terminating nul" } */ + T (1, "%+*d", R ( 0, 1), 0); /* { dg-warning "directive writing 2 bytes" } */ + T (1, "%+*u", R ( 0, 1), 0); /* { dg-warning "writing a terminating nul" } */ + T (2, "%*d", R (-3, -2), 0); /* { dg-warning "directive writing between 1 and 3 bytes" } */ + T (2, "%*d", R (-3, -1), 0); /* { dg-warning "directive writing between 1 and 3 bytes" } */ + T (2, "%*d", R (-3, 0), 0); /* { dg-warning "directive writing between 1 and 3 bytes" } */ + T (2, "%*d", R (-2, -1), 0); /* { dg-warning "may write a terminating nul" } */ + T (2, "%*d", R (-2, 2), 0); /* { dg-warning "may write a terminating nul" } */ + T (2, "%*d", R (-1, 2), 0); /* { dg-warning "may write a terminating nul" } */ + T (2, "%*d", R ( 0, 2), 0); /* { dg-warning "may write a terminating nul" } */ + T (2, "%*d", R ( 1, 2), 0); /* { dg-warning "may write a terminating nul" } */ + + T (1, "%.*d", p, 0); /* { dg-warning "may write a terminating nul|directive writing up to \[0-9\]+ bytes" } */ + T (1, "%.*d", p, i); /* { dg-warning "may write a terminating nul||directive writing up to \[0-9\]+ bytes" } */ + T (1, "%.*d", R (INT_MIN, -1), 0); /* { dg-warning "writing a terminating nul" } */ + T (1, "%.*d", R (INT_MIN, 0), 0); /* { dg-warning "may write a terminating nul" } */ + T (1, "%.*d", R (-2, -1), 0); /* { dg-warning "writing a terminating nul" } */ + T (1, "%.*d", R (-1, 1), 0); /* { dg-warning "may write a terminating nul" } */ + T (1, "%.*d", R ( 0, 1), 0); /* { dg-warning "may write a terminating nul" } */ + T (1, "%.*d", R ( 0, 2), 0); /* { dg-warning "directive writing up to 2 bytes" } */ + T (1, "%.*d", R ( 0, INT_MAX - 1), 0); /* { dg-warning "directive writing up to \[0-9\]+ bytes" } */ + T (1, "%.*d", R ( 1, INT_MAX - 1), 0); /* { dg-warning "directive writing between 1 and \[0-9\]+ bytes" } */ +} + +/* { dg-prune-output "flag used with .%.. gnu_printf format" } */ diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf.c index 35a5bd0..b559090 100644 --- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf.c +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf.c @@ -411,14 +411,19 @@ test_a_double (double d) EQL ( 6, 7, "%.0a", 0.0); /* 0x0p+0 */ EQL ( 6, 7, "%.0a", 1.0); /* 0x8p-3 */ EQL ( 6, 7, "%.0a", 2.0); /* 0x8p-2 */ - EQL ( 8, 9, "%.1a", 3.0); /* 0xc.0p-2 */ - EQL ( 9, 10, "%.2a", 4.0); /* 0x8.00p-1 */ - EQL (10, 11, "%.3a", 5.0); /* 0xa.000p-1 */ + + /* The decimal point may be up to MB_LEN_MAX long. */ + RNG ( 8, 13, 14, "%.1a", 3.0); /* 0xc.0p-2 */ + RNG ( 9, 14, 15, "%.2a", 4.0); /* 0x8.00p-1 */ + RNG (10, 15, 16, "%.3a", 5.0); /* 0xa.000p-1 */ /* d is in [ 0, -DBL_MAX ] */ RNG ( 6, 10, 11, "%.0a", d); /* 0x0p+0 ... -0x2p+1023 */ - RNG ( 6, 12, 13, "%.1a", d); /* 0x0p+0 ... -0x2.0p+1023 */ - RNG ( 6, 13, 14, "%.2a", d); /* 0x0p+0 ... -0x2.00p+1023 */ + /* %a is poorly specified and allows for implementations divergence: + some (such as Glibc) trim redundant trailing zeros after decimal + point and others (e.g., Solaris) don't. */ + RNG ( 6, 30, 31, "%.1a", d); /* 0x0p+0 ... -0x2.0...0p+1023 */ + RNG ( 6, 30, 31, "%.2a", d); /* 0x0p+0 ... -0x2.00...0p+1023 */ } static void __attribute__ ((noinline, noclone)) @@ -427,111 +432,113 @@ test_a_long_double (void) EQL ( 6, 7, "%.0La", 0.0L); /* 0x0p+0 */ EQL ( 6, 7, "%.0La", 1.0L); /* 0x8p-3 */ EQL ( 6, 7, "%.0La", 2.0L); /* 0x8p-2 */ - EQL ( 8, 9, "%.1La", 3.0L); /* 0xc.0p-2 */ - EQL ( 9, 10, "%.2La", 4.0L); /* 0xa.00p-1 */ + + RNG ( 8, 13, 14, "%.1La", 3.0L); /* 0xc.0p-2 */ + RNG ( 9, 14, 15, "%.2La", 4.0L); /* 0xa.00p-1 */ } static void __attribute__ ((noinline, noclone)) test_e_double (void) { - EQL (12, 13, "%e", 1.0e0); - EQL (13, 14, "%e", -1.0e0); - EQL (12, 13, "%e", 1.0e+1); - EQL (13, 14, "%e", -1.0e+1); - EQL (12, 13, "%e", 1.0e+12); - EQL (13, 14, "%e", -1.0e+12); - EQL (13, 14, "%e", 1.0e+123); - EQL (14, 15, "%e", -1.0e+123); - - EQL (12, 13, "%e", 9.999e+99); - EQL (12, 13, "%e", 9.9999e+99); - EQL (12, 13, "%e", 9.99999e+99); + RNG (12, 17, 18, "%e", 1.0e0); + RNG (13, 18, 19, "%e", -1.0e0); + RNG (12, 17, 18, "%e", 1.0e+1); + RNG (13, 18, 19, "%e", -1.0e+1); + RNG (12, 17, 18, "%e", 1.0e+12); + RNG (13, 18, 19, "%e", -1.0e+12); + RNG (13, 18, 19, "%e", 1.0e+123); + RNG (14, 19, 20, "%e", -1.0e+123); + + RNG (12, 17, 18, "%e", 9.999e+99); + RNG (12, 17, 18, "%e", 9.9999e+99); + RNG (12, 17, 18, "%e", 9.99999e+99); /* The actual output of the following directive depends on the rounding mode. */ - /* EQL (12, "%e", 9.9999994e+99); */ + /* RNG (12, "%e", 9.9999994e+99); */ - EQL (12, 13, "%e", 1.0e-1); - EQL (12, 13, "%e", 1.0e-12); - EQL (13, 14, "%e", 1.0e-123); + RNG (12, 17, 18, "%e", 1.0e-1); + RNG (12, 17, 18, "%e", 1.0e-12); + RNG (13, 18, 19, "%e", 1.0e-123); } static void __attribute__ ((noinline, noclone)) test_e_long_double (void) { - EQL (12, 13, "%Le", 1.0e0L); - EQL (13, 14, "%Le", -1.0e0L); - EQL (12, 13, "%Le", 1.0e+1L); - EQL (13, 14, "%Le", -1.0e+1L); - EQL (12, 13, "%Le", 1.0e+12L); - EQL (13, 14, "%Le", -1.0e+12L); - EQL (13, 14, "%Le", 1.0e+123L); - EQL (14, 15, "%Le", -1.0e+123L); - - EQL (12, 13, "%Le", 9.999e+99L); - EQL (12, 13, "%Le", 9.9999e+99L); - EQL (12, 13, "%Le", 9.99999e+99L); + RNG (12, 17, 18, "%Le", 1.0e0L); + RNG (13, 18, 19, "%Le", -1.0e0L); + RNG (12, 17, 18, "%Le", 1.0e+1L); + RNG (13, 18, 19, "%Le", -1.0e+1L); + RNG (12, 18, 19, "%Le", 1.0e+12L); + RNG (13, 19, 20, "%Le", -1.0e+12L); + RNG (13, 19, 20, "%Le", 1.0e+123L); + RNG (14, 20, 21, "%Le", -1.0e+123L); + + RNG (12, 18, 19, "%Le", 9.999e+99L); + RNG (12, 18, 19, "%Le", 9.9999e+99L); + RNG (12, 18, 19, "%Le", 9.99999e+99L); #if __DBL_DIG__ < __LDBL_DIG__ - EQL (12, 13, "%Le", 9.999999e+99L); + RNG (12, 17, 18, "%Le", 9.999999e+99L); #else - RNG (12, 13, 14, "%Le", 9.999999e+99L); + RNG (12, 18, 19, "%Le", 9.999999e+99L); #endif /* The actual output of the following directive depends on the rounding mode. */ - /* EQL (12, "%Le", 9.9999994e+99L); */ + /* RNG (12, "%Le", 9.9999994e+99L); */ - EQL (12, 13, "%Le", 1.0e-1L); - EQL (12, 13, "%Le", 1.0e-12L); - EQL (13, 14, "%Le", 1.0e-123L); + RNG (12, 17, 18, "%Le", 1.0e-1L); + RNG (12, 17, 18, "%Le", 1.0e-12L); + RNG (13, 18, 19, "%Le", 1.0e-123L); EQL ( 6, 7, "%.0Le", 1.0e-111L); - EQL ( 8, 9, "%.1Le", 1.0e-111L); - EQL (19, 20, "%.12Le", 1.0e-112L); - EQL (20, 21, "%.13Le", 1.0e-113L); + + RNG ( 8, 13, 14, "%.1Le", 1.0e-111L); + RNG (19, 25, 25, "%.12Le", 1.0e-112L); + RNG (20, 26, 27, "%.13Le", 1.0e-113L); } static void __attribute__ ((noinline, noclone)) test_f_double (void) { - EQL ( 8, 9, "%f", 0.0e0); - EQL ( 8, 9, "%f", 0.1e0); - EQL ( 8, 9, "%f", 0.12e0); - EQL ( 8, 9, "%f", 0.123e0); - EQL ( 8, 9, "%f", 0.1234e0); - EQL ( 8, 9, "%f", 0.12345e0); - EQL ( 8, 9, "%f", 0.123456e0); - EQL ( 8, 9, "%f", 1.234567e0); - - EQL ( 9, 10, "%f", 1.0e+1); - EQL ( 20, 21, "%f", 1.0e+12); - EQL (130, 131, "%f", 1.0e+123); - - EQL ( 8, 9, "%f", 1.0e-1); - EQL ( 8, 9, "%f", 1.0e-12); - EQL ( 8, 9, "%f", 1.0e-123); + RNG ( 8, 13, 14, "%f", 0.0e0); + RNG ( 8, 13, 14, "%f", 0.1e0); + RNG ( 8, 13, 14, "%f", 0.12e0); + RNG ( 8, 13, 14, "%f", 0.123e0); + RNG ( 8, 13, 14, "%f", 0.1234e0); + RNG ( 8, 13, 14, "%f", 0.12345e0); + RNG ( 8, 13, 14, "%f", 0.123456e0); + RNG ( 8, 13, 14, "%f", 1.234567e0); + + RNG ( 9, 14, 15, "%f", 1.0e+1); + RNG ( 20, 26, 27, "%f", 1.0e+12); + RNG (130, 136, 137, "%f", 1.0e+123); + + RNG ( 8, 13, 14, "%f", 1.0e-1); + RNG ( 8, 13, 14, "%f", 1.0e-12); + RNG ( 8, 13, 14, "%f", 1.0e-123); } static void __attribute__ ((noinline, noclone)) test_f_long_double (void) { - EQL ( 8, 9, "%Lf", 0.0e0L); - EQL ( 8, 9, "%Lf", 0.1e0L); - EQL ( 8, 9, "%Lf", 0.12e0L); - EQL ( 8, 9, "%Lf", 0.123e0L); - EQL ( 8, 9, "%Lf", 0.1234e0L); - EQL ( 8, 9, "%Lf", 0.12345e0L); - EQL ( 8, 9, "%Lf", 0.123456e0L); - EQL ( 8, 9, "%Lf", 1.234567e0L); - - EQL ( 9, 10, "%Lf", 1.0e+1L); - EQL ( 20, 21, "%Lf", 1.0e+12L); - EQL (130, 131, "%Lf", 1.0e+123L); - - EQL ( 8, 9, "%Lf", 1.0e-1L); - EQL ( 8, 9, "%Lf", 1.0e-12L); - EQL ( 8, 9, "%Lf", 1.0e-123L); + RNG ( 8, 15, 16, "%Lf", 0.0e0L); + RNG ( 8, 14, 15, "%Lf", 0.1e0L); + RNG ( 8, 14, 15, "%Lf", 0.12e0L); + RNG ( 8, 14, 15, "%Lf", 0.123e0L); + RNG ( 8, 14, 15, "%Lf", 0.1234e0L); + RNG ( 8, 14, 15, "%Lf", 0.12345e0L); + RNG ( 8, 14, 15, "%Lf", 0.123456e0L); + RNG ( 8, 14, 15, "%Lf", 1.234567e0L); + + RNG ( 9, 15, 16, "%Lf", 1.0e+1L); + RNG ( 20, 26, 27, "%Lf", 1.0e+12L); + RNG (130, 136, 137, "%Lf", 1.0e+123L); + + RNG ( 8, 14, 15, "%Lf", 1.0e-1L); + RNG ( 8, 14, 15, "%Lf", 1.0e-12L); + RNG ( 8, 14, 15, "%Lf", 1.0e-123L); } static void __attribute__ ((noinline, noclone))