PR tree-optimization/88993 - GCC 9 -Wformat-overflow=2 should reflect real libc limits

PR tree-optimization/88993 - GCC 9 -Wformat-overflow=2 should reflect real libc limits PR tree-optimization/88835 - overly aggressive -Werror=format-overflow for printf gcc/ChangeLog: PR tree-optimization/88993 PR tree-optimization/88853 * gimple-ssa-sprintf.c (sprintf_dom_walker::call_info::is_file_func): New helper. (sprintf_dom_walker::call_info::is_string_func): New helper. (format_directive): Only issue "may exceed" 4095/INT_MAX warnings for formatted string functions. (sprintf_dom_walker::handle_gimple_call): Fix a typo in a comment. gcc/testsuite/ChangeLog: PR tree-optimization/88993 PR tree-optimization/88853 * gcc.dg/tree-ssa/builtin-fprintf-warn-2.c: New test. * gcc.dg/tree-ssa/builtin-printf-warn-2.c: New test. * gcc.dg/tree-ssa/builtin-snprintf-warn-3.c: Adjust. * gcc.dg/tree-ssa/builtin-sprintf-warn-18.c: Same. From-SVN: r269125

PR tree-optimization/88993 - GCC 9 -Wformat-overflow=2 should reflect real libc limits
PR tree-optimization/88993 - GCC 9 -Wformat-overflow=2 should reflect real libc limits PR tree-optimization/88835 - overly aggressive -Werror=format-overflow for printf gcc/ChangeLog: PR tree-optimization/88993 PR tree-optimization/88853 * gimple-ssa-sprintf.c (sprintf_dom_walker::call_info::is_file_func): New helper. (sprintf_dom_walker::call_info::is_string_func): New helper. (format_directive): Only issue "may exceed" 4095/INT_MAX warnings for formatted string functions. (sprintf_dom_walker::handle_gimple_call): Fix a typo in a comment. gcc/testsuite/ChangeLog: PR tree-optimization/88993 PR tree-optimization/88853 * gcc.dg/tree-ssa/builtin-fprintf-warn-2.c: New test. * gcc.dg/tree-ssa/builtin-printf-warn-2.c: New test. * gcc.dg/tree-ssa/builtin-snprintf-warn-3.c: Adjust. * gcc.dg/tree-ssa/builtin-sprintf-warn-18.c: Same. From-SVN: r269125
eb319c50 · Martin Sebor · cfed471a · eb319c50 · eb319c50 · eb319c50
Commit eb319c50 authored Feb 22, 2019 by Martin Sebor
5 changed files
--- a/gcc/gimple-ssa-sprintf.c
+++ b/gcc/gimple-ssa-sprintf.c
@@ -945,6 +945,29 @@ struct sprintf_dom_walker::call_info
  {
    return bounded ? OPT_Wformat_truncation_ : OPT_Wformat_overflow_;
  }
+
+  /* Return true for calls to file formatted functions.  */
+  bool is_file_func () const
+  {
+    return (fncode == BUILT_IN_FPRINTF
+	    || fncode == BUILT_IN_FPRINTF_CHK
+	    || fncode == BUILT_IN_FPRINTF_UNLOCKED
+	    || fncode == BUILT_IN_VFPRINTF
+	    || fncode == BUILT_IN_VFPRINTF_CHK);
+  }
+
+  /* Return true for calls to string formatted functions.  */
+  bool is_string_func () const
+  {
+    return (fncode == BUILT_IN_SPRINTF
+	    || fncode == BUILT_IN_SPRINTF_CHK
+	    || fncode == BUILT_IN_SNPRINTF
+	    || fncode == BUILT_IN_SNPRINTF_CHK
+	    || fncode == BUILT_IN_VSPRINTF
+	    || fncode == BUILT_IN_VSPRINTF_CHK
+	    || fncode == BUILT_IN_VSNPRINTF
+	    || fncode == BUILT_IN_VSNPRINTF_CHK);
+  }
 };

 /* Return the result of formatting a no-op directive (such as '%n').  */
@@ -2841,6 +2864,8 @@ format_directive (const sprintf_dom_walker::call_info &info,
  if (!warned
      /* Only warn at level 2.  */
      && warn_level > 1
+      /* Only warn for string functions.  */
+      && info.is_string_func ()
      && (!minunder4k
 	  || (!maxunder4k && fmtres.range.max < HOST_WIDE_INT_MAX)))
    {
@@ -2849,7 +2874,9 @@ format_directive (const sprintf_dom_walker::call_info &info,
 	 of C11.  Warn on this only at level 2 but remember this and
 	 prevent folding the return value when done.  This allows for
 	 the possibility of the actual libc call failing due to ENOMEM
-	 (like Glibc does under some conditions).  */
+	 (like Glibc does with very large precision or width).
+	 Issue the "may exceed" warning only for string functions and
+	 not for fprintf or printf.  */

      if (fmtres.range.min == fmtres.range.max)
 	warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
@@ -2857,14 +2884,18 @@ format_directive (const sprintf_dom_walker::call_info &info,
 			  "minimum required size of 4095", dirlen,
 			  target_to_host (hostdir, sizeof hostdir, dir.beg),
 			  fmtres.range.min);
-      else
+      else if (!minunder4k)
+	warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
+			  "%<%.*s%> directive output between %wu and %wu "
+			  "bytes exceeds minimum required size of 4095",
+			  dirlen,
+			  target_to_host (hostdir, sizeof hostdir, dir.beg),
+			  fmtres.range.min, fmtres.range.max);
+      else if (!info.retval_used () && info.is_string_func ())
 	warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
-			  minunder4k
-			  ? G_("%<%.*s%> directive output between %wu and %wu "
+			  "%<%.*s%> directive output between %wu and %wu "
 			  "bytes may exceed minimum required size of "
-			       "4095")
-			  : G_("%<%.*s%> directive output between %wu and %wu "
-			       "bytes exceeds minimum required size of 4095"),
+			  "4095",
 			  dirlen,
 			  target_to_host (hostdir, sizeof hostdir, dir.beg),
 			  fmtres.range.min, fmtres.range.max);
@@ -2887,9 +2918,26 @@ format_directive (const sprintf_dom_walker::call_info &info,
 	      && maxximax
 	      && fmtres.range.max < HOST_WIDE_INT_MAX)))
    {
-      /* The directive output causes the total length of output
+      if (fmtres.range.min > target_int_max ())
+	{
+	  /* The directive output exceeds INT_MAX bytes.  */
+	  if (fmtres.range.min == fmtres.range.max)
+	    warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
+			      "%<%.*s%> directive output of %wu bytes exceeds "
+			      "%<INT_MAX%>", dirlen,
+			      target_to_host (hostdir, sizeof hostdir, dir.beg),
+			      fmtres.range.min);
+	  else
+	    warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
+			      "%<%.*s%> directive output between %wu and "
+			      "%wu bytes exceeds %<INT_MAX%>", dirlen,
+			      target_to_host (hostdir, sizeof hostdir, dir.beg),
+			      fmtres.range.min, fmtres.range.max);
+	}
+      else if (res->range.min > target_int_max ())
+	{
+	  /* The directive output is under INT_MAX but causes the result
 	     to exceed INT_MAX bytes.  */
-
 	  if (fmtres.range.min == fmtres.range.max)
 	    warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
 			      "%<%.*s%> directive output of %wu bytes causes "
@@ -2898,13 +2946,20 @@ format_directive (const sprintf_dom_walker::call_info &info,
 			      fmtres.range.min);
 	  else
 	    warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
-			  fmtres.range.min > target_int_max ()
-			  ? G_("%<%.*s%> directive output between %wu and "
-			       "%wu bytes causes result to exceed "
-			       "%<INT_MAX%>")
-			  : G_("%<%.*s%> directive output between %wu and "
+			      "%<%.*s%> directive output between %wu and "
+			      "%wu bytes causes result to exceed %<INT_MAX%>",
+			      dirlen,
+			      target_to_host (hostdir, sizeof hostdir, dir.beg),
+			      fmtres.range.min, fmtres.range.max);
+	}
+      else if ((!info.retval_used () || !info.bounded)
+	       && (info.is_string_func ()))
+	/* Warn for calls to string functions that either aren't bounded
+	   (sprintf) or whose return value isn't used.  */
+	warned = fmtwarn (dirloc, argloc, NULL, info.warnopt (),
+			  "%<%.*s%> directive output between %wu and "
 			  "%wu bytes may cause result to exceed "
-			       "%<INT_MAX%>"), dirlen,
+			  "%<INT_MAX%>", dirlen,
 			  target_to_host (hostdir, sizeof hostdir, dir.beg),
 			  fmtres.range.min, fmtres.range.max);
    }
@@ -2944,22 +2999,24 @@ format_directive (const sprintf_dom_walker::call_info &info,

  res->warned |= warned;

-  if (!dir.beg[0] && res->warned && info.objsize < HOST_WIDE_INT_MAX)
+  if (!dir.beg[0] && res->warned)
    {
-      /* If a warning has been issued for buffer overflow or truncation
-	 (but not otherwise) help the user figure out how big a buffer
-	 they need.  */
-
      location_t callloc = gimple_location (info.callstmt);

      unsigned HOST_WIDE_INT min = res->range.min;
      unsigned HOST_WIDE_INT max = res->range.max;

+      if (info.objsize < HOST_WIDE_INT_MAX)
+	{
+	  /* If a warning has been issued for buffer overflow or truncation
+	     help the user figure out how big a buffer they need.  */
+
 	  if (min == max)
 	    inform (callloc,
 		    (min == 1
 		     ? G_("%qE output %wu byte into a destination of size %wu")
-		 : G_("%qE output %wu bytes into a destination of size %wu")),
+		     : G_("%qE output %wu bytes into a destination of size "
+			  "%wu")),
 		    info.func, min, info.objsize);
 	  else if (max < HOST_WIDE_INT_MAX)
 	    inform (callloc,
@@ -2973,9 +3030,35 @@ format_directive (const sprintf_dom_walker::call_info &info,
 		    info.func, min, res->range.likely, info.objsize);
 	  else
 	    inform (callloc,
-		"%qE output %wu or more bytes into a destination of size %wu",
+		    "%qE output %wu or more bytes into a destination of size "
+		    "%wu",
 		    info.func, min, info.objsize);
 	}
+      else if (!info.is_string_func ())
+	{
+	  /* If the warning is for a file function function like fprintf
+	     of printf with no destination size just print the computed
+	     result.  */
+	  if (min == max)
+	    inform (callloc,
+		    (min == 1
+		     ? G_("%qE output %wu byte")
+		     : G_("%qE output %wu bytes")),
+		    info.func, min);
+	  else if (max < HOST_WIDE_INT_MAX)
+	    inform (callloc,
+		    "%qE output between %wu and %wu bytes",
+		    info.func, min, max);
+	  else if (min < res->range.likely && res->range.likely < max)
+	    inform (callloc,
+		    "%qE output %wu or more bytes (assuming %wu)",
+		    info.func, min, res->range.likely);
+	  else
+	    inform (callloc,
+		    "%qE output %wu or more bytes",
+		    info.func, min);
+	}
+    }

  if (dump_file && *dir.beg)
    {
@@ -3501,14 +3584,14 @@ sprintf_dom_walker::compute_format_length (call_info &info,
 }

 /* Return the size of the object referenced by the expression DEST if
-   available, or -1 otherwise.  */
+   available, or the maximum possible size otherwise.  */

 static unsigned HOST_WIDE_INT
 get_destination_size (tree dest)
 {
-  /* When there is no destination return -1.  */
+  /* When there is no destination return the maximum.  */
  if (!dest)
-    return HOST_WIDE_INT_M1U;
+    return HOST_WIDE_INT_MAX;

  /* Initialize object size info before trying to compute it.  */
  init_object_sizes ();
@@ -3523,7 +3606,7 @@ get_destination_size (tree dest)
  if (compute_builtin_object_size (dest, ost, &size))
    return size;

-  return HOST_WIDE_INT_M1U;
+  return HOST_WIDE_INT_MAX;
 }

 /* Return true if the call described by INFO with result RES safe to
@@ -3844,7 +3927,7 @@ sprintf_dom_walker::handle_gimple_call (gimple_stmt_iterator *gsi)

    case BUILT_IN_PRINTF_CHK:
      // Signature:
-      //   __builtin_printf_chk (it, format, ...)
+      //   __builtin_printf_chk (ost, format, ...)
      idx_format = 1;
      info.argidx = 2;
      idx_dstptr = -1;

--- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-fprintf-warn-2.c
+++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-fprintf-warn-2.c
--- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-printf-warn-2.c
+++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-printf-warn-2.c
--- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-snprintf-warn-3.c
+++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-snprintf-warn-3.c
@@ -166,11 +166,17 @@ void test_string_checked (const char *s, const struct Arrays *ar)
  T (-1, "%s%s", ar->a4k, ar->ax);

  /* Verify that an array that fits a string longer than 4095 bytes
-     does trigger a warning.  */
-  T (-1, "%-s", ar->a4kp1);   /* { dg-warning "directive output between 0 and 4096 bytes may exceed minimum required size of 4095" } */
-
-  /* Also verify that a %s directive with width greater than 4095
-     triggers a warning even if the argument is not longer than 4k.  */
+     does not trigger a warning.  (No known implementation has trouble
+     with this).  */
+  T (-1, "%s", ar->a4kp1);
+
+  /* Verify that a %s directive with width greater than 4095 does
+     trigger a warning even if the string argument is not longer
+     than 4k.  Glibc only has trouble with directives whose width
+     or precision exceeds 64K or so:
+     https://bugzilla.redhat.com/show_bug.cgi?id=441945 *
+     but hardcoding that as the limit and assuming no other
+     implementation has a lower one seems unwise.  */
  T (-1, "%*s", 4096, ar->a4k);   /* { dg-warning "directive output of 4096 bytes exceeds minimum required size of 4095" } */

  /* Verify that precision constrains the putput and suppresses the 4k
@@ -190,5 +196,7 @@ void test_string_checked (const char *s, const struct Arrays *ar)
  T (-1, "%s %s %s", ar->a4k, ar->a4k, ar->a4k);
  T (-1, "%s %s %s", ar->ax, ar->ax, ar->ax);

-  T (-1, "%-s", ar->amax);   /* { dg-warning "directive output between 0 and \[0-9\]+ bytes may exceed minimum required size of 4095" } */
+  /* Similar to the above, verify there's no warning for an array
+     just because its size is INT_MAX bytes.  */
+  T (-1, "%s", ar->amax);
 }
--- a/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-18.c
+++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-sprintf-warn-18.c
@@ -118,9 +118,9 @@ void test_width_and_precision_out_of_range (char *d)
  /* The range here happens to be a property of the compiler, not
     one of the target.  */
  T ("%9223372036854775808i", 0);    /* { dg-warning "width out of range" "first" } */
-  /* { dg-warning "result to exceed .INT_MAX." "second" { target *-*-* } .-1 } */
+  /* { dg-warning "exceeds .INT_MAX." "second" { target *-*-* } .-1 } */
  T ("%.9223372036854775808i", 0);   /* { dg-warning "precision out of range" "first" } */
-  /* { dg-warning "causes result to exceed .INT_MAX." "second" { target *-*-* } .-1 } */
+  /* { dg-warning "exceeds .INT_MAX." "second" { target *-*-* } .-1 } */

  /* The following is diagnosed by -Wformat (disabled here).  */
  /* T ("%9223372036854775808$i", 0); */