From: Martin Sebor
Subject: [PATCH] suppress unhelpful -Wformat-truncation=2 INT_MAX warning (PR 79448)
Message-ID: <324eb850-fb33-b0ef-84fd-eeb42761acf6@gmail.com>
Date: Fri, 10 Feb 2017 10:55:40 -0700

The recent Fedora mass rebuild revealed that the Wformat-truncation=2 checker is still a bit too aggressive and complains about potentially unbounded strings causing subsequent directives to exceed the INT_MAX limit. (It's unclear how the build ended up enabling level 2 of the warning.)

This is because for the purposes of the return value optimization the pass must assume that such strings really are potentially unbounded and result in as many as INT_MAX bytes (or more). That doesn't mean that it should warn on such cases.

The attached patch relaxes the checker to avoid the warning in this case. Since there's no easy way for a user to suppress the warning, is this change okay for trunk at this stage?

Martin

PR middle-end/79448 - unhelpful -Wformat-truncation=2 warning

gcc/testsuite/ChangeLog:

	PR middle-end/79448
	* gcc.dg/tree-ssa/builtin-snprintf-warn-3.c: New test.
	* gcc.dg/tree-ssa/pr79448-2.c: New test.
	* gcc.dg/tree-ssa/pr79448.c: New test.

gcc/ChangeLog:

	PR middle-end/79448
	* gimple-ssa-sprintf.c (format_directive): Avoid issuing INT_MAX
	warning for strings of unknown length.

diff --git a/gcc/gimple-ssa-sprintf.c b/gcc/gimple-ssa-sprintf.c index e6cc31d..bf76162 100644 --- a/gcc/gimple-ssa-sprintf.c +++ b/gcc/gimple-ssa-sprintf.c 
@@ -2561,11 +2561,15 @@ format_directive (const pass_sprintf_length::call_info &info, /* Raise the total unlikely maximum by the larger of the maximum and the unlikely maximum. It doesn't matter if the unlikely maximum overflows. */ + unsigned HOST_WIDE_INT save = res->range.unlikely; if (fmtres.range.max < fmtres.range.unlikely) res->range.unlikely += fmtres.range.unlikely; else res->range.unlikely += fmtres.range.max; + if (res->range.unlikely < save) + res->range.unlikely = HOST_WIDE_INT_M1U; + res->range.min += fmtres.range.min; res->range.likely += fmtres.range.likely; @@ -2616,7 +2620,12 @@ format_directive (const pass_sprintf_length::call_info &info, /* Has the likely and maximum directive output exceeded INT_MAX? */ bool likelyximax = *dir.beg && res->range.likely > target_int_max (); - bool maxximax = *dir.beg && res->range.max > target_int_max (); + /* Don't consider the maximum to be in excess when it's the result + of a string of unknown length (i.e., whose maximum has been set + to HOST_WIDE_INT_M1U. */ + bool maxximax = (*dir.beg + && res->range.max > target_int_max () + && res->range.max < HOST_WIDE_INT_MAX); if (!warned /* Warn for the likely output size at level 1. */ diff --git a/gcc/testsuite/gcc.dg/tree-ssa/builtin-snprintf-warn-3.c b/gcc/testsuite/gcc.dg/tree-ssa/builtin-snprintf-warn-3.c new file mode 100644 index 0000000..81c1d89 --- /dev/null +++ b/gcc/testsuite/gcc.dg/tree-ssa/builtin-snprintf-warn-3.c 
@@ -0,0 +1,193 @@ +/* PR middle-end/79448 - unhelpful -Wformat-truncation=2 warning + { dg-do compile } + { dg-options "-O2 -Wformat -Wformat-truncation=2 -ftrack-macro-expansion=0" } */ + +typedef __SIZE_TYPE__ size_t; +typedef __WCHAR_TYPE__ wchar_t; + +#define INT_MAX __INT_MAX__ +#define INT_MIN (-INT_MAX - 1) + +/* When debugging, define LINE to the line number of the test case to exercise + and avoid exercising any of the others. The buffer and objsize macros + below make use of LINE to avoid warnings for other lines. */ +#ifndef LINE +# define LINE 0 +#endif + +extern int int_value (void); +extern size_t size_value (void); + +int int_range (int min, int max) +{ + int n = int_value (); + return n < min || max < n ? min : n; +} + +void sink (int, char*, char*); + +int dummy_snprintf (char*, size_t, const char*, ...); + +char fixed_buffer [256]; +extern char *unknown_buffer; +extern size_t unknown_size; + +/* Helper to expand function to either __builtin_f or dummy_f to + make debugging GCC easy. */ +#define FUNC(f) \ + ((!LINE || LINE == __LINE__) ? __builtin_ ## f : dummy_ ## f) + +/* Helper test macro. */ +#define T(size, ...) \ + do { \ + size_t n = size < 0 ? unknown_size : size; \ + char *buf = size < 0 ? unknown_buffer \ + : n < sizeof fixed_buffer \ + ? fixed_buffer + sizeof fixed_buffer - size \ + : unknown_buffer; \ + FUNC (snprintf) (buf, n, __VA_ARGS__); \ + sink (0, fixed_buffer, unknown_buffer); \ + } while (0) + +/* Return a value in the range [MIN, MAX]. */ +#define IR(min, max) int_range (min, max) + +struct Arrays +{ + char a1[1]; + char a4k[4096]; + char a4kp1[4097]; +#if INT_MAX < LONG_MAX + char amax[INT_MAX]; +#else + char amax[32767]; +#endif + char ax[]; +}; + +void test_string_unchecked (const char *s, const struct Arrays *ar) +{ + /* Verify there is no warning with strings of unknown length. 
*/ + T (-1, "%-s", s); + T (-1, "%-s", ar->ax); + + T (-1, "%s%s", s, s); + T (-1, "%s%s", "", s); + T (-1, "%s%s", s, "1"); + T (-1, "%s%s", "1", s); + + /* Verify there is no warning with strings of length that cannot + exceed 4k (because of the array size). */ + T (-1, "%-s", ar->a1); + T (-1, "%-s", ar->a4k); + + /* Verify there's no "exceeds minimum required size of 4095" warning + with multiple %s directives and a combination of strings of unknown + (and potentially unbounded) length and strings whose length is + bounded by the size of the arrays they are stored in. */ + T (-1, "%s%s", s, ar->a4k); + T (-1, "%s%s", ar->a4k, s); + T (-1, "%s%s", ar->a4k, ar->a4k); + T (-1, "%s%s", ar->a4k, "123"); + T (-1, "%s%s", "123", ar->a4k); + T (-1, "%s%s", ar->ax, ar->a4k); + T (-1, "%s%s", ar->a4k, ar->ax); + + /* Verify that an array that fits a string longer than 4095 bytes + does trigger a warning. */ + T (-1, "%-s", ar->a4kp1); /* { dg-warning "directive output between 0 and 4096 bytes may exceed minimum required size of 4095" } */ + + /* Also verify that a %s directive with width greater than 4095 + triggers a warning even if the argument is not longer than 4k. */ + T (-1, "%*s", 4096, ar->a4k); /* { dg-warning "directive output of 4096 bytes exceeds minimum required size of 4095" } */ + + /* Verify that precision constrains the putput and suppresses the 4k + warning. */ + T (-1, "%.*s", 4095, ar->a4kp1); + + T (-1, "%s %s", s, ""); + T (-1, "%s %s", "", s); + T (-1, "%s %s", s, "1"); + T (-1, "%s %s", "1", s); + + T (-1, "%s%s%s", s, "1", s); + T (-1, "%s%s%s", "1", s, "1"); + T (-1, "%s%s%s", s, s, s); + T (-1, "%*s%*s%*s", 4093, s, 4094, s, 4095, s); + T (-1, "%s %s %s", s, s, s); + T (-1, "%s %s %s", ar->a4k, ar->a4k, ar->a4k); + T (-1, "%s %s %s", ar->ax, ar->ax, ar->ax); + + /* Verify that an array of INT_MAX elements doesn't trigger the INT_MAX + warning (LP64 only). 
*/ + T (-1, "%-s", ar->amax); /* { dg-warning "directive output between 0 and \[0-9\]+ bytes may exceed minimum required size of 4095" } */ +} + +#undef T +/* Helper test macro. */ +#define T(size, ...) \ + do { \ + size_t n = size < 0 ? unknown_size : size; \ + char *buf = size < 0 ? unknown_buffer \ + : n < sizeof fixed_buffer \ + ? fixed_buffer + sizeof fixed_buffer - size \ + : unknown_buffer; \ + int r = FUNC (snprintf) (buf, n, __VA_ARGS__); \ + sink (r, fixed_buffer, unknown_buffer); \ + } while (0) + +void test_string_checked (const char *s, const struct Arrays *ar) +{ + /* Verify there is no warning with strings of unknown length. */ + T (-1, "%-s", s); + T (-1, "%-s", ar->ax); + + T (-1, "%s%s", s, s); + T (-1, "%s%s", "", s); + T (-1, "%s%s", s, "1"); + T (-1, "%s%s", "1", s); + + /* Verify there is no warning with strings of length that cannot + exceed 4k (because of the array size). */ + T (-1, "%-s", ar->a1); + T (-1, "%-s", ar->a4k); + + /* Verify there's no "exceeds minimum required size of 4095" warning + with multiple %s directives and a combination of strings of unknown + (and potentially unbounded) length and strings whose length is + bounded by the size of the arrays they are stored in. */ + T (-1, "%s%s", s, ar->a4k); + T (-1, "%s%s", ar->a4k, s); + T (-1, "%s%s", ar->a4k, ar->a4k); + T (-1, "%s%s", ar->a4k, "123"); + T (-1, "%s%s", "123", ar->a4k); + T (-1, "%s%s", ar->ax, ar->a4k); + T (-1, "%s%s", ar->a4k, ar->ax); + + /* Verify that an array that fits a string longer than 4095 bytes + does trigger a warning. */ + T (-1, "%-s", ar->a4kp1); /* { dg-warning "directive output between 0 and 4096 bytes may exceed minimum required size of 4095" } */ + + /* Also verify that a %s directive with width greater than 4095 + triggers a warning even if the argument is not longer than 4k. 
*/ + T (-1, "%*s", 4096, ar->a4k); /* { dg-warning "directive output of 4096 bytes exceeds minimum required size of 4095" } */ + + /* Verify that precision constrains the putput and suppresses the 4k + warning. */ + T (-1, "%.*s", 4095, ar->a4kp1); + + T (-1, "%s %s", s, ""); + T (-1, "%s %s", "", s); + T (-1, "%s %s", s, "1"); + T (-1, "%s %s", "1", s); + + T (-1, "%s%s%s", s, "1", s); + T (-1, "%s%s%s", "1", s, "1"); + T (-1, "%s%s%s", s, s, s); + T (-1, "%*s%*s%*s", 4093, s, 4094, s, 4095, s); + T (-1, "%s %s %s", s, s, s); + T (-1, "%s %s %s", ar->a4k, ar->a4k, ar->a4k); + T (-1, "%s %s %s", ar->ax, ar->ax, ar->ax); + + T (-1, "%-s", ar->amax); /* { dg-warning "directive output between 0 and \[0-9\]+ bytes may exceed minimum required size of 4095" } */ +} diff --git a/gcc/testsuite/gcc.dg/tree-ssa/pr79448-2.c b/gcc/testsuite/gcc.dg/tree-ssa/pr79448-2.c new file mode 100644 index 0000000..f75f523 --- /dev/null +++ b/gcc/testsuite/gcc.dg/tree-ssa/pr79448-2.c @@ -0,0 +1,21 @@ +/* PR middle-end/79448 - unhelpful -Wformat-truncation=2 warning + Verify that there's no warning with optimization. + { dg-do compile } + { dg-options "-O2 -Wall -Wformat -Wformat-truncation=2" } */ + +typedef __SIZE_TYPE__ size_t; + +extern int +snprintf (char*, size_t, const char*, ...); + +char* +gettext (char*); + +char* +fill (char *buf, size_t len, int count) +{ + if (snprintf (buf, len, "%s: %d", gettext ("count"), count) >= len) /* { dg-bogus "directive output of 2 bytes causes result to exceed .INT_MAX." */ + return 0; + + return buf; +} diff --git a/gcc/testsuite/gcc.dg/tree-ssa/pr79448.c b/gcc/testsuite/gcc.dg/tree-ssa/pr79448.c new file mode 100644 index 0000000..c346c9e --- /dev/null +++ b/gcc/testsuite/gcc.dg/tree-ssa/pr79448.c 
@@ -0,0 +1,21 @@ +/* PR middle-end/79448 - unhelpful -Wformat-truncation=2 warning + Verify that there's no warning without optimization. + { dg-do compile } + { dg-options "-Wall -Wformat -Wformat-truncation=2" } */ + +typedef __SIZE_TYPE__ size_t; + +extern int +snprintf (char*, size_t, const char*, ...); + +char* +gettext (char*); + +char* +fill (char *buf, size_t len, int count) +{ + if (snprintf (buf, len, "%s: %d", gettext ("count"), count) >= len) /* { dg-bogus "directive output of 2 bytes causes result to exceed .INT_MAX." */ + return 0; + + return buf; +}
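
Review bot: in the first gimple-ssa-sprintf.c hunk (format_directive, at -2561) the retained comment still reads "It doesn't matter if the unlikely maximum overflows", but the added `if (res->range.unlikely < save) res->range.unlikely = HOST_WIDE_INT_M1U;` saturates the sum precisely because overflow now does matter. Please update the comment to say that the total is clamped to HOST_WIDE_INT_M1U on wraparound and why the later INT_MAX check depends on it. The two accumulations that follow, `res->range.min += fmtres.range.min;` and `res->range.likely += fmtres.range.likely;`, remain unguarded; a sentence on why they cannot wrap would help.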
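
Review bot: in the second gimple-ssa-sprintf.c hunk (at -2616) the new comment and the new condition for `maxximax` disagree. The comment names HOST_WIDE_INT_M1U as the marker for a string of unknown length, while the test is `res->range.max < HOST_WIDE_INT_MAX`, which exempts every value from HOST_WIDE_INT_MAX upward and not only the sentinel. Either compare against the value the comment names or reword the comment to describe the actual cut-off. The comment is also missing the closing parenthesis after "HOST_WIDE_INT_M1U.", and `likelyximax` gets no equivalent guard; a note on why the likely counter cannot carry the sentinel would make that intentional.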
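
Review bot: in builtin-snprintf-warn-3.c, `#if INT_MAX < LONG_MAX` inside struct Arrays tests a macro the file never defines. Only INT_MAX and INT_MIN are defined and no header is included, so LONG_MAX evaluates to 0 in the #if, the condition is false on every target, and `char amax[32767];` is always selected; the INT_MAX-element array meant for LP64 is never compiled. Adding `#define LONG_MAX __LONG_MAX__` next to the INT_MAX definition would fix this. The comment above the first `ar->amax` case says the array "doesn't trigger the INT_MAX warning" while the line carries a dg-warning for the 4095 limit; saying that the 4095 diagnostic is still expected would avoid confusion. "putput" should read "output" in both copies of the precision comment.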
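
Review bot: the dg-bogus directive on the snprintf line in pr79448-2.c, and the identical line in pr79448.c, is missing its closing brace: the comment goes from `exceed .INT_MAX."` straight to `*/`. Without the terminating `}` the directive is unlikely to be recognised by the test harness, in which case both tests pass without checking for the diagnostic they are meant to guard against. Please close it as `{ dg-bogus "..." }` in both files and confirm the tests fail without the gimple-ssa-sprintf.c change.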