This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
docs/
3/3
ReleaseNotes.rst
-
lib/Sema/
-
Sema/
2/2
SemaChecking.cpp
-
test/Sema/
-
Sema/
5/5
warn-fortify-source.c

Differential D159138

[clang][Sema] Fix format size estimator's handling of %o, %x, %X with alternative form
ClosedPublic

Authored by hazohelet on Aug 29 2023, 2:08 PM.

Download Raw Diff

Details

Reviewers

aaron.ballman
nickdesaulniers
serge-sans-paille

Commits

rG72f6abb9bca6: [clang][Sema] Fix format size estimator's handling of %o, %x, %X with…

Summary

The wrong handling of %x specifier with alternative form causes a false positive in linux kernel (https://github.com/ClangBuiltLinux/linux/issues/1923#issuecomment-1696075886)

The kernel code: https://github.com/torvalds/linux/blob/651a00bc56403161351090a9d7ddbd7095975324/drivers/media/pci/cx18/cx18-mailbox.c#L99

This patch fixes this handling, and also adds some standard wordings as comments to clarify the reason.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

hazohelet created this revision.Aug 29 2023, 2:08 PM

Herald added a project: Restricted Project. · View Herald TranscriptAug 29 2023, 2:08 PM

hazohelet requested review of this revision.Aug 29 2023, 2:08 PM

Herald added a project: Restricted Project. · View Herald TranscriptAug 29 2023, 2:08 PM

Harbormaster completed remote builds in B255624: Diff 554484.Aug 29 2023, 6:13 PM

serge-sans-paille added inline comments.Aug 30 2023, 12:19 AM

clang/lib/Sema/SemaChecking.cpp
966	Then couldn't we increase the Size if the `FieldWidth` is unspecified?

hazohelet marked an inline comment as done.Aug 30 2023, 2:31 AM

hazohelet added inline comments.

clang/lib/Sema/SemaChecking.cpp
966	We cannot, unless the formatted integer is known to be nonzero. `("%#x", 0)` is `"0"` and not `"0x0"`

Mind adding tests for %#X and %#o as well, since you're changing the behavior of those, too?

I think it would also be good to have explicit tests for %o and %b where the value being printed was and was not 0. IIUC, we cannot diagnose those (unless a literal value is being printed)?

(Thanks for finding that one of the kernel cases was a false positive!)

Added %X and %o tests, which are also affected

Harbormaster completed remote builds in B256028: Diff 555043.Aug 31 2023, 8:24 AM

In D159138#4628858, @nickdesaulniers wrote:

Mind adding tests for %#X and %#o as well, since you're changing the behavior of those, too?

I think it would also be good to have explicit tests for %o and %b where the value being printed was and was not 0. IIUC, we cannot diagnose those (unless a literal value is being printed)?

(Thanks for finding that one of the kernel cases was a false positive!)

The current implementation only sees the format string and calculates the minimum possible length without taking into accout the actual value passed to it. So currently every case assumes that the value can be 0, even when a literal is passed.
Even if the printed expression is not literal, we can use something like Expr::EvaluateAsRValue to learn about the printed value.

As for the %b, it's C23 feature and Wfortify-source doesn't seem to support it yet (%b is considered a valid specifier, but does not increase Size here). I think %b tests should be added when we support it.

nickdesaulniers added inline comments.Aug 31 2023, 8:37 AM

clang/test/Sema/warn-fortify-source.c
100–102	Note that GCC -Wformat-truncation can warn on some of these. https://godbolt.org/z/jE3axWe1W Looks like the diagnostic keeps an up and lower bounds on the estimated format string expansion. Trunk for Clang also warns for these, so is this change a regression? Or are both GCC and Clang (trunk) incorrect?
121–123	Clang @ trunk and GCC both warn for these 3. Regression? https://godbolt.org/z/j551hTE5E

hazohelet added inline comments.Aug 31 2023, 6:57 PM

clang/test/Sema/warn-fortify-source.c
100–102	Clang trunk is saying something factually incorrect because it says the output `will always be truncated`, when in fact `__builtin_snprintf(buf, 2, "%#x", n);` doesn't trigger truncation if `n` is zero. GCC is correct but is more conservative than clang's `ALWAYS be truncated` diagnostics. GCC's warning message is `... directive output MAY BE truncated` . GCC doesn't warn on it when `n` is known to be zero. (https://godbolt.org/z/E51a3Pfhr) GCC's behavior makes sense here because the truncation does happen whenever `n` is not zero. If the user knows `n` is zero then they have no reason to use `%#x` specifier. So, I think it makes sense to assume `n` is not zero and emit diagnostics, but it definitely needs diagnostics rewording like `is likely to be truncated`.

Ping

serge-sans-paille added inline comments.Sep 8 2023, 11:27 AM

clang/docs/ReleaseNotes.rst
125	??
139	looks like a leak from another patch ^^!

Thanks for the patch!

clang/test/Sema/warn-fortify-source.c
100–102	I see; thanks for the explanation. Sorry for the code review delay; I missed this comment in my inbox.

This revision is now accepted and ready to land.Sep 8 2023, 11:44 AM

Thanks for the review!

clang/docs/ReleaseNotes.rst
125	I'm not seeing any diff around here, so perhaps you were seeing some Phabricator bug?
clang/test/Sema/warn-fortify-source.c
100–102	As a future plan, I think it's generally good to follow GCC's behavior regarding this format warning considering GCC's high smartness on it. I want to emit some warning here like GCC does because users are highly likely to expect non-zero value to be printed, but I think it's reasonable to defer it for now because it's not ideal to add a new warning flag when we are considering changing this warning's flag from `Wfortify-source` to `Wformat-truncation`

This revision was landed with ongoing or failed builds.Sep 11 2023, 8:23 PM

Closed by commit rG72f6abb9bca6: [clang][Sema] Fix format size estimator's handling of %o, %x, %X with… (authored by hazohelet). · Explain Why

This revision was automatically updated to reflect the committed changes.

hazohelet marked an inline comment as done.

hazohelet added a commit: rG72f6abb9bca6: [clang][Sema] Fix format size estimator's handling of %o, %x, %X with….

Revision Contents

Path

Size

clang/

docs/

ReleaseNotes.rst

2 lines

lib/

Sema/

SemaChecking.cpp

29 lines

test/

Sema/

warn-fortify-source.c

20 lines

Diff 556516

clang/docs/ReleaseNotes.rst

Show First 20 Lines • Show All 116 Lines • ▼ Show 20 Lines

Deprecated Compiler Flags		Deprecated Compiler Flags
-------------------------		-------------------------

Modified Compiler Flags		Modified Compiler Flags
-----------------------		-----------------------

* ``-Woverriding-t-option`` is renamed to ``-Woverriding-option``.		* ``-Woverriding-t-option`` is renamed to ``-Woverriding-option``.
* ``-Winterrupt-service-routine`` is renamed to ``-Wexcessive-regsave`` as a generalization		* ``-Winterrupt-service-routine`` is renamed to ``-Wexcessive-regsave`` as a generalization
		serge-sans-pailleUnsubmitted Done Reply Inline Actions ?? serge-sans-paille: ??
		hazoheletAuthorUnsubmitted Done Reply Inline Actions I'm not seeing any diff around here, so perhaps you were seeing some Phabricator bug? hazohelet: I'm not seeing any diff around here, so perhaps you were seeing some Phabricator bug?

Removed Compiler Flags		Removed Compiler Flags
-------------------------		-------------------------

* ``-enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang`` has been removed.		* ``-enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang`` has been removed.
It has not been needed to enable ``-ftrivial-auto-var-init=zero`` since Clang 16.		It has not been needed to enable ``-ftrivial-auto-var-init=zero`` since Clang 16.

Attribute Changes in Clang		Attribute Changes in Clang
--------------------------		--------------------------
- On X86, a warning is now emitted if a function with ``__attribute__((no_caller_saved_registers))``		- On X86, a warning is now emitted if a function with ``__attribute__((no_caller_saved_registers))``
calls a function without ``__attribute__((no_caller_saved_registers))``, and is not compiled with		calls a function without ``__attribute__((no_caller_saved_registers))``, and is not compiled with
``-mgeneral-regs-only``		``-mgeneral-regs-only``
- On X86, a function with ``__attribute__((interrupt))`` can now call a function without		- On X86, a function with ``__attribute__((interrupt))`` can now call a function without
``__attribute__((no_caller_saved_registers))`` provided that it is compiled with ``-mgeneral-regs-only``		``__attribute__((no_caller_saved_registers))`` provided that it is compiled with ``-mgeneral-regs-only``
		serge-sans-pailleUnsubmitted Done Reply Inline Actions looks like a leak from another patch ^^! serge-sans-paille: looks like a leak from another patch ^^!

- When a non-variadic function is decorated with the ``format`` attribute,		- When a non-variadic function is decorated with the ``format`` attribute,
Clang now checks that the format string would match the function's parameters'		Clang now checks that the format string would match the function's parameters'
types after default argument promotion. As a result, it's no longer an		types after default argument promotion. As a result, it's no longer an
automatic diagnostic to use parameters of types that the format style		automatic diagnostic to use parameters of types that the format style
supports but that are never the result of default argument promotion, such as		supports but that are never the result of default argument promotion, such as
``float``. (`#59824: <https://github.com/llvm/llvm-project/issues/59824>`_)		``float``. (`#59824: <https://github.com/llvm/llvm-project/issues/59824>`_)

Show All 11 Lines	- Clang's ``-Wtautological-negation-compare`` flag now diagnoses logical
(`#56035: <https://github.com/llvm/llvm-project/issues/56035>`_).		(`#56035: <https://github.com/llvm/llvm-project/issues/56035>`_).
- Clang constexpr evaluator now diagnoses compound assignment operators against		- Clang constexpr evaluator now diagnoses compound assignment operators against
uninitialized variables as a read of uninitialized object.		uninitialized variables as a read of uninitialized object.
(`#51536 <https://github.com/llvm/llvm-project/issues/51536>`_)		(`#51536 <https://github.com/llvm/llvm-project/issues/51536>`_)
- Clang's ``-Wfortify-source`` now diagnoses ``snprintf`` call that is known to		- Clang's ``-Wfortify-source`` now diagnoses ``snprintf`` call that is known to
result in string truncation.		result in string truncation.
(`#64871: <https://github.com/llvm/llvm-project/issues/64871>`_).		(`#64871: <https://github.com/llvm/llvm-project/issues/64871>`_).
Also clang no longer emits false positive warnings about the output length of		Also clang no longer emits false positive warnings about the output length of
``%g`` format specifier.		``%g`` format specifier and about ``%o, %x, %X`` with ``#`` flag.
- Clang now emits ``-Wcast-qual`` for functional-style cast expressions.		- Clang now emits ``-Wcast-qual`` for functional-style cast expressions.

Bug Fixes in This Version		Bug Fixes in This Version
-------------------------		-------------------------
- Fixed an issue where a class template specialization whose declaration is		- Fixed an issue where a class template specialization whose declaration is
instantiated in one module and whose definition is instantiated in another		instantiated in one module and whose definition is instantiated in another
module may end up with members associated with the wrong declaration of the		module may end up with members associated with the wrong declaration of the
class, which can result in miscompiles in some cases.		class, which can result in miscompiles in some cases.
▲ Show 20 Lines • Show All 254 Lines • Show Last 20 Lines

clang/lib/Sema/SemaChecking.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 884 Lines • ▼ Show 20 Lines	bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
case analyze_format_string::ConversionSpecifier::xArg:		case analyze_format_string::ConversionSpecifier::xArg:
case analyze_format_string::ConversionSpecifier::XArg:		case analyze_format_string::ConversionSpecifier::XArg:
Size += std::max(FieldWidth, Precision);		Size += std::max(FieldWidth, Precision);
break;		break;

// %g style conversion switches between %f or %e style dynamically.		// %g style conversion switches between %f or %e style dynamically.
// %g removes trailing zeros, and does not print decimal point if there are		// %g removes trailing zeros, and does not print decimal point if there are
// no digits that follow it. Thus %g can print a single digit.		// no digits that follow it. Thus %g can print a single digit.
		// FIXME: If it is alternative form:
		// For g and G conversions, trailing zeros are not removed from the result.
case analyze_format_string::ConversionSpecifier::gArg:		case analyze_format_string::ConversionSpecifier::gArg:
case analyze_format_string::ConversionSpecifier::GArg:		case analyze_format_string::ConversionSpecifier::GArg:
Size += 1;		Size += 1;
break;		break;

// Floating point number in the form '[+]ddd.ddd'.		// Floating point number in the form '[+]ddd.ddd'.
case analyze_format_string::ConversionSpecifier::fArg:		case analyze_format_string::ConversionSpecifier::fArg:
case analyze_format_string::ConversionSpecifier::FArg:		case analyze_format_string::ConversionSpecifier::FArg:
▲ Show 20 Lines • Show All 41 Lines • ▼ Show 20 Lines	bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
default:		default:
break;		break;
}		}

Size += FS.hasPlusPrefix() \|\| FS.hasSpacePrefix();		Size += FS.hasPlusPrefix() \|\| FS.hasSpacePrefix();

if (FS.hasAlternativeForm()) {		if (FS.hasAlternativeForm()) {
switch (FS.getConversionSpecifier().getKind()) {		switch (FS.getConversionSpecifier().getKind()) {
default:		// For o conversion, it increases the precision, if and only if necessary,
break;		// to force the first digit of the result to be a zero
// Force a leading '0'.		// (if the value and precision are both 0, a single 0 is printed)
case analyze_format_string::ConversionSpecifier::oArg:		case analyze_format_string::ConversionSpecifier::oArg:
Size += 1;		// For b conversion, a nonzero result has 0b prefixed to it.
break;		case analyze_format_string::ConversionSpecifier::bArg:
// Force a leading '0x'.		// For x (or X) conversion, a nonzero result has 0x (or 0X) prefixed to
		// it.
case analyze_format_string::ConversionSpecifier::xArg:		case analyze_format_string::ConversionSpecifier::xArg:
case analyze_format_string::ConversionSpecifier::XArg:		case analyze_format_string::ConversionSpecifier::XArg:
Size += 2;		// Note: even when the prefix is added, if
break;		// (prefix_width <= FieldWidth - formatted_length) holds,
// Force a period '.' before decimal, even if precision is 0.		// the prefix does not increase the format
		// size. e.g.(("%#3x", 0xf) is "0xf")

		serge-sans-pailleUnsubmitted Done Reply Inline Actions Then couldn't we increase the Size if the `FieldWidth` is unspecified? serge-sans-paille: Then couldn't we increase the Size if the `FieldWidth` is unspecified?
		hazoheletAuthorUnsubmitted Done Reply Inline Actions We cannot, unless the formatted integer is known to be nonzero. `("%#x", 0)` is `"0"` and not `"0x0"` hazohelet: We cannot, unless the formatted integer is known to be nonzero. `("%#x", 0)` is `"0"` and not…
		// If the result is zero, o, b, x, X adds nothing.
		break;
		// For a, A, e, E, f, F, g, and G conversions,
		// the result of converting a floating-point number always contains a
		// decimal-point
case analyze_format_string::ConversionSpecifier::aArg:		case analyze_format_string::ConversionSpecifier::aArg:
case analyze_format_string::ConversionSpecifier::AArg:		case analyze_format_string::ConversionSpecifier::AArg:
case analyze_format_string::ConversionSpecifier::eArg:		case analyze_format_string::ConversionSpecifier::eArg:
case analyze_format_string::ConversionSpecifier::EArg:		case analyze_format_string::ConversionSpecifier::EArg:
case analyze_format_string::ConversionSpecifier::fArg:		case analyze_format_string::ConversionSpecifier::fArg:
case analyze_format_string::ConversionSpecifier::FArg:		case analyze_format_string::ConversionSpecifier::FArg:
case analyze_format_string::ConversionSpecifier::gArg:		case analyze_format_string::ConversionSpecifier::gArg:
case analyze_format_string::ConversionSpecifier::GArg:		case analyze_format_string::ConversionSpecifier::GArg:
Size += (Precision ? 0 : 1);		Size += (Precision ? 0 : 1);
break;		break;
		// For other conversions, the behavior is undefined.
		default:
		break;
}		}
}		}
assert(SpecifierLen <= Size && "no underflow");		assert(SpecifierLen <= Size && "no underflow");
Size -= SpecifierLen;		Size -= SpecifierLen;
return true;		return true;
}		}

size_t getSizeLowerBound() const { return Size; }		size_t getSizeLowerBound() const { return Size; }
▲ Show 20 Lines • Show All 18,356 Lines • Show Last 20 Lines

clang/test/Sema/warn-fortify-source.c

Show First 20 Lines • Show All 79 Lines • ▼ Show 20 Lines
}		}

void call_memset(void) {		void call_memset(void) {
char buf[10];		char buf[10];
__builtin_memset(buf, 0xff, 10);		__builtin_memset(buf, 0xff, 10);
__builtin_memset(buf, 0xff, 11); // expected-warning {{'memset' will always overflow; destination buffer has size 10, but size argument is 11}}		__builtin_memset(buf, 0xff, 11); // expected-warning {{'memset' will always overflow; destination buffer has size 10, but size argument is 11}}
}		}

void call_snprintf(double d) {		void call_snprintf(double d, int n) {
char buf[10];		char buf[10];
__builtin_snprintf(buf, 10, "merp");		__builtin_snprintf(buf, 10, "merp");
__builtin_snprintf(buf, 11, "merp"); // expected-warning {{'snprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}		__builtin_snprintf(buf, 11, "merp"); // expected-warning {{'snprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}
__builtin_snprintf(buf, 0, "merp");		__builtin_snprintf(buf, 0, "merp");
__builtin_snprintf(buf, 3, "merp"); // expected-warning {{'snprintf' will always be truncated; specified size is 3, but format string expands to at least 5}}		__builtin_snprintf(buf, 3, "merp"); // expected-warning {{'snprintf' will always be truncated; specified size is 3, but format string expands to at least 5}}
__builtin_snprintf(buf, 4, "merp"); // expected-warning {{'snprintf' will always be truncated; specified size is 4, but format string expands to at least 5}}		__builtin_snprintf(buf, 4, "merp"); // expected-warning {{'snprintf' will always be truncated; specified size is 4, but format string expands to at least 5}}
__builtin_snprintf(buf, 5, "merp");		__builtin_snprintf(buf, 5, "merp");
__builtin_snprintf(buf, 1, "%.1000g", d); // expected-warning {{'snprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}		__builtin_snprintf(buf, 1, "%.1000g", d); // expected-warning {{'snprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}
__builtin_snprintf(buf, 5, "%.1000g", d);		__builtin_snprintf(buf, 5, "%.1000g", d);
__builtin_snprintf(buf, 5, "%.1000G", d);		__builtin_snprintf(buf, 5, "%.1000G", d);
		__builtin_snprintf(buf, 10, " %#08x", n);
		__builtin_snprintf(buf, 2, "%#x", n);
		__builtin_snprintf(buf, 2, "%#X", n);
		__builtin_snprintf(buf, 2, "%#o", n);
		nickdesaulniersUnsubmitted Done Reply Inline Actions Note that GCC -Wformat-truncation can warn on some of these. https://godbolt.org/z/jE3axWe1W Looks like the diagnostic keeps an up and lower bounds on the estimated format string expansion. Trunk for Clang also warns for these, so is this change a regression? Or are both GCC and Clang (trunk) incorrect? nickdesaulniers: Note that GCC -Wformat-truncation can warn on some of these. https://godbolt.org/z/jE3axWe1W…
		hazoheletAuthorUnsubmitted Done Reply Inline Actions Clang trunk is saying something factually incorrect because it says the output `will always be truncated`, when in fact `__builtin_snprintf(buf, 2, "%#x", n);` doesn't trigger truncation if `n` is zero. GCC is correct but is more conservative than clang's `ALWAYS be truncated` diagnostics. GCC's warning message is `... directive output MAY BE truncated` . GCC doesn't warn on it when `n` is known to be zero. (https://godbolt.org/z/E51a3Pfhr) GCC's behavior makes sense here because the truncation does happen whenever `n` is not zero. If the user knows `n` is zero then they have no reason to use `%#x` specifier. So, I think it makes sense to assume `n` is not zero and emit diagnostics, but it definitely needs diagnostics rewording like `is likely to be truncated`. hazohelet: Clang trunk is saying something factually incorrect because it says the output `will always be…
		nickdesaulniersUnsubmitted Done Reply Inline Actions I see; thanks for the explanation. Sorry for the code review delay; I missed this comment in my inbox. nickdesaulniers: I see; thanks for the explanation. Sorry for the code review delay; I missed this comment in my…
		hazoheletAuthorUnsubmitted Done Reply Inline Actions As a future plan, I think it's generally good to follow GCC's behavior regarding this format warning considering GCC's high smartness on it. I want to emit some warning here like GCC does because users are highly likely to expect non-zero value to be printed, but I think it's reasonable to defer it for now because it's not ideal to add a new warning flag when we are considering changing this warning's flag from `Wfortify-source` to `Wformat-truncation` hazohelet: As a future plan, I think it's generally good to follow GCC's behavior regarding this format…
		__builtin_snprintf(buf, 1, "%#x", n); // expected-warning {{'snprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}
		__builtin_snprintf(buf, 1, "%#X", n); // expected-warning {{'snprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}
		__builtin_snprintf(buf, 1, "%#o", n); // expected-warning {{'snprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}
}		}

void call_vsnprintf(void) {		void call_vsnprintf(void) {
char buf[10];		char buf[10];
__builtin_va_list list;		__builtin_va_list list;
__builtin_vsnprintf(buf, 10, "merp", list);		__builtin_vsnprintf(buf, 10, "merp", list);
__builtin_vsnprintf(buf, 11, "merp", list); // expected-warning {{'vsnprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}		__builtin_vsnprintf(buf, 11, "merp", list); // expected-warning {{'vsnprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}
__builtin_vsnprintf(buf, 0, "merp", list);		__builtin_vsnprintf(buf, 0, "merp", list);
__builtin_vsnprintf(buf, 3, "merp", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 3, but format string expands to at least 5}}		__builtin_vsnprintf(buf, 3, "merp", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 3, but format string expands to at least 5}}
__builtin_vsnprintf(buf, 4, "merp", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 4, but format string expands to at least 5}}		__builtin_vsnprintf(buf, 4, "merp", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 4, but format string expands to at least 5}}
__builtin_vsnprintf(buf, 5, "merp", list);		__builtin_vsnprintf(buf, 5, "merp", list);
__builtin_vsnprintf(buf, 1, "%.1000g", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}		__builtin_vsnprintf(buf, 1, "%.1000g", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}
__builtin_vsnprintf(buf, 5, "%.1000g", list);		__builtin_vsnprintf(buf, 5, "%.1000g", list);
__builtin_vsnprintf(buf, 5, "%.1000G", list);		__builtin_vsnprintf(buf, 5, "%.1000G", list);
		__builtin_vsnprintf(buf, 10, " %#08x", list);
		__builtin_vsnprintf(buf, 2, "%#x", list);
		__builtin_vsnprintf(buf, 2, "%#X", list);
		__builtin_vsnprintf(buf, 2, "%#o", list);
		nickdesaulniersUnsubmitted Done Reply Inline Actions Clang @ trunk and GCC both warn for these 3. Regression? https://godbolt.org/z/j551hTE5E nickdesaulniers: Clang @ trunk and GCC both warn for these 3. Regression? https://godbolt.org/z/j551hTE5E
		__builtin_vsnprintf(buf, 1, "%#x", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}
		__builtin_vsnprintf(buf, 1, "%#X", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}
		__builtin_vsnprintf(buf, 1, "%#o", list); // expected-warning {{'vsnprintf' will always be truncated; specified size is 1, but format string expands to at least 2}}
}		}

void call_sprintf_chk(char *buf) {		void call_sprintf_chk(char *buf) {
__builtin___sprintf_chk(buf, 1, 6, "hell\n");		__builtin___sprintf_chk(buf, 1, 6, "hell\n");
__builtin___sprintf_chk(buf, 1, 5, "hell\n"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}		__builtin___sprintf_chk(buf, 1, 5, "hell\n"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}
__builtin___sprintf_chk(buf, 1, 6, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}} \		__builtin___sprintf_chk(buf, 1, 6, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}} \
// nofortify-warning {{format string contains '\0' within the string body}}		// nofortify-warning {{format string contains '\0' within the string body}}
__builtin___sprintf_chk(buf, 1, 2, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}} \		__builtin___sprintf_chk(buf, 1, 2, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}} \
Show All 21 Lines	void call_sprintf_chk(char *buf) {
__builtin___sprintf_chk(buf, 1, 1, "%hd", (short)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}		__builtin___sprintf_chk(buf, 1, 1, "%hd", (short)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%ld", 9l);		__builtin___sprintf_chk(buf, 1, 2, "%ld", 9l);
__builtin___sprintf_chk(buf, 1, 1, "%ld", 9l); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}		__builtin___sprintf_chk(buf, 1, 1, "%ld", 9l); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%lld", 9ll);		__builtin___sprintf_chk(buf, 1, 2, "%lld", 9ll);
__builtin___sprintf_chk(buf, 1, 1, "%lld", 9ll); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}		__builtin___sprintf_chk(buf, 1, 1, "%lld", 9ll); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%%");		__builtin___sprintf_chk(buf, 1, 2, "%%");
__builtin___sprintf_chk(buf, 1, 1, "%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}		__builtin___sprintf_chk(buf, 1, 1, "%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 4, "%#x", 9);		__builtin___sprintf_chk(buf, 1, 4, "%#x", 9);
__builtin___sprintf_chk(buf, 1, 3, "%#x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}}		__builtin___sprintf_chk(buf, 1, 3, "%#x", 9);
__builtin___sprintf_chk(buf, 1, 4, "%p", (void *)9);		__builtin___sprintf_chk(buf, 1, 4, "%p", (void *)9);
__builtin___sprintf_chk(buf, 1, 3, "%p", (void *)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}}		__builtin___sprintf_chk(buf, 1, 3, "%p", (void *)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}}
__builtin___sprintf_chk(buf, 1, 3, "%+d", 9);		__builtin___sprintf_chk(buf, 1, 3, "%+d", 9);
__builtin___sprintf_chk(buf, 1, 2, "%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 3}}		__builtin___sprintf_chk(buf, 1, 2, "%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 3}}
__builtin___sprintf_chk(buf, 1, 3, "% i", 9);		__builtin___sprintf_chk(buf, 1, 3, "% i", 9);
__builtin___sprintf_chk(buf, 1, 2, "% i", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 3}}		__builtin___sprintf_chk(buf, 1, 2, "% i", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 3}}
__builtin___sprintf_chk(buf, 1, 6, "%5d", 9);		__builtin___sprintf_chk(buf, 1, 6, "%5d", 9);
__builtin___sprintf_chk(buf, 1, 5, "%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}		__builtin___sprintf_chk(buf, 1, 5, "%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}
Show All 20 Lines	void call_sprintf(void) {
sprintf(buf, "12345%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "12345%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "1234%c", '9');		sprintf(buf, "1234%c", '9');
sprintf(buf, "12345%c", '9'); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "12345%c", '9'); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "1234%d", 9);		sprintf(buf, "1234%d", 9);
sprintf(buf, "12345%d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "12345%d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "1234%lld", 9ll);		sprintf(buf, "1234%lld", 9ll);
sprintf(buf, "12345%lld", 9ll); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "12345%lld", 9ll); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "12%#x", 9);		sprintf(buf, "12%#x", 9);
sprintf(buf, "123%#x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "123%#x", 9);
sprintf(buf, "12%p", (void *)9);		sprintf(buf, "12%p", (void *)9);
sprintf(buf, "123%p", (void *)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "123%p", (void *)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "123%+d", 9);		sprintf(buf, "123%+d", 9);
sprintf(buf, "1234%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "1234%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "123% i", 9);		sprintf(buf, "123% i", 9);
sprintf(buf, "1234% i", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "1234% i", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "%5d", 9);		sprintf(buf, "%5d", 9);
sprintf(buf, "1%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}		sprintf(buf, "1%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
Show All 29 Lines