This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/Basic/
-
clang/
-
Basic/
1
DiagnosticSemaKinds.td
-
lib/Sema/
-
Sema/
10/17
SemaChecking.cpp
-
test/Sema/
-
Sema/
1
warn-fortify-source.c

Differential D71566

New checks for fortified sprintf
ClosedPublic

Authored by serge-sans-paille on Dec 16 2019, 1:19 PM.

Download Raw Diff

Details

Reviewers

erik.pilkington
aaron.ballman
rsmith

Commits

rG6d485ff455ea: Improve static checks for sprintf and __builtin___sprintf_chk

Summary

Implement a pessimistic evaluator of the minimal required size for a buffer based on the format string, and couple that with the fortified version to emit a warning when the buffer size is lower than the lower bound computed from the format string.

See the test cases for examples of warnings, and https://github.com/serge-sans-paille/llvm-project/pull/6/checks for the cross-platform validation.

Note: The lower bound could be improved, but I'd rather do that in an incremental commit, if that's okay with the reviewers.

Edit: thanks to @aaron.ballman interest, I've been able to support al(most|l) the scanf specification, ending up with a rather complete support.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

serge-sans-paille created this revision.Dec 16 2019, 1:19 PM

Herald added subscribers: cfe-commits, dexonsmith. · View Herald TranscriptDec 16 2019, 1:19 PM

Thanks for working on this! I think this would be a really useful diagnostic to have.

clang/lib/Sema/SemaChecking.cpp
392	nit: `namespace {`
580–581	Can you delete this comment now?
596	`Optional<APSInt>` might be a better way of representing this?
601	Can't you do this for `Builtin::sprintf` as well? The diagnostic would still be worth issuing when `_FORTIFY_SOURCE` is disabled.
605	Will this assert on: `sprintf(buf, L"foo");`? Not that that makes any sense, but we shouldn't crash.
612	I'm not sure why you're using `min` here, can you add a comment?

Take remarks into account:

support sprintf when the buffer has a known static size
use llvm::Optional
some extra minor tweaks.

serge-sans-paille marked 7 inline comments as done.Dec 17 2019, 3:47 AM

serge-sans-paille added inline comments.

clang/lib/Sema/SemaChecking.cpp
580–581	I only deleted the one related to sprintf
605	Still need to check that.

Prevent assert upon wide string format
More test cases

serge-sans-paille marked 2 inline comments as done.Dec 17 2019, 5:41 AM

serge-sans-paille added inline comments.

clang/lib/Sema/SemaChecking.cpp
605	Checked and fixed!

riccibruno added a subscriber: riccibruno.Dec 17 2019, 6:46 AM

Support %% and %c

@erik.pilkington up?

erik.pilkington added reviewers: aaron.ballman, rsmith.Jan 16 2020, 9:45 PM

erik.pilkington added inline comments.

clang/lib/Sema/SemaChecking.cpp
621	Wait, does this actually return a smaller length if there is a null-terminator embedded in the string? It looks like Format->getString() returns a StringRef with embedded nul bytes and .size() is returning the length. You might have to do something like: `FormatStrRef.find('0');`. Can you add a test for this?

Update size computation + test case involving null byte inside the format string.

Unit tests: fail. 61975 tests passed, 1 failed and 783 were skipped.

failed: LLVM.Bindings/Go/go.test

clang-tidy: unknown.

clang-format: fail. Please format your changes with clang-format by running git-clang-format HEAD^ or applying this patch.

Build artifacts: diff.json, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Harbormaster failed remote builds in B44312: Diff 238868!Jan 17 2020, 1:26 PM

aaron.ballman added inline comments.Jan 20 2020, 8:29 AM

clang/include/clang/Basic/DiagnosticSemaKinds.td
745–746	I'm fine with the current wording because it's consistent with the existing diagnostics, but I wish we would quantify the size with units in these diagnostics. (e.g., mention that this is measured in bytes as opposed to anything else).
clang/lib/Sema/SemaChecking.cpp
405–406	Naming nits: `StartSpecifier` and `SpecifierLen`. It looks like `startSpecifier` isn't used and the name can probably just be dropped.
436–437	Why is size incremented by 3 here instead of 2 as above with a leading 0x?
448	Guard against wraparound?
607	Spurious whitespace.
608	We can handle UTF-8 format strings even when they contain non-ASCII characters?
8355	Spurious whitespace change?

Finer grain lower bound computations, and simpler control-flow for the checking function.

Unit tests: pass. 62028 tests passed, 0 failed and 783 were skipped.

clang-tidy: unknown.

clang-format: fail. Please format your changes with clang-format by running git-clang-format HEAD^ or applying this patch.

Build artifacts: diff.json, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Harbormaster failed remote builds in B44433: Diff 239197!Jan 20 2020, 1:59 PM

More tests

Unit tests: pass. 62043 tests passed, 0 failed and 783 were skipped.

clang-tidy: unknown.

clang-format: fail. Please format your changes with clang-format by running git-clang-format HEAD^ or applying this patch.

Build artifacts: diff.json, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Harbormaster failed remote builds in B44456: Diff 239242!Jan 21 2020, 1:08 AM

(There are still some minor whitespace nits to resolve as well.)

clang/lib/Sema/SemaChecking.cpp
743	I think this assertion can be triggered in the case where no `UsedSize` was specified but then `UsedSizeArg` evaluates to `0`, can't it? Or does something catch that case and diagnose?

Remove useless assert

In D71566#1832394, @aaron.ballman wrote:

(There are still some minor whitespace nits to resolve as well.)

Strange, everything is passed through clang-format-diff :-/

Unit tests: pass. 62112 tests passed, 0 failed and 808 were skipped.

clang-tidy: pass.

clang-format: pass.

Build artifacts: diff.json, clang-tidy.txt, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Harbormaster completed remote builds in B44614: Diff 239654.Jan 22 2020, 11:37 AM

In D71566#1834472, @serge-sans-paille wrote:

In D71566#1832394, @aaron.ballman wrote:

(There are still some minor whitespace nits to resolve as well.)

Strange, everything is passed through clang-format-diff :-/

They may have been manually inserted by accident? It's newlines in a few places, I added phab review comments at them.

On the whole, I think this LGTM, assuming the requested test cases don't discover issues.

clang/test/Sema/warn-fortify-source.c
127	I'd like to see some additional tests for things like the `+` and flags, length modifiers like `ll`, escape characters, etc. Basically, we should be testing most of the conversion specifiers to verify our conservative length calculations.

This revision is now accepted and ready to land.Jan 23 2020, 5:59 AM

Remove extra new lines.
Add more test cases.

serge-sans-paille edited the summary of this revision. (Show Details)Jan 23 2020, 8:35 AM

Unit tests: pass. 62135 tests passed, 0 failed and 812 were skipped.

clang-tidy: pass.

clang-format: fail. Please format your changes with clang-format by running git-clang-format HEAD^ or applying this patch.

Build artifacts: diff.json, clang-tidy.txt, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Pre-merge checks is in beta. Report issue. Please join beta or enable it for your project.

Harbormaster failed remote builds in B44728: Diff 239913!Jan 23 2020, 8:43 AM

clang-format update.

Unit tests: fail. 62134 tests passed, 9 failed and 811 were skipped.

failed: LLVM.MC/AArch64/ete-sysregs.s
failed: LLVM.MC/AArch64/trace-regs.s
failed: LLVM.MC/Disassembler/AArch64/ete.txt
failed: LLVM.MC/Disassembler/AArch64/trace-regs.txt
failed: libc++.std/language_support/cmp/cmp_partialord/partialord.pass.cpp
failed: libc++.std/language_support/cmp/cmp_strongeq/cmp.strongeq.pass.cpp
failed: libc++.std/language_support/cmp/cmp_strongord/strongord.pass.cpp
failed: libc++.std/language_support/cmp/cmp_weakeq/cmp.weakeq.pass.cpp
failed: libc++.std/language_support/cmp/cmp_weakord/weakord.pass.cpp

clang-tidy: pass.

clang-format: pass.

Build artifacts: diff.json, clang-tidy.txt, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Pre-merge checks is in beta. Report issue. Please join beta or enable it for your project.

Harbormaster failed remote builds in B44735: Diff 239920!Jan 23 2020, 11:05 AM

Continues to LG, do you need me to commit on your behalf?

In D71566#1839462, @aaron.ballman wrote:

Continues to LG, do you need me to commit on your behalf?

I was waiting for a last LG as I did some changes, thanks for all the quick iteration, I really enjoyed working with you on that patch! I'll submit it tomorrow morning.

Closed by commit rG6d485ff455ea: Improve static checks for sprintf and __builtin___sprintf_chk (authored by serge-sans-paille). · Explain WhyJan 25 2020, 9:13 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

clang/

include/

clang/

Basic/

DiagnosticSemaKinds.td

6 lines

lib/

Sema/

SemaChecking.cpp

247 lines

test/

Sema/

warn-fortify-source.c

51 lines

Diff 239197

clang/include/clang/Basic/DiagnosticSemaKinds.td

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 735 Lines • ▼ Show 20 Lines	def warn_builtin_chk_overflow : Warning<
InGroup<DiagGroup<"builtin-memcpy-chk-size">>;		InGroup<DiagGroup<"builtin-memcpy-chk-size">>;

def warn_fortify_source_overflow		def warn_fortify_source_overflow
: Warning<warn_builtin_chk_overflow.Text>, InGroup<FortifySource>;		: Warning<warn_builtin_chk_overflow.Text>, InGroup<FortifySource>;
def warn_fortify_source_size_mismatch : Warning<		def warn_fortify_source_size_mismatch : Warning<
"'%0' size argument is too large; destination buffer has size %1,"		"'%0' size argument is too large; destination buffer has size %1,"
" but size argument is %2">, InGroup<FortifySource>;		" but size argument is %2">, InGroup<FortifySource>;

		def warn_fortify_source_format_overflow : Warning<
		"'%0' will always overflow; destination buffer has size %1,"
		" but format string expands to at least %2">,
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions I'm fine with the current wording because it's consistent with the existing diagnostics, but I wish we would quantify the size with units in these diagnostics. (e.g., mention that this is measured in bytes as opposed to anything else). aaron.ballman: I'm fine with the current wording because it's consistent with the existing diagnostics, but I…
		InGroup<FortifySource>;


/// main()		/// main()
// static main() is not an error in C, just in C++.		// static main() is not an error in C, just in C++.
def warn_static_main : Warning<"'main' should not be declared static">,		def warn_static_main : Warning<"'main' should not be declared static">,
InGroup<Main>;		InGroup<Main>;
def err_static_main : Error<"'main' is not allowed to be declared static">;		def err_static_main : Error<"'main' is not allowed to be declared static">;
def err_inline_main : Error<"'main' is not allowed to be declared inline">;		def err_inline_main : Error<"'main' is not allowed to be declared inline">;
def ext_variadic_main : ExtWarn<		def ext_variadic_main : ExtWarn<
"'main' is not allowed to be declared variadic">, InGroup<Main>;		"'main' is not allowed to be declared variadic">, InGroup<Main>;
▲ Show 20 Lines • Show All 9,613 Lines • Show Last 20 Lines

clang/lib/Sema/SemaChecking.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 383 Lines • ▼ Show 20 Lines	static bool SemaBuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
BuiltinCall->setType(CE->getType());		BuiltinCall->setType(CE->getType());
BuiltinCall->setValueKind(CE->getValueKind());		BuiltinCall->setValueKind(CE->getValueKind());
BuiltinCall->setObjectKind(CE->getObjectKind());		BuiltinCall->setObjectKind(CE->getObjectKind());
BuiltinCall->setCallee(Builtin);		BuiltinCall->setCallee(Builtin);
BuiltinCall->setArg(1, ChainResult.get());		BuiltinCall->setArg(1, ChainResult.get());

return false;		return false;
}		}

		erik.pilkingtonUnsubmitted Done Reply Inline Actions nit: `namespace {` erik.pilkington: nit: `namespace {`
		namespace {

		class EstimateSizeFormatHandler
		: public analyze_format_string::FormatStringHandler {
		size_t Size;

		public:
		EstimateSizeFormatHandler(StringRef Format)
		: Size(std::min(Format.find(0), Format.size()) +
		1 /* null byte always written by sprintf */) {}

		bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
		const char *, unsigned SpecifierLen) override {

		aaron.ballmanUnsubmitted Done Reply Inline Actions Naming nits: `StartSpecifier` and `SpecifierLen`. It looks like `startSpecifier` isn't used and the name can probably just be dropped. aaron.ballman: Naming nits: `StartSpecifier` and `SpecifierLen`. It looks like `startSpecifier` isn't used and…
		const size_t FieldWidth = computeFieldWidth(FS);
		const size_t Precision = computePrecision(FS);

		// The actual format.
		switch (FS.getConversionSpecifier().getKind()) {
		// Just a char.
		case analyze_format_string::ConversionSpecifier::cArg:
		case analyze_format_string::ConversionSpecifier::CArg:
		Size += std::max(FieldWidth, (size_t)1);
		break;
		// Just an integer.
		case analyze_format_string::ConversionSpecifier::dArg:
		case analyze_format_string::ConversionSpecifier::DArg:
		case analyze_format_string::ConversionSpecifier::iArg:
		case analyze_format_string::ConversionSpecifier::oArg:
		case analyze_format_string::ConversionSpecifier::OArg:
		case analyze_format_string::ConversionSpecifier::uArg:
		case analyze_format_string::ConversionSpecifier::UArg:
		case analyze_format_string::ConversionSpecifier::xArg:
		case analyze_format_string::ConversionSpecifier::XArg:
		Size += std::max(FieldWidth, Precision);
		break;

		// %g style conversion switches between %f or %e style dynamically.
		// %f always takes less space, so default to it.
		case analyze_format_string::ConversionSpecifier::gArg:
		case analyze_format_string::ConversionSpecifier::GArg:

		// Floating point number in the form '[+]ddd.ddd'.
		case analyze_format_string::ConversionSpecifier::fArg:
		case analyze_format_string::ConversionSpecifier::FArg:
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Why is size incremented by 3 here instead of 2 as above with a leading 0x? aaron.ballman: Why is size incremented by 3 here instead of 2 as above with a leading 0x?
		Size += std::max(FieldWidth, 1 /* integer part */ +
		(Precision ? 1 + Precision
		: 0) /* period + decimal */);
		break;

		// Floating point number in the form '[-]d.ddde[+-]dd'.
		case analyze_format_string::ConversionSpecifier::eArg:
		case analyze_format_string::ConversionSpecifier::EArg:
		Size +=
		std::max(FieldWidth,
		1 /* integer part */ +
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Guard against wraparound? aaron.ballman: Guard against wraparound?
		(Precision ? 1 + Precision : 0) /* period + decimal */ +
		1 /* e or E letter / + 2 / exponent */);
		break;

		// Floating point number in the form '[-]0xh.hhhhp±dd'.
		case analyze_format_string::ConversionSpecifier::aArg:
		case analyze_format_string::ConversionSpecifier::AArg:
		Size +=
		std::max(FieldWidth,
		2 /* 0x / + 1 / integer part */ +
		(Precision ? 1 + Precision : 0) /* period + decimal */ +
		1 /* p or P letter / + 1 / + or - / + 1 / value */);
		break;

		// Just a string.
		case analyze_format_string::ConversionSpecifier::sArg:
		case analyze_format_string::ConversionSpecifier::SArg:
		Size += FieldWidth;
		break;

		// Just a pointer in the form '0xddd'.
		case analyze_format_string::ConversionSpecifier::pArg:
		Size += std::max(FieldWidth, 2 /* leading 0x */ + Precision);
		break;

		// A plain percent.
		case analyze_format_string::ConversionSpecifier::PercentArg:
		Size += 1;
		break;

		default:
		break;
		}

		Size += FS.hasPlusPrefix() \|\| FS.hasSpacePrefix();

		if (FS.hasAlternativeForm()) {
		switch (FS.getConversionSpecifier().getKind()) {
		default:
		break;
		// Force a leading '0'.
		case analyze_format_string::ConversionSpecifier::oArg:
		Size += 1;
		break;
		// Force a leading '0x'.
		case analyze_format_string::ConversionSpecifier::xArg:
		case analyze_format_string::ConversionSpecifier::XArg:
		Size += 2;
		break;
		// Force a period '.' before decimal, even if precision is 0.
		case analyze_format_string::ConversionSpecifier::aArg:
		case analyze_format_string::ConversionSpecifier::AArg:
		case analyze_format_string::ConversionSpecifier::eArg:
		case analyze_format_string::ConversionSpecifier::EArg:
		case analyze_format_string::ConversionSpecifier::fArg:
		case analyze_format_string::ConversionSpecifier::FArg:
		case analyze_format_string::ConversionSpecifier::gArg:
		case analyze_format_string::ConversionSpecifier::GArg:
		Size += (Precision ? 0 : 1);
		break;
		}
		}
		assert(SpecifierLen <= Size && "no underflow");
		Size -= SpecifierLen;
		return true;
		}

		size_t getSizeLowerBound() const { return Size; }

		private:
		static size_t computeFieldWidth(const analyze_printf::PrintfSpecifier &FS) {
		const analyze_format_string::OptionalAmount &FW = FS.getFieldWidth();
		size_t FieldWidth = 0;
		if (FW.getHowSpecified() == analyze_format_string::OptionalAmount::Constant)
		FieldWidth = FW.getConstantAmount();
		return FieldWidth;
		}

		static size_t computePrecision(const analyze_printf::PrintfSpecifier &FS) {
		const analyze_format_string::OptionalAmount &FW = FS.getPrecision();
		size_t Precision = 0;

		// See man 3 printf for default precision value based on the specifier.
		switch (FW.getHowSpecified()) {
		case analyze_format_string::OptionalAmount::NotSpecified:
		switch (FS.getConversionSpecifier().getKind()) {
		default:
		break;
		case analyze_format_string::ConversionSpecifier::dArg: // %d
		case analyze_format_string::ConversionSpecifier::DArg: // %D
		case analyze_format_string::ConversionSpecifier::iArg: // %i
		Precision = 1;
		break;
		case analyze_format_string::ConversionSpecifier::oArg: // %d
		case analyze_format_string::ConversionSpecifier::OArg: // %D
		case analyze_format_string::ConversionSpecifier::uArg: // %d
		case analyze_format_string::ConversionSpecifier::UArg: // %D
		case analyze_format_string::ConversionSpecifier::xArg: // %d
		case analyze_format_string::ConversionSpecifier::XArg: // %D
		Precision = 1;
		break;
		case analyze_format_string::ConversionSpecifier::fArg: // %f
		case analyze_format_string::ConversionSpecifier::FArg: // %F
		case analyze_format_string::ConversionSpecifier::eArg: // %e
		case analyze_format_string::ConversionSpecifier::EArg: // %E
		case analyze_format_string::ConversionSpecifier::gArg: // %g
		case analyze_format_string::ConversionSpecifier::GArg: // %G
		Precision = 6;
		break;
		case analyze_format_string::ConversionSpecifier::pArg: // %d
		Precision = 1;
		break;
		}
		break;
		case analyze_format_string::OptionalAmount::Constant:
		Precision = FW.getConstantAmount();
		break;
		default:
		break;
		}
		return Precision;
		}
		};

		} // namespace

/// Check a call to BuiltinID for buffer overflows. If BuiltinID is a		/// Check a call to BuiltinID for buffer overflows. If BuiltinID is a
/// __builtin_*_chk function, then use the object size argument specified in the		/// __builtin_*_chk function, then use the object size argument specified in the
/// source. Otherwise, infer the object size using __builtin_object_size.		/// source. Otherwise, infer the object size using __builtin_object_size.
void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,		void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
CallExpr *TheCall) {		CallExpr *TheCall) {
// FIXME: There are some more useful checks we could be doing here:		// FIXME: There are some more useful checks we could be doing here:
// - Analyze the format string of sprintf to see how much of buffer is used.
// - Evaluate strlen of strcpy arguments, use as object size.		// - Evaluate strlen of strcpy arguments, use as object size.
		erik.pilkingtonUnsubmitted Done Reply Inline Actions Can you delete this comment now? erik.pilkington: Can you delete this comment now?
		serge-sans-pailleAuthorUnsubmitted Done Reply Inline Actions I only deleted the one related to sprintf serge-sans-paille: I only deleted the one related to sprintf

if (TheCall->isValueDependent() \|\| TheCall->isTypeDependent() \|\|		if (TheCall->isValueDependent() \|\| TheCall->isTypeDependent() \|\|
isConstantEvaluated())		isConstantEvaluated())
return;		return;

unsigned BuiltinID = FD->getBuiltinID(/ConsiderWrappers=/true);		unsigned BuiltinID = FD->getBuiltinID(/ConsiderWrappers=/true);
if (!BuiltinID)		if (!BuiltinID)
return;		return;

		const TargetInfo &TI = getASTContext().getTargetInfo();
		unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());

unsigned DiagID = 0;		unsigned DiagID = 0;
bool IsChkVariant = false;		bool IsChkVariant = false;
		Optional<llvm::APSInt> UsedSize;
		erik.pilkingtonUnsubmitted Done Reply Inline Actions `Optional<APSInt>` might be a better way of representing this? erik.pilkington: `Optional<APSInt>` might be a better way of representing this?
unsigned SizeIndex, ObjectIndex;		unsigned SizeIndex, ObjectIndex;
switch (BuiltinID) {		switch (BuiltinID) {
default:		default:
return;		return;
		case Builtin::BIsprintf:
		erik.pilkingtonUnsubmitted Done Reply Inline Actions Can't you do this for `Builtin::sprintf` as well? The diagnostic would still be worth issuing when `_FORTIFY_SOURCE` is disabled. erik.pilkington: Can't you do this for `Builtin::sprintf` as well? The diagnostic would still be worth issuing…
		case Builtin::BI__builtin___sprintf_chk: {
		size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3;
		auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();

		erik.pilkingtonUnsubmitted Done Reply Inline Actions Will this assert on: `sprintf(buf, L"foo");`? Not that that makes any sense, but we shouldn't crash. erik.pilkington: Will this assert on: `sprintf(buf, L"foo");`? Not that that makes any sense, but we shouldn't…
		serge-sans-pailleAuthorUnsubmitted Done Reply Inline Actions Still need to check that. serge-sans-paille: Still need to check that.
		serge-sans-pailleAuthorUnsubmitted Done Reply Inline Actions Checked and fixed! serge-sans-paille: Checked and fixed!
		if (auto *Format = dyn_cast<StringLiteral>(FormatExpr)) {

		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Spurious whitespace. aaron.ballman: Spurious whitespace.
		if (!Format->isAscii() && !Format->isUTF8())
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions We can handle UTF-8 format strings even when they contain non-ASCII characters? aaron.ballman: We can handle UTF-8 format strings even when they contain non-ASCII characters?
		return;

		StringRef FormatStrRef = Format->getString();
		EstimateSizeFormatHandler H(FormatStrRef);
		erik.pilkingtonUnsubmitted Done Reply Inline Actions I'm not sure why you're using `min` here, can you add a comment? erik.pilkington: I'm not sure why you're using `min` here, can you add a comment?
		const char *FormatBytes = FormatStrRef.data();
		const ConstantArrayType *T =
		Context.getAsConstantArrayType(Format->getType());
		assert(T && "String literal not of constant array type!");
		size_t TypeSize = T->getSize().getZExtValue();

		// In case there's a null byte somewhere.
		size_t StrLen =
		std::min(std::max(TypeSize, size_t(1)) - 1, FormatStrRef.find(0));
		erik.pilkingtonUnsubmitted Not Done Reply Inline Actions Wait, does this actually return a smaller length if there is a null-terminator embedded in the string? It looks like Format->getString() returns a StringRef with embedded nul bytes and .size() is returning the length. You might have to do something like: `FormatStrRef.find('0');`. Can you add a test for this? erik.pilkington: Wait, does this actually return a smaller length if there is a null-terminator embedded in the…
		if (!analyze_format_string::ParsePrintfString(
		H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
		Context.getTargetInfo(), false)) {
		DiagID = diag::warn_fortify_source_format_overflow;
		UsedSize = llvm::APSInt::getUnsigned(H.getSizeLowerBound())
		.extOrTrunc(SizeTypeWidth);
		if (BuiltinID == Builtin::BI__builtin___sprintf_chk) {
		IsChkVariant = true;
		ObjectIndex = 2;
		} else {
		IsChkVariant = false;
		ObjectIndex = 0;
		}
		break;
		}
		}
		return;
		}
case Builtin::BI__builtin___memcpy_chk:		case Builtin::BI__builtin___memcpy_chk:
case Builtin::BI__builtin___memmove_chk:		case Builtin::BI__builtin___memmove_chk:
case Builtin::BI__builtin___memset_chk:		case Builtin::BI__builtin___memset_chk:
case Builtin::BI__builtin___strlcat_chk:		case Builtin::BI__builtin___strlcat_chk:
case Builtin::BI__builtin___strlcpy_chk:		case Builtin::BI__builtin___strlcpy_chk:
case Builtin::BI__builtin___strncat_chk:		case Builtin::BI__builtin___strncat_chk:
case Builtin::BI__builtin___strncpy_chk:		case Builtin::BI__builtin___strncpy_chk:
case Builtin::BI__builtin___stpncpy_chk:		case Builtin::BI__builtin___stpncpy_chk:
▲ Show 20 Lines • Show All 76 Lines • ▼ Show 20 Lines	if (const auto *POS =
FD->getParamDecl(ObjectIndex)->getAttr<PassObjectSizeAttr>())		FD->getParamDecl(ObjectIndex)->getAttr<PassObjectSizeAttr>())
BOSType = POS->getType();		BOSType = POS->getType();

Expr *ObjArg = TheCall->getArg(ObjectIndex);		Expr *ObjArg = TheCall->getArg(ObjectIndex);
uint64_t Result;		uint64_t Result;
if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))		if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
return;		return;
// Get the object size in the target's size_t width.		// Get the object size in the target's size_t width.
const TargetInfo &TI = getASTContext().getTargetInfo();
unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());
ObjectSize = llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);		ObjectSize = llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
}		}

// Evaluate the number of bytes of the object that this call will use.		// Evaluate the number of bytes of the object that this call will use.
		if (!UsedSize) {
Expr::EvalResult Result;		Expr::EvalResult Result;
Expr *UsedSizeArg = TheCall->getArg(SizeIndex);		Expr *UsedSizeArg = TheCall->getArg(SizeIndex);
if (!UsedSizeArg->EvaluateAsInt(Result, getASTContext()))		if (!UsedSizeArg->EvaluateAsInt(Result, getASTContext()))
return;		return;
llvm::APSInt UsedSize = Result.Val.getInt();		UsedSize = Result.Val.getInt().extOrTrunc(SizeTypeWidth);
		}
if (UsedSize.ule(ObjectSize))		assert(UsedSize && "Found a size estimate");
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions I think this assertion can be triggered in the case where no `UsedSize` was specified but then `UsedSizeArg` evaluates to `0`, can't it? Or does something catch that case and diagnose? aaron.ballman: I think this assertion can be triggered in the case where no `UsedSize` was specified but then…
		if (UsedSize.getValue().ule(ObjectSize))
return;		return;

StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID);		StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID);
// Skim off the details of whichever builtin was called to produce a better		// Skim off the details of whichever builtin was called to produce a better
// diagnostic, as it's unlikley that the user wrote the __builtin explicitly.		// diagnostic, as it's unlikley that the user wrote the __builtin explicitly.
if (IsChkVariant) {		if (IsChkVariant) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));		FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
FunctionName = FunctionName.drop_back(std::strlen("_chk"));		FunctionName = FunctionName.drop_back(std::strlen("_chk"));
} else if (FunctionName.startswith("__builtin_")) {		} else if (FunctionName.startswith("__builtin_")) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin_"));		FunctionName = FunctionName.drop_front(std::strlen("__builtin_"));
}		}

DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,		DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
PDiag(DiagID)		PDiag(DiagID)
<< FunctionName << ObjectSize.toString(/Radix=/10)		<< FunctionName << ObjectSize.toString(/Radix=/10)
<< UsedSize.toString(/Radix=/10));		<< UsedSize.getValue().toString(/Radix=/10));
}		}

static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,		static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,
Scope::ScopeFlags NeededScopeFlags,		Scope::ScopeFlags NeededScopeFlags,
unsigned DiagID) {		unsigned DiagID) {
// Scopes aren't available during instantiation. Fortunately, builtin		// Scopes aren't available during instantiation. Fortunately, builtin
// functions cannot be template args so they cannot be formed through template		// functions cannot be template args so they cannot be formed through template
// instantiation. Therefore checking once during the parse is sufficient.		// instantiation. Therefore checking once during the parse is sufficient.
▲ Show 20 Lines • Show All 7,578 Lines • ▼ Show 20 Lines	CheckPrintfHandler H(
HasVAListArg, Args, format_idx, inFunctionCall, CallType,		HasVAListArg, Args, format_idx, inFunctionCall, CallType,
CheckedVarArgs, UncoveredArg);		CheckedVarArgs, UncoveredArg);

if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen,		if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen,
S.getLangOpts(),		S.getLangOpts(),
S.Context.getTargetInfo(),		S.Context.getTargetInfo(),
Type == Sema::FST_FreeBSDKPrintf))		Type == Sema::FST_FreeBSDKPrintf))
H.DoneProcessing();		H.DoneProcessing();

		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Spurious whitespace change? aaron.ballman: Spurious whitespace change?
} else if (Type == Sema::FST_Scanf) {		} else if (Type == Sema::FST_Scanf) {
CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,		CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
numDataArgs, Str, HasVAListArg, Args, format_idx,		numDataArgs, Str, HasVAListArg, Args, format_idx,
inFunctionCall, CallType, CheckedVarArgs, UncoveredArg);		inFunctionCall, CallType, CheckedVarArgs, UncoveredArg);

if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen,		if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen,
S.getLangOpts(),		S.getLangOpts(),
S.Context.getTargetInfo()))		S.Context.getTargetInfo()))
▲ Show 20 Lines • Show All 6,089 Lines • Show Last 20 Lines

clang/test/Sema/warn-fortify-source.c

	// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify			// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify
	// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE			// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE
	// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS			// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS
	// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify			// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify
	// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE			// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE
	// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS			// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS

	typedef unsigned long size_t;			typedef unsigned long size_t;

	#ifdef __cplusplus			#ifdef __cplusplus
	extern "C" {			extern "C" {
	#endif			#endif

				extern int sprintf(char str, const char format, ...);

	#if defined(USE_PASS_OBJECT_SIZE)			#if defined(USE_PASS_OBJECT_SIZE)
	void memcpy(void dst, const void *src, size_t c);			void memcpy(void dst, const void *src, size_t c);
	static void memcpy(void dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) __asm__("merp");			static void memcpy(void dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) __asm__("merp");
	static void memcpy(void const dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) {			static void memcpy(void const dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) {
	return 0;			return 0;
	}			}
	#elif defined(USE_BUILTINS)			#elif defined(USE_BUILTINS)
	#define memcpy(x,y,z) __builtin_memcpy(x,y,z)			#define memcpy(x,y,z) __builtin_memcpy(x,y,z)
	▲ Show 20 Lines • Show All 69 Lines • ▼ Show 20 Lines

	void call_vsnprintf() {			void call_vsnprintf() {
	char buf[10];			char buf[10];
	__builtin_va_list list;			__builtin_va_list list;
	__builtin_vsnprintf(buf, 10, "merp", list);			__builtin_vsnprintf(buf, 10, "merp", list);
	__builtin_vsnprintf(buf, 11, "merp", list); // expected-warning {{'vsnprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}			__builtin_vsnprintf(buf, 11, "merp", list); // expected-warning {{'vsnprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}
	}			}

				void call_sprintf_chk(char *buf) {
				__builtin___sprintf_chk(buf, 1, 6, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 6, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}} - __builtin___sprintf_chk(buf, 1, 2, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}} - // expected-warning@-1 {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 5}} + __builtin___sprintf_chk( + buf, 1, 6, "hell\0 boy"); // expected-warning {{format string contains + // '\0' within the string body}} + __builtin___sprintf_chk( + buf, 1, 2, "hell\0 boy"); // expected-warning {{format string contains + // '\0' within the string body}} + // expected-warning@-1 {{'sprintf' will always overflow; destination buffer + // has size 2, but format string expands to at least 5}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 6, "hell\0 boy")…
				__builtin___sprintf_chk(buf, 1, 2, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}}
				// expected-warning@-1 {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 5}}
				__builtin___sprintf_chk(buf, 1, 6, "hello");
				__builtin___sprintf_chk(buf, 1, 5, "hello"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 5, "hello"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}} + __builtin___sprintf_chk(buf, 1, 5, + "hello"); // expected-warning {{'sprintf' will always + // overflow; destination buffer has size 5, + // but format string expands to at least 6}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 5, "hello"); //…
				__builtin___sprintf_chk(buf, 1, 2, "%c", '9');
				__builtin___sprintf_chk(buf, 1, 1, "%c", '9'); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 1, "%c", '9'); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}} + __builtin___sprintf_chk( + buf, 1, 1, "%c", + '9'); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 1, but format string expands to at least 2}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 1, "%c", '9'); //…
				__builtin___sprintf_chk(buf, 1, 2, "%d", 9);
				__builtin___sprintf_chk(buf, 1, 1, "%d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 1, "%d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}} + __builtin___sprintf_chk( + buf, 1, 1, "%d", + 9); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 1, but format string expands to at least 2}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 1, "%d", 9); //…
				__builtin___sprintf_chk(buf, 1, 2, "%%");
				__builtin___sprintf_chk(buf, 1, 1, "%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 1, "%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}} + __builtin___sprintf_chk( + buf, 1, 1, + "%%"); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 1, but format string expands to at least 2}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 1, "%%"); //…
				__builtin___sprintf_chk(buf, 1, 4, "%#x", 9);
				__builtin___sprintf_chk(buf, 1, 3, "%#x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 3, "%#x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}} + __builtin___sprintf_chk( + buf, 1, 3, "%#x", + 9); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 3, but format string expands to at least 4}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 3, "%#x", 9); //…
				__builtin___sprintf_chk(buf, 1, 4, "%p", (void *)9);
				__builtin___sprintf_chk(buf, 1, 3, "%p", (void *)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 3, "%p", (void )9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}} + __builtin___sprintf_chk( + buf, 1, 3, "%p", (void )9); // expected-warning {{'sprintf' will always + // overflow; destination buffer has size 3, + // but format string expands to at least 4}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 3, "%p", (void…
				__builtin___sprintf_chk(buf, 1, 3, "%+d", 9);
				__builtin___sprintf_chk(buf, 1, 2, "%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 3}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 2, "%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 3}} + __builtin___sprintf_chk( + buf, 1, 2, "%+d", + 9); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 2, but format string expands to at least 3}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 2, "%+d", 9); //…
				__builtin___sprintf_chk(buf, 1, 6, "%5d", 9);
				__builtin___sprintf_chk(buf, 1, 5, "%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 5, "%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}} + __builtin___sprintf_chk( + buf, 1, 5, "%5d", + 9); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 5, but format string expands to at least 6}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 5, "%5d", 9); //…
				__builtin___sprintf_chk(buf, 1, 9, "%f", 9.f);
				__builtin___sprintf_chk(buf, 1, 8, "%f", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 8, but format string expands to at least 9}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - __builtin___sprintf_chk(buf, 1, 8, "%f", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 8, but format string expands to at least 9}} + __builtin___sprintf_chk( + buf, 1, 8, "%f", + 9.f); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 8, but format string expands to at least 9}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - __builtin___sprintf_chk(buf, 1, 8, "%f", 9.f); //…
				}

				void call_sprintf() {
				char buf[6];
				sprintf(buf, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}} - sprintf(buf, "hello b\0y"); // expected-warning {{format string contains '\0' within the string body}} - // expected-warning@-1 {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 8}} + sprintf(buf, "hell\0 boy"); // expected-warning {{format string contains '\0' + // within the string body}} + sprintf(buf, "hello b\0y"); // expected-warning {{format string contains '\0' + // within the string body}} + // expected-warning@-1 {{'sprintf' will always overflow; destination buffer + // has size 6, but format string expands to at least 8}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "hell\0 boy"); // expected-warning…
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions I'd like to see some additional tests for things like the `+` and flags, length modifiers like `ll`, escape characters, etc. Basically, we should be testing most of the conversion specifiers to verify our conservative length calculations. aaron.ballman: I'd like to see some additional tests for things like the `+` and ` ` flags, length modifiers…
				sprintf(buf, "hello b\0y"); // expected-warning {{format string contains '\0' within the string body}}
				// expected-warning@-1 {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 8}}
				sprintf(buf, "hello");
				sprintf(buf, "hello!"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "hello!"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf(buf, "hello!"); // expected-warning {{'sprintf' will always overflow; + // destination buffer has size 6, but format string + // expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "hello!"); // expected-warning…
				sprintf(buf, "1234%%");
				sprintf(buf, "12345%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "12345%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf(buf, "12345%%"); // expected-warning {{'sprintf' will always overflow; + // destination buffer has size 6, but format string + // expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "12345%%"); // expected-warning…
				sprintf(buf, "1234%c", '9');
				sprintf(buf, "12345%c", '9'); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "12345%c", '9'); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf( + buf, "12345%c", + '9'); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 6, but format string expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "12345%c", '9'); // expected-warning…
				sprintf(buf, "1234%d", 9);
				sprintf(buf, "12345%d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "12345%d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf(buf, "12345%d", + 9); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 6, but format string expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "12345%d", 9); // expected-warning…
				sprintf(buf, "12%#x", 9);
				sprintf(buf, "123%#x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "123%#x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf(buf, "123%#x", + 9); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 6, but format string expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "123%#x", 9); // expected-warning…
				sprintf(buf, "12%p", (void *)9);
				sprintf(buf, "123%p", (void *)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "123%p", (void )9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf(buf, "123%p", (void )9); // expected-warning {{'sprintf' will always + // overflow; destination buffer has size 6, + // but format string expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "123%p", (void *)9); // expected…
				sprintf(buf, "123%+d", 9);
				sprintf(buf, "1234%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "1234%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf(buf, "1234%+d", + 9); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 6, but format string expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "1234%+d", 9); // expected-warning…
				sprintf(buf, "%5d", 9);
				sprintf(buf, "1%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "1%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf(buf, "1%5d", + 9); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 6, but format string expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "1%5d", 9); // expected-warning…
				sprintf(buf, "%.3f", 9.f);
				sprintf(buf, "5%.3f", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
				Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - sprintf(buf, "5%.3f", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}} + sprintf( + buf, "5%.3f", + 9.f); // expected-warning {{'sprintf' will always overflow; destination + // buffer has size 6, but format string expands to at least 7}} Lint: Pre-merge checks: clang-format: please reformat the code ``` - sprintf(buf, "5%.3f", 9.f); // expected-warning…
				}

	#ifdef __cplusplus			#ifdef __cplusplus
	template <class> struct S {			template <class> struct S {
	void mf() const {			void mf() const {
	__builtin_memset(const_cast<char *>(mv), 0, 0);			__builtin_memset(const_cast<char *>(mv), 0, 0);
	}			}

	char mv[10];			char mv[10];
	};			};
	Show All 13 Lines

This is an archive of the discontinued LLVM Phabricator instance.

New checks for fortified sprintfClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 239197

clang/include/clang/Basic/DiagnosticSemaKinds.td

clang/lib/Sema/SemaChecking.cpp

clang/test/Sema/warn-fortify-source.c

New checks for fortified sprintf
ClosedPublic