Commit Graph

108 Commits

Author SHA1 Message Date
Ted Kremenek 9e618ed1c9 Fix range in printf warnings for invalid conversion specifiers.
llvm-svn: 120735
2010-12-02 20:57:51 +00:00
Anders Carlsson a369f8dc3a The 'X' printf type has a valid alternative form. Fixes PR8641.
llvm-svn: 119946
2010-11-21 18:34:21 +00:00
Ted Kremenek 12a37de003 Previously, the printf warnings would say your arguments type was 'int' when it was really a 'char'
or a 'short'. This fixes that and allows the hints to suggest 'h' modifiers for small ints.

Patch by Justin Bogner!

llvm-svn: 116996
2010-10-21 04:00:58 +00:00
Ted Kremenek b8176da314 Check format strings when a called function has more than one FormatAttr (one for 'scanf' and one for 'printf'). Fixes <rdar://problem/8409437>.
llvm-svn: 113472
2010-09-09 04:33:05 +00:00
Ted Kremenek 1520dae606 It appears that technically a null format string is not warned under -Wformat-nonliteral, as
the function processing the format string can decided whether or not to accept a null format string (e.g., asl_log).  Fixes <rdar://problem/8269537>.

llvm-svn: 113469
2010-09-09 03:51:42 +00:00
Ted Kremenek 5f0c066062 Fix printf format string checking for '%lc' (which expects a wint_t or compatible argument). Fixes PR 7981.
llvm-svn: 111978
2010-08-24 22:24:51 +00:00
Ted Kremenek 6cd694233d Don't warn when a '%%' or '%*d' (scanf) is used in a format string with positional arguments, since
these don't actually consume an argument.

llvm-svn: 108757
2010-07-19 22:01:06 +00:00
Tom Care 3f272b853f Bug 7377: printf checking fails to flag some undefined behavior
http://llvm.org/bugs/show_bug.cgi?id=7377

Updated format string highlighting and fixits to take advantage of the new CharSourceRange class.
- Change HighlightRange to allow highlighting whitespace only in a CharSourceRange (for warnings about the ' ' (space) flag)
- Change format specifier range helper function to allow for half-open ranges (+1 to end)
- Enabled previously failing tests (FIXMEs/XFAILs removed)
- Small fixes and additions to format string test cases

M       test/Sema/format-strings.c
M       test/Sema/format-strings-fixit.c
M       lib/Frontend/TextDiagnosticPrinter.cpp
M       lib/Sema/SemaChecking.cpp

llvm-svn: 106480
2010-06-21 21:21:01 +00:00
Tom Care b49ec6907b Bug 7377: Fixed several bad printf format string bugs.
- Added warning for undefined behavior when using field specifier
- Added warning for undefined behavior when using length modifier
- Fixed warnings for invalid flags
- Added warning for ignored flags
- Added fixits for the above warnings
- Fixed accuracy of detecting several undefined behavior conditions
- Receive normal warnings in addition to security warnings when using %n
- Fix bug where '+' flag would remain on unsigned conversion suggestions

Summary of changes:
- Added expanded tests
- Added/expanded warnings
- Added position info to OptionalAmounts for fixits
- Extracted optional flags to a wrapper class with position info for fixits
- Added several methods to validate a FormatSpecifier by component, each checking for undefined behavior
- Fixed conversion specifier checking to conform to C99 standard
- Added hooks to detect the invalid states in CheckPrintfHandler::HandleFormatSpecifier

Note: warnings involving the ' ' (space) flag are temporarily disabled until whitespace highlighting no longer triggers assertions. I will make a post about this on cfe-dev shortly.

M    test/Sema/format-strings.c
M    include/clang/Basic/DiagnosticSemaKinds.td
M    include/clang/Analysis/Analyses/PrintfFormatString.h
M    lib/Analysis/PrintfFormatString.cpp
M    lib/Sema/SemaChecking.cpp

llvm-svn: 106233
2010-06-17 19:00:27 +00:00
Ted Kremenek 98008a47a0 Fix format string checking of '%c' by treating it as an integer conversion. Fixes PR 7391.
llvm-svn: 106196
2010-06-17 01:12:20 +00:00
Ted Kremenek 64c235e4c6 Extend format string type-checking to include '%p'. Fixes remaining cases PR 4468.
llvm-svn: 106151
2010-06-16 21:23:04 +00:00
Douglas Gregor 9af03022ff Tell the string literal parser when it's not permitted to emit
diagnostics. That would be while we're parsing string literals for the
sole purpose of producing a diagnostic about them. Fixes
<rdar://problem/8026030>.

llvm-svn: 104684
2010-05-26 05:35:51 +00:00
Douglas Gregor 4f4946aaaa Whenever we complain about a failed initialization of a function or
method parameter, provide a note pointing at the parameter itself so
the user does not have to manually look for the function/method being
called and match up parameters to arguments. For example, we now get:

t.c:4:5: warning: incompatible pointer types passing 'long *' to
parameter of
      type 'int *' [-pedantic]
  f(long_ptr);
    ^~~~~~~~
t.c:1:13: note: passing argument to parameter 'x' here
void f(int *x);
            ^

llvm-svn: 102038
2010-04-22 00:20:18 +00:00
Ted Kremenek 4d745dd5cb Fix two bugs in format-string checking:
(1) Do not assume the data arguments start after the format string
(2) Do not use the fact that a function is variadic to treat it like a va_list printf function

Fixes PR 6697.

llvm-svn: 99480
2010-03-25 03:59:12 +00:00
Ted Kremenek 80263e5905 Allow a '0' precision in format strings (as the man page says it is okay).
Fixes <rdar://problem/7700339>.

llvm-svn: 97482
2010-03-01 19:22:33 +00:00
Ted Kremenek 09597b461d Fix crasher caused by setting a bit in a possibly empty bitvector while
doing printf format string checking.  This is a recent regression.

llvm-svn: 97318
2010-02-27 08:34:51 +00:00
Ted Kremenek d166819c26 For printf format string checking, add support for positional format strings.
Along the way, coelesce some of the diagnostics.

llvm-svn: 97297
2010-02-27 01:41:03 +00:00
Ted Kremenek 4a49d9818b For printf format string checking, move the tracking of the data argument index out of
Sema and into analyze_printf::ParseFormatString().  Also use a bitvector to determine
what arguments have been covered (instead of just checking to see if the last argument consumed is the max argument).  This is prep. for support positional arguments (an IEEE extension).

llvm-svn: 97248
2010-02-26 19:18:41 +00:00
Ted Kremenek 4e5f30cae5 Disable one test case because of the inconsistent results it is giving on
Windows and Mac OS X.  Will investigate later.

llvm-svn: 97016
2010-02-24 02:28:29 +00:00
Ted Kremenek 74a4ce7f1e Add support for '%C' and '%S' printf conversion specifiers.
llvm-svn: 97005
2010-02-24 00:05:54 +00:00
Ted Kremenek 588fc83c74 Add test case to show that Clang now checks the format string
arguments of asprintf (<rdar://problem/6657191>).

llvm-svn: 96319
2010-02-16 02:14:24 +00:00
Ted Kremenek ccf701d375 Fix test case.
llvm-svn: 96311
2010-02-16 01:47:05 +00:00
Ted Kremenek c8b188d541 Refactor the logic for printf argument type-checking into analyze_printf::ArgTypeResult.
Implement printf argument type checking for '%s'.

Fixes <rdar://problem/3065808>.

llvm-svn: 96310
2010-02-16 01:46:59 +00:00
Ted Kremenek d31b2637ab Patch by Cristian Draghici:
Enhance the printf format string checking when using the format
specifier flags ' ', '0', '+' with the 'p' or 's' conversions (since
they are nonsensical and undefined).  This is similar to GCC's
checking.

Also warning when a precision is used with the 'p' conversin
specifier, since it has no meaning.

llvm-svn: 95869
2010-02-11 09:27:41 +00:00
Douglas Gregor a71cc15361 Implement promotion for enumeration types.
WHAT!?!

It turns out that Type::isPromotableIntegerType() was not considering
enumeration types to be promotable, so we would never do the
promotion despite having properly computed the promotion type when the
enum was defined. Various operations on values of enum type just
"worked" because we could still compute the integer rank of an enum
type; the oddity, however, is that operations such as "add an enum and
an unsigned" would often have an enum result type (!). The bug
actually showed up as a spurious -Wformat diagnostic
(<rdar://problem/7595366>), but in theory it could cause miscompiles.

In this commit:
  - Enum types with a promotion type of "int" or "unsigned int" are
  promotable.
  - Tweaked the computation of promotable types for enums
  - For all of the ABIs, treat enum types the same way as their
  underlying types (*not* their promotion types) for argument passing
  and return values
  - Extend the ABI tester with support for enumeration types

llvm-svn: 95117
2010-02-02 20:10:50 +00:00
Ted Kremenek 016b605266 Add format string type checking support for 'long double'.
llvm-svn: 95026
2010-02-01 23:23:50 +00:00
Ted Kremenek cd83106151 Format string checking: selectively ignore implicit casts to 'int'
when checking if the format specifier matches the type of the data
argument and the length modifier indicates the data type is 'char' or
'short'.

llvm-svn: 94992
2010-02-01 19:28:15 +00:00
Daniel Dunbar 19b70bd46c Recognize 'q' as a format length modifier (from BSD).
llvm-svn: 94894
2010-01-30 15:49:20 +00:00
Ted Kremenek 9ff02052dd Add format string checking of 'double' arguments. Fixes <rdar://problem/6931734>.
llvm-svn: 94867
2010-01-30 01:02:18 +00:00
Ted Kremenek c3bdff7c8c Add basic type checking of format string conversion specifiers and their arguments. Thanks to Cristian Draghici for his help with this patch!
llvm-svn: 94864
2010-01-30 00:49:51 +00:00
Ted Kremenek 605b0113f3 Be a little more permissive than C99: allow 'unsigned' to be used for
the field width and precision of a format specifier instead of just
'int'.  This matches GCC, and fixes <rdar://problem/6079850>.

llvm-svn: 94856
2010-01-29 23:32:22 +00:00
Ted Kremenek 8d9842d43f Switch Sema over to using the new implementation of format string
checking.  It passes all existing tests, and the diagnostics have been
refined to provide better range information (we now highlight
individual format specifiers) and more precise wording in the
diagnostics.

llvm-svn: 94837
2010-01-29 20:55:36 +00:00
Chris Lattner f9895c48fd add a bunch of missing prototypes to tests
llvm-svn: 93072
2010-01-09 20:43:19 +00:00
Chris Lattner d806cbc98d fix a bug handling the gnu ?: extension. Patch by Storlek on IRC,
who prefers to be stealthy and mysterious.

llvm-svn: 91888
2009-12-22 06:00:13 +00:00
Daniel Dunbar 8fbe78f6fc Update tests to use %clang_cc1 instead of 'clang-cc' or 'clang -cc1'.
- This is designed to make it obvious that %clang_cc1 is a "test variable"
   which is substituted. It is '%clang_cc1' instead of '%clang -cc1' because it
   can be useful to redefine what gets run as 'clang -cc1' (for example, to set
   a default target).

llvm-svn: 91446
2009-12-15 20:14:24 +00:00
Daniel Dunbar feedba68b5 Don't #include <stdio.h> when tests don't need it, or use clang instead of clang-cc when they do.
llvm-svn: 89070
2009-11-17 08:57:36 +00:00
John Thompson e413e88f2e Fix some Window-isms to get these tests to pass on Windows.
llvm-svn: 85450
2009-10-29 00:10:42 +00:00
Ted Kremenek 4554f9b134 Fix <rdar://problem/6880975> [format string] Assertion failed: (Arg < NumArgs && "Arg access out of range!").
For format string checking, only check the type of the format
specifier for non-vararg functions.

llvm-svn: 71672
2009-05-13 16:06:05 +00:00
Chris Lattner cc5d1c2e4e implement -Wformat-security properly, which is enabled by default.
This enables one specific class of non-literal format warnings.

llvm-svn: 70368
2009-04-29 04:59:47 +00:00
Chris Lattner 941153afcd tweak warning options to be more like gcc:
1. All all variants of -Wformat*, make them imply -Wformat.  GCC warns 
   if you use -Wformatfoo without -Wformat.  We just make one imply the 
   other.
2. Make -Wformat-nonliteral default to off, like gcc.  It is an incredible
   nuisance.
3. Accept but currently ignore -Wformat-extra-args.

llvm-svn: 70362
2009-04-29 04:15:07 +00:00
Daniel Dunbar a45cf5b6b0 Rename clang to clang-cc.
Tests and drivers updated, still need to shuffle dirs.

llvm-svn: 67602
2009-03-24 02:24:46 +00:00
Ted Kremenek dfd72c2b44 Fix <rdar://problem/6704086> by allowing the format string checking in Sema to
allow non-literal format strings that are variables that (a) permanently bind to
a string constant and (b) whose string constants are resolvable within the same
translation unit.

llvm-svn: 67404
2009-03-20 21:35:28 +00:00
Chris Lattner f638b97fe0 use the full spelling of a string literal token so that trigraphs
and escaped newlines don't throw off the offset computation.

On this testcase:
  printf("abc\
def"
         "%*d", (unsigned) 1, 1);

Before:
t.m:5:5: warning: field width should have type 'int', but argument has type 'unsigned int'
def"
    ^

after:
t.m:6:12: warning: field width should have type 'int', but argument has type 'unsigned int'
         "%*d", (unsigned) 1, 1);
           ^    ~~~~~~~~~~~~

llvm-svn: 64930
2009-02-18 18:34:12 +00:00
Chris Lattner df18c6a9af add c testcase for string literal diagnostic improvement.
llvm-svn: 64929
2009-02-18 18:25:31 +00:00
Douglas Gregor e711f7052e Add hook to add attributes to function declarations that we know
about, whether they are builtins or not. Use this to add the
appropriate "format" attribute to NSLog, NSLogv, asprintf, and
vasprintf, and to translate builtin attributes (from Builtins.def)
into actual attributes on the function declaration.

Use the "printf" format attribute on function declarations to
determine whether we should do format string checking, rather than
looking at an ad hoc list of builtins and "known" function names.

Be a bit more careful about when we consider a function a "builtin" in
C++.

llvm-svn: 64561
2009-02-14 18:57:46 +00:00
Ted Kremenek 94a5f6f949 Fix test case (incomplete "expected-warning" line)
llvm-svn: 62119
2009-01-12 23:09:55 +00:00
Ted Kremenek 6dfeb55897 Patch by Roman Divacky:
Extend string-literal checking for printf() format string to handle conditional
ternary operators where both sides are literals.

This fixes PR 3319: http://llvm.org/bugs/show_bug.cgi?id=3319

llvm-svn: 62117
2009-01-12 23:09:09 +00:00
Daniel Dunbar dd9b2d16f9 Add support for format string checking of object-size checking
versions of sprintf and friends.
 - Added FIXME that this mechanism should be generalized.

llvm-svn: 56962
2008-10-02 18:44:07 +00:00
Eli Friedman 5dd15a3c45 Fix test failure on Linux.
llvm-svn: 55032
2008-08-20 01:05:41 +00:00
Daniel Dunbar 81f7f2904c Add EXTWARN Diagnostic class.
- Like EXTENSION but always generates a warning (even without
   -pedantic).
 - Updated ptr -> int, int -> ptr, and incompatible cast warnings to
   be EXTWARN.
 - Other EXTENSION level diagnostics should be audited for upgrade.
 - Updated several test cases to fix code which produced unanticipated
   warnings.

llvm-svn: 54335
2008-08-05 00:07:51 +00:00
Ted Kremenek 3fbeaea7ee Modified format-string checking to not emit a warning when all of the
following hold:

(1) A vprintf-like function is called that takes the argument list via a
    via_list argument.

(2) The format string is a non-literal that is the parameter value of
    the enclosing function, e.g:
    
    void logmessage(const char *fmt,...) { 
      va_list ap;
      va_start(ap,fmt);
      fprintf(fmt,ap);  // Do not emit a warning.
    }
    
In the future this special case will be enhanced to consult the "format"
attribute attached to a function declaration instead of just allowing a blank
check for all function parameters to be used as format strings to vprintf-like
functions. This will happen when more support for attributes becomes
available.

llvm-svn: 45114
2007-12-17 19:03:13 +00:00
Anders Carlsson b30f47a869 Fix a warning
llvm-svn: 42973
2007-10-15 02:50:04 +00:00
Ted Kremenek 41362cea7b Added notion of '*' specified format width/specifiers when checking
printf format strings.  Added type checking to see if the matching
width/precision argument was of type 'int'.

Thanks to Anders Carlsson for reporting this missing feature.

llvm-svn: 42933
2007-10-12 20:51:52 +00:00
Anders Carlsson 431ef632cb Add some more diagnostics for va_start, fix tests so they pass with these new diags.
llvm-svn: 42917
2007-10-12 17:48:41 +00:00
Chris Lattner 5e4c75f4ef rename -parse-ast-print to -ast-print
rename -parse-ast-dump to -ast-dump
remove -parse-ast, which is redundant with -fsyntax-only

llvm-svn: 42852
2007-10-11 00:18:28 +00:00
Ted Kremenek 0883fd5817 Removed option "-parse-ast-check" from clang driver. This is now implemented
using "-parse-ast -verify".

Updated all test cases (using a sed script) that invoked -parse-ast-check to
now use -parse-ast -verify.

Fixed a bug where using "-verify" instead of "-parse-ast-check" would not
correctly create the DiagClient needed to accumulate diagnostics.

llvm-svn: 42365
2007-09-26 20:14:22 +00:00
Ted Kremenek e68f1aad65 Added support for additional format string checking for the printf
family of functions.  Previous functionality only included checking to
see if the format string was a string literal.  Now we check parse the
format string (if it is a literal) and perform the following checks:

(1) Warn if: number conversions (e.g. "%d") != number data arguments.

(2) Warn about missing format strings  (e.g., "printf()").

(3) Warn if the format string is not a string literal.

(4) Warn about the use se of '%n' conversion.  This conversion is
    discouraged for security reasons.

(5) Warn about malformed conversions.  For example '%;', '%v'; these
    are not valid.

(6) Warn about empty format strings; e.g. printf("").  Although these
    can be optimized away by the compiler, they can be indicative of
    broken programmer logic.  We may need to add additional support to
    see when such cases occur within macro expansion to avoid false
    positives.

(7) Warn if the string literal is wide; e.g. L"%d".

(8) Warn if we detect a '\0' character WITHIN the format string.

Test cases are included.

llvm-svn: 41076
2007-08-14 17:39:48 +00:00
Chris Lattner b87b1b36ee initial support for checking format strings, patch by Ted Kremenek:
"I've coded up some support in clang to flag warnings for non-constant format strings used in calls to printf-like functions (all the functions listed in "man fprintf").  Non-constant format strings are a source of many security exploits in C/C++ programs, and I believe are currently detected by gcc using the flag -Wformat-nonliteral."

llvm-svn: 41003
2007-08-10 20:18:51 +00:00