[PATCH] - improve sprintf buffer overflow detection (middle-end/49905)

Jakub Jelinek jakub@redhat.com
Fri Jul 22 19:57:00 GMT 2016


On Mon, Jul 18, 2016 at 03:59:11PM -0600, Martin Sebor wrote:
> +  /* Try to use __builtin_object_size although it rarely returns
> +     a useful result even for straighforward cases.  */
> +  tree ost = warn_format_length < 2
> +    ? integer_zero_node : build_int_cst (size_type_node, 2);
> +  tree args[] = { dest, ost };
> +  tree func = builtin_decl_explicit (BUILT_IN_OBJECT_SIZE);
> +  if (tree size = fold_builtin_n (UNKNOWN_LOCATION, func, args, 2, false))
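Review bot: nothing in this hunk distinguishes a folded result that is the builtin's own "unknown" value from a real size. `__builtin_object_size` is documented to yield (size_t) -1 for type 0 and 0 for type 2 when the pointed-to object cannot be determined, so the `ost` selection on the `tree ost = warn_format_length < 2` line changes what "unknown" looks like: the -1 case happens to coincide with the HOST_WIDE_INT_M1U sentinel the callers test, but a 0 from a type-2 query would be returned as a genuine zero-byte destination and warn on every call. Compare the folded value against the chosen type's unknown marker before returning it. Minor: the two arms of the conditional build constants of different types (`integer_zero_node` versus `size_type_node`); use `build_int_cst (integer_type_node, 2)` so both match the builtin's int parameter.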

What is the point of going through fold etc.?  You can just
(for ADDR_EXPR and SSA_NAME) call compute_builtin_object_size without,
and don't have to convert the result back to tree and then back to uhwi.

> +    return tree_to_uhwi (STRIP_NOPS  (size));
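Review bot: STRIP_NOPS is an assignment macro (it expands to an assignment of the stripped value back to `size`), so nesting it inside the call argument is legal but hides that `size` is being modified; write `STRIP_NOPS (size);` on its own line followed by `return tree_to_uhwi (size);`. The double space before the parenthesis also departs from GCC style.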

Formatting.
> +
> +  /* If __builtin_object_size fails to deliver, try to compute
> +     it for the very basic (but common) cases.  */
> +  if (TREE_CODE (dest) == SSA_NAME
> +      && POINTER_TYPE_P (TREE_TYPE (dest)))
> +    {
> +      gimple *def = SSA_NAME_DEF_STMT (dest);
> +      if (gimple_code (def) == GIMPLE_ASSIGN)

is_gimple_assign (def) ?

> +	{
> +	  tree_code code = gimple_assign_rhs_code (def);
> +	  if (code == POINTER_PLUS_EXPR)
> +	    {
> +	      tree off = gimple_assign_rhs2 (def);
> +	      dest = gimple_assign_rhs1 (def);
> +
> +	      if (cst_and_fits_in_hwi (off))
> +		{
> +		  unsigned HOST_WIDE_INT size = get_destination_size (dest);
> +		  if (size != HOST_WIDE_INT_M1U)
> +		    return size - tree_to_shwi (off);
> +		}
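Review bot: the subtraction `size - tree_to_shwi (off)` has no range check, so an offset larger than the base object's size wraps the unsigned result to a huge value and the caller would treat a destination that is already past the end of the object as an enormous buffer, silencing the warning exactly where it matters. Compare first and clamp: if the offset, taken as an unsigned value (which also covers a negative offset), exceeds `size`, return 0, otherwise return the difference. Also, `dest` is reassigned before the `cst_and_fits_in_hwi (off)` test; that is harmless because the non-constant path falls through to the -1 return, but it reads as though the rewritten pointer were still used afterwards.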

I think you need to be very careful on negative offsets here (or don't allow
them).

> +	    }

Shouldn't this have some upper bound for the recursion?
E.g. PARAM_VALUE (PARAM_MAX_SSA_NAME_QUERY_DEPTH)?
> +	}
> +    }
> +
> +  return -1;
> +}
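Review bot: `return -1;` at the end of a function whose callers compare against HOST_WIDE_INT_M1U (as the recursive call in the POINTER_PLUS_EXPR path does) relies on the implicit conversion of -1 to unsigned HOST_WIDE_INT; returning HOST_WIDE_INT_M1U by name makes the "unknown" contract explicit, and that contract should be stated in the function's comment as well.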

	Jakub
