ScanfFormatString.cpp source code [clang_source_code/lib/AST/ScanfFormatString.cpp]

1	//= ScanfFormatString.cpp - Analysis of printf format strings --- C++ --===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// Handling of format string in scanf and friends. The structure of format
10	// strings for fscanf() are described in C99 7.19.6.2.
11	//
12	//===----------------------------------------------------------------------===//
13
14	#include "clang/AST/FormatString.h"
15	#include "FormatStringParsing.h"
16	#include "clang/Basic/TargetInfo.h"
17
18	using clang::analyze_format_string::ArgType;
19	using clang::analyze_format_string::FormatStringHandler;
20	using clang::analyze_format_string::LengthModifier;
21	using clang::analyze_format_string::OptionalAmount;
22	using clang::analyze_format_string::ConversionSpecifier;
23	using clang::analyze_scanf::ScanfConversionSpecifier;
24	using clang::analyze_scanf::ScanfSpecifier;
25	using clang::UpdateOnReturn;
26	using namespace clang;
27
28	typedef clang::analyze_format_string::SpecifierResult<ScanfSpecifier>
29	ScanfSpecifierResult;
30
31	static bool ParseScanList(FormatStringHandler &H,
32	ScanfConversionSpecifier &CS,
33	const char &Beg, const char E) {
34	const char *I = Beg;
35	const char *start = I - 1;
36	UpdateOnReturn <const char*> UpdateBeg(Beg, I);
37
38	// No more characters?
39	if (I == E) {
40	H.HandleIncompleteScanList(start, I);
41	return true;
42	}
43
44	// Special case: ']' is the first character.
45	if (*I == ']') {
46	if (++I == E) {
47	H.HandleIncompleteScanList(start, I - 1);
48	return true;
49	}
50	}
51
52	// Special case: "^]" are the first characters.
53	if (I + 1 != E && I[0] == '^' && I[1] == ']') {
54	I += 2;
55	if (I == E) {
56	H.HandleIncompleteScanList(start, I - 1);
57	return true;
58	}
59	}
60
61	// Look for a ']' character which denotes the end of the scan list.
62	while (*I != ']') {
63	if (++I == E) {
64	H.HandleIncompleteScanList(start, I - 1);
65	return true;
66	}
67	}
68
69	CS.setEndScanList(I);
70	return false;
71	}
72
73	// FIXME: Much of this is copy-paste from ParsePrintfSpecifier.
74	// We can possibly refactor.
75	static ScanfSpecifierResult ParseScanfSpecifier(FormatStringHandler &H,
76	const char *&Beg,
77	const char *E,
78	unsigned &argIndex,
79	const LangOptions &LO,
80	const TargetInfo &Target) {
81	using namespace clang::analyze_format_string;
82	using namespace clang::analyze_scanf;
83	const char *I = Beg;
84	const char *Start = nullptr;
85	UpdateOnReturn <const char*> UpdateBeg(Beg, I);
86
87	// Look for a '%' character that indicates the start of a format specifier.
88	for ( ; I != E ; ++I) {
89	char c = *I;
90	if (c == '\0') {
91	// Detect spurious null characters, which are likely errors.
92	H.HandleNullChar(I);
93	return true;
94	}
95	if (c == '%') {
96	Start = I++; // Record the start of the format specifier.
97	break;
98	}
99	}
100
101	// No format specifier found?
102	if (!Start)
103	return false;
104
105	if (I == E) {
106	// No more characters left?
107	H.HandleIncompleteSpecifier(Start, E - Start);
108	return true;
109	}
110
111	ScanfSpecifier FS;
112	if (ParseArgPosition(H, FS, Start, I, E))
113	return true;
114
115	if (I == E) {
116	// No more characters left?
117	H.HandleIncompleteSpecifier(Start, E - Start);
118	return true;
119	}
120
121	// Look for '*' flag if it is present.
122	if (I == '') {
123	FS.setSuppressAssignment(I);
124	if (++I == E) {
125	H.HandleIncompleteSpecifier(Start, E - Start);
126	return true;
127	}
128	}
129
130	// Look for the field width (if any). Unlike printf, this is either
131	// a fixed integer or isn't present.
132	const OptionalAmount &Amt = clang::analyze_format_string::ParseAmount(I, E);
133	if (Amt.getHowSpecified() != OptionalAmount::NotSpecified) {
134	assert(Amt.getHowSpecified() == OptionalAmount::Constant);
135	FS.setFieldWidth(Amt);
136
137	if (I == E) {
138	// No more characters left?
139	H.HandleIncompleteSpecifier(Start, E - Start);
140	return true;
141	}
142	}
143
144	// Look for the length modifier.
145	if (ParseLengthModifier(FS, I, E, LO, /scanf=/true) && I == E) {
146	// No more characters left?
147	H.HandleIncompleteSpecifier(Start, E - Start);
148	return true;
149	}
150
151	// Detect spurious null characters, which are likely errors.
152	if (*I == '\0') {
153	H.HandleNullChar(I);
154	return true;
155	}
156
157	// Finally, look for the conversion specifier.
158	const char *conversionPosition = I++;
159	ScanfConversionSpecifier::Kind k = ScanfConversionSpecifier::InvalidSpecifier;
160	switch (*conversionPosition) {
161	default:
162	break;
163	case '%': k = ConversionSpecifier::PercentArg; break;
164	case 'A': k = ConversionSpecifier::AArg; break;
165	case 'E': k = ConversionSpecifier::EArg; break;
166	case 'F': k = ConversionSpecifier::FArg; break;
167	case 'G': k = ConversionSpecifier::GArg; break;
168	case 'X': k = ConversionSpecifier::XArg; break;
169	case 'a': k = ConversionSpecifier::aArg; break;
170	case 'd': k = ConversionSpecifier::dArg; break;
171	case 'e': k = ConversionSpecifier::eArg; break;
172	case 'f': k = ConversionSpecifier::fArg; break;
173	case 'g': k = ConversionSpecifier::gArg; break;
174	case 'i': k = ConversionSpecifier::iArg; break;
175	case 'n': k = ConversionSpecifier::nArg; break;
176	case 'c': k = ConversionSpecifier::cArg; break;
177	case 'C': k = ConversionSpecifier::CArg; break;
178	case 'S': k = ConversionSpecifier::SArg; break;
179	case '[': k = ConversionSpecifier::ScanListArg; break;
180	case 'u': k = ConversionSpecifier::uArg; break;
181	case 'x': k = ConversionSpecifier::xArg; break;
182	case 'o': k = ConversionSpecifier::oArg; break;
183	case 's': k = ConversionSpecifier::sArg; break;
184	case 'p': k = ConversionSpecifier::pArg; break;
185	// Apple extensions
186	// Apple-specific
187	case 'D':
188	if (Target.getTriple().isOSDarwin())
189	k = ConversionSpecifier::DArg;
190	break;
191	case 'O':
192	if (Target.getTriple().isOSDarwin())
193	k = ConversionSpecifier::OArg;
194	break;
195	case 'U':
196	if (Target.getTriple().isOSDarwin())
197	k = ConversionSpecifier::UArg;
198	break;
199	}
200	ScanfConversionSpecifier CS(conversionPosition, k);
201	if (k == ScanfConversionSpecifier::ScanListArg) {
202	if (ParseScanList(H, CS, I, E))
203	return true;
204	}
205	FS.setConversionSpecifier(CS);
206	if (CS.consumesDataArgument() && !FS.getSuppressAssignment()
207	&& !FS.usesPositionalArg())
208	FS.setArgIndex(argIndex++);
209
210	// FIXME: '%' and '*' doesn't make sense. Issue a warning.
211	// FIXME: 'ConsumedSoFar' and '*' doesn't make sense.
212
213	if (k == ScanfConversionSpecifier::InvalidSpecifier) {
214	unsigned Len = I - Beg;
215	if (ParseUTF8InvalidSpecifier(Beg, E, Len)) {
216	CS.setEndScanList(Beg + Len);
217	FS.setConversionSpecifier(CS);
218	}
219	// Assume the conversion takes one argument.
220	return !H.HandleInvalidScanfConversionSpecifier(FS, Beg, Len);
221	}
222	return ScanfSpecifierResult(Start, FS);
223	}
224
225	ArgType ScanfSpecifier::getArgType(ASTContext &Ctx) const {
226	const ScanfConversionSpecifier &CS = getConversionSpecifier();
227
228	if (!CS.consumesDataArgument())
229	return ArgType::Invalid();
230
231	switch(CS.getKind()) {
232	// Signed int.
233	case ConversionSpecifier::dArg:
234	case ConversionSpecifier::DArg:
235	case ConversionSpecifier::iArg:
236	switch (LM.getKind()) {
237	case LengthModifier::None:
238	return ArgType::PtrTo(Ctx.IntTy);
239	case LengthModifier::AsChar:
240	return ArgType::PtrTo(ArgType::AnyCharTy);
241	case LengthModifier::AsShort:
242	return ArgType::PtrTo(Ctx.ShortTy);
243	case LengthModifier::AsLong:
244	return ArgType::PtrTo(Ctx.LongTy);
245	case LengthModifier::AsLongLong:
246	case LengthModifier::AsQuad:
247	return ArgType::PtrTo(Ctx.LongLongTy);
248	case LengthModifier::AsInt64:
249	return ArgType::PtrTo(ArgType(Ctx.LongLongTy, "__int64"));
250	case LengthModifier::AsIntMax:
251	return ArgType::PtrTo(ArgType(Ctx.getIntMaxType(), "intmax_t"));
252	case LengthModifier::AsSizeT:
253	return ArgType::PtrTo(ArgType(Ctx.getSignedSizeType(), "ssize_t"));
254	case LengthModifier::AsPtrDiff:
255	return ArgType::PtrTo(ArgType(Ctx.getPointerDiffType(), "ptrdiff_t"));
256	case LengthModifier::AsLongDouble:
257	// GNU extension.
258	return ArgType::PtrTo(Ctx.LongLongTy);
259	case LengthModifier::AsAllocate:
260	case LengthModifier::AsMAllocate:
261	case LengthModifier::AsInt32:
262	case LengthModifier::AsInt3264:
263	case LengthModifier::AsWide:
264	case LengthModifier::AsShortLong:
265	return ArgType::Invalid();
266	}
267	llvm_unreachable("Unsupported LengthModifier Type");
268
269	// Unsigned int.
270	case ConversionSpecifier::oArg:
271	case ConversionSpecifier::OArg:
272	case ConversionSpecifier::uArg:
273	case ConversionSpecifier::UArg:
274	case ConversionSpecifier::xArg:
275	case ConversionSpecifier::XArg:
276	switch (LM.getKind()) {
277	case LengthModifier::None:
278	return ArgType::PtrTo(Ctx.UnsignedIntTy);
279	case LengthModifier::AsChar:
280	return ArgType::PtrTo(Ctx.UnsignedCharTy);
281	case LengthModifier::AsShort:
282	return ArgType::PtrTo(Ctx.UnsignedShortTy);
283	case LengthModifier::AsLong:
284	return ArgType::PtrTo(Ctx.UnsignedLongTy);
285	case LengthModifier::AsLongLong:
286	case LengthModifier::AsQuad:
287	return ArgType::PtrTo(Ctx.UnsignedLongLongTy);
288	case LengthModifier::AsInt64:
289	return ArgType::PtrTo(ArgType(Ctx.UnsignedLongLongTy, "unsigned __int64"));
290	case LengthModifier::AsIntMax:
291	return ArgType::PtrTo(ArgType(Ctx.getUIntMaxType(), "uintmax_t"));
292	case LengthModifier::AsSizeT:
293	return ArgType::PtrTo(ArgType(Ctx.getSizeType(), "size_t"));
294	case LengthModifier::AsPtrDiff:
295	return ArgType::PtrTo(
296	ArgType(Ctx.getUnsignedPointerDiffType(), "unsigned ptrdiff_t"));
297	case LengthModifier::AsLongDouble:
298	// GNU extension.
299	return ArgType::PtrTo(Ctx.UnsignedLongLongTy);
300	case LengthModifier::AsAllocate:
301	case LengthModifier::AsMAllocate:
302	case LengthModifier::AsInt32:
303	case LengthModifier::AsInt3264:
304	case LengthModifier::AsWide:
305	case LengthModifier::AsShortLong:
306	return ArgType::Invalid();
307	}
308	llvm_unreachable("Unsupported LengthModifier Type");
309
310	// Float.
311	case ConversionSpecifier::aArg:
312	case ConversionSpecifier::AArg:
313	case ConversionSpecifier::eArg:
314	case ConversionSpecifier::EArg:
315	case ConversionSpecifier::fArg:
316	case ConversionSpecifier::FArg:
317	case ConversionSpecifier::gArg:
318	case ConversionSpecifier::GArg:
319	switch (LM.getKind()) {
320	case LengthModifier::None:
321	return ArgType::PtrTo(Ctx.FloatTy);
322	case LengthModifier::AsLong:
323	return ArgType::PtrTo(Ctx.DoubleTy);
324	case LengthModifier::AsLongDouble:
325	return ArgType::PtrTo(Ctx.LongDoubleTy);
326	default:
327	return ArgType::Invalid();
328	}
329
330	// Char, string and scanlist.
331	case ConversionSpecifier::cArg:
332	case ConversionSpecifier::sArg:
333	case ConversionSpecifier::ScanListArg:
334	switch (LM.getKind()) {
335	case LengthModifier::None:
336	return ArgType::PtrTo(ArgType::AnyCharTy);
337	case LengthModifier::AsLong:
338	case LengthModifier::AsWide:
339	return ArgType::PtrTo(ArgType(Ctx.getWideCharType(), "wchar_t"));
340	case LengthModifier::AsAllocate:
341	case LengthModifier::AsMAllocate:
342	return ArgType::PtrTo(ArgType::CStrTy);
343	case LengthModifier::AsShort:
344	if (Ctx.getTargetInfo().getTriple().isOSMSVCRT())
345	return ArgType::PtrTo(ArgType::AnyCharTy);
346	LLVM_FALLTHROUGH;
347	default:
348	return ArgType::Invalid();
349	}
350	case ConversionSpecifier::CArg:
351	case ConversionSpecifier::SArg:
352	// FIXME: Mac OS X specific?
353	switch (LM.getKind()) {
354	case LengthModifier::None:
355	case LengthModifier::AsWide:
356	return ArgType::PtrTo(ArgType(Ctx.getWideCharType(), "wchar_t"));
357	case LengthModifier::AsAllocate:
358	case LengthModifier::AsMAllocate:
359	return ArgType::PtrTo(ArgType(ArgType::WCStrTy, "wchar_t *"));
360	case LengthModifier::AsShort:
361	if (Ctx.getTargetInfo().getTriple().isOSMSVCRT())
362	return ArgType::PtrTo(ArgType::AnyCharTy);
363	LLVM_FALLTHROUGH;
364	default:
365	return ArgType::Invalid();
366	}
367
368	// Pointer.
369	case ConversionSpecifier::pArg:
370	return ArgType::PtrTo(ArgType::CPointerTy);
371
372	// Write-back.
373	case ConversionSpecifier::nArg:
374	switch (LM.getKind()) {
375	case LengthModifier::None:
376	return ArgType::PtrTo(Ctx.IntTy);
377	case LengthModifier::AsChar:
378	return ArgType::PtrTo(Ctx.SignedCharTy);
379	case LengthModifier::AsShort:
380	return ArgType::PtrTo(Ctx.ShortTy);
381	case LengthModifier::AsLong:
382	return ArgType::PtrTo(Ctx.LongTy);
383	case LengthModifier::AsLongLong:
384	case LengthModifier::AsQuad:
385	return ArgType::PtrTo(Ctx.LongLongTy);
386	case LengthModifier::AsInt64:
387	return ArgType::PtrTo(ArgType(Ctx.LongLongTy, "__int64"));
388	case LengthModifier::AsIntMax:
389	return ArgType::PtrTo(ArgType(Ctx.getIntMaxType(), "intmax_t"));
390	case LengthModifier::AsSizeT:
391	return ArgType::PtrTo(ArgType(Ctx.getSignedSizeType(), "ssize_t"));
392	case LengthModifier::AsPtrDiff:
393	return ArgType::PtrTo(ArgType(Ctx.getPointerDiffType(), "ptrdiff_t"));
394	case LengthModifier::AsLongDouble:
395	return ArgType(); // FIXME: Is this a known extension?
396	case LengthModifier::AsAllocate:
397	case LengthModifier::AsMAllocate:
398	case LengthModifier::AsInt32:
399	case LengthModifier::AsInt3264:
400	case LengthModifier::AsWide:
401	case LengthModifier::AsShortLong:
402	return ArgType::Invalid();
403	}
404
405	default:
406	break;
407	}
408
409	return ArgType();
410	}
411
412	bool ScanfSpecifier::fixType(QualType QT, QualType RawQT,
413	const LangOptions &LangOpt,
414	ASTContext &Ctx) {
415
416	// %n is different from other conversion specifiers; don't try to fix it.
417	if (CS.getKind() == ConversionSpecifier::nArg)
418	return false;
419
420	if (!QT->isPointerType())
421	return false;
422
423	QualType PT = QT->getPointeeType();
424
425	// If it's an enum, get its underlying type.
426	if (const EnumType *ETy = PT->getAs<EnumType>()) {
427	// Don't try to fix incomplete enums.
428	if (!ETy->getDecl()->isComplete())
429	return false;
430	PT = ETy->getDecl()->getIntegerType();
431	}
432
433	const BuiltinType *BT = PT->getAs<BuiltinType>();
434	if (!BT)
435	return false;
436
437	// Pointer to a character.
438	if (PT->isAnyCharacterType()) {
439	CS.setKind(ConversionSpecifier::sArg);
440	if (PT->isWideCharType())
441	LM.setKind(LengthModifier::AsWideChar);
442	else
443	LM.setKind(LengthModifier::None);
444
445	// If we know the target array length, we can use it as a field width.
446	if (const ConstantArrayType *CAT = Ctx.getAsConstantArrayType(RawQT)) {
447	if (CAT->getSizeModifier() == ArrayType::Normal)
448	FieldWidth = OptionalAmount(OptionalAmount::Constant,
449	CAT->getSize().getZExtValue() - 1,
450	"", 0, false);
451
452	}
453	return true;
454	}
455
456	// Figure out the length modifier.
457	switch (BT->getKind()) {
458	// no modifier
459	case BuiltinType::UInt:
460	case BuiltinType::Int:
461	case BuiltinType::Float:
462	LM.setKind(LengthModifier::None);
463	break;
464
465	// hh
466	case BuiltinType::Char_U:
467	case BuiltinType::UChar:
468	case BuiltinType::Char_S:
469	case BuiltinType::SChar:
470	LM.setKind(LengthModifier::AsChar);
471	break;
472
473	// h
474	case BuiltinType::Short:
475	case BuiltinType::UShort:
476	LM.setKind(LengthModifier::AsShort);
477	break;
478
479	// l
480	case BuiltinType::Long:
481	case BuiltinType::ULong:
482	case BuiltinType::Double:
483	LM.setKind(LengthModifier::AsLong);
484	break;
485
486	// ll
487	case BuiltinType::LongLong:
488	case BuiltinType::ULongLong:
489	LM.setKind(LengthModifier::AsLongLong);
490	break;
491
492	// L
493	case BuiltinType::LongDouble:
494	LM.setKind(LengthModifier::AsLongDouble);
495	break;
496
497	// Don't know.
498	default:
499	return false;
500	}
501
502	// Handle size_t, ptrdiff_t, etc. that have dedicated length modifiers in C99.
503	if (isa<TypedefType>(PT) && (LangOpt.C99 \|\| LangOpt.CPlusPlus11))
504	namedTypeToLengthModifier(PT, LM);
505
506	// If fixing the length modifier was enough, we are done.
507	if (hasValidLengthModifier(Ctx.getTargetInfo(), LangOpt)) {
508	const analyze_scanf::ArgType &AT = getArgType(Ctx);
509	if (AT.isValid() && AT.matchesType(Ctx, QT))
510	return true;
511	}
512
513	// Figure out the conversion specifier.
514	if (PT->isRealFloatingType())
515	CS.setKind(ConversionSpecifier::fArg);
516	else if (PT->isSignedIntegerType())
517	CS.setKind(ConversionSpecifier::dArg);
518	else if (PT->isUnsignedIntegerType())
519	CS.setKind(ConversionSpecifier::uArg);
520	else
521	llvm_unreachable("Unexpected type");
522
523	return true;
524	}
525
526	void ScanfSpecifier::toString(raw_ostream &os) const {
527	os << "%";
528
529	if (usesPositionalArg())
530	os << getPositionalArgIndex() << "$";
531	if (SuppressAssignment)
532	os << "*";
533
534	FieldWidth.toString(os);
535	os << LM.toString();
536	os << CS.toString();
537	}
538
539	bool clang::analyze_format_string::ParseScanfString(FormatStringHandler &H,
540	const char *I,
541	const char *E,
542	const LangOptions &LO,
543	const TargetInfo &Target) {
544
545	unsigned argIndex = 0;
546
547	// Keep looking for a format specifier until we have exhausted the string.
548	while (I != E) {
549	const ScanfSpecifierResult &FSR = ParseScanfSpecifier(H, I, E, argIndex,
550	LO, Target);
551	// Did a fail-stop error of any kind occur when parsing the specifier?
552	// If so, don't do any more processing.
553	if (FSR.shouldStop())
554	return true;
555	// Did we exhaust the string or encounter an error that
556	// we can recover from?
557	if (!FSR.hasValue())
558	continue;
559	// We have a format specifier. Pass it to the callback.
560	if (!H.HandleScanfSpecifier(FSR.getValue(), FSR.getStart(),
561	I - FSR.getStart())) {
562	return true;
563	}
564	}
565	(0) . __assert_fail ("I == E && \"Format string not exhausted\"", "/home/seafit/code_projects/clang_source/clang/lib/AST/ScanfFormatString.cpp", 565, __PRETTY_FUNCTION__))" file_link="../../../include/assert.h.html#88" macro="true">assert(I == E && "Format string not exhausted");
566	return false;
567	}
568

clang::analyze_scanf::ScanfSpecifier::getArgType

clang::analyze_scanf::ScanfSpecifier::fixType

clang::analyze_scanf::ScanfSpecifier::toString

Clang Project