https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78703
--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---

I agree. It's hard to strike a balance between false positives and false negatives.

FYI: The pass tracks three byte counters for every sprintf call: exact (for values we know are exact), minimum (optimistic), and maximum (worst case), and two for each directive (minimum and maximum; when they're the same the count is exact). It also uses some flags: the bounded flag [1] indicates that the function's output/return value is guaranteed to be bounded by the range (i.e., it can be used for optimization); and the knownrange flag indicates that the range comes from values in known ranges (e.g., determined by VRP).

To decide what to diagnose the pass uses the exact counter when it's available. When it isn't (because a directive's exact output cannot be determined [2]), at level one it uses the minimum counter and at level two the maximum. It also uses the knownrange flag to fine-tune the text of the diagnostics. There's some hardwired fuzzy logic here to help diagnose what's likely (like unknown strings are assumed to have a length of 0 at level 1, and a length of 1 at level 2, though I'm not sure how useful this is). This logic could be generalized (e.g., by adding another counter) to make the warnings even more independent of the optimization.

---

[1] I think the bounded flag might be unnecessary because all output is bounded by INT_MAX (and so if the result is less than INT_MAX it's implicitly bounded).

[2] Such as for directives with unknown width specified by an asterisk, or strings of unknown length, or numbers with a precision specified by an asterisk.
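The min/max/bounded bookkeeping the comment describes, as an added toy illustration in C that is not GCC's sprintf pass: `struct arg`, `struct count`, `estimate` and `est1` are constructed here, the argument facts stand in for what VRP would supply, and only `%d`, `%s` and a `*` width are handled.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed per-argument facts standing in for what VRP would supply:
   for %d the int's value range, for %s the string's length range. */
struct arg { bool known; long lo, hi; };
/* Running counters: min (optimistic), max (worst case), exact when equal;
   `bounded` is the comment's bounded flag: max is a real guarantee. */
struct count { size_t min, max; bool bounded; };

static size_t dec_len(long v) { char b[32]; return (size_t)snprintf(b, sizeof b, "%ld", v); }
static void add(struct count *c, size_t lo, size_t hi, bool bounded) {
    c->min += lo;
    c->max = (c->max + hi > INT_MAX) ? INT_MAX : c->max + hi;  /* output is INT_MAX-bounded */
    c->bounded = c->bounded && bounded;
}

/* Estimate the bytes FMT writes given ARGS; handles only %d, %s and a '*' width.
   LEVEL picks the assumed minimum length of an unknown string: 0 at 1, 1 at 2. */
struct count estimate(const char *fmt, const struct arg *args, int level) {
    struct count c = { 0, 0, true };
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { add(&c, 1, 1, true); continue; }   /* literal byte */
        bool star = (*++p == '*');       /* width taken from an int argument */
        if (star) { p++; args++; }       /* skip it: the width is unknown */
        if (!*p) break;                  /* malformed trailing '%' */
        const struct arg *a = args++;
        size_t lo = 0, hi = 0; bool bounded = true;
        if (*p == 'd') {
            if (!a->known) { lo = 1; hi = dec_len(INT_MIN); }  /* "0" .. "-2147483648" */
            else {  /* shortest at the value nearest zero, longest at an endpoint */
                lo = (a->lo <= 0 && a->hi >= 0) ? 1 : dec_len(a->hi < 0 ? a->hi : a->lo);
                hi = dec_len(a->lo) > dec_len(a->hi) ? dec_len(a->lo) : dec_len(a->hi);
            }
        } else if (*p == 's') {
            if (!a->known) { lo = level > 1 ? 1 : 0; hi = INT_MAX; bounded = false; }
            else { lo = (size_t)a->lo; hi = (size_t)a->hi; }
        }
        if (star) { hi = INT_MAX; bounded = false; }  /* unknown width: no useful max */
        add(&c, lo, hi, bounded);
    }
    return c;
}

/* One-argument convenience; the arg is duplicated so "%*d" has its width arg too. */
struct count est1(const char *fmt, bool known, long lo, long hi, int level) {
    struct arg a[2] = { { known, lo, hi }, { known, lo, hi } };
    return estimate(fmt, a, level);
}
```

A caller would compare `min`/`max` against the destination size to decide what to diagnose, using `min` at level 1 and `max` at level 2 when `min != max`.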