Make -Wformat check the argument type for %n.

This makes Clang check that the corresponding argument for "%n" in a
format string is a pointer to int.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@160966 91177308-0d34-0410-b5e6-96231b3b80d8

lib/Analysis/PrintfFormatString.cpp

@@ -330,6 +330,8 @@ ArgTypeResult PrintfSpecifier::getArgType(ASTContext &Ctx,
       return ArgTypeResult(Ctx.WCharTy, "wchar_t");
     case ConversionSpecifier::pArg:
       return ArgTypeResult::CPointerTy;
+    case ConversionSpecifier::nArg:
+      return Ctx.getPointerType(Ctx.IntTy);
     case ConversionSpecifier::ObjCObjArg:
       return ArgTypeResult::ObjCPointerTy;
     default:
@@ -342,6 +344,10 @@ ArgTypeResult PrintfSpecifier::getArgType(ASTContext &Ctx,
 
 bool PrintfSpecifier::fixType(QualType QT, const LangOptions &LangOpt,
                               ASTContext &Ctx, bool IsObjCLiteral) {
+  // %n is different from other conversion specifiers; don't try to fix it.
+  if (CS.getKind() == ConversionSpecifier::nArg)
+    return false;
+
   // Handle Objective-C objects first. Note that while the '%@' specifier will
   // not warn for structure pointer or void pointer arguments (because that's
   // how CoreFoundation objects are implemented), we only show a fixit for '%@'

lib/Analysis/ScanfFormatString.cpp

@@ -303,6 +303,9 @@ ScanfArgTypeResult ScanfSpecifier::getArgType(ASTContext &Ctx) const {
     case ConversionSpecifier::pArg:
       return ScanfArgTypeResult(ArgTypeResult(ArgTypeResult::CPointerTy));
 
+    case ConversionSpecifier::nArg:
+      return ArgTypeResult(Ctx.IntTy);
+
     default:
       break;
   }
@@ -315,6 +318,10 @@ bool ScanfSpecifier::fixType(QualType QT, const LangOptions &LangOpt,
   if (!QT->isPointerType())
     return false;
 
+  // %n is different from other conversion specifiers; don't try to fix it.
+  if (CS.getKind() == ConversionSpecifier::nArg)
+    return false;
+
   QualType PT = QT->getPointeeType();
 
   // If it's an enum, get its underlying type.

lib/Sema/SemaChecking.cpp

@@ -2568,8 +2568,6 @@ CheckPrintfHandler::HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier
                          getLocationOfByte(CS.getStart()),
                          /*IsStringLocation*/true,
                          getSpecifierRange(startSpecifier, specifierLen));
-    // Continue checking the other format specifiers.
-    return true;
   }
 
   // The remaining checks depend on the data arguments.

test/Sema/format-strings-scanf.c

@@ -121,3 +121,8 @@ void test_quad(int *x, long long *llx) {
   scanf("%qd", x); // expected-warning{{format specifies type 'long long *' but the argument has type 'int *'}}
   scanf("%qd", llx); // no-warning
 }
+
+void test_writeback(int *x) {
+  scanf("%n", (void*)0); // expected-warning{{format specifies type 'int *' but the argument has type 'void *'}}
+  scanf("%n %c", x, x); // expected-warning{{format specifies type 'char *' but the argument has type 'int *'}}
+}

test/Sema/format-strings.c

@@ -91,6 +91,7 @@ void check_writeback_specifier()
 
   printf("%n",&x); // expected-warning {{'%n' in format string discouraged}}
   sprintf(b,"%d%%%n",1, &x); // expected-warning {{'%n' in format string dis}}
+  printf("%n",b); // expected-warning {{'%n' in format string discouraged}} expected-warning{{format specifies type 'int *' but the argument has type 'char *'}}
 }
 
 void check_invalid_specifier(FILE* fp, char *buf)
@@ -316,14 +317,14 @@ void bug7377_bad_length_mod_usage() {
   // Bad flag usage
   printf("%#p", (void *) 0); // expected-warning{{flag '#' results in undefined behavior with 'p' conversion specifier}}
   printf("%0d", -1); // no-warning
-  printf("%#n", (void *) 0); // expected-warning{{flag '#' results in undefined behavior with 'n' conversion specifier}} expected-warning{{use of '%n' in format string discouraged (potentially insecure)}}
-  printf("%-n", (void *) 0); // expected-warning{{flag '-' results in undefined behavior with 'n' conversion specifier}} expected-warning{{use of '%n' in format string discouraged (potentially insecure)}}
+  printf("%#n", (int *) 0); // expected-warning{{flag '#' results in undefined behavior with 'n' conversion specifier}} expected-warning{{use of '%n' in format string discouraged (potentially insecure)}}
+  printf("%-n", (int *) 0); // expected-warning{{flag '-' results in undefined behavior with 'n' conversion specifier}} expected-warning{{use of '%n' in format string discouraged (potentially insecure)}}
   printf("%-p", (void *) 0); // no-warning
 
   // Bad optional amount use
   printf("%.2c", 'a'); // expected-warning{{precision used with 'c' conversion specifier, resulting in undefined behavior}}
-  printf("%1n", (void *) 0); // expected-warning{{field width used with 'n' conversion specifier, resulting in undefined behavior}} expected-warning{{use of '%n' in format string discouraged (potentially insecure)}}
-  printf("%.9n", (void *) 0); // expected-warning{{precision used with 'n' conversion specifier, resulting in undefined behavior}} expected-warning{{use of '%n' in format string discouraged (potentially insecure)}}
+  printf("%1n", (int *) 0); // expected-warning{{field width used with 'n' conversion specifier, resulting in undefined behavior}} expected-warning{{use of '%n' in format string discouraged (potentially insecure)}}
+  printf("%.9n", (int *) 0); // expected-warning{{precision used with 'n' conversion specifier, resulting in undefined behavior}} expected-warning{{use of '%n' in format string discouraged (potentially insecure)}}
 
   // Ignored flags
   printf("% +f", 1.23); // expected-warning{{flag ' ' is ignored when flag '+' is present}}
@@ -436,8 +437,9 @@ void pr9751() {
   printf("%18$s\n", 1, "foo"); // expected-warning{{data argument position '18' exceeds the number of data arguments (2)}}
 
   const char kFormat3[] = "%n"; // expected-note{{format string is defined here}}
-  printf(kFormat3, "as"); // expected-warning{{use of '%n' in format string discouraged}}
-  printf("%n", "as"); // expected-warning{{use of '%n' in format string discouraged}}
+  printf(kFormat3, (int*)NULL); // expected-warning{{use of '%n' in format string discouraged}}
+  printf("%n", (int*)NULL); // expected-warning{{use of '%n' in format string discouraged}}
+
 
   const char kFormat4[] = "%y"; // expected-note{{format string is defined here}}
   printf(kFormat4, 5); // expected-warning{{invalid conversion specifier 'y'}}