os_log: When there are multiple privacy annotations in the format

string, choose the strictest one instead of the last.

Also fix an undefined behavior. Move the pointer update to a later point to
avoid adding StringRef::npos to the pointer.

rdar://problem/40706280

llvm-svn: 336863

1 files changed, 6 insertions, 5 deletions

diff --git a/clang/lib/Analysis/PrintfFormatString.cpp b/clang/lib/Analysis/PrintfFormatString.cpp
index 2e5841e..00591ab 100644
--- a/clang/lib/Analysis/PrintfFormatString.cpp
+++ b/clang/lib/Analysis/PrintfFormatString.cpp
@@ -135,17 +135,16 @@ static PrintfSpecifierResult ParsePrintfSpecifier(FormatStringHandler &H,
         MatchedStr = Matches[1];
         I += Matches[0].size();
 
-        // Set the privacy flag if there is a privacy annotation in the
-        // comma-delimited segment. This overrides any privacy annotations that
-        // appeared in previous comma-delimited segments.
+        // Set the privacy flag if the privacy annotation in the
+        // comma-delimited segment is at least as strict as the privacy
+        // annotations in previous comma-delimited segments.
         if (MatchedStr.equals("private"))
           PrivacyFlags = clang::analyze_os_log::OSLogBufferItem::IsPrivate;
-        else if (MatchedStr.equals("public"))
+        else if (PrivacyFlags == 0 && MatchedStr.equals("public"))
           PrivacyFlags = clang::analyze_os_log::OSLogBufferItem::IsPublic;
       } else {
         size_t CommaOrBracePos =
             Str.find_if([](char c) { return c == ',' || c == '}'; });
-        I += CommaOrBracePos + 1;
 
         if (CommaOrBracePos == StringRef::npos) {
           // Neither a comma nor the closing brace was found.
@@ -153,6 +152,8 @@ static PrintfSpecifierResult ParsePrintfSpecifier(FormatStringHandler &H,
             H.HandleIncompleteSpecifier(Start, E - Start);
           return true;
         }
+
+        I += CommaOrBracePos + 1;
       }
       // Continue until the closing brace is found.
     } while (*(I - 1) == ',');