[cfe-dev] Extending printf format string checking to cover ObjC format strings in NSLog

Ted Kremenek kremenek at apple.com
Mon Jun 16 11:29:39 PDT 2008 

On Jun 16, 2008, at 3:28 AM, Nikita Zhuk wrote:

> Hello,
>
> Current printf format string checking is very useful but it's  
> limited to printf -style functions which use C format strings. I  
> would like to propose extending this functionality to cover  
> Objective-C format strings in NSLog function. A simple  
> implementation of this extension is attached to this message.
>
> Speaking of format strings in ObjC, are there any plans to extend  
> format string checking to cover ObjC methods which accept format  
> strings as one of their arguments, such as various -[NSString  
> initWithFormat:...] methods?
>
> Best regards,
> Nikita Zhuk

Thanks Nikita!  Applied:

   http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20080616/006125.html

This is a good introductory patch for ObjC format strings.  A couple  
points worth thinking about:


1) NSLog uses the "NSString" attribute to document it has a "format- 
string" interface.  From Foundation.h:

   extern void NSLog(NSString *format, ...)  
__attribute__((format(__NSString__, 1, 2)));

Instead of checking for "NSLog", we should probably generalize the  
checking to just use the NSString attribute.  Right now we parse the  
NSString attribute, and create a FormatAttr object to represent that  
attribute.  We should probably generalize FormatAttr (or add a flag)  
to indicate that it came from __NSString__.



2) Format string checking for __NSString__ is not exactly the same as  
printf checking.  According to Apple's documentation, the set of  
format specifiers is not the same as for printf:

   http://developer.apple.com/documentation/Cocoa/Conceptual/Strings/Articles/formatSpecifiers.html#/ 
/apple_ref/doc/uid/TP40004265

For example, Objective-C format strings support things like %D, %qX,  
etc., but these are not supported by printf.  printf also supports %n  
(which is a security hole), but Objective-C format strings do not  
support %n.  We'll need to extend the format-string checking to  
distinguish between these two modes.

FYI: The C99 documentation for printf format-string arguments is in  
section 7.19.6.1 of the C99 Standard.



Overall, our format string checking needs to be greatly improved, and  
include things like more comprehensive type checking between  
specifiers and arguments, etc.  I plan on working on this over the  
next couple days.

Thanks for the patch!

Ted

More information about the cfe-dev mailing list