[cfe-dev] RFC: default to -Werror=format-security

Bob Wilson via cfe-dev cfe-dev at lists.llvm.org
Tue Feb 16 11:29:39 PST 2016


> On Feb 16, 2016, at 11:01 AM, David Blaikie <dblaikie at gmail.com> wrote:
> 
> What other warnings do we default to error? Do we seem to have any (de facto or explicit) guideline for deciding?

Here is a list of the diagnostics that currently default to errors:

warn_module_config_mismatch
ext_reserved_user_defined_literal
ext_pp_bad_paste_ms
warn_use_of_private_header_outside_module
ext_cc_narrowing
ext_register_storage_class
warn_builtin_unknown
warn_cxx_ms_struct
warn_delegating_tor_cycle
ext_constexpr_function_never_constant_expr
ext_init_list_type_narrowing
ext_init_list_variable_narrowing
ext_init_list_constant_narrowing
ext_out_of_line_declaration
ext_array_init_parens
ext_typecheck_addrof_temporary
ext_increment_bool
warn_non_pod_vararg_with_format_string
warn_cannot_pass_non_pod_arg_to_vararg
ext_in_class_initializer_float_type_cxx11
warn_second_parameter_to_va_arg_not_pod
warn_second_parameter_to_va_arg_ownership_qualified
warn_return_missing_expr
ext_return_missing_expr
ext_return_has_expr
ext_module_import_in_extern_c
ext_module_import_not_at_top_level_noop
warn_nullability_declspec

Many of them are extensions. I’m not aware of any specific guidelines for this.

> 
> On Mon, Feb 15, 2016 at 6:04 PM, Bob Wilson via cfe-dev <cfe-dev at lists.llvm.org> wrote:
> We’ve had a number of requests to make the format-security warning default to an error. This warning complains about a printf-like format string that is not a literal string and is used without any arguments, e.g.:
> 
> format-security.c:4:10: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>   printf(fmt);
>          ^~~
> 1 warning generated.
> 
> For background, if the format string can be controlled by external input, the security risk is that it could contain “%” characters and be used to clobber memory. The alternative is to use a fixed “%s” format, e.g., printf("%s", fmt).
> 
> This catches real-world security holes, but sometimes people don’t pay attention to warnings. Promoting this warning to an error by default would get people’s attention and help motivate them to fix their code. But, the obvious downside is that it could be disruptive. Existing code might fail to build and would either require source code fixes or build changes to specify -Wno-error=format-security.
> 
> Opinions?

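Added example, not code from this thread or from clang itself: the pattern the warning targets and the "%s" fix the original post recommends, side by side, with a small audit helper (my own, hypothetical; not a clang or libc facility) that counts what an untrusted string would do if it ever reached a format function. The vulnerable wrapper forwards its message through vsnprintf rather than calling printf(msg) directly, so the file compiles cleanly even under -Werror=format-security; the behaviour is the same, and the sample inputs are constructed here. Only "%%" is ever passed to the vulnerable path, because it consumes no argument and keeps the run well-defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the caller's text becomes the format string. A direct
 * call such as printf(msg) is what -Wformat-security reports; this wrapper
 * forwards msg to vsnprintf, so the compiler does not see a non-literal format
 * at the call site, yet every '%' in msg is still interpreted as a conversion.
 * With attacker-controlled msg, "%x" leaks stack words and "%n" writes to
 * memory. Here it is only called with "%%", which consumes no argument. */
static int vulnerable_log(char *out, size_t out_len, const char *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    int n = vsnprintf(out, out_len, msg, ap);   /* msg is the FORMAT string */
    va_end(ap);
    return n;
}

/* Hardened pattern: a literal "%s" is the format and msg is its argument, so
 * the message is copied verbatim whatever characters it contains. */
static int hardened_log(char *out, size_t out_len, const char *msg)
{
    return snprintf(out, out_len, "%s", msg);
}

/* Hypothetical audit helper (assumption: not part of clang or libc). Counts
 * the conversion specifications in an untrusted string that would consume a
 * vararg if the string were ever used as a format; "%%" is a literal percent
 * and is not counted. Sets *writes_memory when a "%n" conversion is present. */
static int audit_untrusted_format(const char *s, int *writes_memory)
{
    int dangerous = 0;
    if (writes_memory)
        *writes_memory = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": escaped percent, harmless */
            p++;
            continue;
        }
        dangerous++;
        p++;                    /* skip flags, width, precision, length modifier */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;              /* lone trailing '%': malformed, already counted */
        if (*p == 'n' && writes_memory)
            *writes_memory = 1;
    }
    return dangerous;
}

int main(void)
{
    /* Constructed sample input: a benign message that happens to contain "%%". */
    const char *msg = "100%% done";
    char buf[64];

    int n = vulnerable_log(buf, sizeof buf, msg);
    printf("vulnerable: returned %d, wrote \"%s\"\n", n, buf);   /* 9, "100% done" */

    n = hardened_log(buf, sizeof buf, msg);
    printf("hardened:   returned %d, wrote \"%s\"\n", n, buf);   /* 10, "100%% done" */

    /* Constructed attacker-style input; audited, never passed to a format function. */
    int writes = 0;
    int count = audit_untrusted_format("%x %x %n", &writes);
    printf("audit: %d argument-consuming conversions, writes memory: %s\n",
           count, writes ? "yes" : "no");                          /* 3, yes */
    return 0;
}
```

The difference in the first two lines of output is the whole bug: the vulnerable path silently rewrote the message, and with "%x" or "%n" in place of "%%" it would have read or written memory instead. Note the caveat the wrapper illustrates: -Wformat-security fires at a direct call with a non-literal format and no arguments, but a va_list wrapper hides the pattern unless the wrapper itself carries __attribute__((format(printf, 3, 4))), in which case the warning moves to the wrapper's call sites.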