<div dir="ltr">I've just noticed that there's no warning when printf has more than one argument, is this a bug?</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 17, 2016 at 9:47 AM, Craig, Ben via cfe-dev <span dir="ltr"><<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">As a note on this, I'm only mildly in favor of making this an error by default. The points raised by Nico are good, though they haven't convinced me to abandon the cause entirely :). I won't be super upset if we keep this a warning.<br>
<br>
Regardless of the default-ness of this particular issue, I would really love to see a fixit for the trivial "printf(fmt);" case.<div class="HOEnZb"><div class="h5"><br>
<br>
On 2/16/2016 3:56 PM, Aaron Ballman wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, Feb 16, 2016 at 4:26 PM, Nico Weber <<a href="mailto:thakis@chromium.org" target="_blank">thakis@chromium.org</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, Feb 16, 2016 at 3:59 PM, Aaron Ballman <<a href="mailto:aaron@aaronballman.com" target="_blank">aaron@aaronballman.com</a>><br>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, Feb 16, 2016 at 3:44 PM, Nico Weber via cfe-dev<br>
<<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, Feb 16, 2016 at 12:22 PM, Craig, Ben <<a href="mailto:ben.craig@codeaurora.org" target="_blank">ben.craig@codeaurora.org</a>><br>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On 2/16/2016 1:18 PM, Nico Weber via cfe-dev wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Won't this line of reasoning lead to all useful warnings being in<br>
-Werror<br>
eventually? Say, forgetting a return statement in a function is also<br>
"just"<br>
a warning...<br>
</blockquote>
<br>
Not all of them :)<br>
<br>
Visual Studio groups warnings into big warning level buckets. Level 1<br>
has<br>
the most important / severe (obvious use of uninitialized value), level<br>
4<br>
has fairly minor warnings (unused parameter), and /Weverything will<br>
tell you<br>
about really useless stuff (warning! you just used __declspec(align)!<br>
). I<br>
could imagine a world where the "Level 1", and maybe "Level 2" warnings<br>
were<br>
errors by default.<br>
</blockquote>
<br>
We have this too: on-by-default warnings, -Wall, -Wextra, -Weverything.<br>
I<br>
don't think we should turn on-by-default warnings into errors.<br>
</blockquote>
We already do (in fact, we have over two dozen that we turn on,<br>
according to the list posted earlier in the thread).<br>
</blockquote>
<br>
But that's for things that are supposed to be errors but can't be due to<br>
system headers, not the other way round.<br>
</blockquote>
Fair point.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
We should make it harder to compile broken code, and easier to write<br>
correct code. We can't change it all at once without angering the<br>
world<br>
though :)<br>
</blockquote>
<br>
People who don't like writing broken code don't ignore warnings. People<br>
who<br>
do like writing broken code will just pass -Wno-error. I don't think<br>
this<br>
proposal helps either party.<br>
</blockquote>
I think there's a reasonable distinction between "this code may not do<br>
what you expect" and "this code may not do what you expect, and is<br>
likely to result in security vulnerabilities."<br>
</blockquote>
<br>
"may not be what you expect" can always be a security vulnerability – think<br>
of -Wfor-loop-analysis, -Wunreachable, etc. We have warnings with much<br>
higher true positive rate than -Wformat-security.<br>
</blockquote>
Sorry, but printf(fmt); is *always* a true positive in my book. Same<br>
with failing to return from all code paths. (etc)<br>
<br>
I do hear what you are saying and am not suggesting we should go about<br>
this in a shotgun fashion. Each warning would require careful thought,<br>
and possibly also require alterations to the diagnostic before turning<br>
it into something that is an error by default.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If someone elects to<br>
turn on -Wno-error to get their insecure code to compile, there's<br>
basically no help for them. But for projects that don't compile<br>
particularly cleanly (so security-related diagnostics get lost in the<br>
noise)<br>
</blockquote>
<br>
If our default warning set is too noisy, that's a bug. Every on-by-default<br>
warning should be super useful -- that's the bar for on-by-default warnings.<br>
</blockquote>
Super useful doesn't mean "is actually fixed by the developer." I have<br>
been on projects that have a significant number of super useful<br>
diagnostics that live in the source for *years* because of the sheer<br>
quantity of diagnostics. When attempting to improve those kinds of<br>
projects, they would get serious benefit from the notion of "some<br>
diagnostics are more important than others." In fact, one such project<br>
like that used Visual Studio's warning levels to do exactly that.<br>
Unfortunately, clang has no such mechanism -- this sounds like a<br>
proposal to add one. Perhaps the discussion should not be "warning vs<br>
error" but instead about warning levels or some other mechanism to<br>
call out the severity of a diagnostic. I want to get some utilities in<br>
place that help existing code bases that are diagnostic-heavy get<br>
security-related warnings under control.<br>
<br>
~Aaron<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
, being alerted, "no, really, this is bad" will definitely help<br>
*some* programmers. I am interested in alerting people who might be<br>
willing to fix security vulnerabilities in their code. I'm unconcerned<br>
about people who will go to any lengths to get their code to compile<br>
without actually fixing their code when it comes to security concerns.<br>
<br>
~Aaron<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
--<br>
Employee of Qualcomm Innovation Center, Inc.<br>
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a<br>
Linux<br>
Foundation Collaborative Project<br>
<br>
</blockquote>
<br>
_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
<br>
</blockquote></blockquote>
<br>
</blockquote></blockquote>
<br>
-- <br>
Employee of Qualcomm Innovation Center, Inc.<br>
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project<br>
<br>
_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
</div></div></blockquote></div><br></div>