<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">This sounds reasonable to me. Thanks for all the feedback.<div class=""><br class=""></div><div class="">I’m testing a patch to add a fix-it and I found some other things to clean up related to this.</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 17, 2016, at 3:25 PM, Nico Weber via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" class="">cfe-dev@lists.llvm.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Let me attempt a summary here:<div class=""><br class=""></div><div class="">* For the specific warning, it sounds like making it more useful (give it a fixit, improve error text -- see the bug that was just linked to, etc) will likely make people pay more attention to it</div><div class="">* It sounds like a "warning level" concept is considered useful by some since there's too much stuff on by default (?) and the jump from "default warnings" to "-Wall" is too big. From what I gathered, people want something more granular than default, -wall, -wextra, but something less granular than turning individual groups on and off.</div><div class="">* Some people think it might make sense to turn on warnings-as-errors for lower warning levels.</div><div class="">* But that's contested, and it's also not clear if -Wformat-security would be in a low warning level category.</div><div class=""><br class=""></div><div class="">So I think the consensus to the question in the original post is what Reid said ("My feeling is that we shouldn't do this in upstream clang. 
[...]<span style="font-size:12.8px" class=""> think it's totally reasonable for vendors to want to make this default to an error, though</span>").</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Feb 17, 2016 at 3:04 PM, Alexander Riccio via cfe-dev <span dir="ltr" class=""><<a href="mailto:cfe-dev@lists.llvm.org" target="_blank" class="">cfe-dev@lists.llvm.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
    
  
  <div text="#000000" bgcolor="#ffffff" class=""><div class=""><div style="font-family:Calibri,sans-serif;font-size:11pt" class="">I think the recent bug I opened up is pertinent, as it's not clearly (for some people, like me) bad code at fault:<br class=""><br class=""><a href="https://llvm.org/bugs/show_bug.cgi?id=26643" target="_blank" class="">https://llvm.org/bugs/show_bug.cgi?id=26643</a><br class=""><br class="">sent from my (stupid) windows phone</div></div><div dir="ltr" class=""><hr class=""><span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">From: </span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:cfe-dev@lists.llvm.org" target="_blank" class="">Craig, Ben via cfe-dev</a></span><br class=""><span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Sent: </span><span style="font-family:Calibri,sans-serif;font-size:11pt" class="">2/17/2016 4:10 PM</span><br class=""><span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">To: </span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:chisophugis@gmail.com" target="_blank" class="">Sean Silva</a>; <a href="mailto:aaron@aaronballman.com" target="_blank" class="">Aaron Ballman</a></span><br class=""><span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Cc: </span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:cfe-dev@lists.llvm.org" target="_blank" class="">cfe-dev</a></span><br class=""><span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Subject: </span><span style="font-family:Calibri,sans-serif;font-size:11pt" class="">Re: [cfe-dev] RFC: default to -Werror=format-security</span><br class=""><br class=""></div><div class=""><div class="h5">
    On 2/17/2016 3:03 PM, Sean Silva via cfe-dev wrote:<br class="">
    <blockquote type="cite" class="">
      <div dir="ltr" class="">On Wed, Feb 17, 2016 at 5:27 AM, Aaron Ballman via
        cfe-dev <span dir="ltr" class=""><<a href="mailto:cfe-dev@lists.llvm.org" target="_blank" class="">cfe-dev@lists.llvm.org</a>></span>
        wrote:<br class="">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><span class="">On Wed, Feb 17, 2016 at 3:48 AM, David Chisnall<br class="">
                <<a href="mailto:David.Chisnall@cl.cam.ac.uk" target="_blank" class="">David.Chisnall@cl.cam.ac.uk</a>>
                wrote:<br class="">
                > On 16 Feb 2016, at 21:56, Aaron Ballman via cfe-dev
                <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank" class="">cfe-dev@lists.llvm.org</a>>
                wrote:<br class="">
                >><br class="">
                >> Sorry, but printf(fmt); is *always* a true
                positive in my book. Same<br class="">
                >> with failing to return from all code paths.
                (etc)<br class="">
                ><br class="">
                > You are wrong.  The most common reason for
                printf(fmt) to appear is that fmt is the result of doing
                a lookup of the locale-aware version of some constant
                string.  In this case, the contents of fmt is entirely
                under the control of whoever shipped the application,
                and will have been checked for format string
                vulnerabilities by the localisation tools (at least,
                assuming that the original that is being translated are
                free from vulnerabilities).  If you are not doing any
                caching in the application, then you can mark the
                translation function with the attribute that indicates
                that its input and output have the same format string
                compatibility.  If you are caching, then there is no
                easy way of silencing this warning.<br class="">
                ><br class="">
                > Making this an error will cause valid and correct
                code to fail to compile and will result in people simply
                disabling the warning, rather than checking it.<br class="">
                <br class="">
              </span>If the expected string does not have any format
              specifiers, then<br class="">
              printf("%s", fmt) is definitely the correct way to write
              that because<br class="">
              the assumption "entirely under the control of whoever
              shipped the<br class="">
              application" is a poor one. If it does have format
              specifiers, I agree<br class="">
              that we should not err, but I don't believe that was on
              the table.<br class="">
            </blockquote>
            <div class=""><br class="">
            </div>
            <div class="">I think David is talking about a situation where it is
              e.g.</div>
            <div class=""><br class="">
            </div>
            <div class="">printf(translate("Please enter a number from %d-%d\n"),
              lo, hi);</div>
            <div class=""><br class="">
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br class="">
    Note from the original post:<br class="">
        "This warning complains about a printf-like format string that
    is not a literal string and is used without any arguments."<br class="">
    That means that 'printf(translate("Please press OK to continue"));'
    would trigger this warning (rightfully).  But the example you gave
    would not trigger the warning, as the invocation has extra 'lo' and
    'hi' arguments.<br class="">
    <br class="">
    <blockquote type="cite" class="">
      <div dir="ltr" class="">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div class="">-- Sean Silva</div>
            <div class=""> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><br class="">
              ~Aaron<br class="">
              <div class="">
                <div class="">_______________________________________________<br class="">
                  cfe-dev mailing list<br class="">
                  <a href="mailto:cfe-dev@lists.llvm.org" target="_blank" class="">cfe-dev@lists.llvm.org</a><br class="">
                  <a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank" class="">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br class="">
                </div>
              </div>
            </blockquote>
          </div>
          <br class="">
        </div>
      </div>
      <br class="">
    </blockquote>
    <br class="">
    <pre cols="72" class="">-- 
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
</pre>
  

</div></div></div><br class="">
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>