[LLVMbugs] [Bug 11608] New: -Wformat-security false positive with literal string + offset

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Sun Dec 18 09:20:50 PST 2011


             Bug #: 11608
           Summary: -Wformat-security false positive with literal string + offset
           Product: clang
           Version: trunk
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: -New Bugs
        AssignedTo: unassignedclangbugs at nondot.org
        ReportedBy: dimitry at andric.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

In a bit of older code that I am running through clang, to clean out
warnings, I encountered the following rather tricky construction (which is
still valid C):

#include <stdio.h>

void foo(void)
{
  int noquotes = 2;
  /* offset into the literal: 0 keeps the leading quote, 2 skips it */
  printf("\" hello world" + noquotes);
}

Of course in the original program, noquotes could be either 0 or 2, so
quotes before the string would either be printed or not.

However, clang always warns about it, as follows:

literal.c:6:10: warning: format string is not a string literal (potentially
insecure) [-Wformat-security]
  printf("\" hello world" + noquotes);

Somebody pointed out to me that a string literal plus an offset is still
a string literal, so this is a false positive.
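As an added example (not part of the report), the same output written so that the format argument stays an unshifted literal and the offset text is passed through %s; the function and buffer names are assumed, and the bounds check covers an offset past the end of the literal, which the original construction does not guard against.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the bug report's own code. The message text is the
 * report's; the function and buffer names are assumed. */
static const char GREETING[] = "\" hello world";

/* Same output as printf("\" hello world" + noquotes), but the format
 * argument is the plain literal "%s", so -Wformat-security has nothing
 * to flag and a '%' inside the shifted text is printed, never
 * interpreted as a directive. Returns the number of characters written,
 * or -1 when the offset would point past the end of the literal or the
 * output would be truncated. */
int greet_offset(char *out, size_t out_size, int noquotes)
{
    size_t len = strlen(GREETING);
    if (noquotes < 0 || (size_t)noquotes > len)
        return -1;                      /* offset outside the literal */
    int n = snprintf(out, out_size, "%s", GREETING + noquotes);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* Convenience check: does greet_offset(noquotes) yield `expected`? */
int greet_equals(int noquotes, const char *expected)
{
    char buf[32];
    if (greet_offset(buf, sizeof buf, noquotes) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[32];
    if (greet_offset(buf, sizeof buf, 0) >= 0)
        puts(buf);   /* prints: " hello world */
    if (greet_offset(buf, sizeof buf, 2) >= 0)
        puts(buf);   /* prints: hello world */
    return 0;
}
```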
