<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/126389>126389</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            `-Wformat-security` false-positive in consteval functions
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            false-positive
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          vvd170501
      </td>
    </tr>
</table>

<pre>
Reproducer:

```cpp
void FormatFunc(const char* format, ...) __attribute__((__format__(__printf__, 1, 2)));

consteval void Foo() {
    if (false) {
        FormatFunc("test");  // error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
    }
}

constexpr void Bar() {
    if (false) {
        FormatFunc("test");  // ok in constexpr
    }
}

consteval void Baz() {
    if (false) {
        FormatFunc("%s", "test");  // Adding a second arg somehow fixes the warning
    }
}
```

The warning is present in clang trunk (https://godbolt.org/z/PxqzfE1W7) and in all recent versions of clang (I checked clang16-clang19).

<details><summary>A more realistic example:</summary>

```cpp
[[noreturn]] void Panic(const char* format, ...) noexcept __attribute__((__format__(__printf__, 1, 2)));

// assert()-like macro which allows adding description to failure message
#define FANCY_ASSERT(x, ...)    \
    if (!(x)) { \
        Panic(" " __VA_ARGS__);   \
    }

constexpr int NonZeroConstexpr(int x) {
    FANCY_ASSERT(x);
    return x;
}

constexpr int x1 = NonZeroConstexpr(1);  // ok
// constexpr int x2 = NonZeroConstexpr(0);  // error - Panic(...) is not constexpr

// Same, but with consteval
consteval int NonZeroConsteval(int x) {
    FANCY_ASSERT(x);  // error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
    return x;
}
```

</details>
</pre>