[cfe-commits] [Patch] Warn about non-standard format strings (PR12017)

Nico Weber thakis at chromium.org
Mon Feb 20 12:13:27 PST 2012


On Mon, Feb 20, 2012 at 12:05 PM, Ted Kremenek <kremenek at apple.com> wrote:
> On Feb 20, 2012, at 11:51 AM, Joerg Sonnenberger <joerg at britannica.bec.de>
> wrote:
>
> The default behavior for -Wformat would be "check that the format string
> is standard compliant". I think that's a perfectively sane default and
> if someone wants to use non-standard format extensions, clang tells them
> how to get them.
>
>
> There's "non-standard" and then there's completely unportable.  Warnings
> like:
>
> +  // Combining 'L' with an integer conversion specifier.
> +  printf("%Li", (long long)42); // expected-warning{{using the length
> modifier 'L' with the conversion specifier 'i' is non-standard}}
> +  printf("%Lo", (long long)42); // expected-warning{{using the length
> modifier 'L' with the conversion specifier 'o' is non-standard}}
>
> are likely going to just irritate people.  What's the value in that?
>
> I don't think that the average piece of code written
> nowadays will only ever run on glibc-Linux / *BSD / Mac OSX or any other
> single platform. I do know that the GCC behavior of silently accepting
> them has created hidden bugs.
>
>
> I agree with you that permissive checking is allowing bugs to creep in.
>  There's no disagreement here.
>
> I still think that (presently) having no good solution to handling
> non-portable format string specifiers doesn't mean we should just
> unconditionally warn about them.  Consider '%S' and and '%C'.  For OS X
> developers, it may be perfectly reasonable to use those, especially if they
> aren't using printf (there are other printf-like APIs on OS X).  Should we
> just penalize those developers, who are intentionally writing non-portable
> code?  I'll admit I'm a bit torn here, but I do know if we just started
> warning about these without any more intelligence on Clang's part to try and
> just warn when it makes sense the push back I'd receive from OS X developers
> would be significant.

The format checker knows if a string is an objc string literal – it
already does something different for %S and %C in objc string literals
(where these mean unichar) than in c string literals (where these mean
wchar_t, which is usually utf32). So it's possible to have different
defaults for C string literals and objc string literals.

Nico




More information about the cfe-commits mailing list