[PATCH] D35068: [analyzer] Detect usages of unsafe I/O functions
Kristóf Umann via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Thu Jan 17 10:07:39 PST 2019
Szelethus added inline comments.
================
Comment at: test/Analysis/security-syntax-checks.m:253
+ FILE *file;
+ sprintf(buf, "a"); // expected-warning{{Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11}}
+ scanf("%d", &a); // expected-warning{{Call to function 'scanf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'scanf_s' in case of C11}}
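Review bot: The diagnostic text expected on the `sprintf` and `scanf` lines reads "functions that support length arguments or provides boundary checks"; "provides" should be "provide" to agree with "functions". The same message recommends 'sprintf_s' and 'scanf_s' "in case of C11", but those functions belong to the optional Annex K of C11, so the wording should say that they are only available where the implementation provides Annex K.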
----------------
Szelethus wrote:
> When using `{{}}`, you actually supply a regex as an argument, and the output of the analyzer is matched against it. My point is, could you instead just write
> ```
> // expected-warning{{Call to function 'sprintf' is insecure}}
> ```
> to improve readability?
Or whatever the shortest string is that's needed to know whether the expected output is there.
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D35068/new/
https://reviews.llvm.org/D35068