[cfe-dev] RFC: default to -Werror=format-security

Aaron Ballman via cfe-dev cfe-dev at lists.llvm.org
Wed Feb 17 05:27:11 PST 2016


On Wed, Feb 17, 2016 at 3:48 AM, David Chisnall
<David.Chisnall at cl.cam.ac.uk> wrote:
> On 16 Feb 2016, at 21:56, Aaron Ballman via cfe-dev <cfe-dev at lists.llvm.org> wrote:
>>
>> Sorry, but printf(fmt); is *always* a true positive in my book. Same
>> with failing to return from all code paths. (etc)
>
> You are wrong.  The most common reason for printf(fmt) to appear is that fmt is the result of doing a lookup of the locale-aware version of some constant string.  In this case, the contents of fmt is entirely under the control of whoever shipped the application, and will have been checked for format string vulnerabilities by the localisation tools (at least, assuming that the original that is being translated are free from vulnerabilities).  If you are not doing any caching in the application, then you can mark the translation function with the attribute that indicates that its input and output have the same format string compatibility.  If you are caching, then there is no easy way of silencing this warning.
>
> Making this an error will cause valid and correct code to fail to compile and will result in people simply disabling the warning, rather than checking it.

If the expected string does not have any format specifiers, then
printf("%s", fmt) is definitely the correct way to write that because
the assumption "entirely under the control of whoever shipped the
application" is a poor one. If it does have format specifiers, I agree
that we should not err, but I don't believe that was on the table.

~Aaron



More information about the cfe-dev mailing list