[cfe-dev] RFC: default to -Werror=format-security

Craig, Ben via cfe-dev cfe-dev at lists.llvm.org
Wed Feb 17 13:10:05 PST 2016


On 2/17/2016 3:03 PM, Sean Silva via cfe-dev wrote:
> On Wed, Feb 17, 2016 at 5:27 AM, Aaron Ballman via cfe-dev 
> <cfe-dev at lists.llvm.org <mailto:cfe-dev at lists.llvm.org>> wrote:
>
>     On Wed, Feb 17, 2016 at 3:48 AM, David Chisnall
>     <David.Chisnall at cl.cam.ac.uk <mailto:David.Chisnall at cl.cam.ac.uk>>
>     wrote:
>     > On 16 Feb 2016, at 21:56, Aaron Ballman via cfe-dev
>     <cfe-dev at lists.llvm.org <mailto:cfe-dev at lists.llvm.org>> wrote:
>     >>
>     >> Sorry, but printf(fmt); is *always* a true positive in my book.
>     Same
>     >> with failing to return from all code paths. (etc)
>     >
>     > You are wrong.  The most common reason for printf(fmt) to appear
>     is that fmt is the result of doing a lookup of the locale-aware
>     version of some constant string.  In this case, the contents of
>     fmt are entirely under the control of whoever shipped the
>     application, and will have been checked for format string
>     vulnerabilities by the localisation tools (at least, assuming that
>     the original that is being translated is free from
>     vulnerabilities).  If you are not doing any caching in the
>     application, then you can mark the translation function with the
>     attribute that indicates that its input and output have the same
>     format string compatibility.  If you are caching, then there is no
>     easy way of silencing this warning.
>     >
>     > Making this an error will cause valid and correct code to fail
>     to compile and will result in people simply disabling the warning,
>     rather than checking it.
>
>     If the expected string does not have any format specifiers, then
>     printf("%s", fmt) is definitely the correct way to write that because
>     the assumption "entirely under the control of whoever shipped the
>     application" is a poor one. If it does have format specifiers, I agree
>     that we should not err, but I don't believe that was on the table.
>
>
> I think David is talking about a situation where it is e.g.
>
> printf(translate("Please enter a number from %d-%d\n"), lo, hi);
>

Note from the original post:
     "This warning complains about a printf-like format string that is 
not a literal string and is used without any arguments."
That means that 'printf(translate("Please press OK to continue"));' 
would trigger this warning (rightfully).  But the example you gave would 
not trigger the warning, as the invocation has extra 'lo' and 'hi' 
arguments.

> -- Sean Silva
>
>
>     ~Aaron
>     _______________________________________________
>     cfe-dev mailing list
>     cfe-dev at lists.llvm.org <mailto:cfe-dev at lists.llvm.org>
>     http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

-- 
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
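The three patterns the thread is arguing about, as an added example (this is not code from the thread, from Clang, or from any translation library): a looked-up message printed as the format with no arguments (the -Wformat-security case), the same message printed safely through "%s", and a translate() function carrying the format_arg attribute David Chisnall refers to so that calls with arguments stay format-checked. It also goes one step beyond the thread and shows the check a localisation tool would run: a translated string is accepted only if its sequence of conversions matches the original. The catalogue, its strings (including the deliberately mistranslated "100%" entry) and the helper names are constructed for this example.

```c
/* Added example, not code from the cfe-dev thread or from Clang.
 * Catalogue contents and helper names are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* format_arg(n): the return value is a format string with the same
 * conversions as argument n, so printf(translate("...%d"), x) is checked
 * against the literal. Portable fallback for compilers without it. */
#if defined(__GNUC__) || defined(__clang__)
#define FORMAT_ARG(n) __attribute__((format_arg(n)))
#else
#define FORMAT_ARG(n)
#endif

struct entry { const char *orig; const char *xlat; };

/* Constructed message catalogue. The last translation is deliberately
 * broken: the translator wrote "100%" where the original had "100%%". */
static const struct entry catalogue[] = {
    { "Please press OK to continue",        "Bitte OK druecken" },
    { "Please enter a number from %d-%d\n", "Zahl zwischen %d und %d eingeben\n" },
    { "Disk is 100%% full",                 "Platte ist 100% voll" },
};
#define NENTRIES (sizeof catalogue / sizeof catalogue[0])

/* Write the sequence of conversion characters of fmt into sig ("dd" for
 * "%d-%d"), adding '*' for each star width or precision; "%%" is skipped.
 * Returns false on a dangling '%' or when sig is too small. */
static bool format_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                               /* literal percent */
        /* flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') {                        /* consumes an argument */
                if (n + 1 >= siglen)
                    return false;
                sig[n++] = '*';
            }
            p++;
        }
        if (*p == '\0' || n + 1 >= siglen)
            return false;                           /* trailing '%' */
        sig[n++] = *p;
    }
    sig[n] = '\0';
    return true;
}

/* A translation is usable only if it has exactly the conversions of the
 * original; otherwise a stray '%' would read arguments the caller never
 * passed. This is the check the thread attributes to localisation tools. */
static bool translation_is_safe(const char *orig, const char *xlat)
{
    char a[32], b[32];
    return format_signature(orig, a, sizeof a)
        && format_signature(xlat, b, sizeof b)
        && strcmp(a, b) == 0;
}

/* Look up msg in the catalogue; fall back to the original when the
 * message is missing or its translation failed the check above. */
static const char *translate(const char *msg) FORMAT_ARG(1);
static const char *translate(const char *msg)
{
    for (size_t i = 0; i < NENTRIES; i++)
        if (strcmp(catalogue[i].orig, msg) == 0)
            return translation_is_safe(msg, catalogue[i].xlat)
                 ? catalogue[i].xlat : msg;
    return msg;
}

int main(void)
{
    /* Conversions present: thanks to format_arg the compiler still checks
     * that 1 and 10 match the %d-%d in the literal. Not a warning case. */
    printf(translate("Please enter a number from %d-%d\n"), 1, 10);

    /* No conversions: this is the -Wformat-security case. Pass the text as
     * data, never as the format, even though it came from our own catalogue;
     * with "%s" a broken translation is printed verbatim instead of being
     * interpreted. */
    printf("%s\n", translate("Please press OK to continue"));
    printf("%s\n", translate("Disk is 100%% full"));    /* falls back to the original */
    return 0;
}
```

Compile with -Wall -Wformat=2 to see the effect of the attribute: replacing the last two printf calls with printf(translate(...)) is what -Wformat-security flags, while the first call stays quiet because format_arg ties the result back to the literal.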

