[cfe-dev] RFC: default to -Werror=format-security

Joerg Sonnenberger via cfe-dev cfe-dev at lists.llvm.org
Fri Feb 19 07:27:04 PST 2016


On Mon, Feb 15, 2016 at 06:04:30PM -0800, Bob Wilson via cfe-dev wrote:
> We’ve had a number of requests to make the format-security warning default to an error. This warning complains about a printf-like format string that is not a literal string and is used without any arguments. E.G.:
> 
> format-security.c:4:10: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>   printf(fmt);
>          ^~~
> 1 warning generated.

While the case of argument-less format strings is quite likely to be an
error, the slightly more generic case of non-literal format string with
arguments (or va_list) does introduce a non-trivial number of false
positives. As there is no workaround not involving compiler-specific
features, that is completely unacceptable as a default error.

In my experience, even the case of argument-less format strings has a
significant FP rate, so this is even borderline for a default-on warning.
The only justification for that is IMO the presence of a standard
compliant workaround, incidentally often resulting in better code.

Joerg
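As an added illustration, not part of Joerg's or Bob's messages, here is the argument-less pattern that -Wformat-security flags beside the standard-compliant workaround Joerg refers to (a literal "%s" format with the message passed as an argument); the function names and the sample message are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Flagged by -Wformat-security: `msg` itself is the format string, so any
 * '%' it carries is parsed as a conversion with no matching argument, which
 * is undefined behaviour. It only behaves as intended when the caller can
 * guarantee msg contains no '%'. The pragma silences the warning purely so
 * this example builds under -Werror; in real code, fix the call instead. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int emit_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);
}
#pragma GCC diagnostic pop

/* Standard C workaround: a literal format, the message as a plain argument.
 * Every byte of msg, '%' included, is copied verbatim, and the compiler can
 * check the literal format against the argument list. */
int emit_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Returns 1 when msg contains a '%' directive, i.e. an input on which the
 * two functions above diverge; useful as a defensive check when auditing
 * callers of a legacy printf-style API. */
int has_directive(const char *msg)
{
    return strchr(msg, '%') != NULL;
}

int main(void)
{
    char buf[64];
    const char *msg = "100% done";      /* constructed sample input */
    emit_safe(buf, sizeof buf, msg);    /* buf is exactly "100% done" */
    printf("%s (directive present: %d)\n", buf, has_directive(msg));
    return 0;
}
```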


