This is the mail archive of the
mailing list for the GDB project.
Re: format string is not a string literal
- From: Jack Howarth <howarth dot mailing dot lists at gmail dot com>
- To: pinskia at gmail dot com
- Cc: Simon Marchi <simon dot marchi at polymtl dot ca>, "Paul_Koning at dell dot com" <Paul_Koning at dell dot com>, "gdb at sourceware dot org" <gdb at sourceware dot org>
- Date: Wed, 25 Feb 2015 19:41:06 -0500
- Subject: Re: format string is not a string literal
- Authentication-results: sourceware.org; auth=none
- References: <CADtEn-1ZT1uznxPzQxr_nBQya1AVrNLyE+ZSDmm2x_ux8qyzUQ at mail dot gmail dot com> <0AB56024-875B-4724-8ED2-A9DDB237CBFF at dell dot com> <CADtEn-0txdtq6x6dAZZ5wew-VOvYU28fueT_kJ2cx7=H0=vdPg at mail dot gmail dot com> <23CC7871-C616-436C-920C-4A635DC87189 at dell dot com> <CAFXXi0=56gNf2GoSKkrx=bRArhjk+AhSbiu0crpdR3=df7B2BQ at mail dot gmail dot com> <7A311B56-C424-4C4F-A0E4-B12B65131745 at gmail dot com>
See the additional comments from the llvm.org clang developers at...
On Wed, Feb 25, 2015 at 7:12 PM, <firstname.lastname@example.org> wrote:
> On Feb 25, 2015, at 4:05 PM, Simon Marchi <email@example.com> wrote:
>>> I didnât say itâs a bug, Andrew did. But I agree with him.
>>> My comment (âthe code is legitâ) simply meant that GDB uses variable formats for obvious valid reasons (so the format can vary, being user-supplied). Given that itâs intentional, the warning is not wanted.
>>> But that point is really applicable to printf, not vprintf. Andrewâs point is that checking formats for vprintf is not possible because you canât know the argument list; only in printf do you see the arguments so you can match the types. So the bug is that format checking and complaining for non-literal formats should not be enabled at all for vprintf. That may be a header issue rather than a compiler issue, but either way, itâs not the right thing to do.
>> I think the warning is relevant. If you instruct the compiler that
>> inferior_debug takes a format string and format arguments (using a
>> format attribute, as mentioned by Richard in the bug report), then it
>> can check if the callers are doing something wrong.
>> In the case of inferior_debug, the attribute should be
>> __attribute__((format (printf, 2, 3)))
>> By adding the attribute, you get nice warnings of this kind:
>> test.c: In function âmainâ:
>> test.c:17:2: warning: too many arguments for format [-Wformat-extra-args]
>> inferior_debug (1, "pouet %d", 2, "hello");
>> If the function is vprintf-style, it's similar but the last argument
>> should be 0. It will push the argument check a level higher, where
>> eventually they are explicitely defined printf-style. The doc is
>> somewhere here  in the middle.
> Then clang's warning should suggest putting the format attribute on that function rather than giving out a warning that seems like it is a bogus one.
> Gcc does that iirc why not clang.
>> The warning also has some value because it will tell you if the string
>> originally comes from a non-literal, which should be avoided .
>>  http://en.wikipedia.org/wiki/Uncontrolled_format_string
>>  https://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html