format string is not a string literal

Simon Marchi simon.marchi@polymtl.ca
Thu Feb 26 00:41:00 GMT 2015


> I didn’t say it’s a bug, Andrew did.  But I agree with him.
>
> My comment (“the code is legit”) simply meant that GDB uses variable formats for obvious valid reasons (so the format can vary, being user-supplied).  Given that it’s intentional, the warning is not wanted.
>
> But that point is really applicable to printf, not vprintf.  Andrew’s point is that checking formats for vprintf is not possible because you can’t know the argument list; only in printf do you see the arguments so you can match the types.  So the bug is that format checking and complaining for non-literal formats should not be enabled at all for vprintf.  That may be a header issue rather than a compiler issue, but either way, it’s not the right thing to do.
>
>         paul

I think the warning is relevant. If you instruct the compiler that
inferior_debug takes a format string and format arguments (using a
format attribute, as mentioned by Richard in the bug report), then it
can check if the callers are doing something wrong.

In the case of inferior_debug, the attribute should be
    __attribute__((format (printf, 2, 3)))

By adding the attribute, you get nice warnings of this kind:

test.c: In function ‘main’:
test.c:17:2: warning: too many arguments for format [-Wformat-extra-args]
  inferior_debug (1, "pouet %d", 2, "hello");

If the function is vprintf-style, it's similar but the last argument
should be 0. It will push the argument check a level higher, where
eventually they are explicitely defined printf-style. The doc is
somewhere here [2] in the middle.

The warning also has some value because it will tell you if the string
originally comes from a non-literal, which should be avoided [1].

[1] http://en.wikipedia.org/wiki/Uncontrolled_format_string
[2] https://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

Simon



More information about the Gdb mailing list