implement -Wformat-security properly, which is enabled by default.

This enables one specific class of non-literal format warnings. llvm-svn: 70368
2009-04-29 04:59:47 +00:00 · 2009-04-29 04:59:47 +00:00 · cc5d1c2e4e
parent e009a881ea
commit cc5d1c2e4e
4 changed files with 27 additions and 5 deletions
--- a/clang/include/clang/Basic/DiagnosticGroups.td
+++ b/clang/include/clang/Basic/DiagnosticGroups.td
@ -35,8 +35,8 @@ def ExtraTokens : DiagGroup<"extra-tokens">;
 def FormatExtraArgs : DiagGroup<"format-extra-args">;

 def Format : DiagGroup<"format", [FormatExtraArgs]>;
-def FormatNonLiteral : DiagGroup<"format-nonliteral", [Format]>;
 def FormatSecurity : DiagGroup<"format-security", [Format]>;
+def FormatNonLiteral : DiagGroup<"format-nonliteral", [FormatSecurity]>;
 def FormatY2K : DiagGroup<"format-y2k", [Format]>;
 def Format2 : DiagGroup<"format=2",
                        [FormatNonLiteral, FormatSecurity, FormatY2K]>;
--- a/clang/include/clang/Basic/DiagnosticSemaKinds.td
+++ b/clang/include/clang/Basic/DiagnosticSemaKinds.td
@ -1057,8 +1057,11 @@ def err_builtin_direct_init_more_than_one_arg : Error<
  "initializer of a builtin type can only take one argument">;
 def err_value_init_for_array_type : Error<
  "array types cannot be value-initialized">;
-def warn_printf_not_string_constant : Warning<
+def warn_printf_nonliteral_noargs : Warning<
  "format string is not a string literal (potentially insecure)">,
+  InGroup<FormatSecurity>;
+def warn_printf_nonliteral : Warning<
+  "format string is not a string literal">,
  InGroup<FormatNonLiteral>, DefaultIgnore;

 def err_unexpected_interface : Error<
--- a/clang/lib/Sema/SemaChecking.cpp
+++ b/clang/lib/Sema/SemaChecking.cpp
@ -604,9 +604,16 @@ Sema::CheckPrintfArguments(const CallExpr *TheCall, bool HasVAListArg,
      if (isa<ParmVarDecl>(DR->getDecl()))
        return;

-  Diag(TheCall->getArg(format_idx)->getLocStart(), 
-       diag::warn_printf_not_string_constant)
-       << OrigFormatExpr->getSourceRange();
+  // If there are no arguments specified, warn with -Wformat-security, otherwise
+  // warn only with -Wformat-nonliteral.
+  if (TheCall->getNumArgs() == format_idx+1)
+    Diag(TheCall->getArg(format_idx)->getLocStart(), 
+         diag::warn_printf_nonliteral_noargs)
+      << OrigFormatExpr->getSourceRange();
+  else
+    Diag(TheCall->getArg(format_idx)->getLocStart(), 
+         diag::warn_printf_nonliteral)
+           << OrigFormatExpr->getSourceRange();
 }

 void Sema::CheckPrintfString(const StringLiteral *FExpr,
--- a/clang/test/Sema/format-strings.c
+++ b/clang/test/Sema/format-strings.c
@ -113,3 +113,15 @@ void test_constant_bindings(void) {
  printf(s4); // expected-warning{{not a string literal}}
  printf(s5); // expected-warning{{not a string literal}}
 }
+
+
+// Test what happens when -Wformat-security only.
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
+#pragma GCC diagnostic warning "-Wformat-security"
+
+void test9(char *P) {
+  int x;
+  printf(P);   // expected-warning {{format string is not a string literal (potentially insecure)}}
+  printf(P, 42);
+  printf("%n", &x); // expected-warning {{use of '%n' in format string discouraged }}
+}