
Untitled

a guest
Mar 28th, 2020
-Wformat
-Wformat=n
Check calls to "printf" and "scanf", etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified in the format string make sense. This includes standard functions, and others specified by format attributes, in the "printf", "scanf", "strftime" and "strfmon" (an X/Open extension, not in the C standard) families (or other target-specific families). Which functions are checked without format attributes having been specified depends on the standard version selected, and such checks of functions without the attribute specified are disabled by -ffreestanding or -fno-builtin.

The formats are checked against the format features supported by GNU libc version 2.2. These include all ISO C90 and C99 features, as well as features from the Single Unix Specification and some BSD and GNU extensions. Other library implementations may not support all these features; GCC does not support warning about features that go beyond a particular library's limitations. However, if -Wpedantic is used with -Wformat, warnings are given about format features not in the selected standard version (but not for "strfmon" formats, since those are not in any version of the C standard).

-Wformat=1
-Wformat
Option -Wformat is equivalent to -Wformat=1, and -Wno-format is equivalent to -Wformat=0. Since -Wformat also checks for null format arguments for several functions, -Wformat also implies -Wnonnull. Some aspects of this level of format checking can be disabled by the options: -Wno-format-contains-nul, -Wno-format-extra-args, and -Wno-format-zero-length. -Wformat is enabled by -Wall.

-Wno-format-contains-nul
If -Wformat is specified, do not warn about format strings that contain NUL bytes.

-Wno-format-extra-args
If -Wformat is specified, do not warn about excess arguments to a "printf" or "scanf" format function. The C standard specifies that such arguments are ignored.

Where the unused arguments lie between used arguments that are specified with $ operand number specifications, normally warnings are still given, since the implementation could not know what type to pass to "va_arg" to skip the unused arguments. However, in the case of "scanf" formats, this option suppresses the warning if the unused arguments are all pointers, since the Single Unix Specification says that such unused arguments are allowed.

-Wformat-overflow
-Wformat-overflow=level
Warn about calls to formatted input/output functions such as "sprintf" and "vsprintf" that might overflow the destination buffer. When the exact number of bytes written by a format directive cannot be determined at compile-time it is estimated based on heuristics that depend on the level argument and on optimization. While enabling optimization will in most cases improve the accuracy of the warning, it may also result in false positives.

-Wformat-overflow
-Wformat-overflow=1
Level 1 of -Wformat-overflow enabled by -Wformat employs a conservative approach that warns only about calls that most likely overflow the buffer. At this level, numeric arguments to format directives with unknown values are assumed to have the value of one, and strings of unknown length to be empty. Numeric arguments that are known to be bounded to a subrange of their type, or string arguments whose output is bounded either by their directive's precision or by a finite set of string literals, are assumed to take on the value within the range that results in the most bytes on output. For example, the call to "sprintf" below is diagnosed because even with both a and b equal to zero, the terminating NUL character ('\0') appended by the function to the destination buffer will be written past its end. Increasing the size of the buffer by a single byte is sufficient to avoid the warning, though it may not be sufficient to avoid the overflow.

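    #include <stdio.h>

    void f (int a, int b)
    {
      /* 13 bytes: "a = 0, b = 0\n" is already 13 characters, so the terminating NUL lands past the end. */
      char buf [13];
      sprintf (buf, "a = %i, b = %i\n", a, b);
    }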

-Wformat-overflow=2
Level 2 warns also about calls that might overflow the destination buffer given an argument of sufficient length or magnitude. At level 2, unknown numeric arguments are assumed to have the minimum representable value for signed types with a precision greater than 1, and the maximum representable value otherwise. Unknown string arguments whose length cannot be assumed to be bounded either by the directive's precision, or by a finite set of string literals they may evaluate to, or the character array they may point to, are assumed to be 1 character long.

At level 2, the call in the example above is again diagnosed, but this time because with a equal to a 32-bit "INT_MIN" the first %i directive will write some of its digits beyond the end of the destination buffer. To make the call safe regardless of the values of the two variables, the size of the destination buffer must be increased to at least 34 bytes. GCC includes the minimum size of the buffer in an informational note following the warning.

An alternative to increasing the size of the destination buffer is to constrain the range of formatted values. The maximum length of string arguments can be bounded by specifying the precision in the format directive. When numeric arguments of format directives can be assumed to be bounded by less than the precision of their type, choosing an appropriate length modifier to the format specifier will reduce the required buffer size. For example, if a and b in the example above can be assumed to be within the precision of the "short int" type then using either the %hi format directive or casting the argument to "short" reduces the maximum required size of the buffer to 24 bytes.

    #include <stdio.h>

    void f (int a, int b)
    {
      /* 24 bytes: the maximum required size given above once both values are limited to short. */
      char buf [24];
      sprintf (buf, "a = %hi, b = %i\n", a, (short)b);
    }
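
Added example, not part of the GCC documentation quoted above: it measures at run time the buffer sizes the text discusses for the "a = %i, b = %i\n" format, and shows a bounded snprintf call that reports truncation instead of overflowing. It assumes a 32-bit int and a 16-bit short; bytes_needed, bytes_needed_short and format_pair are hypothetical names.

```c
#include <limits.h>
#include <stdio.h>

/* Bytes, including the terminating NUL, needed to format the page's
   "a = %i, b = %i\n" for the given values. snprintf with a zero-size
   buffer writes nothing and returns the length the output would have. */
static int bytes_needed(int a, int b)
{
    return snprintf(NULL, 0, "a = %i, b = %i\n", a, b) + 1;
}

/* Same measurement with both arguments narrowed to short (%hi). */
static int bytes_needed_short(short a, short b)
{
    return snprintf(NULL, 0, "a = %hi, b = %hi\n", a, b) + 1;
}

/* Bounded replacement for the sprintf call. Returns 0 on success and
   -1 if formatting failed or the output did not fit, in which case
   buf holds a truncated, NUL-terminated string (when size > 0). */
static int format_pair(char *buf, size_t size, int a, int b)
{
    int n = snprintf(buf, size, "a = %i, b = %i\n", a, b);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    char small_buf[13];   /* size used in the page's first example */
    char large_buf[34];   /* size the page gives for the level 2 case */

    printf("a = b = 0:        %d bytes\n", bytes_needed(0, 0));
    printf("a = b = INT_MIN:  %d bytes\n", bytes_needed(INT_MIN, INT_MIN));
    printf("a = b = SHRT_MIN: %d bytes\n",
           bytes_needed_short(SHRT_MIN, SHRT_MIN));
    printf("13-byte buffer, zeros:   %d\n",
           format_pair(small_buf, sizeof small_buf, 0, 0));
    printf("34-byte buffer, INT_MIN: %d\n",
           format_pair(large_buf, sizeof large_buf, INT_MIN, INT_MIN));
    return 0;
}
```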