a guest Mar 28th, 2020 78 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
- Check calls to "printf" and "scanf", etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified
- in the format string make sense. This includes standard functions, and others specified by format attributes, in the "printf", "scanf", "strftime" and "strfmon" (an X/Open
- extension, not in the C standard) families (or other target-specific families). Which functions are checked without format attributes having been specified depends on the
- standard version selected, and such checks of functions without the attribute specified are disabled by -ffreestanding or -fno-builtin.
- The formats are checked against the format features supported by GNU libc version 2.2. These include all ISO C90 and C99 features, as well as features from the Single Unix
- Specification and some BSD and GNU extensions. Other library implementations may not support all these features; GCC does not support warning about features that go beyond a
- particular library's limitations. However, if -Wpedantic is used with -Wformat, warnings are given about format features not in the selected standard version (but not for
- "strfmon" formats, since those are not in any version of the C standard).
- Option -Wformat is equivalent to -Wformat=1, and -Wno-format is equivalent to -Wformat=0. Since -Wformat also checks for null format arguments for several functions,
- -Wformat also implies -Wnonnull. Some aspects of this level of format checking can be disabled by the options: -Wno-format-contains-nul, -Wno-format-extra-args, and
- -Wno-format-zero-length. -Wformat is enabled by -Wall.
- If -Wformat is specified, do not warn about format strings that contain NUL bytes.
- If -Wformat is specified, do not warn about excess arguments to a "printf" or "scanf" format function. The C standard specifies that such arguments are ignored.
- Where the unused arguments lie between used arguments that are specified with $ operand number specifications, normally warnings are still given, since the implementation
- could not know what type to pass to "va_arg" to skip the unused arguments. However, in the case of "scanf" formats, this option suppresses the warning if the unused
- arguments are all pointers, since the Single Unix Specification says that such unused arguments are allowed.
- Warn about calls to formatted input/output functions such as "sprintf" and "vsprintf" that might overflow the destination buffer. When the exact number of bytes written
- by a format directive cannot be determined at compile-time it is estimated based on heuristics that depend on the level argument and on optimization. While enabling
- optimization will in most cases improve the accuracy of the warning, it may also result in false positives.
- Level 1 of -Wformat-overflow enabled by -Wformat employs a conservative approach that warns only about calls that most likely overflow the buffer. At this level,
- numeric arguments to format directives with unknown values are assumed to have the value of one, and strings of unknown length to be empty. Numeric arguments that are
- known to be bounded to a subrange of their type, or string arguments whose output is bounded either by their directive's precision or by a finite set of string
- literals, are assumed to take on the value within the range that results in the most bytes on output. For example, the call to "sprintf" below is diagnosed because
- even with both a and b equal to zero, the terminating NUL character ('\0') appended by the function to the destination buffer will be written past its end. Increasing
- the size of the buffer by a single byte is sufficient to avoid the warning, though it may not be sufficient to avoid the overflow.
- void f (int a, int b)
- char buf ;
- sprintf (buf, "a = %i, b = %i\n", a, b);
- Level 2 warns also about calls that might overflow the destination buffer given an argument of sufficient length or magnitude. At level 2, unknown numeric arguments
- are assumed to have the minimum representable value for signed types with a precision greater than 1, and the maximum representable value otherwise. Unknown string
- arguments whose length cannot be assumed to be bounded either by the directive's precision, or by a finite set of string literals they may evaluate to, or the
- character array they may point to, are assumed to be 1 character long.
- At level 2, the call in the example above is again diagnosed, but this time because with a equal to a 32-bit "INT_MIN" the first %i directive will write some of its
- digits beyond the end of the destination buffer. To make the call safe regardless of the values of the two variables, the size of the destination buffer must be
- increased to at least 34 bytes. GCC includes the minimum size of the buffer in an informational note following the warning.
- An alternative to increasing the size of the destination buffer is to constrain the range of formatted values. The maximum length of string arguments can be bounded
- by specifying the precision in the format directive. When numeric arguments of format directives can be assumed to be bounded by less than the precision of their
- type, choosing an appropriate length modifier to the format specifier will reduce the required buffer size. For example, if a and b in the example above can be
- assumed to be within the precision of the "short int" type then using either the %hi format directive or casting the argument to "short" reduces the maximum required
- size of the buffer to 24 bytes.
- void f (int a, int b)
- char buf ;
- sprintf (buf, "a = %hi, b = %i\n", a, (short)b);
RAW Paste Data