This is an archive of the discontinued LLVM Phabricator instance.

Differential D112927

[libc++] Enable -Wformat-nonliteral when building libc++
ClosedPublic

Authored by ldionne on Nov 1 2021, 7:06 AM.

Details

Reviewers
Quuxplusone
Group Reviewers
Restricted Project
Commits
rGa4ba78051051: [libc++] Enable -Wformat-nonliteral when building libc++
Summary

Using user-provided data as a format string is a well known source of
security vulnerabilities. For this reason, it is a good idea to compile
our code with -Wformat-nonliteral, which basically warns if a non-constant
string is used as a format specifier. This is the compiler’s best signal
that a format string call may be insecure.

I audited the code after adding the warning and made sure that the few
places where we used a non-literal string as a format string were not
potential security issues. I disabled the warning locally for those
instances. The idea is that after we add the warning to the build, any
new use of a non-literal string in a format string will trigger a
diagnostic, and we can either get rid of it or disable the warning
locally, which is a way of acknowledging that it has been audited.

I also looked into enabling it in the test suite, which would perhaps
allow finding additional instances of it in our headers, however that
is not possible at the moment because Clang doesn't support putting
attribute((format(...))) on variadic templates, which would
be needed.

rdar://84571685

Diff Detail

Event Timeline

ldionne created this revision.Nov 1 2021, 7:06 AM
Herald added a subscriber: mgorny. · View Herald TranscriptNov 1 2021, 7:06 AM
ldionne requested review of this revision.Nov 1 2021, 7:06 AM
Herald added a project: Restricted Project. · View Herald TranscriptNov 1 2021, 7:06 AM
Herald added a reviewer: Restricted Project. · View Herald Transcript
Herald added a subscriber: libcxx-commits. · View Herald Transcript
Quuxplusone accepted this revision as: Quuxplusone.Nov 1 2021, 7:45 AM
Quuxplusone added a subscriber: Quuxplusone.

because Clang doesn't support putting __attribute__((format(...))) on variadic templates

D112579 is related.

libcxx/include/locale
1617

Why on earth is this not just s/__fmt/"%p"/?

Harbormaster completed remote builds in B131742: Diff 383798.Nov 1 2021, 7:59 AM
ldionne updated this revision to Diff 385802.Nov 9 2021, 6:45 AM
ldionne marked an inline comment as done.

Address review comment

Harbormaster completed remote builds in B133244: Diff 385802.Nov 9 2021, 9:20 AM
ldionne accepted this revision as: Restricted Project.Nov 9 2021, 10:17 AM
This revision is now accepted and ready to land.Nov 9 2021, 10:17 AM
Closed by commit rGa4ba78051051: [libc++] Enable -Wformat-nonliteral when building libc++ (authored by ldionne). · Explain WhyNov 9 2021, 10:17 AM
This revision was automatically updated to reflect the committed changes.
ldionne added a commit: rGa4ba78051051: [libc++] Enable -Wformat-nonliteral when building libc++.
uabelho added a subscriber: uabelho.Nov 11 2021, 1:35 AM

Hi,

I see a whole bunch of warnings like this with this patch:

/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:116:37: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vsnprintf(__s, __n, __format, __va);
                                    ^~~~~~~~
/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:126:32: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vasprintf(__s, __format, __va);
                               ^~~~~~~~
/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:136:30: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vsscanf(__s, __format, __va);
                             ^~~~~~~~
3 warnings generated.

Both with clang 8 and gcc 9.3

uabelho mentioned this in D113876: [libc++] Add missing __format__ attributes.Nov 15 2021, 2:55 AM
In D112927#3123920, @uabelho wrote:

Hi,

I see a whole bunch of warnings like this with this patch:

/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:116:37: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vsnprintf(__s, __n, __format, __va);
                                    ^~~~~~~~
/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:126:32: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vasprintf(__s, __format, __va);
                               ^~~~~~~~
/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:136:30: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vsscanf(__s, __format, __va);
                             ^~~~~~~~
3 warnings generated.

Both with clang 8 and gcc 9.3

I put up
https://reviews.llvm.org/D113876
to silence the warnings

ldionne added a comment.Nov 16 2021, 9:09 AM
In D112927#3130882, @uabelho wrote:
In D112927#3123920, @uabelho wrote:

Hi,

I see a whole bunch of warnings like this with this patch:

/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:116:37: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vsnprintf(__s, __n, __format, __va);
                                    ^~~~~~~~
/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:126:32: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vasprintf(__s, __format, __va);
                               ^~~~~~~~
/repo/uabelho/llvm-dev2/llvm/build-all-builtins/runtimes/runtimes-i386-unknown-linux-gnu-bins/compiler-rt/lib/fuzzer/libcxx_fuzzer_i386/include/c++/v1/__bsd_locale_fallbacks.h:136:30: warning: format string is not a string literal [-Wformat-nonliteral]
    int __res = vsscanf(__s, __format, __va);
                             ^~~~~~~~
3 warnings generated.

Both with clang 8 and gcc 9.3

I put up
https://reviews.llvm.org/D113876
to silence the warnings

Yup, I'm seeing them too on the build bots. I missed them cause I was only building on Darwin, and that header isn't used on Darwin. Also since those are just warnings they are not failing the build, so CI passed. Looking at your patch now.

ldionne mentioned this in rG7dc9a03cfd78: [libc++] Add missing __format__ attributes.Nov 26 2021, 8:03 AM

Revision Contents

PathSize
libcxx/
3 lines
include/
9 lines

Diff 385877

libcxx/CMakeLists.txt

Show First 20 LinesShow All 608 Lines▼ Show 20 Lines if (MSVC)
# -W4 is the cl.exe/clang-cl equivalent of -Wall. (In cl.exe and clang-cl, # -W4 is the cl.exe/clang-cl equivalent of -Wall. (In cl.exe and clang-cl,
# -Wall is equivalent to -Weverything in GCC style compiler drivers.) # -Wall is equivalent to -Weverything in GCC style compiler drivers.)
target_add_compile_flags_if_supported(${target} PRIVATE -W4) target_add_compile_flags_if_supported(${target} PRIVATE -W4)
else() else()
target_add_compile_flags_if_supported(${target} PRIVATE -Wall) target_add_compile_flags_if_supported(${target} PRIVATE -Wall)
endif() endif()
target_add_compile_flags_if_supported(${target} PRIVATE -Wextra -W -Wwrite-strings target_add_compile_flags_if_supported(${target} PRIVATE -Wextra -W -Wwrite-strings
-Wno-unused-parameter -Wno-long-long -Wno-unused-parameter -Wno-long-long
-Werror=return-type -Wextra-semi -Wundef) -Werror=return-type -Wextra-semi -Wundef
-Wformat-nonliteral)
if ("${CMAKE_CXX_COMPILER_ID}" MATCHES "Clang") if ("${CMAKE_CXX_COMPILER_ID}" MATCHES "Clang")
target_add_compile_flags_if_supported(${target} PRIVATE target_add_compile_flags_if_supported(${target} PRIVATE
-Wno-user-defined-literals -Wno-user-defined-literals
-Wno-covered-switch-default -Wno-covered-switch-default
-Wno-suggest-override -Wno-suggest-override
) )
if (LIBCXX_TARGETING_CLANG_CL) if (LIBCXX_TARGETING_CLANG_CL)
target_add_compile_flags_if_supported(${target} PRIVATE target_add_compile_flags_if_supported(${target} PRIVATE
▲ Show 20 LinesShow All 359 LinesShow Last 20 Lines

libcxx/include/locale

Show First 20 LinesShow All 1,480 Lines▼ Show 20 Linesnum_put<_CharT, _OutputIterator>::__do_put_integral(iter_type __s, ios_base& __iob,
// Worst case is octal, with showbase enabled. Note that octal is always // Worst case is octal, with showbase enabled. Note that octal is always
// printed as an unsigned value. // printed as an unsigned value.
using _Unsigned = typename make_unsigned<_Integral>::type; using _Unsigned = typename make_unsigned<_Integral>::type;
_LIBCPP_CONSTEXPR const unsigned __nbuf _LIBCPP_CONSTEXPR const unsigned __nbuf
= (numeric_limits<_Unsigned>::digits / 3) // 1 char per 3 bits = (numeric_limits<_Unsigned>::digits / 3) // 1 char per 3 bits
+ ((numeric_limits<_Unsigned>::digits % 3) != 0) // round up + ((numeric_limits<_Unsigned>::digits % 3) != 0) // round up
+ 2; // base prefix + terminating null character + 2; // base prefix + terminating null character
char __nar[__nbuf]; char __nar[__nbuf];
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wformat-nonliteral"
int __nc = __libcpp_snprintf_l(__nar, sizeof(__nar), _LIBCPP_GET_C_LOCALE, __fmt, __v); int __nc = __libcpp_snprintf_l(__nar, sizeof(__nar), _LIBCPP_GET_C_LOCALE, __fmt, __v);
#pragma clang diagnostic pop
char* __ne = __nar + __nc; char* __ne = __nar + __nc;
char* __np = this->__identify_padding(__nar, __ne, __iob); char* __np = this->__identify_padding(__nar, __ne, __iob);
// Stage 2 - Widen __nar while adding thousands separators // Stage 2 - Widen __nar while adding thousands separators
char_type __o[2*(__nbuf-1) - 1]; char_type __o[2*(__nbuf-1) - 1];
char_type* __op; // pad here char_type* __op; // pad here
char_type* __oe; // end of output char_type* __oe; // end of output
this->__widen_and_group_int(__nar, __np, __ne, __o, __op, __oe, __iob.getloc()); this->__widen_and_group_int(__nar, __np, __ne, __o, __op, __oe, __iob.getloc());
// [__o, __oe) contains thousands_sep'd wide number // [__o, __oe) contains thousands_sep'd wide number
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines
{ {
// Stage 1 - Get number in narrow char // Stage 1 - Get number in narrow char
char __fmt[8] = {'%', 0}; char __fmt[8] = {'%', 0};
bool __specify_precision = this->__format_float(__fmt+1, __len, __iob.flags()); bool __specify_precision = this->__format_float(__fmt+1, __len, __iob.flags());
const unsigned __nbuf = 30; const unsigned __nbuf = 30;
char __nar[__nbuf]; char __nar[__nbuf];
char* __nb = __nar; char* __nb = __nar;
int __nc; int __nc;
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wformat-nonliteral"
if (__specify_precision) if (__specify_precision)
__nc = __libcpp_snprintf_l(__nb, __nbuf, _LIBCPP_GET_C_LOCALE, __fmt, __nc = __libcpp_snprintf_l(__nb, __nbuf, _LIBCPP_GET_C_LOCALE, __fmt,
(int)__iob.precision(), __v); (int)__iob.precision(), __v);
else else
__nc = __libcpp_snprintf_l(__nb, __nbuf, _LIBCPP_GET_C_LOCALE, __fmt, __v); __nc = __libcpp_snprintf_l(__nb, __nbuf, _LIBCPP_GET_C_LOCALE, __fmt, __v);
unique_ptr<char, void(*)(void*)> __nbh(nullptr, free); unique_ptr<char, void(*)(void*)> __nbh(nullptr, free);
if (__nc > static_cast<int>(__nbuf-1)) if (__nc > static_cast<int>(__nbuf-1))
{ {
if (__specify_precision) if (__specify_precision)
__nc = __libcpp_asprintf_l(&__nb, _LIBCPP_GET_C_LOCALE, __fmt, (int)__iob.precision(), __v); __nc = __libcpp_asprintf_l(&__nb, _LIBCPP_GET_C_LOCALE, __fmt, (int)__iob.precision(), __v);
else else
__nc = __libcpp_asprintf_l(&__nb, _LIBCPP_GET_C_LOCALE, __fmt, __v); __nc = __libcpp_asprintf_l(&__nb, _LIBCPP_GET_C_LOCALE, __fmt, __v);
if (__nc == -1) if (__nc == -1)
__throw_bad_alloc(); __throw_bad_alloc();
__nbh.reset(__nb); __nbh.reset(__nb);
} }
#pragma clang diagnostic pop
char* __ne = __nb + __nc; char* __ne = __nb + __nc;
char* __np = this->__identify_padding(__nb, __ne, __iob); char* __np = this->__identify_padding(__nb, __ne, __iob);
// Stage 2 - Widen __nar while adding thousands separators // Stage 2 - Widen __nar while adding thousands separators
char_type __o[2*(__nbuf-1) - 1]; char_type __o[2*(__nbuf-1) - 1];
char_type* __ob = __o; char_type* __ob = __o;
unique_ptr<char_type, void(*)(void*)> __obh(0, free); unique_ptr<char_type, void(*)(void*)> __obh(0, free);
if (__nb != __nar) if (__nb != __nar)
{ {
Show All 28 Lines
} }
template <class _CharT, class _OutputIterator> template <class _CharT, class _OutputIterator>
_OutputIterator _OutputIterator
num_put<_CharT, _OutputIterator>::do_put(iter_type __s, ios_base& __iob, num_put<_CharT, _OutputIterator>::do_put(iter_type __s, ios_base& __iob,
char_type __fl, const void* __v) const char_type __fl, const void* __v) const
{ {
// Stage 1 - Get pointer in narrow char // Stage 1 - Get pointer in narrow char
char __fmt[6] = "%p";
const unsigned __nbuf = 20; const unsigned __nbuf = 20;
char __nar[__nbuf]; char __nar[__nbuf];
int __nc = __libcpp_snprintf_l(__nar, sizeof(__nar), _LIBCPP_GET_C_LOCALE, __fmt, __v); int __nc = __libcpp_snprintf_l(__nar, sizeof(__nar), _LIBCPP_GET_C_LOCALE, "%p", __v);
QuuxplusoneUnsubmitted
Done
ReplyInline Actions

Why on earth is this not just s/__fmt/"%p"/?

Quuxplusone: Why on earth is this not just `s/__fmt/"%p"/`?
char* __ne = __nar + __nc; char* __ne = __nar + __nc;
char* __np = this->__identify_padding(__nar, __ne, __iob); char* __np = this->__identify_padding(__nar, __ne, __iob);
// Stage 2 - Widen __nar // Stage 2 - Widen __nar
char_type __o[2*(__nbuf-1) - 1]; char_type __o[2*(__nbuf-1) - 1];
char_type* __op; // pad here char_type* __op; // pad here
char_type* __oe; // end of output char_type* __oe; // end of output
const ctype<char_type>& __ct = use_facet<ctype<char_type> >(__iob.getloc()); const ctype<char_type>& __ct = use_facet<ctype<char_type> >(__iob.getloc());
__ct.widen(__nar, __ne, __o); __ct.widen(__nar, __ne, __o);
▲ Show 20 LinesShow All 2,717 LinesShow Last 20 Lines