[clang-tidy] Check request: bugprone-avoid-invalid-format-string

[denzor200]

Needs a check that will find incorrect format strings and point them out. This check will not provide fix-it hints.

int number = 42;
printf("Value: %s\n", number);             // BAD - expected string but an integer was passed
printf("Numbers: %d, %d\n", 42);           // BAD - wrong number of arguments
printf("String: %.*s\n", "Hello world");   // BAD - %.*s requires two arguments
const char* user_input = get_user_input();
printf(user_input);                        // BAD - format string vulnerability
printf("Numbers: %d, %d\n", 100, 200);     // OK
constexpr const char* no_user_input = get_format();
printf(no_user_input);                     // OK

[llvmbot]

@llvm/issue-subscribers-clang-tidy

Author: Denis Mikhailov (denzor200)

Needs a check that will find incorrect format strings and point them out. This check will not provide fix-it hints.

int number = 42;
printf("Value: %s\n", number);             // BAD - expected string but an integer was passed
printf("Numbers: %d, %d\n", 42);           // BAD - wrong number of arguments
printf("String: %.*s\n", "Hello world");   // BAD - %.*s requires two arguments
const char* user_input = get_user_input();
printf(user_input);                        // BAD - format string vulnerability
printf("Numbers: %d, %d\n", 100, 200);     // OK
constexpr const char* no_user_input = get_format();
printf(no_user_input);                     // OK

[EugeneZelenko]

Isn't -Wformat cover this?

[denzor200]

Isn't -Wformat cover this?

It covers, but wait is that flag configurable? The situation is that I have my own format-like functions and I can't check them using -Wformat flag. That's the reason why I created this issue

[denzor200]

We also want the same checker for scanf-like functions. I don't know where to put it - in this checker or should I create a separate check-request for it.

[EugeneZelenko]

Isn't -Wformat cover this?

It covers, but wait is that flag configurable? The situation is that I have my own format-like functions and I can't check them using -Wformat flag. That's the reason why I created this issue

Possibility to annotate format-like functions exist for very long time: https://stackoverflow.com/questions/12388614/printf-like-function-with-optional-format-string-argument-and-gcc-format-type-ch.

[EugeneZelenko]

We also want the same checker for scanf-like functions. I don't know where to put it - in this checker or should I create a separate check-request for it.

At least in GCC -Wformat covers scanf-like functions: https://gcc.gnu.org/onlinedocs/gcc-14.2.0/gcc/Warning-Options.html

[denzor200]

@EugeneZelenko thanks for good point, today I've got acquainted with the format-like functions' annotating. Then I suppose we don't need to duplicate this feature in Clang Tidy

[denzor200]

Also I've figured out how to use that feature in a project which ignores compiler side warning: https://godbolt.org/z/14vdav3jT

[EugeneZelenko]

Great! However some other cases may be worth to implement, like type checking CPython APIs, but this may be too specific area to gain enough interest.

[denzor200]

Great! However some other cases may be worth to implement, like type checking CPython APIs, but this may be too specific area to gain enough interest.

You mean PyObject *PyErr_Format(PyObject *exception, const char *format, ...); and so ? Does it worth to create a sepatate module for CPython APIs?

[EugeneZelenko]

Great! However some other cases may be worth to implement, like type checking CPython APIs, but this may be too specific area to gain enough interest.

You mean PyObject *PyErr_Format(PyObject *exception, const char *format, ...); and so ? Does it worth to create a sepatate module for CPython APIs?

Also https://docs.python.org/3/c-api/arg.html. I could not tell how popular CPython usage is.

[denzor200]

Even though -Wformat covers this, we still need a check that will suggest using PRIu64.

BEFORE(Linux):

std::uint64_t value = 100;
printf("Value: %lu\n", value);

BEFORE(Windows):

std::uint64_t value = 100;
printf("Value: %llu\n", value);

AFTER:

std::uint64_t value = 100;
printf("Value: %" PRIu64 "\n", value);

This check will be a good candidate for "portability" section.