Skip to content

[Sema] Suggest missing format attributes #166738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

[Sema] Suggest missing format attributes #166738

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
aebddd9
[Sema] Suggest missing format attributes
vvuksanovic Oct 31, 2025
c62ec64
Switch to portable attribute syntax
vvuksanovic Nov 7, 2025
a0a4ca6
Address review comments
vvuksanovic Nov 17, 2025
ba5e3d8
Emit fixit only when supported
vvuksanovic Nov 17, 2025
c1b001a
Fix ObjC fixit location
vvuksanovic Nov 18, 2025
948c282
Suggest format_matches when applicable
vvuksanovic Nov 18, 2025
4fd960b
Add implicit attribute
vvuksanovic Nov 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions clang/docs/ReleaseNotes.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -401,6 +401,8 @@ Improvements to Clang's diagnostics
or continue (#GH166013)
- Clang now emits a diagnostic in case `vector_size` or `ext_vector_type`
attributes are used with a negative size (#GH165463).
- Clang now detects potential missing format attributes on function declarations
when calling format functions. (#GH60718)
Copy link
Contributor

@Fznamznon Fznamznon Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#60718 seems to be closed already?

Copy link
Contributor Author

@vvuksanovic vvuksanovic Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That issue was closed by #70024, but it was later reverted. Then #105479 was created to fix the issues, but never merged.

This is an updated version of #105479 with most comments addressed.


Improvements to Clang's time-trace
----------------------------------
Expand Down
1 change: 0 additions & 1 deletion clang/include/clang/Basic/DiagnosticGroups.td
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -607,7 +607,6 @@ def MainReturnType : DiagGroup<"main-return-type">;
def MaxUnsignedZero : DiagGroup<"max-unsigned-zero">;
def MissingBraces : DiagGroup<"missing-braces">;
def MissingDeclarations: DiagGroup<"missing-declarations">;
def : DiagGroup<"missing-format-attribute">;
def MissingIncludeDirs : DiagGroup<"missing-include-dirs">;
def MissingNoreturn : DiagGroup<"missing-noreturn">;
def MultiChar : DiagGroup<"multichar">;
Expand Down
4 changes: 4 additions & 0 deletions clang/include/clang/Basic/DiagnosticSemaKinds.td
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3478,6 +3478,10 @@ def err_format_attribute_result_not : Error<"function does not return %0">;
def err_format_attribute_implicit_this_format_string : Error<
"format attribute cannot specify the implicit this argument as the format "
"string">;
def warn_missing_format_attribute : Warning<
"diagnostic behavior may be improved by adding the '%0' attribute to the "
"declaration of %1">,
InGroup<DiagGroup<"missing-format-attribute">>, DefaultIgnore;
Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you help me put in context how -Wmissing-format-attribute works with GCC and its relationship with -Wformat, -Wformat=2 and -Wformat-nonliteral? It's kind of a least favorite way forward to add new off-by-default diagnostics.

Here's my thinking (before knowing how GCC deals with this):

  • Could -Wmissing-format-attribute be enabled by default and/or be part of -Wformat? (Do we need an adult to confirm the bar for adding on-by-default diagnostics? I think this should be OK given that this shouldn't have false positives at all.)
  • If -Wmissing-format-attribute cannot be enabled by default, what are our options for splitting the difference between it and -Wformat-nonliteral? Should -Wmissing-format-attribute be part of -Wformat-nonliteral so that users of -Wformat-nonliteral get it when possible?
  • In all cases, -Wformat-nonliteral always hitting when -Wmissing-format-attribute does is an overlook that we should address.

Copy link
Contributor Author

@vvuksanovic vvuksanovic Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In GCC -Wmissing-format-attribute or -Wsuggest-attribute=format is an off-by-default warning unrelated to all other -Wformat* options. I think it makes sense to group this in -Wformat-nonliteral or -Wformat, though it is more of a suggestion to improve diagnostics than an actual warning like -Wformat-nonliteral.

In all cases, -Wformat-nonliteral always hitting when -Wmissing-format-attribute does is an overlook that we should address.

I mentioned in another comment, there is an exception with strftime calls. It does not trigger -Wformat-nonliteral since it always has one argument, but it still makes sense to add the attribute to the caller. Note that GCC actually doesn't emit -Wmissing-format-attribute in that case because the callee is not variadic.

def err_callback_attribute_no_callee : Error<
"'callback' attribute specifies no callback callee">;
def err_callback_attribute_invalid_callee : Error<
Expand Down
2 changes: 1 addition & 1 deletion clang/include/clang/Sema/Sema.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3019,7 +3019,7 @@ class Sema final : public SemaBase {
llvm::SmallBitVector &CheckedVarArgs);
bool CheckFormatArguments(ArrayRef<const Expr *> Args,
FormatArgumentPassingKind FAPK,
const StringLiteral *ReferenceFormatString,
StringLiteral *ReferenceFormatString,
unsigned format_idx, unsigned firstDataArg,
FormatStringType Type, VariadicCallType CallType,
SourceLocation Loc, SourceRange range,
Expand Down
209 changes: 176 additions & 33 deletions clang/lib/Sema/SemaChecking.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
#include "clang/AST/ASTDiagnostic.h"
#include "clang/AST/Attr.h"
#include "clang/AST/AttrIterator.h"
#include "clang/AST/Attrs.inc"
#include "clang/AST/CharUnits.h"
#include "clang/AST/Decl.h"
#include "clang/AST/DeclBase.h"
Expand All @@ -40,6 +41,7 @@
#include "clang/AST/TypeLoc.h"
#include "clang/AST/UnresolvedSet.h"
#include "clang/Basic/AddressSpaces.h"
#include "clang/Basic/CharInfo.h"
#include "clang/Basic/Diagnostic.h"
#include "clang/Basic/DiagnosticSema.h"
#include "clang/Basic/IdentifierTable.h"
Expand Down Expand Up @@ -6511,13 +6513,16 @@ static const Expr *maybeConstEvalStringLiteral(ASTContext &Context,
// If this function returns false on the arguments to a function expecting a
// format string, we will usually need to emit a warning.
// True string literals are then checked by CheckFormatString.
static StringLiteralCheckType checkFormatStringExpr(
Sema &S, const StringLiteral *ReferenceFormatString, const Expr *E,
ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
unsigned format_idx, unsigned firstDataArg, FormatStringType Type,
VariadicCallType CallType, bool InFunctionCall,
llvm::SmallBitVector &CheckedVarArgs, UncoveredArgHandler &UncoveredArg,
llvm::APSInt Offset, bool IgnoreStringsWithoutSpecifiers = false) {
static StringLiteralCheckType
checkFormatStringExpr(Sema &S, const StringLiteral *ReferenceFormatString,
const Expr *E, ArrayRef<const Expr *> Args,
Sema::FormatArgumentPassingKind APK, unsigned format_idx,
unsigned firstDataArg, FormatStringType Type,
VariadicCallType CallType, bool InFunctionCall,
llvm::SmallBitVector &CheckedVarArgs,
UncoveredArgHandler &UncoveredArg, llvm::APSInt Offset,
std::optional<unsigned> *CallerFormatParamIdx = nullptr,
bool IgnoreStringsWithoutSpecifiers = false) {
if (S.isConstantEvaluatedContext())
return SLCT_NotALiteral;
tryAgain:
Expand All @@ -6539,10 +6544,11 @@ static StringLiteralCheckType checkFormatStringExpr(
case Stmt::InitListExprClass:
// Handle expressions like {"foobar"}.
if (const clang::Expr *SLE = maybeConstEvalStringLiteral(S.Context, E)) {
return checkFormatStringExpr(
S, ReferenceFormatString, SLE, Args, APK, format_idx, firstDataArg,
Type, CallType, /*InFunctionCall*/ false, CheckedVarArgs,
UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
return checkFormatStringExpr(S, ReferenceFormatString, SLE, Args, APK,
format_idx, firstDataArg, Type, CallType,
/*InFunctionCall*/ false, CheckedVarArgs,
UncoveredArg, Offset, CallerFormatParamIdx,
IgnoreStringsWithoutSpecifiers);
}
return SLCT_NotALiteral;
case Stmt::BinaryConditionalOperatorClass:
Expand Down Expand Up @@ -6574,10 +6580,11 @@ static StringLiteralCheckType checkFormatStringExpr(
if (!CheckLeft)
Left = SLCT_UncheckedLiteral;
else {
Left = checkFormatStringExpr(
S, ReferenceFormatString, C->getTrueExpr(), Args, APK, format_idx,
firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
Left = checkFormatStringExpr(S, ReferenceFormatString, C->getTrueExpr(),
Args, APK, format_idx, firstDataArg, Type,
CallType, InFunctionCall, CheckedVarArgs,
UncoveredArg, Offset, CallerFormatParamIdx,
IgnoreStringsWithoutSpecifiers);
if (Left == SLCT_NotALiteral || !CheckRight) {
return Left;
}
Expand All @@ -6586,7 +6593,8 @@ static StringLiteralCheckType checkFormatStringExpr(
StringLiteralCheckType Right = checkFormatStringExpr(
S, ReferenceFormatString, C->getFalseExpr(), Args, APK, format_idx,
firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
UncoveredArg, Offset, CallerFormatParamIdx,
IgnoreStringsWithoutSpecifiers);

return (CheckLeft && Left < Right) ? Left : Right;
}
Expand Down Expand Up @@ -6637,8 +6645,8 @@ static StringLiteralCheckType checkFormatStringExpr(
}
return checkFormatStringExpr(
S, ReferenceFormatString, Init, Args, APK, format_idx,
firstDataArg, Type, CallType,
/*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg, Offset);
firstDataArg, Type, CallType, /*InFunctionCall=*/false,
CheckedVarArgs, UncoveredArg, Offset, CallerFormatParamIdx);
}
}

Expand Down Expand Up @@ -6690,6 +6698,8 @@ static StringLiteralCheckType checkFormatStringExpr(
// format arguments, in all cases.
//
if (const auto *PV = dyn_cast<ParmVarDecl>(VD)) {
if (CallerFormatParamIdx)
*CallerFormatParamIdx = PV->getFunctionScopeIndex();
if (const auto *D = dyn_cast<Decl>(PV->getDeclContext())) {
for (const auto *PVFormatMatches :
D->specific_attrs<FormatMatchesAttr>()) {
Expand All @@ -6715,7 +6725,7 @@ static StringLiteralCheckType checkFormatStringExpr(
S, ReferenceFormatString, PVFormatMatches->getFormatString(),
Args, APK, format_idx, firstDataArg, Type, CallType,
/*InFunctionCall*/ false, CheckedVarArgs, UncoveredArg,
Offset, IgnoreStringsWithoutSpecifiers);
Offset, CallerFormatParamIdx, IgnoreStringsWithoutSpecifiers);
}
}

Expand Down Expand Up @@ -6770,7 +6780,7 @@ static StringLiteralCheckType checkFormatStringExpr(
StringLiteralCheckType Result = checkFormatStringExpr(
S, ReferenceFormatString, Arg, Args, APK, format_idx, firstDataArg,
Type, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg,
Offset, IgnoreStringsWithoutSpecifiers);
Offset, CallerFormatParamIdx, IgnoreStringsWithoutSpecifiers);
if (IsFirst) {
CommonResult = Result;
IsFirst = false;
Expand All @@ -6787,15 +6797,17 @@ static StringLiteralCheckType checkFormatStringExpr(
return checkFormatStringExpr(
S, ReferenceFormatString, Arg, Args, APK, format_idx,
firstDataArg, Type, CallType, InFunctionCall, CheckedVarArgs,
UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
UncoveredArg, Offset, CallerFormatParamIdx,
IgnoreStringsWithoutSpecifiers);
}
}
}
if (const Expr *SLE = maybeConstEvalStringLiteral(S.Context, E))
return checkFormatStringExpr(
S, ReferenceFormatString, SLE, Args, APK, format_idx, firstDataArg,
Type, CallType, /*InFunctionCall*/ false, CheckedVarArgs,
UncoveredArg, Offset, IgnoreStringsWithoutSpecifiers);
return checkFormatStringExpr(S, ReferenceFormatString, SLE, Args, APK,
format_idx, firstDataArg, Type, CallType,
/*InFunctionCall*/ false, CheckedVarArgs,
UncoveredArg, Offset, CallerFormatParamIdx,
IgnoreStringsWithoutSpecifiers);
return SLCT_NotALiteral;
}
case Stmt::ObjCMessageExprClass: {
Expand All @@ -6821,7 +6833,7 @@ static StringLiteralCheckType checkFormatStringExpr(
return checkFormatStringExpr(
S, ReferenceFormatString, Arg, Args, APK, format_idx, firstDataArg,
Type, CallType, InFunctionCall, CheckedVarArgs, UncoveredArg,
Offset, IgnoreStringsWithoutSpecifiers);
Offset, CallerFormatParamIdx, IgnoreStringsWithoutSpecifiers);
}
}

Expand Down Expand Up @@ -7001,9 +7013,133 @@ bool Sema::CheckFormatString(const FormatMatchesAttr *Format,
return false;
}

std::string escapeFormatString(StringRef Input) {
std::string Result;
llvm::raw_string_ostream OS(Result);
Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is fine, but OS.write_escaped does something pretty similar to this loop.

for (char C : Input) {
StringRef Escaped = escapeCStyle<EscapeChar::Double>(C);
if (Escaped.empty())
OS << C;
else
OS << Escaped;
}
return Result;
}

static void CheckMissingFormatAttributes(
Sema *S, ArrayRef<const Expr *> Args, Sema::FormatArgumentPassingKind APK,
StringLiteral *ReferenceFormatString, unsigned FormatIdx,
unsigned FirstDataArg, FormatStringType FormatType, unsigned CallerParamIdx,
SourceLocation Loc) {
NamedDecl *Caller = S->getCurFunctionOrMethodDecl();
if (!Caller)
return;
Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will always fail in Objective-C because ObjCMethodDecl does not inherit from FunctionDecl. Would you add an Objective-C test to ensure this works? If you're not super familiar with it, the declaration/use syntax should be:

#include <stdarg.h>

@interface Foo
-(void)myprintf:(const char *)fmt, ... __attribute__((format(printf, 1, 2)));
-(void)myvprintf:(const char *)fmt list:(va_list)ap __attribute__((format(printf, 1, 0)));
@end

void bar(Foo *f) {
    [f myprintf:"hello %i", 123];
}

void baz(Foo *f, const char *fmt, va_list ap) {
    [f myvprintf:fmt list:ap];
}

Happy to answer other questions you may have.

Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this also always fails for blocks, but it matters less because __attribute__((format)) is sugar so adding the attribute on the block type doesn't guarantee that the block you receive also has it.

Copy link
Contributor Author

@vvuksanovic vvuksanovic Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not familiar with objective-c and there doesn't seem to be much documentation regarding attributes, but I think I have a working implementation. Just one question: is there an implicit 'this' argument on obj-c methods?

I'll have to look into blocks to see how they fit in here.

Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Objective-C methods have two implicit arguments (self and _cmd), but IIRC index 1 corresponds to the first explicit argument (ie, not like how it's done for C++).

Copy link
Contributor Author

@vvuksanovic vvuksanovic Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added support for Objective-C. Let me know if there are other cases I should test. Also, I wasn't sure which attribute syntax is supported, so I used the GNU extension.

Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to cover it, thank you!

Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested where Objective-C tolerates attributes, and the fixit is incorrect currently:

#include <stdarg.h>

__attribute__((format(printf, 1, 0)))
int vprintf(const char *, va_list ap);

@interface Foo
-(void)printf:(const char *)fmt, ...;
@end

@implementation Foo
-(void)printf:(const char *)fmt, ...  {
	va_list ap;
	va_start(ap, fmt);
	vprintf(fmt, ap);
	va_end(ap);
}
@end

The fixit will suggest __attribute__((format(printf, 1, 2))) -(void)printf:(const char *)fmt, ... {, which is a syntax error. Attributes go at the end of the declaration, so it should be -(void)printf:(const char *)fmt, ... __attribute__((...)).

To make it as effective as possible, the fixit should also go to the canonical declaration, as returned by getCanonicalDecl(), which seems to do the right thing for both FunctionDecl (returns the first decl) and ObjCMethodDecl (finds the decl in the relevant @interface block).

Here's a patch for your change which I think does the trick (but that I didn't test extensively): objc-placement.patch

Caller = dyn_cast<NamedDecl>(Caller->getCanonicalDecl());

unsigned NumCallerParams = getFunctionOrMethodNumParams(Caller);

// Find the offset to convert between attribute and parameter indexes.
unsigned CallerArgumentIndexOffset =
hasImplicitObjectParameter(Caller) ? 2 : 1;

unsigned FirstArgumentIndex = -1;
switch (APK) {
case Sema::FormatArgumentPassingKind::FAPK_Fixed:
case Sema::FormatArgumentPassingKind::FAPK_Variadic: {
// As an extension, clang allows the format attribute on non-variadic
// functions.
// Caller must have fixed arguments to pass them to a fixed or variadic
// function. Try to match caller and callee arguments. If successful, then
// emit a diag with the caller idx, otherwise we can't determine the callee
// arguments.
unsigned NumCalleeArgs = Args.size() - FirstDataArg;
if (NumCalleeArgs == 0 || NumCallerParams < NumCalleeArgs) {
// There aren't enough arguments in the caller to pass to callee.
return;
Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's possible in this case that one could use __attribute__((format_matches)) instead, which I believe I landed between your last PR and this one. I haven't thought very deeply about whether you have all the information you need here to do it, though, so there's a decent likelihood that you would look at it and decide it's not actually possible.

Copy link
Contributor Author

@vvuksanovic vvuksanovic Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd have to generate a format string for format_matches which I guess should be doable based on the argument types in the call, unless some non-scalar type is used.

}
for (unsigned CalleeIdx = Args.size() - 1, CallerIdx = NumCallerParams - 1;
CalleeIdx >= FirstDataArg; --CalleeIdx, --CallerIdx) {
const auto *Arg =
dyn_cast<DeclRefExpr>(Args[CalleeIdx]->IgnoreParenCasts());
if (!Arg)
return;
const auto *Param = dyn_cast<ParmVarDecl>(Arg->getDecl());
if (!Param || Param->getFunctionScopeIndex() != CallerIdx)
return;
}
FirstArgumentIndex =
NumCallerParams + CallerArgumentIndexOffset - NumCalleeArgs;
break;
}
case Sema::FormatArgumentPassingKind::FAPK_VAList:
// Caller arguments are either variadic or a va_list.
FirstArgumentIndex = isFunctionOrMethodVariadic(Caller)
? (NumCallerParams + CallerArgumentIndexOffset)
: 0;
break;
case Sema::FormatArgumentPassingKind::FAPK_Elsewhere:
// The callee has a format_matches attribute. We will emit that instead.
if (!ReferenceFormatString)
return;
break;
}

// Emit the diagnostic and fixit.
Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a recovery action, should we also add an implicit format attribute to Caller? It might catch issues in the rest of the file.

Copy link
Contributor Author

@vvuksanovic vvuksanovic Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That changes some behavior:

void foo(const char *fmt, va_list args) {
  vprintf(fmt, args);
  vscanf(fmt, args);
}

Previously, this would emit two diagnostics to suggest a printf and scanf format attribute. If we add an implicit attr, then when looking at vscanf we would get passing 'printf' format string where 'scanf' format string is expected. Also, this would eliminate duplicate diagnostics created by multiple format function calls of the same type.

I'll see if there are any other differences before updating the PR, but these changes make sense to me.

Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes also make sense to me.

Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, one thing to mention is that we should only add the attribute if the diagnostic is enabled at the call site, otherwise people will start seeing inexplicable format warnings that cannot be silenced. This would probably be a net positive, but the respectful way to do this would be to enable the diagnostic by default.

unsigned FormatStringIndex = CallerParamIdx + CallerArgumentIndexOffset;
StringRef FormatTypeName = S->GetFormatStringTypeName(FormatType);
do {
std::string Attr, Fixit;
if (APK != Sema::FormatArgumentPassingKind::FAPK_Elsewhere)
llvm::raw_string_ostream(Attr)
<< "format(" << FormatTypeName << ", " << FormatStringIndex << ", "
<< FirstArgumentIndex << ")";
else
llvm::raw_string_ostream(Attr)
<< "format_matches(" << FormatTypeName << ", " << FormatStringIndex
<< ", \"" << escapeFormatString(ReferenceFormatString->getString())
<< "\")";
auto DB = S->Diag(Loc, diag::warn_missing_format_attribute)
<< Attr << Caller;

SourceLocation SL;
llvm::raw_string_ostream IS(Fixit);
// The attribute goes at the start of the declaration in C/C++ functions
// and methods, but after the declaration for Objective-C methods.
if (isa<ObjCMethodDecl>(Caller)) {
IS << ' ';
SL = Caller->getEndLoc();
}
const LangOptions &LO = S->getLangOpts();
if (LO.C23 || LO.CPlusPlus11)
IS << "[[gnu::" << Attr << "]]";
else if (LO.ObjC || LO.GNUMode)
IS << "__attribute__((" << Attr << "))";
else
break;
if (!isa<ObjCMethodDecl>(Caller)) {
IS << ' ';
SL = Caller->getBeginLoc();
}
IS.flush();

DB << FixItHint::CreateInsertion(SL, Fixit);
} while (false);
S->Diag(Caller->getLocation(), diag::note_entity_declared_at) << Caller;

if (APK != Sema::FormatArgumentPassingKind::FAPK_Elsewhere) {
Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should only do this if diag::warn_missing_format_attribute is enabled because it can cause new diagnostics to cascade, which users would have no way to disable. You can check with !Diag.isIgnored(diag::warn_missing_format_attribute, Loc).

Caller->addAttr(FormatAttr::CreateImplicit(
S->getASTContext(), &S->getASTContext().Idents.get(FormatTypeName),
FormatStringIndex, FirstArgumentIndex));
} else {
Caller->addAttr(FormatMatchesAttr::CreateImplicit(
S->getASTContext(), &S->getASTContext().Idents.get(FormatTypeName),
FormatStringIndex, ReferenceFormatString));
}
}

bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
Sema::FormatArgumentPassingKind APK,
const StringLiteral *ReferenceFormatString,
StringLiteral *ReferenceFormatString,
unsigned format_idx, unsigned firstDataArg,
FormatStringType Type,
VariadicCallType CallType, SourceLocation Loc,
Expand All @@ -7030,11 +7166,12 @@ bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
// ObjC string uses the same format specifiers as C string, so we can use
// the same format string checking logic for both ObjC and C strings.
UncoveredArgHandler UncoveredArg;
std::optional<unsigned> CallerParamIdx;
StringLiteralCheckType CT = checkFormatStringExpr(
*this, ReferenceFormatString, OrigFormatExpr, Args, APK, format_idx,
firstDataArg, Type, CallType,
/*IsFunctionCall*/ true, CheckedVarArgs, UncoveredArg,
/*no string offset*/ llvm::APSInt(64, false) = 0);
/*no string offset*/ llvm::APSInt(64, false) = 0, &CallerParamIdx);

// Generate a diagnostic where an uncovered argument is detected.
if (UncoveredArg.hasUncoveredArg()) {
Expand All @@ -7047,11 +7184,6 @@ bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
// Literal format string found, check done!
return CT == SLCT_CheckedLiteral;

// Strftime is particular as it always uses a single 'time' argument,
// so it is safe to pass a non-literal string.
if (Type == FormatStringType::Strftime)
return false;

// Do not emit diag when the string param is a macro expansion and the
// format is either NSString or CFString. This is a hack to prevent
// diag when using the NSLocalizedString and CFCopyLocalizedString macros
Expand All @@ -7061,6 +7193,17 @@ bool Sema::CheckFormatArguments(ArrayRef<const Expr *> Args,
SourceMgr.isInSystemMacro(FormatLoc))
return false;

const LangOptions &LO = getLangOpts();
if (CallerParamIdx && (LO.GNUMode || LO.C23 || LO.CPlusPlus11))
Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should warn in all cases and use the language mode only to decide whether to offer a fixit.

Copy link
Member

@Sirraide Sirraide Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue I see w/ that is that for language modes that don’t support [[]]-style attributes, there is no way to actually make the warning go away in a portable manner (you can use a #pragma but that’s a bit sad and also not portable).

Copy link
Contributor Author

@vvuksanovic vvuksanovic Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should warn in all cases and use the language mode only to decide whether to offer a fixit.

I'm not sure if the warning that suggests adding an attribute makes sense if there isn't a portable way to actually add the attribute.

Copy link
Contributor

@apple-fcloutier apple-fcloutier Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are portable ways to annotate your functions, it's just that you can't offer them as fixits for a variety of reasons (for instance, create a macro that adds the format attribute based on a __has_attribute test); in fact, even when a language-defined syntax is available, it might not be the preferred way to add the attribute in any given project.

But even then, I disagree that the only value (or even the main value) of any diagnostic is the fixit. Clang doesn't only diagnose situations that it knows how to fix. For a codebase that truly can't do anything about missing format attributes, the solution is to not take the intentional step of enabling the diagnostic.

Copy link
Contributor Author

@vvuksanovic vvuksanovic Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, the user can figure out a way to write the attribute in a suitable way. I have changed the diagnostic message to include the attribute parameters as well like:

diagnostic behavior may be improved by adding the 'format(printf, X, Y)' attribute to the declaration of 'foo'

so even if there is no fixit, the full suggested attribute is still shown.

CheckMissingFormatAttributes(this, Args, APK, ReferenceFormatString,
format_idx, firstDataArg, Type,
*CallerParamIdx, Loc);

// Strftime is particular as it always uses a single 'time' argument,
// so it is safe to pass a non-literal string.
if (Type == FormatStringType::Strftime)
return false;

// If there are no arguments specified, warn with -Wformat-security, otherwise
// warn only with -Wformat-nonliteral.
if (Args.size() == firstDataArg) {
Expand Down
4 changes: 2 additions & 2 deletions clang/lib/Sema/SemaDeclAttr.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3572,7 +3572,7 @@ static void handleEnumExtensibilityAttr(Sema &S, Decl *D,
}

/// Handle __attribute__((format_arg((idx)))) attribute based on
/// http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
/// https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html
static void handleFormatArgAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
const Expr *IdxExpr = AL.getArgAsExpr(0);
ParamIdx Idx;
Expand Down Expand Up @@ -3771,7 +3771,7 @@ struct FormatAttrCommon {
};

/// Handle __attribute__((format(type,idx,firstarg))) attributes based on
/// http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
/// https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html
static bool handleFormatAttrCommon(Sema &S, Decl *D, const ParsedAttr &AL,
FormatAttrCommon *Info) {
// Checks the first two arguments of the attribute; this is shared between
Expand Down
Loading