From: Bruno H. <br...@cl...> - 2017-09-10 14:13:22
Jörg wrote on 2017-08-25:
> 1) There is an (undocumented) way to avoid this security warning.
> Test case:
> ===============================================================================
> #include <stdio.h>
> extern const char * transform1 (const char * s);
> extern const char * transform2 (const char * s) __attribute__ ((__format_arg__ (1)));
> void foo1 () { fprintf(stderr, transform1("Hello")); }
> void foo2 () { fprintf(stderr, transform2("Hello")); }
> ===============================================================================
> $ gcc -S -Wall -Wformat-security foo.c
> foo.c: In function 'foo1':
> foo.c:4:1: warning: format not a string literal and no format arguments [-Wformat-security]
> void foo1 () { fprintf(stderr, transform1("Hello")); }
> ^~~~
> As you can see, this __attribute__ ((__format_arg__ (1))) has the effect of
> avoiding the warning.
> -----
>
> What is undocumented?
> https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html
> https://gcc.gnu.org/onlinedocs/gcc-3.1/gcc/Function-Attributes.html
> ... mentions __attribute__ ((format_arg...)).

It is not documented that this attribute will silence a -Wformat-security
warning.

> here I find that declaration completely unsafe, because it depends on foreign PO/MO files' contents!!

GCC itself declares the gettext function like this. builtins.def [1] contains
this:

  DEF_EXT_LIB_BUILTIN (BUILT_IN_GETTEXT, "gettext", BT_FN_STRING_CONST_STRING, ATTR_FORMAT_ARG_1)

The ATTR_FORMAT_ARG_1 is __attribute__ ((__format_arg__ (1))).

clisp does the same with gettext, clgettext, clgettext1 (which are merely
variants of gettext).

So, apparently the GCC developers think it's not worth it for GCC to complain
about every use of a translated format string. The reason is that the gettext
tools ('msgfmt' in particular) contain the appropriate checking.

Bruno

[1] https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/builtins.def?revision=249685&view=co
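
Added example, not part of the original message and not code from GCC, gettext or clisp: a C check of the kind the message attributes to the gettext tools, comparing the arguments a msgid's printf directives consume with those of its translation. The function names are hypothetical, msgfmt's real rules are more detailed, and positional (`%1$s`) directives are not handled here and are rejected.

```c
#include <stdio.h>
#include <string.h>

/* Build the argument signature of a printf format: per directive, one '*'
   for each star width/precision, then the length modifier and conversion.
   Returns 0 on success, -1 if malformed, positional (n$) or too long. */
static int fmt_signature(const char *f, char *sig, size_t cap)
{
    size_t n = 0;
    while (*f) {
        if (*f++ != '%') continue;
        if (*f == '%') { f++; continue; }              /* literal percent */
        f += strspn(f, "-+ #0'");                      /* flags */
        for (; *f && strchr("0123456789.*", *f); f++)  /* width, precision */
            if (*f == '*') { if (n + 1 >= cap) return -1; sig[n++] = '*'; }
        if (*f == '$') return -1;                      /* positional: rejected */
        for (; *f && strchr("hlLqjzt", *f); f++) {     /* length modifiers */
            if (n + 1 >= cap) return -1;
            sig[n++] = *f;
        }
        if (!*f || !strchr("diouxXeEfFgGaAcspn", *f)) return -1;
        if (n + 2 >= cap) return -1;
        sig[n++] = *f++;
        sig[n++] = ';';
    }
    sig[n] = '\0';
    return 0;
}

/* 1 if msgstr consumes exactly the same arguments as msgid, else 0. */
int translation_is_safe(const char *msgid, const char *msgstr)
{
    char a[256], b[256];
    if (fmt_signature(msgid, a, sizeof a) || fmt_signature(msgstr, b, sizeof b))
        return 0;
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed msgid/msgstr pairs, not taken from any real PO file. */
    printf("%d\n", translation_is_safe("Copied %d files to %s",
                                       "%d Dateien nach %s kopiert"));
    printf("%d\n", translation_is_safe("Hello %s", "Hallo %s%n"));
    return 0;
}
```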