[Bug c/115513] New: attribute nonstring could help with printf mistakes

[Bug c/115513] New: attribute nonstring could help with printf mistakes

[peter at eisentraut dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115513

            Bug ID: 115513
           Summary: attribute nonstring could help with printf mistakes
           Product: gcc
           Version: 14.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: peter at eisentraut dot org
  Target Milestone: ---

Created attachment 58446
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=58446&action=edit
test file

Consider this test program (also attached):

```
#include <stdio.h>
#include <string.h>

struct Data
{
        char name[32] __attribute__((nonstring));
};

int f (struct Data *pd, const char *s)
{
        strncpy(pd->name, s, sizeof pd->name);

        printf("%s", pd->name);  // unsafe, no warning!?!

        return strlen(pd->name);   // unsafe, gets a warning
}
```

Compile with, e.g.: gcc-14 -c -Wall -Wextra -O2 test.c

As per the documentation, this will warn about the strlen() call.

But it doesn't warn about the printf() call.  This would be quite useful and
seems to be a gap in the warning coverage of this attribute.

[Bug c/115513] attribute nonstring could help with printf mistakes

[xry111 at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115513

Xi Ruoyao <xry111 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2024-06-17
           Severity|normal                      |enhancement
             Status|UNCONFIRMED                 |NEW
           Keywords|                            |diagnostic
     Ever confirmed|0                           |1
                 CC|                            |xry111 at gcc dot gnu.org

--- Comment #1 from Xi Ruoyao <xry111 at gcc dot gnu.org> ---
Confirmed.

But what should we do with something like `printf("%32s", pd->name);`?

[Bug c/115513] attribute nonstring could help with printf mistakes

[peter at eisentraut dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115513

--- Comment #2 from Peter Eisentraut <peter at eisentraut dot org> ---
(In reply to Xi Ruoyao from comment #1)
> But what should we do with something like `printf("%32s", pd->name);`?

Perhaps you mean

    printf("%.32s", pd->name);

?  (I don't think the minimum field width is relevant to this issue.)  If so,
then yes, I think it would be good if this would be analyzed for correctness,
so that this incantation could be used for printing out these kinds of things.

(Better style might be `printf("%.*s", sizeof pd->name, pd->name);`.)

[Bug c/115513] attribute nonstring could help with printf mistakes

[xry111 at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115513

--- Comment #3 from Xi Ruoyao <xry111 at gcc dot gnu.org> ---
(In reply to Peter Eisentraut from comment #2)
> (In reply to Xi Ruoyao from comment #1)
> > But what should we do with something like `printf("%32s", pd->name);`?
> 
> Perhaps you mean
> 
>     printf("%.32s", pd->name);

Yes I mean "%.32s".