Skip to content

gh-112301: Add -Wformat=2 compiler option to NODIST#122474

Open
nohlson wants to merge 20 commits intopython:mainfrom
nohlson:add-format-level-2
Open

gh-112301: Add -Wformat=2 compiler option to NODIST#122474
nohlson wants to merge 20 commits intopython:mainfrom
nohlson:add-format-level-2

Conversation

@nohlson
Copy link
Contributor

@nohlson nohlson commented Jul 30, 2024
edited
Loading

This adds -Wformat and -Wformat=2 to the CFLAGS_NODIST set of compiler flags. This is a warning flag that relates for format strings and for more information you can take a look at the OpenSSF guidance on this flag.

This does generate a few warnings in build_ubuntu and the new warning checker catches them catches them:

| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2857, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2857, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2858, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2858, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2862, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2862, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2863, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2863, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2867, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2867, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2868, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2868, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 19, 'display-column': 19, 'line': 2871, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 19}, 'caret': {'byte-column': 17, 'display-column': 17, 'line': 2871, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 17}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2875, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2875, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2876, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2876, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2880, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2880, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 27, 'display-column': 27, 'line': 2881, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 27}, 'caret': {'byte-column': 21, 'display-column': 21, 'line': 2881, 'file': '../cpython-ro-srcdir/Objects/unicodeobject.c', 'column': 21}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}
| {'kind': 'warning', 'locations': [{'finish': {'byte-column': 28, 'display-column': 28, 'line': 23, 'file': '../cpython-ro-srcdir/Python/getversion.c', 'column': 28}, 'caret': {'byte-column': 19, 'display-column': 19, 'line': 23, 'file': '../cpython-ro-srcdir/Python/getversion.c', 'column': 19}}], 'column-origin': 1, 'option': '-Wformat-nonliteral', 'children': [], 'option_url': 'https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-nonliteral', 'message': 'format not a string literal, argument types not checked'}

unicodeobject.c warnings look like they could be ignored since format strings for sprintf operations are pulled from a const array of const format strings, and the variable that indexes these arrays is set from constants. However if we add this file to .warningignore_ubuntu then if either of those things change maybe vulnerabilities could be introduced.

As for getversion.c it also could be ignored. I don't think there is too much of a concern in putting this in the warning ignore file.

This change should require pre-merge build bots @corona10

Attn: @hugovk

EDIT: Removed content from the issue that pertained to already merged tooling options

@bedevere-app bedevere-app bot mentioned this pull request Jul 30, 2024
Open
@corona10 corona10 added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jul 31, 2024
@bedevere-bot
Copy link

bedevere-bot commented Jul 31, 2024

🤖 New build scheduled with the buildbot fleet by @corona10 for commit 178bcc6 🤖

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jul 31, 2024
nohlson
nohlson commented Jul 31, 2024
View reviewed changes
encukou
encukou reviewed Aug 7, 2024
View reviewed changes
Python/getversion.c Outdated
#else
const char *buildinfo_format = "%.80s (%.80s) %.80s";
#endif
// The format string is defined above and is observably safe.
Copy link
Member

@encukou encukou Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could it be switched to a #defined literal? That way it could look safe to the compiler, too.

Copy link
Contributor Author

@nohlson nohlson Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just pushed a change. I figure instead of going through the trouble defining a format string in the preprocessor #if/#else blocks and adding all of the diagnostic pragmas we can just put the PyOS_snprintf() with the relevant format string literals in the respective #if/#else blocks. We eliminate the root cause of the warning instead of ignore it.

encukou
encukou reviewed Aug 7, 2024
View reviewed changes
Objects/unicodeobject.c Outdated
// is only assigned known constant values. Ignore warnings related
// to the format string not being a string literal.
#if defined(__GNUC__) || defined(__clang__)
#pragma GCC diagnostic push
Copy link
Member

@encukou encukou Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider using _Py_COMP_DIAG_PUSH/_Py_COMP_DIAG_POP, and adding a macro like _Py_COMP_DIAG_IGNORE_DEPR_DECLS, to make this easier to port to other compilers.

Copy link
Contributor Author

@nohlson nohlson Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@encukou created macro for ignoring format nonliterals and applied it to this block

@encukou
Copy link
Member

encukou commented Sep 18, 2024

I wanted to see if it's possible to avoid the warning altogether -- and had an implementation before I realized I should have probably delegated it.
Please see if #124203 makes sense to you.

@nohlson
Copy link
Contributor Author

nohlson commented Sep 24, 2024

@encukou I do prefer your PR that addresses the cause of the warning directly in unicodeobject.c #124203 either of the implementations. I will remove the changes here for unicodeobject.c and leave getversion.c changes.

@encukou
Copy link
Member

encukou commented Sep 25, 2024

That PR is merged now :)
But it seems new warnings appeared in one of the tests. You might be interested in __attribute__((format)), and how we apply it to e.g. PyOS_vsnprintf in Include/pyerrors.h.

erlend-aasland
erlend-aasland reviewed Oct 14, 2024
View reviewed changes
Tools/build/.warningignore_macos
Objects/mimalloc/ *
Python/pylifecycle.c 1
Python/sysmodule.c 1
Python/tracemalloc.c 1 No newline at end of file
Copy link
Contributor

@erlend-aasland erlend-aasland Oct 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: can you please add the missing newline at EOF?

@picnixz
Copy link
Member

picnixz commented Oct 22, 2024

@encukou

But it seems new warnings appeared in one of the tests. You might be interested in attribute((format)), and how we apply it to e.g. PyOS_vsnprintf in Include/pyerrors.h.

Is this still relevant? I stumbled upon that and wondered whether it's something relevant to add in this PR or in a separate PR (I was working with __attribute__ ((unused)) and remembered that there was also this attribute that could be useful).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@encukou encukou encukou left review comments

@erlend-aasland erlend-aasland erlend-aasland left review comments

@corona10 corona10 Awaiting requested review from corona10 corona10 is a code owner

@ezio-melotti ezio-melotti Awaiting requested review from ezio-melotti

@hugovk hugovk Awaiting requested review from hugovk

Assignees

No one assigned

Labels

awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@nohlson @bedevere-bot @encukou @picnixz @erlend-aasland @corona10