I’ve coded up some support in clang to flag warnings for non-constant format strings used in calls to printf-like functions (all the functions listed in “man fprintf”). Non-constant format strings are a source of many security exploits in C/C++ programs, and I believe are currently detected by gcc using the flag -Wformat-nonliteral.
I’ve attached a patch that adds this support. I’ve also included two new files not under version control, including one file for regression testing.
I plan on adding additional checking for format strings.
in Sema/: SemaChecking.cpp
in test/: format-strings.c
format_string.patch (4.75 KB)
SemaChecking.cpp (3.58 KB)
format-strings.c (982 Bytes)