Hi Khem, Khem Raj <[email protected]> writes:
> On Mon, Jan 12, 2026 at 2:27 PM Bruno Haible <[email protected]> wrote: > >> Khem Raj wrote: >> > Clang 22 treats format strings more strictly and flags the use of >> > gettext-translated strings directly as format arguments without an >> > explicit format specifier as a security issue. >> > >> > Add "%s" format specifier to properly handle the translated strings. >> > >> > Fixes errors like: >> > error: format string is not a string literal (potentially insecure) >> [-Werror,-Wformat-security] >> >> 1. It is not an error. It is a warning, and *you* (or the coreutils >> configure.ac) >> decided to turn the warning into an error. >> >> 2. The patch is wrong. We discussed this already a while ago, and the >> summary >> is [1]: >> - There is nothing to warn about, because format string translations >> returned by _() are checked by 'msgfmt -c'. >> - It works with gcc. gcc hides such warnings when the function is >> gettext(). >> > > I wonder if this is the right thing to do. GCC does it, but should the > compiler in general > treat gettext() as special ? It looks like __attribute__ ((__format_arg__ (index))) was designed explicitly for this purpose [1]. Also see check_format_arg() in gcc/c-family/c-format.cc and check_function_arguments_recurse() in gcc/c-family/c-common.cc. It looks like Clang supports it. But this warning and the lack of documentation makes me think the support is poor [2]. I.e., it can compile code that uses the attribute but does nothing with it. Collin [1] https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-format_005farg-function-attribute [2] https://clang.llvm.org/docs/AttributeReference.html#format-arg
