https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123232

            Bug ID: 123232
           Summary: printf format type mismatch should be a
                    non-suppressible diagnostic
           Product: gcc
           Version: 13.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: 220246428 at seu dot edu.cn
  Target Milestone: ---

This report concerns a dangerous misuse of printf: the first argument (the
format string) is required to be a const char *, but an int is passed instead.
GCC currently diagnoses this as -Wint-conversion (a warning), so compilation
succeeds by default. In many real build environments, warnings may be ignored
in large logs or globally suppressed (e.g., using -w), which can allow this
clearly invalid call to build and ship without any visible diagnostic. The
resulting executable then treats a small integer value (e.g., 1) as a pointer
to a format string, which is undefined behavior and commonly causes an
immediate crash due to invalid memory access on typical platforms.
A minimal reproducer is:
    #include <stdio.h>
    int main(void) {
        int k = 1, i = 2, j = 3;
        /* deliberate misuse (this is the bug being reported): an int is passed
           where the const char * format string belongs, and the real format
           string ends up as a trailing variadic argument */
        printf(k, i, j, "index = [%d][%d][%d]\n");
        return 0;
    }
To reproduce, compile with gcc -std=c11 -O2 -Wall -Wextra -fsyntax-only repro.c
(GCC emits a warning and continues), or compile with warnings suppressed using
gcc -std=c11 -O2 -w repro.c (no diagnostic is printed and the build succeeds).
While GCC does produce a diagnostic in the default configuration, the fact that
this particular mismatch is easily suppressible is problematic because it
occurs specifically in the format-string position of a variadic printf-like
function, where missing it can directly lead to “build-success but
runtime-crash” behavior.
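The report's concern is that a -Wint-conversion warning in the format-string position can vanish in a large build log or under -w. One defensive check a build owner can apply independently of what the compiler decides to do by default is to scan the compiler log and fail the build whenever a diagnostic from a chosen set of options appears. The following is an added example, not code from the report or from GCC: it parses GCC-style "file:line:col: kind: message [-Woption]" lines, normalises the -Werror=opt spelling back to -Wopt, and applies a policy set of options (BUILD_BREAKING_OPTIONS is an assumed policy choice, not anything GCC defines). The sample log is constructed to follow GCC's usual layout for the reproducer above.

```python
import re
from typing import NamedTuple

# Policy: diagnostics that must fail the build even when GCC rates them as
# warnings.  This set is an assumption for the example, not a GCC definition.
BUILD_BREAKING_OPTIONS = frozenset({
    "-Wint-conversion",
    "-Wincompatible-pointer-types",
    "-Wformat",
    "-Wformat-security",
})

# GCC diagnostic layout: "file:line:col: kind: message [-Woption]".
# Caret lines, "In function" banners and notes without an option do not match.
DIAG_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<kind>warning|error|note): (?P<msg>.*?)"
    r"(?: \[(?P<opt>-W[^\]]+)\])?$"
)


class Finding(NamedTuple):
    file: str
    line: int
    kind: str
    option: str
    message: str


def normalise_option(opt):
    """Map '-Werror=int-conversion' to '-Wint-conversion' so that a log produced
    with -Werror= and one produced without it are judged by the same policy."""
    if opt.startswith("-Werror="):
        return "-W" + opt[len("-Werror="):]
    return opt


def parse_gcc_log(text):
    """Return a Finding for every diagnostic line that names a -W option."""
    findings = []
    for raw in text.splitlines():
        m = DIAG_RE.match(raw.strip())
        if not m or not m.group("opt"):
            continue
        findings.append(Finding(
            m.group("file"), int(m.group("line")), m.group("kind"),
            normalise_option(m.group("opt")), m.group("msg")))
    return findings


def gate_build(text):
    """Return (ok, offenders). ok is False when any policy option was emitted,
    regardless of whether GCC printed it as a warning or an error."""
    offenders = [f for f in parse_gcc_log(text)
                 if f.option in BUILD_BREAKING_OPTIONS]
    return (len(offenders) == 0, offenders)


# Constructed sample log: the report's reproducer compiled with -Wall, plus an
# unrelated warning from another file that should not trip the gate.
SAMPLE_LOG = """\
repro.c: In function 'main':
repro.c:4:12: warning: passing argument 1 of 'printf' makes pointer from integer without a cast [-Wint-conversion]
    4 |     printf(k, i, j, "index = [%d][%d][%d]\\n");
      |            ^
      |            |
      |            int
In file included from repro.c:1:
/usr/include/stdio.h:356:43: note: expected 'const char *' but argument is of type 'int'
other.c:10:9: warning: unused variable 'tmp' [-Wunused-variable]
"""

if __name__ == "__main__":
    ok, offenders = gate_build(SAMPLE_LOG)
    for f in offenders:
        print(f"BUILD-BREAKING {f.file}:{f.line}: {f.message} [{f.option}]")
    raise SystemExit(0 if ok else 1)
```

In a CI job the script would read the captured compiler output (for example `gcc ... 2>&1 | tee build.log`) instead of SAMPLE_LOG; because it keys on the option name rather than on the exact message wording, it keeps working when the message text changes between GCC releases, and the -Werror= normalisation means switching a project to `-Werror=int-conversion` does not require changing the policy.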
