New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SR-9109] String.init(format:_:), String.init(format:arguments:), String.init(format:locale:_:), String.init(format:locale:arguments), and String.localizedStringWithFormat are dangerous and should be removed. #3601
Comments
The other thing we've been missing is an equivalent of Clang's -Wformat. That would help too. |
@belkadan That was my sentiment in the Radar as well — do we have something tracking that? My thoughts, since there's nothing private about this:
|
We have an Apple-internal <rdar://problem/19414352> -Wformat equivalents for Swift, but no JIRA yet. I don't think it's too hard, but it's no Starter Bug either. |
Comment by Federico Cappelli (JIRA) @itaiferber @belkadan Any update on this? I think that if we want to maintain the use of CVarArg in swift the compiler should help with the format validation implementing something like the objc `NS_FORMAT_FUNCTION()` A real-life example is os_log, that is the way-to-go for logging but it's a pain to use, with countless crashes due to wrong format strings. Something like this compiles with no problems :/ os_log("ups %@, %@, %d", "bug!") I've created an improvement ticket: https://bugs.swift.org/browse/SR-10655 |
No updates on this yet, but for |
Additional Detail from JIRA
md5: 97f356ca0132291f075d7a8709f5a166
relates to:
Issue Description:
Swift's String contains the following five functions that end up calling into CoreFoundation's CFString formatting APIs:
These all have the unappealing property of being able to cause segfaults in pure-Swift code. This is because the underlying CF functions use C variadic arguments (as exposed in the Swift API), and neither CF nor Swift validates that there are the same number of variadic arguments as there are format specifiers in the string.
This set of APIs is simply very dangerous. We should probably do some or all of the following:
1. Document these functions as being only safe to use with static format strings, and as triggering memory-unsafe behaviour if the format specifier and argument count is mismatched.
2. Adjust the function signature to only accept StaticString for the format argument. This makes it harder to misuse (dynamic format strings are almost never going to be right).
3. Replace with the new String interpolation functions.
The text was updated successfully, but these errors were encountered: