Re: kern/60034: Eliminate -Wformat-nonliteral warnings and improve security in ahd, ddb, and dev_verbose.c

["Joao Bonifacio via gnats" <gnats-admin%NetBSD.org@localhost>]

The following reply was made to PR kern/60034; it has been noted by GNATS.

From: Joao Bonifacio <joaoboni017%gmail.com@localhost>
To: gnats-bugs%netbsd.org@localhost, kern-bug-people%netbsd.org@localhost,
 gnats-admin%netbsd.org@localhost, 	netbsd-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/60034: Eliminate -Wformat-nonliteral warnings and improve
 security in ahd, ddb, and dev_verbose.c
Date: Fri, 27 Feb 2026 12:44:26 -0300

 Hi Valery Ushakov, i wish you're fine.
 
 Thanks for the feedback.
 
 I agree that since these formats are internal, using a __format_arg
 helper is a much more better way to satisfy WARNS=3D5 without breaking
 flexibility or bloating the code with conditionals.
 
 I will rework the three patches into a V2 using a format_ok inline
 helper (or similar) to keep the original logic intact. This should also
 solve the issues I was seeing with ixgbe.
 
 I'll send the updated patches soon.
 
 
 Em qua, 2026-02-25 =C3=A0s 01:05 +0000, Valery Ushakov via gnats escreveu:
 > The following reply was made to PR kern/60034; it has been noted by
 > GNATS.
 >=20
 > From: Valery Ushakov <uwe%stderr.spb.ru@localhost>
 > To: gnats-bugs%netbsd.org@localhost
 > Cc:=20
 > Subject: Re: kern/60034: Eliminate -Wformat-nonliteral warnings and
 > improve
 > =C2=A0security in ahd, ddb, and dev_verbose.c
 > Date: Wed, 25 Feb 2026 03:46:02 +0300
 >=20
 > =C2=A0Just a quick drive-by comment, I haven't actually looked at the cod=
 e
 > =C2=A0too closely.
 > =C2=A0
 > =C2=A0On Tue, Feb 24, 2026 at 22:55:00 +0000, joaoboni017%gmail.com@localhost=C2=A0=
 via
 > gnats wrote:
 > =C2=A0
 > =C2=A0> This PR addresses several -Wformat-nonliteral warnings across
 > =C2=A0> different subsystems (pci, ddb, and dev_verbose).=C2=A0 These war=
 nings
 > =C2=A0> are currently blocking the transition to a higher WARNS level
 > =C2=A0> (WARNS=3D5) for these files.
 > =C2=A0
 > =C2=A0I haven't checked, but all of these variable format strings actuall=
 y
 > =C2=A0come from our own source code, so it's not _too_ bad.=C2=A0 And you=
  can
 > =C2=A0shut up gcc with something like:
 > =C2=A0
 > =C2=A0
 > https://hg.sr.ht/~nbuwe/printf_checkformat/browse/printf_checkformat.c
 > ?rev=3Dedc408c65ea3#L61
 > =C2=A0
 > =C2=A0/*
 > =C2=A0 * A do-nothing counterpart to printf_checkformat(3) (or
 > fmtcheck(3))
 > =C2=A0 * that only supplies the __format_arg marker.=C2=A0 Actual check i=
 s
 > =C2=A0 * expected to have been done once, in advance.
 > =C2=A0 *
 > =C2=A0 *=C2=A0=C2=A0 printf(format_ok("%d", userfmt), arg);
 > =C2=A0 */
 > =C2=A0__always_inline __format_arg(1)
 > =C2=A0static inline const char *
 > =C2=A0format_ok(const char *template, const char *userfmt)
 > =C2=A0{
 > =C2=A0	(void) template;
 > =C2=A0	return userfmt;
 > =C2=A0}
 > =C2=A0
 > =C2=A0
 > =C2=A0
 > =C2=A0> @@ -94,6 +103,14 @@ dev_findproduct(char *buf, size_t len, const
 > char *words, size_t nwords,
 > =C2=A0>=C2=A0=C2=A0		while (n < nproducts && products[n] !=3D 0)
 > =C2=A0>=C2=A0=C2=A0			n++;
 > =C2=A0>=C2=A0=C2=A0	}
 > =C2=A0> -	snprintf(buf, len, fmt, product);
 > =C2=A0> +=C2=A0=C2=A0=C2=A0 /*
 > =C2=A0> +=C2=A0=C2=A0=C2=A0=C2=A0 * Avoid Wformat-nonliteral
 > =C2=A0> +=C2=A0=C2=A0=C2=A0=C2=A0 */
 > =C2=A0> +=C2=A0=C2=A0=C2=A0=C2=A0 if (fmt !=3D NULL && strcmp(fmt, "0x%04=
 x") =3D=3D 0){
 > =C2=A0> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 snprintf(buf, len, "0=
 x%04x", product);
 > =C2=A0> +=C2=A0=C2=A0=C2=A0 } else {
 > =C2=A0> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 snprintf(buf, len, "0=
 x%08x", product);
 > =C2=A0> +=C2=A0=C2=A0=C2=A0 }
 > =C2=A0> +
 > =C2=A0
 > =C2=A0This seems to completely ignore the formats passed to this function=
 ,
 > =C2=A0like
 > =C2=A0
 > =C2=A0#define mii_id1_format	 "oui %6.6x"
 > =C2=A0#define mii_id2_format	 "model %4.4x"
 > =C2=A0
 > =C2=A0-uwe
 > =C2=A0