[runtime] Adopt safer native compiler flags: Wformat-nonliteral (#24090)

rolfbjarne · web-flow · commit ee53f847857f · 2025-10-28T11:15:31.000Z
Example warning: ```objc nsstring-localization.m:33:46: error: format string is not a string literal [-Werror,-Wformat-nonliteral] 33 | return [NSString localizedStringWithFormat: format, a]; | ^~~~~~ ``` References: * https://developer.apple.com/documentation/xcode/enabling-enhanced-security-for-your-app * https://releases.llvm.org/8.0.0/tools/clang/docs/ReleaseNotes.html#major-new-features (for -ftrivial-auto-var-init=zero) Contributes towards #23023.
diff --git a/mk/rules.mk b/mk/rules.mk
@@ -43,6 +43,7 @@ CFLAGS=\
 	-Wsemicolon-before-method-body \
 	-Wsign-compare \
 	-Wshadow \
+	-Wformat-nonliteral \
 	-g \
 	-I.
 SWIFTFLAGS=-g -emit-library
diff --git a/runtime/nsstring-localization.m b/runtime/nsstring-localization.m
@@ -14,10 +14,14 @@
 
 #include <pthread.h>
 
-// Silence this warning:
+// Silence these warnings:
 // nsstring-localization.m:22:46: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
 //        return [NSString localizedStringWithFormat: format];
 #pragma clang diagnostic ignored "-Wformat-security"
+// nsstring-localization.m:33:46: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
+//    33 |         return [NSString localizedStringWithFormat: format, a];
+//       |                                                     ^~~~~~
+#pragma clang diagnostic ignored "-Wformat-nonliteral"
 
 extern "C" {
 
diff --git a/runtime/runtime.m b/runtime/runtime.m
@@ -1310,7 +1310,16 @@ -(struct NSObjectData*) xamarinGetNSObjectData;
 	char *formatted = NULL;
 
 	va_start (args, msg);
+
+// Silence this warning:
+// runtime.m:1313:25: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
+//  1313 |         vasprintf (&formatted, msg, args);
+//       |                                ^~~~~
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wformat-nonliteral"
 	vasprintf (&formatted, msg, args);
+#pragma clang diagnostic pop
+
 	va_end (args);
 
 	return formatted;
@@ -1323,7 +1332,16 @@ -(struct NSObjectData*) xamarinGetNSObjectData;
 	char *formatted = NULL;
 
 	va_start (args, msg);
+
+// Silence this warning:
+// runtime.m:1335:25: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
+//  1335 |         vasprintf (&formatted, msg, args);
+//       |                                ^~~
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wformat-nonliteral"
 	vasprintf (&formatted, msg, args);
+#pragma clang diagnostic pop
+
 	if (formatted) {
 		PRINT ( PRODUCT ": %s", formatted);
 		free (formatted);
@@ -2552,7 +2570,14 @@ -(struct NSObjectData*) xamarinGetNSObjectData;
 void
 xamarin_vprintf (const char *format, va_list args)
 {
+// Silence this warning:
+// runtime.m:2564:56: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
+//  2564 |         NSString *message = [[NSString alloc] initWithFormat: [NSString stringWithUTF8String: format] arguments: args];
+//       |                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wformat-nonliteral"
 	NSString *message = [[NSString alloc] initWithFormat: [NSString stringWithUTF8String: format] arguments: args];
+#pragma clang diagnostic pop
 	
 	NSLog (@"%@", message);	
 
