Tom Tromey <[EMAIL PROTECTED]> writes:

> Ian> The second approach is of course to write a little language which is
> Ian> powerful enough to describe printf.  The state machine language I
> Ian> described earlier is too simple and perhaps overly cryptic.
>
> If we're doing that, why not use an already existing little language?

I thought about that, but it doesn't quite make sense to me yet.  It introduces yet another external software dependency into gcc, and it does it not for any fundamental need but for a rather limited feature--one which is used only for warnings, not for quality of generated code.  (I also don't know of any embeddable little language which is really right for the problem space, although of course there are quite a few which are powerful enough to solve the problem.  I think the closest existing languages to what we need are lex or awk, although I'm not aware of any easily embeddable version of either.)

> The idea of letting gcc load a .so to do the checking also seems fine.
> At least then the checking language is a standard one, not one we made
> up.

Yes.  My main concerns would be

* It's obviously vastly more powerful than anything we actually need, and using dlopen exposes the compiler to bugs in the implementation of the format checker--slowness, random memory clobbering, etc.

* The compiler is, in its own way, a system security component.  If somebody were to put format checking into a system header file which used a shared library, then substituting that shared library--perhaps by just getting the compiler to pick up a different version of it--becomes an avenue for a complex but subtle attack on the system as a whole.

Ian
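The exchange above is about what a format checker, whether written in a "little language" or loaded from a .so, actually has to describe. The following is an added illustration, not code from Ian, Tom or GCC: a small C checker that walks printf conversion specifications (flags, width, precision, length modifier, conversion) and compares each against the argument kinds a caller supplies, which is roughly the state machine -Wformat has to express. The arg_kind vocabulary, the check_format function and the sample calls are constructed for this example; the j and t modifiers and the wide-character forms of %c and %s are deliberately rejected rather than modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Argument kinds a caller claims to pass.  This vocabulary is constructed
 * for the example; it is not GCC's internal type representation. */
enum arg_kind {
  A_INT, A_UINT, A_LONG, A_ULONG, A_LLONG, A_ULLONG, A_SSIZE, A_SIZE,
  A_DOUBLE, A_LDOUBLE, A_CHARPTR, A_VOIDPTR, A_INTPTR
};

enum fmt_status {
  FMT_OK, FMT_BAD_SPEC, FMT_TOO_FEW_ARGS, FMT_TOO_MANY_ARGS, FMT_TYPE_MISMATCH
};

/* Argument kind a conversion expects given its length modifier ("" if none).
 * Returns -1 for an unknown conversion or an unsupported combination.
 * Simplification: j and t modifiers, and l with c or s, are rejected. */
static int expected_kind(char conv, const char *len) {
  bool none = len[0] == '\0';
  switch (conv) {
  case 'd': case 'i':
    if (none || !strcmp(len, "h") || !strcmp(len, "hh")) return A_INT; /* promoted */
    if (!strcmp(len, "l"))  return A_LONG;
    if (!strcmp(len, "ll")) return A_LLONG;
    if (!strcmp(len, "z"))  return A_SSIZE;
    return -1;
  case 'u': case 'o': case 'x': case 'X':
    if (none || !strcmp(len, "h") || !strcmp(len, "hh")) return A_UINT;
    if (!strcmp(len, "l"))  return A_ULONG;
    if (!strcmp(len, "ll")) return A_ULLONG;
    if (!strcmp(len, "z"))  return A_SIZE;
    return -1;
  case 'f': case 'F': case 'e': case 'E': case 'g': case 'G': case 'a': case 'A':
    if (none) return A_DOUBLE;
    if (!strcmp(len, "L")) return A_LDOUBLE;
    return -1;
  case 'c': return none ? A_INT : -1;     /* char is promoted to int */
  case 's': return none ? A_CHARPTR : -1;
  case 'p': return none ? A_VOIDPTR : -1;
  case 'n': return none ? A_INTPTR : -1;
  default:  return -1;                    /* includes '\0': format ends mid-spec */
  }
}

/* Consume one int argument for a '*' width or precision. */
static int take_star(const enum arg_kind *args, size_t nargs, size_t *used) {
  if (*used >= nargs) return FMT_TOO_FEW_ARGS;
  if (args[(*used)++] != A_INT) return FMT_TYPE_MISMATCH;
  return FMT_OK;
}

/* Walk a printf format and check every conversion against the supplied
 * argument kinds.  Grammar handled:
 *   % [flags] [width|*] [.precision|.*] [length] conversion */
enum fmt_status check_format(const char *fmt, const enum arg_kind *args, size_t nargs) {
  size_t used = 0;
  for (const char *p = fmt; *p; p++) {
    if (*p != '%') continue;
    p++;
    if (*p == '%') continue;                           /* "%%" takes no argument */
    while (*p && strchr("-+ #0", *p)) p++;             /* flags */
    if (*p == '*') {                                   /* width */
      int r = take_star(args, nargs, &used);
      if (r != FMT_OK) return r;
      p++;
    } else while (*p >= '0' && *p <= '9') p++;
    if (*p == '.') {                                   /* precision */
      p++;
      if (*p == '*') {
        int r = take_star(args, nargs, &used);
        if (r != FMT_OK) return r;
        p++;
      } else while (*p >= '0' && *p <= '9') p++;
    }
    char len[3] = {0, 0, 0};                           /* length modifier */
    if (*p == 'h' || *p == 'l') {
      len[0] = *p++;
      if (*p == len[0]) len[1] = *p++;                 /* hh or ll */
    } else if (*p == 'L' || *p == 'z') {
      len[0] = *p++;
    }
    int want = expected_kind(*p, len);
    if (want < 0) return FMT_BAD_SPEC;
    if (used >= nargs) return FMT_TOO_FEW_ARGS;
    if ((int)args[used++] != want) return FMT_TYPE_MISMATCH;
  }
  return used == nargs ? FMT_OK : FMT_TOO_MANY_ARGS;
}

int main(void) {
  /* Constructed sample calls, as a compiler would see them. */
  static const char *names[] = {"ok", "bad spec", "too few args", "too many args", "type mismatch"};
  enum arg_kind a1[] = {A_INT, A_CHARPTR}, a2[] = {A_INT}, a3[] = {A_INT, A_DOUBLE};
  printf("%%d %%s       -> %s\n", names[check_format("%d %s", a1, 2)]);
  printf("%%ld with int -> %s\n", names[check_format("%ld", a2, 1)]);
  printf("%%.*f         -> %s\n", names[check_format("%.*f", a3, 2)]);
  return 0;
}
```

Even this reduced grammar needs a handful of states and a side table of type rules, which is the point of the "is lex or awk closer to what we need" question: the checker is a lexer with typed actions, and whatever description language is chosen has to carry both the state transitions and the argument-type consequences of each conversion.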