It appears that technically a null format string is not warned under -Wformat-nonliteral, as

the function processing the format string can decided whether or not to accept a null format string (e.g., asl_log).  Fixes <rdar://problem/8269537>.

llvm-svn: 113469

clang/lib/Sema/SemaChecking.cpp

@@ -955,6 +955,13 @@ bool Sema::SemaCheckStringLiteral(const Expr *E, const CallExpr *TheCall,
                                   format_idx, firstDataArg, isPrintf);
   }
 
+  case Stmt::IntegerLiteralClass:
+    // Technically -Wformat-nonliteral does not warn about this case.
+    // The behavior of printf and friends in this case is implementation
+    // dependent.  Ideally if the format string cannot be null then
+    // it should have a 'nonnull' attribute in the function prototype.
+    return true;
+
   case Stmt::ImplicitCastExprClass: {
     E = cast<ImplicitCastExpr>(E)->getSubExpr();
     goto tryAgain;

clang/test/Sema/format-strings.c

@@ -301,3 +301,10 @@ void pr7981(wint_t c, wchar_t c2) {
   printf("%lc", c2); // no-warning
 }
 
+// <rdar://problem/8269537> -Wformat-security says NULL is not a string literal
+void r8269537() {
+  // This is likely to crash in most cases, but -Wformat-nonliteral technically
+  // doesn't warn in this case.
+  printf(0); // no-warning
+}
+