Hi,

I've got a request from CRAN to correct my package rmumps using Rcpp:
https://cran.r-project.org/web/checks/check_results_rmumps.html

The problems come from RcppExports.cpp automatically generated lines like:

    Rf_error(CHAR(rcpp_msgSEXP_gen));

With a message saying:

Found the following significant warnings:
    RcppExports.cpp:58:18: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
    ...

The fix may be as trivial as:

    Rf_error("%s", CHAR(rcpp_msgSEXP_gen));

However, if I do it manually, it will be overwritten at the next RcppExports.cpp build.
Are there some plans to incorporate this fix in Rcpp?
Am I alone in this case?

Best,
Serguei.
[Rcpp-devel] Rf_error() format string
5 messages · Serguei Sokol, Iñaki Ucar, Georgi Boshnakov +1 more
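The difference between the flagged call and the proposed `"%s"` form, as an added example that is not part of the original thread or of Rcpp. `fake_error`, `report_unsafe`, `report_safe` and `arg_conversions` are hypothetical names, `fake_error` stands in for the printf-style `Rf_error()`, and the sample messages are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for printf-style Rf_error(const char *fmt, ...):
   formats into a buffer instead of raising an R error. */
static void fake_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Count conversion specifications in s; each makes a printf-style callee
   read at least one argument. "%%" is a literal percent and reads none. */
size_t arg_conversions(const char *s)
{
    size_t count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* Flagged pattern: the message itself is the format string. */
void report_unsafe(char *out, size_t n, const char *msg) { fake_error(out, n, msg); }

/* Pattern from the thread's fix: constant format, message passed as data. */
void report_safe(char *out, size_t n, const char *msg) { fake_error(out, n, "%s", msg); }

int main(void)
{
    /* Constructed sample messages. */
    const char *msgs[] = { "index out of range", "50%% done", "bad column %s in %d rows" };
    char buf[128];
    for (size_t i = 0; i < sizeof msgs / sizeof msgs[0]; i++) {
        size_t k = arg_conversions(msgs[i]);
        report_safe(buf, sizeof buf, msgs[i]);
        printf("\"%%s\" format: [%s]\n", buf);
        if (k == 0) {  /* only well-defined when no argument is fetched */
            report_unsafe(buf, sizeof buf, msgs[i]);
            printf("as format:   [%s]\n", buf);
        } else {
            printf("as format:   skipped, would read %zu missing argument(s)\n", k);
        }
    }
    return 0;
}
```

With the message used as the format, `%%` collapses to a single `%`, and any other conversion would read arguments that were never passed; with the constant `"%s"` format the message comes out byte for byte.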
See https://github.com/RcppCore/Rcpp/pull/1288

Iñaki
On Tue, 28 Nov 2023 at 14:49, Serguei Sokol <serguei.sokol at gmail.com> wrote:
> Hi,
>
> I've got a request from CRAN to correct my package rmumps using Rcpp:
> https://cran.r-project.org/web/checks/check_results_rmumps.html
>
> The problems come from RcppExports.cpp automatically generated lines like:
>
>     Rf_error(CHAR(rcpp_msgSEXP_gen));
>
> With a message saying:
>
> Found the following significant warnings:
>     RcppExports.cpp:58:18: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>     ...
>
> The fix may be as trivial as:
>
>     Rf_error("%s", CHAR(rcpp_msgSEXP_gen));
>
> However, if I do it manually, it will be overwritten at the next RcppExports.cpp build.
> Are there some plans to incorporate this fix in Rcpp?
> Am I alone in this case?
>
> Best,
> Serguei.
_______________________________________________
Rcpp-devel mailing list
Rcpp-devel at lists.r-forge.r-project.org
https://lists.r-forge.r-project.org/cgi-bin/mailman/listinfo/rcpp-devel
Iñaki Úcar
Assistant Professor of Statistics
Director of the Master in Computational Social Science
Department of Statistics | Big Data Institute
Universidad Carlos III de Madrid
Av. de la Universidad 30, 28911 Leganés, Spain
Office: 7.3.J25, Tel: +34 916248804
The fix apparently is in the master branch. I did:
remotes::install_github("RcppCore/Rcpp")
and the warnings went away. Don't forget to restart R, in case the previous version of Rcpp has already been loaded.
Georgi Boshnakov
From: Rcpp-devel <rcpp-devel-bounces at lists.r-forge.r-project.org> on behalf of Iñaki Ucar <inaki.ucar at uc3m.es>
Sent: 28 November 2023 14:05
To: serguei.sokol at gmail.com
Cc: Rcpp-devel
Subject: Re: [Rcpp-devel] Rf_error() format string
See https://github.com/RcppCore/Rcpp/pull/1288

Iñaki

On Tue, 28 Nov 2023 at 14:49, Serguei Sokol <serguei.sokol at gmail.com> wrote:
> Hi,
>
> I've got a request from CRAN to correct my package rmumps using Rcpp:
> https://cran.r-project.org/web/checks/check_results_rmumps.html
>
> The problems come from RcppExports.cpp automatically generated lines like:
>
>     Rf_error(CHAR(rcpp_msgSEXP_gen));
>
> With a message saying:
>
> Found the following significant warnings:
>     RcppExports.cpp:58:18: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>     ...
>
> The fix may be as trivial as:
>
>     Rf_error("%s", CHAR(rcpp_msgSEXP_gen));
>
> However, if I do it manually, it will be overwritten at the next RcppExports.cpp build.
> Are there some plans to incorporate this fix in Rcpp?
> Am I alone in this case?
>
> Best,
> Serguei.

--
Iñaki Úcar
Assistant Professor of Statistics
Director of the Master in Computational Social Science
Department of Statistics | Big Data Institute
Universidad Carlos III de Madrid
Av. de la Universidad 30, 28911 Leganés, Spain
Office: 7.3.J25, Tel: +34 916248804
Sorry for being slow to respond (very busy morning at work and play, got five such emails myself) but as Inaki and Georgi helpfully pointed out already the issue is _known_ and has a _fix_ at either the default branch of the Rcpp repo, or, if you prefer, via the Rcpp drat repo as detailed in this comment of issue #1287 at the Rcpp repo

https://github.com/RcppCore/Rcpp/issues/1287#issuecomment-1829886024

from which I quote (and, again, sorry for not posting here sooner)

Yes, I actually got five such emails myself today for packages of mine using Rcpp.

The fix is simple thanks to PR #1288 we made two days ago. Install Rcpp 1.0.11.5 from the Rcpp drat repo via, e.g.,

    Rscript -e 'install.packages("Rcpp", repos=c("https://RcppCore.github.io/drat", getOption("repos")))'

and then re-run compileAttributes(). That will fix the RcppExports.cpp file for you. You then need to upload your updated package to CRAN. It has no change in its run-time dependency on Rcpp so you do not need to change anything in DESCRIPTION. Just re-run compileAttributes().

Of course, you can also use whichever tool runs `compileAttributes()` for you. I tend to use `littler` script `compAttr.r` on the command-line. Others rely on RStudio which automagically does it if it notices you rebuild a package using Rcpp. I believe the devtools/usethis nexus has this in `document_all()` (?), and I am sure someone somewhere cooked something up for VSCode too. The key is the provided function Rcpp::compileAttributes() which remains at your service and is now updated.

I may also push an updated `rocker/drd` container which I recently switched to being based on ubuntu and r2u (rather than debian). Then installing your build dependencies for your packages is trivial (I run `installDeps.r` inside the container) and it will come with an r-devel build. You "only" need to create `~/.R/Makevars` to tell the compiler to use extended format warnings. That allows you to replicate the CRAN warnings, and ensure the rebuilt RcppExports.cpp addresses it. If I find time I'll post an example on my blog.

Cheers, Dirk
dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org
Thanks to all.
As CRAN said: package rmumps_5.2.1-26.tar.gz is on its way to CRAN.

Best,
Serguei.

On 28/11/2023 at 17:49, Dirk Eddelbuettel wrote:
Sorry for being slow to respond (very busy morning at work and play, got five
such emails myself) but as Inaki and Georgi helpfully pointed out already the
issue is _known_ and has a _fix_ at either the default branch of the Rcpp
repo, or, if you prefer, via the Rcpp drat repo as detailed in this comment
of issue #1287 at the Rcpp repo
https://github.com/RcppCore/Rcpp/issues/1287#issuecomment-1829886024
from which I quote (and, again, sorry for not posting here sooner)
Yes, I actually got five such emails myself today for packages of mine
using Rcpp.
The fix is simple thanks to PR #1288 we made two days ago. Install Rcpp
1.0.11.5 from the Rcpp drat repo via, e.g.,
    Rscript -e 'install.packages("Rcpp", repos=c("https://RcppCore.github.io/drat", getOption("repos")))'
and then re-run compileAttributes(). That will fix the RcppExports.cpp file
for you. You then need to upload your updated package to CRAN. It has no
change in its run-time dependency on Rcpp so you do not need to change
anything in DESCRIPTION. Just re-run compileAttributes().
Of course, you can also use whichever tool runs `compileAttributes()` for
you. I tend to use `littler` script `compAttr.r` on the command-line. Others
rely on RStudio which automagically does it if it notices you rebuild a
package using Rcpp. I believe the devtools/usethis nexus has this in
`document_all()` (?), and I am sure someone somewhere cooked something up for
VSCode too. The key is the provided function Rcpp::compileAttributes() which
remains at your service and is now updated.
I may also push an updated `rocker/drd` container which I recently switched
to being based on ubuntu and r2u (rather than debian). Then installing your
build dependencies for your packages is trivial (I run `installDeps.r` inside
the container) and it will come with an r-devel build. You "only" need to
create `~/.R/Makevars` to tell the compiler to use extended format warnings.
That allows you to replicate the CRAN warnings, and ensure the rebuilt
RcppExports.cpp addresses it. If I find time I'll post an example on my
blog.
Cheers, Dirk