247 lines
8.9 KiB
C++
247 lines
8.9 KiB
C++
// Copyright 2013 The Chromium Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#ifndef BASE_STRINGS_SAFE_SPRINTF_H_
|
|
#define BASE_STRINGS_SAFE_SPRINTF_H_
|
|
|
|
#include "build/build_config.h"
|
|
|
|
#include <stddef.h>
|
|
#include <stdint.h>
|
|
#include <stdlib.h>
|
|
|
|
#if defined(OS_POSIX) || defined(OS_FUCHSIA)
|
|
// For ssize_t
|
|
#include <unistd.h>
|
|
#endif
|
|
|
|
#include "base/base_export.h"
|
|
|
|
namespace base {
|
|
namespace strings {
|
|
|
|
#if defined(COMPILER_MSVC)
|
|
// Define ssize_t inside of our namespace.
|
|
#if defined(_WIN64)
|
|
typedef __int64 ssize_t;
|
|
#else
|
|
typedef long ssize_t;
|
|
#endif
|
|
#endif
|
|
|
|
// SafeSPrintf() is a type-safe and completely self-contained version of
|
|
// snprintf().
|
|
//
|
|
// SafeSNPrintf() is an alternative function signature that can be used when
|
|
// not dealing with fixed-sized buffers. When possible, SafeSPrintf() should
|
|
// always be used instead of SafeSNPrintf()
|
|
//
|
|
// These functions allow for formatting complicated messages from contexts that
|
|
// require strict async-signal-safety. In fact, it is safe to call them from
|
|
// any low-level execution context, as they are guaranteed to make no library
|
|
// or system calls. It deliberately never touches "errno", either.
|
|
//
|
|
// The only exception to this rule is that in debug builds the code calls
|
|
// RAW_CHECK() to help diagnose problems when the format string does not
|
|
// match the rest of the arguments. In release builds, no CHECK()s are used,
|
|
// and SafeSPrintf() instead returns an output string that expands only
|
|
// those arguments that match their format characters. Mismatched arguments
|
|
// are ignored.
|
|
//
|
|
// The code currently only supports a subset of format characters:
|
|
// %c, %o, %d, %x, %X, %p, and %s.
|
|
//
|
|
// SafeSPrintf() aims to be as liberal as reasonably possible. Integer-like
|
|
// values of arbitrary width can be passed to all of the format characters
|
|
// that expect integers. Thus, it is explicitly legal to pass an "int" to
|
|
// "%c", and output will automatically look at the LSB only. It is also
|
|
// explicitly legal to pass either signed or unsigned values, and the format
|
|
// characters will automatically interpret the arguments accordingly.
|
|
//
|
|
// It is still not legal to mix-and-match integer-like values with pointer
|
|
// values. For instance, you cannot pass a pointer to %x, nor can you pass an
|
|
// integer to %p.
|
|
//
|
|
// The one exception is "0" zero being accepted by "%p". This works-around
|
|
// the problem of C++ defining NULL as an integer-like value.
|
|
//
|
|
// All format characters take an optional width parameter. This must be a
|
|
// positive integer. For %d, %o, %x, %X and %p, if the width starts with
|
|
// a leading '0', padding is done with '0' instead of ' ' characters.
|
|
//
|
|
// There are a few features of snprintf()-style format strings, that
|
|
// SafeSPrintf() does not support at this time.
|
|
//
|
|
// If an actual user showed up, there is no particularly strong reason they
|
|
// couldn't be added. But that assumes that the trade-offs between complexity
|
|
// and utility are favorable.
|
|
//
|
|
// For example, adding support for negative padding widths, and for %n are all
|
|
// likely to be viewed positively. They are all clearly useful, low-risk, easy
|
|
// to test, don't jeopardize the async-signal-safety of the code, and overall
|
|
// have little impact on other parts of SafeSPrintf() function.
|
|
//
|
|
// On the other hands, adding support for alternate forms, positional
|
|
// arguments, grouping, wide characters, localization or floating point numbers
|
|
// are all unlikely to ever be added.
|
|
//
|
|
// SafeSPrintf() and SafeSNPrintf() mimic the behavior of snprintf() and they
|
|
// return the number of bytes needed to store the untruncated output. This
|
|
// does *not* include the terminating NUL byte.
|
|
//
|
|
// They return -1, iff a fatal error happened. This typically can only happen,
|
|
// if the buffer size is a) negative, or b) zero (i.e. not even the NUL byte
|
|
// can be written). The return value can never be larger than SSIZE_MAX-1.
|
|
// This ensures that the caller can always add one to the signed return code
|
|
// in order to determine the amount of storage that needs to be allocated.
|
|
//
|
|
// While the code supports type checking and while it is generally very careful
|
|
// to avoid printing incorrect values, it tends to be conservative in printing
|
|
// as much as possible, even when given incorrect parameters. Typically, in
|
|
// case of an error, the format string will not be expanded. (i.e. something
|
|
// like SafeSPrintf(buf, "%p %d", 1, 2) results in "%p 2"). See above for
|
|
// the use of RAW_CHECK() in debug builds, though.
|
|
//
|
|
// Basic example:
|
|
// char buf[20];
|
|
// base::strings::SafeSPrintf(buf, "The answer: %2d", 42);
|
|
//
|
|
// Example with dynamically sized buffer (async-signal-safe). This code won't
|
|
// work on Visual studio, as it requires dynamically allocating arrays on the
|
|
// stack. Consider picking a smaller value for |kMaxSize| if stack size is
|
|
// limited and known. On the other hand, if the parameters to SafeSNPrintf()
|
|
// are trusted and not controllable by the user, you can consider eliminating
|
|
// the check for |kMaxSize| altogether. The current value of SSIZE_MAX is
|
|
// essentially a no-op that just illustrates how to implement an upper bound:
|
|
// const size_t kInitialSize = 128;
|
|
// const size_t kMaxSize = std::numeric_limits<ssize_t>::max();
|
|
// size_t size = kInitialSize;
|
|
// for (;;) {
|
|
// char buf[size];
|
|
// size = SafeSNPrintf(buf, size, "Error message \"%s\"\n", err) + 1;
|
|
// if (sizeof(buf) < kMaxSize && size > kMaxSize) {
|
|
// size = kMaxSize;
|
|
// continue;
|
|
// } else if (size > sizeof(buf))
|
|
// continue;
|
|
// write(2, buf, size-1);
|
|
// break;
|
|
// }
|
|
|
|
namespace internal {
|
|
// Helpers that use C++ overloading, templates, and specializations to deduce
|
|
// and record type information from function arguments. This allows us to
|
|
// later write a type-safe version of snprintf().
|
|
|
|
struct Arg {
|
|
enum Type { INT, UINT, STRING, POINTER };
|
|
|
|
// Any integer-like value.
|
|
Arg(signed char c) : type(INT) {
|
|
integer.i = c;
|
|
integer.width = sizeof(char);
|
|
}
|
|
Arg(unsigned char c) : type(UINT) {
|
|
integer.i = c;
|
|
integer.width = sizeof(char);
|
|
}
|
|
Arg(signed short j) : type(INT) {
|
|
integer.i = j;
|
|
integer.width = sizeof(short);
|
|
}
|
|
Arg(unsigned short j) : type(UINT) {
|
|
integer.i = j;
|
|
integer.width = sizeof(short);
|
|
}
|
|
Arg(signed int j) : type(INT) {
|
|
integer.i = j;
|
|
integer.width = sizeof(int);
|
|
}
|
|
Arg(unsigned int j) : type(UINT) {
|
|
integer.i = j;
|
|
integer.width = sizeof(int);
|
|
}
|
|
Arg(signed long j) : type(INT) {
|
|
integer.i = j;
|
|
integer.width = sizeof(long);
|
|
}
|
|
Arg(unsigned long j) : type(UINT) {
|
|
integer.i = j;
|
|
integer.width = sizeof(long);
|
|
}
|
|
Arg(signed long long j) : type(INT) {
|
|
integer.i = j;
|
|
integer.width = sizeof(long long);
|
|
}
|
|
Arg(unsigned long long j) : type(UINT) {
|
|
integer.i = j;
|
|
integer.width = sizeof(long long);
|
|
}
|
|
|
|
// A C-style text string.
|
|
Arg(const char* s) : str(s), type(STRING) { }
|
|
Arg(char* s) : str(s), type(STRING) { }
|
|
|
|
// Any pointer value that can be cast to a "void*".
|
|
template<class T> Arg(T* p) : ptr((void*)p), type(POINTER) { }
|
|
|
|
union {
|
|
// An integer-like value.
|
|
struct {
|
|
int64_t i;
|
|
unsigned char width;
|
|
} integer;
|
|
|
|
// A C-style text string.
|
|
const char* str;
|
|
|
|
// A pointer to an arbitrary object.
|
|
const void* ptr;
|
|
};
|
|
const enum Type type;
|
|
};
|
|
|
|
// This is the internal function that performs the actual formatting of
|
|
// an snprintf()-style format string.
|
|
BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt,
|
|
const Arg* args, size_t max_args);
|
|
|
|
#if !defined(NDEBUG)
|
|
// In debug builds, allow unit tests to artificially lower the kSSizeMax
|
|
// constant that is used as a hard upper-bound for all buffers. In normal
|
|
// use, this constant should always be std::numeric_limits<ssize_t>::max().
|
|
BASE_EXPORT void SetSafeSPrintfSSizeMaxForTest(size_t max);
|
|
BASE_EXPORT size_t GetSafeSPrintfSSizeMaxForTest();
|
|
#endif
|
|
|
|
} // namespace internal
|
|
|
|
template<typename... Args>
|
|
ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, Args... args) {
|
|
// Use Arg() object to record type information and then copy arguments to an
|
|
// array to make it easier to iterate over them.
|
|
const internal::Arg arg_array[] = { args... };
|
|
return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args));
|
|
}
|
|
|
|
template<size_t N, typename... Args>
|
|
ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, Args... args) {
|
|
// Use Arg() object to record type information and then copy arguments to an
|
|
// array to make it easier to iterate over them.
|
|
const internal::Arg arg_array[] = { args... };
|
|
return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args));
|
|
}
|
|
|
|
// Fast-path when we don't actually need to substitute any arguments.
|
|
BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt);
|
|
template<size_t N>
|
|
inline ssize_t SafeSPrintf(char (&buf)[N], const char* fmt) {
|
|
return SafeSNPrintf(buf, N, fmt);
|
|
}
|
|
|
|
} // namespace strings
|
|
} // namespace base
|
|
|
|
#endif // BASE_STRINGS_SAFE_SPRINTF_H_
|