// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef BASE_STRINGS_SAFE_SPRINTF_H_ #define BASE_STRINGS_SAFE_SPRINTF_H_ #include "build/build_config.h" #include <stddef.h> #include <stdint.h> #include <stdlib.h> #if defined(OS_POSIX) || defined(OS_FUCHSIA) // For ssize_t #include <unistd.h> #endif #include "base/base_export.h" namespace base { namespace strings { #if defined(COMPILER_MSVC) // Define ssize_t inside of our namespace. #if defined(_WIN64) typedef __int64 ssize_t; #else typedef long ssize_t; #endif #endif // SafeSPrintf() is a type-safe and completely self-contained version of // snprintf(). // // SafeSNPrintf() is an alternative function signature that can be used when // not dealing with fixed-sized buffers. When possible, SafeSPrintf() should // always be used instead of SafeSNPrintf() // // These functions allow for formatting complicated messages from contexts that // require strict async-signal-safety. In fact, it is safe to call them from // any low-level execution context, as they are guaranteed to make no library // or system calls. It deliberately never touches "errno", either. // // The only exception to this rule is that in debug builds the code calls // RAW_CHECK() to help diagnose problems when the format string does not // match the rest of the arguments. In release builds, no CHECK()s are used, // and SafeSPrintf() instead returns an output string that expands only // those arguments that match their format characters. Mismatched arguments // are ignored. // // The code currently only supports a subset of format characters: // %c, %o, %d, %x, %X, %p, and %s. // // SafeSPrintf() aims to be as liberal as reasonably possible. Integer-like // values of arbitrary width can be passed to all of the format characters // that expect integers. Thus, it is explicitly legal to pass an "int" to // "%c", and output will automatically look at the LSB only. It is also // explicitly legal to pass either signed or unsigned values, and the format // characters will automatically interpret the arguments accordingly. // // It is still not legal to mix-and-match integer-like values with pointer // values. For instance, you cannot pass a pointer to %x, nor can you pass an // integer to %p. // // The one exception is "0" zero being accepted by "%p". This works-around // the problem of C++ defining NULL as an integer-like value. // // All format characters take an optional width parameter. This must be a // positive integer. For %d, %o, %x, %X and %p, if the width starts with // a leading '0', padding is done with '0' instead of ' ' characters. // // There are a few features of snprintf()-style format strings, that // SafeSPrintf() does not support at this time. // // If an actual user showed up, there is no particularly strong reason they // couldn't be added. But that assumes that the trade-offs between complexity // and utility are favorable. // // For example, adding support for negative padding widths, and for %n are all // likely to be viewed positively. They are all clearly useful, low-risk, easy // to test, don't jeopardize the async-signal-safety of the code, and overall // have little impact on other parts of SafeSPrintf() function. // // On the other hands, adding support for alternate forms, positional // arguments, grouping, wide characters, localization or floating point numbers // are all unlikely to ever be added. // // SafeSPrintf() and SafeSNPrintf() mimic the behavior of snprintf() and they // return the number of bytes needed to store the untruncated output. This // does *not* include the terminating NUL byte. // // They return -1, iff a fatal error happened. This typically can only happen, // if the buffer size is a) negative, or b) zero (i.e. not even the NUL byte // can be written). The return value can never be larger than SSIZE_MAX-1. // This ensures that the caller can always add one to the signed return code // in order to determine the amount of storage that needs to be allocated. // // While the code supports type checking and while it is generally very careful // to avoid printing incorrect values, it tends to be conservative in printing // as much as possible, even when given incorrect parameters. Typically, in // case of an error, the format string will not be expanded. (i.e. something // like SafeSPrintf(buf, "%p %d", 1, 2) results in "%p 2"). See above for // the use of RAW_CHECK() in debug builds, though. // // Basic example: // char buf[20]; // base::strings::SafeSPrintf(buf, "The answer: %2d", 42); // // Example with dynamically sized buffer (async-signal-safe). This code won't // work on Visual studio, as it requires dynamically allocating arrays on the // stack. Consider picking a smaller value for |kMaxSize| if stack size is // limited and known. On the other hand, if the parameters to SafeSNPrintf() // are trusted and not controllable by the user, you can consider eliminating // the check for |kMaxSize| altogether. The current value of SSIZE_MAX is // essentially a no-op that just illustrates how to implement an upper bound: // const size_t kInitialSize = 128; // const size_t kMaxSize = std::numeric_limits<ssize_t>::max(); // size_t size = kInitialSize; // for (;;) { // char buf[size]; // size = SafeSNPrintf(buf, size, "Error message \"%s\"\n", err) + 1; // if (sizeof(buf) < kMaxSize && size > kMaxSize) { // size = kMaxSize; // continue; // } else if (size > sizeof(buf)) // continue; // write(2, buf, size-1); // break; // } namespace internal { // Helpers that use C++ overloading, templates, and specializations to deduce // and record type information from function arguments. This allows us to // later write a type-safe version of snprintf(). struct Arg { enum Type { INT, UINT, STRING, POINTER }; // Any integer-like value. Arg(signed char c) : type(INT) { integer.i = c; integer.width = sizeof(char); } Arg(unsigned char c) : type(UINT) { integer.i = c; integer.width = sizeof(char); } Arg(signed short j) : type(INT) { integer.i = j; integer.width = sizeof(short); } Arg(unsigned short j) : type(UINT) { integer.i = j; integer.width = sizeof(short); } Arg(signed int j) : type(INT) { integer.i = j; integer.width = sizeof(int); } Arg(unsigned int j) : type(UINT) { integer.i = j; integer.width = sizeof(int); } Arg(signed long j) : type(INT) { integer.i = j; integer.width = sizeof(long); } Arg(unsigned long j) : type(UINT) { integer.i = j; integer.width = sizeof(long); } Arg(signed long long j) : type(INT) { integer.i = j; integer.width = sizeof(long long); } Arg(unsigned long long j) : type(UINT) { integer.i = j; integer.width = sizeof(long long); } // A C-style text string. Arg(const char* s) : str(s), type(STRING) { } Arg(char* s) : str(s), type(STRING) { } // Any pointer value that can be cast to a "void*". template<class T> Arg(T* p) : ptr((void*)p), type(POINTER) { } union { // An integer-like value. struct { int64_t i; unsigned char width; } integer; // A C-style text string. const char* str; // A pointer to an arbitrary object. const void* ptr; }; const enum Type type; }; // This is the internal function that performs the actual formatting of // an snprintf()-style format string. BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, const Arg* args, size_t max_args); #if !defined(NDEBUG) // In debug builds, allow unit tests to artificially lower the kSSizeMax // constant that is used as a hard upper-bound for all buffers. In normal // use, this constant should always be std::numeric_limits<ssize_t>::max(). BASE_EXPORT void SetSafeSPrintfSSizeMaxForTest(size_t max); BASE_EXPORT size_t GetSafeSPrintfSSizeMaxForTest(); #endif } // namespace internal template<typename... Args> ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, Args... args) { // Use Arg() object to record type information and then copy arguments to an // array to make it easier to iterate over them. const internal::Arg arg_array[] = { args... }; return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args)); } template<size_t N, typename... Args> ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, Args... args) { // Use Arg() object to record type information and then copy arguments to an // array to make it easier to iterate over them. const internal::Arg arg_array[] = { args... }; return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args)); } // Fast-path when we don't actually need to substitute any arguments. BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt); template<size_t N> inline ssize_t SafeSPrintf(char (&buf)[N], const char* fmt) { return SafeSNPrintf(buf, N, fmt); } } // namespace strings } // namespace base #endif // BASE_STRINGS_SAFE_SPRINTF_H_