1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef BASE_STRINGS_SAFE_SPRINTF_H_ 6 #define BASE_STRINGS_SAFE_SPRINTF_H_ 7 8 #include "build/build_config.h" 9 10 #include <stddef.h> 11 #include <stdint.h> 12 #include <stdlib.h> 13 14 #if defined(OS_POSIX) 15 // For ssize_t 16 #include <unistd.h> 17 #endif 18 19 #include "base/base_export.h" 20 21 namespace base { 22 namespace strings { 23 24 #if defined(_MSC_VER) 25 // Define ssize_t inside of our namespace. 26 #if defined(_WIN64) 27 typedef __int64 ssize_t; 28 #else 29 typedef long ssize_t; 30 #endif 31 #endif 32 33 // SafeSPrintf() is a type-safe and completely self-contained version of 34 // snprintf(). 35 // 36 // SafeSNPrintf() is an alternative function signature that can be used when 37 // not dealing with fixed-sized buffers. When possible, SafeSPrintf() should 38 // always be used instead of SafeSNPrintf() 39 // 40 // These functions allow for formatting complicated messages from contexts that 41 // require strict async-signal-safety. In fact, it is safe to call them from 42 // any low-level execution context, as they are guaranteed to make no library 43 // or system calls. It deliberately never touches "errno", either. 44 // 45 // The only exception to this rule is that in debug builds the code calls 46 // RAW_CHECK() to help diagnose problems when the format string does not 47 // match the rest of the arguments. In release builds, no CHECK()s are used, 48 // and SafeSPrintf() instead returns an output string that expands only 49 // those arguments that match their format characters. Mismatched arguments 50 // are ignored. 51 // 52 // The code currently only supports a subset of format characters: 53 // %c, %o, %d, %x, %X, %p, and %s. 54 // 55 // SafeSPrintf() aims to be as liberal as reasonably possible. Integer-like 56 // values of arbitrary width can be passed to all of the format characters 57 // that expect integers. Thus, it is explicitly legal to pass an "int" to 58 // "%c", and output will automatically look at the LSB only. It is also 59 // explicitly legal to pass either signed or unsigned values, and the format 60 // characters will automatically interpret the arguments accordingly. 61 // 62 // It is still not legal to mix-and-match integer-like values with pointer 63 // values. For instance, you cannot pass a pointer to %x, nor can you pass an 64 // integer to %p. 65 // 66 // The one exception is "0" zero being accepted by "%p". This works-around 67 // the problem of C++ defining NULL as an integer-like value. 68 // 69 // All format characters take an optional width parameter. This must be a 70 // positive integer. For %d, %o, %x, %X and %p, if the width starts with 71 // a leading '0', padding is done with '0' instead of ' ' characters. 72 // 73 // There are a few features of snprintf()-style format strings, that 74 // SafeSPrintf() does not support at this time. 75 // 76 // If an actual user showed up, there is no particularly strong reason they 77 // couldn't be added. But that assumes that the trade-offs between complexity 78 // and utility are favorable. 79 // 80 // For example, adding support for negative padding widths, and for %n are all 81 // likely to be viewed positively. They are all clearly useful, low-risk, easy 82 // to test, don't jeopardize the async-signal-safety of the code, and overall 83 // have little impact on other parts of SafeSPrintf() function. 84 // 85 // On the other hands, adding support for alternate forms, positional 86 // arguments, grouping, wide characters, localization or floating point numbers 87 // are all unlikely to ever be added. 88 // 89 // SafeSPrintf() and SafeSNPrintf() mimic the behavior of snprintf() and they 90 // return the number of bytes needed to store the untruncated output. This 91 // does *not* include the terminating NUL byte. 92 // 93 // They return -1, iff a fatal error happened. This typically can only happen, 94 // if the buffer size is a) negative, or b) zero (i.e. not even the NUL byte 95 // can be written). The return value can never be larger than SSIZE_MAX-1. 96 // This ensures that the caller can always add one to the signed return code 97 // in order to determine the amount of storage that needs to be allocated. 98 // 99 // While the code supports type checking and while it is generally very careful 100 // to avoid printing incorrect values, it tends to be conservative in printing 101 // as much as possible, even when given incorrect parameters. Typically, in 102 // case of an error, the format string will not be expanded. (i.e. something 103 // like SafeSPrintf(buf, "%p %d", 1, 2) results in "%p 2"). See above for 104 // the use of RAW_CHECK() in debug builds, though. 105 // 106 // Basic example: 107 // char buf[20]; 108 // base::strings::SafeSPrintf(buf, "The answer: %2d", 42); 109 // 110 // Example with dynamically sized buffer (async-signal-safe). This code won't 111 // work on Visual studio, as it requires dynamically allocating arrays on the 112 // stack. Consider picking a smaller value for |kMaxSize| if stack size is 113 // limited and known. On the other hand, if the parameters to SafeSNPrintf() 114 // are trusted and not controllable by the user, you can consider eliminating 115 // the check for |kMaxSize| altogether. The current value of SSIZE_MAX is 116 // essentially a no-op that just illustrates how to implement an upper bound: 117 // const size_t kInitialSize = 128; 118 // const size_t kMaxSize = std::numeric_limits<ssize_t>::max(); 119 // size_t size = kInitialSize; 120 // for (;;) { 121 // char buf[size]; 122 // size = SafeSNPrintf(buf, size, "Error message \"%s\"\n", err) + 1; 123 // if (sizeof(buf) < kMaxSize && size > kMaxSize) { 124 // size = kMaxSize; 125 // continue; 126 // } else if (size > sizeof(buf)) 127 // continue; 128 // write(2, buf, size-1); 129 // break; 130 // } 131 132 namespace internal { 133 // Helpers that use C++ overloading, templates, and specializations to deduce 134 // and record type information from function arguments. This allows us to 135 // later write a type-safe version of snprintf(). 136 137 struct Arg { 138 enum Type { INT, UINT, STRING, POINTER }; 139 140 // Any integer-like value. 141 Arg(signed char c) : type(INT) { 142 integer.i = c; 143 integer.width = sizeof(char); 144 } 145 Arg(unsigned char c) : type(UINT) { 146 integer.i = c; 147 integer.width = sizeof(char); 148 } 149 Arg(signed short j) : type(INT) { 150 integer.i = j; 151 integer.width = sizeof(short); 152 } 153 Arg(unsigned short j) : type(UINT) { 154 integer.i = j; 155 integer.width = sizeof(short); 156 } 157 Arg(signed int j) : type(INT) { 158 integer.i = j; 159 integer.width = sizeof(int); 160 } 161 Arg(unsigned int j) : type(UINT) { 162 integer.i = j; 163 integer.width = sizeof(int); 164 } 165 Arg(signed long j) : type(INT) { 166 integer.i = j; 167 integer.width = sizeof(long); 168 } 169 Arg(unsigned long j) : type(UINT) { 170 integer.i = j; 171 integer.width = sizeof(long); 172 } 173 Arg(signed long long j) : type(INT) { 174 integer.i = j; 175 integer.width = sizeof(long long); 176 } 177 Arg(unsigned long long j) : type(UINT) { 178 integer.i = j; 179 integer.width = sizeof(long long); 180 } 181 182 // A C-style text string. 183 Arg(const char* s) : str(s), type(STRING) { } 184 Arg(char* s) : str(s), type(STRING) { } 185 186 // Any pointer value that can be cast to a "void*". 187 template<class T> Arg(T* p) : ptr((void*)p), type(POINTER) { } 188 189 union { 190 // An integer-like value. 191 struct { 192 int64_t i; 193 unsigned char width; 194 } integer; 195 196 // A C-style text string. 197 const char* str; 198 199 // A pointer to an arbitrary object. 200 const void* ptr; 201 }; 202 const enum Type type; 203 }; 204 205 // This is the internal function that performs the actual formatting of 206 // an snprintf()-style format string. 207 BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, 208 const Arg* args, size_t max_args); 209 210 #if !defined(NDEBUG) 211 // In debug builds, allow unit tests to artificially lower the kSSizeMax 212 // constant that is used as a hard upper-bound for all buffers. In normal 213 // use, this constant should always be std::numeric_limits<ssize_t>::max(). 214 BASE_EXPORT void SetSafeSPrintfSSizeMaxForTest(size_t max); 215 BASE_EXPORT size_t GetSafeSPrintfSSizeMaxForTest(); 216 #endif 217 218 } // namespace internal 219 220 template<typename... Args> 221 ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, Args... args) { 222 // Use Arg() object to record type information and then copy arguments to an 223 // array to make it easier to iterate over them. 224 const internal::Arg arg_array[] = { args... }; 225 return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args)); 226 } 227 228 template<size_t N, typename... Args> 229 ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, Args... args) { 230 // Use Arg() object to record type information and then copy arguments to an 231 // array to make it easier to iterate over them. 232 const internal::Arg arg_array[] = { args... }; 233 return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args)); 234 } 235 236 // Fast-path when we don't actually need to substitute any arguments. 237 BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt); 238 template<size_t N> 239 inline ssize_t SafeSPrintf(char (&buf)[N], const char* fmt) { 240 return SafeSNPrintf(buf, N, fmt); 241 } 242 243 } // namespace strings 244 } // namespace base 245 246 #endif // BASE_STRINGS_SAFE_SPRINTF_H_ 247
