Home | History | Annotate | Download | only in strings
      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "base/strings/safe_sprintf.h"
      6 
      7 #include <errno.h>
      8 #include <string.h>
      9 
     10 #include <limits>
     11 
     12 #include "base/macros.h"
     13 #include "build/build_config.h"
     14 
     15 #if !defined(NDEBUG)
     16 // In debug builds, we use RAW_CHECK() to print useful error messages, if
     17 // SafeSPrintf() is called with broken arguments.
     18 // As our contract promises that SafeSPrintf() can be called from any
     19 // restricted run-time context, it is not actually safe to call logging
     20 // functions from it; and we only ever do so for debug builds and hope for the
     21 // best. We should _never_ call any logging function other than RAW_CHECK(),
     22 // and we should _never_ include any logging code that is active in production
     23 // builds. Most notably, we should not include these logging functions in
     24 // unofficial release builds, even though those builds would otherwise have
     25 // DCHECKS() enabled.
     26 // In other words; please do not remove the #ifdef around this #include.
     27 // Instead, in production builds we opt for returning a degraded result,
     28 // whenever an error is encountered.
     29 // E.g. The broken function call
     30 //        SafeSPrintf("errno = %d (%x)", errno, strerror(errno))
     31 //      will print something like
     32 //        errno = 13, (%x)
     33 //      instead of
     34 //        errno = 13 (Access denied)
     35 //      In most of the anticipated use cases, that's probably the preferred
     36 //      behavior.
     37 #include "base/logging.h"
     38 #define DEBUG_CHECK RAW_CHECK
     39 #else
     40 #define DEBUG_CHECK(x) do { if (x) { } } while (0)
     41 #endif
     42 
     43 namespace base {
     44 namespace strings {
     45 
     46 // The code in this file is extremely careful to be async-signal-safe.
     47 //
     48 // Most obviously, we avoid calling any code that could dynamically allocate
     49 // memory. Doing so would almost certainly result in bugs and dead-locks.
     50 // We also avoid calling any other STL functions that could have unintended
     51 // side-effects involving memory allocation or access to other shared
     52 // resources.
     53 //
     54 // But on top of that, we also avoid calling other library functions, as many
     55 // of them have the side-effect of calling getenv() (in order to deal with
     56 // localization) or accessing errno. The latter sounds benign, but there are
     57 // several execution contexts where it isn't even possible to safely read let
     58 // alone write errno.
     59 //
     60 // The stated design goal of the SafeSPrintf() function is that it can be
     61 // called from any context that can safely call C or C++ code (i.e. anything
     62 // that doesn't require assembly code).
     63 //
     64 // For a brief overview of some but not all of the issues with async-signal-
     65 // safety, refer to:
     66 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
     67 
     68 namespace {
     69 const size_t kSSizeMaxConst = ((size_t)(ssize_t)-1) >> 1;
     70 
     71 const char kUpCaseHexDigits[]   = "0123456789ABCDEF";
     72 const char kDownCaseHexDigits[] = "0123456789abcdef";
     73 }
     74 
     75 #if defined(NDEBUG)
     76 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
     77 // but C++ doesn't allow us to do that for constants. Instead, we have to
     78 // use careful casting and shifting. We later use a static_assert to
     79 // verify that this worked correctly.
     80 namespace {
     81 const size_t kSSizeMax = kSSizeMaxConst;
     82 }
     83 #else  // defined(NDEBUG)
     84 // For efficiency, we really need kSSizeMax to be a constant. But for unit
     85 // tests, it should be adjustable. This allows us to verify edge cases without
     86 // having to fill the entire available address space. As a compromise, we make
     87 // kSSizeMax adjustable in debug builds, and then only compile that particular
     88 // part of the unit test in debug builds.
     89 namespace {
     90 static size_t kSSizeMax = kSSizeMaxConst;
     91 }
     92 
     93 namespace internal {
     94 void SetSafeSPrintfSSizeMaxForTest(size_t max) {
     95   kSSizeMax = max;
     96 }
     97 
     98 size_t GetSafeSPrintfSSizeMaxForTest() {
     99   return kSSizeMax;
    100 }
    101 }
    102 #endif  // defined(NDEBUG)
    103 
    104 namespace {
    105 class Buffer {
    106  public:
    107   // |buffer| is caller-allocated storage that SafeSPrintf() writes to. It
    108   // has |size| bytes of writable storage. It is the caller's responsibility
    109   // to ensure that the buffer is at least one byte in size, so that it fits
    110   // the trailing NUL that will be added by the destructor. The buffer also
    111   // must be smaller or equal to kSSizeMax in size.
    112   Buffer(char* buffer, size_t size)
    113       : buffer_(buffer),
    114         size_(size - 1),  // Account for trailing NUL byte
    115         count_(0) {
    116 // MSVS2013's standard library doesn't mark max() as constexpr yet. cl.exe
    117 // supports static_cast but doesn't really implement constexpr yet so it doesn't
    118 // complain, but clang does.
    119 #if __cplusplus >= 201103 && !(defined(__clang__) && defined(OS_WIN))
    120     static_assert(kSSizeMaxConst ==
    121                       static_cast<size_t>(std::numeric_limits<ssize_t>::max()),
    122                   "kSSizeMaxConst should be the max value of an ssize_t");
    123 #endif
    124     DEBUG_CHECK(size > 0);
    125     DEBUG_CHECK(size <= kSSizeMax);
    126   }
    127 
    128   ~Buffer() {
    129     // The code calling the constructor guaranteed that there was enough space
    130     // to store a trailing NUL -- and in debug builds, we are actually
    131     // verifying this with DEBUG_CHECK()s in the constructor. So, we can
    132     // always unconditionally write the NUL byte in the destructor.  We do not
    133     // need to adjust the count_, as SafeSPrintf() copies snprintf() in not
    134     // including the NUL byte in its return code.
    135     *GetInsertionPoint() = '\000';
    136   }
    137 
    138   // Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The
    139   // caller can now stop adding more data, as GetCount() has reached its
    140   // maximum possible value.
    141   inline bool OutOfAddressableSpace() const {
    142     return count_ == static_cast<size_t>(kSSizeMax - 1);
    143   }
    144 
    145   // Returns the number of bytes that would have been emitted to |buffer_|
    146   // if it was sized sufficiently large. This number can be larger than
    147   // |size_|, if the caller provided an insufficiently large output buffer.
    148   // But it will never be bigger than |kSSizeMax-1|.
    149   inline ssize_t GetCount() const {
    150     DEBUG_CHECK(count_ < kSSizeMax);
    151     return static_cast<ssize_t>(count_);
    152   }
    153 
    154   // Emits one |ch| character into the |buffer_| and updates the |count_| of
    155   // characters that are currently supposed to be in the buffer.
    156   // Returns "false", iff the buffer was already full.
    157   // N.B. |count_| increases even if no characters have been written. This is
    158   // needed so that GetCount() can return the number of bytes that should
    159   // have been allocated for the |buffer_|.
    160   inline bool Out(char ch) {
    161     if (size_ >= 1 && count_ < size_) {
    162       buffer_[count_] = ch;
    163       return IncrementCountByOne();
    164     }
    165     // |count_| still needs to be updated, even if the buffer has been
    166     // filled completely. This allows SafeSPrintf() to return the number of
    167     // bytes that should have been emitted.
    168     IncrementCountByOne();
    169     return false;
    170   }
    171 
    172   // Inserts |padding|-|len| bytes worth of padding into the |buffer_|.
    173   // |count_| will also be incremented by the number of bytes that were meant
    174   // to be emitted. The |pad| character is typically either a ' ' space
    175   // or a '0' zero, but other non-NUL values are legal.
    176   // Returns "false", iff the the |buffer_| filled up (i.e. |count_|
    177   // overflowed |size_|) at any time during padding.
    178   inline bool Pad(char pad, size_t padding, size_t len) {
    179     DEBUG_CHECK(pad);
    180     DEBUG_CHECK(padding <= kSSizeMax);
    181     for (; padding > len; --padding) {
    182       if (!Out(pad)) {
    183         if (--padding) {
    184           IncrementCount(padding-len);
    185         }
    186         return false;
    187       }
    188     }
    189     return true;
    190   }
    191 
    192   // POSIX doesn't define any async-signal-safe function for converting
    193   // an integer to ASCII. Define our own version.
    194   //
    195   // This also gives us the ability to make the function a little more
    196   // powerful and have it deal with |padding|, with truncation, and with
    197   // predicting the length of the untruncated output.
    198   //
    199   // IToASCII() converts an integer |i| to ASCII.
    200   //
    201   // Unlike similar functions in the standard C library, it never appends a
    202   // NUL character. This is left for the caller to do.
    203   //
    204   // While the function signature takes a signed int64_t, the code decides at
    205   // run-time whether to treat the argument as signed (int64_t) or as unsigned
    206   // (uint64_t) based on the value of |sign|.
    207   //
    208   // It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have
    209   // a |sign|. Otherwise, |i| is treated as unsigned.
    210   //
    211   // For bases larger than 10, |upcase| decides whether lower-case or upper-
    212   // case letters should be used to designate digits greater than 10.
    213   //
    214   // Padding can be done with either '0' zeros or ' ' spaces. Padding has to
    215   // be positive and will always be applied to the left of the output.
    216   //
    217   // Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to
    218   // the left of |padding|, if |pad| is '0'; and to the right of |padding|
    219   // if |pad| is ' '.
    220   //
    221   // Returns "false", if the |buffer_| overflowed at any time.
    222   bool IToASCII(bool sign, bool upcase, int64_t i, int base,
    223                 char pad, size_t padding, const char* prefix);
    224 
    225  private:
    226   // Increments |count_| by |inc| unless this would cause |count_| to
    227   // overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected;
    228   // it then clamps |count_| to |kSSizeMax-1|.
    229   inline bool IncrementCount(size_t inc) {
    230     // "inc" is either 1 or a "padding" value. Padding is clamped at
    231     // run-time to at most kSSizeMax-1. So, we know that "inc" is always in
    232     // the range 1..kSSizeMax-1.
    233     // This allows us to compute "kSSizeMax - 1 - inc" without incurring any
    234     // integer overflows.
    235     DEBUG_CHECK(inc <= kSSizeMax - 1);
    236     if (count_ > kSSizeMax - 1 - inc) {
    237       count_ = kSSizeMax - 1;
    238       return false;
    239     } else {
    240       count_ += inc;
    241       return true;
    242     }
    243   }
    244 
    245   // Convenience method for the common case of incrementing |count_| by one.
    246   inline bool IncrementCountByOne() {
    247     return IncrementCount(1);
    248   }
    249 
    250   // Return the current insertion point into the buffer. This is typically
    251   // at |buffer_| + |count_|, but could be before that if truncation
    252   // happened. It always points to one byte past the last byte that was
    253   // successfully placed into the |buffer_|.
    254   inline char* GetInsertionPoint() const {
    255     size_t idx = count_;
    256     if (idx > size_) {
    257       idx = size_;
    258     }
    259     return buffer_ + idx;
    260   }
    261 
    262   // User-provided buffer that will receive the fully formatted output string.
    263   char* buffer_;
    264 
    265   // Number of bytes that are available in the buffer excluding the trailing
    266   // NUL byte that will be added by the destructor.
    267   const size_t size_;
    268 
    269   // Number of bytes that would have been emitted to the buffer, if the buffer
    270   // was sufficiently big. This number always excludes the trailing NUL byte
    271   // and it is guaranteed to never grow bigger than kSSizeMax-1.
    272   size_t count_;
    273 
    274   DISALLOW_COPY_AND_ASSIGN(Buffer);
    275 };
    276 
    277 
    278 bool Buffer::IToASCII(bool sign, bool upcase, int64_t i, int base,
    279                       char pad, size_t padding, const char* prefix) {
    280   // Sanity check for parameters. None of these should ever fail, but see
    281   // above for the rationale why we can't call CHECK().
    282   DEBUG_CHECK(base >= 2);
    283   DEBUG_CHECK(base <= 16);
    284   DEBUG_CHECK(!sign || base == 10);
    285   DEBUG_CHECK(pad == '0' || pad == ' ');
    286   DEBUG_CHECK(padding <= kSSizeMax);
    287   DEBUG_CHECK(!(sign && prefix && *prefix));
    288 
    289   // Handle negative numbers, if the caller indicated that |i| should be
    290   // treated as a signed number; otherwise treat |i| as unsigned (even if the
    291   // MSB is set!)
    292   // Details are tricky, because of limited data-types, but equivalent pseudo-
    293   // code would look like:
    294   //   if (sign && i < 0)
    295   //     prefix = "-";
    296   //   num = abs(i);
    297   int minint = 0;
    298   uint64_t num;
    299   if (sign && i < 0) {
    300     prefix = "-";
    301 
    302     // Turn our number positive.
    303     if (i == std::numeric_limits<int64_t>::min()) {
    304       // The most negative integer needs special treatment.
    305       minint = 1;
    306       num = static_cast<uint64_t>(-(i + 1));
    307     } else {
    308       // "Normal" negative numbers are easy.
    309       num = static_cast<uint64_t>(-i);
    310     }
    311   } else {
    312     num = static_cast<uint64_t>(i);
    313   }
    314 
    315   // If padding with '0' zero, emit the prefix or '-' character now. Otherwise,
    316   // make the prefix accessible in reverse order, so that we can later output
    317   // it right between padding and the number.
    318   // We cannot choose the easier approach of just reversing the number, as that
    319   // fails in situations where we need to truncate numbers that have padding
    320   // and/or prefixes.
    321   const char* reverse_prefix = NULL;
    322   if (prefix && *prefix) {
    323     if (pad == '0') {
    324       while (*prefix) {
    325         if (padding) {
    326           --padding;
    327         }
    328         Out(*prefix++);
    329       }
    330       prefix = NULL;
    331     } else {
    332       for (reverse_prefix = prefix; *reverse_prefix; ++reverse_prefix) {
    333       }
    334     }
    335   } else
    336     prefix = NULL;
    337   const size_t prefix_length = reverse_prefix - prefix;
    338 
    339   // Loop until we have converted the entire number. Output at least one
    340   // character (i.e. '0').
    341   size_t start = count_;
    342   size_t discarded = 0;
    343   bool started = false;
    344   do {
    345     // Make sure there is still enough space left in our output buffer.
    346     if (count_ >= size_) {
    347       if (start < size_) {
    348         // It is rare that we need to output a partial number. But if asked
    349         // to do so, we will still make sure we output the correct number of
    350         // leading digits.
    351         // Since we are generating the digits in reverse order, we actually
    352         // have to discard digits in the order that we have already emitted
    353         // them. This is essentially equivalent to:
    354         //   memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1)
    355         for (char* move = buffer_ + start, *end = buffer_ + size_ - 1;
    356              move < end;
    357              ++move) {
    358           *move = move[1];
    359         }
    360         ++discarded;
    361         --count_;
    362       } else if (count_ - size_ > 1) {
    363         // Need to increment either |count_| or |discarded| to make progress.
    364         // The latter is more efficient, as it eventually triggers fast
    365         // handling of padding. But we have to ensure we don't accidentally
    366         // change the overall state (i.e. switch the state-machine from
    367         // discarding to non-discarding). |count_| needs to always stay
    368         // bigger than |size_|.
    369         --count_;
    370         ++discarded;
    371       }
    372     }
    373 
    374     // Output the next digit and (if necessary) compensate for the most
    375     // negative integer needing special treatment. This works because,
    376     // no matter the bit width of the integer, the lowest-most decimal
    377     // integer always ends in 2, 4, 6, or 8.
    378     if (!num && started) {
    379       if (reverse_prefix > prefix) {
    380         Out(*--reverse_prefix);
    381       } else {
    382         Out(pad);
    383       }
    384     } else {
    385       started = true;
    386       Out((upcase ? kUpCaseHexDigits : kDownCaseHexDigits)[num%base + minint]);
    387     }
    388 
    389     minint = 0;
    390     num /= base;
    391 
    392     // Add padding, if requested.
    393     if (padding > 0) {
    394       --padding;
    395 
    396       // Performance optimization for when we are asked to output excessive
    397       // padding, but our output buffer is limited in size.  Even if we output
    398       // a 64bit number in binary, we would never write more than 64 plus
    399       // prefix non-padding characters. So, once this limit has been passed,
    400       // any further state change can be computed arithmetically; we know that
    401       // by this time, our entire final output consists of padding characters
    402       // that have all already been output.
    403       if (discarded > 8*sizeof(num) + prefix_length) {
    404         IncrementCount(padding);
    405         padding = 0;
    406       }
    407     }
    408   } while (num || padding || (reverse_prefix > prefix));
    409 
    410   // Conversion to ASCII actually resulted in the digits being in reverse
    411   // order. We can't easily generate them in forward order, as we can't tell
    412   // the number of characters needed until we are done converting.
    413   // So, now, we reverse the string (except for the possible '-' sign).
    414   char* front = buffer_ + start;
    415   char* back = GetInsertionPoint();
    416   while (--back > front) {
    417     char ch = *back;
    418     *back = *front;
    419     *front++ = ch;
    420   }
    421 
    422   IncrementCount(discarded);
    423   return !discarded;
    424 }
    425 
    426 }  // anonymous namespace
    427 
    428 namespace internal {
    429 
    430 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, const Arg* args,
    431                      const size_t max_args) {
    432   // Make sure that at least one NUL byte can be written, and that the buffer
    433   // never overflows kSSizeMax. Not only does that use up most or all of the
    434   // address space, it also would result in a return code that cannot be
    435   // represented.
    436   if (static_cast<ssize_t>(sz) < 1) {
    437     return -1;
    438   } else if (sz > kSSizeMax) {
    439     sz = kSSizeMax;
    440   }
    441 
    442   // Iterate over format string and interpret '%' arguments as they are
    443   // encountered.
    444   Buffer buffer(buf, sz);
    445   size_t padding;
    446   char pad;
    447   for (unsigned int cur_arg = 0; *fmt && !buffer.OutOfAddressableSpace(); ) {
    448     if (*fmt++ == '%') {
    449       padding = 0;
    450       pad = ' ';
    451       char ch = *fmt++;
    452     format_character_found:
    453       switch (ch) {
    454       case '0': case '1': case '2': case '3': case '4':
    455       case '5': case '6': case '7': case '8': case '9':
    456         // Found a width parameter. Convert to an integer value and store in
    457         // "padding". If the leading digit is a zero, change the padding
    458         // character from a space ' ' to a zero '0'.
    459         pad = ch == '0' ? '0' : ' ';
    460         for (;;) {
    461           // The maximum allowed padding fills all the available address
    462           // space and leaves just enough space to insert the trailing NUL.
    463           const size_t max_padding = kSSizeMax - 1;
    464           if (padding > max_padding/10 ||
    465               10*padding > max_padding - (ch - '0')) {
    466             DEBUG_CHECK(padding <= max_padding/10 &&
    467                         10*padding <= max_padding - (ch - '0'));
    468             // Integer overflow detected. Skip the rest of the width until
    469             // we find the format character, then do the normal error handling.
    470           padding_overflow:
    471             padding = max_padding;
    472             while ((ch = *fmt++) >= '0' && ch <= '9') {
    473             }
    474             if (cur_arg < max_args) {
    475               ++cur_arg;
    476             }
    477             goto fail_to_expand;
    478           }
    479           padding = 10*padding + ch - '0';
    480           if (padding > max_padding) {
    481             // This doesn't happen for "sane" values of kSSizeMax. But once
    482             // kSSizeMax gets smaller than about 10, our earlier range checks
    483             // are incomplete. Unittests do trigger this artificial corner
    484             // case.
    485             DEBUG_CHECK(padding <= max_padding);
    486             goto padding_overflow;
    487           }
    488           ch = *fmt++;
    489           if (ch < '0' || ch > '9') {
    490             // Reached the end of the width parameter. This is where the format
    491             // character is found.
    492             goto format_character_found;
    493           }
    494         }
    495         break;
    496       case 'c': {  // Output an ASCII character.
    497         // Check that there are arguments left to be inserted.
    498         if (cur_arg >= max_args) {
    499           DEBUG_CHECK(cur_arg < max_args);
    500           goto fail_to_expand;
    501         }
    502 
    503         // Check that the argument has the expected type.
    504         const Arg& arg = args[cur_arg++];
    505         if (arg.type != Arg::INT && arg.type != Arg::UINT) {
    506           DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
    507           goto fail_to_expand;
    508         }
    509 
    510         // Apply padding, if needed.
    511         buffer.Pad(' ', padding, 1);
    512 
    513         // Convert the argument to an ASCII character and output it.
    514         char as_char = static_cast<char>(arg.integer.i);
    515         if (!as_char) {
    516           goto end_of_output_buffer;
    517         }
    518         buffer.Out(as_char);
    519         break; }
    520       case 'd':    // Output a possibly signed decimal value.
    521       case 'o':    // Output an unsigned octal value.
    522       case 'x':    // Output an unsigned hexadecimal value.
    523       case 'X':
    524       case 'p': {  // Output a pointer value.
    525         // Check that there are arguments left to be inserted.
    526         if (cur_arg >= max_args) {
    527           DEBUG_CHECK(cur_arg < max_args);
    528           goto fail_to_expand;
    529         }
    530 
    531         const Arg& arg = args[cur_arg++];
    532         int64_t i;
    533         const char* prefix = NULL;
    534         if (ch != 'p') {
    535           // Check that the argument has the expected type.
    536           if (arg.type != Arg::INT && arg.type != Arg::UINT) {
    537             DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
    538             goto fail_to_expand;
    539           }
    540           i = arg.integer.i;
    541 
    542           if (ch != 'd') {
    543             // The Arg() constructor automatically performed sign expansion on
    544             // signed parameters. This is great when outputting a %d decimal
    545             // number, but can result in unexpected leading 0xFF bytes when
    546             // outputting a %x hexadecimal number. Mask bits, if necessary.
    547             // We have to do this here, instead of in the Arg() constructor, as
    548             // the Arg() constructor cannot tell whether we will output a %d
    549             // or a %x. Only the latter should experience masking.
    550             if (arg.integer.width < sizeof(int64_t)) {
    551               i &= (1LL << (8*arg.integer.width)) - 1;
    552             }
    553           }
    554         } else {
    555           // Pointer values require an actual pointer or a string.
    556           if (arg.type == Arg::POINTER) {
    557             i = reinterpret_cast<uintptr_t>(arg.ptr);
    558           } else if (arg.type == Arg::STRING) {
    559             i = reinterpret_cast<uintptr_t>(arg.str);
    560           } else if (arg.type == Arg::INT &&
    561                      arg.integer.width == sizeof(NULL) &&
    562                      arg.integer.i == 0) {  // Allow C++'s version of NULL
    563             i = 0;
    564           } else {
    565             DEBUG_CHECK(arg.type == Arg::POINTER || arg.type == Arg::STRING);
    566             goto fail_to_expand;
    567           }
    568 
    569           // Pointers always include the "0x" prefix.
    570           prefix = "0x";
    571         }
    572 
    573         // Use IToASCII() to convert to ASCII representation. For decimal
    574         // numbers, optionally print a sign. For hexadecimal numbers,
    575         // distinguish between upper and lower case. %p addresses are always
    576         // printed as upcase. Supports base 8, 10, and 16. Prints padding
    577         // and/or prefixes, if so requested.
    578         buffer.IToASCII(ch == 'd' && arg.type == Arg::INT,
    579                         ch != 'x', i,
    580                         ch == 'o' ? 8 : ch == 'd' ? 10 : 16,
    581                         pad, padding, prefix);
    582         break; }
    583       case 's': {
    584         // Check that there are arguments left to be inserted.
    585         if (cur_arg >= max_args) {
    586           DEBUG_CHECK(cur_arg < max_args);
    587           goto fail_to_expand;
    588         }
    589 
    590         // Check that the argument has the expected type.
    591         const Arg& arg = args[cur_arg++];
    592         const char *s;
    593         if (arg.type == Arg::STRING) {
    594           s = arg.str ? arg.str : "<NULL>";
    595         } else if (arg.type == Arg::INT && arg.integer.width == sizeof(NULL) &&
    596                    arg.integer.i == 0) {  // Allow C++'s version of NULL
    597           s = "<NULL>";
    598         } else {
    599           DEBUG_CHECK(arg.type == Arg::STRING);
    600           goto fail_to_expand;
    601         }
    602 
    603         // Apply padding, if needed. This requires us to first check the
    604         // length of the string that we are outputting.
    605         if (padding) {
    606           size_t len = 0;
    607           for (const char* src = s; *src++; ) {
    608             ++len;
    609           }
    610           buffer.Pad(' ', padding, len);
    611         }
    612 
    613         // Printing a string involves nothing more than copying it into the
    614         // output buffer and making sure we don't output more bytes than
    615         // available space; Out() takes care of doing that.
    616         for (const char* src = s; *src; ) {
    617           buffer.Out(*src++);
    618         }
    619         break; }
    620       case '%':
    621         // Quoted percent '%' character.
    622         goto copy_verbatim;
    623       fail_to_expand:
    624         // C++ gives us tools to do type checking -- something that snprintf()
    625         // could never really do. So, whenever we see arguments that don't
    626         // match up with the format string, we refuse to output them. But
    627         // since we have to be extremely conservative about being async-
    628         // signal-safe, we are limited in the type of error handling that we
    629         // can do in production builds (in debug builds we can use
    630         // DEBUG_CHECK() and hope for the best). So, all we do is pass the
    631         // format string unchanged. That should eventually get the user's
    632         // attention; and in the meantime, it hopefully doesn't lose too much
    633         // data.
    634       default:
    635         // Unknown or unsupported format character. Just copy verbatim to
    636         // output.
    637         buffer.Out('%');
    638         DEBUG_CHECK(ch);
    639         if (!ch) {
    640           goto end_of_format_string;
    641         }
    642         buffer.Out(ch);
    643         break;
    644       }
    645     } else {
    646   copy_verbatim:
    647     buffer.Out(fmt[-1]);
    648     }
    649   }
    650  end_of_format_string:
    651  end_of_output_buffer:
    652   return buffer.GetCount();
    653 }
    654 
    655 }  // namespace internal
    656 
    657 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt) {
    658   // Make sure that at least one NUL byte can be written, and that the buffer
    659   // never overflows kSSizeMax. Not only does that use up most or all of the
    660   // address space, it also would result in a return code that cannot be
    661   // represented.
    662   if (static_cast<ssize_t>(sz) < 1) {
    663     return -1;
    664   } else if (sz > kSSizeMax) {
    665     sz = kSSizeMax;
    666   }
    667 
    668   Buffer buffer(buf, sz);
    669 
    670   // In the slow-path, we deal with errors by copying the contents of
    671   // "fmt" unexpanded. This means, if there are no arguments passed, the
    672   // SafeSPrintf() function always degenerates to a version of strncpy() that
    673   // de-duplicates '%' characters.
    674   const char* src = fmt;
    675   for (; *src; ++src) {
    676     buffer.Out(*src);
    677     DEBUG_CHECK(src[0] != '%' || src[1] == '%');
    678     if (src[0] == '%' && src[1] == '%') {
    679       ++src;
    680     }
    681   }
    682   return buffer.GetCount();
    683 }
    684 
    685 }  // namespace strings
    686 }  // namespace base
    687