base/debug/format.h - Issue 18656004: Added a new SafeSPrintf() function that implements snprintf() in an async-safe-fashion

Side by Side Diff: base/debug/format.h

Issue 18656004: Added a new SafeSPrintf() function that implements snprintf() in an async-safe-fashion (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Addressed Jeffrey's comments Created 7 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4 //

	5 // Author: markus@chromium.org

	6

	7 #ifndef BASE_DEBUG_FORMAT_H_

	8 #define BASE_DEBUG_FORMAT_H_

	9

	10 #include <stddef.h>

	11 #include <stdint.h>

	12 #include <stdlib.h>

	13

	14 #if defined(__unix__)

	15 // For ssize_t

	16 #include <unistd.h>

	17 #endif

	18

	19 #include "base/base_export.h"

	20 #include "base/basictypes.h"

	21

	22 namespace base {

	23 namespace debug {

	24

	25 #if defined(_MSC_VER)

	26 // Define ssize_t inside of our namespace.
	jln (very slow on Chromium) 2013/08/01 00:03:15 The comment is a bit misleading since this won't b The comment is a bit misleading since this won't be scoped to a namespace. This probably belongs in base/basictypes.h ?
	27 #if defined(_WIN64)

	28 typedef __int64 ssize_t;

	29 #else

	30 typedef long ssize_t;

	31 #endif

	32 #endif

	33

	34 // Format() is a type-safe and async-signal-safe version of snprintf().

	35 //

	36 // FormatN() is an alternative function signature that can be used when

	37 // not dealing with fixed-sized buffers. When possible, Format() should always

	38 // be used in favor of FormatN()
	jln (very slow on Chromium) 2013/08/01 00:03:15 s/in favor/instead/ ? s/in favor/instead/ ?
	39 //

	40 // These functions allow for formatting complicated messages from contexts that

	41 // require strict async-signal-safety. In fact, it is safe to call them from

	42 // any low-level execution context; even from contexts that have stricter

	43 // requirements than just async-signal-safety.

	44 //

	45 // The code currently only supports a subset of format characters:

	46 // %c, %d, %x, %X, %p, and %s.

	47 //

	48 // Format() aims to be as liberal as reasonably possible. Integer-like values

	49 // of arbitrary width can be passed to all of the format characters that expect

	50 // integers. Thus, it is explicitly legal to pass an "int" to "%c", and output

	51 // will automatically look at the LSB only. It is also explicitly legal to

	52 // pass either signed or unsigned values, and the format characters will

	53 // automatically interpret the arguments accordingly.

	54 //

	55 // It is still not legal to mix-and-match integer-like values with pointer

	56 // values. For instance, you cannot pass a pointer to %x, nor can you pass an

	57 // integer to %p.

	58 //

	59 // The one exception is "0" zero being accepted by "%p". This works-around

	60 // the problem of C++ defining NULL as an integer-like value.

	61 //

	62 // All format characters take an optional width parameter. This must be a

	63 // positive integer. For %d, %x, %X and %p, if the width starts with

	64 // a leading '0', padding is done with '0' instead of ' ' characters.

	65 //

	66 // There are a few features of snprintf-style format strings, that Format()

	67 // does not support at this time. If an actual user shows up, I would not be
	jln (very slow on Chromium) 2013/08/01 00:03:15 Could you try to phrase without the first person ? Could you try to phrase without the first person ?
	68 // opposed to adding support for these features. But that assumes that the

	69 // trade-offs between complexity and utility are favorable.

	70 //

	71 // For example, adding support for negative padding widths, for %n and for

	72 // octal numbers are all likely to be viewed positively.

	73 //

	74 // On the other hands, adding support for alternate forms, positional

	75 // arguments, grouping, wide characters, localization or floating point numbers

	76 // are all unlikely to ever be added.

	77 //

	78 // Format() and FormatN() mimicks the behavior of snprintf() and they return

	79 // the number of bytes needed to store the untruncated output. This does not

	80 // include the terminating NUL byte.

	81 //

	82 // They return -1, iff a fatal error happened. This typically can only happen,

	83 // if the buffer size is a) negative, b) zero (i.e. not even the NUL byte can

	84 // be written), or c) bigger than SSIZE_MAX.

	85 //

	86 // While the code supports type checking and while it is generally very careful

	87 // to avoid printing incorrect values, it tends to be conservative in printing

	88 // as much as possible, even when given incorrect parameters. Typically, in

	89 // case of an error, the format string will not be expanded. (i.e. something

	90 // like Format(buf, "%p %d", 1, 2) results in "%p 2").

	91 //

	92 // The pre-C++11 version cannot handle more than ten arguments.

	93 //

	94 // Basic example:

	95 // char buf[20];

	96 // base::debug::Format(buf, "The answer: %2d", 42);

	97 //

	98 // Example with dynamically sized buffer (async-signal-safe); this code won't

	99 // work on Visual studio, as it requires dynamically allocating arrays on the

	100 // stack:

	101 // const size_t kInitialSize = 128;

	102 // size_t sz = kInitialSize;

	103 // for (;;) {

	104 // char buf[sz];
	jln (very slow on Chromium) 2013/08/01 00:03:15 I'm a bit uneasy with recommending such a pattern. I'm a bit uneasy with recommending such a pattern. Most stack overflows are harmless for security, but it may not always be the case (at least it allows to DoS). This should at least state that "err" has to be trusted input. Recognizing trusted input is much harder than it seems most of the time, so I'm worried about this pattern.
	105 // sz = FormatN(buf, sz, "Error message \"%s\"\n", err) + 1;

	106 // if (sz > sizeof(buf))

	107 // continue;

	108 // write(2, buf, sz-1);

	109 // break;

	110 // }

	111

	112 namespace internal {

	113 // Helpers that use C++ overloading, templates, and specializations to deduce

	114 // and record type information from function arguments. This allows us to

	115 // later write a type-safe version of snprintf().

	116

	117 struct Arg {

	118 // Any integer-like value.

	119 Arg(signed char c) : i_(c), width_(sizeof(char)), type_(INT) { }

	120 Arg(unsigned char c) : i_(c), width_(sizeof(char)), type_(UINT) { }

	121 Arg(signed short i) : i_(i), width_(sizeof(short)), type_(INT) { }

	122 Arg(unsigned short i) : i_(i), width_(sizeof(short)), type_(UINT) { }

	123 Arg(signed int i) : i_(i), width_(sizeof(int)), type_(INT) { }

	124 Arg(unsigned int i) : i_(i), width_(sizeof(int)), type_(UINT) { }

	125 Arg(signed long i) : i_(i), width_(sizeof(long)), type_(INT) { }

	126 Arg(unsigned long i) : i_(i), width_(sizeof(long)), type_(UINT) { }

	127 Arg(signed long long i) : i_(i), width_(sizeof(long long)),

	128 type_(INT) { }

	129 Arg(unsigned long long i) : i_(i), width_(sizeof(long long)),

	130 type_(UINT) { }

	131

	132 // A C-style text string.

	133 Arg(const char* s) : s_(s), type_(STRING) { }

	134 Arg(char* s) : s_(s), type_(STRING) { }

	135

	136 // Any pointer value that can be cast to a "void*".

	137 template<class T> Arg(T* ptr) : ptr_((void*)ptr), type_(POINTER) { }

	138

	139 union {

	140 // An integer-like value.

	141 struct {

	142 int64_t i_;

	143 unsigned char width_;

	144 };

	145

	146 // A C-style text string.

	147 const char* s_;

	148

	149 // A pointer to an arbitrary object.

	150 const void* ptr_;

	151 };

	152 const enum { INT, UINT, STRING, POINTER } type_;
	jln (very slow on Chromium) 2013/08/01 00:03:15 Typedefs and enum should be first, please look at Typedefs and enum should be first, please look at the "Declaration order" in the style guide.
	153 };

	154

	155 // This is the internal function that performs the actual formatting of

	156 // an snprintf()-style format string.

	157 BASE_EXPORT ssize_t FormatN(char* buf, size_t sz, const char* fmt,

	158 const Arg* args, size_t max_args);

	159 } // namespace internal

	160

	161 #if __cplusplus >= 201103 // C++11

	162

	163 template<typename... Args>

	164 ssize_t FormatN(char* buf, size_t N, const char* fmt, Args... args) {

	165 // Use Arg() object to record type information and then copy arguments to an

	166 // array to make it easier to iterate over them.

	167 const internal::Arg arg_array[] = { args... };

	168 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	169 }

	170

	171 template<size_t N, typename... Args>

	172 ssize_t Format(char (&buf)[N], const char* fmt, Args... args) {

	173 // Use Arg() object to record type information and then copy arguments to an

	174 // array to make it easier to iterate over them.

	175 const internal::Arg arg_array[] = { args... };

	176 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	177 }

	178

	179 #else // Pre-C++11

	180

	181 // TODO(markus): C++11 has a much more concise and readable solution for

	182 // expressing what we are doing here. Delete the fall-back code for older

	183 // compilers as soon as we have fully switched to C++11
	jln (very slow on Chromium) 2013/08/01 00:03:15 Nit: final dot. Nit: final dot.
	184

	185 template<class T0, class T1, class T2, class T3, class T4,

	186 class T5, class T6, class T7, class T8, class T9>

	187 ssize_t FormatN(char* buf, size_t N, const char* fmt,

	188 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,

	189 T5 arg5, T6 arg6, T7 arg7, T8 arg8, T9 arg9) {

	190 // Use Arg() object to record type information and then copy arguments to an

	191 // array to make it easier to iterate over them.

	192 const internal::Arg arg_array[] = {

	193 arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9

	194 };

	195 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	196 }

	197

	198 template<size_t N,

	199 class T0, class T1, class T2, class T3, class T4,

	200 class T5, class T6, class T7, class T8, class T9>

	201 ssize_t Format(char (&buf)[N], const char* fmt,

	202 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,

	203 T5 arg5, T6 arg6, T7 arg7, T8 arg8, T9 arg9) {

	204 // Use Arg() object to record type information and then copy arguments to an

	205 // array to make it easier to iterate over them.

	206 const internal::Arg arg_array[] = {

	207 arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9

	208 };

	209 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	210 }

	211

	212 template<class T0, class T1, class T2, class T3, class T4,

	213 class T5, class T6, class T7, class T8>

	214 ssize_t FormatN(char* buf, size_t N, const char* fmt,

	215 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,

	216 T5 arg5, T6 arg6, T7 arg7, T8 arg8) {

	217 // Use Arg() object to record type information and then copy arguments to an

	218 // array to make it easier to iterate over them.

	219 const internal::Arg arg_array[] = {

	220 arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8

	221 };

	222 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	223 }

	224

	225 template<size_t N,

	226 class T0, class T1, class T2, class T3, class T4, class T5,

	227 class T6, class T7, class T8>

	228 ssize_t Format(char (&buf)[N], const char* fmt,

	229 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,

	230 T5 arg5, T6 arg6, T7 arg7, T8 arg8) {

	231 // Use Arg() object to record type information and then copy arguments to an

	232 // array to make it easier to iterate over them.

	233 const internal::Arg arg_array[] = {

	234 arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8

	235 };

	236 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	237 }

	238

	239 template<class T0, class T1, class T2, class T3, class T4, class T5,

	240 class T6, class T7>

	241 ssize_t FormatN(char* buf, size_t N, const char* fmt,

	242 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,

	243 T5 arg5, T6 arg6, T7 arg7) {

	244 // Use Arg() object to record type information and then copy arguments to an

	245 // array to make it easier to iterate over them.

	246 const internal::Arg arg_array[] = {

	247 arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7

	248 };

	249 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	250 }

	251

	252 template<size_t N,

	253 class T0, class T1, class T2, class T3, class T4, class T5,

	254 class T6, class T7>

	255 ssize_t Format(char (&buf)[N], const char* fmt,

	256 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,

	257 T5 arg5, T6 arg6, T7 arg7) {

	258 // Use Arg() object to record type information and then copy arguments to an

	259 // array to make it easier to iterate over them.

	260 const internal::Arg arg_array[] = {

	261 arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7

	262 };

	263 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	264 }

	265

	266 template<class T0, class T1, class T2, class T3, class T4, class T5,

	267 class T6>

	268 ssize_t FormatN(char* buf, size_t N, const char* fmt,

	269 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,

	270 T5 arg5, T6 arg6) {

	271 // Use Arg() object to record type information and then copy arguments to an

	272 // array to make it easier to iterate over them.

	273 const internal::Arg arg_array[] = {

	274 arg0, arg1, arg2, arg3, arg4, arg5, arg6

	275 };

	276 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	277 }

	278

	279 template<size_t N,

	280 class T0, class T1, class T2, class T3, class T4, class T5,

	281 class T6>

	282 ssize_t Format(char (&buf)[N], const char* fmt,

	283 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5, T6 arg6) {

	284 // Use Arg() object to record type information and then copy arguments to an

	285 // array to make it easier to iterate over them.

	286 const internal::Arg arg_array[] = {

	287 arg0, arg1, arg2, arg3, arg4, arg5, arg6

	288 };

	289 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	290 }

	291

	292 template<class T0, class T1, class T2, class T3, class T4, class T5>

	293 ssize_t FormatN(char* buf, size_t N, const char* fmt,

	294 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5) {

	295 // Use Arg() object to record type information and then copy arguments to an

	296 // array to make it easier to iterate over them.

	297 const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4, arg5 };

	298 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	299 }

	300

	301 template<size_t N,

	302 class T0, class T1, class T2, class T3, class T4, class T5>

	303 ssize_t Format(char (&buf)[N], const char* fmt,

	304 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5) {

	305 // Use Arg() object to record type information and then copy arguments to an

	306 // array to make it easier to iterate over them.

	307 const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4, arg5 };

	308 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	309 }

	310

	311 template<class T0, class T1, class T2, class T3, class T4>

	312 ssize_t FormatN(char* buf, size_t N, const char* fmt,

	313 T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4) {

	314 // Use Arg() object to record type information and then copy arguments to an

	315 // array to make it easier to iterate over them.

	316 const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4 };

	317 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	318 }

	319

	320 template<size_t N, class T0, class T1, class T2, class T3, class T4>

	321 ssize_t Format(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1,

	322 T2 arg2, T3 arg3, T4 arg4) {

	323 // Use Arg() object to record type information and then copy arguments to an

	324 // array to make it easier to iterate over them.

	325 const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4 };

	326 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	327 }

	328

	329 template<class T0, class T1, class T2, class T3>

	330 ssize_t FormatN(char* buf, size_t N, const char* fmt,

	331 T0 arg0, T1 arg1, T2 arg2, T3 arg3) {

	332 // Use Arg() object to record type information and then copy arguments to an

	333 // array to make it easier to iterate over them.

	334 const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3 };

	335 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	336 }

	337

	338 template<size_t N, class T0, class T1, class T2, class T3>

	339 ssize_t Format(char (&buf)[N], const char* fmt,

	340 T0 arg0, T1 arg1, T2 arg2, T3 arg3) {

	341 // Use Arg() object to record type information and then copy arguments to an

	342 // array to make it easier to iterate over them.

	343 const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3 };

	344 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	345 }

	346

	347 template<class T0, class T1, class T2>

	348 ssize_t FormatN(char* buf, size_t N, const char* fmt,

	349 T0 arg0, T1 arg1, T2 arg2) {

	350 // Use Arg() object to record type information and then copy arguments to an

	351 // array to make it easier to iterate over them.

	352 const internal::Arg arg_array[] = { arg0, arg1, arg2 };

	353 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	354 }

	355

	356 template<size_t N, class T0, class T1, class T2>

	357 ssize_t Format(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1, T2 arg2) {

	358 // Use Arg() object to record type information and then copy arguments to an

	359 // array to make it easier to iterate over them.

	360 const internal::Arg arg_array[] = { arg0, arg1, arg2 };

	361 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	362 }

	363

	364 template<class T0, class T1>

	365 ssize_t FormatN(char* buf, size_t N, const char* fmt, T0 arg0, T1 arg1) {

	366 // Use Arg() object to record type information and then copy arguments to an

	367 // array to make it easier to iterate over them.

	368 const internal::Arg arg_array[] = { arg0, arg1 };

	369 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	370 }

	371

	372 template<size_t N, class T0, class T1>

	373 ssize_t Format(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1) {

	374 // Use Arg() object to record type information and then copy arguments to an

	375 // array to make it easier to iterate over them.

	376 const internal::Arg arg_array[] = { arg0, arg1 };

	377 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	378 }

	379

	380 template<class T0>

	381 ssize_t FormatN(char* buf, size_t N, const char* fmt, T0 arg0) {

	382 // Use Arg() object to record type information and then copy arguments to an

	383 // array to make it easier to iterate over them.

	384 const internal::Arg arg_array[] = { arg0 };

	385 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	386 }

	387

	388 template<size_t N, class T0>

	389 ssize_t Format(char (&buf)[N], const char* fmt, T0 arg0) {

	390 // Use Arg() object to record type information and then copy arguments to an

	391 // array to make it easier to iterate over them.

	392 const internal::Arg arg_array[] = { arg0 };

	393 return internal::FormatN(buf, N, fmt, arg_array, arraysize(arg_array));

	394 }

	395 #endif

	396

	397 // Fast-path when we don't actually need to substitute any arguments.

	398 BASE_EXPORT ssize_t FormatN(char* buf, size_t N, const char* fmt);

	399 template<size_t N>

	400 inline ssize_t Format(char (&buf)[N], const char* fmt) {

	401 return FormatN(buf, N, fmt);

	402 }

	403

	404 } // namespace debug

	405 } // namespace base

	406

	407 #endif // BASE_DEBUG_FORMAT_H_

OLD	NEW

« no previous file with comments | « base/base.gypi ('k') | base/debug/format.cc » ('j') | base/debug/format.cc » ('J')