1 // Copyright 2013 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef BASE_STRINGS_SAFE_SPRINTF_H_
6 #define BASE_STRINGS_SAFE_SPRINTF_H_
7
8 #include <stddef.h>
9 #include <stdint.h>
10 #include <stdlib.h>
11
12 #include "base/memory/raw_ptr_exclusion.h"
13 #include "build/build_config.h"
14
15 #if BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
16 // For ssize_t
17 #include <unistd.h>
18 #endif
19
20 #include "base/base_export.h"
21
22 namespace base {
23 namespace strings {
24
25 #if defined(COMPILER_MSVC)
26 // Define ssize_t inside of our namespace.
27 #if defined(_WIN64)
28 typedef __int64 ssize_t;
29 #else
30 typedef long ssize_t;
31 #endif
32 #endif
33
34 // SafeSPrintf() is a type-safe and completely self-contained version of
35 // snprintf().
36 //
37 // SafeSNPrintf() is an alternative function signature that can be used when
38 // not dealing with fixed-sized buffers. When possible, SafeSPrintf() should
39 // always be used instead of SafeSNPrintf()
40 //
41 // These functions allow for formatting complicated messages from contexts that
42 // require strict async-signal-safety. In fact, it is safe to call them from
43 // any low-level execution context, as they are guaranteed to make no library
44 // or system calls. It deliberately never touches "errno", either.
45 //
46 // The only exception to this rule is that in debug builds the code calls
47 // RAW_CHECK() to help diagnose problems when the format string does not
48 // match the rest of the arguments. In release builds, no CHECK()s are used,
49 // and SafeSPrintf() instead returns an output string that expands only
50 // those arguments that match their format characters. Mismatched arguments
51 // are ignored.
52 //
53 // The code currently only supports a subset of format characters:
54 // %c, %o, %d, %x, %X, %p, and %s.
55 //
56 // SafeSPrintf() aims to be as liberal as reasonably possible. Integer-like
57 // values of arbitrary width can be passed to all of the format characters
58 // that expect integers. Thus, it is explicitly legal to pass an "int" to
59 // "%c", and output will automatically look at the LSB only. It is also
60 // explicitly legal to pass either signed or unsigned values, and the format
61 // characters will automatically interpret the arguments accordingly.
62 //
63 // It is still not legal to mix-and-match integer-like values with pointer
64 // values. For instance, you cannot pass a pointer to %x, nor can you pass an
65 // integer to %p.
66 //
67 // The one exception is "0" zero being accepted by "%p". This works-around
68 // the problem of C++ defining NULL as an integer-like value.
69 //
70 // All format characters take an optional width parameter. This must be a
71 // positive integer. For %d, %o, %x, %X and %p, if the width starts with
72 // a leading '0', padding is done with '0' instead of ' ' characters.
73 //
74 // There are a few features of snprintf()-style format strings, that
75 // SafeSPrintf() does not support at this time.
76 //
77 // If an actual user showed up, there is no particularly strong reason they
78 // couldn't be added. But that assumes that the trade-offs between complexity
79 // and utility are favorable.
80 //
81 // For example, adding support for negative padding widths, and for %n are all
82 // likely to be viewed positively. They are all clearly useful, low-risk, easy
83 // to test, don't jeopardize the async-signal-safety of the code, and overall
84 // have little impact on other parts of SafeSPrintf() function.
85 //
86 // On the other hands, adding support for alternate forms, positional
87 // arguments, grouping, wide characters, localization or floating point numbers
88 // are all unlikely to ever be added.
89 //
90 // SafeSPrintf() and SafeSNPrintf() mimic the behavior of snprintf() and they
91 // return the number of bytes needed to store the untruncated output. This
92 // does *not* include the terminating NUL byte.
93 //
94 // They return -1, iff a fatal error happened. This typically can only happen,
95 // if the buffer size is a) negative, or b) zero (i.e. not even the NUL byte
96 // can be written). The return value can never be larger than SSIZE_MAX-1.
97 // This ensures that the caller can always add one to the signed return code
98 // in order to determine the amount of storage that needs to be allocated.
99 //
100 // While the code supports type checking and while it is generally very careful
101 // to avoid printing incorrect values, it tends to be conservative in printing
102 // as much as possible, even when given incorrect parameters. Typically, in
103 // case of an error, the format string will not be expanded. (i.e. something
104 // like SafeSPrintf(buf, "%p %d", 1, 2) results in "%p 2"). See above for
105 // the use of RAW_CHECK() in debug builds, though.
106 //
107 // Basic example:
108 // char buf[20];
109 // base::strings::SafeSPrintf(buf, "The answer: %2d", 42);
110 //
111 // Example with dynamically sized buffer (async-signal-safe). This code won't
112 // work on Visual studio, as it requires dynamically allocating arrays on the
113 // stack. Consider picking a smaller value for |kMaxSize| if stack size is
114 // limited and known. On the other hand, if the parameters to SafeSNPrintf()
115 // are trusted and not controllable by the user, you can consider eliminating
116 // the check for |kMaxSize| altogether. The current value of SSIZE_MAX is
117 // essentially a no-op that just illustrates how to implement an upper bound:
118 // const size_t kInitialSize = 128;
119 // const size_t kMaxSize = std::numeric_limits<ssize_t>::max();
120 // size_t size = kInitialSize;
121 // for (;;) {
122 // char buf[size];
123 // size = SafeSNPrintf(buf, size, "Error message \"%s\"\n", err) + 1;
124 // if (sizeof(buf) < kMaxSize && size > kMaxSize) {
125 // size = kMaxSize;
126 // continue;
127 // } else if (size > sizeof(buf))
128 // continue;
129 // write(2, buf, size-1);
130 // break;
131 // }
132
133 namespace internal {
134 // Helpers that use C++ overloading, templates, and specializations to deduce
135 // and record type information from function arguments. This allows us to
136 // later write a type-safe version of snprintf().
137
138 struct Arg {
139 enum Type { INT, UINT, STRING, POINTER };
140
141 // Any integer-like value.
ArgArg142 Arg(signed char c) : type(INT) {
143 integer.i = c;
144 integer.width = sizeof(char);
145 }
ArgArg146 Arg(unsigned char c) : type(UINT) {
147 integer.i = c;
148 integer.width = sizeof(char);
149 }
ArgArg150 Arg(signed short j) : type(INT) {
151 integer.i = j;
152 integer.width = sizeof(short);
153 }
ArgArg154 Arg(unsigned short j) : type(UINT) {
155 integer.i = j;
156 integer.width = sizeof(short);
157 }
ArgArg158 Arg(signed int j) : type(INT) {
159 integer.i = j;
160 integer.width = sizeof(int);
161 }
ArgArg162 Arg(unsigned int j) : type(UINT) {
163 integer.i = j;
164 integer.width = sizeof(int);
165 }
ArgArg166 Arg(signed long j) : type(INT) {
167 integer.i = j;
168 integer.width = sizeof(long);
169 }
ArgArg170 Arg(unsigned long j) : type(UINT) {
171 integer.i = static_cast<int64_t>(j);
172 integer.width = sizeof(long);
173 }
ArgArg174 Arg(signed long long j) : type(INT) {
175 integer.i = j;
176 integer.width = sizeof(long long);
177 }
ArgArg178 Arg(unsigned long long j) : type(UINT) {
179 integer.i = static_cast<int64_t>(j);
180 integer.width = sizeof(long long);
181 }
182
183 // A C-style text string.
ArgArg184 Arg(const char* s) : str(s), type(STRING) { }
ArgArg185 Arg(char* s) : str(s), type(STRING) { }
186
187 // Any pointer value that can be cast to a "void*".
ArgArg188 template<class T> Arg(T* p) : ptr((void*)p), type(POINTER) { }
189
190 union {
191 // An integer-like value.
192 struct {
193 int64_t i;
194 unsigned char width;
195 } integer;
196
197 // A C-style text string.
198 const char* str;
199
200 // A pointer to an arbitrary object.
201 // This field is not a raw_ptr<> because it was filtered by the rewriter
202 // for: #union
203 RAW_PTR_EXCLUSION const void* ptr;
204 };
205 const enum Type type;
206 };
207
208 // This is the internal function that performs the actual formatting of
209 // an snprintf()-style format string.
210 BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt,
211 const Arg* args, size_t max_args);
212
213 #if !defined(NDEBUG)
214 // In debug builds, allow unit tests to artificially lower the kSSizeMax
215 // constant that is used as a hard upper-bound for all buffers. In normal
216 // use, this constant should always be std::numeric_limits<ssize_t>::max().
217 BASE_EXPORT void SetSafeSPrintfSSizeMaxForTest(size_t max);
218 BASE_EXPORT size_t GetSafeSPrintfSSizeMaxForTest();
219 #endif
220
221 } // namespace internal
222
223 template<typename... Args>
SafeSNPrintf(char * buf,size_t N,const char * fmt,Args...args)224 ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, Args... args) {
225 // Use Arg() object to record type information and then copy arguments to an
226 // array to make it easier to iterate over them.
227 const internal::Arg arg_array[] = { args... };
228 return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args));
229 }
230
231 template<size_t N, typename... Args>
SafeSPrintf(char (& buf)[N],const char * fmt,Args...args)232 ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, Args... args) {
233 // Use Arg() object to record type information and then copy arguments to an
234 // array to make it easier to iterate over them.
235 const internal::Arg arg_array[] = { args... };
236 return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args));
237 }
238
239 // Fast-path when we don't actually need to substitute any arguments.
240 BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt);
241 template<size_t N>
SafeSPrintf(char (& buf)[N],const char * fmt)242 inline ssize_t SafeSPrintf(char (&buf)[N], const char* fmt) {
243 return SafeSNPrintf(buf, N, fmt);
244 }
245
246 } // namespace strings
247 } // namespace base
248
249 #endif // BASE_STRINGS_SAFE_SPRINTF_H_
250