| blob | 1c927184658559d1bc238578e3918474da755de4 |
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <limits>
9 #if !defined(NDEBUG)
10 // In debug builds, we use RAW_CHECK() to print useful error messages, if
11 // SafeSPrintf() is called with broken arguments.
12 // As our contract promises that SafeSPrintf() can be called from any
13 // restricted run-time context, it is not actually safe to call logging
14 // functions from it; and we only ever do so for debug builds and hope for the
15 // best. We should _never_ call any logging function other than RAW_CHECK(),
16 // and we should _never_ include any logging code that is active in production
17 // builds. Most notably, we should not include these logging functions in
18 // unofficial release builds, even though those builds would otherwise have
19 // DCHECKS() enabled.
20 // In other words; please do not remove the #ifdef around this #include.
21 // Instead, in production builds we opt for returning a degraded result,
22 // whenever an error is encountered.
23 // E.g. The broken function call
24 // SafeSPrintf("errno = %d (%x)", errno, strerror(errno))
25 // will print something like
26 // errno = 13, (%x)
27 // instead of
28 // errno = 13 (Access denied)
29 // In most of the anticipated use cases, that's probably the preferred
30 // behavior.
32 #define DEBUG_CHECK RAW_CHECK
33 #else
34 #define DEBUG_CHECK(x) do { if (x) { } } while (0)
35 #endif
40 // The code in this file is extremely careful to be async-signal-safe.
41 //
42 // Most obviously, we avoid calling any code that could dynamically allocate
43 // memory. Doing so would almost certainly result in bugs and dead-locks.
44 // We also avoid calling any other STL functions that could have unintended
45 // side-effects involving memory allocation or access to other shared
46 // resources.
47 //
48 // But on top of that, we also avoid calling other library functions, as many
49 // of them have the side-effect of calling getenv() (in order to deal with
50 // localization) or accessing errno. The latter sounds benign, but there are
51 // several execution contexts where it isn't even possible to safely read let
52 // alone write errno.
53 //
54 // The stated design goal of the SafeSPrintf() function is that it can be
55 // called from any context that can safely call C or C++ code (i.e. anything
56 // that doesn't require assembly code).
57 //
58 // For a brief overview of some but not all of the issues with async-signal-
59 // safety, refer to:
60 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
67 }
69 #if defined(NDEBUG)
70 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
71 // but C++ doesn't allow us to do that for constants. Instead, we have to
72 // use careful casting and shifting. We later use a COMPILE_ASSERT to
73 // verify that this worked correctly.
76 }
78 // For efficiency, we really need kSSizeMax to be a constant. But for unit
79 // tests, it should be adjustable. This allows us to verify edge cases without
80 // having to fill the entire available address space. As a compromise, we make
81 // kSSizeMax adjustable in debug builds, and then only compile that particular
82 // part of the unit test in debug builds.
85 }
90 }
94 }
95 }
101 // |buffer| is caller-allocated storage that SafeSPrintf() writes to. It
102 // has |size| bytes of writable storage. It is the caller's responsibility
103 // to ensure that the buffer is at least one byte in size, so that it fits
104 // the trailing NUL that will be added by the destructor. The buffer also
105 // must be smaller or equal to kSSizeMax in size.
110 // The following assertion does not build on Mac and Android. This is because
111 // static_assert only works with compile-time constants, but mac uses
112 // libstdc++4.2 and android uses stlport, which both don't mark
113 // numeric_limits::max() as constexp. Likewise, MSVS2013's standard library
114 // also doesn't mark max() as constexpr yet. cl.exe supports static_cast but
115 // doesn't really implement constexpr yet so it doesn't complain, but clang
116 // does.
117 #if __cplusplus >= 201103 && !defined(OS_ANDROID) && !defined(OS_MACOSX) && \
118 !defined(OS_IOS) && !(defined(__clang__) && defined(OS_WIN))
121 kSSizeMax_is_the_max_value_of_an_ssize_t);
122 #endif
125 }
128 // The code calling the constructor guaranteed that there was enough space
129 // to store a trailing NUL -- and in debug builds, we are actually
130 // verifying this with DEBUG_CHECK()s in the constructor. So, we can
131 // always unconditionally write the NUL byte in the destructor. We do not
132 // need to adjust the count_, as SafeSPrintf() copies snprintf() in not
133 // including the NUL byte in its return code.
135 }
137 // Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The
138 // caller can now stop adding more data, as GetCount() has reached its
139 // maximum possible value.
142 }
144 // Returns the number of bytes that would have been emitted to |buffer_|
145 // if it was sized sufficiently large. This number can be larger than
146 // |size_|, if the caller provided an insufficiently large output buffer.
147 // But it will never be bigger than |kSSizeMax-1|.
151 }
153 // Emits one |ch| character into the |buffer_| and updates the |count_| of
154 // characters that are currently supposed to be in the buffer.
155 // Returns "false", iff the buffer was already full.
156 // N.B. |count_| increases even if no characters have been written. This is
157 // needed so that GetCount() can return the number of bytes that should
158 // have been allocated for the |buffer_|.
163 }
164 // |count_| still needs to be updated, even if the buffer has been
165 // filled completely. This allows SafeSPrintf() to return the number of
166 // bytes that should have been emitted.
169 }
171 // Inserts |padding|-|len| bytes worth of padding into the |buffer_|.
172 // |count_| will also be incremented by the number of bytes that were meant
173 // to be emitted. The |pad| character is typically either a ' ' space
174 // or a '0' zero, but other non-NUL values are legal.
175 // Returns "false", iff the the |buffer_| filled up (i.e. |count_|
176 // overflowed |size_|) at any time during padding.
185 }
187 }
188 }
190 }
192 // POSIX doesn't define any async-signal-safe function for converting
193 // an integer to ASCII. Define our own version.
194 //
195 // This also gives us the ability to make the function a little more
196 // powerful and have it deal with |padding|, with truncation, and with
197 // predicting the length of the untruncated output.
198 //
199 // IToASCII() converts an integer |i| to ASCII.
200 //
201 // Unlike similar functions in the standard C library, it never appends a
202 // NUL character. This is left for the caller to do.
203 //
204 // While the function signature takes a signed int64_t, the code decides at
205 // run-time whether to treat the argument as signed (int64_t) or as unsigned
206 // (uint64_t) based on the value of |sign|.
207 //
208 // It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have
209 // a |sign|. Otherwise, |i| is treated as unsigned.
210 //
211 // For bases larger than 10, |upcase| decides whether lower-case or upper-
212 // case letters should be used to designate digits greater than 10.
213 //
214 // Padding can be done with either '0' zeros or ' ' spaces. Padding has to
215 // be positive and will always be applied to the left of the output.
216 //
217 // Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to
218 // the left of |padding|, if |pad| is '0'; and to the right of |padding|
219 // if |pad| is ' '.
220 //
221 // Returns "false", if the |buffer_| overflowed at any time.
226 // Increments |count_| by |inc| unless this would cause |count_| to
227 // overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected;
228 // it then clamps |count_| to |kSSizeMax-1|.
230 // "inc" is either 1 or a "padding" value. Padding is clamped at
231 // run-time to at most kSSizeMax-1. So, we know that "inc" is always in
232 // the range 1..kSSizeMax-1.
233 // This allows us to compute "kSSizeMax - 1 - inc" without incurring any
234 // integer overflows.
242 }
243 }
245 // Convenience method for the common case of incrementing |count_| by one.
248 }
250 // Return the current insertion point into the buffer. This is typically
251 // at |buffer_| + |count_|, but could be before that if truncation
252 // happened. It always points to one byte past the last byte that was
253 // successfully placed into the |buffer_|.
258 }
260 }
262 // User-provided buffer that will receive the fully formatted output string.
265 // Number of bytes that are available in the buffer excluding the trailing
266 // NUL byte that will be added by the destructor.
269 // Number of bytes that would have been emitted to the buffer, if the buffer
270 // was sufficiently big. This number always excludes the trailing NUL byte
271 // and it is guaranteed to never grow bigger than kSSizeMax-1.
275 };
280 // Sanity check for parameters. None of these should ever fail, but see
281 // above for the rationale why we can't call CHECK().
290 // Handle negative numbers, if the caller indicated that |i| should be
291 // treated as a signed number; otherwise treat |i| as unsigned (even if the
292 // MSB is set!)
293 // Details are tricky, because of limited data-types, but equivalent pseudo-
294 // code would look like:
295 // if (sign && i < 0)
296 // prefix = "-";
297 // num = abs(i);
303 // Turn our number positive.
305 // The most negative integer needs special treatment.
309 // "Normal" negative numbers are easy.
311 }
314 }
316 // If padding with '0' zero, emit the prefix or '-' character now. Otherwise,
317 // make the prefix accessible in reverse order, so that we can later output
318 // it right between padding and the number.
319 // We cannot choose the easier approach of just reversing the number, as that
320 // fails in situations where we need to truncate numbers that have padding
321 // and/or prefixes.
328 }
330 }
334 }
335 }
340 // Loop until we have converted the entire number. Output at least one
341 // character (i.e. '0').
346 // Make sure there is still enough space left in our output buffer.
349 // It is rare that we need to output a partial number. But if asked
350 // to do so, we will still make sure we output the correct number of
351 // leading digits.
352 // Since we are generating the digits in reverse order, we actually
353 // have to discard digits in the order that we have already emitted
354 // them. This is essentially equivalent to:
355 // memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1)
360 }
364 // Need to increment either |count_| or |discarded| to make progress.
365 // The latter is more efficient, as it eventually triggers fast
366 // handling of padding. But we have to ensure we don't accidentally
367 // change the overall state (i.e. switch the state-machine from
368 // discarding to non-discarding). |count_| needs to always stay
369 // bigger than |size_|.
372 }
373 }
375 // Output the next digit and (if necessary) compensate for the most
376 // negative integer needing special treatment. This works because,
377 // no matter the bit width of the integer, the lowest-most decimal
378 // integer always ends in 2, 4, 6, or 8.
384 }
388 }
393 // Add padding, if requested.
397 // Performance optimization for when we are asked to output excessive
398 // padding, but our output buffer is limited in size. Even if we output
399 // a 64bit number in binary, we would never write more than 64 plus
400 // prefix non-padding characters. So, once this limit has been passed,
401 // any further state change can be computed arithmetically; we know that
402 // by this time, our entire final output consists of padding characters
403 // that have all already been output.
407 }
408 }
411 // Conversion to ASCII actually resulted in the digits being in reverse
412 // order. We can't easily generate them in forward order, as we can't tell
413 // the number of characters needed until we are done converting.
414 // So, now, we reverse the string (except for the possible '-' sign).
421 }
425 }
433 // Make sure that at least one NUL byte can be written, and that the buffer
434 // never overflows kSSizeMax. Not only does that use up most or all of the
435 // address space, it also would result in a return code that cannot be
436 // represented.
441 }
443 // Iterate over format string and interpret '%' arguments as they are
444 // encountered.
453 format_character_found:
457 // Found a width parameter. Convert to an integer value and store in
458 // "padding". If the leading digit is a zero, change the padding
459 // character from a space ' ' to a zero '0'.
462 // The maximum allowed padding fills all the available address
463 // space and leaves just enough space to insert the trailing NUL.
469 // Integer overflow detected. Skip the rest of the width until
470 // we find the format character, then do the normal error handling.
471 padding_overflow:
474 }
477 }
479 }
482 // This doesn't happen for "sane" values of kSSizeMax. But once
483 // kSSizeMax gets smaller than about 10, our earlier range checks
484 // are incomplete. Unittests do trigger this artificial corner
485 // case.
488 }
491 // Reached the end of the width parameter. This is where the format
492 // character is found.
494 }
495 }
498 // Check that there are arguments left to be inserted.
502 }
504 // Check that the argument has the expected type.
509 }
511 // Apply padding, if needed.
514 // Convert the argument to an ASCII character and output it.
518 }
526 // Check that there are arguments left to be inserted.
530 }
536 // Check that the argument has the expected type.
540 }
544 // The Arg() constructor automatically performed sign expansion on
545 // signed parameters. This is great when outputting a %d decimal
546 // number, but can result in unexpected leading 0xFF bytes when
547 // outputting a %x hexadecimal number. Mask bits, if necessary.
548 // We have to do this here, instead of in the Arg() constructor, as
549 // the Arg() constructor cannot tell whether we will output a %d
550 // or a %x. Only the latter should experience masking.
553 }
554 }
556 // Pointer values require an actual pointer or a string.
568 }
570 // Pointers always include the "0x" prefix.
572 }
574 // Use IToASCII() to convert to ASCII representation. For decimal
575 // numbers, optionally print a sign. For hexadecimal numbers,
576 // distinguish between upper and lower case. %p addresses are always
577 // printed as upcase. Supports base 8, 10, and 16. Prints padding
578 // and/or prefixes, if so requested.
585 // Check that there are arguments left to be inserted.
589 }
591 // Check that the argument has the expected type.
602 }
604 // Apply padding, if needed. This requires us to first check the
605 // length of the string that we are outputting.
610 }
612 }
614 // Printing a string involves nothing more than copying it into the
615 // output buffer and making sure we don't output more bytes than
616 // available space; Out() takes care of doing that.
619 }
622 // Quoted percent '%' character.
624 fail_to_expand:
625 // C++ gives us tools to do type checking -- something that snprintf()
626 // could never really do. So, whenever we see arguments that don't
627 // match up with the format string, we refuse to output them. But
628 // since we have to be extremely conservative about being async-
629 // signal-safe, we are limited in the type of error handling that we
630 // can do in production builds (in debug builds we can use
631 // DEBUG_CHECK() and hope for the best). So, all we do is pass the
632 // format string unchanged. That should eventually get the user's
633 // attention; and in the meantime, it hopefully doesn't lose too much
634 // data.
636 // Unknown or unsupported format character. Just copy verbatim to
637 // output.
642 }
645 }
647 copy_verbatim:
649 }
650 }
651 end_of_format_string:
652 end_of_output_buffer:
654 }
659 // Make sure that at least one NUL byte can be written, and that the buffer
660 // never overflows kSSizeMax. Not only does that use up most or all of the
661 // address space, it also would result in a return code that cannot be
662 // represented.
667 }
671 // In the slow-path, we deal with errors by copying the contents of
672 // "fmt" unexpanded. This means, if there are no arguments passed, the
673 // SafeSPrintf() function always degenerates to a version of strncpy() that
674 // de-duplicates '%' characters.
681 }
682 }
684 }