search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Updating trunk VERSION from 2139.0 to 2140.0
[chromium-blink-merge.git] / base / strings / safe_sprintf_unittest.cc
blob98ecd24829bf9cdfc92d9d04d75749d7dbd26052
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/strings/safe_sprintf.h"
6
7 #include <stdio.h>
8 #include <string.h>
9
10 #include <limits>
11
12 #include "base/logging.h"
13 #include "base/memory/scoped_ptr.h"
14 #include "testing/gtest/include/gtest/gtest.h"
15
16 // Death tests on Android are currently very flaky. No need to add more flaky
17 // tests, as they just make it hard to spot real problems.
18 // TODO(markus): See if the restrictions on Android can eventually be lifted.
19 #if defined(GTEST_HAS_DEATH_TEST) && !defined(OS_ANDROID)
20 #define ALLOW_DEATH_TEST
21 #endif
22
23 namespace base {
24 namespace strings {
25
26 TEST(SafeSPrintfTest, Empty) {
27 char buf[2] = { 'X', 'X' };
28
29 // Negative buffer size should always result in an error.
30 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), ""));
31 EXPECT_EQ('X', buf[0]);
32 EXPECT_EQ('X', buf[1]);
33
34 // Zero buffer size should always result in an error.
35 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, ""));
36 EXPECT_EQ('X', buf[0]);
37 EXPECT_EQ('X', buf[1]);
38
39 // A one-byte buffer should always print a single NUL byte.
40 EXPECT_EQ(0, SafeSNPrintf(buf, 1, ""));
41 EXPECT_EQ(0, buf[0]);
42 EXPECT_EQ('X', buf[1]);
43 buf[0] = 'X';
44
45 // A larger buffer should leave the trailing bytes unchanged.
46 EXPECT_EQ(0, SafeSNPrintf(buf, 2, ""));
47 EXPECT_EQ(0, buf[0]);
48 EXPECT_EQ('X', buf[1]);
49 buf[0] = 'X';
50
51 // The same test using SafeSPrintf() instead of SafeSNPrintf().
52 EXPECT_EQ(0, SafeSPrintf(buf, ""));
53 EXPECT_EQ(0, buf[0]);
54 EXPECT_EQ('X', buf[1]);
55 buf[0] = 'X';
56 }
57
58 TEST(SafeSPrintfTest, NoArguments) {
59 // Output a text message that doesn't require any substitutions. This
60 // is roughly equivalent to calling strncpy() (but unlike strncpy(), it does
61 // always add a trailing NUL; it always deduplicates '%' characters).
62 static const char text[] = "hello world";
63 char ref[20], buf[20];
64 memset(ref, 'X', sizeof(char) * arraysize(buf));
65 memcpy(buf, ref, sizeof(buf));
66
67 // A negative buffer size should always result in an error.
68 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), text));
69 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
70
71 // Zero buffer size should always result in an error.
72 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, text));
73 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
74
75 // A one-byte buffer should always print a single NUL byte.
76 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 1, text));
77 EXPECT_EQ(0, buf[0]);
78 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1));
79 memcpy(buf, ref, sizeof(buf));
80
81 // A larger (but limited) buffer should always leave the trailing bytes
82 // unchanged.
83 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 2, text));
84 EXPECT_EQ(text[0], buf[0]);
85 EXPECT_EQ(0, buf[1]);
86 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2));
87 memcpy(buf, ref, sizeof(buf));
88
89 // A unrestricted buffer length should always leave the trailing bytes
90 // unchanged.
91 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
92 SafeSNPrintf(buf, sizeof(buf), text));
93 EXPECT_EQ(std::string(text), std::string(buf));
94 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
95 sizeof(buf) - sizeof(text)));
96 memcpy(buf, ref, sizeof(buf));
97
98 // The same test using SafeSPrintf() instead of SafeSNPrintf().
99 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, text));
100 EXPECT_EQ(std::string(text), std::string(buf));
101 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
102 sizeof(buf) - sizeof(text)));
103 memcpy(buf, ref, sizeof(buf));
104
105 // Check for deduplication of '%' percent characters.
106 EXPECT_EQ(1, SafeSPrintf(buf, "%%"));
107 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%"));
108 EXPECT_EQ(2, SafeSPrintf(buf, "%%X"));
109 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%X"));
110 #if defined(NDEBUG)
111 EXPECT_EQ(1, SafeSPrintf(buf, "%"));
112 EXPECT_EQ(2, SafeSPrintf(buf, "%%%"));
113 EXPECT_EQ(2, SafeSPrintf(buf, "%X"));
114 EXPECT_EQ(3, SafeSPrintf(buf, "%%%X"));
115 #elif defined(ALLOW_DEATH_TEST)
116 EXPECT_DEATH(SafeSPrintf(buf, "%"), "src.1. == '%'");
117 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'");
118 EXPECT_DEATH(SafeSPrintf(buf, "%X"), "src.1. == '%'");
119 EXPECT_DEATH(SafeSPrintf(buf, "%%%X"), "src.1. == '%'");
120 #endif
121 }
122
123 TEST(SafeSPrintfTest, OneArgument) {
124 // Test basic single-argument single-character substitution.
125 const char text[] = "hello world";
126 const char fmt[] = "hello%cworld";
127 char ref[20], buf[20];
128 memset(ref, 'X', sizeof(buf));
129 memcpy(buf, ref, sizeof(buf));
130
131 // A negative buffer size should always result in an error.
132 EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), fmt, ' '));
133 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
134
135 // Zero buffer size should always result in an error.
136 EXPECT_EQ(-1, SafeSNPrintf(buf, 0, fmt, ' '));
137 EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
138
139 // A one-byte buffer should always print a single NUL byte.
140 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
141 SafeSNPrintf(buf, 1, fmt, ' '));
142 EXPECT_EQ(0, buf[0]);
143 EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1));
144 memcpy(buf, ref, sizeof(buf));
145
146 // A larger (but limited) buffer should always leave the trailing bytes
147 // unchanged.
148 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
149 SafeSNPrintf(buf, 2, fmt, ' '));
150 EXPECT_EQ(text[0], buf[0]);
151 EXPECT_EQ(0, buf[1]);
152 EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2));
153 memcpy(buf, ref, sizeof(buf));
154
155 // A unrestricted buffer length should always leave the trailing bytes
156 // unchanged.
157 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
158 SafeSNPrintf(buf, sizeof(buf), fmt, ' '));
159 EXPECT_EQ(std::string(text), std::string(buf));
160 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
161 sizeof(buf) - sizeof(text)));
162 memcpy(buf, ref, sizeof(buf));
163
164 // The same test using SafeSPrintf() instead of SafeSNPrintf().
165 EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, fmt, ' '));
166 EXPECT_EQ(std::string(text), std::string(buf));
167 EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
168 sizeof(buf) - sizeof(text)));
169 memcpy(buf, ref, sizeof(buf));
170
171 // Check for deduplication of '%' percent characters.
172 EXPECT_EQ(1, SafeSPrintf(buf, "%%", 0));
173 EXPECT_EQ(2, SafeSPrintf(buf, "%%%%", 0));
174 EXPECT_EQ(2, SafeSPrintf(buf, "%Y", 0));
175 EXPECT_EQ(2, SafeSPrintf(buf, "%%Y", 0));
176 EXPECT_EQ(3, SafeSPrintf(buf, "%%%Y", 0));
177 EXPECT_EQ(3, SafeSPrintf(buf, "%%%%Y", 0));
178 #if defined(NDEBUG)
179 EXPECT_EQ(1, SafeSPrintf(buf, "%", 0));
180 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0));
181 #elif defined(ALLOW_DEATH_TEST)
182 EXPECT_DEATH(SafeSPrintf(buf, "%", 0), "ch");
183 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch");
184 #endif
185 }
186
187 TEST(SafeSPrintfTest, MissingArg) {
188 #if defined(NDEBUG)
189 char buf[20];
190 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c", 'A'));
191 EXPECT_EQ("A%c", std::string(buf));
192 #elif defined(ALLOW_DEATH_TEST)
193 char buf[20];
194 EXPECT_DEATH(SafeSPrintf(buf, "%c%c", 'A'), "cur_arg < max_args");
195 #endif
196 }
197
198 TEST(SafeSPrintfTest, ASANFriendlyBufferTest) {
199 // Print into a buffer that is sized exactly to size. ASAN can verify that
200 // nobody attempts to write past the end of the buffer.
201 // There is a more complicated test in PrintLongString() that covers a lot
202 // more edge case, but it is also harder to debug in case of a failure.
203 const char kTestString[] = "This is a test";
204 scoped_ptr<char[]> buf(new char[sizeof(kTestString)]);
205 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1),
206 SafeSNPrintf(buf.get(), sizeof(kTestString), kTestString));
207 EXPECT_EQ(std::string(kTestString), std::string(buf.get()));
208 EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1),
209 SafeSNPrintf(buf.get(), sizeof(kTestString), "%s", kTestString));
210 EXPECT_EQ(std::string(kTestString), std::string(buf.get()));
211 }
212
213 TEST(SafeSPrintfTest, NArgs) {
214 // Pre-C++11 compilers have a different code path, that can only print
215 // up to ten distinct arguments.
216 // We test both SafeSPrintf() and SafeSNPrintf(). This makes sure we don't
217 // have typos in the copy-n-pasted code that is needed to deal with various
218 // numbers of arguments.
219 char buf[12];
220 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 1));
221 EXPECT_EQ("\1", std::string(buf));
222 EXPECT_EQ(2, SafeSPrintf(buf, "%c%c", 1, 2));
223 EXPECT_EQ("\1\2", std::string(buf));
224 EXPECT_EQ(3, SafeSPrintf(buf, "%c%c%c", 1, 2, 3));
225 EXPECT_EQ("\1\2\3", std::string(buf));
226 EXPECT_EQ(4, SafeSPrintf(buf, "%c%c%c%c", 1, 2, 3, 4));
227 EXPECT_EQ("\1\2\3\4", std::string(buf));
228 EXPECT_EQ(5, SafeSPrintf(buf, "%c%c%c%c%c", 1, 2, 3, 4, 5));
229 EXPECT_EQ("\1\2\3\4\5", std::string(buf));
230 EXPECT_EQ(6, SafeSPrintf(buf, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6));
231 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf));
232 EXPECT_EQ(7, SafeSPrintf(buf, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7));
233 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf));
234 EXPECT_EQ(8, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7, 8));
235 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf));
236 EXPECT_EQ(9, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c",
237 1, 2, 3, 4, 5, 6, 7, 8, 9));
238 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf));
239 EXPECT_EQ(10, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c",
240 1, 2, 3, 4, 5, 6, 7, 8, 9, 10));
241
242 // Repeat all the tests with SafeSNPrintf() instead of SafeSPrintf().
243 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf));
244 EXPECT_EQ(1, SafeSNPrintf(buf, 11, "%c", 1));
245 EXPECT_EQ("\1", std::string(buf));
246 EXPECT_EQ(2, SafeSNPrintf(buf, 11, "%c%c", 1, 2));
247 EXPECT_EQ("\1\2", std::string(buf));
248 EXPECT_EQ(3, SafeSNPrintf(buf, 11, "%c%c%c", 1, 2, 3));
249 EXPECT_EQ("\1\2\3", std::string(buf));
250 EXPECT_EQ(4, SafeSNPrintf(buf, 11, "%c%c%c%c", 1, 2, 3, 4));
251 EXPECT_EQ("\1\2\3\4", std::string(buf));
252 EXPECT_EQ(5, SafeSNPrintf(buf, 11, "%c%c%c%c%c", 1, 2, 3, 4, 5));
253 EXPECT_EQ("\1\2\3\4\5", std::string(buf));
254 EXPECT_EQ(6, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6));
255 EXPECT_EQ("\1\2\3\4\5\6", std::string(buf));
256 EXPECT_EQ(7, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7));
257 EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf));
258 EXPECT_EQ(8, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c",
259 1, 2, 3, 4, 5, 6, 7, 8));
260 EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf));
261 EXPECT_EQ(9, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c",
262 1, 2, 3, 4, 5, 6, 7, 8, 9));
263 EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf));
264 EXPECT_EQ(10, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c%c",
265 1, 2, 3, 4, 5, 6, 7, 8, 9, 10));
266 EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf));
267 }
268
269 TEST(SafeSPrintfTest, DataTypes) {
270 char buf[40];
271
272 // Bytes
273 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint8_t)1));
274 EXPECT_EQ("1", std::string(buf));
275 EXPECT_EQ(3, SafeSPrintf(buf, "%d", (uint8_t)-1));
276 EXPECT_EQ("255", std::string(buf));
277 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int8_t)1));
278 EXPECT_EQ("1", std::string(buf));
279 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int8_t)-1));
280 EXPECT_EQ("-1", std::string(buf));
281 EXPECT_EQ(4, SafeSPrintf(buf, "%d", (int8_t)-128));
282 EXPECT_EQ("-128", std::string(buf));
283
284 // Half-words
285 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint16_t)1));
286 EXPECT_EQ("1", std::string(buf));
287 EXPECT_EQ(5, SafeSPrintf(buf, "%d", (uint16_t)-1));
288 EXPECT_EQ("65535", std::string(buf));
289 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int16_t)1));
290 EXPECT_EQ("1", std::string(buf));
291 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int16_t)-1));
292 EXPECT_EQ("-1", std::string(buf));
293 EXPECT_EQ(6, SafeSPrintf(buf, "%d", (int16_t)-32768));
294 EXPECT_EQ("-32768", std::string(buf));
295
296 // Words
297 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint32_t)1));
298 EXPECT_EQ("1", std::string(buf));
299 EXPECT_EQ(10, SafeSPrintf(buf, "%d", (uint32_t)-1));
300 EXPECT_EQ("4294967295", std::string(buf));
301 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int32_t)1));
302 EXPECT_EQ("1", std::string(buf));
303 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int32_t)-1));
304 EXPECT_EQ("-1", std::string(buf));
305 // Work-around for an limitation of C90
306 EXPECT_EQ(11, SafeSPrintf(buf, "%d", (int32_t)-2147483647-1));
307 EXPECT_EQ("-2147483648", std::string(buf));
308
309 // Quads
310 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint64_t)1));
311 EXPECT_EQ("1", std::string(buf));
312 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (uint64_t)-1));
313 EXPECT_EQ("18446744073709551615", std::string(buf));
314 EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int64_t)1));
315 EXPECT_EQ("1", std::string(buf));
316 EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int64_t)-1));
317 EXPECT_EQ("-1", std::string(buf));
318 // Work-around for an limitation of C90
319 EXPECT_EQ(20, SafeSPrintf(buf, "%d", (int64_t)-9223372036854775807LL-1));
320 EXPECT_EQ("-9223372036854775808", std::string(buf));
321
322 // Strings (both const and mutable).
323 EXPECT_EQ(4, SafeSPrintf(buf, "test"));
324 EXPECT_EQ("test", std::string(buf));
325 EXPECT_EQ(4, SafeSPrintf(buf, buf));
326 EXPECT_EQ("test", std::string(buf));
327
328 // Pointer
329 char addr[20];
330 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf);
331 SafeSPrintf(buf, "%p", buf);
332 EXPECT_EQ(std::string(addr), std::string(buf));
333 SafeSPrintf(buf, "%p", (const char *)buf);
334 EXPECT_EQ(std::string(addr), std::string(buf));
335 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)sprintf);
336 SafeSPrintf(buf, "%p", sprintf);
337 EXPECT_EQ(std::string(addr), std::string(buf));
338
339 // Padding for pointers is a little more complicated because of the "0x"
340 // prefix. Padding with '0' zeros is relatively straight-forward, but
341 // padding with ' ' spaces requires more effort.
342 sprintf(addr, "0x%017llX", (unsigned long long)(uintptr_t)buf);
343 SafeSPrintf(buf, "%019p", buf);
344 EXPECT_EQ(std::string(addr), std::string(buf));
345 sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf);
346 memset(addr, ' ',
347 (char*)memmove(addr + sizeof(addr) - strlen(addr) - 1,
348 addr, strlen(addr)+1) - addr);
349 SafeSPrintf(buf, "%19p", buf);
350 EXPECT_EQ(std::string(addr), std::string(buf));
351 }
352
353 namespace {
354 void PrintLongString(char* buf, size_t sz) {
355 // Output a reasonably complex expression into a limited-size buffer.
356 // At least one byte is available for writing the NUL character.
357 CHECK_GT(sz, static_cast<size_t>(0));
358
359 // Allocate slightly more space, so that we can verify that SafeSPrintf()
360 // never writes past the end of the buffer.
361 scoped_ptr<char[]> tmp(new char[sz+2]);
362 memset(tmp.get(), 'X', sz+2);
363
364 // Use SafeSPrintf() to output a complex list of arguments:
365 // - test padding and truncating %c single characters.
366 // - test truncating %s simple strings.
367 // - test mismatching arguments and truncating (for %d != %s).
368 // - test zero-padding and truncating %x hexadecimal numbers.
369 // - test outputting and truncating %d MININT.
370 // - test outputting and truncating %p arbitrary pointer values.
371 // - test outputting, padding and truncating NULL-pointer %s strings.
372 char* out = tmp.get();
373 size_t out_sz = sz;
374 size_t len;
375 for (scoped_ptr<char[]> perfect_buf;;) {
376 size_t needed = SafeSNPrintf(out, out_sz,
377 #if defined(NDEBUG)
378 "A%2cong %s: %d %010X %d %p%7s", 'l', "string", "",
379 #else
380 "A%2cong %s: %%d %010X %d %p%7s", 'l', "string",
381 #endif
382 0xDEADBEEF, std::numeric_limits<intptr_t>::min(),
383 PrintLongString, static_cast<char*>(NULL)) + 1;
384
385 // Various sanity checks:
386 // The numbered of characters needed to print the full string should always
387 // be bigger or equal to the bytes that have actually been output.
388 len = strlen(tmp.get());
389 CHECK_GE(needed, len+1);
390
391 // The number of characters output should always fit into the buffer that
392 // was passed into SafeSPrintf().
393 CHECK_LT(len, out_sz);
394
395 // The output is always terminated with a NUL byte (actually, this test is
396 // always going to pass, as strlen() already verified this)
397 EXPECT_FALSE(tmp[len]);
398
399 // ASAN can check that we are not overwriting buffers, iff we make sure the
400 // buffer is exactly the size that we are expecting to be written. After
401 // running SafeSNPrintf() the first time, it is possible to compute the
402 // correct buffer size for this test. So, allocate a second buffer and run
403 // the exact same SafeSNPrintf() command again.
404 if (!perfect_buf.get()) {
405 out_sz = std::min(needed, sz);
406 out = new char[out_sz];
407 perfect_buf.reset(out);
408 } else {
409 break;
410 }
411 }
412
413 // All trailing bytes are unchanged.
414 for (size_t i = len+1; i < sz+2; ++i)
415 EXPECT_EQ('X', tmp[i]);
416
417 // The text that was generated by SafeSPrintf() should always match the
418 // equivalent text generated by sprintf(). Please note that the format
419 // string for sprintf() is not complicated, as it does not have the
420 // benefit of getting type information from the C++ compiler.
421 //
422 // N.B.: It would be so much cleaner to use snprintf(). But unfortunately,
423 // Visual Studio doesn't support this function, and the work-arounds
424 // are all really awkward.
425 char ref[256];
426 CHECK_LE(sz, sizeof(ref));
427 sprintf(ref, "A long string: %%d 00DEADBEEF %lld 0x%llX <NULL>",
428 static_cast<long long>(std::numeric_limits<intptr_t>::min()),
429 static_cast<unsigned long long>(
430 reinterpret_cast<uintptr_t>(PrintLongString)));
431 ref[sz-1] = '\000';
432
433 #if defined(NDEBUG)
434 const size_t kSSizeMax = std::numeric_limits<ssize_t>::max();
435 #else
436 const size_t kSSizeMax = internal::GetSafeSPrintfSSizeMaxForTest();
437 #endif
438
439 // Compare the output from SafeSPrintf() to the one from sprintf().
440 EXPECT_EQ(std::string(ref).substr(0, kSSizeMax-1), std::string(tmp.get()));
441
442 // We allocated a slightly larger buffer, so that we could perform some
443 // extra sanity checks. Now that the tests have all passed, we copy the
444 // data to the output buffer that the caller provided.
445 memcpy(buf, tmp.get(), len+1);
446 }
447
448 #if !defined(NDEBUG)
449 class ScopedSafeSPrintfSSizeMaxSetter {
450 public:
451 ScopedSafeSPrintfSSizeMaxSetter(size_t sz) {
452 old_ssize_max_ = internal::GetSafeSPrintfSSizeMaxForTest();
453 internal::SetSafeSPrintfSSizeMaxForTest(sz);
454 }
455
456 ~ScopedSafeSPrintfSSizeMaxSetter() {
457 internal::SetSafeSPrintfSSizeMaxForTest(old_ssize_max_);
458 }
459
460 private:
461 size_t old_ssize_max_;
462
463 DISALLOW_COPY_AND_ASSIGN(ScopedSafeSPrintfSSizeMaxSetter);
464 };
465 #endif
466
467 } // anonymous namespace
468
469 TEST(SafeSPrintfTest, Truncation) {
470 // We use PrintLongString() to print a complex long string and then
471 // truncate to all possible lengths. This ends up exercising a lot of
472 // different code paths in SafeSPrintf() and IToASCII(), as truncation can
473 // happen in a lot of different states.
474 char ref[256];
475 PrintLongString(ref, sizeof(ref));
476 for (size_t i = strlen(ref)+1; i; --i) {
477 char buf[sizeof(ref)];
478 PrintLongString(buf, i);
479 EXPECT_EQ(std::string(ref, i - 1), std::string(buf));
480 }
481
482 // When compiling in debug mode, we have the ability to fake a small
483 // upper limit for the maximum value that can be stored in an ssize_t.
484 // SafeSPrintf() uses this upper limit to determine how many bytes it will
485 // write to the buffer, even if the caller claimed a bigger buffer size.
486 // Repeat the truncation test and verify that this other code path in
487 // SafeSPrintf() works correctly, too.
488 #if !defined(NDEBUG)
489 for (size_t i = strlen(ref)+1; i > 1; --i) {
490 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(i);
491 char buf[sizeof(ref)];
492 PrintLongString(buf, sizeof(buf));
493 EXPECT_EQ(std::string(ref, i - 1), std::string(buf));
494 }
495
496 // kSSizeMax is also used to constrain the maximum amount of padding, before
497 // SafeSPrintf() detects an error in the format string.
498 ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(100);
499 char buf[256];
500 EXPECT_EQ(99, SafeSPrintf(buf, "%99c", ' '));
501 EXPECT_EQ(std::string(99, ' '), std::string(buf));
502 *buf = '\000';
503 #if defined(ALLOW_DEATH_TEST)
504 EXPECT_DEATH(SafeSPrintf(buf, "%100c", ' '), "padding <= max_padding");
505 #endif
506 EXPECT_EQ(0, *buf);
507 #endif
508 }
509
510 TEST(SafeSPrintfTest, Padding) {
511 char buf[40], fmt[40];
512
513 // Chars %c
514 EXPECT_EQ(1, SafeSPrintf(buf, "%c", 'A'));
515 EXPECT_EQ("A", std::string(buf));
516 EXPECT_EQ(2, SafeSPrintf(buf, "%2c", 'A'));
517 EXPECT_EQ(" A", std::string(buf));
518 EXPECT_EQ(2, SafeSPrintf(buf, "%02c", 'A'));
519 EXPECT_EQ(" A", std::string(buf));
520 EXPECT_EQ(4, SafeSPrintf(buf, "%-2c", 'A'));
521 EXPECT_EQ("%-2c", std::string(buf));
522 SafeSPrintf(fmt, "%%%dc", std::numeric_limits<ssize_t>::max() - 1);
523 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, SafeSPrintf(buf, fmt, 'A'));
524 SafeSPrintf(fmt, "%%%dc",
525 static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
526 #if defined(NDEBUG)
527 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 'A'));
528 EXPECT_EQ("%c", std::string(buf));
529 #elif defined(ALLOW_DEATH_TEST)
530 EXPECT_DEATH(SafeSPrintf(buf, fmt, 'A'), "padding <= max_padding");
531 #endif
532
533 // Octal %o
534 EXPECT_EQ(1, SafeSPrintf(buf, "%o", 1));
535 EXPECT_EQ("1", std::string(buf));
536 EXPECT_EQ(2, SafeSPrintf(buf, "%2o", 1));
537 EXPECT_EQ(" 1", std::string(buf));
538 EXPECT_EQ(2, SafeSPrintf(buf, "%02o", 1));
539 EXPECT_EQ("01", std::string(buf));
540 EXPECT_EQ(12, SafeSPrintf(buf, "%12o", -1));
541 EXPECT_EQ(" 37777777777", std::string(buf));
542 EXPECT_EQ(12, SafeSPrintf(buf, "%012o", -1));
543 EXPECT_EQ("037777777777", std::string(buf));
544 EXPECT_EQ(23, SafeSPrintf(buf, "%23o", -1LL));
545 EXPECT_EQ(" 1777777777777777777777", std::string(buf));
546 EXPECT_EQ(23, SafeSPrintf(buf, "%023o", -1LL));
547 EXPECT_EQ("01777777777777777777777", std::string(buf));
548 EXPECT_EQ(3, SafeSPrintf(buf, "%2o", 0111));
549 EXPECT_EQ("111", std::string(buf));
550 EXPECT_EQ(4, SafeSPrintf(buf, "%-2o", 1));
551 EXPECT_EQ("%-2o", std::string(buf));
552 SafeSPrintf(fmt, "%%%do", std::numeric_limits<ssize_t>::max()-1);
553 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
554 SafeSNPrintf(buf, 4, fmt, 1));
555 EXPECT_EQ(" ", std::string(buf));
556 SafeSPrintf(fmt, "%%0%do", std::numeric_limits<ssize_t>::max()-1);
557 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
558 SafeSNPrintf(buf, 4, fmt, 1));
559 EXPECT_EQ("000", std::string(buf));
560 SafeSPrintf(fmt, "%%%do",
561 static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
562 #if defined(NDEBUG)
563 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
564 EXPECT_EQ("%o", std::string(buf));
565 #elif defined(ALLOW_DEATH_TEST)
566 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
567 #endif
568
569 // Decimals %d
570 EXPECT_EQ(1, SafeSPrintf(buf, "%d", 1));
571 EXPECT_EQ("1", std::string(buf));
572 EXPECT_EQ(2, SafeSPrintf(buf, "%2d", 1));
573 EXPECT_EQ(" 1", std::string(buf));
574 EXPECT_EQ(2, SafeSPrintf(buf, "%02d", 1));
575 EXPECT_EQ("01", std::string(buf));
576 EXPECT_EQ(3, SafeSPrintf(buf, "%3d", -1));
577 EXPECT_EQ(" -1", std::string(buf));
578 EXPECT_EQ(3, SafeSPrintf(buf, "%03d", -1));
579 EXPECT_EQ("-01", std::string(buf));
580 EXPECT_EQ(3, SafeSPrintf(buf, "%2d", 111));
581 EXPECT_EQ("111", std::string(buf));
582 EXPECT_EQ(4, SafeSPrintf(buf, "%2d", -111));
583 EXPECT_EQ("-111", std::string(buf));
584 EXPECT_EQ(4, SafeSPrintf(buf, "%-2d", 1));
585 EXPECT_EQ("%-2d", std::string(buf));
586 SafeSPrintf(fmt, "%%%dd", std::numeric_limits<ssize_t>::max()-1);
587 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
588 SafeSNPrintf(buf, 4, fmt, 1));
589 EXPECT_EQ(" ", std::string(buf));
590 SafeSPrintf(fmt, "%%0%dd", std::numeric_limits<ssize_t>::max()-1);
591 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
592 SafeSNPrintf(buf, 4, fmt, 1));
593 EXPECT_EQ("000", std::string(buf));
594 SafeSPrintf(fmt, "%%%dd",
595 static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
596 #if defined(NDEBUG)
597 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
598 EXPECT_EQ("%d", std::string(buf));
599 #elif defined(ALLOW_DEATH_TEST)
600 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
601 #endif
602
603 // Hex %X
604 EXPECT_EQ(1, SafeSPrintf(buf, "%X", 1));
605 EXPECT_EQ("1", std::string(buf));
606 EXPECT_EQ(2, SafeSPrintf(buf, "%2X", 1));
607 EXPECT_EQ(" 1", std::string(buf));
608 EXPECT_EQ(2, SafeSPrintf(buf, "%02X", 1));
609 EXPECT_EQ("01", std::string(buf));
610 EXPECT_EQ(9, SafeSPrintf(buf, "%9X", -1));
611 EXPECT_EQ(" FFFFFFFF", std::string(buf));
612 EXPECT_EQ(9, SafeSPrintf(buf, "%09X", -1));
613 EXPECT_EQ("0FFFFFFFF", std::string(buf));
614 EXPECT_EQ(17, SafeSPrintf(buf, "%17X", -1LL));
615 EXPECT_EQ(" FFFFFFFFFFFFFFFF", std::string(buf));
616 EXPECT_EQ(17, SafeSPrintf(buf, "%017X", -1LL));
617 EXPECT_EQ("0FFFFFFFFFFFFFFFF", std::string(buf));
618 EXPECT_EQ(3, SafeSPrintf(buf, "%2X", 0x111));
619 EXPECT_EQ("111", std::string(buf));
620 EXPECT_EQ(4, SafeSPrintf(buf, "%-2X", 1));
621 EXPECT_EQ("%-2X", std::string(buf));
622 SafeSPrintf(fmt, "%%%dX", std::numeric_limits<ssize_t>::max()-1);
623 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
624 SafeSNPrintf(buf, 4, fmt, 1));
625 EXPECT_EQ(" ", std::string(buf));
626 SafeSPrintf(fmt, "%%0%dX", std::numeric_limits<ssize_t>::max()-1);
627 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
628 SafeSNPrintf(buf, 4, fmt, 1));
629 EXPECT_EQ("000", std::string(buf));
630 SafeSPrintf(fmt, "%%%dX",
631 static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
632 #if defined(NDEBUG)
633 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
634 EXPECT_EQ("%X", std::string(buf));
635 #elif defined(ALLOW_DEATH_TEST)
636 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
637 #endif
638
639 // Pointer %p
640 EXPECT_EQ(3, SafeSPrintf(buf, "%p", (void*)1));
641 EXPECT_EQ("0x1", std::string(buf));
642 EXPECT_EQ(4, SafeSPrintf(buf, "%4p", (void*)1));
643 EXPECT_EQ(" 0x1", std::string(buf));
644 EXPECT_EQ(4, SafeSPrintf(buf, "%04p", (void*)1));
645 EXPECT_EQ("0x01", std::string(buf));
646 EXPECT_EQ(5, SafeSPrintf(buf, "%4p", (void*)0x111));
647 EXPECT_EQ("0x111", std::string(buf));
648 EXPECT_EQ(4, SafeSPrintf(buf, "%-2p", (void*)1));
649 EXPECT_EQ("%-2p", std::string(buf));
650 SafeSPrintf(fmt, "%%%dp", std::numeric_limits<ssize_t>::max()-1);
651 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
652 SafeSNPrintf(buf, 4, fmt, (void*)1));
653 EXPECT_EQ(" ", std::string(buf));
654 SafeSPrintf(fmt, "%%0%dp", std::numeric_limits<ssize_t>::max()-1);
655 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
656 SafeSNPrintf(buf, 4, fmt, (void*)1));
657 EXPECT_EQ("0x0", std::string(buf));
658 SafeSPrintf(fmt, "%%%dp",
659 static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
660 #if defined(NDEBUG)
661 EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
662 EXPECT_EQ("%p", std::string(buf));
663 #elif defined(ALLOW_DEATH_TEST)
664 EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
665 #endif
666
667 // String
668 EXPECT_EQ(1, SafeSPrintf(buf, "%s", "A"));
669 EXPECT_EQ("A", std::string(buf));
670 EXPECT_EQ(2, SafeSPrintf(buf, "%2s", "A"));
671 EXPECT_EQ(" A", std::string(buf));
672 EXPECT_EQ(2, SafeSPrintf(buf, "%02s", "A"));
673 EXPECT_EQ(" A", std::string(buf));
674 EXPECT_EQ(3, SafeSPrintf(buf, "%2s", "AAA"));
675 EXPECT_EQ("AAA", std::string(buf));
676 EXPECT_EQ(4, SafeSPrintf(buf, "%-2s", "A"));
677 EXPECT_EQ("%-2s", std::string(buf));
678 SafeSPrintf(fmt, "%%%ds", std::numeric_limits<ssize_t>::max()-1);
679 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
680 SafeSNPrintf(buf, 4, fmt, "A"));
681 EXPECT_EQ(" ", std::string(buf));
682 SafeSPrintf(fmt, "%%0%ds", std::numeric_limits<ssize_t>::max()-1);
683 EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
684 SafeSNPrintf(buf, 4, fmt, "A"));
685 EXPECT_EQ(" ", std::string(buf));
686 SafeSPrintf(fmt, "%%%ds",
687 static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
688 #if defined(NDEBUG)
689 EXPECT_EQ(2, SafeSPrintf(buf, fmt, "A"));
690 EXPECT_EQ("%s", std::string(buf));
691 #elif defined(ALLOW_DEATH_TEST)
692 EXPECT_DEATH(SafeSPrintf(buf, fmt, "A"), "padding <= max_padding");
693 #endif
694 }
695
696 TEST(SafeSPrintfTest, EmbeddedNul) {
697 char buf[] = { 'X', 'X', 'X', 'X' };
698 EXPECT_EQ(2, SafeSPrintf(buf, "%3c", 0));
699 EXPECT_EQ(' ', buf[0]);
700 EXPECT_EQ(' ', buf[1]);
701 EXPECT_EQ(0, buf[2]);
702 EXPECT_EQ('X', buf[3]);
703
704 // Check handling of a NUL format character. N.B. this takes two different
705 // code paths depending on whether we are actually passing arguments. If
706 // we don't have any arguments, we are running in the fast-path code, that
707 // looks (almost) like a strncpy().
708 #if defined(NDEBUG)
709 EXPECT_EQ(2, SafeSPrintf(buf, "%%%"));
710 EXPECT_EQ("%%", std::string(buf));
711 EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0));
712 EXPECT_EQ("%%", std::string(buf));
713 #elif defined(ALLOW_DEATH_TEST)
714 EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'");
715 EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch");
716 #endif
717 }
718
719 TEST(SafeSPrintfTest, EmitNULL) {
720 char buf[40];
721 #if defined(__GNUC__)
722 #pragma GCC diagnostic push
723 #pragma GCC diagnostic ignored "-Wconversion-null"
724 #endif
725 EXPECT_EQ(1, SafeSPrintf(buf, "%d", NULL));
726 EXPECT_EQ("0", std::string(buf));
727 EXPECT_EQ(3, SafeSPrintf(buf, "%p", NULL));
728 EXPECT_EQ("0x0", std::string(buf));
729 EXPECT_EQ(6, SafeSPrintf(buf, "%s", NULL));
730 EXPECT_EQ("<NULL>", std::string(buf));
731 #if defined(__GCC__)
732 #pragma GCC diagnostic pop
733 #endif
734 }
735
736 TEST(SafeSPrintfTest, PointerSize) {
737 // The internal data representation is a 64bit value, independent of the
738 // native word size. We want to perform sign-extension for signed integers,
739 // but we want to avoid doing so for pointer types. This could be a
740 // problem on systems, where pointers are only 32bit. This tests verifies
741 // that there is no such problem.
742 char *str = reinterpret_cast<char *>(0x80000000u);
743 void *ptr = str;
744 char buf[40];
745 EXPECT_EQ(10, SafeSPrintf(buf, "%p", str));
746 EXPECT_EQ("0x80000000", std::string(buf));
747 EXPECT_EQ(10, SafeSPrintf(buf, "%p", ptr));
748 EXPECT_EQ("0x80000000", std::string(buf));
749 }
750
751 } // namespace strings
752 } // namespace base