Added a new SafeSPrintf() function that implements snprintf() in an async-safe-fashion

base/strings/safe_sprintf.h

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_STRINGS_SAFE_SPRINTF_H_
+#define BASE_STRINGS_SAFE_SPRINTF_H_
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#if defined(__unix__)
+// For ssize_t
+#include <unistd.h>
+#endif
+
+#include "base/base_export.h"
+#include "base/basictypes.h"
+
+namespace base {
+namespace strings {
+
+#if defined(_MSC_VER)
+// Define ssize_t inside of our namespace.
+#if defined(_WIN64)
+typedef __int64 ssize_t;
+#else
+typedef long ssize_t;
+#endif
+#endif
+
+// SafeSPrintf() is a type-safe and async-signal-safe version of snprintf().

[rvargas (doing something else), 2013/08/15 19:57:57]

Can we be more specific (or more general? dunno) with the documentation?

I mean, async-signal-safe, while a very specific concept, is also a POSIX
concept so it would mean that this code should live on a _posix file, etc.

Maybe something on the lines of being completely thread and exception safe? Or
something about CRT dependency?

[Markus (顧孟勤), 2013/08/15 20:31:20]

This is just the one-line summary. If you keep reading two more paragraphs, I go
into more detail. Is that sufficient? Or do you prefer I write this differently.

I am certainly happy to take input, as it is always hard to write comments that
people who are unfamiliar with the code appreciate.

As a best case, I'd love if you gave the exact wording that you think would help
you. But I am happy to work that out myself, if you give more details on why the
one-line summary and following paragraphs don't work well.

[rvargas (doing something else), 2013/08/15 21:38:47]

Yeah, I like the explicit phrasing of "guaranteed to make no library or system
calls", which is a superset of async-signal-safe. The thing that I don't like
that much is that there are four mentions of async-ss and only one of the actual
guarantees of the code.

It's probably just nit picking, but I would be happier if the one line summary
(the first thing a random user should see) contained that bit about being self
contained code. I think it clears expectations right away (and self contained
code is the characteristic that we want to preserve on future additions to this
code, right?).

How about

SafeSPrintf() is a type-safe and completely self-contained version of
snprintf().

Or maybe saying right away that doesn't make library or system calls?

[Markus (顧孟勤), 2013/08/15 21:46:54]

Done.

OK, I tweaked the comments a little more. I liked your suggestion about
"completely self-contained". That certainly makes sense both for POSIX and for
Windows programmers :-)

+//
+// SafeSNPrintf() is an alternative function signature that can be used when
+// not dealing with fixed-sized buffers. When possible, SafeSPrintf() should
+// always be used instead of SafeSNPrintf()
+//
+// These functions allow for formatting complicated messages from contexts that
+// require strict async-signal-safety. In fact, it is safe to call them from
+// any low-level execution context, as they are guaranteed to make no library
+// or system calls.
+//
+// The only exception to this rule is that in debug builds the code calls
+// RAW_CHECK() to help diagnose problems when the format string does not
+// match the rest of the arguments. In release builds, no CHECK()s are used,
+// and SafeSPrintf() instead returns an output string that expands only
+// those arguments that match their format characters. Mismatched arguments
+// are ignored.
+//
+// The code currently only supports a subset of format characters:
+//   %c, %o, %d, %x, %X, %p, and %s.
+//
+// SafeSPrintf() aims to be as liberal as reasonably possible. Integer-like
+// values of arbitrary width can be passed to all of the format characters
+// that expect integers. Thus, it is explicitly legal to pass an "int" to
+// "%c", and output will automatically look at the LSB only. It is also
+// explicitly legal to pass either signed or unsigned values, and the format
+// characters will automatically interpret the arguments accordingly.
+//
+// It is still not legal to mix-and-match integer-like values with pointer
+// values. For instance, you cannot pass a pointer to %x, nor can you pass an
+// integer to %p.
+//
+// The one exception is "0" zero being accepted by "%p". This works-around
+// the problem of C++ defining NULL as an integer-like value.
+//
+// All format characters take an optional width parameter. This must be a
+// positive integer. For %d, %o, %x, %X and %p, if the width starts with
+// a leading '0', padding is done with '0' instead of ' ' characters.
+//
+// There are a few features of snprintf()-style format strings, that
+// SafeSPrintf() does not support at this time.
+//
+// If an actual user showed up, there is no particularly strong reason they
+// couldn't be added. But that assumes that the trade-offs between complexity
+// and utility are favorable.
+//
+// For example, adding support for negative padding widths, and for %n are all
+// likely to be viewed positively. They are all clearly useful, low-risk, easy
+// to test, don't jeopardize the async-signal-safety of the code, and overall
+// have little impact on other parts of SafeSPrintf() function.
+//
+// On the other hands, adding support for alternate forms, positional
+// arguments, grouping, wide characters, localization or floating point numbers
+// are all unlikely to ever be added.
+//
+// SafeSPrintf() and SafeSNPrintf() mimic the behavior of snprintf() and they
+// return the number of bytes needed to store the untruncated output. This
+// does *not* include the terminating NUL byte.
+//
+// They return -1, iff a fatal error happened. This typically can only happen,
+// if the buffer size is a) negative, or b) zero (i.e. not even the NUL byte
+// can be written). The return value can never be larger than SSIZE_MAX-1.
+// This ensures that the caller can always add one to the signed return code
+// in order to determine the amount of storage that needs to be allocated.
+//
+// While the code supports type checking and while it is generally very careful
+// to avoid printing incorrect values, it tends to be conservative in printing
+// as much as possible, even when given incorrect parameters. Typically, in
+// case of an error, the format string will not be expanded. (i.e. something
+// like SafeSPrintf(buf, "%p %d", 1, 2) results in "%p 2"). See above for
+// the use of RAW_CHECK() in debug builds, though.
+//
+// The pre-C++11 version cannot handle more than ten arguments.
+//
+// Basic example:
+//   char buf[20];
+//   base::strings::SafeSPrintf(buf, "The answer: %2d", 42);
+//
+// Example with dynamically sized buffer (async-signal-safe). This code won't
+// work on Visual studio, as it requires dynamically allocating arrays on the
+// stack. Consider picking a smaller value for |kMaxSize| if stack size is
+// limited and known. On the other hand, if the parameters to SafeSNPrintf()
+// are trusted and not controllable by the user, you can consider eliminating
+// the check for |kMaxSize| altogether. The current value of SSIZE_MAX is
+// essentially a no-op that just illustrates how to implement an upper bound:
+//   const size_t kInitialSize = 128;
+//   const size_t kMaxSize = std::numeric_limits<ssize_t>::max();
+//   size_t sz = kInitialSize;

[rvargas (doing something else), 2013/08/15 19:57:57]

nit: I know this is just an example, but do you mind using a regular variable
name?

[Markus (顧孟勤), 2013/08/15 20:31:20]

I renamed it to "size". Is that better?

[rvargas (doing something else), 2013/08/15 21:38:47]

Totally :)

+//   for (;;) {
+//     char buf[sz];
+//     sz = SafeSNPrintf(buf, sz, "Error message \"%s\"\n", err) + 1;
+//     if (sizeof(buf) < kMaxSize && sz > kMaxSize) {
+//       sz = kMaxSize;
+//       continue;
+//     } else if (sz > sizeof(buf))
+//       continue;
+//     write(2, buf, sz-1);
+//     break;
+//   }
+
+namespace internal {
+// Helpers that use C++ overloading, templates, and specializations to deduce
+// and record type information from function arguments. This allows us to
+// later write a type-safe version of snprintf().
+
+struct Arg {
+  enum Type { INT, UINT, STRING, POINTER };
+
+  // Any integer-like value.
+  Arg(signed char c)        : i(c), width(sizeof(char)),      type(INT)  { }
+  Arg(unsigned char c)      : i(c), width(sizeof(char)),      type(UINT) { }
+  Arg(signed short j)       : i(j), width(sizeof(short)),     type(INT)  { }
+  Arg(unsigned short j)     : i(j), width(sizeof(short)),     type(UINT) { }
+  Arg(signed int j)         : i(j), width(sizeof(int)),       type(INT)  { }
+  Arg(unsigned int j)       : i(j), width(sizeof(int)),       type(UINT) { }
+  Arg(signed long j)        : i(j), width(sizeof(long)),      type(INT)  { }
+  Arg(unsigned long j)      : i(j), width(sizeof(long)),      type(UINT) { }
+  Arg(signed long long j)   : i(j), width(sizeof(long long)), type(INT)  { }
+  Arg(unsigned long long j) : i(j), width(sizeof(long long)), type(UINT) { }
+
+  // A C-style text string.
+  Arg(const char* s) : str(s), type(STRING) { }
+  Arg(char* s)       : str(s), type(STRING) { }
+
+  // Any pointer value that can be cast to a "void*".
+  template<class T> Arg(T* p) : ptr((void*)p), type(POINTER) { }
+
+  union {
+    // An integer-like value.
+    struct {
+      int64_t       i;
+      unsigned char width;
+    };
+
+    // A C-style text string.
+    const char* str;
+
+    // A pointer to an arbitrary object.
+    const void* ptr;
+  };
+  const enum Type type;
+};
+
+// This is the internal function that performs the actual formatting of
+// an snprintf()-style format string.
+BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt,
+                            const Arg* args, size_t max_args);
+
+#if !defined(NDEBUG)
+// In debug builds, allow unit tests to artificially lower the kSSizeMax
+// constant that is used as a hard upper-bound for all buffers. In normal
+// use, this constant should always be std::numeric_limits<ssize_t>::max().
+BASE_EXPORT void SetSafeSPrintfSSizeMax(size_t max);

[rvargas (doing something else), 2013/08/15 19:57:57]

If these are use only for tests they should be named FooForTest.
Why debug only? Having tests do the same on debug and release is a good thing
(but I have not looked at the tests so there may be a good reason there to do
something different for debug builds).

[Markus (顧孟勤), 2013/08/15 20:31:20]

Ah, learned something new :-) I had seen other code use the "internal" namespace
without the "...ForTest". So, that's what I did as well. But of course, your
suggestion makes even more sense.


[ gory details and policy decisions ahead; feel free to skip ]

As for the "debug-builds-only issue", you are touching a tricky topic. Our API
guarantees that we never make any library or system calls and that we don't even
touch "errno", as there are certainly users who would not be able to tolerate
any of these. On the other hand, for debugging purposes, we would really like to
use CHECK() (or more likely, RAWCHECK()).

We finally compromised. In debug builds, we call RAWCHECK() if things look
really wrong. For many developers, this is going to result in better diagnostics
than just continuing. For some developers, it results in hangs or crashes, but
for a pure debug build that's tolerable.

For production builds, none of this is really an option. We just don't have a
way to report exceptional error conditions, as that would violate the promise
that we make in our API description. Instead, we specify a well-defined behavior
for how we return "degraded" results. See the comments above on: not expanding
arguments that have mismatching types.

In practice, this is actually quite desirable behavior for many users. E.g.
SafeSPrintf() might be used in the implementation of a crash reporting API. In
that case, a degraded result is still useful at pointing to the root cause of
the crash. But a crash report from inside SafeSPrintf() wouldn't be.

The upshot of all of this is that our unittests need to test two slightly
different error handling paths depending on whether they are build as a release
or as a debug build.

[rvargas (doing something else), 2013/08/15 21:38:47]

I suspected something along those lines... I saw the RAWCHECK code, and it makes
sense to be more helpful in debug builds. So if the tests are making sure the
debug code works that is fine. It was easier to ask :)

Isn't it possible to double check the intended (release) behavior when
simulating a lower limit? Maybe that doesn't make sense, and/or the test
coverage is good enough as is... there is value in not having code compiled into
the released product :)

In any case, I'm happy with your decision.

+BASE_EXPORT size_t GetSafeSPrintfSSizeMax();
+#endif
+
+}  // namespace internal
+
+#if __cplusplus >= 201103  // C++11
+
+template<typename... Args>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, Args... args) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { args... };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, typename... Args>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, Args... args) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { args... };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+#else  // Pre-C++11
+
+// TODO(markus): C++11 has a much more concise and readable solution for
+//   expressing what we are doing here. Delete the fall-back code for older
+//   compilers as soon as we have fully switched to C++11.
+
+template<class T0, class T1, class T2, class T3, class T4,
+         class T5, class T6, class T7, class T8, class T9>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                     T5 arg5, T6 arg6, T7 arg7, T8 arg8, T9 arg9) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4,
+         class T5, class T6, class T7, class T8, class T9>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                    T5 arg5, T6 arg6, T7 arg7, T8 arg8, T9 arg9) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4,
+         class T5, class T6, class T7, class T8>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                     T5 arg5, T6 arg6, T7 arg7, T8 arg8) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6, class T7, class T8>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                    T5 arg5, T6 arg6, T7 arg7, T8 arg8) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6, class T7>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                     T5 arg5, T6 arg6, T7 arg7) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6, class T7>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                    T5 arg5, T6 arg6, T7 arg7) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                     T5 arg5, T6 arg6) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5,
+                    T6 arg6) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4, class T5>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4, arg5 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4, class T5>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4, arg5 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0, class T1, class T2, class T3, class T4>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1,
+                    T2 arg2, T3 arg3, T4 arg4) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0, class T1, class T2, class T3>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0, class T1, class T2>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1,
+                    T2 arg2) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, T0 arg0, T1 arg1) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0, class T1>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, T0 arg0) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, T0 arg0) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+#endif
+
+// Fast-path when we don't actually need to substitute any arguments.
+BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt);
+template<size_t N>
+inline ssize_t SafeSPrintf(char (&buf)[N], const char* fmt) {
+  return SafeSNPrintf(buf, N, fmt);
+}
+
+}  // namespace strings
+}  // namespace base
+
+#endif  // BASE_STRINGS_SAFE_SPRINTF_H_