OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 // | |
5 // Author: markus@chromium.org | |
6 | |
7 #include "base/strings/safe_string_printf.h" | |
8 | |
9 #include <limits> | |
10 | |
11 #if !defined(NDEBUG) | |
12 // In debug builds, we use RAW_CHECK() to print useful error messages, if | |
13 // SafeSPrintf() is called with broken arguments. | |
14 // As our contract promises that SafeSPrintf() can be called from any | |
15 // restricted run-time context, it is not actually safe to call logging | |
16 // functions from it; and we only ever do so for debug builds and hope for the | |
17 // best. We should _never_ call any logging function other than RAW_CHECK(), | |
18 // and we should _never_ include any logging code that is active in production | |
19 // builds. Most notably, we should not include these logging functions in | |
20 // unofficial release builds, even though those builds would otherwise have | |
21 // DCHECKS() enabled. | |
22 // In other words; please do not remove the #ifdef around this #include. | |
23 // Instead, in production builds we opt for returning a degraded result, | |
24 // whenever an error is encountered. | |
25 // E.g. The broken function call | |
26 // SafeSPrintf("errno = %d (%x)", errno, strerror(errno)) | |
27 // will print something like | |
28 // errno = 13, (%x) | |
29 // instead of | |
30 // errno = 13 (Access denied) | |
31 // In most of the anticipated use cases, that's probably the preferred | |
32 // behavior. | |
33 #include "base/logging.h" | |
34 #define DEBUG_CHECK RAW_CHECK | |
35 #else | |
36 #define DEBUG_CHECK(x) do { if (x) { } } while (0) | |
37 #endif | |
38 | |
39 namespace base { | |
40 namespace strings { | |
41 | |
42 // The code in this file is extremely careful to be async-signal-safe. | |
43 // | |
44 // Most obviously, we avoid calling any code that could dynamically allocate | |
45 // memory. Doing so would almost certainly result in bugs and dead-locks. | |
46 // We also avoid calling any other STL functions that could have unintended | |
47 // side-effects involving memory allocation or access to other shared | |
48 // resources. | |
49 // | |
50 // But on top of that, we also avoid calling other library functions, as many | |
51 // of them have the side-effect of calling getenv() (in order to deal with | |
52 // localization) or accessing errno. The latter sounds benign, but there are | |
53 // several execution contexts where it isn't even possible to safely read let | |
54 // alone write errno. | |
55 // | |
56 // The stated design goal of the SafeSPrintf() function is that it can be | |
57 // called from any context that can safely call C or C++ code (i.e. anything | |
58 // that doesn't require assembly code). | |
59 // | |
60 // For a brief overview of some but not all of the issues with async-signal- | |
61 // safety, refer to: | |
62 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html | |
63 | |
64 namespace { | |
65 const size_t kSSizeMaxConst = ((size_t)(ssize_t)-1) >> 1; | |
willchan no longer on Chromium
2013/08/15 07:36:18
No indentation needed
Markus (顧孟勤)
2013/08/15 08:20:46
Done.
| |
66 | |
67 const char kUpCaseHexDigits[] = "0123456789ABCDEF"; | |
68 const char kDownCaseHexDigits[] = "0123456789abcdef"; | |
69 } | |
70 | |
71 #if defined(NDEBUG) | |
willchan no longer on Chromium
2013/08/15 07:36:18
Why don't these preprocessor blocks just move into
Markus (顧孟勤)
2013/08/15 08:20:46
The #else clause has blocks that need to be in the
| |
72 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(), | |
73 // but C++ doesn't allow us to do that for constants. Instead, we have to | |
74 // use careful casting and shifting. We later use a COMPILE_ASSERT to | |
75 // verify that this worked correctly. | |
76 namespace { | |
77 const size_t kSSizeMax = kSSizeMaxConst; | |
78 } | |
79 #else // defined(NDEBUG) | |
80 // For efficiency, we really need kSSizeMax to be a constant. But for unit | |
81 // tests, it should be adjustable. This allows us to verify edge cases without | |
82 // having to fill the entire available address space. As a compromise, we make | |
83 // kSSizeMax adjustable in debug builds, and then only compile that particular | |
84 // part of the unit test in debug builds. | |
85 namespace { | |
86 static size_t kSSizeMax = kSSizeMaxConst; | |
87 } | |
88 | |
89 namespace internal { | |
90 void SetSafeSPrintfSSizeMax(size_t max) { | |
91 kSSizeMax = max; | |
92 } | |
93 | |
94 size_t GetSafeSPrintfSSizeMax() { | |
95 return kSSizeMax; | |
96 } | |
97 } | |
98 #endif // defined(NDEBUG) | |
99 | |
100 namespace { | |
101 class Buffer { | |
102 public: | |
103 // |buffer| is caller-allocated storage that SafeSPrintf() writes to. It | |
104 // has |size| bytes of writable storage. It is the caller's responsibility | |
105 // to ensure that the buffer is at least one byte in size, so that it fits | |
106 // the trailing NUL that will be added by the destructor. The buffer also | |
107 // must be smaller or equal to kSSizeMax in size. | |
108 Buffer(char* buffer, size_t size) | |
109 : buffer_(buffer), | |
110 size_(size - 1), // Account for trailing NUL byte | |
111 count_(0) { | |
112 // This test should work on all C++11 compilers, but apparently something is | |
113 // not working on all versions of clang just yet (e.g. on Mac, IOS, and | |
114 // Android). We are conservative and exclude all of clang for the time being. | |
115 // TODO(markus): Check if this restriction can be lifted. | |
116 #if __cplusplus >= 201103 && !defined(__clang__) | |
117 COMPILE_ASSERT(kSSizeMaxConst == std::numeric_limits<ssize_t>::max(), | |
118 kSSizeMax_is_the_max_value_of_an_ssize_t); | |
119 #endif | |
120 DEBUG_CHECK(size > 0); | |
121 DEBUG_CHECK(size <= kSSizeMax); | |
122 } | |
123 | |
124 ~Buffer() { | |
125 // The code calling the constructor guaranteed that there was enough space | |
126 // to store a trailing NUL -- and in debug builds, we are actually | |
127 // verifying this with DEBUG_CHECK()s in the constructor. So, we can | |
128 // always unconditionally write the NUL byte in the destructor. We do not | |
129 // need to adjust the count_, as SafeSPrintf() copies snprintf() in not | |
130 // including the NUL byte in its return code. | |
131 *GetInsertionPoint() = '\000'; | |
132 } | |
133 | |
134 // Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The | |
135 // caller can now stop adding more data, as GetCount() has reached its | |
136 // maximum possible value. | |
137 inline bool OutOfAddressableSpace() const { | |
138 return count_ == static_cast<size_t>(kSSizeMax - 1); | |
139 } | |
140 | |
141 // Returns the number of bytes that would have been emitted to |buffer_| | |
142 // if it was sized sufficiently large. This number can be larger than | |
143 // |size_|, if the caller provided an insufficiently large output buffer. | |
144 // But it will never be bigger than |kSSizeMax-1|. | |
145 inline ssize_t GetCount() const { | |
146 DEBUG_CHECK(count_ < kSSizeMax); | |
147 return static_cast<ssize_t>(count_); | |
148 } | |
149 | |
150 // Emits one |ch| character into the |buffer_| and updates the |count_| of | |
151 // characters that are currently supposed to be in the buffer. | |
152 // Returns "false", iff the buffer was already full. | |
153 // N.B. |count_| increases even if no characters have been written. This is | |
154 // needed so that GetCount() can return the number of bytes that should | |
155 // have been allocated for the |buffer_|. | |
156 inline bool Out(char ch) { | |
157 if (size_ >= 1 && count_ < size_) { | |
158 buffer_[count_] = ch; | |
159 return IncrementCountByOne(); | |
160 } | |
161 // |count_| still needs to be updated, even if the buffer has been | |
162 // filled completely. This allows SafeSPrintf() to return the number of | |
163 // bytes that should have been emitted. | |
164 IncrementCountByOne(); | |
165 return false; | |
166 } | |
167 | |
168 // Inserts |padding|-|len| bytes worth of padding into the |buffer_|. | |
169 // |count_| will also be incremented by the number of bytes that were meant | |
170 // to be emitted. The |pad| character is typically either a ' ' space | |
171 // or a '0' zero, but other non-NUL values are legal. | |
172 // Returns "false", iff the the |buffer_| filled up (i.e. |count_| | |
173 // overflowed |size_|) at any time during padding. | |
174 inline bool Pad(char pad, size_t padding, size_t len) { | |
175 DEBUG_CHECK(pad); | |
176 DEBUG_CHECK(padding >= 0 && padding <= kSSizeMax); | |
177 DEBUG_CHECK(len >= 0); | |
178 for (; padding > len; --padding) { | |
179 if (!Out(pad)) { | |
180 if (--padding) { | |
181 IncrementCount(padding-len); | |
182 } | |
183 return false; | |
184 } | |
185 } | |
186 return true; | |
187 } | |
188 | |
189 // POSIX doesn't define any async-signal-safe function for converting | |
190 // an integer to ASCII. Define our own version. | |
191 // | |
192 // This also gives us the ability to make the function a little more | |
193 // powerful and have it deal with |padding|, with truncation, and with | |
194 // predicting the length of the untruncated output. | |
195 // | |
196 // IToASCII() converts an integer |i| to ASCII. | |
197 // | |
198 // Unlike similar functions in the standard C library, it never appends a | |
199 // NUL character. This is left for the caller to do. | |
200 // | |
201 // While the function signature takes a signed int64_t, the code decides at | |
202 // run-time whether to treat the argument as signed (int64_t) or as unsigned | |
203 // (uint64_t) based on the value of |sign|. | |
204 // | |
205 // It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have | |
206 // a |sign|. Otherwise, |i| is treated as unsigned. | |
207 // | |
208 // For bases larger than 10, |upcase| decides whether lower-case or upper- | |
209 // case letters should be used to designate digits greater than 10. | |
210 // | |
211 // Padding can be done with either '0' zeros or ' ' spaces. Padding has to | |
212 // be positive and will always be applied to the left of the output. | |
213 // | |
214 // Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to | |
215 // the left of |padding|, if |pad| is '0'; and to the right of |padding| | |
216 // if |pad| is ' '. | |
217 // | |
218 // Returns "false", if the |buffer_| overflowed at any time. | |
219 bool IToASCII(bool sign, bool upcase, int64_t i, int base, | |
220 char pad, size_t padding, const char* prefix); | |
221 | |
222 private: | |
223 // Increments |count_| by |inc| unless this would cause |count_| to | |
224 // overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected; | |
225 // it then clamps |count_| to |kSSizeMax-1|. | |
226 inline bool IncrementCount(size_t inc) { | |
227 // "inc" is either 1 or a "padding" value. Padding is clamped at | |
228 // run-time to at most kSSizeMax-1. So, we know that "inc" is always in | |
229 // the range 1..kSSizeMax-1. | |
230 // This allows us to compute "kSSizeMax - 1 - inc" without incurring any | |
231 // integer overflows. | |
232 DEBUG_CHECK(inc <= kSSizeMax - 1); | |
233 if (count_ > kSSizeMax - 1 - inc) { | |
234 count_ = kSSizeMax - 1; | |
235 return false; | |
236 } else { | |
237 count_ += inc; | |
238 return true; | |
239 } | |
240 } | |
241 | |
242 // Convenience method for the common case of incrementing |count_| by one. | |
243 inline bool IncrementCountByOne() { | |
244 return IncrementCount(1); | |
245 } | |
246 | |
247 // Return the current insertion point into the buffer. This is typically | |
248 // at |buffer_| + |count_|, but could be before that if truncation | |
249 // happened. It always points to one byte past the last byte that was | |
250 // successfully placed into the |buffer_|. | |
251 inline char* GetInsertionPoint() const { | |
252 size_t idx = count_; | |
253 if (idx > size_) { | |
254 idx = size_; | |
255 } | |
256 return buffer_ + idx; | |
257 } | |
258 | |
259 // User-provided buffer that will receive the fully formatted output string. | |
260 char* buffer_; | |
261 | |
262 // Number of bytes that are available in the buffer excluding the trailing | |
263 // NUL byte that will be added by the destructor. | |
264 const size_t size_; | |
265 | |
266 // Number of bytes that would have been emitted to the buffer, if the buffer | |
267 // was sufficiently big. This number always excludes the trailing NUL byte | |
268 // and it is guaranteed to never grow bigger than kSSizeMax-1. | |
269 size_t count_; | |
270 | |
271 DISALLOW_COPY_AND_ASSIGN(Buffer); | |
272 }; | |
273 | |
274 | |
275 bool Buffer::IToASCII(bool sign, bool upcase, int64_t i, int base, | |
276 char pad, size_t padding, const char* prefix) { | |
277 // Sanity check for parameters. None of these should ever fail, but see | |
278 // above for the rationale why we can't call CHECK(). | |
279 DEBUG_CHECK(base >= 2); | |
280 DEBUG_CHECK(base <= 16); | |
281 DEBUG_CHECK(!sign || base == 10); | |
282 DEBUG_CHECK(pad == '0' || pad == ' '); | |
283 DEBUG_CHECK(padding >= 0); | |
284 DEBUG_CHECK(padding <= kSSizeMax); | |
285 DEBUG_CHECK(!(sign && prefix && *prefix)); | |
286 | |
287 // Handle negative numbers, if the caller indicated that |i| should be | |
288 // treated as a signed number; otherwise treat |i| as unsigned (even if the | |
289 // MSB is set!) | |
290 // Details are tricky, because of limited data-types, but equivalent pseudo- | |
291 // code would look like: | |
292 // if (sign && i < 0) | |
293 // prefix = "-"; | |
294 // num = abs(i); | |
295 int minint = 0; | |
296 uint64_t num; | |
297 if (sign && i < 0) { | |
298 prefix = "-"; | |
299 | |
300 // Turn our number positive. | |
301 if (i == std::numeric_limits<int64_t>::min()) { | |
302 // The most negative integer needs special treatment. | |
303 minint = 1; | |
304 num = static_cast<uint64_t>(-(i + 1)); | |
305 } else { | |
306 // "Normal" negative numbers are easy. | |
307 num = static_cast<uint64_t>(-i); | |
308 } | |
309 } else { | |
310 num = static_cast<uint64_t>(i); | |
311 } | |
312 | |
313 // If padding with '0' zero, emit the prefix or '-' character now. Otherwise, | |
314 // make the prefix accessible in reverse order, so that we can later output | |
315 // it right between padding and the number. | |
316 // We cannot choose the easier approach of just reversing the number, as that | |
317 // fails in situations where we need to truncate numbers that have padding | |
318 // and/or prefixes. | |
319 const char* reverse_prefix = NULL; | |
320 if (prefix && *prefix) { | |
321 if (pad == '0') { | |
322 while (*prefix) { | |
323 if (padding) { | |
324 --padding; | |
325 } | |
326 Out(*prefix++); | |
327 } | |
328 prefix = NULL; | |
329 } else { | |
330 for (reverse_prefix = prefix; *reverse_prefix; ++reverse_prefix) { | |
331 } | |
332 } | |
333 } else | |
334 prefix = NULL; | |
335 const size_t prefix_length = reverse_prefix - prefix; | |
336 | |
337 // Loop until we have converted the entire number. Output at least one | |
338 // character (i.e. '0'). | |
339 size_t start = count_; | |
340 size_t discarded = 0; | |
341 bool started = false; | |
342 do { | |
343 // Make sure there is still enough space left in our output buffer. | |
344 if (count_ >= size_) { | |
345 if (start < size_) { | |
346 // It is rare that we need to output a partial number. But if asked | |
347 // to do so, we will still make sure we output the correct number of | |
348 // leading digits. | |
349 // Since we are generating the digits in reverse order, we actually | |
350 // have to discard digits in the order that we have already emitted | |
351 // them. This is essentially equivalent to: | |
352 // memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1) | |
353 for (char* move = buffer_ + start, *end = buffer_ + size_ - 1; | |
354 move < end; | |
355 ++move) { | |
356 *move = move[1]; | |
357 } | |
358 ++discarded; | |
359 --count_; | |
360 } else if (count_ - size_ > 1) { | |
361 // Need to increment either |count_| or |discarded| to make progress. | |
362 // The latter is more efficient, as it eventually triggers fast | |
363 // handling of padding. But we have to ensure we don't accidentally | |
364 // change the overall state (i.e. switch the state-machine from | |
365 // discarding to non-discarding). |count_| needs to always stay | |
366 // bigger than |size_|. | |
367 --count_; | |
368 ++discarded; | |
369 } | |
370 } | |
371 | |
372 // Output the next digit and (if necessary) compensate for the most | |
373 // negative integer needing special treatment. This works because, | |
374 // no matter the bit width of the integer, the lowest-most decimal | |
375 // integer always ends in 2, 4, 6, or 8. | |
376 if (!num && started) { | |
377 if (reverse_prefix > prefix) { | |
378 Out(*--reverse_prefix); | |
379 } else { | |
380 Out(pad); | |
381 } | |
382 } else { | |
383 started = true; | |
384 Out((upcase ? kUpCaseHexDigits : kDownCaseHexDigits)[num%base + minint]); | |
385 } | |
386 | |
387 minint = 0; | |
388 num /= base; | |
389 | |
390 // Add padding, if requested. | |
391 if (padding > 0) { | |
392 --padding; | |
393 | |
394 // Performance optimization for when we are asked to output excessive | |
395 // padding, but our output buffer is limited in size. Even if we output | |
396 // a 64bit number in binary, we would never write more than 64 plus | |
397 // prefix non-padding characters. So, once this limit has been passed, | |
398 // any further state change can be computed arithmetically; we know that | |
399 // by this time, our entire final output consists of padding characters | |
400 // that have all already been output. | |
401 if (discarded > 8*sizeof(num) + prefix_length) { | |
402 IncrementCount(padding); | |
403 padding = 0; | |
404 } | |
405 } | |
406 } while (num || padding || (reverse_prefix > prefix)); | |
407 | |
408 // Conversion to ASCII actually resulted in the digits being in reverse | |
409 // order. We can't easily generate them in forward order, as we can't tell | |
410 // the number of characters needed until we are done converting. | |
411 // So, now, we reverse the string (except for the possible '-' sign). | |
412 char* front = buffer_ + start; | |
413 char* back = GetInsertionPoint(); | |
414 while (--back > front) { | |
415 char ch = *back; | |
416 *back = *front; | |
417 *front++ = ch; | |
418 } | |
419 | |
420 IncrementCount(discarded); | |
421 return !discarded; | |
422 } | |
423 | |
424 } // anonymous namespace | |
425 | |
426 ssize_t internal::SafeSNPrintf(char* buf, size_t sz, const char* fmt, | |
willchan no longer on Chromium
2013/08/15 07:36:18
Hah, news to me that this syntax of namespace::fn
Markus (顧孟勤)
2013/08/15 08:20:46
Done.
It hadn't even occurred to me that this was
| |
427 const Arg* args, const size_t max_args) { | |
428 // Make sure that at least one NUL byte can be written, and that the buffer | |
429 // never overflows kSSizeMax. Not only does that use up most or all of the | |
430 // address space, it also would result in a return code that cannot be | |
431 // represented. | |
432 if (static_cast<ssize_t>(sz) < 1) { | |
433 return -1; | |
434 } else if (sz > kSSizeMax) { | |
435 sz = kSSizeMax; | |
436 } | |
437 | |
438 // Iterate over format string and interpret '%' arguments as they are | |
439 // encountered. | |
440 Buffer buffer(buf, sz); | |
441 size_t padding; | |
442 char pad; | |
443 for (unsigned int cur_arg = 0; *fmt && !buffer.OutOfAddressableSpace(); ) { | |
444 if (*fmt++ == '%') { | |
445 padding = 0; | |
446 pad = ' '; | |
447 char ch = *fmt++; | |
448 format_character_found: | |
449 switch (ch) { | |
450 case '0': case '1': case '2': case '3': case '4': | |
451 case '5': case '6': case '7': case '8': case '9': | |
452 // Found a width parameter. Convert to an integer value and store in | |
453 // "padding". If the leading digit is a zero, change the padding | |
454 // character from a space ' ' to a zero '0'. | |
455 pad = ch == '0' ? '0' : ' '; | |
456 for (;;) { | |
457 // The maximum allowed padding fills all the available address | |
458 // space and leaves just enough space to insert the trailing NUL. | |
459 const size_t max_padding = kSSizeMax - 1; | |
460 if (padding > max_padding/10 || | |
461 10*padding > max_padding - (ch - '0')) { | |
462 DEBUG_CHECK(padding <= max_padding/10 && | |
463 10*padding <= max_padding - (ch - '0')); | |
464 // Integer overflow detected. Skip the rest of the width until | |
465 // we find the format character, then do the normal error handling. | |
466 padding_overflow: | |
467 padding = max_padding; | |
468 while ((ch = *fmt++) >= '0' && ch <= '9') { | |
469 } | |
470 if (cur_arg < max_args) { | |
471 ++cur_arg; | |
472 } | |
473 goto fail_to_expand; | |
474 } | |
475 padding = 10*padding + ch - '0'; | |
476 if (padding > max_padding) { | |
477 // This doesn't happen for "sane" values of kSSizeMax. But once | |
478 // kSSizeMax gets smaller than about 10, our earlier range checks | |
479 // are incomplete. Unittests do trigger this artificial corner | |
480 // case. | |
481 DEBUG_CHECK(padding <= max_padding); | |
482 goto padding_overflow; | |
483 } | |
484 ch = *fmt++; | |
485 if (ch < '0' || ch > '9') { | |
486 // Reached the end of the width parameter. This is where the format | |
487 // character is found. | |
488 goto format_character_found; | |
489 } | |
490 } | |
491 break; | |
492 case 'c': { // Output an ASCII character. | |
493 // Check that there are arguments left to be inserted. | |
494 if (cur_arg >= max_args) { | |
495 DEBUG_CHECK(cur_arg < max_args); | |
496 goto fail_to_expand; | |
497 } | |
498 | |
499 // Check that the argument has the expected type. | |
500 const Arg& arg = args[cur_arg++]; | |
501 if (arg.type_ != Arg::INT && | |
502 arg.type_ != Arg::UINT) { | |
503 DEBUG_CHECK(arg.type_ == Arg::INT || | |
504 arg.type_ == Arg::UINT); | |
505 goto fail_to_expand; | |
506 } | |
507 | |
508 // Apply padding, if needed. | |
509 buffer.Pad(' ', padding, 1); | |
510 | |
511 // Convert the argument to an ASCII character and output it. | |
512 char ch = static_cast<char>(arg.i_); | |
513 if (!ch) { | |
514 goto end_of_output_buffer; | |
515 } | |
516 buffer.Out(ch); | |
517 break; } | |
518 case 'd': // Output a possibly signed decimal value. | |
519 case 'o': // Output an unsigned octal value. | |
520 case 'x': // Output an unsigned hexadecimal value. | |
521 case 'X': | |
522 case 'p': { // Output a pointer value. | |
523 // Check that there are arguments left to be inserted. | |
524 if (cur_arg >= max_args) { | |
525 DEBUG_CHECK(cur_arg < max_args); | |
526 goto fail_to_expand; | |
527 } | |
528 | |
529 const Arg& arg = args[cur_arg++]; | |
530 int64_t i; | |
531 const char* prefix = NULL; | |
532 if (ch != 'p') { | |
533 // Check that the argument has the expected type. | |
534 if (arg.type_ != Arg::INT && | |
535 arg.type_ != Arg::UINT) { | |
536 DEBUG_CHECK(arg.type_ == Arg::INT || | |
537 arg.type_ == Arg::UINT); | |
538 goto fail_to_expand; | |
539 } | |
540 i = arg.i_; | |
541 | |
542 if (ch != 'd') { | |
543 // The Arg() constructor automatically performed sign expansion on | |
544 // signed parameters. This is great when outputting a %d decimal | |
545 // number, but can result in unexpected leading 0xFF bytes when | |
546 // outputting a %x hexadecimal number. Mask bits, if necessary. | |
547 // We have to do this here, instead of in the Arg() constructor, as | |
548 // the Arg() constructor cannot tell whether we will output a %d | |
549 // or a %x. Only the latter should experience masking. | |
550 if (arg.width_ < sizeof(int64_t)) { | |
551 i &= (1LL << (8*arg.width_)) - 1; | |
552 } | |
553 } | |
554 } else { | |
555 // Pointer values require an actual pointer or a string. | |
556 if (arg.type_ == Arg::POINTER) { | |
557 i = reinterpret_cast<uintptr_t>(arg.ptr_); | |
558 } else if (arg.type_ == Arg::STRING) { | |
559 i = reinterpret_cast<uintptr_t>(arg.s_); | |
560 } else if (arg.type_ == Arg::INT && arg.width_ == sizeof(void *) && | |
561 arg.i_ == 0) { // Allow C++'s version of NULL | |
562 i = 0; | |
563 } else { | |
564 DEBUG_CHECK(arg.type_ == Arg::POINTER || | |
565 arg.type_ == Arg::STRING); | |
566 goto fail_to_expand; | |
567 } | |
568 | |
569 // Pointers always include the "0x" prefix. | |
570 prefix = "0x"; | |
571 } | |
572 | |
573 // Use IToASCII() to convert to ASCII representation. For decimal | |
574 // numbers, optionally print a sign. For hexadecimal numbers, | |
575 // distinguish between upper and lower case. %p addresses are always | |
576 // printed as upcase. Supports base 8, 10, and 16. Prints padding | |
577 // and/or prefixes, if so requested. | |
578 buffer.IToASCII(ch == 'd' && arg.type_ == Arg::INT, | |
579 ch != 'x', i, | |
580 ch == 'o' ? 8 : ch == 'd' ? 10 : 16, | |
581 pad, padding, prefix); | |
582 break; } | |
583 case 's': { | |
584 // Check that there are arguments left to be inserted. | |
585 if (cur_arg >= max_args) { | |
586 DEBUG_CHECK(cur_arg < max_args); | |
587 goto fail_to_expand; | |
588 } | |
589 | |
590 // Check that the argument has the expected type. | |
591 const Arg& arg = args[cur_arg++]; | |
592 const char *s; | |
593 if (arg.type_ == Arg::STRING) | |
594 s = arg.s_ ? arg.s_ : "<NULL>"; | |
595 else if (arg.type_ == Arg::INT && arg.width_ == sizeof(void *) && | |
596 arg.i_ == 0) { // Allow C++'s version of NULL | |
597 s = "<NULL>"; | |
598 } else { | |
599 DEBUG_CHECK(arg.type_ == Arg::STRING); | |
600 goto fail_to_expand; | |
601 } | |
602 | |
603 // Apply padding, if needed. This requires us to first check the | |
604 // length of the string that we are outputting. | |
605 if (padding) { | |
606 size_t len = 0; | |
607 for (const char* src = s; *src++; ) { | |
608 ++len; | |
609 } | |
610 buffer.Pad(' ', padding, len); | |
611 } | |
612 | |
613 // Printing a string involves nothing more than copying it into the | |
614 // output buffer and making sure we don't output more bytes than | |
615 // available space; Out() takes care of doing that. | |
616 for (const char* src = s; *src; ) { | |
617 buffer.Out(*src++); | |
618 } | |
619 break; } | |
620 case '%': | |
621 // Quoted percent '%' character. | |
622 goto copy_verbatim; | |
623 fail_to_expand: | |
624 // C++ gives us tools to do type checking -- something that snprintf() | |
625 // could never really do. So, whenever we see arguments that don't | |
626 // match up with the format string, we refuse to output them. But | |
627 // since we have to be extremely conservative about being async- | |
628 // signal-safe, we are limited in the type of error handling that we | |
629 // can do in production builds (in debug builds we can use | |
630 // DEBUG_CHECK() and hope for the best). So, all we do is pass the | |
631 // format string unchanged. That should eventually get the user's | |
632 // attention; and in the meantime, it hopefully doesn't lose too much | |
633 // data. | |
634 default: | |
635 // Unknown or unsupported format character. Just copy verbatim to | |
636 // output. | |
637 buffer.Out('%'); | |
638 DEBUG_CHECK(ch); | |
639 if (!ch) { | |
640 goto end_of_format_string; | |
641 } | |
642 buffer.Out(ch); | |
643 break; | |
644 } | |
645 } else { | |
646 copy_verbatim: | |
647 buffer.Out(fmt[-1]); | |
648 } | |
649 } | |
650 end_of_format_string: | |
651 end_of_output_buffer: | |
652 return buffer.GetCount(); | |
653 } | |
654 | |
655 ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt) { | |
656 // Make sure that at least one NUL byte can be written, and that the buffer | |
657 // never overflows kSSizeMax. Not only does that use up most or all of the | |
658 // address space, it also would result in a return code that cannot be | |
659 // represented. | |
660 if (static_cast<ssize_t>(sz) < 1) { | |
661 return -1; | |
662 } else if (sz > kSSizeMax) { | |
663 sz = kSSizeMax; | |
664 } | |
665 | |
666 Buffer buffer(buf, sz); | |
667 | |
668 // In the slow-path, we deal with errors by copying the contents of | |
669 // "fmt" unexpanded. This means, if there are no arguments passed, the | |
670 // SafeSPrintf() function always degenerates to a version of strncpy() that | |
671 // de-duplicates '%' characters. | |
672 const char* src = fmt; | |
673 for (; *src; ++src) { | |
674 buffer.Out(*src); | |
675 DEBUG_CHECK(src[0] != '%' || src[1] == '%'); | |
676 if (src[0] == '%' && src[1] == '%') { | |
677 ++src; | |
678 } | |
679 } | |
680 return buffer.GetCount(); | |
681 } | |
682 | |
683 } // namespace strings | |
684 } // namespace base | |
OLD | NEW |