Added a new SafeSPrintf() function that implements snprintf() in an async-safe-fashion

base/strings/safe_string_printf.h

Index: base/strings/safe_string_printf.h
diff --git a/base/strings/safe_string_printf.h b/base/strings/safe_string_printf.h
new file mode 100644
index 0000000000000000000000000000000000000000..b23bc6fb76742f8514478ee6ec65f65e5e4ed43b
--- /dev/null
+++ b/base/strings/safe_string_printf.h
@@ -0,0 +1,434 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Author: markus@chromium.org

[willchan no longer on Chromium, 2013/08/15 07:36:18]

Is this a google3 holdover? We don't really do this in Chromium code.

[Markus (顧孟勤), 2013/08/15 08:20:46]

Done.

I had originally intended to only implement a relatively small subset of
sprintf() and encourage users to contact me, if they needed more features. This
was an attempt to reduce code complexity for potentially security-sensitive
code.

But after I tried switching some existing code over to using these new
SafeSPrintf() functions, I discovered that a much larger set of format
characters needs to be supported from day one. So, now, there really isn't a
good reason to ask users to directly contact me. I just implemented most of the
common features.

Thanks for catching this.

+
+#ifndef BASE_STRINGS_SAFE_STRING_PRINTF_H_
+#define BASE_STRINGS_SAFE_STRING_PRINTF_H_
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#if defined(__unix__)
+// For ssize_t
+#include <unistd.h>
+#endif
+
+#include "base/base_export.h"
+#include "base/basictypes.h"
+
+namespace base {
+namespace strings {
+
+#if defined(_MSC_VER)
+// Define ssize_t inside of our namespace.
+#if defined(_WIN64)
+typedef __int64 ssize_t;
+#else
+typedef long ssize_t;
+#endif
+#endif
+
+// SafeSPrintf() is a type-safe and async-signal-safe version of snprintf().
+//
+// SafeSNPrintf() is an alternative function signature that can be used when
+// not dealing with fixed-sized buffers. When possible, SafeSPrintf() should
+// always be used instead of SafeSNPrintf()
+//
+// These functions allow for formatting complicated messages from contexts that
+// require strict async-signal-safety. In fact, it is safe to call them from
+// any low-level execution context; even from contexts that have stricter
+// requirements than just async-signal-safety.

[willchan no longer on Chromium, 2013/08/15 07:36:18]

Is there a reason you don't say what you did in email: "It is guaranteed to not
make any library or system calls whatsoever."? I'm not sure this last clause of
"stricter requirements than just async-signal-safety" is useful, since without
specifying what requirements it satisfies, I don't think you can know to use
this code.

[Markus (顧孟勤), 2013/08/15 08:20:46]

Done.

Does this sound better now?

+//
+// The code currently only supports a subset of format characters:
+//   %c, %o, %d, %x, %X, %p, and %s.
+//
+// SafeSPrintf() aims to be as liberal as reasonably possible. Integer-like
+// values of arbitrary width can be passed to all of the format characters
+// that expect integers. Thus, it is explicitly legal to pass an "int" to
+// "%c", and output will automatically look at the LSB only. It is also
+// explicitly legal to pass either signed or unsigned values, and the format
+// characters will automatically interpret the arguments accordingly.
+//
+// It is still not legal to mix-and-match integer-like values with pointer
+// values. For instance, you cannot pass a pointer to %x, nor can you pass an
+// integer to %p.
+//
+// The one exception is "0" zero being accepted by "%p". This works-around
+// the problem of C++ defining NULL as an integer-like value.
+//
+// All format characters take an optional width parameter. This must be a
+// positive integer. For %d, %o, %x, %X and %p, if the width starts with
+// a leading '0', padding is done with '0' instead of ' ' characters.
+//
+// There are a few features of snprintf()-style format strings, that
+// SafeSPrintf() does not support at this time.
+//
+// If an actual user showed up, there is no particularly strong reason they
+// couldn't be added. But that assumes that the trade-offs between complexity
+// and utility are favorable.
+//
+// For example, adding support for negative padding widths, and for %n are all
+// likely to be viewed positively. They are all clearly useful, low-risk, easy
+// to test, don't jeopardize the async-signal-safety of the code, and overall
+// have little impact on other parts of SafeSPrintf() function.
+//
+// On the other hands, adding support for alternate forms, positional
+// arguments, grouping, wide characters, localization or floating point numbers
+// are all unlikely to ever be added.
+//
+// SafeSPrintf() and SafeSNPrintf() mimic the behavior of snprintf() and they
+// return the number of bytes needed to store the untruncated output. This
+// does *not* include the terminating NUL byte.
+//
+// They return -1, iff a fatal error happened. This typically can only happen,
+// if the buffer size is a) negative, or b) zero (i.e. not even the NUL byte
+// can be written). The return value can never be larger than SSIZE_MAX-1.
+// This ensures that the caller can always add one to the signed return code
+// in order to determine the amount of storage that needs to be allocated.
+//
+// While the code supports type checking and while it is generally very careful
+// to avoid printing incorrect values, it tends to be conservative in printing
+// as much as possible, even when given incorrect parameters. Typically, in
+// case of an error, the format string will not be expanded. (i.e. something
+// like SafeSPrintf(buf, "%p %d", 1, 2) results in "%p 2").
+//
+// The pre-C++11 version cannot handle more than ten arguments.
+//
+// Basic example:
+//   char buf[20];
+//   base::strings::SafeSPrintf(buf, "The answer: %2d", 42);
+//
+// Example with dynamically sized buffer (async-signal-safe). This code won't
+// work on Visual studio, as it requires dynamically allocating arrays on the
+// stack. Consider picking a smaller value for |kMaxSize| if stack size is
+// limited and known. On the other hand, if the parameters to SafeSNPrintf()
+// are trusted and not controllable by the user, you can consider eliminating
+// the check for |kMaxSize| altogether. The current value of SSIZE_MAX is
+// essentially a no-op that just illustrates how to implement an upper bound:
+//   const size_t kInitialSize = 128;
+//   const size_t kMaxSize = std::numeric_limits<ssize_t>::max();
+//   size_t sz = kInitialSize;
+//   for (;;) {
+//     char buf[sz];
+//     sz = SafeSNPrintf(buf, sz, "Error message \"%s\"\n", err) + 1;
+//     if (sizeof(buf) < kMaxSize && sz > kMaxSize) {
+//       sz = kMaxSize;
+//       continue;
+//     } else if (sz > sizeof(buf))
+//       continue;
+//     write(2, buf, sz-1);
+//     break;
+//   }
+
+namespace internal {
+  // Helpers that use C++ overloading, templates, and specializations to deduce

[willchan no longer on Chromium, 2013/08/15 07:36:18]

Google C++ style does not indent code within namespaces.

[Markus (顧孟勤), 2013/08/15 08:20:46]

Done.

+  // and record type information from function arguments. This allows us to
+  // later write a type-safe version of snprintf().
+
+  struct Arg {
+    enum Type { INT, UINT, STRING, POINTER };
+
+    // Any integer-like value.
+    Arg(signed char c)        : i_(c), width_(sizeof(char)),  type_(INT)  { }
+    Arg(unsigned char c)      : i_(c), width_(sizeof(char)),  type_(UINT) { }
+    Arg(signed short i)       : i_(i), width_(sizeof(short)), type_(INT)  { }
+    Arg(unsigned short i)     : i_(i), width_(sizeof(short)), type_(UINT) { }
+    Arg(signed int i)         : i_(i), width_(sizeof(int)),   type_(INT)  { }
+    Arg(unsigned int i)       : i_(i), width_(sizeof(int)),   type_(UINT) { }
+    Arg(signed long i)        : i_(i), width_(sizeof(long)),  type_(INT)  { }
+    Arg(unsigned long i)      : i_(i), width_(sizeof(long)),  type_(UINT) { }
+    Arg(signed long long i)   : i_(i), width_(sizeof(long long)),
+                                                              type_(INT)  { }
+    Arg(unsigned long long i) : i_(i), width_(sizeof(long long)),
+                                                              type_(UINT) { }
+
+    // A C-style text string.
+    Arg(const char* s) : s_(s), type_(STRING) { }
+    Arg(char* s)       : s_(s), type_(STRING) { }
+
+    // Any pointer value that can be cast to a "void*".
+    template<class T> Arg(T* ptr) : ptr_((void*)ptr), type_(POINTER) { }
+
+    union {
+      // An integer-like value.
+      struct {
+        int64_t       i_;

[willchan no longer on Chromium, 2013/08/15 07:36:18]

No trailing underscores. Please see
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml?showone=Variab...
which says "Data members in structs should be named like regular variables
without the trailing underscores that data members in classes have."

[Markus (顧孟勤), 2013/08/15 08:20:46]

Done.

+        unsigned char width_;
+      };
+
+      // A C-style text string.
+      const char* s_;
+
+      // A pointer to an arbitrary object.
+      const void* ptr_;
+    };
+    const enum Type type_;
+  };
+
+  // This is the internal function that performs the actual formatting of
+  // an snprintf()-style format string.
+  BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt,
+                              const Arg* args, size_t max_args);
+
+#if !defined(NDEBUG)
+  // In debug builds, allow unit tests to artificially lower the kSSizeMax
+  // constant that is used as a hard upper-bound for all buffers. In normal
+  // use, this constant should always be std::numeric_limits<ssize_t>::max().
+  BASE_EXPORT void SetSafeSPrintfSSizeMax(size_t max);
+  BASE_EXPORT size_t GetSafeSPrintfSSizeMax();
+#endif
+
+}  // namespace internal
+
+#if __cplusplus >= 201103  // C++11
+
+template<typename... Args>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, Args... args) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { args... };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, typename... Args>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, Args... args) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { args... };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+#else  // Pre-C++11
+
+// TODO(markus): C++11 has a much more concise and readable solution for
+//   expressing what we are doing here. Delete the fall-back code for older
+//   compilers as soon as we have fully switched to C++11.
+
+template<class T0, class T1, class T2, class T3, class T4,
+         class T5, class T6, class T7, class T8, class T9>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                     T5 arg5, T6 arg6, T7 arg7, T8 arg8, T9 arg9) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4,
+         class T5, class T6, class T7, class T8, class T9>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                    T5 arg5, T6 arg6, T7 arg7, T8 arg8, T9 arg9) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4,
+         class T5, class T6, class T7, class T8>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                     T5 arg5, T6 arg6, T7 arg7, T8 arg8) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6, class T7, class T8>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                    T5 arg5, T6 arg6, T7 arg7, T8 arg8) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6, class T7>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                     T5 arg5, T6 arg6, T7 arg7) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6, class T7>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                    T5 arg5, T6 arg6, T7 arg7) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6, arg7
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
+                     T5 arg5, T6 arg6) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4, class T5,
+         class T6>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5,
+                    T6 arg6) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = {
+    arg0, arg1, arg2, arg3, arg4, arg5, arg6
+  };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4, class T5>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4, arg5 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N,
+         class T0, class T1, class T2, class T3, class T4, class T5>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4, arg5 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3, class T4>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0, class T1, class T2, class T3, class T4>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1,
+                    T2 arg2, T3 arg3, T4 arg4) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3, arg4 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2, class T3>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2, T3 arg3) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0, class T1, class T2, class T3>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt,
+                    T0 arg0, T1 arg1, T2 arg2, T3 arg3) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2, arg3 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1, class T2>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt,
+                     T0 arg0, T1 arg1, T2 arg2) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0, class T1, class T2>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1,
+                    T2 arg2) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1, arg2 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0, class T1>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, T0 arg0, T1 arg1) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0, class T1>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, T0 arg0, T1 arg1) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0, arg1 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<class T0>
+ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, T0 arg0) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+
+template<size_t N, class T0>
+ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, T0 arg0) {
+  // Use Arg() object to record type information and then copy arguments to an
+  // array to make it easier to iterate over them.
+  const internal::Arg arg_array[] = { arg0 };
+  return internal::SafeSNPrintf(buf, N, fmt, arg_array, arraysize(arg_array));
+}
+#endif
+
+// Fast-path when we don't actually need to substitute any arguments.
+BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt);
+template<size_t N>
+inline ssize_t SafeSPrintf(char (&buf)[N], const char* fmt) {
+  return SafeSNPrintf(buf, N, fmt);
+}
+
+}  // namespace strings
+}  // namespace base
+
+#endif  // BASE_STRINGS_SAFE_STRING_PRINTF_H_