open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Require a C99-compliant snprintf(), and remove related workarounds.

Browse Source 
Since our substitute snprintf now returns a C99-compliant result,
there's no need anymore to have complicated code to cope with pre-C99
behavior.  We can just make configure substitute snprintf.c if it finds
that the system snprintf() is pre-C99.  (Note: I do not believe that
there are any platforms where this test will trigger that weren't
already being rejected due to our other C99-ish feature requirements for
snprintf.  But let's add the check for paranoia's sake.)  Then, simplify
the call sites that had logic to cope with the pre-C99 definition.

I also dropped some stuff that was being paranoid about the possibility
of snprintf overrunning the given buffer.  The only reports we've ever
heard of that being a problem were for Solaris 7, which is long dead,
and we've sure not heard any reports of these assertions triggering in
a long time.  So let's drop that complexity too.

Likewise, drop some code that wasn't trusting snprintf to set errno
when it returns -1.  That would be not-per-spec, and again there's
no real reason to believe it is a live issue, especially not for
snprintfs that pass all of configure's feature checks.

Discussion: https://postgr.es/m/17245.1534289329@sss.pgh.pa.us
pull/34/head
Tom Lane 7 years ago
parent 1eb9221585
commit e1d19c902e
6 changed files with 125 additions and 123 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 27
      config/c-library.m4
  2. 46
      configure
  3. 11
      configure.in
  4. 23
      src/backend/utils/misc/guc.c
  5. 73
      src/common/psprintf.c
  6. 68
      src/interfaces/libpq/pqexpbuffer.c

27
config/c-library.m4
Unescape View File

@ -238,6 +238,33 @@ int main()
AC_MSG_RESULT([$pgac_cv_snprintf_size_t_support]) AC_MSG_RESULT([$pgac_cv_snprintf_size_t_support])
])# PGAC_FUNC_SNPRINTF_SIZE_T_SUPPORT ])# PGAC_FUNC_SNPRINTF_SIZE_T_SUPPORT
# PGAC_FUNC_SNPRINTF_C99_RESULT
# -----------------------------
# Determine whether snprintf returns the desired buffer length when
# it overruns the actual buffer length. That's required by C99 and POSIX
# but ancient platforms don't behave that way, so we must test.
#
AC_DEFUN([PGAC_FUNC_SNPRINTF_C99_RESULT],
[AC_MSG_CHECKING([whether snprintf reports buffer overrun per C99])
AC_CACHE_VAL(pgac_cv_snprintf_c99_result,
[AC_RUN_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>
#include <string.h>
int main()
{
char buf[10];
if (snprintf(buf, sizeof(buf), "12345678901234567890") != 20)
return 1;
return 0;
}]])],
[pgac_cv_snprintf_c99_result=yes],
[pgac_cv_snprintf_c99_result=no],
[pgac_cv_snprintf_c99_result=cross])
])dnl AC_CACHE_VAL
AC_MSG_RESULT([$pgac_cv_snprintf_c99_result])
])# PGAC_FUNC_SNPRINTF_C99_RESULT
# PGAC_TYPE_LOCALE_T # PGAC_TYPE_LOCALE_T
# ------------------ # ------------------

46
configure vendored
Unescape View File

@ -16142,7 +16142,7 @@ fi
# Run tests below here # Run tests below here
# -------------------- # --------------------
# Force use of our snprintf if system's doesn't do arg control # For NLS, force use of our snprintf if system's doesn't do arg control.
# See comment above at snprintf test for details. # See comment above at snprintf test for details.
if test "$enable_nls" = yes -a "$pgac_need_repl_snprintf" = no; then if test "$enable_nls" = yes -a "$pgac_need_repl_snprintf" = no; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether snprintf supports argument control" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether snprintf supports argument control" >&5
@ -16436,6 +16436,50 @@ $as_echo "$pgac_cv_snprintf_size_t_support" >&6; }
fi fi
fi fi
# Force use of our snprintf if the system's doesn't handle buffer overrun
# as specified by C99.
if test "$pgac_need_repl_snprintf" = no; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether snprintf reports buffer overrun per C99" >&5
$as_echo_n "checking whether snprintf reports buffer overrun per C99... " >&6; }
if ${pgac_cv_snprintf_c99_result+:} false; then :
$as_echo_n "(cached) " >&6
else
if test "$cross_compiling" = yes; then :
pgac_cv_snprintf_c99_result=cross
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <stdio.h>
#include <string.h>
int main()
{
char buf[10];
if (snprintf(buf, sizeof(buf), "12345678901234567890") != 20)
return 1;
return 0;
}
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
pgac_cv_snprintf_c99_result=yes
else
pgac_cv_snprintf_c99_result=no
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $pgac_cv_snprintf_c99_result" >&5
$as_echo "$pgac_cv_snprintf_c99_result" >&6; }
if test "$pgac_cv_snprintf_c99_result" != yes; then
pgac_need_repl_snprintf=yes
fi
fi
# Now we have checked all the reasons to replace snprintf # Now we have checked all the reasons to replace snprintf
if test $pgac_need_repl_snprintf = yes; then if test $pgac_need_repl_snprintf = yes; then

11
configure.in
Unescape View File

@ -1806,7 +1806,7 @@ for the exact reason.]])],
# Run tests below here # Run tests below here
# -------------------- # --------------------
# Force use of our snprintf if system's doesn't do arg control # For NLS, force use of our snprintf if system's doesn't do arg control.
# See comment above at snprintf test for details. # See comment above at snprintf test for details.
if test "$enable_nls" = yes -a "$pgac_need_repl_snprintf" = no; then if test "$enable_nls" = yes -a "$pgac_need_repl_snprintf" = no; then
PGAC_FUNC_SNPRINTF_ARG_CONTROL PGAC_FUNC_SNPRINTF_ARG_CONTROL
@ -1858,6 +1858,15 @@ if test "$pgac_need_repl_snprintf" = no; then
fi fi
fi fi
# Force use of our snprintf if the system's doesn't handle buffer overrun
# as specified by C99.
if test "$pgac_need_repl_snprintf" = no; then
PGAC_FUNC_SNPRINTF_C99_RESULT
if test "$pgac_cv_snprintf_c99_result" != yes; then
pgac_need_repl_snprintf=yes
fi
fi
# Now we have checked all the reasons to replace snprintf # Now we have checked all the reasons to replace snprintf
if test $pgac_need_repl_snprintf = yes; then if test $pgac_need_repl_snprintf = yes; then
AC_DEFINE(USE_REPL_SNPRINTF, 1, [Use replacement snprintf() functions.]) AC_DEFINE(USE_REPL_SNPRINTF, 1, [Use replacement snprintf() functions.])

23
src/backend/utils/misc/guc.c
Unescape View File

@ -9441,26 +9441,19 @@ do_serialize(char **destptr, Size *maxbytes, const char *fmt,...)
if (*maxbytes <= 0) if (*maxbytes <= 0)
elog(ERROR, "not enough space to serialize GUC state"); elog(ERROR, "not enough space to serialize GUC state");
errno = 0;
va_start(vargs, fmt); va_start(vargs, fmt);
n = vsnprintf(*destptr, *maxbytes, fmt, vargs); n = vsnprintf(*destptr, *maxbytes, fmt, vargs);
va_end(vargs); va_end(vargs);
/* if (n < 0)
* Cater to portability hazards in the vsnprintf() return value just like
* appendPQExpBufferVA() does. Note that this requires an extra byte of
* slack at the end of the buffer. Since serialize_variable() ends with a
* do_serialize_binary() rather than a do_serialize(), we'll always have
* that slack; estimate_variable_size() need not add a byte for it.
*/
if (n < 0 || n >= *maxbytes - 1)
{ {
if (n < 0 && errno != 0 && errno != ENOMEM) /* Shouldn't happen. Better show errno description. */
/* Shouldn't happen. Better show errno description. */ elog(ERROR, "vsnprintf failed: %m");
elog(ERROR, "vsnprintf failed: %m"); }
else if (n >= *maxbytes)
elog(ERROR, "not enough space to serialize GUC state"); {
/* This shouldn't happen either, really. */
elog(ERROR, "not enough space to serialize GUC state");
} }
/* Shift the destptr ahead of the null terminator */ /* Shift the destptr ahead of the null terminator */

73
src/common/psprintf.c
Unescape View File

@ -77,7 +77,7 @@ psprintf(const char *fmt,...)
* pvsnprintf * pvsnprintf
* *
* Attempt to format text data under the control of fmt (an sprintf-style * Attempt to format text data under the control of fmt (an sprintf-style
* format string) and insert it into buf (which has length len, len > 0). * format string) and insert it into buf (which has length len).
* *
* If successful, return the number of bytes emitted, not counting the * If successful, return the number of bytes emitted, not counting the
* trailing zero byte. This will always be strictly less than len. * trailing zero byte. This will always be strictly less than len.
@ -89,14 +89,11 @@ psprintf(const char *fmt,...)
* Other error cases do not return, but exit via elog(ERROR) or exit(). * Other error cases do not return, but exit via elog(ERROR) or exit().
* Hence, this shouldn't be used inside libpq. * Hence, this shouldn't be used inside libpq.
* *
* This function exists mainly to centralize our workarounds for
* non-C99-compliant vsnprintf implementations. Generally, any call that
* pays any attention to the return value should go through here rather
* than calling snprintf or vsnprintf directly.
*
* Note that the semantics of the return value are not exactly C99's. * Note that the semantics of the return value are not exactly C99's.
* First, we don't promise that the estimated buffer size is exactly right; * First, we don't promise that the estimated buffer size is exactly right;
* callers must be prepared to loop multiple times to get the right size. * callers must be prepared to loop multiple times to get the right size.
* (Given a C99-compliant vsnprintf, that won't happen, but it is rumored
* that some implementations don't always return the same value ...)
* Second, we return the recommended buffer size, not one less than that; * Second, we return the recommended buffer size, not one less than that;
* this lets overflow concerns be handled here rather than in the callers. * this lets overflow concerns be handled here rather than in the callers.
*/ */
@ -105,28 +102,10 @@ pvsnprintf(char *buf, size_t len, const char *fmt, va_list args)
{ {
int nprinted; int nprinted;
Assert(len > 0);
errno = 0;
/*
* Assert check here is to catch buggy vsnprintf that overruns the
* specified buffer length. Solaris 7 in 64-bit mode is an example of a
* platform with such a bug.
*/
#ifdef USE_ASSERT_CHECKING
buf[len - 1] = '\0';
#endif
nprinted = vsnprintf(buf, len, fmt, args); nprinted = vsnprintf(buf, len, fmt, args);
Assert(buf[len - 1] == '\0'); /* We assume failure means the fmt is bogus, hence hard failure is OK */
if (unlikely(nprinted < 0))
/*
* If vsnprintf reports an error other than ENOMEM, fail. The possible
* causes of this are not user-facing errors, so elog should be enough.
*/
if (nprinted < 0 && errno != 0 && errno != ENOMEM)
{ {
#ifndef FRONTEND #ifndef FRONTEND
elog(ERROR, "vsnprintf failed: %m"); elog(ERROR, "vsnprintf failed: %m");
@ -136,42 +115,21 @@ pvsnprintf(char *buf, size_t len, const char *fmt, va_list args)
#endif #endif
} }
/* if ((size_t) nprinted < len)
* Note: some versions of vsnprintf return the number of chars actually
* stored, not the total space needed as C99 specifies. And at least one
* returns -1 on failure. Be conservative about believing whether the
* print worked.
*/
if (nprinted >= 0 && (size_t) nprinted < len - 1)
{ {
/* Success. Note nprinted does not include trailing null. */ /* Success. Note nprinted does not include trailing null. */
return (size_t) nprinted; return (size_t) nprinted;
} }
if (nprinted >= 0 && (size_t) nprinted > len)
{
/*
* This appears to be a C99-compliant vsnprintf, so believe its
* estimate of the required space. (If it's wrong, the logic will
* still work, but we may loop multiple times.) Note that the space
* needed should be only nprinted+1 bytes, but we'd better allocate
* one more than that so that the test above will succeed next time.
*
* In the corner case where the required space just barely overflows,
* fall through so that we'll error out below (possibly after
* looping).
*/
if ((size_t) nprinted <= MaxAllocSize - 2)
return nprinted + 2;
}
/* /*
* Buffer overrun, and we don't know how much space is needed. Estimate * We assume a C99-compliant vsnprintf, so believe its estimate of the
* twice the previous buffer size, but not more than MaxAllocSize; if we * required space, and add one for the trailing null. (If it's wrong, the
* are already at MaxAllocSize, choke. Note we use this palloc-oriented * logic will still work, but we may loop multiple times.)
* overflow limit even when in frontend. *
* Choke if the required space would exceed MaxAllocSize. Note we use
* this palloc-oriented overflow limit even when in frontend.
*/ */
if (len >= MaxAllocSize) if (unlikely((size_t) nprinted > MaxAllocSize - 1))
{ {
#ifndef FRONTEND #ifndef FRONTEND
ereport(ERROR, ereport(ERROR,
@ -183,8 +141,5 @@ pvsnprintf(char *buf, size_t len, const char *fmt, va_list args)
#endif #endif
} }
if (len >= MaxAllocSize / 2) return nprinted + 1;
return MaxAllocSize;
return len * 2;
} }

68
src/interfaces/libpq/pqexpbuffer.c
Unescape View File

@ -295,76 +295,50 @@ appendPQExpBufferVA(PQExpBuffer str, const char *fmt, va_list args)
*/ */
if (str->maxlen > str->len + 16) if (str->maxlen > str->len + 16)
{ {
/* avail = str->maxlen - str->len;
* Note: we intentionally leave one byte unused, as a guard against
* old broken versions of vsnprintf.
*/
avail = str->maxlen - str->len - 1;
errno = 0;
nprinted = vsnprintf(str->data + str->len, avail, fmt, args); nprinted = vsnprintf(str->data + str->len, avail, fmt, args);
/* /*
* If vsnprintf reports an error other than ENOMEM, fail. * If vsnprintf reports an error, fail (we assume this means there's
* something wrong with the format string).
*/ */
if (nprinted < 0 && errno != 0 && errno != ENOMEM) if (unlikely(nprinted < 0))
{ {
markPQExpBufferBroken(str); markPQExpBufferBroken(str);
return true; return true;
} }
/* if ((size_t) nprinted < avail)
* Note: some versions of vsnprintf return the number of chars
* actually stored, not the total space needed as C99 specifies. And
* at least one returns -1 on failure. Be conservative about
* believing whether the print worked.
*/
if (nprinted >= 0 && (size_t) nprinted < avail - 1)
{ {
/* Success. Note nprinted does not include trailing null. */ /* Success. Note nprinted does not include trailing null. */
str->len += nprinted; str->len += nprinted;
return true; return true;
} }
if (nprinted >= 0 && (size_t) nprinted > avail) /*
{ * We assume a C99-compliant vsnprintf, so believe its estimate of the
/* * required space, and add one for the trailing null. (If it's wrong,
* This appears to be a C99-compliant vsnprintf, so believe its * the logic will still work, but we may loop multiple times.)
* estimate of the required space. (If it's wrong, the logic will *
* still work, but we may loop multiple times.) Note that the * Choke if the required space would exceed INT_MAX, since str->maxlen
* space needed should be only nprinted+1 bytes, but we'd better * can't represent more than that.
* allocate one more than that so that the test above will succeed */
* next time. if (unlikely(nprinted > INT_MAX - 1))
*
* In the corner case where the required space just barely
* overflows, fail.
*/
if (nprinted > INT_MAX - 2)
{
markPQExpBufferBroken(str);
return true;
}
needed = nprinted + 2;
}
else
{ {
/* markPQExpBufferBroken(str);
* Buffer overrun, and we don't know how much space is needed. return true;
* Estimate twice the previous buffer size, but not more than
* INT_MAX.
*/
if (avail >= INT_MAX / 2)
needed = INT_MAX;
else
needed = avail * 2;
} }
needed = nprinted + 1;
} }
else else
{ {
/* /*
* We have to guess at how much to enlarge, since we're skipping the * We have to guess at how much to enlarge, since we're skipping the
* formatting work. * formatting work. Fortunately, because of enlargePQExpBuffer's
* preference for power-of-2 sizes, this number isn't very sensitive;
* the net effect is that we'll double the buffer size before trying
* to run vsnprintf, which seems sensible.
*/ */
needed = 32; needed = 32;
} }

Write Preview
Loading…
Cancel
Save