how to help programmer write safe and correct printf calls in C?
[Updated organization and content for clarity]
The Real Question
What would be a good way, for C, to help a programmer, while s/he's typing, write safe and correct calls to project-specific printf-like debugging functions?
C macros? C wrapper functions? Code editor macros or templates? Other?
Background Questions and Answers
Much software uses printf or printf-like functions for debugging, either ad-hoc when there's a problem, or for debug logs. And yet it's error-prone.
Q1: How do we know?
A1: Static analyzers have categories for printf-mismatch errors -- it's a common class of errors -- and I often see those tools call out those warnings on C code.Q2: What are the sub-classes of this error?
A2: Mainly, wrong format specifier, and wrong number of format specifiers. Often the real error is the converse: wrong variable type, or wrong number of variables for print-out.Q3: Why do we care?
A3: At best, causes wrong logging information and impedes debugging. At worst, crashes the software.Q4: Has anyone tried to do anything about this problem?
A4: Sure, though I haven't seen any for C (as opposed to C++ or other), for example:http://www.ddj.com/cpp/184401999?pgno=1 http://mi.eng.cam.ac.uk/~er258/cvd/tag/html/group__printf.html
What's missing for me in these offerings and others, besides the fact that right now I'm looking at a product written in C and need to solve the problem for C, is that they are after-the-fact solutions. They can avoid crashes, and can provide warning explanations of what went wrong, and that something went wrong, but they certainly can't guess what the programmer's intention was (see esp. Q&A #2 above).
Q5: Why is using printf so error-prone?
A5: Because writing a printf call requires the programmer to mix types and numbers of variables, format specifiers, free text string constants, an开发者_运维问答d punctuation -- all of which look very similar to each other -- on one line together.gcc provides -Wformat
to warn about printf/scanf/strftime/strfmon format errors.
$ gcc -Wformat -c -o test.o test.c
test.c: In function ‘main’:
test.c:5: warning: format ‘%s’ expects type ‘char *’,
but argument 2 has type ‘int’
$ cat test.c
#include <stdio.h>
int main(int argc, const char *argv[])
{
printf("%s\n", 0);
return 0;
}
In GCC, there's a built in way to prevent use of functions:
#pragma GCC poison printf
It's better than "-Wall" because it's an error, not an warning. I've no idea how printf would be replaced - maybe by lots of specialized functions.
See GCC pragmas
Use a compiler which can check types and format of a printf()
. Most modern compilers should be able to do it. For GCC, -Wall
is your friend (or -Wformat
if you want just the format checks). See the warning options for details.
Other than that, your only option is to add a #define printf ILLEGAL_DO_NOT_USE
to a common header file of your projects and supply a different function that does the same job in a safe way. Good luck with that approach ;)
[EDIT] Your issue is that C can't attach type information to something passed as a parameter by itself. So what you could do is something along these lines:
safe_printf_like_function("%d %s %c\n", INT_TYPE(value), STRING_TYPE(s), CHAR_TYPE(c));
The macros must contain casts to the type (so the compiler can notice that the type is wrong as you pass it in) plus it must expand to something that carries the type information.
Drawback: Any C programmer is going to scream out in anguish if you present them such an API. C just isn't meant to be this way. C is unsafe. Period. It's meant to be unsafe. By design, habit and tradition. If you want a safety net, C is not for you.
That said, you can achieve a certain level of safety in C but at a cost: You must forbid the use of varargs anywhere in the code. Pointers and arrays must be wrapped in code that checks sizes, etc. So yeah, it's possible but it's not C anymore.
Face it, C is from 1972. It's ancient and it shows. For almost 35 years, no one managed to find a clever way to make C safe (see C++ for an attempt and the amount of success you can expect).
The best luck I had was to use tools like lint
or splint
and pitch an absolute fit when stuff was not passing 100%. Combined with some sort of code inspection (to handle cases where the warnings are being rightfully suppressed), this was enough to get the job done, though it was definitely not an ideal solution.
It's not an easy problem to solve. If you are going to be writing specific patterns (like, say, "%s: %d"
, you can use a macro or (preferably) a wrapper function. It will not be possible to duplicate the functionality of printf()
without duplicating the complexity.
Code editors will find it difficult to check, since determining value types (which is necessary to avoid mismatches) requires parsing the C program. It's possible for the C compiler itself to warn, but not many do (I'd like it if they did).
C++ avoids the problem with iostreams, which take advantage of operator overloading, but that's not an option in C.
One rule I can give is not to print out a string variable like printf(string);
. Always use printf(%s, string);
instead, since that avoids hard-to-find bugs if there's a percent sign in the string.
精彩评论