views: 164
answers: 3
Bearing in mind the answers given to a question about a safer formatting library for C, I'm wondering whether there is a safe C formatting library?

What I mean is:

  • there's no possibility to mismatch the format string from the arguments
  • there's no possibility to crash by passing the wrong type
  • there are no platform-dependent aspects

Please don't answer about the Microsoft Safe String Library, or libraries that are less unsafe but still not totally safe, as I'm aware of these, and they don't satisfy the requirements for total safety.

Thanks in advance

+6  A: 

You're writing in C. C is not type-safe. You cannot avoid undefined behaviour if you pass an int* instead of a char*. There's no such thing as "there's no possibility" if your variables are not statically type checked / tagged for runtime checking.

If you have something that produces warnings, that's quite good already...

If you really need or want safety, you may want to have a look at cyclone (C dialect), or some completely different languages.

viraptor
+1 for x-ref to Cyclone. Interesting.
Jonathan Leffler
+1: I love Cyclone!
Anthony Cuozzo
+4  A: 

there's no possibility to mismatch the format string from the arguments

If you want a format string, without special compiler support you basically can't do it. That said, you could have a safe formatting library in C if you forgo the format string. I'm not aware of any, but I would not be surprised if they existed.

One could have an interface like:

typedef ... FORMATTER;

FORMATTER create_formatter();
int fmt_add_string_default(FORMATTER f, const char *s);
int fmt_add_string(FORMATTER f, const char *s, int maxlength, const char fill, enum fmt_alignment align);
...
int fmt_add_decimal_default(FORMATTER f, int d);
... // you get the idea
int fmt_write_result(FORMATTER f, char *out, int out_length);
void destroy_formatter(FORMATTER f);

Something like this would be perfectly safe, if a bit verbose.

Logan Capaldo
It still doesn't meet his impossible requirements, though. e.g., if the string in fmt_add_string_default is a bad pointer, the app will almost certainly still crash.
Jason Coco
Well a bad pointer isn't (necessarily) the same thing as passing the wrong type. An interface like the one I've described will prevent the "oops, put the int where I meant to put the char*" which the printf family doesn't. I assume that's what he meant by "there's no possibility to crash by passing the wrong type". You can of course always suborn these things through casts, what have you, but then the answer becomes useless ("Go use a different language."). I chose to interpret it as "What's the safest you can get without changing the programming language."
Logan Capaldo
Yeah, I understand that, but the answer is go use another language. His requirements preclude using C.
Jason Coco
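A runnable version of the builder-style interface sketched in the answer above, added here as an example; it is not code from the answer or from any existing library. The function names follow the answer's sketch, but the struct layout, the growable buffer, the sticky error flag, the NULL check, and the truncate-rather-than-overflow behaviour of fmt_add_string and fmt_write_result are all assumptions of this example. The point it shows is the one the answer and the comment thread make: the argument type is fixed by each function's signature, the only format string lives inside the library, the output is always bounded and NUL-terminated, and a NULL pointer still has to be refused explicitly because nothing in C will do that for you.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code, not from the answer: a typed, format-string-free formatter. */
enum fmt_alignment { FMT_LEFT, FMT_RIGHT };

typedef struct formatter {
    char *buf;    /* growing output buffer (NUL added only in fmt_write_result) */
    size_t len;   /* bytes used */
    size_t cap;   /* bytes allocated */
    int error;    /* sticky: set on allocation failure or NULL/invalid input */
} *FORMATTER;

FORMATTER create_formatter(void) {
    FORMATTER f = calloc(1, sizeof *f);
    if (f == NULL) return NULL;
    f->cap = 64;
    f->buf = malloc(f->cap);
    if (f->buf == NULL) { free(f); return NULL; }
    return f;
}

/* Append n bytes, growing as needed. Returns 0 on success, -1 on (sticky) failure. */
static int fmt_append(FORMATTER f, const char *p, size_t n) {
    if (f->error) return -1;
    if (f->len + n > f->cap) {
        size_t ncap = f->cap;
        while (ncap < f->len + n) ncap *= 2;
        char *nb = realloc(f->buf, ncap);
        if (nb == NULL) { f->error = 1; return -1; }
        f->buf = nb;
        f->cap = ncap;
    }
    memcpy(f->buf + f->len, p, n);
    f->len += n;
    return 0;
}

int fmt_add_string_default(FORMATTER f, const char *s) {
    if (s == NULL) { f->error = 1; return -1; }  /* refuse NULL rather than dereference it */
    return fmt_append(f, s, strlen(s));
}

/* Pad or truncate s to exactly maxlength characters; `fill` goes on the side opposite the alignment. */
int fmt_add_string(FORMATTER f, const char *s, int maxlength, const char fill, enum fmt_alignment align) {
    if (s == NULL || maxlength < 0) { f->error = 1; return -1; }
    size_t width = (size_t)maxlength, n = strlen(s);
    if (n > width) n = width;  /* truncate instead of overflowing the field */
    size_t pad = width - n;
    if (align == FMT_RIGHT) for (size_t i = 0; i < pad; i++) if (fmt_append(f, &fill, 1)) return -1;
    if (fmt_append(f, s, n)) return -1;
    if (align == FMT_LEFT) for (size_t i = 0; i < pad; i++) if (fmt_append(f, &fill, 1)) return -1;
    return 0;
}

/* The argument type is fixed by the signature; no "%d" for the caller to get wrong. */
int fmt_add_decimal_default(FORMATTER f, int d) {
    char tmp[32];
    int n = snprintf(tmp, sizeof tmp, "%d", d);  /* the only format string is inside the library */
    return fmt_append(f, tmp, (size_t)n);
}

/* Copy the result into caller storage, always NUL-terminated. Returns the length the full
 * result needs (so the caller can detect truncation), or -1 if an earlier step failed. */
int fmt_write_result(FORMATTER f, char *out, int out_length) {
    if (f->error || out == NULL || out_length <= 0) return -1;
    size_t room = (size_t)out_length - 1;
    size_t n = f->len < room ? f->len : room;
    memcpy(out, f->buf, n);
    out[n] = '\0';
    return (int)f->len;
}

void destroy_formatter(FORMATTER f) {
    if (f == NULL) return;
    free(f->buf);
    free(f);
}

/* Builds the constructed sample "user=[alice   ] uid=42" into out; returns the needed length. */
int demo_line(char *out, int out_length) {
    FORMATTER f = create_formatter();
    if (f == NULL) return -1;
    fmt_add_string_default(f, "user=[");
    fmt_add_string(f, "alice", 8, ' ', FMT_LEFT);
    fmt_add_string_default(f, "] uid=");
    fmt_add_decimal_default(f, 42);
    int needed = fmt_write_result(f, out, out_length);
    destroy_formatter(f);
    return needed;
}

int main(void) {
    char line[64];
    int needed = demo_line(line, sizeof line);
    printf("%s (%d chars)\n", line, needed);
    return 0;
}
```

Because every fmt_add_* call returns a status and the error is sticky, a caller can check once at fmt_write_result instead of after each step; a too-small output buffer yields a truncated but still NUL-terminated string plus the length that was actually needed, which is the check a printf-style API leaves to the caller.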
+1  A: 

No, because whatever "safety" you introduce can be suborned by the language. It's like building your castle on sand - it doesn't matter how good the castle is, it can still be made to fall if you dig out the sand from underneath it.

There is no mechanism in C to enforce specific parameter types, nor should there be.

If people don't use your tools as they're meant to, that's their own problem, in my opinion. You're not supposed to be providing software to three-year-olds - they're expected to have some modicum of intelligence.

paxdiablo