ansaurus

Question

how to help programmer write safe and correct printf calls in C?

Answer 1

+1 A:

The best luck I had was to use tools like lint or splint and pitch an absolute fit when stuff was not passing 100%. Combined with some sort of code inspection (to handle cases where the warnings are being rightfully suppressed), this was enough to get the job done, though it was definitely not an ideal solution.

Hank Gay 2009-12-28 14:58:27

Nice but that's my starting point. That's after-the-fact (after programmer has typed the erroneous printf call). I'm looking for prevention -- preventing erroneous printf calls from being typed.

talkaboutquality 2009-12-28 15:16:27

From being typed or from being compiled? if the former, that's impossible. If the latter, one could integrate lint like tools into the build system such that if they failed it would be treated as a build break.

Logan Capaldo 2009-12-28 15:45:59

@Logan if you have a CI system, that is 100% the way to go.

Hank Gay 2009-12-28 15:52:52

From being typed. Nothing is impossible. Just have to think harder. That's why I'm asking on stackoverflow.

talkaboutquality 2009-12-30 09:21:15

If nothing is impossible, than typing an incorrect printf is not impossible no matter how good the check ;).

Logan Capaldo 2010-01-02 07:10:48

Answer 2

A:

It's not an easy problem to solve. If you are going to be writing specific patterns (like, say, "%s: %d", you can use a macro or (preferably) a wrapper function. It will not be possible to duplicate the functionality of printf() without duplicating the complexity.

Code editors will find it difficult to check, since determining value types (which is necessary to avoid mismatches) requires parsing the C program. It's possible for the C compiler itself to warn, but not many do (I'd like it if they did).

C++ avoids the problem with iostreams, which take advantage of operator overloading, but that's not an option in C.

One rule I can give is not to print out a string variable like printf(string);. Always use printf(%s, string); instead, since that avoids hard-to-find bugs if there's a percent sign in the string.

David Thornley 2009-12-28 15:00:42

I wouldn't mind "duplicating the complexity" if I could export that complexity out of printf and its use to the wrapper, and then get that wrapper right once and for all.Regarding the rule, good point, but I don't think it catches a very broad sub-class of errors. True that one shouldn't omit the format specifier altogether, but when putting it in, it's so often right in the middle of constant text, as in printf("The software had a %s problem on line %d",sProblemType,iProblemLineNumber).

talkaboutquality 2009-12-28 15:15:25

Regarding code editors' checking, if I combine that with @Hank Gay's answer, one could put lint in the background running all the time. That's closer to prevention but still not quite. Looking for an outside-the-box answer to the question.

talkaboutquality 2009-12-28 15:18:38

Answer 3

+7 A:

gcc provides -Wformat to warn about printf/scanf/strftime/strfmon format errors.

$ gcc -Wformat -c -o test.o test.c
test.c: In function ‘main’:
test.c:5: warning: format ‘%s’ expects type ‘char *’,
          but argument 2 has type ‘int’
$ cat test.c
#include <stdio.h>

int main(int argc, const char *argv[])
{
     printf("%s\n", 0);
     return 0;
}

rq 2009-12-28 15:14:36

Note also that `-Wformat` is included in `-Wall`. I generally try to compile all of my code with `-Wall -Werror`, and then exclude any warnings that are actually spurious; it leads to much cleaner code and makes you actually notice when you get new warnings in a big project.

Brian Campbell 2009-12-28 17:08:34

I clarified my question. Emphasis on "while typing" and clarification that these are "printf-like" functions. Yes, we know about printf compiler warning flags. For printf-like functions, we need to use preprocessor attributes to tell gcc that our functions are like printf. Similarly for lint. We're using these solutions but they are after-the-fact.

talkaboutquality 2009-12-30 09:18:05

@talkaboutquality: I assume you mean function attributes, which don't have anything to do with the preprocessor (http://gcc.gnu.org/onlinedocs/gcc-4.4.1/gcc/Function-Attributes.html#Function-Attributes)

Hasturkun 2009-12-30 10:23:48

In that case: use Java and an IDE like Eclipse or Netbeans. It's really the only way if you want as-you-type error flagging. The C preprocessor and C++'s "impossible" grammar means this is DOA for C IDEs.

rq 2009-12-30 13:54:49

Answer 4

+2 A:

Use a compiler which can check types and format of a printf(). Most modern compilers should be able to do it. For GCC, -Wall is your friend (or -Wformat if you want just the format checks). See the warning options for details.

Other than that, your only option is to add a #define printf ILLEGAL_DO_NOT_USE to a common header file of your projects and supply a different function that does the same job in a safe way. Good luck with that approach ;)

[EDIT] Your issue is that C can't attach type information to something passed as a parameter by itself. So what you could do is something along these lines:

safe_printf_like_function("%d %s %c\n", INT_TYPE(value), STRING_TYPE(s), CHAR_TYPE(c));

The macros must contain casts to the type (so the compiler can notice that the type is wrong as you pass it in) plus it must expand to something that carries the type information.

Drawback: Any C programmer is going to scream out in anguish if you present them such an API. C just isn't meant to be this way. C is unsafe. Period. It's meant to be unsafe. By design, habit and tradition. If you want a safety net, C is not for you.

That said, you can achieve a certain level of safety in C but at a cost: You must forbid the use of varargs anywhere in the code. Pointers and arrays must be wrapped in code that checks sizes, etc. So yeah, it's possible but it's not C anymore.

Face it, C is from 1972. It's ancient and it shows. For almost 35 years, no one managed to find a clever way to make C safe (see C++ for an attempt and the amount of success you can expect).

Aaron Digulla 2009-12-28 15:15:13

I clarified my question. Emphasis on "while typing" and clarification that these are "printf-like" functions. We know about printf compiler warning flags. For printf-like functions, we use preprocessor attributes to tell gcc our functions are like printf. Same for lint. We're using these solutions but they are after-the-fact.Good idea on how to forbid a given function, in a compiler-independent way. But, given my clarification, our problem is not forbidding use of printf and replacing it with wrapper functions. We already have wrapper functions. It's making using them less error-prone.

talkaboutquality 2009-12-30 09:20:28

I've edited my answer. In short: What you have is the best you can get.

Aaron Digulla 2009-12-30 09:47:31

LOL I guess I was hoping against hope. Maybe the best we can do is using computer speed (Moore's law) to make after-the-fact tests (compiler, lint) run all the time in the background to continuously highlight typing and coding errors. Thanks for your thorough answer.

talkaboutquality 2009-12-30 19:20:32

Well, there are new languages which are much better at this. Just have a look at Groovy or Python. Granted, they are slow today but JIT compilers get better every day which means all programs written in these languages get faster with every improvement of the VM (which isn't true for C).

Aaron Digulla 2009-12-30 21:44:31

Answer 5

+2 A:

In GCC, there's a built in way to prevent use of functions:

#pragma GCC poison printf

It's better than "-Wall" because it's an error, not an warning. I've no idea how printf would be replaced - maybe by lots of specialized functions.

See GCC pragmas

diciu 2009-12-28 15:47:30

ansaurus

tags:

views:

answers:

how to help programmer write safe and correct printf calls in C?

related questions