static: add format string and its args checking

tt_sprintf, tt_snprintf, and tt_vsnprintf now have compile-time checks for their arguments fitting the format string.
tarantool · Nov 30, 2021 · 871f5a7 · 871f5a7
1 parent fe61004
commit 871f5a7
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 8 deletions.
diff --git a/src/box/box.cc b/src/box/box.cc
@@ -1115,7 +1115,7 @@ box_check_memory_quota(const char *quota_name)
 		return size;
 	diag_set(ClientError, ER_CFG, quota_name,
 		 tt_sprintf("must be >= 0 and <= %zu, but it is %lld",
-		 QUOTA_MAX, size));
+			    QUOTA_MAX, (long long)size));
 	return -1;
 }
 

diff --git a/src/box/memtx_rtree.c b/src/box/memtx_rtree.c
@@ -409,8 +409,9 @@ memtx_rtree_index_new(struct memtx_engine *memtx, struct index_def *def)
 	    def->opts.dimension > RTREE_MAX_DIMENSION) {
 		diag_set(UnsupportedIndexFeature, def,
 			 tt_sprintf("dimension (%lld): must belong to "
-				    "range [%u, %u]", def->opts.dimension,
-				    1, RTREE_MAX_DIMENSION));
+				    "range [%u, %u]",
+				    (long long)def->opts.dimension, 1,
+				    RTREE_MAX_DIMENSION));
 		return NULL;
 	}
 

diff --git a/src/box/sql/func.c b/src/box/sql/func.c
@@ -992,8 +992,11 @@ func_round(struct sql_context *ctx, int argc, const struct Mem *argv)
 
 	double d = argv[0].u.r;
 	struct Mem *res = ctx->pOut;
-	if (n != 0)
-		return mem_set_double(res, atof(tt_sprintf("%.*f", n, d)));
+	if (n != 0) {
+		int precision = MIN(n, INT_MAX);
+		return mem_set_double(res, atof(tt_sprintf(
+			"%.*lf", precision, d)));
+	}
 	/*
 	 * DOUBLE values greater than 2^53 or less than -2^53 have no digits
 	 * after the decimal point.

diff --git a/src/box/sql/mem.c b/src/box/sql/mem.c
@@ -685,9 +685,9 @@ int_to_str0(struct Mem *mem)
 	assert((mem->type & (MEM_TYPE_INT | MEM_TYPE_UINT)) != 0);
 	const char *str;
 	if (mem->type == MEM_TYPE_UINT)
-		str = tt_sprintf("%llu", mem->u.u);
+		str = tt_sprintf("%llu", (unsigned long long)mem->u.u);
 	else
-		str = tt_sprintf("%lld", mem->u.i);
+		str = tt_sprintf("%lld", (long long)mem->u.i);
 	return mem_copy_str0(mem, str);
 }
 

diff --git a/src/box/sql/select.c b/src/box/sql/select.c
@@ -5091,7 +5091,7 @@ selectExpander(Walker * pWalker, Select * p)
 			/*
 			 * Rewrite old name with correct pointer.
 			 */
-			name = tt_sprintf("sql_sq_%llX", (void *)space);
+			name = tt_sprintf("sql_sq_%llX", (long long)space);
 			sprintf(space->def->name, "%s", name);
 			while (pSel->pPrior) {
 				pSel = pSel->pPrior;

diff --git a/src/lib/core/tt_static.h b/src/lib/core/tt_static.h
@@ -31,6 +31,7 @@
  * SUCH DAMAGE.
  */
 #include "small/static.h"
+#include "trivia/util.h"
 #include <string.h>
 #include <stdio.h>
 #include <stdarg.h>
@@ -72,6 +73,7 @@ tt_cstr(const char *str, size_t len)
  * Wrapper around vsnprintf() that prints the result to
  * the static buffer.
  */
+CFORMAT(printf, 2, 0)
 static inline const char *
 tt_vsnprintf(size_t size, const char *format, va_list ap)
 {
@@ -89,6 +91,7 @@ tt_vsnprintf(size_t size, const char *format, va_list ap)
 }
 
 /** @copydoc tt_vsnprintf() */
+CFORMAT(printf, 1, 2)
 static inline const char *
 tt_sprintf(const char *format, ...)
 {
@@ -103,6 +106,7 @@ tt_sprintf(const char *format, ...)
  * The same as tt_sprintf() but allows to specify more precise
  * string limits.
  */
+CFORMAT(printf, 2, 3)
 static inline const char *
 tt_snprintf(size_t size, const char *format, ...)
 {