base: remove internal use of format strings

Issue #2064

repos/base-linux/src/core/include/core_linux_syscalls.h

@@ -117,8 +117,7 @@ inline int lx_ioctl_irq(int fd, int irq)
  ** Process creation and destruction **
  **************************************/
 
-inline int lx_execve(const char *filename, char *const argv[],
-                     char *const envp[])
+inline int lx_execve(char const *filename, char const *argv[], char const *envp[])
 {
 	return (int)lx_syscall(SYS_execve, filename, argv, envp);
 }

repos/base-linux/src/core/include/resource_path.h

@@ -18,7 +18,7 @@
 #include <linux_syscalls.h>
 
 /* Genode includes */
-#include <base/snprintf.h>
+#include <util/string.h>
 
 /**
  * Return resource path for Genode
@@ -27,18 +27,8 @@
  */
 static inline char const *resource_path()
 {
-	struct Resource_path
-	{
-		char string[32];
-
-		Resource_path()
-		{
-			Genode::snprintf(string, sizeof(string), "/tmp/genode-%d", lx_getuid());
-		}
-	};
-
-	static Resource_path path;
-	return path.string;
+	static Genode::String<32> path("/tmp/genode-", lx_getuid());
+	return path.string();
 }
 
 #endif /* _CORE__INCLUDE__RESOURCE_PATH_H_ */

repos/base-linux/src/core/native_pd_component.cc

@@ -13,7 +13,6 @@
 
 /* Genode includes */
 #include <util/arg_string.h>
-#include <base/snprintf.h>
 #include <cpu/consts.h>
 
 /* core includes */
@@ -42,8 +41,8 @@ struct Execve_args_and_stack
 	struct Args
 	{
 		char const *filename;
-		char      **argv;
-		char      **envp;
+		char const **argv;
+		char const **envp;
 		Lx_sd       parent_sd;
 	};
 
@@ -111,8 +110,7 @@ void Native_pd_component::_start(Dataspace_component &ds)
 	const char *tmp_filename = "temporary_executable_elf_dataspace_file_for_execve";
 
 	/* we need 's' on stack to make it an lvalue with an lvalue member we use the pointer to */
-	Linux_dataspace::Filename s = ds.fname();
-	const char *filename = s.buf;
+	Linux_dataspace::Filename filename = ds.fname();
 
 	/*
 	 * In order to be executable via 'execve', a program must be represented as
@@ -121,11 +119,11 @@ void Native_pd_component::_start(Dataspace_component &ds)
 	 * the dataspace content into a temporary file whose path is passed to
 	 * 'execve()'.
 	 */
-	if (Genode::strcmp(filename, "") == 0) {
+	if (filename == "") {
 
 		filename = tmp_filename;
 
-		int tmp_binary_fd = lx_open(filename, O_CREAT | O_EXCL | O_WRONLY, S_IRWXU);
+		int tmp_binary_fd = lx_open(filename.string(), O_CREAT | O_EXCL | O_WRONLY, S_IRWXU);
 		if (tmp_binary_fd < 0) {
 			error("Could not create file '", filename, "'");
 			return; /* XXX reflect error to client */
@@ -141,30 +139,24 @@ void Native_pd_component::_start(Dataspace_component &ds)
 	}
 
 	/* pass parent capability as environment variable to the child */
-	enum { ENV_STR_LEN = 256 };
-	static char envbuf[5][ENV_STR_LEN];
-	Genode::snprintf(envbuf[1], ENV_STR_LEN, "parent_local_name=%lu",
-	                 _pd_session._parent.local_name());
-	Genode::snprintf(envbuf[2], ENV_STR_LEN, "DISPLAY=%s",
-	                 get_env("DISPLAY"));
-	Genode::snprintf(envbuf[3], ENV_STR_LEN, "HOME=%s",
-	                 get_env("HOME"));
-	Genode::snprintf(envbuf[4], ENV_STR_LEN, "LD_LIBRARY_PATH=%s",
-	                 get_env("LD_LIBRARY_PATH"));
-
-	char *env[] = { &envbuf[0][0], &envbuf[1][0], &envbuf[2][0],
-		&envbuf[3][0], &envbuf[4][0], 0 };
+	using Env_string = String<256>;
+	static Env_string env_strings[] {
+		{ "parent_local_name=", _pd_session._parent.local_name() },
+		{ "DISPLAY=",           get_env("DISPLAY") },
+		{ "HOME=",              get_env("HOME") },
+		{ "LD_LIBRARY_PATH=",   get_env("LD_LIBRARY_PATH") },
+	};
+	char const *env[] = { env_strings[0].string(), env_strings[1].string(),
+	                      env_strings[2].string(), env_strings[3].string(),
+	                      nullptr };
 
 	/* prefix name of Linux program (helps killing some zombies) */
-	char const *prefix = "[Genode] ";
-	char pname_buf[sizeof(_pd_session._label) + sizeof(prefix)];
-	snprintf(pname_buf, sizeof(pname_buf), "%s%s", prefix, _pd_session._label.string());
-	char *argv_buf[2];
-	argv_buf[0] = pname_buf;
-	argv_buf[1] = 0;
+	using Pname = String<Session::Label::capacity() + 9>;
+	Pname const pname("[Genode] ", _pd_session._label);
+	char const *argv_buf[] { pname.string(), nullptr };
 
 	_execve_args_and_stack().args = Execve_args_and_stack::Args {
-		.filename  = filename,
+		.filename  = filename.string(),
 		.argv      = argv_buf,
 		.envp      = env,
 		.parent_sd = Capability_space::ipc_cap_data(_pd_session._parent).dst.socket
@@ -173,8 +165,8 @@ void Native_pd_component::_start(Dataspace_component &ds)
 	_pid = lx_create_process((int (*)())_exec_child,
 	                         _execve_args_and_stack().initial_sp());
 
-	if (Genode::strcmp(filename, tmp_filename) == 0)
-		lx_unlink(filename);
+	if (filename == tmp_filename)
+		lx_unlink(filename.string());
 }
 
 

repos/base-linux/src/core/ram_dataspace_support.cc

@@ -14,9 +14,6 @@
 /* glibc includes */
 #include <fcntl.h>
 
-/* Genode includes */
-#include <base/snprintf.h>
-
 /* local includes */
 #include <ram_dataspace_factory.h>
 #include <resource_path.h>
@@ -35,12 +32,11 @@ static int ram_ds_cnt = 0;  /* counter for creating unique dataspace IDs */
 
 void Ram_dataspace_factory::_export_ram_ds(Dataspace_component &ds)
 {
-	char fname[Linux_dataspace::FNAME_LEN];
+	Linux_dataspace::Filename const fname(resource_path(), "/ds-", ram_ds_cnt++);
 
 	/* create file using a unique file name in the resource path */
-	snprintf(fname, sizeof(fname), "%s/ds-%d", resource_path(), ram_ds_cnt++);
-	lx_unlink(fname);
-	int const fd = lx_open(fname, O_CREAT|O_RDWR|O_TRUNC|LX_O_CLOEXEC, S_IRWXU);
+	lx_unlink(fname.string());
+	int const fd = lx_open(fname.string(), O_CREAT|O_RDWR|O_TRUNC|LX_O_CLOEXEC, S_IRWXU);
 	lx_ftruncate(fd, ds.size());
 
 	/* remember file descriptor in dataspace component object */
@@ -52,7 +48,7 @@ void Ram_dataspace_factory::_export_ram_ds(Dataspace_component &ds)
 	 * gone (i.e., an open file descriptor referring to the file). A process
 	 * w/o the right file descriptor won't be able to open and access the file.
 	 */
-	lx_unlink(fname);
+	lx_unlink(fname.string());
 }
 
 

repos/base-linux/src/core/spec/linux/dataspace_component.cc

@@ -21,13 +21,10 @@
 
 /* Genode includes */
 #include <linux_dataspace/linux_dataspace.h>
-#include <util/arg_string.h>
-#include <util/misc_math.h>
-#include <root/root.h>
 #include <base/session_label.h>
 
 /* local includes */
-#include "dataspace_component.h"
+#include <dataspace_component.h>
 
 using namespace Core;
 
@@ -35,17 +32,15 @@ using namespace Core;
 Linux_dataspace::Filename Dataspace_component::_file_name(const char *args)
 {
 	Session_label const label = label_from_args(args);
-	Linux_dataspace::Filename fname;
-
-	if (label.last_element().length() > sizeof(fname.buf)) {
+	if (label.last_element().length() > Linux_dataspace::Filename::capacity()) {
 		error("file name too long: ", label.last_element());
 		throw Service_denied();
 	}
 
-	copy_cstring(fname.buf, label.last_element().string(), sizeof(fname.buf));
+	Linux_dataspace::Filename const fname = label.last_element();
 
 	/* only files inside the current working directory are allowed */
-	for (const char *c = fname.buf; *c; ++c)
+	for (const char *c = fname.string(); *c; ++c)
 		if (*c == '/') throw Service_denied();
 
 	return fname;
@@ -55,7 +50,7 @@ Linux_dataspace::Filename Dataspace_component::_file_name(const char *args)
 size_t Dataspace_component::_file_size()
 {
 	Genode::uint64_t size = 0;
-	if (lx_stat_size(_fname.buf, size) < 0)
+	if (lx_stat_size(_fname.string(), size) < 0)
 		throw Service_denied();
 
 	return align_addr((size_t)size, 12);
@@ -67,7 +62,7 @@ Dataspace_component::Dataspace_component(const char *args)
 	_fname(_file_name(args)),
 	_size(_file_size()),
 	_addr(0),
-	_cap(_fd_to_cap(lx_open(_fname.buf, O_RDONLY | LX_O_CLOEXEC, S_IRUSR | S_IXUSR))),
+	_cap(_fd_to_cap(lx_open(_fname.string(), O_RDONLY | LX_O_CLOEXEC, S_IRUSR | S_IXUSR))),
 	_writeable(false),
 	_owner(0)
 { }
@@ -79,5 +74,4 @@ Dataspace_component::Dataspace_component(size_t size, addr_t, addr_t phys_addr,
 	_size(size), _addr(phys_addr), _cap(), _writeable(false), _owner(_owner)
 {
 	warning("Should only be used for IOMEM and not within Linux.");
-	_fname.buf[0] = 0;
 }