Replace stringf() with a templated function which does compile-time format string checking.

Checking only happens at compile time if -std=c++20 (or greater) is enabled. Otherwise
the checking happens at run time.

This requires the format string to be a compile-time constant, so fix a few places
where that isn't true.

Author: rocallahan

backends/verilog/verilog_backend.cc

@@ -1163,9 +1163,9 @@ bool dump_cell_expr(std::ostream &f, std::string indent, RTLIL::Cell *cell)
 		dump_sigspec(f, cell->getPort(ID::Y));
 		f << stringf(" = ~((");
 		dump_cell_expr_port(f, cell, "A", false);
-		f << stringf(cell->type == ID($_AOI3_) ? " & " : " | ");
+		f << (cell->type == ID($_AOI3_) ? " & " : " | ");
 		dump_cell_expr_port(f, cell, "B", false);
-		f << stringf(cell->type == ID($_AOI3_) ? ") |" : ") &");
+		f << (cell->type == ID($_AOI3_) ? ") |" : ") &");
 		dump_attributes(f, "", cell->attributes, " ");
 		f << stringf(" ");
 		dump_cell_expr_port(f, cell, "C", false);
@@ -1178,13 +1178,13 @@ bool dump_cell_expr(std::ostream &f, std::string indent, RTLIL::Cell *cell)
 		dump_sigspec(f, cell->getPort(ID::Y));
 		f << stringf(" = ~((");
 		dump_cell_expr_port(f, cell, "A", false);
-		f << stringf(cell->type == ID($_AOI4_) ? " & " : " | ");
+		f << (cell->type == ID($_AOI4_) ? " & " : " | ");
 		dump_cell_expr_port(f, cell, "B", false);
-		f << stringf(cell->type == ID($_AOI4_) ? ") |" : ") &");
+		f << (cell->type == ID($_AOI4_) ? ") |" : ") &");
 		dump_attributes(f, "", cell->attributes, " ");
 		f << stringf(" (");
 		dump_cell_expr_port(f, cell, "C", false);
-		f << stringf(cell->type == ID($_AOI4_) ? " & " : " | ");
+		f << (cell->type == ID($_AOI4_) ? " & " : " | ");
 		dump_cell_expr_port(f, cell, "D", false);
 		f << stringf("));\n");
 		return true;
@@ -1407,7 +1407,7 @@ bool dump_cell_expr(std::ostream &f, std::string indent, RTLIL::Cell *cell)
 			if (!noattr)
 				f << stringf("%s" "  (* parallel_case *)\n", indent.c_str());
 			f << stringf("%s" "  casez (s)", indent.c_str());
-			f << stringf(noattr ? " // synopsys parallel_case\n" : "\n");
+			f << (noattr ? " // synopsys parallel_case\n" : "\n");
 		}
 
 		for (int i = 0; i < s_width; i++)

kernel/io.cc

@@ -384,4 +384,16 @@ std::string escape_filename_spaces(const std::string& filename)
 	return out;
 }
 
+void format_emit_no_conversions(std::string &result, std::string_view fmt)
+{
+	result.reserve(result.size() + fmt.size());
+	for (size_t i = 0; i < fmt.size(); ++i) {
+		char ch = fmt[i];
+		result.push_back(ch);
+		if (ch == '%' && i + 1 < fmt.size() && fmt[i + 1] == '%') {
+			++i;
+		}
+	}
+}
+
 YOSYS_NAMESPACE_END

kernel/io.h

@@ -1,5 +1,6 @@
 #include <string>
 #include <stdarg.h>
+#include <type_traits>
 #include "kernel/yosys_common.h"
 
 #ifndef YOSYS_IO_H
@@ -50,18 +51,307 @@ inline std::string vstringf(const char *fmt, va_list ap)
 #endif
 }
 
-std::string stringf(const char *fmt, ...) YS_ATTRIBUTE(format(printf, 1, 2));
+enum class ConversionSpecifier : char
+{
+	NONE,
+	// Specifier not understood/supported
+	ERROR,
+	// Consumes a "long long"
+	SIGNED_INT,
+	// Consumes a "unsigned long long"
+	UNSIGNED_INT,
+	// Consumes a "double"
+	DOUBLE,
+	// Consumes a "const char*"
+	CHAR_PTR,
+	// Consumes a "void*"
+	VOID_PTR,
+};
 
-inline std::string stringf(const char *fmt, ...)
+constexpr ConversionSpecifier parse_conversion_specifier(char ch)
 {
-	std::string string;
-	va_list ap;
+	switch (ch) {
+	case 'd':
+	case 'i':
+		return ConversionSpecifier::SIGNED_INT;
+	case 'o':
+	case 'u':
+	case 'x':
+	case 'X':
+	case 'c':
+	case 'm':
+		return ConversionSpecifier::UNSIGNED_INT;
+	case 'e':
+	case 'E':
+	case 'f':
+	case 'F':
+	case 'g':
+	case 'G':
+	case 'a':
+	case 'A':
+		return ConversionSpecifier::DOUBLE;
+	case 's':
+		return ConversionSpecifier::CHAR_PTR;
+	case 'p':
+		return ConversionSpecifier::VOID_PTR;
+	case '$': // positional parameters
+	case 'n':
+	case 'S':
+		return ConversionSpecifier::ERROR;
+	default:
+		return ConversionSpecifier::NONE;
+	}
+}
+
+// Describes a printf-style format conversion specifier found in a format string.
+struct FoundFormatSpec
+{
+	// The start offset of the conversion spec in the format string.
+	int start;
+	// The end offset of the conversion spec in the format string.
+	int end;
+	ConversionSpecifier spec;
+	// Number of int args consumed by '*' dynamic width/precision args.
+	uint8_t num_dynamic_ints;
+};
+
+// Returns the next format conversion specifier (starting with '%').
+// Returns ConversionSpecifier::NONE if there isn't a format conversion specifier.
+constexpr FoundFormatSpec find_next_format_spec(std::string_view fmt, int fmt_start)
+{
+	int index = fmt_start;
+	int fmt_size = static_cast<int>(fmt.size());
+	while (index < fmt_size) {
+		if (fmt[index] != '%') {
+			++index;
+			continue;
+		}
+		int p = index + 1;
+		uint8_t num_dynamic_ints = 0;
+		while (true) {
+			if (p == fmt_size) {
+				return {0, 0, ConversionSpecifier::NONE, 0};
+			}
+			if (fmt[p] == '%') {
+				index = p + 1;
+				break;
+			}
+			if (fmt[p] == '*') {
+				if (num_dynamic_ints >= 2) {
+					return {0, 0, ConversionSpecifier::ERROR, 0};
+				}
+				++num_dynamic_ints;
+			}
+			ConversionSpecifier spec = parse_conversion_specifier(fmt[p]);
+			if (spec != ConversionSpecifier::NONE) {
+				return {index, p + 1, spec, num_dynamic_ints};
+			}
+			++p;
+		}
+	}
+	return {0, 0, ConversionSpecifier::NONE, 0};
+}
 
-	va_start(ap, fmt);
-	string = vstringf(fmt, ap);
+template <typename... Args>
+constexpr typename std::enable_if<sizeof...(Args) == 0>::type
+check_format(std::string_view fmt, int fmt_start, FoundFormatSpec*, uint8_t)
+{
+	FoundFormatSpec found = find_next_format_spec(fmt, fmt_start);
+	if (found.spec != ConversionSpecifier::NONE) {
+		YOSYS_ABORT("More format conversion specifiers than arguments");
+	}
+}
+
+// Check that the format string `fmt.substr(fmt_start)` is valid for the given type arguments.
+// Fills `specs` with the FoundFormatSpecs found in the format string.
+// `int_args_consumed` is the number of int arguments already consumed to satisfy the
+// dynamic width/precision args for the next format conversion specifier.
+template <typename Arg, typename... Args>
+constexpr void check_format(std::string_view fmt, int fmt_start, FoundFormatSpec* specs,
+        uint8_t int_args_consumed)
+{
+	FoundFormatSpec found = find_next_format_spec(fmt, fmt_start);
+	if (found.num_dynamic_ints > int_args_consumed) {
+		// We need to consume at least one more int for the dynamic
+		// width/precision of this format conversion specifier.
+		if constexpr (!std::is_convertible_v<Arg, int>) {
+			YOSYS_ABORT("Expected dynamic int argument");
+		}
+		check_format<Args...>(fmt, fmt_start, specs, int_args_consumed + 1);
+		return;
+	}
+	switch (found.spec) {
+	case ConversionSpecifier::NONE:
+		YOSYS_ABORT("Expected format conversion specifier for argument");
+		break;
+	case ConversionSpecifier::ERROR:
+		YOSYS_ABORT("Found unsupported format conversion specifier");
+		break;
+	case ConversionSpecifier::SIGNED_INT:
+		if constexpr (!std::is_convertible_v<Arg, long long>) {
+			YOSYS_ABORT("Expected type convertible to signed integer");
+		}
+		*specs = found;
+		break;
+	case ConversionSpecifier::UNSIGNED_INT:
+		if constexpr (!std::is_convertible_v<Arg, unsigned long long>) {
+			YOSYS_ABORT("Expected type convertible to unsigned integer");
+		}
+		*specs = found;
+		break;
+	case ConversionSpecifier::DOUBLE:
+		if constexpr (!std::is_convertible_v<Arg, double>) {
+			YOSYS_ABORT("Expected type convertible to double");
+		}
+		*specs = found;
+		break;
+	case ConversionSpecifier::CHAR_PTR:
+		if constexpr (!std::is_convertible_v<Arg, const char *>) {
+			YOSYS_ABORT("Expected type convertible to char *");
+		}
+		*specs = found;
+		break;
+	case ConversionSpecifier::VOID_PTR:
+		if constexpr (!std::is_convertible_v<Arg, const void *>) {
+			YOSYS_ABORT("Expected pointer type");
+		}
+		*specs = found;
+		break;
+	}
+	check_format<Args...>(fmt, found.end, specs + 1, 0);
+}
+
+inline std::string string_view_stringf(std::string_view spec, ...)
+{
+	va_list ap;
+	va_start(ap, spec);
+	std::string result = vstringf(std::string(spec).c_str(), ap);
 	va_end(ap);
+	return result;
+}
 
-	return string;
+// Emit the string representation of `arg` by converting it to type `T` and passing
+// it to `vstringf()` via `string_view_stringf()`, then appending to `result`.
+// If `arg` can't be converted to `T` then abort; `check_format()` should guarantee
+// this doesn't happen, but the C++ compiler doesn't know that.
+template <typename Arg, typename T>
+inline void format_emit_type(std::string &result, std::string_view spec, int *dynamic_ints,
+	uint8_t num_dynamic_ints, const Arg &arg)
+{
+	if constexpr (std::is_convertible_v<Arg, T>) {
+		T v = arg;
+		switch (num_dynamic_ints) {
+		case 0:
+			result += string_view_stringf(spec, v);
+			return;
+		case 1:
+			result += string_view_stringf(spec, dynamic_ints[0], v);
+			return;
+		case 2:
+			result += string_view_stringf(spec, dynamic_ints[0], dynamic_ints[1], v);
+			return;
+		}
+	}
+	YOSYS_ABORT("Internal error");
+}
+
+// Emit the string representation of `arg` according to the given `FoundFormatSpec`,
+// appending it to `result`.
+template <typename Arg>
+inline void format_emit_one(std::string &result, std::string_view fmt, const FoundFormatSpec &ffspec,
+	int *dynamic_ints, const Arg& arg)
+{
+	std::string_view spec = fmt.substr(ffspec.start, ffspec.end - ffspec.start);
+	int num_dynamic_ints = ffspec.num_dynamic_ints;
+	switch (ffspec.spec) {
+	case ConversionSpecifier::SIGNED_INT:
+		format_emit_type<Arg, long long>(result, spec, dynamic_ints, num_dynamic_ints, arg);
+		return;
+	case ConversionSpecifier::UNSIGNED_INT:
+		format_emit_type<Arg, unsigned long long>(result, spec, dynamic_ints, num_dynamic_ints, arg);
+		return;
+	case ConversionSpecifier::DOUBLE:
+		format_emit_type<Arg, double>(result, spec, dynamic_ints, num_dynamic_ints, arg);
+		return;
+	case ConversionSpecifier::CHAR_PTR:
+		format_emit_type<Arg, const char *>(result, spec, dynamic_ints, num_dynamic_ints, arg);
+		return;
+	case ConversionSpecifier::VOID_PTR:
+		format_emit_type<Arg, void *>(result, spec, dynamic_ints, num_dynamic_ints, arg);
+		return;
+	default:
+		break;
+	}
+	YOSYS_ABORT("Internal error");
+}
+
+// Append the format string `fmt` to `result`, assuming there are no format conversion
+// specifiers other than "%%" and therefore no arguments. Unescape "%%".
+void format_emit_no_conversions(std::string &result, std::string_view fmt);
+
+inline void format_emit(std::string &result, std::string_view fmt, int fmt_start,
+	const FoundFormatSpec*, int*, uint8_t)
+{
+	format_emit_no_conversions(result, fmt.substr(fmt_start));
+}
+// Format `args` according to `fmt` (starting at `fmt_start`) and `specs` and append to `result`.
+// `num_dynamic_ints` in `dynamic_ints[]` have already been collected to provide as
+// dynamic width/precision args for the next format conversion specifier.
+template <typename Arg, typename... Args>
+inline void format_emit(std::string &result, std::string_view fmt, int fmt_start,
+	const FoundFormatSpec* specs, int *dynamic_ints, uint8_t num_dynamic_ints,
+	const Arg &arg, const Args &... args)
+{
+	if (specs->num_dynamic_ints > num_dynamic_ints) {
+		// Collect another int for the dynamic width precision/args
+		// for the next format conversion specifier.
+		if constexpr (std::is_convertible_v<Arg, int>) {
+			dynamic_ints[num_dynamic_ints] = arg;
+		} else {
+			YOSYS_ABORT("Internal error");
+		}
+		format_emit(result, fmt, fmt_start, specs, dynamic_ints,
+		            num_dynamic_ints + 1, args...);
+		return;
+	}
+	format_emit_no_conversions(result, fmt.substr(fmt_start, specs->start - fmt_start));
+	format_emit_one(result, fmt, *specs, dynamic_ints, arg);
+	format_emit(result, fmt, specs->end, specs + 1, dynamic_ints, 0, args...);
+}
+
+// This class parses format strings to build a list of `FoundFormatSpecs` in `specs`.
+// When the compiler supports `consteval` (C++20), this parsing happens at compile time and
+// type errors will be reported at compile time. Otherwise the parsing happens at
+// runtime and type errors will trigger an `abort()` at runtime.
+template <typename... Args>
+class FmtString
+{
+public:
+	// Implicit conversion from const char * means that users can pass
+	// C string constants which are automatically parsed.
+	YOSYS_CONSTEVAL FmtString(const char *p) : fmt(p)
+	{
+		check_format<Args...>(fmt, 0, specs, 0);
+	}
+	std::string format(const Args &... args)
+	{
+		std::string result;
+		int dynamic_ints[2];
+		format_emit(result, fmt, 0, specs, dynamic_ints, 0, args...);
+		return result;
+	}
+private:
+	std::string_view fmt;
+	FoundFormatSpec specs[sizeof...(Args)] = {};
+};
+
+template <typename T> struct WrapType { using type = T; };
+template <typename T> using TypeIdentity = typename WrapType<T>::type;
+
+template <typename... Args>
+inline std::string stringf(FmtString<TypeIdentity<Args>...> fmt, Args... args)
+{
+	return fmt.format(args...);
 }
 
 int readsome(std::istream &f, char *s, int n);

kernel/yosys_common.h

@@ -134,6 +134,14 @@
 #  define YS_COLD
 #endif
 
+#ifdef __cpp_consteval
+#define YOSYS_CONSTEVAL consteval
+#else
+#define YOSYS_CONSTEVAL
+#endif
+
+#define YOSYS_ABORT(s) abort()
+
 #include "kernel/io.h"
 
 YOSYS_NAMESPACE_BEGIN