printf: Fix up %p to %pP

In order to avoid landmines later with future extensions to %p,
disallow %p by itself. The danger is that we'll have something
like: printf("%pFOO", myptr), and then later will add a %pF
extension, but miss this printf (maybe the string is split, maybe
it's just missed).

Missing a conversion during extension is worse than just seeing a
print like <ptr_val>OO, since %pF likely reaches through the
pointer and interprets its contents according to whatever F means.

Convert existing uses of %p to %pP, so they're explicitly printing
a pointer value, giving us flexibility to extend in the future.

BUG=chromium:984041
TEST=make -j buildall
BRANCH=None

Cq-Depend:chrome-internal:1560879
Change-Id: I36a4bee8d41cb9a6139171f8de0d8f2f19468132
Signed-off-by: Evan Green <evgreen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1730604
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>

1 files changed, 13 insertions, 1 deletions

diff --git a/test/printf.c b/test/printf.c
index 7e857dd55c..cf20be7b31 100644
--- a/test/printf.c
+++ b/test/printf.c
@@ -196,8 +196,20 @@ test_static int test_vsnprintf_pointers(void)
 {
 	void *ptr = (void *)0x55005E00;
 
-	T(expect_success("55005e00",  "%p",      ptr));
+	T(expect_success("55005e00",  "%pP",     ptr));
 	T(expect_success(err_str,     "%P",      ptr));
+	/* %p by itself is invalid */
+	T(expect(EC_ERROR_INVAL, NO_BYTES_TOUCHED,
+		 /* given -1 as output size limit */
+		 false, -1, "%p"));
+	/* %p with an unknown suffix is invalid */
+	T(expect(EC_ERROR_INVAL, NO_BYTES_TOUCHED,
+		 /* given -1 as output size limit */
+		 false, -1, "%p "));
+	/* %p with an unknown suffix is invalid */
+	T(expect(EC_ERROR_INVAL, NO_BYTES_TOUCHED,
+		 /* given -1 as output size limit */
+		 false, -1, "%pQ"));
 	return EC_SUCCESS;
 }