[Source](http://blog.hostilefork.com/where-printf-rubber-meets-road/ "Permalink to c : Where the printf() Rubber Meets the Road")
# c : Where the printf() Rubber Meets the Road
![Feed Icon][1][RSS 1.0 XML Feed][2] available
# Where the printf() Rubber Meets the Road
* [Home][3]
* [c][4]
* Where the printf() Rubber Meets the Road
**Date:** 14-Mar-2010/19:52
**Tags:** [c][4], [stackexchange][5]
**Characters:** (none)
After ignoring StackOverflow for a while, I decided to check up on it a bit lately. Someone asked [a question][6] that's one of those kind of fundamental curiosity issues that I enjoy explaining. He said:
> I always thought that functions like printf() are in the last step defined using inline assembly. That deep into stdio.h is buried some asm code that actually tells CPU what to do. Something like in dos, first mov beginning of the string to some memory location or register and than call some int. But since x64 version of Visual Studio doesn't support inline assembler at all, it made me think that there are really no assembler-defined functions in C/C++. So, please, how is for example printf() defined in C/C++ without using assembler code? What actually executes the right software interrupt?
Obviously the answer is going to depend on the implementation. Yet I thought that with the open-sourced GNU C Library, it would be pretty straightforward to show how most of it is in C but it bottoms out at `syscall`. But it really was quite a maze to connect all the dots without doing any hand-waving! So I found that my explanation just kept growing until it was so long that a blog entry was a more fitting format.
So read on, fearless explorers, as we dig into the complicated answer to a seemingly simple question...
### First Steps
We'll of course start with the prototype for `printf`, which is defined in the file [libc/libio/stdio.h][7]
extern int printf (__const char *__restrict __format, ...);
You won't find the source code for a function called `printf`, however. Instead, in the file [/libc/stdio-common/printf.c][8] you'll find a little bit of code associated with a function called `__printf`:
int __printf (const char *format, ...)
{
va_list arg;
int done;
va_start (arg, format);
done = vfprintf (stdout, format, arg);
va_end (arg);
return done;
}
A macro in the same file sets up an association so that this function is defined as an alias for the non-underscored `printf`:
ldbl_strong_alias (__printf, printf);
It makes sense that `printf` would be a thin layer that calls `vfprintf` with `stdout`. Indeed, the meat of the formatting work is done in `vfprintf`, which you'll find in [libc/stdio-common/vfprintf.c][9]. It's quite a lengthy function, but you can see that it's still all in C!
### Deeper Down the Rabbit Hole...
`vfprintf` mysteriously calls `outchar` and `outstring`, which are weird macros defined in the same file:
#define outchar(Ch)
do
{
register const INT_T outc = (Ch);
if (PUTC (outc, s) == EOF || done == INT_MAX)
{
done = -1;
goto all_done;
}
++done;
}
while (0)
Sidestepping the question of why it's so weird, we see that it's dependent on the enigmatic `PUTC`, also in the same file:
#define PUTC(C, F) IO_putwc_unlocked (C, F)
When you get to the definition of `IO_putwc_unlocked` in [libc/libio/libio.h][10], you might start thinking that you no longer care how `printf` works:
But despite being a little hard to read, it's just doing buffered output. If there's enough room in the file pointer's buffer, then it will just stick the character into it...but if not, it calls `__woverflow`. Since the only option when you've run out of buffer is to flush to the screen (or whatever device your file pointer represents), we can hope to find the magic incantation there.
### Vtables in C?
If you guessed that we're going to hop through another frustrating level of indirection, you'd be right. Look in [libc/libio/wgenops.c][11] and you'll find the definition of `__woverflow`:
wint_t
__woverflow (f, wch)
_IO_FILE *f;
wint_t wch;
{
if (f->_mode == 0)
_IO_fwide (f, 1);
return _IO_OVERFLOW (f, wch);
}
Basically, file pointers are implemented in the GNU standard library as objects. They have data members but also function members which you can call with variations of the `JUMP` macro. In the file [libc/libio/libioP.h][12] you'll find a little documentation of this technique:
/* THE JUMPTABLE FUNCTIONS.
* The _IO_FILE type is used to implement the FILE type in GNU libc,
* as well as the streambuf class in GNU iostreams for C++.
* These are all the same, just used differently.
* An _IO_FILE (or FILE) object is allows followed by a pointer to
* a jump table (of pointers to functions). The pointer is accessed
* with the _IO_JUMPS macro. The jump table has a eccentric format,
* so as to be compatible with the layout of a C++ virtual function table.
* (as implemented by g++). When a pointer to a streambuf object is
* coerced to an (_IO_FILE*), then _IO_JUMPS on the result just
* happens to point to the virtual function table of the streambuf.
* Thus the _IO_JUMPS function table used for C stdio/libio does
* double duty as the virtual function table for C++ streambuf.
*
* The entries in the _IO_JUMPS function table (and hence also the
* virtual functions of a streambuf) are described below.
* The first parameter of each function entry is the _IO_FILE/streambuf
* object being acted on (i.e. the 'this' parameter).
*/
So when we find `IO_OVERFLOW` in [libc/libio/genops.c][13], we find it's a macro which calls a "1-parameter" `__overflow` method on the file pointer:
There's also a #define which equates `_IO_new_file_overflow` with `_IO_file_overflow`, and the former is defined in the same source file.
Note `INTUSE` is just a macro which marks functions that are for internal use, it doesn't mean anything like "this function uses an interrupt")
### Are we there yet?!
The source code for `_IO_new_file_overflow` does a bunch more buffer manipulation, but it does call `_IO_do_flush`:
#define _IO_do_flush(_f)
INTUSE(_IO_do_write)(_f, (_f)->_IO_write_base,
(_f)->_IO_write_ptr-(_f)->_IO_write_base)
We're now at a point where `_IO_do_write` is probably where the rubber actually meets the road: an _unbuffered_, _actual_, _direct_ write to an I/O device. At least we can hope! It is mapped by a macro to `_IO_new_do_write` and we have this:
static
_IO_size_t
new_do_write (fp, data, to_do)
_IO_FILE *fp;
const char *data;
_IO_size_t to_do;
{
_IO_size_t count;
if (fp->_flags & _IO_IS_APPENDING)
/* On a system without a proper O_APPEND implementation,
you would need to sys_seek(0, SEEK_END) here, but is
is not needed nor desirable for Unix- or Posix-like systems.
Instead, just indicate that offset (before and after) is
So inside of the `do_write` we call the `write` method on the file pointer. We know from our jump table above that is mapped to `_IO_new_file_write`, so what's that do?
_IO_ssize_t
_IO_new_file_write (f, data, n)
_IO_FILE *f;
const void *data;
_IO_ssize_t n;
{
_IO_ssize_t to_do = n;
while (to_do > 0)
{
_IO_ssize_t count = (__builtin_expect (f->_flags2
& _IO_FLAGS2_NOTCANCEL, 0)
? write_not_cancel (f->_fileno, data, to_do)
: write (f->_fileno, data, to_do));
if (count <0)
{
f->_flags |= _IO_ERR_SEEN;
break;
}
to_do -= count;
data = (void *) ((char *) data + count);
}
n -= to_do;
if (f->_offset >= 0)
f->_offset += n;
return n;
}
Now it just calls `write`! Well where is the implementation for that? You'll find `write` in [libc/posix/unistd.h][15]:
/* Write N bytes of BUF to FD. Return the number written, or -1.
This function is a cancellation point and therefore not marked with
Note `__wur` is a macro for `__attribute__ ((__warn_unused_result__))`
### Functions Generated From a Table
That's only a prototype for `write`. You won't find a write.c file for Linux in the GNU standard library. Instead, you'll find platform-specific methods of connecting to the OS write function in various ways, all in the [libc/sysdeps/][16] directory.
We'll keep following along with how Linux does it. There is a file called [sysdeps/unix/syscalls.list][17] which is used to generate the `write` function automatically. The relevant data from the table is:
* **File name:** write
* **Caller:** "-" _(i.e. Not Applicable)_
* **Syscall name:** write
* **Args:** Ci:ibn
* **Strong name:** __libc_write
* **Weak names: ** __write, write
Not all that mysterious, except for the **Ci:ibn**. The C means "cancellable". The colon separates the return type from the argument types, and if you want a deeper explanation of what they mean then you can see the comment in the shell script which generates the code, [libc/sysdeps/unix/make-syscalls.sh][18].
So now we're expecting to be able to link against a function called `__libc_write` which is generated by this shell script. But what's being generated? Some C code which implements write via a macro called `SYS_ify`, which you'll find in [sysdeps/unix/sysdep.h][19]
#define SYS_ify(syscall_name) __NR_##syscall_name
Ah, good old token-pasting :P. So basically, the implementation of this `__libc_write` becomes nothing more than a proxy invocation of the `syscall` function with a parameter named `__NR_write`, and the other arguments.
### Where The Sidewalk Ends...
I know this has been a fascinating journey, but now we're at the end of GNU libc. That number `__NR_write` is defined by Linux. For 32-bit X86 architectures it will get you to [linux/arch/x86/include/asm/unistd_32.h][20]:
#define __NR_write 4
This is the final step where the "rubber meets the road", but how it is done is system-dependent. That would make an article in itself, but we've found where the rubber meets the road. What you want to read up on to go further is this thing called ["syscall"][21].
[BIL 2010 PARTICIPANTS - WELCOME][22]
[When should one use const_cast, anyway?][23]
![Business Card from SXSW][24]
Copyright (c) 2007-2015 hostilefork.com
Project names and graphic designs are All Rights Reserved, unless otherwise noted. Software codebases are governed by licenses included in their distributions. Posts on [blog.hostilefork.com][25] are licensed under the Creative Commons [BY-NC-SA 4.0][26] license, and may be excerpted or adapted under the terms of that license for noncommercial purposes.
