helper/log: mark 'fmt' argument of alloc_*printf() as not NULL

Even after commit e12ceddd5e ("helper/log: mark `fmt` argument
of `alloc_vprintf()` as format string"), the GCC compiler still
reports that alloc_vprintf() could call vsnprintf() with a NULL
format parameter.

Inform the compiler that alloc_vprintf() cannot accept NULL as
format string.
Add an assert() in alloc_vprintf() so even compilers that do not
use the function attribute 'nonnull' will play safe.
While there, extend the same fixes to alloc_printf() too.

Change-Id: Idfa4fe9c6dfb2acfbf434c392237937ae03f0e8a
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Reported-by: Parshintsev Anatoly <anatoly.parshintsev@syntacore.com>
Reviewed-on: https://review.openocd.org/c/openocd/+/9166
Tested-by: jenkins
Reviewed-by: Anatoly P <anatoly.parshintsev@syntacore.com>

src/helper/log.c

@@ -354,6 +354,8 @@ char *alloc_vprintf(const char *fmt, va_list ap)
 	int len;
 	char *string;
 
+	assert(fmt);
+
 	/* determine the length of the buffer needed */
 	va_copy(ap_copy, ap);
 	len = vsnprintf(NULL, 0, fmt, ap_copy);

src/helper/log.h

@@ -15,6 +15,7 @@
 #define OPENOCD_HELPER_LOG_H
 
 #include <helper/command.h>
+#include <helper/compiler.h>
 
 /* To achieve C99 printf compatibility in MinGW, gnu_printf should be
  * used for __attribute__((format( ... ))), with GCC v4.4 or later
@@ -86,9 +87,9 @@ int log_add_callback(log_callback_fn fn, void *priv);
 int log_remove_callback(log_callback_fn fn, void *priv);
 
 char *alloc_vprintf(const char *fmt, va_list ap)
-	__attribute__ ((format (PRINTF_ATTRIBUTE_FORMAT, 1, 0)));
+	__attribute__ ((format (PRINTF_ATTRIBUTE_FORMAT, 1, 0))) __nonnull((1));
 char *alloc_printf(const char *fmt, ...)
-	__attribute__ ((format (PRINTF_ATTRIBUTE_FORMAT, 1, 2)));
+	__attribute__ ((format (PRINTF_ATTRIBUTE_FORMAT, 1, 2))) __nonnull((1));
 
 const char *find_nonprint_char(const char *buf, unsigned int buf_len);