Commit Graph

1926 Commits

Author SHA1 Message Date
Rich Felker 17aef0b41e prevent shmget from allocating objects that overflow ptrdiff_t
rather than returning an error, we have to increase the size argument
so high that the kernel will have no choice but to fail. this is
because POSIX only permits the EINVAL error for size errors when a new
shared memory segment would be created; if it already exists, the size
argument must be ignored. unfortunately Linux is non-conforming in
this regard, but I want to keep the code correct in userspace anyway
so that if/when Linux is fixed, the behavior applications see will be
conforming.
2013-06-29 00:02:38 -04:00
Rich Felker 062f40ef3e work around wrong kernel type for sem_nsems member of struct semid_ds
rejecting invalid values for n is fine even in the case where a new
sem will not be created, since the kernel does its range checks on n
even in this case as well.

by default, the kernel will bound the limit well below USHRT_MAX
anyway, but it's presumably possible that an administrator could
override this limit and break things.
2013-06-28 23:57:58 -04:00
Rich Felker 553d566c3f add missing type shmatt_t in sys/shm.h
this type is not really intended to be used; it's just there to allow
implementations to choose the type for the shm_nattch member of
struct shmid_sh, presumably since historical implementations disagreed
on the type. in any case, it needs to be there, so now it is.
2013-06-28 23:39:50 -04:00
Rich Felker aea7919032 implement week-based-year year numbers in strftime
in the process, I refactored the week-number code so it can be used by
the week-based-year formats to determine year adjustments at the
boundary values. this also improves indention/code readability.
2013-06-28 12:38:42 -04:00
Rich Felker 062446a85d fix breakage in last commit to strftime due to missing INT_MAX
that's what I get for changing a hard-coded threshold to a proper
non-magic-number without testing.
2013-06-28 12:12:55 -04:00
Rich Felker c5faf1bf09 implement week numbers and half of the week-based-year logic for strftime
output for plain week numbers (%U and %W) has been sanity-checked, and
output for the week-based-year week numbers (%V) has been checked
extensively against known-good data for the full non-negative range of
32-bit time_t.

year numbers for week-based years (%g and %G) are not yet implemented.
2013-06-28 12:03:58 -04:00
Rich Felker 1e2281b835 minor compatibility fixes in utmp.h and fixing mismatch with paths.h
the pathnames prefixed with /dev/null/ are guaranteed never to be
valid. the previous use of /dev/null alone was mildly dangerous in
that bad software might attempt to unlink the name when it found a
non-regular file there and create a new file.
2013-06-27 20:00:29 -04:00
Rich Felker 3cd6f5229f disallow creation of objects larger than PTRDIFF_MAX via mmap
internally, other parts of the library assume sizes don't overflow
ssize_t and/or ptrdiff_t, and the way this assumption is made valid is
by preventing creating of such large objects. malloc already does so,
but the check was missing from mmap.

this is also a quality of implementation issue: even if the
implementation internally could handle such objects, applications
could inadvertently invoke undefined behavior by subtracting pointers
within an object. it is very difficult to guard against this in
applications, so a good implementation should simply ensure that it
does not happen.
2013-06-27 12:48:59 -04:00
Rich Felker b17c75a4d5 fix syscall argument bug in pthread_getschedparam
the address of the pointer to the sched param, rather than the
pointer, was being passed to the kernel.
2013-06-26 22:02:23 -04:00
Rich Felker 7c20a11801 fix temp file leak in sem_open on successful creation of new semaphore 2013-06-26 21:41:51 -04:00
Rich Felker a033cd22aa fix bug whereby sem_open leaked its own internal slots on failure 2013-06-26 21:39:15 -04:00
Rich Felker 52d4444f8e in sem_open, don't leak vm mapping if fstat fails
fstat should not fail under normal circumstances, so this fix is
mostly theoretical.
2013-06-26 21:35:56 -04:00
Rich Felker 21088aee2e fix failure of pthread_setschedparam to pass correct param to kernel
the address of the pointer, rather than the pointer, was being passed.
this was probably a copy-and-paste error from corresponding get code.
2013-06-26 21:34:44 -04:00
Rich Felker f03db4bdff document in sysconf and unistd.h that per-thread cpu clocks exist 2013-06-26 19:43:24 -04:00
Rich Felker 6a4cfbdbe7 fix iconv conversion to legacy 8bit codepages
this seems to have been a simple copy-and-paste error from the code
for converting from legacy codepages.
2013-06-26 14:27:45 -04:00
Rich Felker 59b481d970 remove useless conditional before free from dynamic linker path code 2013-06-26 10:51:36 -04:00
Rich Felker 11bc173765 fix dynamic linker handling of empty path file or error reading path file
previously, the path string was being used despite being invalid. with
this change, empty path file or error reading the path file is treated
as an empty path. this is preferable to falling back to a default
path, so that attacks to prevent reading of the path file could not
result in loading incorrect and possibly dangerous (outdated or
mismatching ABI) libraries from.

the code to strip the final newline has also been removed; now that
newline is accepted as a delimiter, it's harmless to leave it in
place.
2013-06-26 10:17:29 -04:00
Rich Felker a3e2f3c2b1 respect iso c namespace in stdio.h and wchar.h regarding va_list
despite declaring functions that take arguments of type va_list, these
headers are not permitted by the c standard to expose the definition
of va_list, so an alias for the type must be used. the name
__isoc_va_list was chosen to convey that the purpose of this alternate
name is for iso c conformance, and to avoid the multitude of names
which gcc mangles with its hideous "fixincludes" monstrosity, leading
to serious header breakage if these "fixes" are run.
2013-06-25 22:26:20 -04:00
Rich Felker 8813c956e5 make newline-delimited dynamic linker path file actually work
apparently the original commit was never tested properly, since
getline was only ever reading one line. the intent was to read the
entire file, so use getdelim with the null byte as delimiter as a
cheap way to read a whole file into memory.
2013-06-25 21:39:35 -04:00
Rich Felker e40f48a421 implement inet_lnaof, inet_netof, and inet_makeaddr
also move all legacy inet_* functions into a single file to avoid
wasting object file and compile time overhead on them.

the added functions are legacy interfaces for working with classful
ipv4 network addresses. they have no modern usefulness whatsoever, but
some programs unconditionally use them anyway, and they're tiny.
2013-06-25 21:35:49 -04:00
Rich Felker 83966b369d add ether_aton[_r] and ether_ntoa[_r] functions
based on patch by Strake with minor stylistic changes, and combined
into a single file. this patch remained open for a long time due to
some question as to whether ether_aton would be better implemented in
terms of sscanf, and it's time something was committed, so here it is.
2013-06-25 21:15:27 -04:00
Rich Felker ef5507867b fix scanf %c conversion wrongly storing a terminating null byte
this seems to have been a regression from the refactoring which added
the 'm' modifier.
2013-06-22 17:23:45 -04:00
Rich Felker c20804500d fix major scanf breakage with unbuffered streams, fmemopen, etc.
the shgetc api, used internally in scanf and int/float scanning code
to handle field width limiting and pushback, was designed assuming
that pushback could be achieved via a simple decrement on the file
buffer pointer. this only worked by chance for regular FILE streams,
due to the linux readv bug workaround in __stdio_read which moves the
last requested byte through the buffer rather than directly back to
the caller. for unbuffered streams and streams not using __stdio_read
but some other underlying read function, the first character read
could be completely lost, and replaced by whatever junk happened to be
in the unget buffer.

to fix this, simply have shgetc, when it performs an underlying read
operation on the stream, store the character read at the -1 offset
from the read buffer pointer. this is valid even for unbuffered
streams, as they have an unget buffer located just below the start of
the zero-length buffer. the check to avoid storing the character when
it is already there is to handle the possibility of read-only buffers.
no application-exposed FILE types are allowed to use read-only
buffers, but sscanf and strto* may use them internally when calling
functions which use the shgetc api.
2013-06-22 17:11:17 -04:00
Rich Felker a494171a5a fix invalid access in aio notification
issue found and patch provided by Jens Gustedt. after the atomic store
to the error code field of the aiocb, the application is permitted to
free or reuse the storage, so further access is invalid. instead, use
the local copy that was already made.
2013-06-16 10:39:02 -04:00
Rich Felker 8600849d74 fix uninitialized variable in lio (aio) code 2013-06-16 01:40:17 -04:00
Rich Felker 20d01d83b5 improve the quality of output from rand_r
due to the interface requirement of having the full state contained in
a single object of type unsigned int, it is difficult to provide a
reasonable-quality implementation; most good PRNGs are immediately
ruled out because they need larger state. the old rand_r gave very
poor output (very short period) in its lower bits; normally, it's
desirable to throw away the low bits (as in rand()) when using a LCG,
but this is not possible since the state is only 32 bits and we need
31 bits of output.

glibc's rand_r uses the same LCG as musl's, but runs it for 3
iterations and only takes 10-11 bits from each iteration to construct
the output value. this partially fixes the period issue, but
introduces bias: not all outputs have the same frequency, and many do
not appear at all. with such a low period, the bias is likely to be
observable.

I tried many approaches to "fix" rand_r, and the simplest I found
which made it pass the "dieharder" tests was applying this
transformation to the output. the "temper" function is taken from
mersenne twister, where it seems to have been chosen for some rigorous
properties; here, the only formal property I'm using is that it's
one-to-one and thus avoids introducing bias.

should further deficiencies in rand_r be reported, the obvious "best"
solution is applying a 32-bit cryptographic block cipher in CTR mode.
I identified several possible ciphers that could be used directly or
adapted, but as they would be a lot slower and larger, I do not see a
justification for using them unless the current rand_r proves
deficient for some real-world use.
2013-06-12 18:20:48 -04:00
Rich Felker 4191d24476 add clock id macros for a number of new(ish) Linux-specific clocks
arguably CLOCK_MONOTONIC should be redirected to CLOCK_BOOTTIME with a
fallback for old kernels that don't support it, since Linux's
CLOCK_BOOTTIME semantics seem to match the spirit of the POSIX
requirements for CLOCK_MONOTONIC better than Linux's version of
CLOCK_MONOTONIC does. however, this is a change that would require
further discussion and research, so for now, I'm simply making them
all available.
2013-06-08 11:42:52 -04:00
Rich Felker 0173990284 fix the type of CLOCKS_PER_SEC to match new clock_t type
originally it was right on 32-bit archs and wrong on 64-bit, but after
recent changes it was wrong everywhere. with this commit, it's now
right everywhere.
2013-06-08 11:40:27 -04:00
Rich Felker ea200e38bd support cputime clocks for processes/threads other than self
apparently these features have been in Linux for a while now, so it
makes sense to support them. the bit twiddling seems utterly illogical
and wasteful, especially the negation, but that's how the kernel folks
chose to encode pids/tids into the clock id.
2013-06-08 11:36:41 -04:00
Szabolcs Nagy 0996faa3d7 prng: make rand_r have 2^32 period instead of 2^31
this is a minor fix to increase the period of the obsolete rand_r a bit.
an include header in __rand48_step.c is fixed as well.
2013-06-08 13:49:12 +00:00
Szabolcs Nagy c79cd27e9e prng: fix rand() to give good sequence with small state
some applications rely on the low bits of rand() to be reasonably good
quality prng, so now it fixed by using the top bits of a 64 bit LCG,
this is simple, has small state and passes statistical tests.
D.E. Knuth attributes the multiplier to C.E. Haynes in TAOCP Vol2 3.3.4
2013-06-08 13:31:10 +00:00
Rich Felker fd1d7be35f fix mixup in previous change to gcc wrapper 2013-06-07 10:18:07 -04:00
Rich Felker c161356002 make gcc-specific headers (intrinsics, etc.) available with wrapper
they are intentionally listed after the libc include directory so that
the gcc float.h, etc. don't get used in place of the libc ones.
2013-06-07 10:13:07 -04:00
Rich Felker f7244d205f improve handling of nonstandard fields in struct tm
defining tm_gmtoff and tm_zone as macros was breaking some application
code that used these names for its own purposes.
2013-06-07 09:54:45 -04:00
Rich Felker e039db27c2 implement 'm' modifier for wide scanf variants 2013-06-06 00:26:17 -04:00
Rich Felker 16a1e0365d implement the 'm' (malloc) modifier for scanf
this commit only covers the byte-based scanf-family functions. the
wide functions still lack support for the 'm' modifier.
2013-06-05 18:18:41 -04:00
Rich Felker de80ea9f1c refactor wide-char scanf string handling
this brings the wide version of the code into alignment with the
byte-based version, in preparation for adding support for the m
(malloc) modifier.
2013-06-05 16:53:26 -04:00
Rich Felker 1ab59de81e simplify some logic in scanf and remove redundant invalid-format check 2013-06-04 16:22:02 -04:00
Rich Felker f18846dd3a refactor scanf core to use common code path for all string formats
the concept here is that %s and %c are essentially special-cases of
%[, with some minimal additional special-casing.

aside from simplifying the code and reducing the number of complex
code-paths that would need changing to make optimizations later, the
main purpose of this change is to simplify addition of the 'm'
modifier which causes scanf to allocate storage for the string being
read.
2013-06-04 16:09:36 -04:00
Rich Felker a6d272127b align stack properly for calling global ctors/dtors on x86[_64]
failure to do so was causing crashes on x86_64 when ctors used SSE,
which was first observed when ctors called variadic functions due to
the SSE prologue code inserted into every variadic function.
2013-06-03 17:32:42 -04:00
Rich Felker 44b4d09fc0 ensure that thread dtv pointer is never null to optimize __tls_get_addr 2013-06-03 16:35:59 -04:00
Rich Felker d926565355 Merge remote-tracking branch 'nsz/review' 2013-05-26 18:22:12 -04:00
Szabolcs Nagy 31ff797787 fix the prototype of settimeofday to follow the original BSD declaration 2013-05-26 16:01:38 +00:00
Szabolcs Nagy 41c34d188a fix ioctl _IOR, _IOW, etc macros to avoid signed overflow (2<<30) 2013-05-26 15:49:08 +00:00
Szabolcs Nagy a6367a17d5 on x86_64 use long instead of long long for 64bit posix types
following glibc use the lowest rank 64bit integer type for ino_t etc.
this is eg. useful for printf format compatibility
2013-05-26 15:43:17 +00:00
Rich Felker 5e642b5a23 change underlying type of clock_t to be uniform and match ABI
previously we were using an unsigned type on 32-bit systems so that
subtraction would be well-defined when it wrapped, but since wrapping
is non-conforming anyway (when clock() overflows, it has to return -1)
the only use of unsigned would be to buy a little bit more time before
overflow. this does not seem worth having the type vary per-arch
(which leads to more arch-specific bugs) or disagree with the ABI musl
(mostly) follows.
2013-05-23 20:38:51 -04:00
Rich Felker 05453b37fc fix overflow behavior of clock() function
per Austin Group interpretation for issue #686, which cites the
requirements of ISO C, clock() cannot wrap. if the result is not
representable, it must return (clock_t)-1. in addition, the old code
was performing wrapping via signed overflow and thus invoking
undefined behavior.

since it seems impossible to accurately check for overflow with the
old times()-based fallback code, I have simply dropped the fallback
code for now, thus always returning -1 on ancient systems. if there's
a demand for making it work and somebody comes up with a way, it could
be reinstated, but the clock() function is essentially useless on
32-bit system anyway (it overflows in less than an hour).

it should be noted that I used LONG_MAX rather than ULONG_MAX, despite
32-bit archs using an unsigned type for clock_t. this discrepency with
the glibc/LSB type definitions will be fixed now; since wrapping of
clock_t is no longer supported, there's no use in it being unsigned.
2013-05-23 14:31:02 -04:00
Szabolcs Nagy 1e5eb73545 math: add fma TODO comments about the underflow issue
The underflow exception is not raised correctly in some
cornercases (see previous fma commit), added comments
with examples for fmaf, fmal and non-x86 fma.

In fmaf store the result before returning so it has the
correct precision when FLT_EVAL_METHOD!=0
2013-05-19 14:43:32 +00:00
Szabolcs Nagy ffd8ac2dd5 math: fix two fma issues (only affects non-nearest rounding mode, x86)
1) in downward rounding fma(1,1,-1) should be -0 but it was 0 with
gcc, the code was correct but gcc does not support FENV_ACCESS ON
so it used common subexpression elimination where it shouldn't have.
now volatile memory access is used as a barrier after fesetround.

2) in directed rounding modes there is no double rounding issue
so the complicated adjustments done for nearest rounding mode are
not needed. the only exception to this rule is raising the underflow
flag: assume "small" is an exactly representible subnormal value in
double precision and "verysmall" is a much smaller value so that
	(long double)(small plus verysmall) == small
then
	(double)(small plus verysmall)
raises underflow because the result is an inexact subnormal, but
	(double)(long double)(small plus verysmall)
does not because small is not a subnormal in long double precision
and it is exact in double precision.
now this problem is fixed by checking inexact using fenv when the
result is subnormal
2013-05-19 12:13:08 +00:00
Rich Felker 83af1dd65a Merge remote-tracking branch 'nsz/review' 2013-05-18 12:06:42 -04:00