about summary refs log tree commit diff
Commit message (Collapse)AuthorAgeFilesLines
* implement open_memstreamRich Felker2011-09-032-0/+95
| | | | | this is the first attempt, and may have bugs. only minimal testing has been performed.
* fix missing prototypes/wrong signature for psiginfo, psignalRich Felker2011-09-022-1/+4
|
* fix broken FD_* macros on 64-bit targetsRich Felker2011-08-271-3/+3
| | | | | 1 is too small if int is 32-bit but unsigned long is 64-bit. be explicit and use 1UL.
* bring back ___environ symbol (3 underscores)Rich Felker2011-08-231-0/+1
| | | | | | its existence doesn't hurt anything, and dynamic-linked binaries using previous versions of musl were wrongly binding to it instead of __environ.
* use new a_crash() asm to optimize double-free handler.Rich Felker2011-08-231-2/+2
| | | | | | | gcc generates extremely bad code (7 byte immediate mov) for the old null pointer write approach. it should be generating something like "xor %eax,%eax ; mov %al,(%eax)". in any case, using a dedicated crashing opcode accomplishes the same thing in one byte.
* security hardening: ensure suid programs have valid stdin/out/errRich Felker2011-08-236-15/+52
| | | | | | | | | | | this behavior (opening fds 0-2 for a suid program) is explicitly allowed (but not required) by POSIX to protect badly-written suid programs from clobbering files they later open. this commit does add some cost in startup code, but the availability of auxv and the security flag will be useful elsewhere in the future. in particular auxv is needed for static-linked vdso support, which is still waiting to be committed (sorry nik!)
* in pathconf, -1, not 0, means unsupported.. syncio presumably works, too.Rich Felker2011-08-161-3/+3
|
* fix bogus pathconf result for file size bitsRich Felker2011-08-161-1/+1
|
* partially working strptimeRich Felker2011-08-161-148/+149
| | | | | | | | it's missing at least: - derived fields - week numbers - short year (without century) support - locale modifiers
* ldso: move the suid/secure check code closer to env/auxv processingRich Felker2011-08-161-7/+7
| | | | | | this does not change behavior, but the idea is to avoid letting other code build up between these two points, whereby the environment variables might get used before security it checked.
* honor AT_SECURE aux vector flagRich Felker2011-08-161-2/+2
|
* RTLD_NEXT supportRich Felker2011-08-164-3/+32
| | | | | the asm wrapper is needed to get the return address without compiler-specific extensions.
* LD_PRELOAD supportRich Felker2011-08-161-0/+20
|
* simplify and improve double-free checkRich Felker2011-08-151-2/+2
| | | | | | | | | | | | a valid mmapped block will have an even (actually aligned) "extra" field, whereas a freed chunk on the heap will always have an in-use neighbor. this fixes a potential bug if mmap ever allocated memory below the main program/brk (in which case it would be wrongly-detected as a double-free by the old code) and allows the double-free check to work for donated memory outside of the brk area (or, in the future, secondary heap zones if support for their creation is added).
* typo in macro definitions for x86_64Rich Felker2011-08-141-1/+1
|
* macro for pthread_equalRich Felker2011-08-142-1/+3
| | | | no sense bloating apps with a function call for an equality comparison...
* fix missing include in last commitRich Felker2011-08-131-0/+1
|
* fix clock() functionRich Felker2011-08-131-2/+7
| | | | | | | | | | it previously was returning the pseudo-monotonic-realtime clock returned by times() rather than process cputime. it also violated C namespace by pulling in times(). we now use clock_gettime() if available because times() has ridiculously bad resolution. still provide a fallback for ancient kernels without clock_gettime.
* implement forkallRich Felker2011-08-122-0/+67
| | | | | | | | | | | | this is a "nonstandard" function that was "rejected" by POSIX, but nonetheless had its behavior documented in the POSIX rationale for fork. it's present on solaris and possibly some other systems, and duplicates the whole calling process, not just a single thread. glibc does not have this function. it should not be used in programs intending to be portable, but may be useful for testing, checkpointing, etc. and it's an interesting (and quite small) example of the usefulness of the __synccall framework originally written to work around deficiencies in linux's setuid syscall.
* pthread and synccall cleanup, new __synccall_wait opRich Felker2011-08-124-7/+13
| | | | | | | | | fix up clone signature to match the actual behavior. the new __syncall_wait function allows a __synccall callback to wait for other threads to continue without returning, so that it can resume action after the caller finishes. this interface could be made significantly more general/powerful with minimal effort, but i'll wait to do that until it's actually useful for something.
* more efficient signal blocking for timer threadsRich Felker2011-08-121-4/+4
| | | | | due to the barrier, it's safe just to block signals in the new thread, rather than blocking and unblocking in the parent thread.
* normal exit from timer thread should run dtors, restore cancel stateRich Felker2011-08-111-1/+1
|
* block signals in timer threadsRich Felker2011-08-111-0/+4
| | | | | | | if a timer thread leaves signals unblocked, any future attempt by the main thread to prevent the process from being terminated by blocking signals will fail, since the signal can still be delivered to the timer thread.
* condition variable signal/bcast need not wake unless there are waitersRich Felker2011-08-072-4/+4
|
* use weak aliase rather than weak reference for vdso clock_gettimeRich Felker2011-08-071-8/+12
| | | | | | | | this works around pcc's lack of working support for weak references, and in principle is nice because it gets us back to the stage where the only weak symbol feature we use is weak aliases, nothing else. having fewer dependencies on fancy linker features is a good thing.
* simplify unified timed wait code, drop support for newer methodRich Felker2011-08-071-31/+28
| | | | | | | | | | | | the new absolute-time-based wait kernelside was hard to get right and basically just code duplication. it could only improve "performance" when waiting, and even then, the improvement was just slight drop in cpu usage during a wait. actually, with vdso clock_gettime, the "old" way will be even faster than the "new" way if the time has already expired, since it will not invoke any syscalls. it can determine entirely in userspace that it needs to return ETIMEDOUT.
* add fast path for normal mutexes back to pthread_mutex_lockRich Felker2011-08-071-0/+3
|
* close should not be cancellable after "failing" with EINTRRich Felker2011-08-071-1/+2
| | | | | | | | | | | | | | | | | | normally we allow cancellation to be acted upon when a syscall fails with EINTR, since there is no useful status to report to the caller in this case, and the signal that caused the interruption was almost surely the cancellation request, anyway. however, unlike all other syscalls, close has actually performed its resource-deallocation function whenever it returns, even when it returned an error. if we allow cancellation at this point, the caller has no way of informing the program that the file descriptor was closed, and the program may later try to close the file descriptor again, possibly closing a different, newly-opened file. the workaround looks ugly (special-casing one syscall), but it's actually the case that close is the one and only syscall (at least among cancellation points) with this ugly property.
* ensure the compiler does not move around thread-register-based readsRich Felker2011-08-062-2/+2
| | | | | | if gcc decided to move this across a conditional that checks validity of the thread register, an invalid thread-register-based read could be performed and raise sigsegv.
* simplify multi-threaded errno, eliminate useless function pointerRich Felker2011-08-063-12/+5
|
* use weak aliases rather than function pointers to simplify some codeRich Felker2011-08-066-9/+20
|
* fix off-by-one bug in siglongjmp that caused unpredictable behaviorRich Felker2011-08-051-1/+1
| | | | | | | | | | if saved, signal mask would not be restored unless some low signals were masked. if not saved, signal mask could be wrongly restored to uninitialized values. in any, wrong mask would be restored. i believe this function was written for a very old version of the jmp_buf structure which did not contain a final 0 field for compatibility with siglongjmp, and never updated...
* further debloat cancellation handlersRich Felker2011-08-034-17/+30
| | | | | | | cleanup push and pop are also no-ops if pthread_exit is not reachable. this can make a big difference for library code which needs to protect itself against cancellation, but which is unlikely to actually be used in programs with threads/cancellation.
* missed detail in cancellation bloat fixRich Felker2011-08-031-1/+1
|
* fix static linking dependency bloat with cancellationRich Felker2011-08-035-14/+21
| | | | | | | previously, pthread_cleanup_push/pop were pulling in all of pthread_create due to dependency on the __pthread_unwind_next function. this was not needed, as cancellation cleanup handlers can never be called unless pthread_exit or pthread_cancel is reachable.
* implement if_nameindex and if_freenameindexRich Felker2011-08-032-0/+65
|
* overhaul rwlocks to address several issuesRich Felker2011-08-038-60/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | like mutexes and semaphores, rwlocks suffered from a race condition where the unlock operation could access the lock memory after another thread successfully obtained the lock (and possibly destroyed or unmapped the object). this has been fixed in the same way it was fixed for other lock types. in addition, the previous implementation favored writers over readers. in the absence of other considerations, that is the best behavior for rwlocks, and posix explicitly allows it. however posix also requires read locks to be recursive. if writers are favored, any attempt to obtain a read lock while a writer is waiting for the lock will fail, causing "recursive" read locks to deadlock. this can be avoided by keeping track of which threads already hold read locks, but doing so requires unbounded memory usage, and there must be a fallback case that favors readers in case memory allocation failed. and all of this must be synchronized. the cost, complexity, and risk of errors in getting it right is too great, so we simply favor readers. tracking of the owner of write locks has been removed, as it was not useful for anything. it could allow deadlock detection, but it's not clear to me that returning EDEADLK (which a buggy program is likely to ignore) is better than deadlocking; at least the latter behavior prevents further data corruption. a correct program cannot invoke this situation anyway. the reader count and write lock state, as well as the "last minute" waiter flag have all been combined into a single atomic lock. this means all state transitions for the lock are atomic compare-and-swap operations. this makes establishing correctness much easier and may improve performance. finally, some code duplication has been cleaned up. more is called for, especially the standard __timedwait idiom repeated in all locks.
* timedwait: play it safe for nowRich Felker2011-08-031-1/+1
| | | | | it's unclear whether EINVAL or ENOSYS is used when the operation is not supported, so check for both...
* fix stubbed-out reboot callRich Felker2011-08-021-3/+2
|
* correctly handle old kernels without FUTEX_WAIT_BITSETRich Felker2011-08-021-1/+1
| | | | | | | | futex returns EINVAL, not ENOSYS, when op is not supported. unfortunately this looks just like EINVAL from other causes, and we end up running the fallback code and getting EINVAL again. fortunately this case should be rare since correct code should not generate EINVAL anyway.
* fix sem_timedwait bug introduced in timedwait unificationRich Felker2011-08-021-0/+1
| | | | | this dec used to be performed by the cancellation handler, which was called when popped.
* unify and overhaul timed futex waitsRich Felker2011-08-0210-53/+56
| | | | | | | | | | | | | | new features: - FUTEX_WAIT_BITSET op will be used for timed waits if available. this saves a call to clock_gettime. - error checking for the timespec struct is now inside __timedwait so it doesn't need to be duplicated everywhere. cond_timedwait still needs to duplicate it to avoid unlocking the mutex, though. - pushing and popping the cancellation handler is delegated to __timedwait, and cancellable/non-cancellable waits are unified.
* avoid accessing mutex memory after atomic unlockRich Felker2011-08-024-34/+31
| | | | | | | this change is needed to fix a race condition and ensure that it's possible to unlock and destroy or unmap the mutex as soon as pthread_mutex_lock succeeds. POSIX explicitly gives such an example in the rationale and requires an implementation to allow such usage.
* fix breakage in cancellation due to signal functions overhaulRich Felker2011-08-021-1/+7
| | | | sigaddset was not accepting SIGCANCEL as a valid signal number.
* overhaul posix semaphores to fix destructability raceRich Felker2011-08-023-27/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the race condition these changes address is described in glibc bug report number 12674: http://sourceware.org/bugzilla/show_bug.cgi?id=12674 up until now, musl has shared the bug, and i had not been able to figure out how to eliminate it. in short, the problem is that it's not valid for sem_post to inspect the waiters count after incrementing the semaphore value, because another thread may have already successfully returned from sem_wait, (rightly) deemed itself the only remaining user of the semaphore, and chosen to destroy and free it (or unmap the shared memory it's stored in). POSIX is not explicit in blessing this usage, but it gives a very explicit analogous example with mutexes (which, in musl and glibc, also suffer from the same race condition bug) in the rationale for pthread_mutex_destroy. the new semaphore implementation augments the waiter count with a redundant waiter indication in the semaphore value itself, representing the presence of "last minute" waiters that may have arrived after sem_post read the waiter count. this allows sem_post to read the waiter count prior to incrementing the semaphore value, rather than after incrementing it, so as to avoid accessing the semaphore memory whatsoever after the increment takes place. a similar, but much simpler, fix should be possible for mutexes and other locking primitives whose usage rules are stricter than semaphores.
* fix wrong messages in gai_strerrorRich Felker2011-08-011-0/+2
| | | | i had missed the fact that a couple values were unassigned...
* port numbers should always be interpreted as decimalRich Felker2011-08-011-1/+1
| | | | | | | | | | | per POSIX and RFC 3493: If the specified address family is AF_INET, AF_INET6, or AF_UNSPEC, the service can be specified as a string specifying a decimal port number. 021 is a valid decimal number, therefore, interpreting it as octal seems to be non-conformant.
* fix crash in dns code with new stdio locking codeRich Felker2011-08-011-0/+1
|
* consistency: use struct __ucontext instead of ucontext_t in prototypesRich Felker2011-07-311-1/+1
| | | | | this is necessary to avoid build errors if feature test macros are not properly defined when including ucontext.h
* fix race condition in sigqueueRich Felker2011-07-301-2/+8
| | | | | | | | | | | | | | | this race is fundamentally due to linux's bogus requirement that userspace, rather than kernelspace, fill in the siginfo structure. an intervening signal handler that calls fork could cause both the parent and child process to send signals claiming to be from the parent, which could in turn have harmful effects depending on what the recipient does with the signal. we simply block all signals for the interval between getuid and sigqueue syscalls (much like what raise() does already) to prevent the race and make the getuid/sigqueue pair atomic. this will be a non-issue if linux is fixed to validate the siginfo structure or fill it in from kernelspace.