| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
this seeme to be the bug that prevented enabling of private futex
support. i'm going to hold off on switching to private futexes until
after the next release, and until i get a chance to audit all
wait/wake calls to make sure they're using the correct private
argument, but with this change it should be safe to enable private
futex support.
|
|
|
|
|
| |
some features are not yet supported, and only minimal testing has been
performed. should be considered experimental at this point.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
null termination is only added when current size grows.
in update modes, null termination is not added if it does not fit
(i.e. it is not allowed to clobber data).
these rules make very little sense, but that's how it goes..
|
|
|
|
|
|
| |
read should not be allowed past "current size".
append mode should write at "current size", not buffer size.
null termination should not be written except when "current size" grows.
|
|
|
|
|
|
|
|
|
|
|
| |
this is not strictly required by the standard, but without it, there
is a race condition where cancellation arriving just before async
cancellation is enabled might not be acted upon. it is impossible for
a conforming application to work around this race condition since
calling pthread_testcancel after setting async cancellation mode is
not allowed (pthread_testcancel is not specified to be
async-cancel-safe). thus the implementation should be responsible for
eliminating the race, from a quality-of-implementation standpoint.
|
| |
|
|
|
|
|
|
| |
disallow seek past end of buffer (per posix)
fix position accounting to include data buffered for read
don't set eof flag when no data was requested
|
|
|
|
|
| |
the addition is safe and cannot overflow because both operands are
positive when considered as signed quantities.
|
| |
|
|
|
|
|
|
| |
the expression -off is not safe in case off is the most-negative
value. instead apply - to base which is known to be non-negative and
bounded within sanity.
|
|
|
|
| |
testing so far has been minimal. may need further work.
|
| |
|
|
|
|
|
|
| |
not heavily tested, but it seems to be correct, including the odd
behavior that seeking is in terms of wide character count. this
precludes any simple buffering, so we just make the stream unbuffered.
|
|
|
|
|
| |
the return address was being truncated to 32 bits, preventing the
dlsym code from determining which module contains the calling code.
|
|
|
|
|
| |
this is the first attempt, and may have bugs. only minimal testing has
been performed.
|
| |
|
|
|
|
|
| |
1 is too small if int is 32-bit but unsigned long is 64-bit. be
explicit and use 1UL.
|
|
|
|
|
|
| |
its existence doesn't hurt anything, and dynamic-linked binaries using
previous versions of musl were wrongly binding to it instead of
__environ.
|
|
|
|
|
|
|
| |
gcc generates extremely bad code (7 byte immediate mov) for the old
null pointer write approach. it should be generating something like
"xor %eax,%eax ; mov %al,(%eax)". in any case, using a dedicated
crashing opcode accomplishes the same thing in one byte.
|
|
|
|
|
|
|
|
|
|
|
| |
this behavior (opening fds 0-2 for a suid program) is explicitly
allowed (but not required) by POSIX to protect badly-written suid
programs from clobbering files they later open.
this commit does add some cost in startup code, but the availability
of auxv and the security flag will be useful elsewhere in the future.
in particular auxv is needed for static-linked vdso support, which is
still waiting to be committed (sorry nik!)
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
it's missing at least:
- derived fields
- week numbers
- short year (without century) support
- locale modifiers
|
|
|
|
|
|
| |
this does not change behavior, but the idea is to avoid letting other
code build up between these two points, whereby the environment
variables might get used before security it checked.
|
| |
|
|
|
|
|
| |
the asm wrapper is needed to get the return address without
compiler-specific extensions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
a valid mmapped block will have an even (actually aligned) "extra"
field, whereas a freed chunk on the heap will always have an in-use
neighbor.
this fixes a potential bug if mmap ever allocated memory below the
main program/brk (in which case it would be wrongly-detected as a
double-free by the old code) and allows the double-free check to work
for donated memory outside of the brk area (or, in the future,
secondary heap zones if support for their creation is added).
|
| |
|
|
|
|
| |
no sense bloating apps with a function call for an equality comparison...
|
| |
|
|
|
|
|
|
|
|
|
|
| |
it previously was returning the pseudo-monotonic-realtime clock
returned by times() rather than process cputime. it also violated C
namespace by pulling in times().
we now use clock_gettime() if available because times() has
ridiculously bad resolution. still provide a fallback for ancient
kernels without clock_gettime.
|
|
|
|
|
|
|
|
|
|
|
|
| |
this is a "nonstandard" function that was "rejected" by POSIX, but
nonetheless had its behavior documented in the POSIX rationale for
fork. it's present on solaris and possibly some other systems, and
duplicates the whole calling process, not just a single thread. glibc
does not have this function. it should not be used in programs
intending to be portable, but may be useful for testing,
checkpointing, etc. and it's an interesting (and quite small) example
of the usefulness of the __synccall framework originally written to
work around deficiencies in linux's setuid syscall.
|
|
|
|
|
|
|
|
|
| |
fix up clone signature to match the actual behavior. the new
__syncall_wait function allows a __synccall callback to wait for other
threads to continue without returning, so that it can resume action
after the caller finishes. this interface could be made significantly
more general/powerful with minimal effort, but i'll wait to do that
until it's actually useful for something.
|
|
|
|
|
| |
due to the barrier, it's safe just to block signals in the new thread,
rather than blocking and unblocking in the parent thread.
|
| |
|
|
|
|
|
|
|
| |
if a timer thread leaves signals unblocked, any future attempt by the
main thread to prevent the process from being terminated by blocking
signals will fail, since the signal can still be delivered to the
timer thread.
|
| |
|
|
|
|
|
|
|
|
| |
this works around pcc's lack of working support for weak references,
and in principle is nice because it gets us back to the stage where
the only weak symbol feature we use is weak aliases, nothing else.
having fewer dependencies on fancy linker features is a good thing.
|
|
|
|
|
|
|
|
|
|
|
|
| |
the new absolute-time-based wait kernelside was hard to get right and
basically just code duplication. it could only improve "performance"
when waiting, and even then, the improvement was just slight drop in
cpu usage during a wait.
actually, with vdso clock_gettime, the "old" way will be even faster
than the "new" way if the time has already expired, since it will not
invoke any syscalls. it can determine entirely in userspace that it
needs to return ETIMEDOUT.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
normally we allow cancellation to be acted upon when a syscall fails
with EINTR, since there is no useful status to report to the caller in
this case, and the signal that caused the interruption was almost
surely the cancellation request, anyway.
however, unlike all other syscalls, close has actually performed its
resource-deallocation function whenever it returns, even when it
returned an error. if we allow cancellation at this point, the caller
has no way of informing the program that the file descriptor was
closed, and the program may later try to close the file descriptor
again, possibly closing a different, newly-opened file.
the workaround looks ugly (special-casing one syscall), but it's
actually the case that close is the one and only syscall (at least
among cancellation points) with this ugly property.
|
|
|
|
|
|
| |
if gcc decided to move this across a conditional that checks validity
of the thread register, an invalid thread-register-based read could be
performed and raise sigsegv.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
if saved, signal mask would not be restored unless some low signals
were masked. if not saved, signal mask could be wrongly restored to
uninitialized values. in any, wrong mask would be restored.
i believe this function was written for a very old version of the
jmp_buf structure which did not contain a final 0 field for
compatibility with siglongjmp, and never updated...
|
|
|
|
|
|
|
| |
cleanup push and pop are also no-ops if pthread_exit is not reachable.
this can make a big difference for library code which needs to protect
itself against cancellation, but which is unlikely to actually be used
in programs with threads/cancellation.
|
| |
|