about summary refs log tree commit diff
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* fix broken wcwidth tablesRich Felker2012-06-201-7/+8
| | | | | | unicode char data has both "W" and "F" wide types and the old table only included the "W" ones. this omitted U+3000 (ideographic space) and all the wide-ascii, etc.
* support ld80 pseudo-denormal invalid bit patterns; treat them as nanRich Felker2012-06-201-2/+5
| | | | | this is silly, but it makes apps that read binary junk and interpret it as ld80 "safer", and it gets gnulib to stop replacing printf...
* fix ptsname_r to conform to the upcoming posix requirementsRich Felker2012-06-202-4/+13
| | | | it should return the error code rather than 0/-1 and setting errno.
* fix fwrite return value when full write does not succeedRich Felker2012-06-201-1/+1
|
* avoid cancellation in pcloseRich Felker2012-06-201-3/+4
| | | | | | | | | | | | | | at the point pclose might receive and act on cancellation, it has already invalidated the FILE passed to it. thus, per musl's QOI guarantees about cancellation and resource allocation/deallocation, it's not a candidate for cancellation. if it were required to be a cancellation point by posix, we would have to switch the order of deallocation, but somehow still close the pipe in order to trigger the child process to exit. i looked into doing this, but the logic gets ugly, and i'm not sure the semantics are conformant, so i'd rather just leave it alone unless there's a need to change it.
* fix invalid memory access in pcloseRich Felker2012-06-201-1/+2
|
* make popen cancellation-safeRich Felker2012-06-201-0/+7
| | | | | | | close was the only cancellation point called from popen, but it left popen with major resource leaks if any call to close got cancelled. the easiest, cheapest fix is just to use a non-cancellable close function.
* popen: handle issues with fd0/1 being closedRich Felker2012-06-201-3/+3
| | | | | also check for failure of dup2 and abort the child rather than reading/writing the wrong file.
* duplocale: don't crash when called with LC_GLOBAL_LOCALERich Felker2012-06-201-1/+1
| | | | | posix has resolved to add this usage; for now, we just avoid writing anything to the new locale object since it's not used anyway.
* make strerror_r behave nicer on failureRich Felker2012-06-201-2/+8
| | | | | | | if the buffer is too short, at least return a partial string. this is helpful if the caller is lazy and does not check for failure. care is taken to avoid writing anything if the buffer length is zero, and to always null-terminate when the buffer length is non-zero.
* fix another oob pointer arithmetic issue in printf floating pointRich Felker2012-06-201-1/+1
| | | | | | this one could never cause any problems unless the compiler/machine goes to extra trouble to break oob pointer arithmetic, but it's best to fix it anyway.
* minor perror behavior fixRich Felker2012-06-201-1/+1
| | | | patch by nsz
* fix localeconv values and implementationRich Felker2012-06-191-15/+28
| | | | | | | | dynamic-allocation of the structure is not valid; it can crash an application if malloc fails. since localeconv is not specified to have failure conditions, the object needs to have static storage duration. need to review whether all the values are right or not still..
* fix mistake in length test in getlogin_rRich Felker2012-06-191-1/+1
| | | | | this was actually dangerously wrong, but presumably nobody uses this broken function anymore anyway..
* fix dummied-out fsyncRich Felker2012-06-191-2/+1
| | | | | | | if we eventually have build options, it might be nice to make an option to dummy this out again, in case anybody needs a system-wide disable for disk/ssd-thrashing, etc. that some daemons do when logging...
* fix dummied-out fdatasyncRich Felker2012-06-191-1/+1
|
* fix pointer overflow bug in floating point printfRich Felker2012-06-191-3/+3
| | | | | | | | | | | | | | | | | | | | | large precision values could cause out-of-bounds pointer arithmetic in computing the precision cutoff (used to avoid expensive long-precision arithmetic when the result will be discarded). per the C standard, this is undefined behavior. one would expect that it works anyway, and in fact it did in most real-world cases, but it was randomly (depending on aslr) crashing in i386 binaries running on x86_64 kernels. this is because linux puts the userspace stack near 4GB (instead of near 3GB) when the kernel is 64-bit, leading to the out-of-bounds pointer arithmetic overflowing past the end of address space and giving a very low pointer value, which then compared lower than a pointer it should have been higher than. the new code rearranges the arithmetic so that no overflow can occur. while this bug could crash printf with memory corruption, it's unlikely to have security impact in real-world applications since the ability to provide an extremely large field precision value under attacker-control is required to trigger the bug.
* add vhangup syscall wrapperRich Felker2012-06-191-0/+8
| | | | | | request/patch by william haddonthethird, slightly modifed to add _GNU_SOURCE feature test macro so that the compiler can verify the prototype matches.
* add new stdio extension functions to make gnulib happyRich Felker2012-06-191-0/+24
| | | | | this is mildly ugly, but less ugly than gnulib trying to poke at the definition of the FILE structure...
* stdio: handle file position correctly at program exitRich Felker2012-06-194-6/+40
| | | | | | | | | | | | | | | | for seekable files, posix imposed requirements on the offset of the underlying open file description after a stream is closed. this was correctly handled (as a side effect of the unconditional fflush call) when streams were explicitly closed by fclose, but was not handled correctly at program exit time, where fflush(0) was being used. the weak symbol hackery is to pull in __stdio_exit if either of __toread or __towrite is used, but avoid calling it twice so we don't have to keep extra state. the new __stdio_exit is a streamlined fflush variant that avoids performing any unnecessary operations and which never unlocks the files or open file list, so we can be sure no other threads write new data to a stream's buffer after it's already flushed.
* minor cleanup in fflushRich Felker2012-06-191-5/+1
|
* remove flush hook cruft that was never used from stdioRich Felker2012-06-193-5/+1
| | | | | | | there is no need/use for a flush hook. the write function serves this purpose already. i originally created the hook for implementing mem streams based on a mistaken reading of posix, and later realized it wasn't useful but never removed it until now.
* fix multiple iconv bugs reading utf-16/32 and wchar_tRich Felker2012-06-181-8/+8
|
* fix iconv dest utf-16: unavailable chars must be replaced; EILSEQ is wrongRich Felker2012-06-181-2/+2
|
* fix erroneous utf-16 encoding with surrogates in iconvRich Felker2012-06-181-0/+1
| | | | apparently this was never tested before.
* change stdio_ext __freading/__fwriting semantics slightlyRich Felker2012-06-171-2/+2
| | | | | | | | | | | | | | the old behavior was to only consider a stream to be "reading" or "writing" if it had buffered, unread/unwritten data. this reportedly differs from the traditional behavior of these functions, which is essentially to return true as much as possible without creating the possibility that both __freading and __fwriting could return true. gnulib expects __fwriting to return true as soon as a file is opened write-only, and possibly expects other cases that depend on the traditional behavior. and since these functions exist mostly for gnulib (does anything else use them??), they should match the expected behavior to avoid even more ugly hacks and workarounds...
* fdopen should set errno when it fails due to invalid mode stringRich Felker2012-06-171-1/+4
|
* direct syscall to open in __init_security needs O_LARGEFILERich Felker2012-06-141-1/+1
| | | | | it probably does not matter for /dev/null, but this should be done consistently anyway.
* reorder exit code to defer stdio flush until after dtorsRich Felker2012-06-141-4/+1
| | | | | | | | | | this is required in case dtors use stdio. also remove the old comments; one was cruft from when the code used to be using function pointers and conditional calls, and has little motivation now that we're using weak symbols. the other was just complaining about having to support dtors even though the cost was made essentially zero in the non-use case by the way it's done here.
* add timegm function (inverse of gmtime), nonstandardRich Felker2012-06-131-0/+9
|
* add init_module/delete_module syscall wrappersRich Felker2012-06-131-0/+11
| | | | | | | these are not exposed publicly in any header, but the few programs that use them (modutils/kmod, etc.) are declaring the functions themselves rather than making the syscalls directly, and it doesn't really hurt to have them (same as the capset junk).
* add (currently stubbed due to stubbed strverscmp) versionsort functionRich Felker2012-06-131-0/+8
| | | | | | | | | | | based on patch by Emil Renner Berthing, with minor changes to dirent.h for LFS64 and organization of declarations this code should work unmodified once a real strverscmp is added, but I've been hesitant to add it because the GNU strverscmp behavior is harmful in a lot of cases (for instance if you have numeric filenames in hex). at some point I plan on trying to design a variant of the algorithm that behaves better on a mix of filename styles.
* add deprecated capabilities functionsRich Felker2012-06-131-0/+11
| | | | | | | these were left in glibc for binary compatibility after the public part of the interface was removed, and libcap kept using them (with its own copy of the header files) rather than just making the syscalls directly. might as well add them since they're so small...
* fix char signedness bug (arm-specific) in dynamic linkerRich Felker2012-06-091-1/+1
|
* add pthread_attr_setstack interface (and get)Rich Felker2012-06-094-10/+39
| | | | | | | | | | | | | i originally omitted these (optional, per POSIX) interfaces because i considered them backwards implementation details. however, someone later brought to my attention a fairly legitimate use case: allocating thread stacks in memory that's setup for sharing and/or fast transfer between CPU and GPU so that the thread can move data to a GPU directly from automatic-storage buffers without having to go through additional buffer copies. perhaps there are other situations in which these interfaces are useful too.
* fix scanning of "-0x" pseudo-hex float (must give negative zero)Rich Felker2012-06-081-1/+1
|
* fix %ls breakage in last printf fixRich Felker2012-06-081-2/+2
| | | | signedness issue kept %ls with no precision from working at all
* fix printf %ls with precision limit over-read issueRich Felker2012-06-081-2/+2
| | | | | | | printf was not printing too many characters, but it was reading one too many wchar_t elements from the input. this could lead to crashes if running off the page, or spurious failure if the conversion of the extra wchar_t resulted in EILSEQ.
* fix scanf bug reading literals after width-limited fieldRich Felker2012-06-071-0/+1
| | | | | | the field width limit was not being cleared before reading the literal, causing spurious failures in scanf in cases like "%2d:" scanning "00:".
* treat failure of mprotect in map_library as a fatal load failureRich Felker2012-06-061-9/+9
| | | | | | | | | | | | | | | | | | | | the error will propagate up and be printed to the user at program start time; at runtime, dlopen will just fail and leave a message for dlerror. previously, if mprotect failed, subsequent attempts to perform relocations would crash the program. this was resulting in an increasing number of false bug reports on grsec systems where rwx permission is not possible in cases where users were wrongly attempting to use non-PIC code in shared libraries. supporting that usage is in theory possible, but the x86_64 toolchain does not even support textrels, and the cost of keeping around the necessary information to handle textrels without rwx permissions is disproportionate to the benefit (which is essentially just supporting broken library setups on grsec machines). also, i unified the error-out code in map_library now that there are 3 places from which munmap might have to be called.
* fix ctype abi junk (pointer should point to 0 slot, not -128 slot)Rich Felker2012-06-053-3/+3
|
* ensure that abort always worksRich Felker2012-06-021-0/+2
| | | | | | | | | | | | | | | | Per POSIX, "The abort() function shall cause abnormal process termination to occur, unless the signal SIGABRT is being caught and the signal handler does not return." If SIGABRT is blocked or if a signal handler is installed and does return, abort is still required to cause abnormal program termination. We cannot use a_crash() to do this, since a SIGILL handler could also be installed (and might even longjmp out of the abort, not expecting to be invoked from within abort), nor can we rely on resetting the signal handler and re-raising the signal (this has race conditions in multi-threaded programs). On the other hand, SIGKILL is a perfectly safe, unblockable way to obtain abnormal program termination, and it requires no ugly loop-and-retry logic.
* add some ugly aliases for LSB ABI compatibilityRich Felker2012-06-027-0/+8
| | | | | | for some nonsensical reason, glibc's headers use inline functions that redirect some of the standard functions to ugly nonstandard names (and likewise for some of their nonstandard functions).
* increase default thread stack size to 80kRich Felker2012-06-021-1/+1
| | | | | | | | | | | | | | | | I've been looking for data that would suggest a good default, and since little has shown up, i'm doing this based on the limited data I have. the value 80k is chosen to accommodate 64k of application data (which happens to be the size of the buffer in git that made it crash without a patch to call pthread_attr_setstacksize) plus the max stack usage of most libc functions (with a few exceptions like crypt, which will be fixed soon to avoid excessive stack usage, and [n]ftw, which inherently uses a fair bit in recursive directory searching). if further evidence emerges suggesting that the default should be larger, I'll consider changing it again, but I'd like to avoid it getting too large to avoid the issues of large commit charge and rapid address space exhaustion on 32-bit machines.
* remove implementation-reserved bits when saving signal maskRich Felker2012-06-021-1/+11
| | | | | | | | this fix is necessary because a program could be started with some of the implementation-reserved signals masked (e.g. due to exec having been called from a signal handler, or from a non-musl program) and then could obtain an invalid-to-use-later sigset_t as the old/saved signal mask.
* remove no-longer-needed unblocking of signals in pthread_createRich Felker2012-06-021-1/+0
| | | | | | | this action is now performed in pthread_self initialization; it must be performed there in case the first call to pthread_create is from a signal handler, in which case the old signal mask could be restored on return from the signal.
* add LSB abi junk for ctype functionsRich Felker2012-06-023-0/+104
| | | | | | | | this should be the last major fix needed to support running glibc-linked conforming POSIX programs with musl in place of glibc, as long as musl provides the features they need and they don't use pthread cancellation (which is implemented as c++ exceptions in glibc, and fundamentally incompatible with musl).
* use fistpll mnemonic instead of fistpq (more widely supported) on x86_64 tooRich Felker2012-06-021-1/+1
| | | | | this was fixed previously on i386 but the corresponding code on x86_64 was missed.
* add LSB ABI __xstat, etc. junkRich Felker2012-05-314-0/+36
|
* enable LARGEFILE64 aliasesRich Felker2012-05-312-4/+1
| | | | | | | | these will NOT be used when compiling with -D_LARGEFILE64_SOURCE on musl; instead, they exist in the hopes of eventually being able to run some glibc-linked apps with musl sitting in place of glibc. also remove the (apparently incorrect) fcntl alias.