Update mk.conf(5) with the rump variables from
- lib/librumpuser/README.compileopts
- sys/rump/README.compileopts
Add cross-references back to mk.conf(5) in those files.
Ensure that the Default: is listed last in a description,
for consistency with the convention in this file.
Front ends:
- aligned_alloc
- calloc
- posix_memalign
Fork hooks:
- _malloc_prefork
- _malloc_postfork
- _malloc_postfork_child
Otherwise these will pull in the jemalloc definitions from libc,
which (a) defeats the purpose, and (b) won't work correctly with
fork and threads.
Thanks to kre@ and the thread on tech-userlevel for pointing me in
the right direction to making this actually work to override
jemalloc:
https://mail-index.netbsd.org/tech-userlevel/2023/06/30/msg013957.html
Note: libbsdmalloc doesn't set errno=ENOMEM on malloc failure, but
these front ends do (even aligned_alloc, which is from C11, which
doesn't define ENOMEM at all, but this pacifies our aligned_alloc
tests in t_posix_memalign.c). Might want to fix that.
XXX pullup-10
Make supportable promises. Omit needless verbiage. Give caveats
with cross-references to entropy(7). Emphasize that security is
necessarily relative to system configuration.
XXX pullup-10
New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.htmlhttps://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129
On second thought, convert the list of type flags back to -tag, but
don't make it -compact. This way it's easier to see that it's related
to the list above.
Rename compiler-warning-disable variables from
GCC_NO_warning
to
CC_WNO_warning
where warning is the full warning name as used by the compiler.
GCC_NO_IMPLICIT_FALLTHRU is CC_WNO_IMPLICIT_FALLTHROUGH
Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.
Provide a single variable
CC_WNO_ADDRESS_OF_PACKED_MEMBER
with options for both clang and gcc, to replace
CLANG_NO_ADDR_OF_PACKED_MEMBER
CC_NO_ADDR_OF_PACKED_MEMBER
GCC_NO_ADDR_OF_PACKED_MEMBER
Using the convention CC_compilerflag, where compilerflag
is based on the full compiler flag name.
List all alternative forms recognized by string_to_flags(3).
Both "dump" and "nonodump" are the negative of "nodump".
string_to_flags does not recognize "snap".
Provide xrefs for flag descriptions where applicable.
This is now distinct from pthread__smt_pause, which is for spin lock
backoff with no paired wakeup.
On Arm, there is a single-bit event register per CPU, and there are two
instructions to manage it:
- wfe, wait for event -- if event register is clear, enter low power
mode and wait until event register is set; then exit low power mode
and clear event register
- sev, signal event -- sets event register on all CPUs (other
circumstances like interrupts also set the event register and cause
wfe to wake)
These can be used to reduce the power consumption of spinning for a
lock, but only if they are actually paired -- if there's no sev, wfe
might hang indefinitely. Currently only pthread_spin(3) actually
pairs them; the other lock primitives (internal lock, mutex, rwlock)
do not -- they have spin lock backoff loops, but no corresponding
wakeup to cancel a wfe.
It may be worthwhile to teach the other lock primitives to pair
wfe/sev, but that requires some performance measurement to verify
it's actually worthwhile. So for now, we just make sure not to use
wfe when there's no sev, and keep everything else the same -- this
should fix severe performance degredation in libpthread on Arm
without hurting anything else.
No change in the generated code on amd64 and i386. No change in the
generated code for pthread_spin.c on arm and aarch64 -- changes only
the generated code for pthread_lock.c, pthread_mutex.c, and
pthread_rwlock.c, as intended.
PR port-arm/57437
XXX pullup-10
No functional change intended -- just safer to do it this way in case
the macros are used in if branches or comma expressions.
PR port-arm/57437 (pthread__smt_pause/wake issue)
XXX pullup-10
endian machines. When long double support was added, the old code was kept
for the regular double code. This code was never used because WIDE_DOUBLE
was always defined in the Makefile. Remove that old code, and conditionalize
the WIDE_DOUBLE code based on if long doubles are different than doubles on
the specific platform.
This is the size of dst, not of src. The size of src is determined
by the address family.
Fix markup while here: .Fa for function arguments, not .Ar which is
for command arguments.
And make the tests work, and exercise all lengths up to 100.
Evidently the previous definition, presumably tightly optimized for
1980s-era compilers and CPUs, was too hard to understand, because it
was incorrectly tested for two decades and broken for years.
PR lib/57141
XXX pullup-8
XXX pullup-9
XXX pullup-10
the number of bytes to add - for multibyte characters n will be > 1.
Fix __slk_draw to pass in the actual length of the label instead of
the default label length because wide characters may make the
actual string length longer than the slk display length.
Although tzcode still works with C89, bugs found in recent routine
maintenance indicate that bitrot has set in and that in practice
C89 is no longer used to build tzcode. As it is a maintenance
burden, support for C89 is planned to be removed soon. Instead,
please use compilers compatible with C99, C11, C17, or C23.
timegm, which tzcode implemented in 1989, will finally be
standardized 34 years later as part of C23, so timegm is now
supported even if STD_INSPIRED is not defined.
Fix bug in zdump's tzalloc emulation on hosts that lack tm_zone.
(Problem reported by Đoàn Trần Công Danh.)
Fix bug in zic on hosts where malloc(0) yields NULL on success.
(Problem reported by Tim McBrayer for AIX 6.1.)
Fix zic configuration to avoid linkage failures on some platforms.
(Problems reported by Gilmore Davidson and Igor Ivanov.)
Work around MS-Windows nmake incompatibility with POSIX.
(Problem reported by Manuela Friedrich.)
Port mktime and strftime to debugging platforms where accessing
uninitialized data has undefined behavior (strftime problem
reported by Robert Elz).
Check more carefully for unlikely integer overflows, preferring
C23 <stdckdint.h> to overflow checking by hand, as the latter has
had obscure bugs.
The first paragraph could use some rewording. While BRE may be
obsolete, it's still the default for regcomp(3) and the default for
grep(1), sed(1), etc.
Use .Rv where possible. Some manual pages claimed that the error "is
returned", but RTFS and some quick testing indicate that this is wrong.
The commit message from 2003 says that:
Note our current implementation mis-matches [man pages] slightly
(error codes are stuffed into errno, where they should simply be
returned by these calls). This will be addressed shortly.
That hasn't happened in the 20 years, so we might as well make the man
pages reflect the reality.
While here, don't claim that null pointer is zero.
We should probably just pick the wording from POSIX, but that yak is a
bit too big for me to shave at the moment.
on virtscr and curscr because the indexes past are supposed to be
one *past* the last matching line (they may actually match if the line is
at the bottom of the screen). Iff they don't match reduce the scroll
region size by one so we don't scroll non-matching lines, also check
if the region is then 0 after the decrement and just return if it was.
This fixes observed behviour in the PR. Allow the cursor to be
moved one past the EOL, if postitioned here then set ISPASTEOL.
also protect out of range access if win->cury is past maxy.
Changes to code
zic now supports links to links regardless of input line order.
For example, if Australia/Sydney is a Zone, the lines
Link Australia/Canberra Australia/ACT
Link Australia/Sydney Australia/Canberra
now work correctly, even though the shell commands
ln Australia/Canberra Australia/ACT
ln Australia/Sydney Australia/Canberra
would fail because the first command attempts to use a link
Australia/Canberra that does not exist until after the second
command is executed. Previously, zic had unspecified behavior if
a Link line's target was another link, and zic often misbehaved if
a Link line's target was a later Link line.
Fix line number in zic's diagnostic for a link to a link.
Fix a bug that caused localtime to mishandle timestamps starting
in the year 2438 when reading data generated by 'zic -b fat' when
distant-future DST transitions occur at times given in standard
time or in UT, not the usual case of local time. This occurs when
the corresponding .zi Rule lines specify DST transitions with TO
columns of 'max' and AT columns that end in 's' or 'u'. The
number 2438 comes from the 32-bit limit in the year 2038, plus the
400-year Gregorian cycle. (Problem reported by Bradley White.)
On glibc 2.34 and later, which optionally supports 64-bit time_t
on platforms like x86 where time_t was traditionally 32 bits,
default time_t to 64 instead of 32 bits. This lets functions like
localtime support timestamps after the year 2038, and fixes
year-2038 problems in zic when accessing files dated after 2038.
To continue to limit time_t to 32 bits on these platforms, use
"make CFLAGS='-D_TIME_BITS=32'".
In C code, do not enable large-file support on platforms like AIX
and macOS that no longer need it now that tzcode does not use
off_t or related functions like 'stat'. Large-file support is
still enabled by default on GNU/Linux, as it is needed for 64-bit
time_t support.
In C code, prefer C23 keywords to pre-C23 macros for alignof,
bool, false, and true. Also, use the following C23 features if
available: __has_include, unreachable.
zic no longer works around Qt bug 53071, as the relevant Qt
releases have been out of support since 2019. This change affects
only fat TZif files, as thin files never had the workaround.
zdump no longer modifies the environ vector when compiled on
platforms lacking tm_zone or when compiled with -DUSE_LTZ=0.
This avoid undefined behavior on POSIX platforms.
reallocarray() will be part of the next POSIX release, see
https://austingroupbugs.net/view.php?id=1218
adapt an errno value to match POSIX expectations
As discussed on tech-userlevel
(meaningless macro in mdoc) followed by the first line of the
real BUGS section somehow ended up inserted after the first
word of the STANDARDS section. Delete the noise.
- plod now correctly accounts for wide characters when plodding
- use erase line when in color mode if the terminal has the capability
- ensure that the CA_CONTINUATION flag is applied consistently to the
subsequent characters in a wide character.
- fix a bunch of refresh bugs that caused inconsistent placement of
wide characters.
The old definitions in qp.c being all grouped together in one file
causes problems when static linking with libgcc (i.e. cc --static-libgcc)
due to functions like __trunctfdf2 conflicting with libgcc, as seen in
PR 57021
We can also add some missing functions like __fixdfti for converting
a double to an int128_t, the lack of which is currently preventing webkit
from linking on aarch64, as seen in PR 57022
Unclear to me if libc is the right place for these functions, but
we can avoid breaking compatibility right now and maintain the status
quo while avoiding some obvious immediate problems.
nm output for libc shows no functions being removed by this change.
Some flags are now accepted, others are still ignored. (E.g., other
BSDs would return EINVAL if O_RDWR wasn't passed, and we now accept
O_NONBLOCK but not O_CLOEXEC.)
This doesn't affect the calls to the atfork handlers -- it only
protects access to the lists of handlers from interruption by a
signal, in case the signal handler calls fork(2).
The NetBSD implementation differs from other BSDs in that it does not
return EINVAL if invalid oflags are submitted, since it completely
ignores them. This is surprising to upstream projects that may expect
otherwise.
Work around a bug in onetrueawk that broke commands like
'make traditional_tarballs' on FreeBSD, macOS, etc.
(Problem reported by Deborah Goldsmith.)
Add code to tzselect that uses experimental structured comments in
zone1970.tab to clarify whether Zones like Africa/Abidjan and
Europe/Istanbul cross continent or ocean boundaries.
(Inspired by a problem reported by Peter Krefting.)
Fix bug with 'zic -d /a/b/c' when /a is unwritable but the
directory /a/b already exists.
Remove zoneinfo2tdf.pl, as it was unused and triggered false
malware alarms on some email servers.
zic has a new option '-R @N' to output explicit transitions < N.
(Need suggested by Almaz Mingaleev.)
'zic -r @N' no longer outputs bad data when N < first transition.
(Problem introduced in 2021d and reported by Peter Krefting.)
zic now checks its input for NUL bytes and unterminated lines, and
now supports input line lengths up to 2048 (not 512) bytes.
gmtime and related code now use the abbreviation "UTC" not "GMT".
POSIX is being revised to require this.
When tzset and related functions set vestigial static variables
like tzname, they now prefer specified timestamps to unspecified ones.
(Problem reported by Almaz Mingaleev.)
zic no longer complains "can't determine time zone abbreviation to
use just after until time" when a transition to a new standard
time occurs simultanously with the first DST fallback transition.
For now this builds the C version, for completeness, so
that e.g. lang/ocaml can be configured & built. However,
googling reveals that powerpc does have a "fused multiply add"
instruction, ref.
https://www.ibm.com/docs/en/aix/7.1?topic=set-fmadd-fma-floating-multiply-add-instruction
so this could probably be taken advantage of for a more
optimized version.
to __cerror so if the ptrace syscall fails we can call __cerror again with
the correct %r19 value.
Do this even though the call of __cerror doesn't go via the PLT because
__cerror calls __errno which does.
Analysis and fix from Tom Lane in
port-hppa/56864: hppa: ptrace(2) dumps core when returning an error
I changed the location of where %r19 is stored on the stack to follow the
ABI.
Patch from chs@. Comment explaining the story by me. This patch may
not be optimal -- maybe it would be better in pthread__init, or
better for rtld to call _lwp_unpark after _lwp_park in the contened
case -- but we've tested this version and it's annoying to reproduce,
so let's take this version and worry about testing improvements
later.
This was introduced two years ago when the getrandom/getentropy API
question was still open, and removed because the discussion was
ongoing. Now getentropy is more widely adopted and soon to be in
POSIX. So reintroduce the symbol into libc since we'll be keeping it
anyway. Discussion of details of the semantics, as interpreted by
NetBSD, is ongoing, but the symbol needs to get in before the
netbsd-10 branch. The draft POSIX text is
(https://www.opengroup.org/austin/docs/austin_1110.pdf):
SYNOPSIS
#include <unistd.h>
int getentropy(void *buffer, size_t length);
DESCRIPTION
The getentropy() function shall write length bytes of data
starting at the location pointed to by buffer. The output
shall be unpredictable high quality random data, generated by
a cryptographically secure pseudo-random number
generator. The maximum permitted value for the length
argument is given by the {GETENTROPY_MAX} symbolic constant
defined in <limits.h>.
RETURN VALUES
Upon successful completion, getentropy() shall return 0;
otherwise, -1 shall be retunred and errno set to indicate the
error.
ERRORS
The getentropy() function shall fail if:
[EINVAL] The value of length is greater than
{GETENTROPY_MAX}.
The getentropy() function may fail if:
[ENOSYS] The system does not provide the necessary
source of entropy.
RATIONALE
The getentropy() function is not a cancellation point.
Minor changes from the previous introduction of getentropy into libc:
- Return EINVAL, not EIO, on buflen > 256.
- Define GETENTROPY_MAX in limits.h.
The declaration of getentropy in unistd.h and definition of
GETENTROPY_MAX in limits.h are currently conditional on
_NETBSD_SOURCE. When the next revision of POSIX is finalized, we can
expose them also under _POSIX_C_SOURCE > 20yymmL as usual -- and this
can be done as a pullup without breaking existing compiled programs.
strictly-aligned versions of memcmp(3), bcopy(3), memcpy(3), and
memmove(3).
This is used for 403 by ld.so.conf with machdep.no_unaligned variable.
With this library, unaligned memory accesses are significantly reduced
for 403 (from several hundreds to few tens per sec under heavy load);
only ld.elf_so (typically few times per fork) and statically-linked
binaries do such access.
with strictly-aligned versions.
Now all 32-bit powerpc ports share the same libc binary.
This change together with the preceding similar change in libkern slightly
improve performance for DHT (ibm4xx/405GP) and RB800 (MPC8533E).
See changes in bytebench scores:
- DHT https://gist.github.com/rokuyama/301063355de9733bea515b84ef574c0a
- RB800 https://gist.github.com/rokuyama/60ad665d367d6d110b79ec44707f39ff
Improvements may be negligible, but this does not cause performance
regressions at least.
This hack was for 403, but unaligned memory access is now emulated by
kernel. This should result in serious performance regression for 403.
We will provide strictly-aligned versions by ld.so.conf.
Seen on netbsd-9 built xscreensaver running on a current system.
Whatever triggered this should also be fixed, but in the meantime
we can improve the behaviour from "Segmentation Fault"
PR toolchain/56771
Fix profiling on CPUs that do not support unaligned memory access;
Allocate objects (referenced from struct gmonparam) with proper
alignments.
For monstartup(), objects are allocated on heap. Break is not
guaranteed to be aligned at all, unlike stack pointer.
For _m_gmon_alloc(), objects are allocated on anonymous memory.
p->tos is not aligned properly in general.
This fixes quasi-random crashes for *_profile tests, at least on
SH-4 and PowerPC 403 [1]. Also, no regression is observed for
others as far as I can see.
This change does not cause any ABI breakage, as long as application
uses proper pointers; use p->tos instead of evil pointer arithmetic
like (struct tostruct *)((char *)p->froms + p->fromssize) [2].
[1] Timeout should be increased for some tests. "pic" variants
still fail as expected. Dynamically-linked binaries also crash in
rtld for SH-4, but this seems different problem...
[2] This example did not work even before, since the order of
froms[] and tos[] is reversed depending on which of monstartup() or
_m_gmon_alloc() is used for allocation.
same as the old one. This prevents excessive redraws in some
applications.
* Fix bug introduced when wbkgrndset was fixed, we cannot blindly
replace any instance of the old background character with the new one
because some of those characters were put there by the application
leading to display corruption. So flag characters as background when
they are erased and only update the flagged characters when setting
the background.
* Fix bkgrndset so that it actually sets the background character in
in line with the SUSv2 specification.
* Add an internal function to copy a complex character
* Make the previously static celleq function into a libcurses private
function so that it can be called in other files.