Unfortunately, we can't quite use strptime as a black box to detect
the cases that triggered undefined behaviour, because strptime just
fails in that case anyway since the number that would go in .tm_year
is far out of the representable range.
PR lib/58041
Previously, an unsigned operation that had a negative result went
undetected in a few cases. Now, all results that are not representable
by their type are considered overflows.
The implementation of signed shift-right had been wrong for a few
commits.
Repurpose message 362, as the previous version was redundant since null
bytes in old-style formats are already covered by message 371 (bit
position out of range) and 377 (redundant '\0' at the end).
The functions snprintb and snprintb_m are specific to NetBSD, and their
format strings are tricky to get correct. Provide some assistance in
catching the most common mistakes.
Always write the value to be formatted in hexadecimal, to make it easily
distinguishable from the buffer size and maximum line length.
Use consistent wording in the comments of the test cases. Be stricter
about mistakes in a format.
Fix some wrong numbers in the snprintb_m tests for limited line length.
Previously, these descriptions were only allowed on platforms where
plain 'char' is unsigned. On platforms where plain 'char' is signed,
they invoked undefined behavior or terminated the output early.
Always null-terminate the output in the buffer, even in error cases. The
wording in the manual page has been promising this since 2008. For
snprintb_m, ensure that the output is terminated with two null
characters, to gracefully handle situations in which the caller does not
check whether snprintb returned an error.
If the buffer size is zero, allow the buffer to be a null pointer,
analogous to snprintf.
Fix an out-of-bounds memory read if the bitfmt ends with a '*' directive
(since today).
In the tests, merge the helper functions for snprintb, snprintb_m, as
they were similar enough.
Fix a few 'line_max exceeded' tests, ensuring that they output a '#'
marker, and that the 'complete' tests don't.
Previously, these invoked undefined behavior, now they lead to an early
return. An example of out-of-bounds bit number is in SCZ_PCICTRL_BITS.
Bit fields that extend beyond the msb are still allowed.
Allow 'f' and 'F' to have fields that are 64 bits wide. This only makes
sense when the field starts at bit 0.
Remove the unused 'val_len', it was only needed before snprintb.c 1.20.
The manual page promises that the 'max' argument limits the length of
the generated strings, so don't generate any strings that are longer
than that limit. Mark incomplete strings with a trailing '#' to make
them easily recognizable.
Before t_snprintb.c 1.20, the buffer size was required to be greater
than zero. Allowing the buffer size to be zero led to buf[-1] being
checked. On amd64, that byte happened to be 0, on i386 it didn't.
Fixes PR lib/57951.
longjmp evidently doesn't reset the state of whether the process is
executing on the alternate signal stack. So when we re-enter the
signal handler, the alternate stack appears to be still in use, and
the system chooses the original stack for the second call to the
signal handler -- which trips our assertion asking to verify that the
signal handler is always using an alternate stack.
Not strictly necessary for the signal handler to use an alternate
stack on re-entry, but this makes it clearer that the signal handler
itself is always using the alternate stack so we can verify that the
interrupted code is _not_ in the signal handler.
With this change, the test now passes on aarch64.
PR lib/57946
But only by code inspection; it appears to have another problem: on
re-entry, the signal handler is called on the normal stack, not on
the alternate signal stack.
PR lib/57946
Due to the check that any bytes beyond the expected output must be
unmodified, there's no need anymore to explicitly write the "ZZZ" at the
end of the expected output. While here, remove the redundant trailing
"\0".
Add more tests to cover possible situations where an out-of-bounds write
may have occurred. In some cases, the line length specified in
snprintb_m is exceeded.
In the previous commit, I had accidentally only run the tests for
snprintb_m but not those for snprintb, thereby missing a newly
introduced bug that would not null-terminate the resulting strings.
Add more tests to cover similar situations in which the buffer is too
small to contain the complete output.
The debug output contained too many newlines.
The buffer functions were built into lint2 even though they weren't
used.
Enable the query for invisible characters in string literals, to make
sure that a newline in a string literal does not trigger that query.
For now, the chronologic order is not enforced but has to be established
manually, for example by removing all 'expect' comment lines and
regenerating them with 'accept.sh -u'.
While here, clean up a few instances that came up when regenerating the
'expect' comments, such as wrong indentation or needless deviation from
the 'expect+1' form.
Test all number bases (octal, decimal, hexadecimal), in both old-style
and new-style formats, as well as small buffer sizes.
Document working edge cases such as empty descriptions or descriptions
containing spaces, as well as situations that invoke undefined behavior.
Add comments to the individual test cases, as reading the actual format
strings takes more time.
In case of a failure, print the details of the test case, including file
and line number of the actual test data. Do not write the format strings
directly to the output, as they contain non-printable bytes and embedded
null bytes.
After a failed test case, continue with the others.
Lay out the format strings according to their structure, to make them
more readable. Remove redundant "\0" at the end of the new-style format
strings.
Fix an off-by-one error in the test data: 0xf is FIFTEEN, not SIXTEEN.
Add a test for performing a restricted subset of rot13 in the format
string, to explore the limits of snprintb formatting.
What's still missing are tests for edge cases and error cases.
Except etc and xetc, which likely won't match for reasons that aren't
great, like etc including empty log files which in an installed
system have probably changed.
This test will probably fail, but we should make sure it doesn't!
PR misc/57877
It was confusing to have two kinds of "symbol type" (s_type and s_symt),
so rename all related identifiers to be more distinctive.
No functional change.
rillig