These unmangled function pointers reside on the heap and could
be targeted by exploit writers, effectively bypassing libio vtable
validation. Instead, we ignore these pointers and always call
malloc or free.
In theory, this is a backwards-incompatible change, but using the
global heap instead of the user-supplied callback functions should
have little application impact. (The old libstdc++ implementation
exposed this functionality via a public, undocumented constructor
in its strstreambuf class.)
C99 specifies that the EOF condition on a file is "sticky": once EOF
has been encountered, all subsequent reads should continue to return
EOF until the file is closed or something clears the "end-of-file
indicator" (e.g. fseek, clearerr). This is arguably a change from
C89, where the wording was ambiguous; the BSDs always had sticky EOF,
but the System V lineage would attempt to read from the underlying fd
again. GNU libc has followed System V for as long as we've been
using libio, but nowadays C99 conformance and BSD compatibility are
more important than System V compatibility.
You might wonder if changing the _underflow impls is sufficient to
apply the C99 semantics to all of the many stdio functions that
perform input. It should be enough to cover all paths to _IO_SYSREAD,
and the only other functions that call _IO_SYSREAD are the _seekoff
impls, which is OK because seeking clears EOF, and the _xsgetn impls,
which, as far as I can tell, are unused within glibc.
The test programs in this patch use a pseudoterminal to set up the
necessary conditions. To facilitate this I added a new test-support
function that sets up a pair of pty file descriptors for you; it's
almost the same as BSD openpty, the only differences are that it
allocates the optionally-returned tty pathname with malloc, and that
it crashes if anything goes wrong.
[BZ #1190]
[BZ #19476]
* libio/fileops.c (_IO_new_file_underflow): Return EOF immediately
if the _IO_EOF_SEEN bit is already set; update commentary.
* libio/oldfileops.c (_IO_old_file_underflow): Likewise.
* libio/wfileops.c (_IO_wfile_underflow): Likewise.
* support/support_openpty.c, support/tty.h: New files.
* support/Makefile (libsupport-routines): Add support_openpty.
* libio/tst-fgetc-after-eof.c, wcsmbs/test-fgetwc-after-eof.c:
New test cases.
* libio/Makefile (tests): Add tst-fgetc-after-eof.
* wcsmbs/Makefile (tests): Add tst-fgetwc-after-eof.
This patch eliminates a number of #if 0 and #ifdef TODO blocks, macros
that are never used, macros that provide portability to substrates that
lack basic things like EINVAL and off_t, and other such debris.
I preserved IO_DEBUG and CHECK_FILE, even though as far as I can tell
IO_DEBUG is never defined and therefore CHECK_FILE never does
anything, because it seems like we might actually want to turn it _on_.
Installed stripped libraries and executables are unchanged, except,
again, that the line number of an assertion changes (this time it's
somewhere in fileops.c).
* libio/libio.h (_IO_pos_BAD, _IO_pos_0, _IO_pos_adjust):
Define here, unconditionally.
* libio/iolibio.h (_IO_pos_BAD): Don't define here.
* libio/libioP.h: Remove #if 0 blocks.
(_IO_pos_BAD, _IO_pos_0, _IO_pos_adjust): Don't define here.
(_IO_va_start, COERCE_FILE, MAYBE_SET_EINVAL): Don't define.
(CHECK_FILE): Don't use MAYBE_SET_EINVAL or COERCE_FILE. Fix style.
* libio/clearerr.c, libio/fputc.c, libio/getchar.c:
Assume weak_alias is always defined.
* libio/fileops.c, libio/genops.c, libio/oldfileops.c
* libio/oldpclose.c, libio/pclose.c, libio/wfileops.c:
Remove #if 0 and #ifdef TODO blocks.
Assume text_set_element is always defined.
* libio/iofdopen.c, libio/iogetdelim.c, libio/oldiofdopen.c
Use __set_errno (EINVAL) instead of MAYBE_SET_EINVAL.
* libio/tst-mmap-eofsync.c: Make #if 1 block unconditional.
This entirely mechanical (except for some indentation fixups) patch
replaces all uses of _IO_file_flags with _flags and removes the #define.
Installed stripped libraries and executables are unchanged by this patch.
* libio/libio.h (_IO_file_flags): Remove macro.
All uses changed to _flags.
This patch eliminates the "compatibility defines"
_IO_UNIFIED_JUMPTABLES (always defined to 1, used in a number of #ifs
which are therefore always false), _STDIO_USES_IOSTREAM (unused),
__HAVE_COLUMN (unused), _IO_BE (replaced with __glibc_unlikely), and
yet another redundant definition of EOF.
Installed stripped libraries are unchanged by this patch.
* libio/libio.h (_IO_UNIFIED_JUMPTABLES, _STDIO_USES_IOSTREAM)
(__HAVE_COLUMN, _IO_BE): Don't define.
(_IO_peekc_unlocked, _IO_getwc_unlocked, _IO_putwc_unlocked)
(_IO_fwide_maybe_incompatible): Use __glibc_unlikely.
* libio/libioP.h (EOF): Don't define.
* libio/iofdopen.c, libio/iofopen.c, libio/iopopen.c
* libio/iovdprintf.c, libio/oldiofdopen.c, libio/oldiofopen.c
* libio/oldiopopen.c, debug/vdprintf_chk.c: Remove #if block
testing _IO_UNIFIED_JUMPTABLES.
This patch mechanically removes all remaining uses, and the
definitions, of the following libio name aliases:
name replaced with
---- -------------
_IO_FILE FILE
_IO_fpos_t __fpos_t
_IO_fpos64_t __fpos64_t
_IO_size_t size_t
_IO_ssize_t ssize_t or __ssize_t
_IO_off_t off_t
_IO_off64_t off64_t
_IO_pid_t pid_t
_IO_uid_t uid_t
_IO_wint_t wint_t
_IO_va_list va_list or __gnuc_va_list
_IO_BUFSIZ BUFSIZ
_IO_cookie_io_functions_t cookie_io_functions_t
__io_read_fn cookie_read_function_t
__io_write_fn cookie_write_function_t
__io_seek_fn cookie_seek_function_t
__io_close_fn cookie_close_function_t
I used __fpos_t and __fpos64_t instead of fpos_t and fpos64_t because
the definitions of fpos_t and fpos64_t depend on the largefile mode.
I used __ssize_t and __gnuc_va_list in a handful of headers where
namespace cleanliness might be relevant even though they're
internal-use-only. In all other cases, I used the public-namespace
name.
There are a tiny handful of places where I left a use of 'struct _IO_FILE'
alone, because it was being used together with 'struct _IO_FILE_plus'
or 'struct _IO_FILE_complete' in the same arithmetic expression.
Because this patch was almost entirely done with search and replace, I
may have introduced indentation botches. I did proofread the diff,
but I may have missed something.
The ChangeLog below calls out all of the places where this was not a
pure search-and-replace change.
Installed stripped libraries and executables are unchanged by this patch,
except that some assertions in vfscanf.c change line numbers.
* libio/libio.h (_IO_FILE): Delete; all uses changed to FILE.
(_IO_fpos_t): Delete; all uses changed to __fpos_t.
(_IO_fpos64_t): Delete; all uses changed to __fpos64_t.
(_IO_size_t): Delete; all uses changed to size_t.
(_IO_ssize_t): Delete; all uses changed to ssize_t or __ssize_t.
(_IO_off_t): Delete; all uses changed to off_t.
(_IO_off64_t): Delete; all uses changed to off64_t.
(_IO_pid_t): Delete; all uses changed to pid_t.
(_IO_uid_t): Delete; all uses changed to uid_t.
(_IO_wint_t): Delete; all uses changed to wint_t.
(_IO_va_list): Delete; all uses changed to va_list or __gnuc_va_list.
(_IO_BUFSIZ): Delete; all uses changed to BUFSIZ.
(_IO_cookie_io_functions_t): Delete; all uses changed to
cookie_io_functions_t.
(__io_read_fn): Delete; all uses changed to cookie_read_function_t.
(__io_write_fn): Delete; all uses changed to cookie_write_function_t.
(__io_seek_fn): Delete; all uses changed to cookie_seek_function_t.
(__io_close_fn): Delete: all uses changed to cookie_close_function_t.
* libio/iofopncook.c: Remove unnecessary forward declarations.
* libio/iolibio.h: Correct outdated commentary.
* malloc/malloc.c (__malloc_stats): Remove unnecessary casts.
* stdio-common/fxprintf.c (__fxprintf_nocancel):
Remove unnecessary casts.
* stdio-common/getline.c: Use _IO_getdelim directly.
Don't redefine ssize_t.
* stdio-common/printf_fp.c, stdio_common/printf_fphex.c
* stdio-common/printf_size.c: Don't redefine size_t or FILE.
Remove outdated comments.
* stdio-common/vfscanf.c: Don't redefine va_list.
As requested by Adhemerval, this patch removes some preprocessor
conditionals from the libio headers that were only relevant when
building libio outside glibc.
Installed stripped libraries and executables are unchanged by this
patch.
* libio/iolibio.h, libio/libioP.h: Remove extern "C".
* libio/libio.h: Remove __BEGIN_DECLS and __END_DECLS.
Remove preprocessor conditionals on _LIBC and __USE_GNU,
which are always true, and __cplusplus, which is always false.
Continuing the fixes for linknamespace and localplt test failures with
-Os that arise from functions not being inlined in that case, this
patch fixes such failures for putc_unlocked and fputc_unlocked.
libc_hidden_* are used for both functions, while namespace issues are
addressed by making putc_unlocked a weak alias of hidden
__putc_unlocked, which is called in the one place where namespace
issues arise (and defined as an inline function in include/stdio.h).
Tested for x86_64 (both without -Os to make sure that case continues
to work, and with -Os to make sure all the relevant linknamespace and
localplt test failures are resolved). This completes fixing the -Os
linknamespace failures (at least for x86_64); localplt failures remain
after this patch.
2018-02-19 Joseph Myers <joseph@codesourcery.com>
[BZ #15105]
[BZ #19463]
* libio/fputc_u.c (fputc_unlocked): Use libc_hidden_def.
* libio/putc_u.c (putc_unlocked): Rename to __putc_unlocked and
define as weak alias of __putc_unlocked. Use libc_hidden_weak.
* include/stdio.h [!_ISOMAC] (fputc_unlocked): Use
libc_hidden_proto.
[!_ISOMAC] (putc_unlocked): Likewise.
[!_ISOMAC] (__putc_unlocked): Declare as hidden function, and
define inline if [__USE_EXTERN_INLINES].
* misc/syslog.c (__vsyslog_chk): Call __putc_unlocked instead of
putc_unlocked.
Continuing the fixes for linknamespace and localplt test failures with
-Os that arise from functions not being inlined in that case, this
patch fixes such failures for getc_unlocked.
__getc_unlocked already exists; this patch makes it explicitly hidden,
calls it where needed for namespace reasons, adds an inline function
for it when inline functions are used and adds libc_hidden_proto /
libc_hidden_weak for getc_unlocked.
Tested for x86_64 (both without -Os to make sure that case continues
to work, and with -Os to make sure all the relevant linknamespace and
localplt test failures are resolved). Because of other such failures
that remain after this patch, neither of the bugs can yet be closed.
[BZ #15105]
[BZ #19463]
* libio/getc_u.c (getc_unlocked): Use libc_hidden_weak.
* include/stdio.h [!_ISOMAC] (__getc_unlocked): Use
attribute_hidden, and define inline if [__USE_EXTERN_INLINES].
[!_ISOMAC] (getc_unlocked): Use libc_hidden_proto.
* misc/getttyent.c (__getttyent): Call __getc_unlocked instead of
getc_unlocked.
* time/tzfile.c (__tzfile_read): Likewise.
Continuing the fixes for linknamespace and localplt test failures with
-Os that arise from functions not being inlined in that case, this
patch fixes such failures for ferror_unlocked.
The usual approach is followed of adding __ferror_unlocked (inlined
when ferror_unlocked is), making calls use it when required for
namespace reasons (only one such call), and using libc_hidden_proto /
libc_hidden_weak for the ferror_unlocked weak alias when only localplt
but not namespace issues are involved.
Tested for x86_64 (both without -Os to make sure that case continues
to work, and with -Os to make sure all the relevant linknamespace and
localplt test failures are resolved). Because of other such failures
that remain after this patch, neither of the bugs can yet be closed.
[BZ #15105]
[BZ #19463]
* libio/ferror_u.c (ferror_unlocked): Rename to __ferror_unlocked
and define as weak alias of __ferror_unlocked. Use
libc_hidden_weak.
* include/stdio.h [!_ISOMAC] (ferror_unlocked): Use
libc_hidden_proto.
[!_ISOMAC] (__ferror_unlocked) New declaration, and inline
function if [__USE_EXTERN_INLINES].
* time/getdate.c (__getdate_r): Call __ferror_unlocked instead of
ferror_unlocked.
Among other localplt test failures when building with -Os, there are
libc.so PLT references for fputs. fputs calls normally get redirected
to _IO_fputs by a macro in include/stdio.h (and _IO_fputs in turn uses
libc_hidden_proto), but GCC can convert an fprintf call with a
constant string argument into an fputs call, which of course is then
unaffected by the macro redirection. (I don't know why this issue
only appears with -Os.)
This patch duly adds a use of libc_hidden_proto for fputs. I see no
obvious reason why the fputs macro redirection is needed at all, but
this patch does not change it.
Tested for x86_64 (both that it removes this particular localplt
failure for -Os - but other such failures remain so the bug can't yet
be closed - and that the testsuite continues to pass without -Os).
[BZ #15105]
* include/stdio.h [!_ISOMAC && IS_IN (libc)] (fputs): Use
libc_hidden_proto.
* libio/iofputs.c (fputs): Use libc_hidden_weak.
Continuing the fixes for linknamespace and localplt test failures with
-Os that arise from functions not being inlined in that case, this
patch fixes such failures for feof_unlocked.
The usual approach is followed of adding __feof_unlocked (inlined when
feof_unlocked is), making calls use it when required for namespace
reasons, and using libc_hidden_proto / libc_hidden_weak for the
feof_unlocked weak alias when only localplt but not namespace issues
are involved. In the case of getaddrinfo.c, use of __feof_unlocked
needs to be conditional since that code is also used in nscd (where
__feof_unlocked is not available).
Tested for x86_64 (both without -Os to make sure that case continues
to work, and with -Os to make sure all the relevant linknamespace and
localplt test failures are resolved). Because of other such failures
that remain after this patch, neither of the bugs can yet be closed.
[BZ #15105]
[BZ #19463]
* libio/feof_u.c (feof_unlocked): Rename to __feof_unlocked and
define as weak alias of __feof_unlocked. Use libc_hidden_weak.
* include/stdio.h (feof_unlocked): Use libc_hidden_proto.
(__feof_unlocked): New declaration, and inline function if
[__USE_EXTERN_INLINES].
* iconv/gconv_conf.c (read_conf_file): Call __feof_unlocked
instead of feof_unlocked.
* intl/localealias.c [_LIBC] (FEOF): Likewise.
* nss/nsswitch.c (nss_parse_file): Likewise.
* sysdeps/unix/sysv/linux/readonly-area.c (__readonly_area):
Likewise.
* time/getdate.c (__getdate_r): Likewise.
* sysdeps/posix/getaddrinfo.c [IS_IN (libc)] (feof_unlocked):
Define as macro to call __feof_unlocked.
Nearly everything in _G_config.h is either junk or more appropriately
defined elsewhere:
* _G_fpos_t, _G_fpos64_t, and _G_BUFSIZ are already completely unused.
* All remaining uses of _G_va_list have been changed to __gnuc_va_list.
* The definition of _G_HAVE_ST_BLKSIZE/_IO_HAVE_ST_BLKSIZE has
been inlined into its sole use.
* The complete definition of _G_iconv_t has been moved to libio.h and
renamed _IO_iconv_t (all actual users used that name).
* _G_IO_IO_FILE_VERSION is vestigial; some code cares whether
_IO_stdin_used exists, but nothing looks at its value. I've
preserved the value as a hardwired constant in csu/init.c.
This means csu/init.c no longer needs to include anything.
* Many of the headers included by _G_config.h were already being
included directly by either either libio.h or stdio.h; the
remaining ones were moved to libio.h.
* _G_HAVE_MREMAP is still relevant, because mremap genuinely is a
Linux extension; it's not in POSIX and as far as I can tell it's
not available on the Hurd either. I also preserved _G_HAVE_MMAP,
since it's conceivable someone would want to port glibc to a
MMU-less, mmap-less environment in the future. Both are now always
defined to 1/0 as is the current convention, instead of the older
1/undef convention. These are the only symbols still defined in
_G_config.h.
* The actual inclusion of _G_config.h moves from libio.h to libioP.h,
as this is where a potential override of _G_HAVE_MMAP happens.
* The #ifdef logic in libioP.h controlling _IO_JUMPS_OFFSET has been
simplified.
After this patch, the only surviving _G_ symbols are the struct tag
names _G_fpos_t and _G_fpos64_t, which are preserved for the sake of
C++ mangled names in applications, and _G_HAVE_MMAP and _G_HAVE_MREMAP,
which do not seem worth renaming.
Installed stripped libraries are unchanged by this patch.
* bits/_G_config.h: Move back to sysdeps/generic/_G_config.h.
Delete all contents except for definitions of _G_HAVE_MMAP and
_G_HAVE_MREMAP. Add commentary explaining those two symbols.
* sysdeps/unix/sysv/linux/bits/_G_config.h: Move back to
sysdeps/unix/sysv/linux/_G_config.h. Make same content
change as above.
* libio/libio.h: Don't include bits/_G_config.h here.
Include stddef.h with __need_wchar_t defined. Include
bits/types/__mbstate_t.h, bits/types/wint_t.h, and gconv.h.
Define _IO_iconv_t here, directly.
Don't define _IO_HAVE_ST_BLKSIZE.
* libio/libioP.h: Include _G_config.h here. Move include of
shlib-compat.h up with rest of includes. Simplify conditionals
controlling definition of _IO_JUMPS_OFFSET.
* csu/init.c: Remove always-true #if around entire file.
Don't include stdio.h. Set _IO_stdin_used to hardwired
constant 0x20001, and update commentary.
* include/stdio.h, sysdeps/ieee754/ldbl-opt/nldbl-compat.h:
Replace all uses of _G_va_list with __gnuc_va_list.
* libio/filedoalloc.c: Use #if defined _STATBUF_ST_BLKSIZE
instead of #if _IO_HAVE_ST_BLKSIZE.
* libio/fileops.c: Test _G_HAVE_MREMAP with #if, not #ifdef.
* libio/iofdopen.c, libio/iofopen.c: Test _G_HAVE_MMAP with #if,
not #ifdef.
We can't go very far with libio cleanups as long as we still have
_IO_MTSAFE_IO, and I am not tackling that in this patch series,
but we can at least make the maze of stdio-related headers a
little less complicated.
In this patch, libio.h moves back out of bits/ into the top level of
the libio subdirectory, and is merged with libio/bits/libio-ldbl.h
(which also used to be installed) and include/libio.h. Since almost
no files include libio.h directly, this is quite straightforward.
libio.h is now always used with _LIBC defined, so all of the _LIBC ||
_GLIBCPP_USE_WCHAR_T conditionals are unnecessary. Similarly, the
ifdef nest surrounding the definition of _IO_fwide_maybe_incompatible
can collapse down to a single SHLIB_COMPAT check. I also took the
opportunity to add some checks for configuration botches to libio.h.
Installed stripped libraries are unchanged by this patch.
* libio/bits/libio.h: Move back to libio/libio.h and adjust
multiple-include guard to match.
Merge contents of libio/bits/libio-ldbl.h and include/libio.h
into this file.
Remove preprocessor conditionals that are always true and/or
redundant to other preprocessor conditionals in the same nest.
Include shlib-compat.h unconditionally.
Error out if _LIBC is not defined, or if _ISOMAC is defined,
or if _IO_MTSAFE_IO is defined but _IO_lock_t_defined is not
defined after including stdio.h.
Use __BEGIN_DECLS/__END_DECLS.
* libio/bits/libio-ldbl.h, include/bits/libio.h: Delete file.
* include/stdio.h, libio/iolibio.h, libio/libioP.h: Include
libio.h as <libio/libio.h> rather than as <bits/libio.h>.
We shipped 2.27 with libio.h and _G_config.h still installed but
issuing warnings when used. Let's stop installing them early in 2.28
so that we have plenty of time to think of another plan if there are
problems.
The public stdio.h had a genuine dependency on libio.h for the
complete definitions of FILE and cookie_io_functions_t, and a genuine
dependency on _G_config.h for the complete definitions of fpos_t and
fpos64_t; these are moved to single-type headers.
bits/types/struct_FILE.h also provides a handful of accessor and
bitflags macros so that code is not duplicated between bits/stdio.h
and libio.h. All the other _IO_ and _G_ names used by the public
stdio.h can be replaced with either public names or __-names.
In order to minimize the risk of breaking our own compatibility code,
bits/types/struct_FILE.h preserves the _IO_USE_OLD_IO_FILE mechanism
exactly as it was in libio.h, but you have to define _LIBC to use it,
or it'll error out. Similarly, _IO_lock_t_defined is preserved
exactly, but will error out if used without defining _LIBC.
Internally, include/stdio.h continues to include libio.h, and libio.h
scrupulously provides every _IO_* and _G_* name that it always did,
perhaps now defined in terms of the public names. This is how this
patch avoids touching dozens of files throughout glibc and becoming
entangled with the _IO_MTSAFE_IO mess. The remaining patches in this
series eliminate most of the _G_ names.
Tested on x86_64-linux; in addition to the test suite, I installed the
library in a sysroot and verified that a simple program that uses
stdio.h could be compiled against the installed library, and I also
verified that installed stripped libraries are unchanged.
* libio/bits/types/__fpos_t.h, libio/bits/types/__fpos64_t.h:
New single-type headers split from _G_config.h.
* libio/bits/types/cookie_io_functions_t.h
* libio/bits/types/struct_FILE.h
New single-type headers split from libio.h.
* libio/Makefile: Install the above new headers. Don't install
libio.h, _G_config.h, bits/libio.h, bits/_G_config.h, or
bits/libio-ldbl.h.
* libio/_G_config.h, libio/libio.h: Delete file.
* libio/bits/libio.h: Remove improper-inclusion guard.
Include stdio.h and don't repeat anything that it does.
Define _IO_fpos_t as __fpos_t, _IO_fpos64_t as __fpos64_t,
_IO_BUFSIZ as BUFSIZ, _IO_va_list as __gnuc_va_list,
__io_read_fn as cookie_read_function_t,
__io_write_fn as cookie_write_function_t,
__io_seek_fn as cookie_seek_function_t,
__io_close_fn as cookie_close_function_t,
and _IO_cookie_io_functions_t as cookie_io_functions_t.
Define _STDIO_USES_IOSTREAM, __HAVE_COLUMN, and _IO_file_flags
here, in the "compatibility defines" section. Remove an #if 0
block. Use the "body" macros from bits/types/struct_FILE.h to
define _IO_getc_unlocked, _IO_putc_unlocked, _IO_feof_unlocked,
and _IO_ferror_unlocked.
Move prototypes of __uflow and __overflow...
* libio/stdio.h: ...here. Don't include bits/libio.h.
Don't define _STDIO_USES_IOSTREAM. Get __gnuc_va_list
directly from stdarg.h. Include bits/types/__fpos_t.h,
bits/types/__fpos64_t.h, bits/types/struct_FILE.h,
and, when __USE_GNU, bits/types/cookie_io_functions_t.h.
Use __gnuc_va_list, not _G_va_list; __fpos_t, not _G_fpos_t;
__fpos64_t, not _G_fpos64_t; FILE, not struct _IO_FILE;
cookie_io_functions_t, not _IO_cookie_io_functions_t;
__ssize_t, not _IO_ssize_t. Unconditionally define
BUFSIZ as 8192 and EOF as (-1).
* libio/bits/stdio.h: Add multiple-include guard. Use the "body"
macros from bits/types/struct_FILE.h instead of _IO_* macros
from libio.h; use __gnuc_va_list instead of va_list and __ssize_t
instead of _IO_ssize_t.
* libio/bits/stdio2.h: Similarly.
* libio/iolibio.h: Add multiple-include guard.
Include bits/libio.h after stdio.h.
* libio/libioP.h: Add multiple-include guard.
Include stdio.h and bits/libio.h before iolibio.h.
* include/bits/types/__fpos_t.h, include/bits/types/__fpos64_t.h
* include/bits/types/cookie_io_functions_t.h
* include/bits/types/struct_FILE.h: New wrappers.
* bits/_G_config.h, sysdeps/unix/sysv/linux/_G_config.h:
Get definitions of _G_fpos_t and _G_fpos64_t from
bits/types/__fpos_t.h and bits/types/__fpos64_t.h
respectively. Remove improper-inclusion guards.
* conform/data/stdio.h-data: Update expectations of va_list.
* scripts/check-installed-headers.sh: Remove special case for
libio.h and _G_config.h.
The getc and putc macros in the public stdio.h expand to call _IO_getc
and _IO_putc respectively. As _IO_getc, fgetc, and getc are all aliases
for the same function, and _IO_putc, fputc, and putc are also all aliases
for the same function, the macros are pointless. The C standard does
not require getc and putc to be macros, so let's just not have macros.
All four symbols are exported from libc.so at the same, ancient symbol
version, so there should be no risks for binary compatibility. Similarly,
the getchar and putchar inlines in bits/stdio.h forward to getc and putc
instead of their _IO_ aliases.
As a change from longstanding historical practice, this does seem
like it might break _something_, so there is a note in NEWS, which
is also a convenient place to advise people that if they thought getc
and putc had reduced per-character overhead they should consider using
getc_unlocked and putc_unlocked instead. (These are also not macros,
but when optimizing, they are inlines.)
* libio/stdio.h: Don't define getc or putc as macros.
* libio/bits/stdio.h (getchar, putchar): Use getc and putc,
not _IO_getc and _IO_putc.
The patch which moved libio.h proper into the bits directory also
changed the name of its guard macro, and I neglected to check whether
anything depended on that name. It turns out that there is a
conditionally-used bits header that looks at it; this broke the libgcc
build on at least sparc64-*-* and sparcv9-*-*.
* libio/bits/libio-ldbl.h: Correct check for improper
inclusion. Add own multiple include guard.
libio.h was originally the header for a set of supported GNU
extensions, but they have not been maintained as such in many years,
they are now standing in the way of improvements to stdio, and we
don't think there are any remaining external users. _G_config.h was
never intended for public use, but predates the bits convention.
Move both of these headers into the bits directory and provide stubs
at top level which issue deprecation warnings.
The contents of (bits/)libio.h and (bits/)_G_config.h are still
exposed to external software via stdio.h; changing that requires more
complex surgery than I have time to attempt right now.
* libio/libio.h, libio/_G_config.h: New stub headers which issue a
deprecation warning and then include <bits/libio.h>, <bits/_G_config.h>
respectively.
* libio/libio.h: Rename the original version of this file to
libio/bits/libio.h. Error out if not included by stdio.h or the
stub libio.h.
* include/libio.h: Move to include/bits. Forward to libio/bits/libio.h.
* sysdeps/generic/_G_config.h: Move to top-level bits/. Error out
if not included by bits/libio.h or the stub _G_config.h.
* sysdeps/unix/sysv/linux/_G_config.h: Move to
sysdeps/unix/sysv/linux/bits. Error out if not included by
bits/libio.h or the stub _G_config.h.
* libio/stdio.h: Include bits/libio.h, not libio.h.
* libio/Makefile: Install bits/libio.h and bits/_G_config.h as
well as libio.h and _G_config.h.
* csu/init.c, libio/fmemopen.c, libio/iolibio.h, libio/oldfmemopen.c
* libio/strfile.h, stdio-common/vfscanf.c
* sysdeps/pthread/flockfile.c, sysdeps/pthread/funlockfile.c
Include stdio.h, not _G_config.h nor libio.h.
* libio/iofgetpos.c: Also rename fgetpos64 out of the way.
* libio/iofsetpos.c: Also rename fsetpos64 out of the way.
* scripts/check-installed-headers.sh: Skip libio.h and _G_config.h.
GLRO (_rtld_global_ro) is read-only after initialization and can
therefore not be patched at run time, unlike the hook table addresses
and their contents, so this is a desirable hardening feature.
The hooks are only needed if ld.so has not been initialized, and this
happens only after static dlopen (dlmopen uses a single ld.so object
across all namespaces).
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Some libio operations fail to correctly free the backup area (created
by _IO_{w}default_pbackfail on unget{w}c) resulting in either invalid
buffer free operations or memory leaks.
For instance, on the example provided by BZ#22415 a following
fputc after a fseek to rewind the stream issues an invalid free on
the buffer. It is because although _IO_file_overflow correctly
(from fputc) correctly calls _IO_free_backup_area, the
_IO_new_file_seekoff (called by fseek) updates the FILE internal
pointers without first free the backup area (resulting in invalid
values in the internal pointers).
The wide version also shows an issue, but instead of accessing invalid
pointers it leaks the backup memory on fseek/fputwc operation.
Checked on x86_64-linux-gnu and i686-linux-gnu.
* libio/Makefile (tests): Add tst-bz22415.
(tst-bz22415-ENV): New rule.
(generated): Add tst-bz22415.mtrace and tst-bz22415.check.
(tests-special): Add tst-bz22415-mem.out.
($(objpfx)tst-bz22415-mem.out): New rule.
* libio/fileops.c (_IO_new_file_seekoff): Call _IO_free_backup_area
in case of a successful seek operation.
* libio/wfileops.c (_IO_wfile_seekoff): Likewise.
(_IO_wfile_overflow): Call _IO_free_wbackup_area in case a write
buffer is required.
* libio/tst-bz22415.c: New test.
Hide internal __fopen_maybe_mmap function to allow direct access within
libc.so and libc.a without using GOT nor PLT.
[BZ #18822]
* libio/iolibio.h (__fopen_maybe_mmap): Add attribute_hidden.
Mark __ptsname_internal, __mktime_internal and __fopen_internal with
attribute_hidden to allow direct access to them within libc.so and
libc.a without using GOT nor PLT.
[BZ #18822]
* include/stdlib.h (__ptsname_internal): Add attribute_hidden.
* include/time.h (__mktime_internal): Likewise.
* libio/iolibio.h (__fopen_internal): Likewise.
“Bengali” still remained in some comments in the bn_BD locale file,
in iso-639.def and in a test input file. Change it there as well.
“Bangla” is now used as the English name for this language in CLDR.
[BZ #14925]
* libio/tst-widetext.input: Change “Bengali” to “Bangla”.
* locale/iso-639.def: Change “Bengali” to “Bangla”.
* localedata/locales/bn_BD: “Bengali” was still used in some
comments. Change it to “Bangla”.
This patch consolidates all the non cancellable waitpid calls to use
the __waitpid_nocancel identifier. For non cancellable targets it will
be just a macro to call the default respective symbol while on Linux
will be a internal one.
Checked on x86_64-linux-gnu, x86_64-linux-gnu-x32, and i686-linux-gnu.
* libio/ioopen.c (_IO_waitpid): Replace waitpid_not_cancel with
__waitpid_nocancel.
* sysdeps/generic/not-cancel.h (waitpid_not_cancel): Remove macro.
(__waitpid_nocancel): New macro.
* sysdeps/unix/sysv/linux/not-cancel.h (waitpid_not_cancel): Remove
macro.
(__waitpid_nocancel): Replace macro with a function.
* sysdeps/unix/sysv/linux/waitpid.c (__waitpid_nocancel): New
function.
This patch consolidates all the non cancellable write calls to use
the __write_nocancel identifier. For non cancellable targets it will
be just a macro to call the default respective symbol while on Linux
will be a internal one.
Checked on x86_64-linux-gnu, x86_64-linux-gnu-x32, and i686-linux-gnu.
* sysdeps/generic/not-cancel.h (write_not_cancel): Remove macro.
(__write_nocancel): New macro.
* sysdeps/unix/sysv/linux/not-cancel.h (__write_nocancel):
Rewrite as a function prototype.
(write_not_cancel): Remove macro.
* sysdeps/unix/sysv/linux/write.c (__write_nocancel): New function.
* gmon/gmon.c (ERR): Replace write_not_cancel with __write_nocancel.
(write_gmon): Likewise.
* libio/fileops.c (_IO_new_file_write): Likewise.
* login/utmp_file.c (pututline_file): Likewise.
(updwtmp_file): Likewise.
* stdio-common/psiginfo.c (psiginfo): Likewise.
* sysdeps/posix/spawni.c (__spawni_child): Likewise.
* sysdeps/unix/sysv/linux/gethostid.c (sethostid): Likewise.
* sysdeps/unix/sysv/linux/libc_fatal.c (backtrace_and_maps):
Likewise.
* sysdeps/unix/sysv/linux/pthread_setname.c (pthread_setname_np):
Likewise.
This patch consolidates all the non cancellable read calls to use
the __read_nocancel identifier. For non cancellable targets it will
be just a macro to call the default respective symbol while on Linux
will be a internal one.
Also, since it is used on libcrypto it is also exported in GLIBC_PRIVATE
namespace.
Checked on x86_64-linux-gnu, x86_64-linux-gnu-x32, and i686-linux-gnu.
* sysdeps/generic/not-cancel.h (read_not_cancel): Remove macro.
(__read_nocancel): New macro.
* sysdeps/unix/sysv/linux/Versions (libc) [GLIBC_PRIVATE]: Add
__read_nocancel.
* sysdeps/unix/sysv/linux/not-cancel.h (__read_nocancel): Remove
macro.
(__read_nocancel): New prototype.
* sysdeps/unix/sysv/linux/read.c (__read_nocancel): New function.
* catgets/open_catalog.c (__open_catalog): Replace read_not_cancel
with __read_nocancel.
* intl/loadmsgcat.c (read): Likewise.
* libio/fileops.c (_IO_file_read): Likewise.
* locale/loadlocale.c (_nl_load_locale): Likewise.
* login/utmp_file.c (getutent_r_file): Likewise.
(internal_getut_r): Likewise.
(getutline_r_file): Likewise.
* sysdeps/unix/sysv/linux/fips-private.h (fips_enable_p): Likewise.
* sysdeps/unix/sysv/linux/gethostid.c (gethostid): Likewise.
* sysdeps/unix/sysv/linux/getloadavg.c (getloadavg): Likewise.
* sysdeps/unix/sysv/linux/getlogin_r.c (__getlogin_r_loginuid):
Likewise.
* sysdeps/unix/sysv/linux/getsysstats.c (next_line): Likewise.
* sysdeps/unix/sysv/linux/i386/smp.h (is_smp_system): Likewise.
* sysdeps/unix/sysv/linux/ia64/has_cpuclock.c (has_cpuclock):
Likewise.
* sysdeps/unix/sysv/linux/libc_fatal.c (backtrace_and_maps):
Likewise.
* sysdeps/unix/sysv/linux/malloc-sysdep.h (check_may_shrink_heap):
Likewise.
* sysdeps/unix/sysv/linux/pthread_getname.c (pthread_getname_np):
Likewise.
* sysdeps/unix/sysv/linux/sysconf.c (__sysconf): Likewise.
Single thread optimization is valid if at thread creation time the
optimization can be disabled. This is in principle true for all
stream objects that user code can access (and thus needs locking),
using the same internal list as fflush(0) uses. However in glibc
open_memstream is not on that list (BZ 21735) so the optimization
has to be disabled.
* libio/memstream.c (__open_memstream): Set _IO_FLAGS2_NEED_LOCK.
* libio/wmemstream.c (open_wmemstream): Likewise.
* nptl/tst-memstream.c: New.
Locking overhead can be significant in some stdio operations
that are common in single threaded applications.
This patch adds the _IO_FLAGS2_NEED_LOCK flag to indicate if
an _IO_FILE object needs to be locked and some of the stdio
functions just jump to their _unlocked variant when not. The
flag is set on all _IO_FILE objects when the first thread is
created. A new GLIBC_PRIVATE libc symbol, _IO_enable_locks,
was added to do this from libpthread.
The optimization can be applied to more stdio functions,
currently it is only applied to single flag check or single
non-wide-char standard operations. The flag should probably
be never set for files with _IO_USER_LOCK, but that's just a
further optimization, not a correctness requirement.
The optimization is valid in a single thread because stdio
operations are non-as-safe (so lock state is not observable
from a signal handler) and stdio locks are recursive (so lock
state is not observable via deadlock). The optimization is not
valid if a thread may be created while an stdio lock is taken
and thus it should be disabled if any user code may run during
an stdio operation (interposed malloc, printf hooks, etc).
This makes the optimization more complicated for some stdio
operations (e.g. printf), but those are bigger and thus less
important to optimize so this patch does not try to do that.
* libio/libio.h (_IO_FLAGS2_NEED_LOCK, _IO_need_lock): Define.
* libio/libioP.h (_IO_enable_locks): Declare.
* libio/Versions (_IO_enable_locks): New symbol.
* libio/genops.c (_IO_enable_locks): Define.
(_IO_old_init): Initialize flags2.
* libio/feof.c.c (_IO_feof): Avoid locking when not needed.
* libio/ferror.c (_IO_ferror): Likewise.
* libio/fputc.c (fputc): Likewise.
* libio/putc.c (_IO_putc): Likewise.
* libio/getc.c (_IO_getc): Likewise.
* libio/getchar.c (getchar): Likewise.
* libio/ioungetc.c (_IO_ungetc): Likewise.
* nptl/pthread_create.c (__pthread_create_2_1): Enable stdio locks.
* libio/iofopncook.c (_IO_fopencookie): Enable locking for the file.
* sysdeps/pthread/flockfile.c (__flockfile): Likewise.
wint_t is a little finicky because it might be defined by stddef.h, which
belongs to the compiler.
In addition to the _types_, a bunch of other declarations shared between
wctype.h and wchar.h are factored out to their own header.
* libio/bits/types/FILE.h, libio/bits/types/__FILE.h
* wcsmbs/bits/types/mbstate_t.h, wcsmbs/bits/types/__mbstate_t.h
* wcsmbs/bits/types/wint_t.h: New single-type definition files.
* wctype/bits/wctype-wchar.h: New file holding declarations shared
between wctype.h and wchar.h.
* libio/Makefile, wcsmbs/Makefile, wctype/Makefile:
Install them.
* include/bits/types/FILE.h, include/bits/types/__FILE.h
* include/bits/types/mbstate_t.h, include/bits/types/__mbstate_t.h
* include/bits/types/wint_t.h, include/bits/wcsmbs-wchar.h:
New wrappers.
* include/stdio.h, include/wchar.h, include/wctype.h:
No need to handle __need macros.
* grp/grp.h, gshadow/gshadow.h, hurd/hurd.h, iconv/gconv.h
* libio/stdio.h, mach/mach.h, misc/mntent.h, pwd/pwd.h
* shadow/shadow.h, stdio-common/printf.h, wcsmbs/uchar.h
* wcsmbs/wchar.h, wctype/wctype.h
* sysdeps/generic/_G_config.h, sysdeps/unix/sysv/linux/_G_config.h
Use the new files instead of __need macros.
As described in BZ#21398 (close as dup of 21393) report current
freopen implementation fails when one tries to freopen STDIN_FILENO,
STDOUT_FILENO, or STDERR_FILENO. Although on bug report the
discussion leads to argue if a close followed by a freopen on the
standard file is a valid operation, the underlying issue is not
really the check for dup3 returned value, but rather calling it
if the returned file descriptor is equal as the input one.
So for a quality of implementation this patch avoid calling dup3
for the aforementioned case. It also adds a dup3 error case check
for the two possible failures, with one being Linux only: EINTR and
EBUSY. The EBUSY issue is better explained on this stackoverflow
thread [1], but in a short it is due the internal Linux
implementation which allows a race condition window for dup2 due
the logic dissociation of file descriptor allocation and actual
VFS 'install' operation. For both outliers failures all allocated
memory is freed and a NULL FILE* is returned.
With this patch the example on BZ#21398 is now actually possible
(I used as the testcase for the bug report). Checked on
x86_64-linux-gnu.
[BZ #21393]
* libio/freopen.c (freopen): Avoid dup already opened file descriptor
and add a check for dup3 failure.
* libio/freopen64.c (freopen64): Likewise.
* libio/tst-freopen.c (do_test): Rename to do_test_basic and use
libsupport.
(do_test_bz21398): New test.
* manual/stdio.texi (freopen): Add documentation of EBUSY failure.
[1] http://stackoverflow.com/questions/23440216/race-condition-when-using-dup2
_IO_MTSAFE_IO controls whether stdio is *built* with support for
multithreading. In the distant past it might also have worked as a
feature selection macro, allowing library *users* to select
thread-safe or lock-free stdio at application build time, I haven't
done the archaeology. Nowadays, defining _IO_MTSAFE_IO while using
the installed headers, or in _ISOMAC mode, will cause libio.h to throw
syntax errors.
This patch removes _IO_MTSAFE_IO from the public headers
(specifically, from libio/libio.h). The most important thing it
controlled in there was whether libio.h defines _IO_lock_t itself or
expects stdio-lock.h to have done it, and we do still need a
inter-header communication macro for that, because stdio-lock.h can
only define _IO_lock_t as a typedef. I've invented
_IO_lock_t_defined, which is defined by both versions of stdio-lock.h.
_IO_MTSAFE_IO also controlled the definitions of a handful of macros
that _might_ count as part of the public libio.h interface. They are
now unconditionally given their non-_IO_MTSAFE_IO definition in
libio/libio.h, and include/libio.h redefines them with the
_IO_MTSAFE_IO definition. This should minimize the odds of breaking
old software that actually uses those macros.
I suspect that this entire mechanism is vestigial, and that glibc
won't build anymore if you *don't* define _IO_MTSAFE_IO, but that's
another patchset. The bulk of libio.h is internal-use-only stuff that
no longer makes sense to expose (libstdc++ gave up on making a FILE
the same object as a C++ filebuf *decades* ago) but that, too, is
another patchset.
* libio/libio.h: Condition dummy definition of _IO_lock_t on
_IO_lock_t_defined, not _IO_MTSAFE_IO. Unconditionally use the
non-_IO_MTSAFE_IO definitions for _IO_peekc, _IO_flockfile,
_IO_funlockfile, and _IO_ftrylockfile. Only define
_IO_cleanup_region_start and _IO_cleanup_region_end if not
already defined.
* include/libio.h: If _IO_MTSAFE_IO is defined, redefine
_IO_peekc, _IO_flockfile, _IO_funlockfile, and _IO_ftrylockfile
appropriately.
* sysdeps/generic/stdio-lock.h, sysdeps/nptl/stdio-lock.h:
Define _IO_lock_t_defined after defining _IO_lock_t.
__need_getopt is misnamed; what it really means is "we want only the
getopt features specified in POSIX, not the GNU extensions". Because
this code is shared with gnulib, it winds up being cleanest to split
getopt.h into *four* headers. getopt_core.h and getopt_ext.h will
be shared with gnulib, getopt_posix.h will be just for glibc, and
each project will have its own copy of getopt.h.
* posix/bits/getopt_core.h, posix/bits/getopt_ext.h:
New files, intended to be shared with gnulib.
* posix/bits/getopt_posix.h:
New file, not intended to be shared with gnulib.
* posix/getopt.h: Now just includes features.h,
bits/getopt_core.h, and bits/getopt_ext.h. Will
no longer be shared with gnulib.
* include/bits/getopt_core.h, include/bits/getopt_ext.h
* include/bits/getopt_posix.h: New wrappers.
* posix/Makefile: Install new headers.
* posix/unistd.h, libio/stdio.h:
Include bits/getopt_posix.h instead of getopt.h.
glibc headers include some code (not particularly consistent or
systematic) to put various declarations in C++ namespaces std and
__c99, if _GLIBCPP_USE_NAMESPACES is defined.
As noted in <https://gcc.gnu.org/ml/libstdc++/2017-03/msg00025.html>,
this macro was removed from libstdc++ in 2000. I don't expect
compilation with such old versions of libstdc++ to work with current
glibc headers anyway (whereas old *binaries* are expected to stay
working with current glibc); this patch (which should be a no-op with
any libstdc++ version postdating that removal) removes all this code
from the glibc headers.
The begin-end-check.pl test, whose comments say it is about checking
these namespace macro calls, is also removed. The code in that test
would have covered __BEGIN_DECLS / __END_DECLS as well, but if those
weren't properly matched it would show up with the
check-installed-headers-cxx tests, so I don't think there is an actual
use for keeping begin-end-check.pl with the namespace code removed.
Tested for x86_64 and x86 (testsuite, and that installed stripped
shared libraries are unchanged by the patch).
* misc/sys/cdefs.h (__BEGIN_NAMESPACE_STD): Remove macro.
(__END_NAMESPACE_STD): Likewise.
(__USING_NAMESPACE_STD): Likewise.
(__BEGIN_NAMESPACE_C99): Likewise.
(__END_NAMESPACE_C99): Likewise.
(__USING_NAMESPACE_C99): Likewise.
* math/math.h (_Mdouble_BEGIN_NAMESPACE): Do not define and
undefine macro.
(_Mdouble_END_NAMESPACE): Likewise.
* ctype/ctype.h: Do not handle C++ namespaces.
* libio/bits/stdio-ldbl.h: Likewise.
* libio/stdio.h: Likewise.
* locale/locale.h: Likewise.
* math/bits/mathcalls.h: Likewise.
* setjmp/setjmp.h: Likewise.
* signal/signal.h: Likewise.
* stdlib/bits/stdlib-float.h: Likewise.
* stdlib/bits/stdlib-ldbl.h: Likewise.
* stdlib/stdlib.h: Likewise.
* string/string.h: Likewise.
* sysdeps/x86/fpu/bits/mathinline.h: Likewise.
* time/bits/types/clock_t.h: Likewise.
* time/bits/types/struct_tm.h: Likewise.
* time/bits/types/time_t.h: Likewise.
* time/time.h: Likewise.
* wcsmbs/bits/wchar-ldbl.h: Likewise.
* wcsmbs/uchar.h: Likewise.
* wcsmbs/wchar.h: Likewise.
[_GLIBCPP_USE_NAMESPACES] (wint_t): Remove conditional definition.
* wctype/wctype.h: Do not handle C++ namespaces.
* scripts/begin-end-check.pl: Remove.
* Makefile (installed-headers): Likewise.
(tests-special): Do not add $(objpfx)begin-end-check.out.
($(objpfx)begin-end-check.out): Remove.
gets has the dubious honor of being the only C89 library feature that
has been completely removed from the current C and C++ standards.
glibc follows suit by not declaring it in _GNU_SOURCE mode either,
but it remains present in older compatibility modes. Internally,
two test cases need to see stdio.h make the declaration, but all our
internal code is of course compiled under _GNU_SOURCE. This is currently
kludged by duplicating the gets declaration, fortify wrapper and all,
in include/stdio.h. Also, the conditional in the public headers for
deciding when to declare gets is complicated and repeated in two places.
This patch adds a new macro to features.h that encapsulates the
complicated rule for when to declare gets. stdio.h and bits/stdio2.h
then simply test __GLIBC_USE (DEPRECATED_GETS), and instead of having
a duplicate gets declaration in include/stdio.h, debug/tst-chk1.c and
stdio-common/tst-gets.c can force gets to be declared.
* include/features.h (__GLIBC_USE_DEPRECATED_GETS): New macro.
* libio/stdio.h, libio/bits/stdio2.h: Condition gets on
__GLIBC_USE (DEPRECATED_GETS). Update comments to indicate
gets was removed from C++ in C++14.
* include/stdio.h: Remove redundant declaration of gets.
* debug/tst-chk1.c, stdio-common/tst-gets.c: Force gets to
be declared, since we are testing it.
* stdio-common/Makefile (tst-gets.c): Compile with
-Wno-deprecated-declarations.
* debug/Makefile (tst-chk1.c, tst-chk2.c, tst-chk3.c, tst-chk4.cc)
(tst-chk5.cc, tst-chk6.cc, tst-lfschk1.c, tst-lfschk2.c)
(tst-lfschk3.c, tst-lfschk4.cc, tst-lfschk5.cc, tst-lfschk6.cc):
Compile with -Wno-deprecated-declarations.