musl/src/time, branch master musl - an implementation of the standard library for Linux-based systems fix incorrect access to tzname[] by strptime %Z conversion specifier 2026-03-30T19:57:10+00:00 Rich Felker dalias@aerifal.cx 2026-03-23T01:32:35+00:00 0572555dab1d1e10b5f7351a005ec588cab41e25 there are three issues here: 1. if tzset has not been called (explicitly or implicitly), the tzname[] array will contain null pointers, and the dereference to compare against them has undefined behavior (and will fault). 2. access to tzname[] was performed without the timezone lock held. this resulted in a data race if the timezone is concurrently changed from another thread. 3. due to unintended signedness of the types, the open-coded isalpha in the non-matching case was wrong and would continue past null termination. to fix the first two issues, the body of the %Z conversion is moved to __tz.c where it has access to locking, and null checks are added. there is probably an argument to be made that the equivalent of tzset should happen here, but POSIX does not specify that to happen, so in the absence of an interpretation adding such an allowance or requirement, it is not done. the third issue is fixed just by using the existing isalpha macro. 
there are three issues here:

1. if tzset has not been called (explicitly or implicitly), the
tzname[] array will contain null pointers, and the dereference to
compare against them has undefined behavior (and will fault).

2. access to tzname[] was performed without the timezone lock held.
this resulted in a data race if the timezone is concurrently changed
from another thread.

3. due to unintended signedness of the types, the open-coded isalpha
in the non-matching case was wrong and would continue past null
termination.

to fix the first two issues, the body of the %Z conversion is moved to
__tz.c where it has access to locking, and null checks are added.

there is probably an argument to be made that the equivalent of tzset
should happen here, but POSIX does not specify that to happen, so in
the absence of an interpretation adding such an allowance or
requirement, it is not done.

the third issue is fixed just by using the existing isalpha macro.
SIGEV_THREAD timers: re-block signals when reusing kernel thread 2024-12-13T11:41:54+00:00 Rich Felker dalias@aerifal.cx 2024-12-13T11:41:54+00:00 561cd07dff8003251729569e5539b00698941697 previously, we left any changes made by the application to the timer thread's signal mask active when resetting the thread state for reuse. not only did this violate the intended invariant that timer threads start with all signals blocked; it also allowed application code to execute in a thread that, formally, did not exist. and further, if the internal SIGTIMER signal became unblocked, it could also lead to missed timer expiration events. 
previously, we left any changes made by the application to the timer
thread's signal mask active when resetting the thread state for reuse.
not only did this violate the intended invariant that timer threads
start with all signals blocked; it also allowed application code to
execute in a thread that, formally, did not exist. and further, if the
internal SIGTIMER signal became unblocked, it could also lead to
missed timer expiration events.
SIGEV_THREAD timers: fix fatal signal if internal SIGTIMER becomes unblocked 2024-12-13T11:31:40+00:00 Rich Felker dalias@aerifal.cx 2024-12-13T11:31:40+00:00 47fa6e4fcc5f61c365c91a9bc90e7ed8b3a178ef commit 6ae2568bc2367b4d47e0ea1cb043fd56e697912f introduced a fatal signal condition if the internal timer signal used for SIGEV_THREAD timers is unblocked. this can happen whenever the application alters the signal mask with SIG_SETMASK, since sigset_t objects never include the bits used for implementation-internal signals. this patch effectively reverts the breakage by adding back a no-op signal handler. overruns will not be accounted if the timer signal becomes unblocked, but POSIX does not specify them except for SIGEV_SIGNAL timers anyway. 
commit 6ae2568bc2367b4d47e0ea1cb043fd56e697912f introduced a fatal
signal condition if the internal timer signal used for SIGEV_THREAD
timers is unblocked. this can happen whenever the application alters
the signal mask with SIG_SETMASK, since sigset_t objects never include
the bits used for implementation-internal signals.

this patch effectively reverts the breakage by adding back a no-op
signal handler.

overruns will not be accounted if the timer signal becomes unblocked,
but POSIX does not specify them except for SIGEV_SIGNAL timers anyway.
timer_create: replace pthread barrier with semaphores for thread start 2024-07-24T16:56:01+00:00 Rich Felker dalias@aerifal.cx 2024-07-24T16:41:04+00:00 cde213f9c3ac1aa168581222edee6a6642113323 our pthread barrier implementation reportedly has bugs that are could lead to malfunction or crash in timer_create. while this has not been reviewed to confirm, there have been past reports of pthread barrier bugs, and it seems likely that something is actually wrong. pthread barriers are an obscure primitive, and timer_create is the only place we are using them internally at present. even if they were working correctly, this means we are imposing linking of otherwise likely-dead code whenever timer_create is used. a pair of semaphores functions identically to a 2-waiter barrier except for destruction order properties. since the parent is responsible for the argument structure (including semaphores) lifetimes, the last operation on them in the timer thread must be posting to the parent. 
our pthread barrier implementation reportedly has bugs that are could
lead to malfunction or crash in timer_create. while this has not been
reviewed to confirm, there have been past reports of pthread barrier
bugs, and it seems likely that something is actually wrong.

pthread barriers are an obscure primitive, and timer_create is the
only place we are using them internally at present. even if they were
working correctly, this means we are imposing linking of otherwise
likely-dead code whenever timer_create is used.

a pair of semaphores functions identically to a 2-waiter barrier
except for destruction order properties. since the parent is
responsible for the argument structure (including semaphores)
lifetimes, the last operation on them in the timer thread must be
posting to the parent.
move __utc string object to its own translation unit 2024-07-23T16:01:41+00:00 Rich Felker dalias@aerifal.cx 2024-07-23T16:01:41+00:00 ef7d0ae21240eac9fc1e8088112bfb0fac507578 having it in __tz.c caused gmtime[_r] and timegm to pull in all of the time zone code despite having no need for it. 
having it in __tz.c caused gmtime[_r] and timegm to pull in all of the
time zone code despite having no need for it.
strptime: implement conversion specifiers adopted for next POSIX issue 2024-05-06T23:04:55+00:00 Rich Felker dalias@aerifal.cx 2024-05-06T22:40:23+00:00 fced99e93daeefb0192fd16304f978d4401d1d77 the %s conversion is added as the outcome of Austin Group tracker issue 169 and its unspecified behavior is clarified as the outcome of issue 1727. the %F, %g, %G, %u, %V, %z, and %Z conversions are added as the outcome of Austin Group tracker issue 879 for alignment with strftime and the behaviors of %u, %z, and %Z are defined as the outcome of issue 1727. at this time, the conversions with unspecified effects on struct tm are all left as parse-only no-ops. this may be changed at a later time, particularly for %s, if there is reasonable cross-implementation consensus outside the standards process on what the behavior should be. 
the %s conversion is added as the outcome of Austin Group tracker
issue 169 and its unspecified behavior is clarified as the outcome of
issue 1727.

the %F, %g, %G, %u, %V, %z, and %Z conversions are added as the
outcome of Austin Group tracker issue 879 for alignment with strftime
and the behaviors of %u, %z, and %Z are defined as the outcome of
issue 1727.

at this time, the conversions with unspecified effects on struct tm
are all left as parse-only no-ops. this may be changed at a later
time, particularly for %s, if there is reasonable cross-implementation
consensus outside the standards process on what the behavior should
be.
strftime: fix breakage in last change (uninitialized pointer access) 2024-02-16T14:33:03+00:00 Rich Felker dalias@aerifal.cx 2024-02-12T22:35:48+00:00 4a16ddf53e7c634169d0a649782f8a724611f263 commit f47a5d400b8ffa26cfc5b345dbff52fec94ac7f3 overlooked that strtoul was responsible for setting p to a const-laundered copy of the format string pointer f, even in the case where there was no number to parse. by making the call conditional on isdigit, that copy was lost. the logic here is a mess and should be cleaned up, but for now, this seems to be the least invasive change that undoes the breakage. 
commit f47a5d400b8ffa26cfc5b345dbff52fec94ac7f3 overlooked that
strtoul was responsible for setting p to a const-laundered copy of the
format string pointer f, even in the case where there was no number to
parse. by making the call conditional on isdigit, that copy was lost.

the logic here is a mess and should be cleaned up, but for now, this
seems to be the least invasive change that undoes the breakage.
strftime: don't attempt to parse field width without seeing a digit 2023-11-21T21:33:15+00:00 Rich Felker dalias@aerifal.cx 2023-11-21T21:33:15+00:00 f47a5d400b8ffa26cfc5b345dbff52fec94ac7f3 strtoul will consume leading whitespace or sign characters, which are not valid in this context, thereby accepting invalid field specifiers. so, avoid calling it unless there is a number to parse as the width. 
strtoul will consume leading whitespace or sign characters, which are
not valid in this context, thereby accepting invalid field specifiers.
so, avoid calling it unless there is a number to parse as the width.
__year_to_secs: fix dangling pointer 2023-11-06T18:29:07+00:00 Alex Xu (Hello71) alex_y_xu@yahoo.ca 2023-11-01T23:37:44+00:00 2d84486a08c57d00b647586b7cbe2dcec2728e81 The lifetime of the compound literal ends after the "if" statement's implicit block. gcc also warns about this. 
The lifetime of the compound literal ends after the "if" statement's
implicit block. gcc also warns about this.
timer_create: volatile static -> static volatile 2023-11-06T18:28:28+00:00 Alex Xu (Hello71) alex_y_xu@yahoo.ca 2023-11-01T23:37:08+00:00 c5459df18879dad8f5388480d588edbcbd1b7eb2 C11 6.11.5p1: > The placement of a storage-class specifier other than at the > beginning of the declaration specifiers in a declaration is an > obsolescent feature. gcc also warns about this. 
C11 6.11.5p1:

> The placement of a storage-class specifier other than at the
> beginning of the declaration specifiers in a declaration is an
> obsolescent feature.

gcc also warns about this.