summaryrefslogtreecommitdiff
path: root/src/stdio
AgeCommit message (Collapse)AuthorLines
2012-10-18avoid raising spurious division-by-zero exception in printfRich Felker-1/+1
2012-10-18overhaul system() and popen() to use vfork; fix various related bugsRich Felker-24/+44
since we target systems without overcommit, special care should be taken that system() and popen(), like posix_spawn(), do not fail in processes whose commit charges are too high to allow ordinary forking. this in turn requires special precautions to ensure that the parent process's signal handlers do not end up running in the shared-memory child, where they could corrupt the state of the parent process. popen has also been updated to use pipe2, so it does not have a fd-leak race in multi-threaded programs. since pipe2 is missing on older kernels, (non-atomic) emulation has been added. some silly bugs in the old code should be gone too.
2012-09-29add 'e' modifier (close-on-exec) to fopen and fdopenRich Felker-2/+5
this feature will be in the next version of POSIX, and can be used internally immediately. there are many internal uses of fopen where close-on-exec is needed to fix bugs.
2012-09-29fix some more O_CLOEXEC/SOCK_CLOEXEC issuesRich Felker-1/+1
2012-09-06fix invalid implicit pointer conversion in gnulib-compat functionsRich Felker-1/+1
2012-09-06use restrict everywhere it's required by c99 and/or posix 2008Rich Felker-43/+43
to deal with the fact that the public headers may be used with pre-c99 compilers, __restrict is used in place of restrict, and defined appropriately for any supported compiler. we also avoid the form [restrict] since older versions of gcc rejected it due to a bug in the original c99 standard, and instead use the form *restrict.
2012-08-25implement "low hanging fruit" from C11Rich Felker-2/+2
based on Gregor's patch sent to the list. includes: - stdalign.h - removing gets in C11 mode - adding aligned_alloc and adjusting other functions to use it - adding 'x' flag to fopen for exclusive mode
2012-08-11add bsd fgetln functionRich Felker-0/+20
optimized to avoid allocation and return lines directly out of the stream buffer whenever possible.
2012-08-10minor but worthwhile optimization in printf: avoid expensive strspnRich Felker-4/+2
the strspn call was made for every format specifier and end-of-string, even though the expected return value was 1-2 for normal usage. replace with simple loop.
2012-08-10trivial optimization to printf: avoid wasted call frameRich Felker-1/+1
amusingly, this cuts more than 10% off the run time of printf("a"); on the machine i tested it on. sadly the same optimization is not possible for snprintf without duplicating all the pseudo-FILE setup code, which is not worth it.
2012-07-04putw is supposed to return 0 (not the value written) on successRich Felker-1/+1
this is not a standard but it's the traditional behavior and it's more useful because the caller can reliably detect errors.
2012-07-04make sure getw/putw agree with prototypes by defining _GNU_SOURCERich Felker-0/+2
2012-07-02fix missing function declarations for __stdio_exitRich Felker-0/+4
2012-06-20fix fwrite return value when full write does not succeedRich Felker-1/+1
2012-06-20avoid cancellation in pcloseRich Felker-3/+4
at the point pclose might receive and act on cancellation, it has already invalidated the FILE passed to it. thus, per musl's QOI guarantees about cancellation and resource allocation/deallocation, it's not a candidate for cancellation. if it were required to be a cancellation point by posix, we would have to switch the order of deallocation, but somehow still close the pipe in order to trigger the child process to exit. i looked into doing this, but the logic gets ugly, and i'm not sure the semantics are conformant, so i'd rather just leave it alone unless there's a need to change it.
2012-06-20fix invalid memory access in pcloseRich Felker-1/+2
2012-06-20make popen cancellation-safeRich Felker-0/+7
close was the only cancellation point called from popen, but it left popen with major resource leaks if any call to close got cancelled. the easiest, cheapest fix is just to use a non-cancellable close function.
2012-06-20popen: handle issues with fd0/1 being closedRich Felker-3/+3
also check for failure of dup2 and abort the child rather than reading/writing the wrong file.
2012-06-20fix another oob pointer arithmetic issue in printf floating pointRich Felker-1/+1
this one could never cause any problems unless the compiler/machine goes to extra trouble to break oob pointer arithmetic, but it's best to fix it anyway.
2012-06-20minor perror behavior fixRich Felker-1/+1
patch by nsz
2012-06-19fix pointer overflow bug in floating point printfRich Felker-3/+3
large precision values could cause out-of-bounds pointer arithmetic in computing the precision cutoff (used to avoid expensive long-precision arithmetic when the result will be discarded). per the C standard, this is undefined behavior. one would expect that it works anyway, and in fact it did in most real-world cases, but it was randomly (depending on aslr) crashing in i386 binaries running on x86_64 kernels. this is because linux puts the userspace stack near 4GB (instead of near 3GB) when the kernel is 64-bit, leading to the out-of-bounds pointer arithmetic overflowing past the end of address space and giving a very low pointer value, which then compared lower than a pointer it should have been higher than. the new code rearranges the arithmetic so that no overflow can occur. while this bug could crash printf with memory corruption, it's unlikely to have security impact in real-world applications since the ability to provide an extremely large field precision value under attacker-control is required to trigger the bug.
2012-06-19add new stdio extension functions to make gnulib happyRich Felker-0/+24
this is mildly ugly, but less ugly than gnulib trying to poke at the definition of the FILE structure...
2012-06-19stdio: handle file position correctly at program exitRich Felker-3/+35
for seekable files, posix imposed requirements on the offset of the underlying open file description after a stream is closed. this was correctly handled (as a side effect of the unconditional fflush call) when streams were explicitly closed by fclose, but was not handled correctly at program exit time, where fflush(0) was being used. the weak symbol hackery is to pull in __stdio_exit if either of __toread or __towrite is used, but avoid calling it twice so we don't have to keep extra state. the new __stdio_exit is a streamlined fflush variant that avoids performing any unnecessary operations and which never unlocks the files or open file list, so we can be sure no other threads write new data to a stream's buffer after it's already flushed.
2012-06-19minor cleanup in fflushRich Felker-5/+1
2012-06-19remove flush hook cruft that was never used from stdioRich Felker-4/+0
there is no need/use for a flush hook. the write function serves this purpose already. i originally created the hook for implementing mem streams based on a mistaken reading of posix, and later realized it wasn't useful but never removed it until now.
2012-06-17change stdio_ext __freading/__fwriting semantics slightlyRich Felker-2/+2
the old behavior was to only consider a stream to be "reading" or "writing" if it had buffered, unread/unwritten data. this reportedly differs from the traditional behavior of these functions, which is essentially to return true as much as possible without creating the possibility that both __freading and __fwriting could return true. gnulib expects __fwriting to return true as soon as a file is opened write-only, and possibly expects other cases that depend on the traditional behavior. and since these functions exist mostly for gnulib (does anything else use them??), they should match the expected behavior to avoid even more ugly hacks and workarounds...
2012-06-17fdopen should set errno when it fails due to invalid mode stringRich Felker-1/+4
2012-06-08fix %ls breakage in last printf fixRich Felker-2/+2
signedness issue kept %ls with no precision from working at all
2012-06-08fix printf %ls with precision limit over-read issueRich Felker-2/+2
printf was not printing too many characters, but it was reading one too many wchar_t elements from the input. this could lead to crashes if running off the page, or spurious failure if the conversion of the extra wchar_t resulted in EILSEQ.
2012-06-07fix scanf bug reading literals after width-limited fieldRich Felker-0/+1
the field width limit was not being cleared before reading the literal, causing spurious failures in scanf in cases like "%2d:" scanning "00:".
2012-06-02add some ugly aliases for LSB ABI compatibilityRich Felker-0/+8
for some nonsensical reason, glibc's headers use inline functions that redirect some of the standard functions to ugly nonstandard names (and likewise for some of their nonstandard functions).
2012-05-25avoid using pthread cleanup push/pop in stdio when not neededRich Felker-6/+14
unfortunately in dynamic-linked programs, these macros cause pthread_self to be initialized, which costs a couple syscalls, and (much worse) would necessarily fail, crash, and burn on ancient (2.4 and earlier) kernels where setting up a thread pointer does not work. i'd like to do this in a more generic way that avoids all use of cleanup push/pop before pthread_self has been successfully called and avoids ugly if/else constructs like the one in this commit, but for now, this will suffice.
2012-05-04fix uninitialized var in vfwprintf printing 0-prec stringRich Felker-1/+1
this could lead to spurious failures of wide printf functions
2012-04-19fix really bad breakage in strtol, etc.: failure to accept leading spacesRich Felker-1/+1
2012-04-17fix wide scanf's handling of input failure on %c, and simplify %[Rich Felker-5/+6
2012-04-17fix failure to distinguish input/match failure in wide %[ scanfRich Felker-2/+4
this also includes a related fix for vswscanf's read function, which was returning a spurious (uninitialized) character for empty strings.
2012-04-17fix over-read in %ls with non-wide scanfRich Felker-0/+1
2012-04-17fix broken %s and %[ with no width specifier in wide scanfRich Felker-3/+7
2012-04-17make wide scanf %[ respect widthRich Felker-2/+3
2012-04-17fix wide scanf to respect field width for stringsRich Felker-4/+7
2012-04-17fix some bugs in scanf %[ handling detected while writing the wide versionRich Felker-4/+4
2012-04-17introduce new wide scanf code and remove the last remnants of old scanfRich Felker-524/+312
at this point, strto* and all scanf family functions are using the new unified integer and floating point parser/converter code. the wide scanf is largely a wrapper for ordinary byte-based scanf; since numbers can only contain ascii characters, only strings need to be handled specially.
2012-04-17avoid depending on POSIX symbol in code used from plain C functionsRich Felker-1/+3
2012-04-17avoid null pointer dereference on %*p fields in scanfRich Felker-1/+1
2012-04-17also ensure that write buffer is bounded when __stdio_write returnsRich Felker-0/+1
assuming other code is correct, this should be a no-op, but better to be safe...
2012-04-17fix buffer overflow in vfprintf on long writes to unbuffered filesRich Felker-1/+2
vfprintf temporarily swaps in a local buffer (for the duration of the operation) when the target stream is unbuffered; this both simplifies the implementation of functions like dprintf (they don't need their own buffers) and eliminates the pathologically bad performance of writing the formatted output with one or more write syscalls per formatting field. in cases like dprintf where we are dealing with a virgin FILE structure, everything worked correctly. however for long-lived files (like stderr), it's possible that the buffer bounds were already set for the internal zero-size buffer. on the next write, __stdio_write would pick up and use the new buffer provided by vfprintf, but the bound (wend) field was still pointing at the internal zero-size buffer's end. this in turn allowed unbounded writes to the temporary buffer.
2012-04-16fix %lf, etc. with printfRich Felker-0/+2
the l prefix is redundant/no-op with printf, since default promotions always promote floats to double; however, it is valid, and printf was wrongly rejecting it.
2012-04-16new scanf implementation and corresponding integer parser/converterRich Felker-30/+343
advantages over the old code: - correct results for floating point (old code was bogus) - wide/regular scanf separated so scanf does not pull in wide code - well-defined behavior on integers that overflow dest type - support for %[a-b] ranges with %[ (impl-defined by widely used) - no intermediate conversion of fmt string to wide string - cleaner, easier to share code with strto* functions - better standards conformance for corner cases the old code remains in the source tree, as the wide versions of the scanf-family functions are still using it. it will be removed when no longer needed.
2012-03-13fix scanf handling of "0" (followed by immediate EOF) with "%x"Rich Felker-11/+6
other cases with %x were probably broken too. I would actually like to go ahead and replace this code in scanf with calls to the new __intparse framework, but for now this calls for a quick and unobtrusive fix without the risk of breaking other things.
2012-02-02make stdio open, read, and write operations cancellation pointsRich Felker-5/+28
it should be noted that only the actual underlying buffer flush and fill operations are cancellable, not reads from or writes to the buffer. this behavior is compatible with POSIX, which makes all cancellation points in stdio optional, and it achieves the goal of allowing cancellation of a thread that's "stuck" on IO (due to a non-responsive socket/pipe peer, slow/stuck hardware, etc.) without imposing any measurable performance cost.