$ math/test-ldouble-pow
testing long double (without inline functions)
UBSAN: Undefined behaviour in ../sysdeps/ieee754/ldbl-96/s_roundl.c:75:28 left shift of 1 by 31 cannot be represented in type 'int'
Aborted
UBSAN: Undefined behaviour in ../sysdeps/ieee754/ldbl-96/s_llroundl.c:70:25 left shift of 4294967296 by 31 cannot be represented in type 'long long int'
The right shift is undefined if value overflow, but code is assuming
an arithmetic shift.
$ math/test-ldouble-roundeven
UBSAN: Undefined behaviour in ../sysdeps/ieee754/ldbl-96/s_roundl.c:75:28 left shift of 1 by 31 cannot be represented in type 'int'
Also adds the inputs that triggers it on isnan testcase.
UBSAN: Undefined behaviour in tst-sprofil.c:140:6 unsigned integer overflow: 2432902008176640000 + 7812407968270641256 cannot be represened in type 'long int'
Building with ubsan on 32 bit architecture, tst-ffs shows:
ffsll(0x4000000000000000) as expected 63
UBSAN: Undefined behaviour in ffsll.c:37:34 negation of 9223372036854775808 cannot be represented in type 'long long int'
Since the idea is to isolate the least significant bit, use unsigned
types.
stdio: Fix test-printf-ldbl-compat.c build with ubsan
On powercp64le with --enable-ubsan the build fails with:
In file included from ../include/bits/stdio2.h:1,
from ../libio/stdio.h:967,
from ../include/stdio.h:14,
from ../sysdeps/ieee754/ldbl-128ibm-compat/test-printf-ldbl-compat.c:21,
from ../sysdeps/ieee754/ldbl-128ibm-compat/test-printf-ieee128.c:1:
In function ‘vfprintf’,
inlined from ‘do_test_call_varg’ at ../sysdeps/ieee754/ldbl-128ibm-compat/test-printf-ldbl-compat.c:56:3:
../libio/bits/stdio2.h:166:10: error: null format string [-Werror=format-overflow=]
166 | return __vfprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, __fmt, __ap);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘vsnprintf’,
inlined from ‘do_test_call_varg’ at ../sysdeps/ieee754/ldbl-128ibm-compat/test-printf-ldbl-compat.c:68:3:
../libio/bits/stdio2.h:100:10: error: null format string [-Werror=format-truncation=]
100 | return __builtin___vsnprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
101 | __glibc_objsize (__s), __fmt, __ap);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘fprintf’,
inlined from ‘do_test_call_rarg.constprop’ at ../sysdeps/ieee754/ldbl-128ibm-compat/test-printf-ldbl-compat.c:104:3:
../libio/bits/stdio2.h:111:10: error: null format string [-Werror=format-overflow=]
111 | return __fprintf_chk (__stream, __USE_FORTIFY_LEVEL - 1, __fmt,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
112 | __va_arg_pack ());
| ~~~~~~~~~~~~~~~~~
In function ‘printf’,
inlined from ‘do_test_call_rarg.constprop’ at ../sysdeps/ieee754/ldbl-128ibm-compat/test-printf-ldbl-compat.c:108:3:
../libio/bits/stdio2.h:118:10: error: null format string [-Werror=format-overflow=]
118 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘snprintf’,
inlined from ‘do_test_call_rarg.constprop’ at ../sysdeps/ieee754/ldbl-128ibm-compat/test-printf-ldbl-compat.c:112:3:
../libio/bits/stdio2.h:68:10: error: null format string [-Werror=format-truncation=]
68 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
69 | __glibc_objsize (__s), __fmt,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
70 | __va_arg_pack ());
| ~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
UBSAN: Undefined behaviour in ../sysdeps/ieee754/float128/../ldbl-128/s_isnanl.c:29:30 negation of 9223372036854775808 cannot be represented in type 'long int'
UBSAN: Undefined behaviour in ../sysdeps/ieee754/float128/../ldbl-128/e_atan2l.c:68:9 unsigned integer overflow: 9223372036854775808 - 4611404543450677248 cannot be represened in type 'long int'
UBSAN: Undefined behaviour in jrand48_r.c:29:34 left shift of 41612 by 16 cannot be represented in type 'int'
UBSAN: Undefined behaviour in erand48_r.c:39:45 left shift of 3972 by 20 cannot be represented in type 'int'
Fix by casting to uint32_t for the shift operation.
powerpc: Use generic ilogb/ilogbf and refactor ilogbf128
The powerpc64 leverages the use of xsxexpdp and xsxexpqp for
for both ilogb/ilogbf for float, double, and float128 types.
However with the new generic ilogb/ilogbf, this is not really
a gain anymore.
On POWER9 with gcc-13, the xsxexpdp/xsxexpqp shows:
The xsxexpdp/xsxexpqp also adds some extra code size overhead since it
uses the generic ilogb/ilogbf for 0/inf/NaN handling. It is still kept
for float128, and this patch also optimizes it to avoid need to call
extra generic symbol to handle not number inputs.
On same hardware (POWER9/gcc-13) it shows the improvement:
The new float and double implementation does not required an
extra function call and error handling uses math_err function,
which results in better performance on i386 as well.
With gcc-14 on AMD AMD Ryzen 9 5900X, master shows:
It removes the wrapper by moving the error/EDOM handling to an
out-of-line implementation (__math_invalidf_i/__math_invalidf_li).
Also, __glibc_unlikely is used on errors case since it helps
code generation on recent gcc.
* i386 and m68k requires to use the template version, since
both provide __ieee754_ilogb implementatations.
* loongarch uses a custom implementation as well.
* powerpc64le also has a custom implementation for POWER9, which
is also used for float and float128 version. The generic
e_ilogb.c implementation is moved on powerpc to keep the
current code as-is.
Checked on aarch64-linux-gnu and x86_64-linux-gnu.
It removes the wrapper by moving the error/EDOM handling to an
out-of-line implementation (__math_invalid_i/__math_invalid_li).
Also, __glibc_unlikely is used on errors case since it helps
code generation on recent gcc.
* i386 and m68k requires to use the template version, since
both provide __ieee754_ilogb implementatations.
* loongarch uses a custom implementation as well.
* powerpc64le also has a custom implementation for POWER9, which
is also used for float and float128 version. The generic
e_ilogb.c implementation is moved on powerpc to keep the
current code as-is.
Checked on aarch64-linux-gnu and x86_64-linux-gnu.
The subnormal exponent calculation invokes UB by left shifting the
signed expoenent to find the first leading bit. The implementation
also uses 32 bits operations, which generates suboptimal code in
64 bits architectures.
The patch reimplements ilogb using the math_config.h macros and
uses the new stdbit function to simplify the subnormal handling.
The ubsan triggers on elf/tst-tls-allocation-failure-static-patched:
UBSAN: Undefined behaviour in ../sysdeps/unix/sysv/linux/dl-early_allocate.c:58:16 pointer index expression with base 0x0000555578792000 overflowed to 0x8000555578792cc0
The function is called with a size larger than PTRDIFF_MAX, and
the addition than overflow. Fix it by limiting the size up to
PTRDIFF_MAX, like all other malloc functions.
[...]linkobj/libc_pic.a(setcontext.os): in function `__start_context':
[...]sysdeps/unix/sysv/linux/riscv/setcontext.S:111:(.text+0xc0): relocation
truncated to fit: R_RISCV_JAL against symbol `__GI_exit' defined in .text section
in [...]/linkobj/libc_pic.a(exit.os)
Using 'call' instead of 'j' works regardless whether UBSAN.
ubsan: Add initial support for -fsanitize=undefined
It is enabled through a new configure flag, --enable-ubsan, and
should be used for debugging and/or testing. Not all ubsan handlers
are implemented, only those generated/required by glibc libraries,
programs, and tests. Some extra handlers might be needed in future
C++ tests, and __ubsan_handle_dynamic_type_cache_miss also needs a
proper implementation.
The ubsan handlers are exported from ld.so since they are used on
all libraries and tests. This might interfere with ubsan from
compiler runtime (when programs are built with libubsan in shared
mode), and this is completely untested and/or not supported at the
moment.
There is no support for the UBSAN_OPTIONS environment variable,
although some options are supported through glibc.ubsan tunables.
Currently, glibc.ubsan.halt_on_errors can be used to avoid
the process halt when any UB handler is issued.
Using -fsanitize=undefined enables some extra compiler checks that
are not easily enabled through the libc-diag.h macro. For instance
on iconv/iconvconfig.c, gcc 14.2.1 shows:
In file included from ../include/bits/string_fortified.h:1,
from ../string/string.h:548,
from ../include/string.h:60,
from iconvconfig.c:32:
In function ‘strcpy’,
inlined from ‘write_output’ at iconvconfig.c:1033:7,
inlined from ‘main’ at iconvconfig.c:340:14:
../string/bits/string_fortified.h:81:10: error: ‘__builtin_memcpy’ offset [0, 7] is out of the bounds [0, 0] [-Werror=array-bounds=]
81 | return __builtin___strcpy_chk (__dest, __src, __glibc_objsize (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../string/bits/string_fortified.h:81:10: error: ‘__builtin_memcpy’ offset [0, 7] is out of the bounds [0, 0] [-Werror=array-bounds=]
cc1: all warnings being treated as errors
Some extra code adjustments are required to fix such cases.
This preliminary support is still incomplete:
* Not all targets are supported, nor have I checked the test suitei
on all successful targets. Also, I only checked with limited gcc
versions (only gcc 14.2.1 and for some targets 15.0.0).
Currently --enable-ubsan builds on Linux for aarch64, arm, hppa,
i686, powerpc64, microblaze, mips64, loongarch64, sparc, s390x, and
x86_64.
* The instrumentation is disabled on rltd.c, although it is enabled
on other loaders functions.
* A lot of test cases show failures due to UB.
Also, gcc-14 triggers an ICE building math routines. gcc-15
works correctly.
Collin Funk [Mon, 5 May 2025 02:31:34 +0000 (19:31 -0700)]
nss: remove undefined behavior and optimize getaddrinfo
On x86-64 and compiling with -O2 using stdc_leading_zeros compiles to
the bsr instruction. The fls function removed by this patch is inlined
but still loops while checking each bit individually.
* nss/getaddrinfo.c: Include <stdbit.h>.
(fls): Remove function. This function contains a left shift of 31 on an
'int' which is undefined.
(rfc3484_sort): Use stdc_leading_zeros instead of fls.
These routines are not extensively used (gnulib documentation even
recommend use a replacement [1]), and there is already a POWER8
version that uses proper vectorized instructions.
DJ Delorie [Sat, 3 May 2025 00:51:18 +0000 (20:51 -0400)]
manual: add more pthread functions
Add stubs and partial docs for many undocumented pthreads functions.
While neither exhaustive nor complete, gives minimal usage docs
for many functions and expands the pthreads chapters, making it
easier to continue improving this section in the future.
Stefan Liebler [Tue, 29 Apr 2025 11:28:58 +0000 (13:28 +0200)]
S390: Add new s390 platform z17.
The glibc-hwcaps subdirectories are extended by "z17". Libraries are loaded if
the z17 facility bits are active:
- Miscellaneous-instruction-extensions facility 4
- Vector-enhancements-facility 3
- Vector-Packed-Decimal-Enhancement Facility 3
- CPU: Concurrent-Functions Facility
tst-glibc-hwcaps.c is extended in order to test z17 via new marker6.
In case of running on a z17 with a kernel not recognizing z17 yet,
AT_PLATFORM will be z900 but vector-bit in AT_HWCAP is set. This situation
is now recognized and this testcase does not fail.
A fatal glibc error is dumped if glibc was build with architecture
level set for z17, but run on an older machine (See dl-hwcap-check.h).
Note, you might get an SIGILL before this check if you don't use:
configure --with-rtld-early-cflags=-march=<older-machine>
ld.so --list-diagnostics now also dumps information about s390.cpu_features.
Independent from z17, the s390x kernel won't introduce new HWCAP-Bits if there
is no special handling needed in kernel itself. For z17, we don't have new
HWCAP flags, but have to check the facility bits retrieved by
stfle-instruction.
Instead of storing all the stfle-bits (currently four 64bit values) in the
cpu_features struct, we now only store those bits, which are needed within
glibc itself. Note that we have this list twice, one with original values and
the other one which can be filtered with GLIBC_TUNABLES=glibc.cpu.hwcaps.
Those new fields are stored in so far reserved space in cpu_features struct.
Thus processes started in between the update of glibc package and we e.g. have
a new ld.so and an old libc.so, won't crash. The glibc internal ifunc-resolvers
would not select the best optimized variant.
The users of stfle-bits are also updated:
- parsing of GLIBC_TUNABLES=glibc.cpu.hwcaps
- glibc internal ifunc-resolvers
- __libc_ifunc_impl_list
- sysconf
Joseph Myers [Thu, 1 May 2025 22:28:59 +0000 (22:28 +0000)]
Correct test descriptors in libm-test-pown.inc
While working on implementing compoundn, I noticed that
libm-test-pown.inc was wrongly using TEST_ff_f and AUTO_TESTS_ff_f
when the actual types involved meant fL_f should be used instead of
ff_f; fix to use the correct descriptor strings for pown. (These
strings affect how gen-libm-test.py generates a C file in some cases.
The structure type test_fL_f_data for expected results and the use of
RUN_TEST_LOOP_fL_f in the ALL_RM_TEST call were already correct.)
Tested for x86_64. The generated libm-test-pown.c was actually
unchanged, but the old descriptor strings were still logically
incorrect.
Inline tcache_try_malloc into calloc since it is the only caller. Also fix
usize2tidx and use it in __libc_malloc, __libc_calloc and _mid_memalign.
The result is simpler, cleaner code.
nptl: Fix pthread_getattr_np when modules with execstack are allowed (BZ 32897)
The BZ 32653 fix (12a497c716f0a06be5946cabb8c3ec22a079771e) kept the
stack pointer zeroing from make_main_stack_executable on
_dl_make_stack_executable. However, previously the 'stack_endp'
pointed to temporary variable created before the call of
_dl_map_object_from_fd; while now we use the __libc_stack_end
directly.
Since pthread_getattr_np relies on correct __libc_stack_end, if
_dl_make_stack_executable is called (for instance, when
glibc.rtld.execstack=2 is set) __libc_stack_end will be set to zero,
and the call will always fail.
The __libc_stack_end zero was used a mitigation hardening, but since 52a01100ad011293197637e42b5be1a479a2f4ae it is used solely on
pthread_getattr_np code. So there is no point in zeroing anymore.
Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Sam James <sam@gentoo.org>
Julian Zhu [Fri, 8 Nov 2024 13:41:43 +0000 (21:41 +0800)]
RISC-V: Use builtin for ffs and ffsll while supported extension available
Hardware ctz instructions are available in the RISC-V Zbb and XTheadBb extension. With special `-march` flags defined, we can generate more simplified code compared to the generic implementation of `ffs`/`ffsll`.
The __printf_fp_buffer_1 issues count_leading_zeros with 0 argument,
which might leads to call __builtin_ctz depending of the ABI.
Replace with stdbit.h function instead.
Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Paul Eggert <eggert@cs.ucla.edu>
benchtest: Correct shell script related to bench-malloc-thread
This patch changes the shell script that selects which arguments are used
for the execution of bench-malloc-thread.
The problem seems to have been introduced in commit:
With current condition, the following error "/bin/sh: 3: [[: not found"
occurs when executing `make bench BENCHSET="malloc-thread"` and the else
path is taken, using incorrect arguments for bench test execution.
H. Peter Anvin [Fri, 25 Apr 2025 05:30:59 +0000 (07:30 +0200)]
linux/termio: remove <termio.h> and struct termio
The <termio.h> interface is absolutely ancient: it was obsoleted by
<termios.h> already in the first version of POSIX (1988) and thus
predates the very first version of Linux. Unfortunately, some constant
macros are used both by <termio.h> and <termios.h>; particularly
problematic is the baud rate constants since the termio interface
*requires* that the baud rate is set via an enumeration as part of
c_cflag.
In preparation of revamping the termios interface to support the
arbitrary baud rate capability that the Linux kernel has supported
since 2008, remove <termio.h> in the hope that no one still uses this
archaic interface.
Note that there is no actual code in glibc to support termio: it is
purely an unabstracted ioctl() interface.
Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com> Reviewed-by: Florian Weimer <fweimer@redhat.com>
elf: tst-audit10: split AVX512F code into dedicated functions [BZ #32882]
"Recent" GCC versions (since commit fc62716fe8d1, backported to stable
branches) emit a vzeroupper instruction at the end of functions
containing AVX instructions. This causes the tst-audit10 test to fail
on CPUs lacking AVX instructions, despite the AVX512F check. The crash
occurs in the pltenter function of tst-auditmod10b.c.
Fix that by moving the code guarded by the check_avx512 function into
specific functions using the target ("avx512f") attribute. Note that
since commit 5359c3bc91cc ("x86-64: Remove compiler -mavx512f check") it
is safe to assume that the compiler has AVX512F support, thus the
__AVX512F__ checks can be dropped.
Joseph Myers [Tue, 22 Apr 2025 17:00:34 +0000 (17:00 +0000)]
Add AT_* constants from Linux 6.12
Linux 6.12 adds AT_RENAME_* aliases for RENAME_* flags for renameat2,
and also AT_HANDLE_MNT_ID_UNIQUE. Add the first set of aliases to
stdio.h alongside the RENAME_* names, and AT_HANDLE_MNT_ID_UNIQUE to
bits/fcntl-linux.h.
Samuel Thibault [Mon, 21 Apr 2025 20:21:17 +0000 (22:21 +0200)]
hurd: Make symlink return EEXIST on existing target directory
8ef17919509e ("hurd: Fix EINVAL error on linking to a slash-trailing path
[BZ #32569]) made symlink return ENOTDIR, but the gnulib testsuite does
not recognize it for such a situation, and EEXIST is indeed more
comprehensible to users.
Samuel Thibault [Mon, 21 Apr 2025 17:42:27 +0000 (19:42 +0200)]
hurd: Do not restore xstate when it is not initialized
If the process has never used fp before getting a signal, xstate is set
(and thus the x87 state is not initialized) but xstate->initialized is still
0, and we should not restore anything.
Luca Dariz [Wed, 19 Mar 2025 17:11:18 +0000 (18:11 +0100)]
hurd: save xstate during signal handling
* hurd/Makefile: add new tests
* hurd/test-sig-rpc-interrupted.c: check xstate save and restore in
the case where a signal is delivered to a thread which is waiting
for an rpc. This test implements the rpc interruption protocol used
by the hurd servers. It was so far passing on Debian thanks to the
local-intr-msg-clobber.diff patch, which is now obsolete.
* hurd/test-sig-xstate.c: check xstate save and restore in the case
where a signal is delivered to a running thread, making sure that
the xstate is modified in the signal handler.
* hurd/test-xstate.h: add helpers to test xstate
* sysdeps/mach/hurd/i386/bits/sigcontext.h: add xstate to the
sigcontext structure.
+ sysdeps/mach/hurd/i386/sigreturn.c: restore xstate from the saved
context
* sysdeps/mach/hurd/x86/trampoline.c: save xstate if
supported. Otherwise we fall back to the previous behaviour of
ignoring xstate.
* sysdeps/mach/hurd/x86_64/bits/sigcontext.h: add xstate to the
sigcontext structure.
* sysdeps/mach/hurd/x86_64/sigreturn.c: restore xstate from the saved
context
Signed-off-by: Luca Dariz <luca@orpolo.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-ID: <20250319171118.142163-1-luca@orpolo.org>
This patch moves any calls of tcache_init away after tcache hot paths.
Since there is no reason to initialize tcaches in the hot path and since
we need to be able to check tcache != NULL in any case, because of
tcache_thread_shutdown function, moving tcache_init away from hot path
can only be beneficial.
The patch also removes the initialization of tcaches within the
__libc_free call. It only makes sense to initialize tcaches for the
thread after it calls one of the allocation functions. Also the patch
removes the save/restore of errno from tcache_init code, as it is no
longer needed.
Andrew Pinski [Fri, 21 Feb 2025 23:13:53 +0000 (15:13 -0800)]
aarch64: Add back non-temporal load/stores from oryon-1's memset
I misunderstood the recommendation from the hardware team about non-temporal
load/stores. It is still recommended to use them in memset for large sizes. It
was not recommended for their use with device memory and memset is already
not valid to be used with device memory.
This reverts commit e6590f0c86632c36c9a784cf96075f4be2e920d2. Signed-off-by: Andrew Pinski <quic_apinski@quicinc.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Andrew Pinski [Fri, 21 Feb 2025 23:10:18 +0000 (15:10 -0800)]
aarch64: Add back non-temporal load/stores from oryon-1's memcpy
I misunderstood the recommendation from the hardware team about non-temporal
load/stores. It is still recommended to use them in memcpy for large sizes. It
was not recommended for their use with device memory and memcpy is already
not valid to be use with device memory.
This reverts commit eb5eeb47403e0a91de834868e501b4d62b8d2cb9. Signed-off-by: Andrew Pinski <quic_apinski@quicinc.com> Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Wilco Dijkstra [Mon, 31 Mar 2025 12:19:06 +0000 (12:19 +0000)]
malloc: Use tailcalls in __libc_free
Use tailcalls to avoid the overhead of a frame on the free fastpath.
Move tcache initialization to _int_free_chunk(). Add malloc_printerr_tail()
which can be tailcalled without forcing a frame like no-return functions.
Change tcache_double_free_verify() to retry via __libc_free() after clearing
the key.
Wilco Dijkstra [Mon, 31 Mar 2025 11:44:02 +0000 (11:44 +0000)]
malloc: Improve free checks
The checks on size can be merged and use __builtin_add_overflow. Since
tcache only handles small sizes (and rejects sizes < MINSIZE), delay this
check until after tcache.
projects / thirdparty / glibc.git / log
