119 Commits

Author SHA1 Message Date
Conrad Meyer
672e12255d rand(3): Replace implementation with one backed by random(3) algorithm
rand(3)'s standard C API is extremely limiting, but we can do better
than the historical 32-bit state Park-Miller LCG we've shipped since
2001: r73156.

The justification provided at the time for not using random(3) was that
rand_r(3) could not be made to use the same algorithm.  That is still
true.  However, the irrelevance of rand_r(3) is increasingly obvious.
Since that time, POSIX has marked the interface obsolescent.  rand_r(3)
never became part of the standard C library.  If not for API
compatibility reasons, I would just remove rand_r(3) entirely.

So, I do not believe it is a problem for rand_r(3) and rand(3) to
diverge.

The 12 ABI is maintained with compatibility definitions, but this
revision does subtly change the API of rand(3).  The sequences of
pseudorandom numbers produced in programs built against new versions of
libc will differ from programs built against prior versions of libc.

Reviewed by:	kevans, markm
MFC after:	no
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D23290
2020-02-01 20:33:23 +00:00
Edward Tomasz Napierala
0d2fabfc04 Add qsort_s(3). Apart from the constraints, it also makes it easier
to port software written for Linux variant of qsort_r(3).

Reviewed by:	kib, arichardson
MFC after:	2 weeks
Relnotes:	yes
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D23174
2020-01-20 11:40:07 +00:00
Conrad Meyer
482f0c0255 Revert r355760, r355759
And remove the inline/deprecated attribute use entirely in stdlib.h, from
r355747.  The intent was to provide a buildable API transitionary period, but
clearly that was counter-productive.

Reported by:	delphij, imp, others
2019-12-15 17:33:26 +00:00
Conrad Meyer
215332ffe7 cdefs: Add __deprecated(message) function attribute macro
The legacy version of GCC4 currently in base does not support the
parameterized form of this function attribute, as recent introduced in
stdlib.h (r355747).

As we have done for other function attributes with similar compatibility
problems, add a version-compatibile definition in sys/cdefs.h.  Note that
Clang defines itself to be GCC 4, so one must check for __clang__ in
addition to __GNUC__ version.  On legacy GCC 4, the macro expands to just
the __deprecated__ attribute; on modern GCC or Clang, the macro expands to
the parameterized variant with the message.

Ignoring legacy or unsupported compilers, the macro is also beneficial in
that it is a bit more ergonomic than the full
__attribute__((__deprecated__())) boilerplate.

Reported by:	CI (but not tinderbox); imp and others
Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D22817
2019-12-14 21:52:49 +00:00
Conrad Meyer
c62ff2800b Deprecate sranddev(3) API
It serves no useful purpose and wasn't as popular as its equally meritless
cousin, srandomdev(3).

Setting aside the problems with rand(3) in general, the problem with this
interface is that the seed isn't shared with the caller (other than by
attacking the output of the generator, which is trivial, but not a hallmark of
pleasant API design).  The (arguable) utility of rand(3) or random(3) is as a
semi-fast simulation generator which produces consistent results from a given
seed.  These are mutually at odd.  Furthermore, sometimes people got the
mistaken impression that a high quality random seed meant a weak generator like
rand(3) or random(3) could be used for things like cryptographic key
generation.  This is absolutely not so.

The API was never part of a standard and was not widely used in tree.  Existing
in-tree uses have all been removed.

Possible replacement in out of tree codebases:

	char buf[3];
	time_t t;

	time(t);
	strftime(buf, sizeof(buf), "%S", gmtime(&t));
	srand(atoi(buf));

Relnotes:	yes
2019-12-14 08:28:10 +00:00
Mark Johnston
076574744c Add mkostempsat(3).
This is a variant of mkostemps() which takes a directory descriptor and
returns a descriptor for a tempfile relative to that directory.  Unlike
the other mktemp functions, mkostempsat() can be used in capability
mode.

Reviewed by:	cem
Discussed with:	brooks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D21031
2019-07-29 19:02:16 +00:00
Xin LI
a29173be53 Remove arc4random_stir and arc4random_addrandom from stdlib.h.
Users of arc4random(3) should never call them directly.

All ports tree usage was fixed as part of bug 230756.

Relnotes:       yes
Approved by:    re (marius), exp-run (bug 230756 by portmgr antoine)
2018-08-26 18:04:54 +00:00
Xin LI
c1e80940f3 Update userland arc4random() with OpenBSD's Chacha20 based arc4random().
ObsoleteFiles.inc:

    Remove manual pages for arc4random_addrandom(3) and
    arc4random_stir(3).

  contrib/ntp/lib/isc/random.c:
  contrib/ntp/sntp/libevent/evutil_rand.c:

    Eliminate in-tree usage of arc4random_addrandom().

  crypto/heimdal/lib/roken/rand.c:
  crypto/openssh/config.h:

    Eliminate in-tree usage of arc4random_stir().

  include/stdlib.h:

    Remove arc4random_stir() and arc4random_addrandom() prototypes,
    provide temporary shims for transistion period.

  lib/libc/gen/Makefile.inc:

    Hook arc4random-compat.c to build, add hint for Chacha20 source for
    kernel, and remove arc4random_addrandom(3) and arc4random_stir(3)
    links.

  lib/libc/gen/arc4random.c:

    Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the
    sys/crypto/chacha20 implementation of keystream.

  lib/libc/gen/Symbol.map:

    Remove arc4random_stir and arc4random_addrandom interfaces.

  lib/libc/gen/arc4random.h:

    Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.

  lib/libc/gen/arc4random.3:

    Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and
    r118247.

  lib/libc/gen/arc4random-compat.c:

    Compatibility shims for arc4random_stir and arc4random_addrandom
    functions to preserve ABI.  Log once when called but do nothing
    otherwise.

  lib/libc/gen/getentropy.c:
  lib/libc/include/libc_private.h:

    Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl).
    Remove from libc_private.h as a result.

  sys/crypto/chacha20/chacha.c:
  sys/crypto/chacha20/chacha.h:

    Make it possible to use the kernel implementation in libc.

PR:		182610
Reviewed by:	cem, markm
Obtained from:	OpenBSD
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16760
2018-08-19 17:40:50 +00:00
Pedro F. Giffuni
b8d1747e75 Use the __alloc_size2 attribute where relevant.
This follows the documented use in GCC. It is basically only relevant for
calloc(3), reallocarray(3) and  mallocarray(9).

Suggested by:	Mark Millard

Reference:
https://docs.freebsd.org/cgi/mid.cgi?9DE674C6-EAA3-4E8A-906F-446E74D82FC4
2018-01-22 01:50:10 +00:00
Pedro F. Giffuni
dd5edb11b1 Use the __result_use_check attribute also for reallocf(3).
The GCC attribute causes a warning to be emitted if a caller of the
function with this attribute does not use its return value. Unlike the
traditional realloc, with reallocf(3) we don't have to check for NULL
values but we still have to make sure the result is used.

MFC after:	3 days
2018-01-09 22:48:13 +00:00
Mariusz Zaborski
16545cf5d5 Introduce the daemonfd function.
The daemonfd function is equivalent to the daemon(3) function expect that
arguments are descriptors. For example dhclient(8) which is sandboxed is
unable to open /dev/null to close stdio instead it's allows to fail
daemon(3) function to close the descriptors and then do it explicit in code.
Instead of such hacks we can use now daemonfd.

This API can be also helpful to migrate system to platforms like CheriBSD.

Reviewed by:	brooks@, bcr@, jilles@ (earlier version)
Differential Revision:	https://reviews.freebsd.org/D13433
2017-12-23 18:07:43 +00:00
Konstantin Belousov
383f241dce Remove lint support from system headers and MD x86 headers.
Reviewed by:	dim, jhb
Discussed with:	imp
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D13156
2017-11-23 11:40:16 +00:00
Pedro F. Giffuni
2321c47418 include: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:45:28 +00:00
Konstantin Belousov
9851b3400a Implement the memset_s(3) function as specified by the C11 ISO/IEC
9899:2011 Appendix K 3.7.4.1.

Other needed supporting types, defines and constraint_handler
infrastructure is added as specified in the C11 spec.

Submitted by:	Tom Rix <trix@juniper.net>
Sponsored by:	Juniper Networks
Discussed with:	ed
MFC after:	3 weeks
Differential revision:	https://reviews.freebsd.org/D9903
Differential revision:	https://reviews.freebsd.org/D10161
2017-03-30 04:57:26 +00:00
Pedro F. Giffuni
10723054ce Remove outdated claim.
Despite wishful thinking the removal of these old function hasn't
happened yet.

MFC after:	3 days
2017-02-16 20:30:55 +00:00
Pedro F. Giffuni
649702c5a3 Make use of clang nullability attributes.
Replace uses of the GCC __nonnull__ attribute with the clang nullability
qualifiers. The replacement should be transparent for clang developers as
the new qualifiers will produce the same warnings and will be useful for
static checkers but will not cause aggressive optimizations.

GCC will not produce such warnings and developers will have to use
upgraded GCC ports built with the system headers from r312538.

Hinted by:	Apple's Libc-1158.20.4, Bionic libc
MFC after:	11.1 Release

Differential Revision:	https://reviews.freebsd.org/D9004
2017-01-28 20:54:43 +00:00
Pedro F. Giffuni
f1b298ad46 Remove some uses of the GCC __nonnull() attribute.
While the checks are considered useful, the attribute does dangerous
optimizations, removing NULL checks where they can be needed. Remove the
uses of this attribute introduced in r281130: the changes were inspired on
Google's bionic where this attribute is not used anymore.

The __nonnull() attribute will be deprecrated from our headers and
replaced with the Clang _Nonnull qualifier in the future.

MFC after:	3 days
2017-01-01 17:16:47 +00:00
Ed Schouten
1a466ddc79 Remove setkey(), encrypt(), des_setkey() and des_cipher().
The setkey() and encrypt() functions are part of XSI, not the POSIX base
definitions. There is no strict requirement for us to provide these,
especially if we're only going to keep these around as undocumented
stubs. The same holds for des_setkey() and des_cipher().

Instead of providing functions that only generate warnings when linking,
simply disallow linking against them. The impact of this is relatively
low. It only causes two leaf ports to break. I'll see what I can do to
help out to get those fixed.

PR:		211626
2016-10-03 18:20:58 +00:00
Ed Schouten
822b22a9bf Change type of MB_CUR_MAX and MB_CUR_MAX_L() to size_t.
POSIX requires that MB_CUR_MAX expands to an expression of type size_t.
It currently expands to an int. As these are already macros, don't
change the underlying type of these functions. There is no ned to touch
those.

Differential Revision:	https://reviews.freebsd.org/D6645
2016-07-28 09:50:19 +00:00
Ed Schouten
8de6c26711 Fix typing of srandom() and initstate().
POSIX requires that these functions have an unsigned int for their first
argument; not an unsigned long.

My reasoning is that we can safely change these functions without
breaking the ABI. As far as I know, our supported architectures either
use registers for passing function arguments that are at least as big as
long (e.g., amd64), or int and long are of the same size (e.g., i386).

Reviewed by:	ache
Differential Revision:	https://reviews.freebsd.org/D6644
2016-07-26 20:11:29 +00:00
Pedro F. Giffuni
9143e6e49a Remove incorrect attributes from posix_memalign(3) declaration.
Both __alloc_align and __alloc_size can't be used when the function
returns a pointer to memory. This fixes breakage when building with
clang 3.4:

In file included from /usr/src/svn/usr.sbin/bhyve/atkbdc.c:40:
/usr/include/stdlib.h:176:6: error: '__alloc_size__' attribute only
applies to functions that return a pointer [-Werror,-Wignored-attributes]

Pointed out by:	ngie, cem
Approved by:	re (gjb)
2016-07-05 22:30:29 +00:00
Dimitry Andric
4ec98362ae For C++, expose long long types and functions (lldiv_t, llabs, lldiv,
etc) in stdlib.h.  These will be needed for newer versions of libc++,
which uses them for defining overloaded versions of abs() and div().

MFC after:	1 week
2016-03-23 19:17:12 +00:00
Pedro F. Giffuni
ee90489bc4 Make use of GCC alloc_align attribute
This lets the compiler know about the alignment of pointers returned
by aligned_alloc(3), posix_memalign(3). and contigmalloc(9)

Currently this is only supported in recent gcc but we are ready to
use it if clang implements it.

Relnotes:	yes
2015-05-15 20:43:37 +00:00
Pedro F. Giffuni
d0e9981e39 No need for result_use_check attribute in reallocf(3). 2015-05-01 20:40:48 +00:00
Baptiste Daroussin
8f0baadaa0 Move reallocarray definition to the _BSD_VISIBLE block
Add the required __alloc_size attributes

Requested by:	pfg
2015-05-01 19:14:32 +00:00
Baptiste Daroussin
450dfafb15 Import reallocarray(3) from OpenBSD
Add a manpage for it, assign the copyright to the OpenBSD project on it since it
is mostly copy/paste from OpenBSD manpage.
style(9) fixes

Differential Revision:	https://reviews.freebsd.org/D2420
Reviewed by:	kib
2015-05-01 18:32:16 +00:00
Pedro F. Giffuni
153cbcd657 Make use of gcc attributes in some standard include headers.
The `nonnull' attribute specifies that some function parameters should be
non-null pointers.  This is very useful as it helps the compiler generate
warnings on suspicious code and can also enable some small optimizations.

Also start using 'alloc_size' attribute in the allocator functions.

This is an initial step to better integrate our libc with the compiler:
these attributes are fully supported by clang and they are also useful
for the static analyzer.

Note that due to some bogus internal procedure in the way gcc ports
are built they may require updating if they were built before r280801.

Relnotes:		yes
Hinted by:		Android's bionic libc
Differential Revision:	https://reviews.freebsd.org/D2107
2015-04-06 01:39:16 +00:00
Pedro F. Giffuni
1693a59a64 Clean sparse spaces. 2015-03-25 16:54:37 +00:00
Pedro F. Giffuni
f4189cd649 Add bsearch_b to the libc map and the stdlib header.
bsearch_b is the Apple blocks enabled version of bsearch(3).
This was added to libc in Revision 264042 but the commit
missed the declaration required to make use of it.

While here move some other block-related functions to the
BSD_VISIBLE block as these are non-standard.

Phabric:	D638
Reviewed by:	theraven, wollman
2014-09-01 22:25:42 +00:00
David Chisnall
46cdc14062 Add support for some block functions that come from OS X. These are
intended to build with any C compiler.

Reviewed by:	pfg
MFC after:	3 weeks
2014-04-02 16:07:48 +00:00
Tijl Coosemans
0a4c54d606 Rename __wchar_t so it no longer conflicts with __wchar_t from clang 3.4
-fms-extensions.

MFC after:	2 weeks
2014-04-01 14:46:11 +00:00
Jilles Tjoelker
65ba8dff5f Add mkostemp() and mkostemps().
These are like mkstemp() and mkstemps() but allow passing open(2) flags like
O_CLOEXEC.
2013-08-09 17:24:23 +00:00
Jilles Tjoelker
e45e1f2730 stdlib.h: Add correct POSIX version for POSIX extensions to C. 2013-07-05 14:16:04 +00:00
Andrey A. Chernov
476d9314d6 1) POSIX requires rand(3) return values to be in the [0, RAND_MAX] range,
but ACM formula we use have internal state (and return value) in the
[1, 0x7ffffffe] range, so our RAND_MAX (0x7fffffff) is never reached
because it is off by one, zero is not reached too.

Correct both RAND_MAX and rand(3) return value, shifting last one
to the 0 by 1 subtracted, resulting POSIXed [0, 0x7ffffffd(=new RAND_MAX)]
range.

2) Add a checks for not overflowing on too big seeds. It may happens on
the machines, where sizeof(unsigned int) > 32 bits.

Reviewed by:    bde [1]
MFC after:      2 weeks
2013-07-03 21:21:54 +00:00
Jason Evans
a4bd5210d5 Import jemalloc 9ef7f5dc34ff02f50d401e41c8d9a4a928e7c2aa (dev branch,
prior to 3.0.0 release) as contrib/jemalloc, and integrate it into libc.
The code being imported by this commit diverged from
lib/libc/stdlib/malloc.c in March 2010, which means that a portion of
the jemalloc 1.0.0 ChangeLog entries are relevant, as are the entries
for all subsequent releases.
2012-04-17 07:22:14 +00:00
David Chisnall
3ac9d65989 Correctly expose xlocale functions if people include the headers in the wrong
order (as some ports apparently do).

Approved by:	dim (mentor)
2012-03-28 12:11:54 +00:00
David Chisnall
79d09835dd Expose some C11 stuff that is also C++11 stuff in C++11 mode.
Approved by:	dim (mentor)
2012-03-14 14:39:07 +00:00
Ed Schouten
9e16bab42a Add aligned_alloc(3).
The C11 folks reinvented the wheel by introducing an aligned version of
malloc(3) called aligned_alloc(3), instead of posix_memalign(3). Instead
of returning the allocation by reference, it returns the address, just
like malloc(3).

Reviewed by:	jasone@
2012-01-09 06:36:28 +00:00
Ed Schouten
5d8c5f69f1 Fix spelling of C11 and sort functions by name. 2012-01-08 12:03:46 +00:00
Ed Schouten
b1214a51cc Improve C11 bits in <stdlib.h>:
- Add missing semicolon to quick_exit(),
- Remove `func' parameter name from at_quick_exit(),
- Fix indentation.
- Compare against 2011 value.
2011-12-26 18:55:37 +00:00
Ed Schouten
f6ab8089c6 Replace __const by const in all non-contributed source code.
As C1X is close to being released, there is no need to wrap around a
feature that is already part of C90. Most of these files already use
`const' in different placed as well.
2011-12-13 13:32:56 +00:00
David Chisnall
57979d1bd8 As per das@'s suggestion, s/__noreturn/_Noreturn/, since the latter is an
identifier reserved for the implementation in C99 and earlier so there is
no sensible reason for introducing yet another reserved identifier when we
could just use the one C1x uses.

Approved by:	brooks (mentor)
2011-12-07 21:17:50 +00:00
David Chisnall
0a31efe016 Implement quick_exit() / at_quick_exit() from C++11 / C1x. Also add a
__noreturn macro and modify the other exiting functions to use it.

The __noreturn macro, unlike __dead2, must be used BEFORE the function.
This is in line with the C and C++ specifications that place _Noreturn (c1x)
and [[noreturn]] (C++11) in front of the functions.  As with __dead2, this
macro falls back to using the GCC attribute.

Unfortunately, clang currently sets the same value for the C version macro
in C99 and C1x modes, so these functions are hidden by default.  At some
point before 10.0, I need to go through the headers and clean up the C1x /
C++11 visibility.

Reviewed by:	brooks (mentor)
2011-12-07 15:25:48 +00:00
David Chisnall
3c87aa1d3d Implement xlocale APIs from Darwin, mainly for use by libc++. This adds a
load of _l suffixed versions of various standard library functions that use
the global locale, making them take an explicit locale parameter.  Also
adds support for per-thread locales.  This work was funded by the FreeBSD
Foundation.

Please test any code you have that uses the C standard locale functions!

Reviewed by:    das (gdtoa changes)
Approved by:    dim (mentor)
2011-11-20 14:45:42 +00:00
Konstantin Belousov
585b8e0f8a Move realpath(3) prototype to a POSIX section.
Noted by:	bde
MFC after:	2 weeks
2010-04-21 16:38:37 +00:00
Konstantin Belousov
9d79ec20fb Slightly modernize realpath(3).
SUSv4 requires that implementation returns EINVAL if supplied path is NULL,
and ENOENT if path is empty string [1].
Bring prototype in conformance with SUSv4, adding restrict keywords.
Allow the resolved path buffer pointer be NULL, in which case realpath(3)
allocates storage with malloc().

PR:	kern/121897 [1]
MFC after:	2 weeks
2010-04-20 10:16:44 +00:00
Warner Losh
f2556687c6 Remove the Berkeley clause 3's.
Add a few $FreeBSD$
2010-02-16 19:39:50 +00:00
David Schultz
b38a55d49d Namespace: abort2() is a BSD extension. 2009-03-14 19:13:30 +00:00
David Schultz
d9c4315930 r189349 removed mktemp() from the XSI namespace when
__XOPEN_SOURCE >= 700, since mktemp() was withdrawn
from the standard. However, __XSI_VISIBLE is set to
700 in the default BSD envrionment, where mktemp()
should still exist; hence, check for this.
2009-03-14 02:31:48 +00:00
David Schultz
65e8b12988 - Add getsubopt and mkdtemp to the POSIX.1-2008 namespace.
- Add mkstemp to the POSIX.1-2008 and BSD namespaces.
- Remove mktemp from the XSI namespace.
2009-03-04 03:31:10 +00:00