This will make it easier to support both string types at the same time
while we convert code, and tracking down remaining uses.
One big exception is Value::to_string() in LibJS, where the name is
dictated by the ToString AO.
We have a new, improved string type coming up in AK (OOM aware, no null
state), and while it's going to use UTF-8, the name UTF8String is a
mouthful - so let's free up the String name by renaming the existing
class.
Making the old one have an annoying name will hopefully also help with
quick adoption :^)
In the fgetc function, a fix was already in place but was clunky. A real
proper solution is to use an unsigned char instead of a char when
returning the value, so an implicit cast is happening based on the
assumption that the value is unsigned, so if the variable contained 0xff
it won't be treated as -1, but as unsigned 0xff, so the result int will
be 0xff and not -1.
The same solution is applied to the fgetc_unlocked function as well.
We assumed that by returning a char in the fgetc function that an
implicit cast is sufficient, but apparently if that char contains 0xff,
the result int will be -1 (0xFFFFFFFF). To ensure this does not happen,
let's do an explicit casting.
The global variable use in these functions is super thread-unsafe and
means that any concurrent calls to sprintf or fprintf in a process
could race with each other and end up writing unexpected results.
We can just replace the function + global variable with a lambda that
captures the relevant argument when calling printf_internal instead.
When creating uninitialized storage for variables, we need to make sure
that the alignment is correct. Fixes a KUBSAN failure when running
kernels compiled with Clang.
In `Syscalls/socket.cpp`, we can simply use local variables, as
`sockaddr_un` is a POD type.
Along with moving the `alignas` specifier to the correct member,
`AK::Optional`'s internal buffer has been made non-zeroed by default.
GCC emitted bogus uninitialized memory access warnings, so we now use
`__builtin_launder` to tell the compiler that we know what we are doing.
This might disable some optimizations, but judging by how GCC failed to
notice that the memory's initialization is dependent on `m_has_value`,
I'm not sure that's a bad thing.
SPDX License Identifiers are a more compact / standardized
way of representing file license information.
See: https://spdx.dev/resources/use/#identifiers
This was done with the `ambr` search and replace tool.
ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt *
This was a regression from the 64-bit off_t changes.
When dropping buffered data after a flush, we would subtract the
buffered amount from zero to get the seek offset. This didn't work
right since the subtraction was done with a 32-bit size_t and we
ended up with e.g (i64)0xfffffffc as the offset.
Fixes#6003.
These simply use StringBuilder::appendvf() internally which is not
optimal in terms of heap allocations, but simple enough and I don't
think they are performance sensitive functions anyway.
(...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED)
Since all of these checks are done in release builds as well,
let's rename them to VERIFY to prevent confusion, as everyone is
used to assertions being compiled out in release.
We can introduce a new ASSERT macro that is specifically for debug
checks, but I'm doing this wholesale conversion first since we've
accumulated thousands of these already, and it's not immediately
obvious which ones are suitable for ASSERT.
This achieves two things:
- Programs can now intentionally perform arbitrary syscalls by calling
syscall(). This allows us to work on things like syscall fuzzing.
- It restricts the ability of userspace to make syscalls to a single
4KB page of code. In order to call the kernel directly, an attacker
must now locate this page and call through it.
This allows us to implement mkstemp() with open() directly, instead of
first lstat()'ing, and then open()'ing the filename.
Also implement tmpfile() in terms of mkstemp() instead of mktemp().
