This was a regression from the 64-bit off_t changes.
When dropping buffered data after a flush, we would subtract the
buffered amount from zero to get the seek offset. This didn't work
right since the subtraction was done with a 32-bit size_t and we
ended up with e.g. (i64)0xfffffffc as the offset.
Fixes #6003.
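The arithmetic described in this message, as an added example that is not part of the original commit or of the project's code. `size32_t` is a stand-in for the 32-bit `size_t` of the platform in question (a native `size_t` on a 64-bit host would not reproduce the bug), and the function names and `seek_relative()` helper are hypothetical:

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the 32-bit size_t of the platform the message describes;
 * on a 64-bit host a plain size_t would not reproduce the bug. */
typedef uint32_t size32_t;

/* Before the fix: 0 - buffered is evaluated in 32-bit unsigned arithmetic,
 * wraps to 0xfffffffc for buffered == 4, and the conversion to the 64-bit
 * offset type then zero-extends that value instead of yielding -4. */
int64_t drop_buffer_offset_buggy(size32_t buffered)
{
    size32_t offset = (size32_t)0 - buffered;   /* wraps modulo 2^32 */
    return (int64_t)offset;                      /* 0x00000000fffffffc */
}

/* After the fix: widen to the signed 64-bit type first, then negate. */
int64_t drop_buffer_offset_fixed(size32_t buffered)
{
    return -(int64_t)buffered;
}

/* Hypothetical stand-in for lseek(fd, offset, SEEK_CUR) on a stream whose
 * current position is `position`: returns the resulting position. */
int64_t seek_relative(int64_t position, int64_t offset)
{
    return position + offset;
}

int main(void)
{
    const size32_t buffered = 4;   /* constructed sample: 4 buffered bytes */
    const int64_t position = 100;  /* constructed sample: current offset */

    printf("buggy: %lld + %lld = %lld\n",
           (long long)position,
           (long long)drop_buffer_offset_buggy(buffered),
           (long long)seek_relative(position, drop_buffer_offset_buggy(buffered)));
    printf("fixed: %lld + %lld = %lld\n",
           (long long)position,
           (long long)drop_buffer_offset_fixed(buffered),
           (long long)seek_relative(position, drop_buffer_offset_fixed(buffered)));
    return 0;
}
```

The buggy path moves the position forward by almost 4 GiB instead of back by four bytes; the general rule is to convert to the wider signed type before the subtraction, not after.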
These simply use StringBuilder::appendvf() internally which is not
optimal in terms of heap allocations, but simple enough and I don't
think they are performance-sensitive functions anyway.

(...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED)
Since all of these checks are done in release builds as well,
let's rename them to VERIFY to prevent confusion, as everyone is
used to assertions being compiled out in release.
We can introduce a new ASSERT macro that is specifically for debug
checks, but I'm doing this wholesale conversion first since we've
accumulated thousands of these already, and it's not immediately
obvious which ones are suitable for ASSERT.

This achieves two things:
- Programs can now intentionally perform arbitrary syscalls by calling
syscall(). This allows us to work on things like syscall fuzzing.
- It restricts the ability of userspace to make syscalls to a single
4KB page of code. In order to call the kernel directly, an attacker
must now locate this page and call through it.

This allows us to implement mkstemp() with open() directly, instead of
first lstat()'ing, and then open()'ing the filename.
Also implement tmpfile() in terms of mkstemp() instead of mktemp().
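The two mkstemp() strategies contrasted in this message, plus tmpfile() built on the exclusive variant, as an added example that is not the project's code. The function names are hypothetical, `rand()` stands in for whatever randomness a real libc would use, and `symlink_demo()` is added to show why the check-then-create pattern matters:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Fail with EINVAL unless the template ends in exactly "XXXXXX". */
static int check_template(const char *template)
{
    size_t len = strlen(template);
    if (len < 6 || strcmp(template + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Overwrite the last six characters with random alphanumerics.
 * rand() is a placeholder; a real libc should use a CSPRNG here. */
static void randomize_suffix(char *template)
{
    static const char alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    static int seeded = 0;
    if (!seeded) {
        srand((unsigned)time(NULL) ^ (unsigned)getpid());
        seeded = 1;
    }
    size_t len = strlen(template);
    for (size_t i = len - 6; i < len; ++i)
        template[i] = alphabet[rand() % (int)(sizeof(alphabet) - 1)];
}

/* The pattern the commit replaces: lstat() to see whether the name is
 * free, then open() to create it. Another process can plant a file or a
 * symlink between the two calls, and O_CREAT alone follows the symlink. */
int mkstemp_racy(char *template)
{
    struct stat st;
    if (check_template(template) < 0)
        return -1;
    for (int attempt = 0; attempt < 100; ++attempt) {
        randomize_suffix(template);
        if (lstat(template, &st) == 0)
            continue;                          /* name taken, try another */
        /* TOCTOU window is here */
        int fd = open(template, O_RDWR | O_CREAT, 0600);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;
    }
    errno = EEXIST;
    return -1;
}

/* mkstemp() directly on open(): O_CREAT|O_EXCL makes the existence check
 * and the creation one atomic kernel operation, and a symlink at the path
 * (even a dangling one) makes open() fail with EEXIST rather than follow. */
int mkstemp_exclusive(char *template)
{
    if (check_template(template) < 0)
        return -1;
    for (int attempt = 0; attempt < 100; ++attempt) {
        randomize_suffix(template);
        int fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;                         /* e.g. EACCES, ENOENT */
    }
    errno = EEXIST;
    return -1;
}

/* tmpfile() in terms of mkstemp(): create, unlink the name, return FILE*.
 * The open descriptor keeps the inode alive until the stream is closed. */
FILE *tmpfile_via_mkstemp(void)
{
    char path[] = "/tmp/tmpfile.XXXXXX";
    int fd = mkstemp_exclusive(path);
    if (fd < 0)
        return NULL;
    unlink(path);
    FILE *fp = fdopen(fd, "w+");
    if (!fp)
        close(fd);
    return fp;
}

/* Plant a dangling symlink `link` -> `target`, then try both creation modes
 * on `link`. Returns 1 if the O_EXCL open refused with EEXIST while the
 * O_CREAT-only open followed the link and created `target`; cleans up. */
int symlink_demo(const char *link, const char *target)
{
    unlink(link);
    unlink(target);
    if (symlink(target, link) < 0)
        return -1;
    int fd = open(link, O_RDWR | O_CREAT | O_EXCL, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    fd = open(link, O_RDWR | O_CREAT, 0600);
    int followed = 0;
    if (fd >= 0) {
        close(fd);
        followed = (access(target, F_OK) == 0);
    }
    unlink(link);
    unlink(target);
    return refused && followed;
}
```

Both variants retry on EEXIST, but only the exclusive one is safe against a concurrent writer in a world-writable directory such as /tmp, which is why mkstemp() should be implemented on open(O_CREAT|O_EXCL) and tmpfile() on mkstemp() rather than on mktemp() (which hands back a name and leaves the race to the caller).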