2020-06-15 14:18:57 +00:00
|
|
|
/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
|
2023-12-08 03:11:56 +00:00
|
|
|
│ vi: set et ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi │
|
2020-06-15 14:18:57 +00:00
|
|
|
╞══════════════════════════════════════════════════════════════════════════════╡
|
|
|
|
|
│ Copyright 2020 Justine Alexandra Roberts Tunney │
|
|
|
|
|
│ │
|
2020-12-28 01:18:44 +00:00
|
|
|
│ Permission to use, copy, modify, and/or distribute this software for │
|
|
|
|
|
│ any purpose with or without fee is hereby granted, provided that the │
|
|
|
|
|
│ above copyright notice and this permission notice appear in all copies. │
|
2020-06-15 14:18:57 +00:00
|
|
|
│ │
|
2020-12-28 01:18:44 +00:00
|
|
|
│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │
|
|
|
|
|
│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │
|
|
|
|
|
│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │
|
|
|
|
|
│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │
|
|
|
|
|
│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │
|
|
|
|
|
│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │
|
|
|
|
|
│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │
|
|
|
|
|
│ PERFORMANCE OF THIS SOFTWARE. │
|
2020-06-15 14:18:57 +00:00
|
|
|
╚─────────────────────────────────────────────────────────────────────────────*/
|
2022-11-06 02:49:41 +00:00
|
|
|
#include "libc/assert.h"
|
|
|
|
|
#include "libc/calls/blockcancel.internal.h"
|
2021-06-24 19:31:26 +00:00
|
|
|
#include "libc/calls/calls.h"
|
2022-11-06 02:49:41 +00:00
|
|
|
#include "libc/calls/cp.internal.h"
|
|
|
|
|
#include "libc/calls/internal.h"
|
2022-06-23 21:09:32 +00:00
|
|
|
#include "libc/calls/struct/sigaction.h"
|
|
|
|
|
#include "libc/calls/struct/sigset.h"
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
#include "libc/calls/struct/sigset.internal.h"
|
2022-05-23 22:06:11 +00:00
|
|
|
#include "libc/calls/syscall-sysv.internal.h"
|
|
|
|
|
#include "libc/calls/syscall_support-nt.internal.h"
|
2022-11-06 02:49:41 +00:00
|
|
|
#include "libc/calls/syscall_support-sysv.internal.h"
|
2021-06-24 19:31:26 +00:00
|
|
|
#include "libc/dce.h"
|
2020-06-15 14:18:57 +00:00
|
|
|
#include "libc/errno.h"
|
2022-11-06 02:49:41 +00:00
|
|
|
#include "libc/intrin/asan.internal.h"
|
|
|
|
|
#include "libc/intrin/asmflag.h"
|
2022-09-13 18:20:35 +00:00
|
|
|
#include "libc/intrin/strace.internal.h"
|
2022-11-06 02:49:41 +00:00
|
|
|
#include "libc/intrin/weaken.h"
|
|
|
|
|
#include "libc/macros.internal.h"
|
2021-06-24 19:31:26 +00:00
|
|
|
#include "libc/nexgen32e/kcpuids.h"
|
|
|
|
|
#include "libc/nexgen32e/rdtsc.h"
|
|
|
|
|
#include "libc/nexgen32e/vendor.internal.h"
|
|
|
|
|
#include "libc/nexgen32e/x86feature.h"
|
|
|
|
|
#include "libc/nexgen32e/x86info.h"
|
|
|
|
|
#include "libc/nt/runtime.h"
|
2020-06-15 14:18:57 +00:00
|
|
|
#include "libc/runtime/runtime.h"
|
2022-08-11 19:26:30 +00:00
|
|
|
#include "libc/stdio/rand.h"
|
2020-06-15 14:18:57 +00:00
|
|
|
#include "libc/str/str.h"
|
2021-06-24 19:31:26 +00:00
|
|
|
#include "libc/sysv/consts/at.h"
|
|
|
|
|
#include "libc/sysv/consts/auxv.h"
|
|
|
|
|
#include "libc/sysv/consts/grnd.h"
|
|
|
|
|
#include "libc/sysv/consts/o.h"
|
2022-06-23 21:09:32 +00:00
|
|
|
#include "libc/sysv/consts/sig.h"
|
2021-06-24 19:31:26 +00:00
|
|
|
#include "libc/sysv/errfuns.h"
|
2022-11-05 01:19:05 +00:00
|
|
|
#include "libc/thread/thread.h"
|
2021-06-24 19:31:26 +00:00
|
|
|
|
2023-07-26 20:54:49 +00:00
|
|
|
__static_yoink("rdrand_init");
|
2022-11-06 02:49:41 +00:00
|
|
|
|
|
|
|
|
int sys_getentropy(void *, size_t) asm("sys_getrandom");
|
2023-10-15 03:57:15 +00:00
|
|
|
ssize_t sys_getrandom_metal(char *, size_t, int);
|
2022-11-06 02:49:41 +00:00
|
|
|
|
2021-06-24 19:31:26 +00:00
|
|
|
static bool have_getrandom;
|
2020-06-15 14:18:57 +00:00
|
|
|
|
2022-11-06 02:49:41 +00:00
|
|
|
static void GetRandomEntropy(char *p, size_t n) {
|
2023-07-26 20:54:49 +00:00
|
|
|
unassert(n <= 256);
|
Apply clang-format update to repo (#1154)
Commit bc6c183 introduced a bunch of discrepancies between what files
look like in the repo and what clang-format says they should look like.
However, there were already a few discrepancies prior to that. Most of
these discrepancies seemed to be unintentional, but a few of them were
load-bearing (e.g., a #include that violated header ordering needing
something to have been #defined by a 'later' #include.)
I opted to take what I hope is a relatively smooth-brained approach: I
reverted the .clang-format change, ran clang-format on the whole repo,
reapplied the .clang-format change, reran clang-format again, and then
reverted the commit that contained the first run. Thus the full effect
of this PR should only be to apply the changed formatting rules to the
repo, and from skimming the results, this seems to be the case.
My work can be checked by applying the short, manual commits, and then
rerunning the command listed in the autogenerated commits (those whose
messages I have prefixed auto:) and seeing if your results agree.
It might be that the other diffs should be fixed at some point but I'm
leaving that aside for now.
fd '\.c(c|pp)?$' --print0| xargs -0 clang-format -i
2024-04-25 17:38:00 +00:00
|
|
|
if (sys_getentropy(p, n))
|
|
|
|
|
notpossible;
|
2022-11-06 02:49:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void GetRandomArnd(char *p, size_t n) {
|
|
|
|
|
size_t m;
|
|
|
|
|
int cmd[2];
|
|
|
|
|
cmd[0] = 1; // CTL_KERN
|
|
|
|
|
cmd[1] = IsFreebsd() ? 37 : 81; // KERN_ARND
|
2023-07-26 20:54:49 +00:00
|
|
|
unassert((m = n) <= 256);
|
2024-05-03 06:21:43 +00:00
|
|
|
if (sysctl(cmd, 2, p, &n, 0, 0) == -1)
|
Apply clang-format update to repo (#1154)
Commit bc6c183 introduced a bunch of discrepancies between what files
look like in the repo and what clang-format says they should look like.
However, there were already a few discrepancies prior to that. Most of
these discrepancies seemed to be unintentional, but a few of them were
load-bearing (e.g., a #include that violated header ordering needing
something to have been #defined by a 'later' #include.)
I opted to take what I hope is a relatively smooth-brained approach: I
reverted the .clang-format change, ran clang-format on the whole repo,
reapplied the .clang-format change, reran clang-format again, and then
reverted the commit that contained the first run. Thus the full effect
of this PR should only be to apply the changed formatting rules to the
repo, and from skimming the results, this seems to be the case.
My work can be checked by applying the short, manual commits, and then
rerunning the command listed in the autogenerated commits (those whose
messages I have prefixed auto:) and seeing if your results agree.
It might be that the other diffs should be fixed at some point but I'm
leaving that aside for now.
fd '\.c(c|pp)?$' --print0| xargs -0 clang-format -i
2024-04-25 17:38:00 +00:00
|
|
|
notpossible;
|
|
|
|
|
if (m != n)
|
|
|
|
|
notpossible;
|
2022-11-06 02:49:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static ssize_t GetRandomBsd(char *p, size_t n, void impl(char *, size_t)) {
|
|
|
|
|
size_t m, i;
|
|
|
|
|
for (i = 0;;) {
|
|
|
|
|
m = MIN(n - i, 256);
|
|
|
|
|
impl(p + i, m);
|
|
|
|
|
if ((i += m) == n) {
|
|
|
|
|
return n;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static ssize_t GetDevUrandom(char *p, size_t n) {
|
2022-11-05 01:19:05 +00:00
|
|
|
int fd;
|
|
|
|
|
ssize_t rc;
|
2023-10-09 00:56:59 +00:00
|
|
|
BLOCK_SIGNALS;
|
2024-01-08 18:07:35 +00:00
|
|
|
BLOCK_CANCELATION;
|
2022-11-06 02:49:41 +00:00
|
|
|
fd = sys_openat(AT_FDCWD, "/dev/urandom", O_RDONLY | O_CLOEXEC, 0);
|
2023-10-09 00:56:59 +00:00
|
|
|
if (fd != -1) {
|
|
|
|
|
rc = sys_read(fd, p, n);
|
|
|
|
|
} else {
|
|
|
|
|
rc = -1;
|
|
|
|
|
}
|
2024-01-08 18:07:35 +00:00
|
|
|
ALLOW_CANCELATION;
|
2023-10-09 00:56:59 +00:00
|
|
|
ALLOW_SIGNALS;
|
2022-11-05 01:19:05 +00:00
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-06 02:49:41 +00:00
|
|
|
ssize_t __getrandom(void *p, size_t n, unsigned f) {
|
|
|
|
|
ssize_t rc;
|
|
|
|
|
if (IsWindows()) {
|
2024-02-01 11:39:46 +00:00
|
|
|
rc = ProcessPrng(p, n) ? n : __winerr();
|
2022-11-06 02:49:41 +00:00
|
|
|
} else if (have_getrandom) {
|
|
|
|
|
if (IsXnu() || IsOpenbsd()) {
|
|
|
|
|
rc = GetRandomBsd(p, n, GetRandomEntropy);
|
2022-11-05 01:19:05 +00:00
|
|
|
} else {
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
BEGIN_CANCELATION_POINT;
|
2022-11-06 02:49:41 +00:00
|
|
|
rc = sys_getrandom(p, n, f);
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
END_CANCELATION_POINT;
|
2022-11-05 01:19:05 +00:00
|
|
|
}
|
2022-11-06 02:49:41 +00:00
|
|
|
} else if (IsFreebsd() || IsNetbsd()) {
|
|
|
|
|
rc = GetRandomBsd(p, n, GetRandomArnd);
|
2023-10-15 03:57:15 +00:00
|
|
|
#ifdef __x86_64__
|
2022-11-06 02:49:41 +00:00
|
|
|
} else if (IsMetal()) {
|
2023-10-15 03:57:15 +00:00
|
|
|
rc = sys_getrandom_metal(p, n, f);
|
|
|
|
|
#endif
|
2022-11-06 02:49:41 +00:00
|
|
|
} else {
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
BEGIN_CANCELATION_POINT;
|
2022-11-06 02:49:41 +00:00
|
|
|
rc = GetDevUrandom(p, n);
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
END_CANCELATION_POINT;
|
2022-11-05 01:19:05 +00:00
|
|
|
}
|
2022-11-06 02:49:41 +00:00
|
|
|
return rc;
|
2022-11-05 01:19:05 +00:00
|
|
|
}
|
|
|
|
|
|
2020-06-15 14:18:57 +00:00
|
|
|
/**
|
2021-06-24 19:31:26 +00:00
|
|
|
* Returns cryptographic random data.
|
|
|
|
|
*
|
2022-04-07 07:15:35 +00:00
|
|
|
* This random number seed generator obtains information from:
|
2021-06-24 19:31:26 +00:00
|
|
|
*
|
2024-02-01 11:39:46 +00:00
|
|
|
* - ProcessPrng() on Windows
|
2021-06-24 19:31:26 +00:00
|
|
|
* - getentropy() on XNU and OpenBSD
|
2022-11-06 02:49:41 +00:00
|
|
|
* - getrandom() on Linux, FreeBSD, and NetBSD
|
|
|
|
|
* - sysctl(KERN_ARND) on older versions of FreeBSD and NetBSD
|
|
|
|
|
*
|
|
|
|
|
* Unlike getentropy() this function is interruptible. However EINTR
|
|
|
|
|
* shouldn't be possible if `f` is zero and `n` is no more than 256,
|
|
|
|
|
* noting that kernels are a bit vague with their promises here, and
|
|
|
|
|
* if you're willing to trade some performance for a more assurances
|
|
|
|
|
* that EINTR won't happen, then either consider using getentropy(),
|
|
|
|
|
* or using the `SA_RESTART` flag on your signal handlers.
|
2021-06-24 19:31:26 +00:00
|
|
|
*
|
2022-11-06 02:49:41 +00:00
|
|
|
* Unlike getentropy() you may specify an `n` greater than 256. When
|
|
|
|
|
* larger amounts are specified, the caller must be prepared for the
|
|
|
|
|
* case where fewer than `n` bytes are returned. In that case, it is
|
|
|
|
|
* likely that a signal delivery occured. Cancellations in mask mode
|
|
|
|
|
* also need to be suppressed while processing the bytes beyond 256.
|
|
|
|
|
* On BSD OSes, this entire process is uninterruptible so be careful
|
|
|
|
|
* when using large sizes if interruptibility is needed.
|
2020-06-15 14:18:57 +00:00
|
|
|
*
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
* Unlike getentropy() this function is a cancelation point. But it
|
2022-11-06 02:49:41 +00:00
|
|
|
* shouldn't be a problem, unless you're using masked mode, in which
|
|
|
|
|
* case extra care must be taken to consider the result.
|
2021-06-24 19:31:26 +00:00
|
|
|
*
|
2022-11-06 02:49:41 +00:00
|
|
|
* It's recommended that `f` be set to zero, although it may include
|
|
|
|
|
* the following flags:
|
|
|
|
|
*
|
|
|
|
|
* - `GRND_NONBLOCK` when you want to elevate the insecurity of your
|
|
|
|
|
* random data
|
|
|
|
|
*
|
|
|
|
|
* - `GRND_RANDOM` if you want to have the best possible chance your
|
|
|
|
|
* program will freeze and the system operator is paged to address
|
|
|
|
|
* the outage by driving to the data center and jiggling the mouse
|
2021-06-24 19:31:26 +00:00
|
|
|
*
|
2022-04-07 07:15:35 +00:00
|
|
|
* @note this function could block a nontrivial time on old computers
|
|
|
|
|
* @note this function is indeed intended for cryptography
|
|
|
|
|
* @note this function takes around 900 cycles
|
2022-10-02 21:58:14 +00:00
|
|
|
* @raise EINVAL if `f` is invalid
|
2022-11-06 02:49:41 +00:00
|
|
|
* @raise ECANCELED if thread was cancelled in masked mode
|
|
|
|
|
* @raise EFAULT if the `n` bytes at `p` aren't valid memory
|
|
|
|
|
* @raise EINTR if we needed to block and a signal was delivered instead
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
* @cancelationpoint
|
2021-06-24 19:31:26 +00:00
|
|
|
* @asyncsignalsafe
|
2022-03-25 14:11:44 +00:00
|
|
|
* @restartable
|
2021-06-24 19:31:26 +00:00
|
|
|
* @vforksafe
|
2020-06-15 14:18:57 +00:00
|
|
|
*/
|
2021-06-24 19:31:26 +00:00
|
|
|
ssize_t getrandom(void *p, size_t n, unsigned f) {
|
|
|
|
|
ssize_t rc;
|
2022-11-06 02:49:41 +00:00
|
|
|
if ((!p && n) || (IsAsan() && !__asan_is_valid(p, n))) {
|
|
|
|
|
rc = efault();
|
2023-10-09 00:56:59 +00:00
|
|
|
} else if (f & ~(GRND_RANDOM | GRND_NONBLOCK)) {
|
2022-10-02 21:58:14 +00:00
|
|
|
rc = einval();
|
2021-09-28 05:58:51 +00:00
|
|
|
} else {
|
2022-11-06 02:49:41 +00:00
|
|
|
rc = __getrandom(p, n, f);
|
2020-06-15 14:18:57 +00:00
|
|
|
}
|
2022-11-06 02:49:41 +00:00
|
|
|
STRACE("getrandom(%p, %'zu, %#x) → %'ld% m", p, n, f, rc);
|
2020-06-15 14:18:57 +00:00
|
|
|
return rc;
|
|
|
|
|
}
|
2021-06-24 19:31:26 +00:00
|
|
|
|
Release Cosmopolitan v3.3
This change upgrades to GCC 12.3 and GNU binutils 2.42. The GNU linker
appears to have changed things so that only a single de-duplicated str
table is present in the binary, and it gets placed wherever the linker
wants, regardless of what the linker script says. To cope with that we
need to stop using .ident to embed licenses. As such, this change does
significant work to revamp how third party licenses are defined in the
codebase, using `.section .notice,"aR",@progbits`.
This new GCC 12.3 toolchain has support for GNU indirect functions. It
lets us support __target_clones__ for the first time. This is used for
optimizing the performance of libc string functions such as strlen and
friends so far on x86, by ensuring AVX systems favor a second codepath
that uses VEX encoding. It shaves some latency off certain operations.
It's a useful feature to have for scientific computing for the reasons
explained by the test/libcxx/openmp_test.cc example which compiles for
fifteen different microarchitectures. Thanks to the upgrades, it's now
also possible to use newer instruction sets, such as AVX512FP16, VNNI.
Cosmo now uses the %gs register on x86 by default for TLS. Doing it is
helpful for any program that links `cosmo_dlopen()`. Such programs had
to recompile their binaries at startup to change the TLS instructions.
That's not great, since it means every page in the executable needs to
be faulted. The work of rewriting TLS-related x86 opcodes, is moved to
fixupobj.com instead. This is great news for MacOS x86 users, since we
previously needed to morph the binary every time for that platform but
now that's no longer necessary. The only platforms where we need fixup
of TLS x86 opcodes at runtime are now Windows, OpenBSD, and NetBSD. On
Windows we morph TLS to point deeper into the TIB, based on a TlsAlloc
assignment, and on OpenBSD/NetBSD we morph %gs back into %fs since the
kernels do not allow us to specify a value for the %gs register.
OpenBSD users are now required to use APE Loader to run Cosmo binaries
and assimilation is no longer possible. OpenBSD kernel needs to change
to allow programs to specify a value for the %gs register, or it needs
to stop marking executable pages loaded by the kernel as mimmutable().
This release fixes __constructor__, .ctor, .init_array, and lastly the
.preinit_array so they behave the exact same way as glibc.
We no longer use hex constants to define math.h symbols like M_PI.
2024-02-20 19:12:09 +00:00
|
|
|
__attribute__((__constructor__(30))) static textstartup void getrandom_init(
|
|
|
|
|
void) {
|
2022-03-19 10:37:00 +00:00
|
|
|
int e, rc;
|
Apply clang-format update to repo (#1154)
Commit bc6c183 introduced a bunch of discrepancies between what files
look like in the repo and what clang-format says they should look like.
However, there were already a few discrepancies prior to that. Most of
these discrepancies seemed to be unintentional, but a few of them were
load-bearing (e.g., a #include that violated header ordering needing
something to have been #defined by a 'later' #include.)
I opted to take what I hope is a relatively smooth-brained approach: I
reverted the .clang-format change, ran clang-format on the whole repo,
reapplied the .clang-format change, reran clang-format again, and then
reverted the commit that contained the first run. Thus the full effect
of this PR should only be to apply the changed formatting rules to the
repo, and from skimming the results, this seems to be the case.
My work can be checked by applying the short, manual commits, and then
rerunning the command listed in the autogenerated commits (those whose
messages I have prefixed auto:) and seeing if your results agree.
It might be that the other diffs should be fixed at some point but I'm
leaving that aside for now.
fd '\.c(c|pp)?$' --print0| xargs -0 clang-format -i
2024-04-25 17:38:00 +00:00
|
|
|
if (IsWindows() || IsMetal())
|
|
|
|
|
return;
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
BLOCK_CANCELATION;
|
2022-10-17 18:02:04 +00:00
|
|
|
e = errno;
|
2022-03-19 10:37:00 +00:00
|
|
|
if (!(rc = sys_getrandom(0, 0, 0))) {
|
2021-06-24 19:31:26 +00:00
|
|
|
have_getrandom = true;
|
2022-11-03 16:32:12 +00:00
|
|
|
} else {
|
|
|
|
|
errno = e;
|
2021-06-24 19:31:26 +00:00
|
|
|
}
|
Make improvements
- We now serialize the file descriptor table when spawning / executing
processes on Windows. This means you can now inherit more stuff than
just standard i/o. It's needed by bash, which duplicates the console
to file descriptor #255. We also now do a better job serializing the
environment variables, so you're less likely to encounter E2BIG when
using your bash shell. We also no longer coerce environ to uppercase
- execve() on Windows now remotely controls its parent process to make
them spawn a replacement for itself. Then it'll be able to terminate
immediately once the spawn succeeds, without having to linger around
for the lifetime as a shell process for proxying the exit code. When
process worker thread running in the parent sees the child die, it's
given a handle to the new child, to replace it in the process table.
- execve() and posix_spawn() on Windows will now provide CreateProcess
an explicit handle list. This allows us to remove handle locks which
enables better fork/spawn concurrency, with seriously correct thread
safety. Other codebases like Go use the same technique. On the other
hand fork() still favors the conventional WIN32 inheritence approach
which can be a little bit messy, but is *controlled* by guaranteeing
perfectly clean slates at both the spawning and execution boundaries
- sigset_t is now 64 bits. Having it be 128 bits was a mistake because
there's no reason to use that and it's only supported by FreeBSD. By
using the system word size, signal mask manipulation on Windows goes
very fast. Furthermore @asyncsignalsafe funcs have been rewritten on
Windows to take advantage of signal masking, now that it's much more
pleasant to use.
- All the overlapped i/o code on Windows has been rewritten for pretty
good signal and cancelation safety. We're now able to ensure overlap
data structures are cleaned up so long as you don't longjmp() out of
out of a signal handler that interrupted an i/o operation. Latencies
are also improved thanks to the removal of lots of "busy wait" code.
Waits should be optimal for everything except poll(), which shall be
the last and final demon we slay in the win32 i/o horror show.
- getrusage() on Windows is now able to report RUSAGE_CHILDREN as well
as RUSAGE_SELF, thanks to aggregation in the process manager thread.
2023-10-08 12:36:18 +00:00
|
|
|
ALLOW_CANCELATION;
|
2022-06-23 21:09:32 +00:00
|
|
|
STRACE("sys_getrandom(0,0,0) → %d% m", rc);
|
2021-06-24 19:31:26 +00:00
|
|
|
}
|