Add notpossible keyword

This is the same as `unreachable` except it always traps violations,
even if we're not running in MODE=dbg. This is useful for impossible
conditions relating to system calls. It avoids terrifying bugs where
control falls through to an unrelated function.

.vscode/c_cpp_properties.json

@@ -46,7 +46,8 @@
 				"testonly=",
 				"donothing=",
 				"nosideeffect=",
-				"unreachable=",
+				"unreachable=",,
+				"notpossible=",
 				"thatispacked=",
 				"dontthrow=",
 				"nocallback=",

libc/calls/execve-nt.greg.c

@@ -121,5 +121,5 @@ textwindows int sys_execve_nt(const char *program, char *const argv[],
   } while (dwExitCode == kNtStillActive);
   __imp_CloseHandle(procinfo.hProcess);
   __imp_ExitProcess(dwExitCode);
-  unreachable;
+  notpossible;
 }

libc/calls/pledge-linux.c

@@ -74,12 +74,6 @@
 #define PLEDGE(pledge) pledge, ARRAYLEN(pledge)
 #define OFF(f)         offsetof(struct seccomp_data, f)
 
-#define AbortPledge(reason) \
-  do {                      \
-    asm("hlt");             \
-    unreachable;            \
-  } while (0)
-
 struct Filter {
   size_t n;
   struct sock_filter p[700];
@@ -992,7 +986,7 @@ static privileged void OnSigSys(int sig, siginfo_t *si, void *vctx) {
       // fallthrough
     case PLEDGE_PENALTY_KILL_THREAD:
       KillThisThread();
-      unreachable;
+      notpossible;
     default:
       break;
   }
@@ -1006,14 +1000,14 @@ static privileged void MonitorSigSys(void) {
   };
   // we block changing sigsys once pledge is installed
   // so we aren't terribly concerned if this will fail
-  if (SigAction(Sigsys, &sa, 0) == -1) asm("hlt");
+  if (SigAction(Sigsys, &sa, 0) == -1) {
+    notpossible;
+  }
 }
 
 static privileged void AppendFilter(struct Filter *f, struct sock_filter *p,
                                     size_t n) {
-  if (UNLIKELY(f->n + n > ARRAYLEN(f->p))) {
-    AbortPledge("need to increase array size");
-  }
+  if (UNLIKELY(f->n + n > ARRAYLEN(f->p))) notpossible;
   MemCpy(f->p + f->n, p, n * sizeof(*f->p));
   f->n += n;
 }
@@ -1857,7 +1851,7 @@ static privileged void AppendPledge(struct Filter *f,   //
       };
       AppendFilter(f, PLEDGE(fragment));
     } else {
-      AbortPledge("list of ordinals exceeds max displacement");
+      notpossible;
     }
   }
 
@@ -1953,7 +1947,7 @@ static privileged void AppendPledge(struct Filter *f,   //
         AllowTkillSelf(f);
         break;
       default:
-        AbortPledge("switch forgot to define a special ordinal");
+        notpossible;
     }
   }
 }
@@ -1987,7 +1981,7 @@ privileged int sys_pledge_linux(unsigned long ipromises, int mode) {
       if (kPledge[i].len) {
         AppendPledge(&f, kPledge[i].syscalls, kPledge[i].len);
       } else {
-        AbortPledge("bad ipromises");
+        notpossible;
       }
     }
   }
@@ -2020,7 +2014,7 @@ privileged int sys_pledge_linux(unsigned long ipromises, int mode) {
         sf[0].k = SECCOMP_RET_ERRNO | Eperm;
         break;
       default:
-        unreachable;
+        return -Einval;
     }
     AppendFilter(&f, PLEDGE(sf));
   }

libc/calls/sigenter-xnu.c

@@ -531,5 +531,5 @@ privileged void __sigenter_xnu(void *fn, int infostyle, int sig,
                : "=a"(ax)
                : "0"(0x20000b8 /* sigreturn */), "D"(xnuctx), "S"(infostyle)
                : "rcx", "r11", "memory", "cc");
-  unreachable;
+  notpossible;
 }

libc/calls/statfs2cosmo.c

@@ -281,8 +281,7 @@ void statfs2cosmo(struct statfs *f, const union statfs_meta *m) {
     memcpy(f_fstypename, m->netbsd.f_fstypename, 16);
 
   } else {
-    asm("hlt");
-    unreachable;
+    notpossible;
   }
 
   f->f_type = f_type;

libc/calls/tmpfd.c

@@ -98,8 +98,7 @@ int tmpfd(void) {
                    0600)) != -1) {
       if (!IsWindows()) {
         if (unlink(path)) {
-          asm("hlt");
-          unreachable;
+          notpossible;
         }
       }
       return fd;

libc/integral/c.inc

@@ -591,6 +591,12 @@ typedef struct {
 #endif
 #endif
 
+#define notpossible \
+  do {              \
+    asm("hlt");     \
+    unreachable;    \
+  } while (0)
+
 #define donothing \
   do {            \
   } while (0)

libc/runtime/abort.c

@@ -40,6 +40,5 @@ wontreturn void abort(void) {
   raise(SIGABRT);
   signal(SIGABRT, SIG_DFL);
   raise(SIGABRT);
-  asm("hlt");
-  unreachable;
+  notpossible;
 }

libc/sock/nointernet.c

@@ -66,8 +66,7 @@
   do {                                                        \
     if (UNLIKELY((x) == -1)) {                                \
       DEBUG("%s:%d: %s failed %m\n", __FILE__, __LINE__, #x); \
-      asm("hlt");                                             \
-      unreachable;                                            \
+      notpossible;                                            \
     }                                                         \
   } while (0)
 

tool/emacs/c.lang

@@ -117,6 +117,7 @@ Keywords={
 "reallocesque",
 "nullterminated",
 "unreachable",
+"notpossible",
 "hidden",
 "privileged",
 "hasatleast",

tool/emacs/cosmo-c-keywords.el

@@ -61,6 +61,7 @@
            "reallocesque"
            "nullterminated"
            "unreachable"
+           "notpossible"
            "hidden"
            "privileged"
            "hasatleast"

tool/emacs/key.py

@@ -378,6 +378,7 @@ cosmo_kws = frozenset([
   "threadlocal",
   "typeof",
   "unreachable",
+  "notpossible",
   "warnifused",
   "winstruct",
   "nocallersavedregisters",
@@ -440,6 +441,7 @@ cosmo_kws = frozenset([
   "threadlocal",
   "typeof",
   "unreachable",
+  "notpossible",
   "warnifused",
   "winstruct",
   "nocallersavedregisters",