Problem reported by Joseph Myers in:
https://gcc.gnu.org/ml/gcc-patches/2015-05/msg00704.html
* localtime.c (detzcode, detzcode64): Don't rely on
undefined behavior with left shift into sign bit.
Port better to non-2's-complement machines.
* private.h (TWOS_COMPLEMENT, MAXVAL, MINVAL): New macros.
* private.h (time_t_min, time_t_max):
* zic.c (min_time, max_time): Use them to avoid undefined behavior.
* zdump.c (atime_shift): New constant.
(absolute_min_time, absolute_max_time):
Use it to avoid undefined behavior.
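
The left-shift fix described in the entry above, as an added example that is not tz's own code: a 4-byte big-endian decoder that never shifts a bit into the sign position. The name `decode_be32` is hypothetical, and the sketch assumes a two's-complement encoding in the input; it does not cover the non-2's-complement porting the entry mentions.

```c
#include <stdint.h>

/* Added illustration; decode_be32 is a hypothetical name, not tz's detzcode.
   Decodes a 4-byte big-endian two's-complement value.

   The tempting form
       result = (result << 8) | byte;
   applied to all four bytes of a signed 32-bit accumulator shifts a 1
   into the sign bit whenever the top bit of the first byte is set, which
   is undefined behavior in C.  Here only the low 31 bits are accumulated
   and the sign is applied arithmetically afterwards. */
int_fast32_t decode_be32(const unsigned char *p)
{
    const int_fast32_t maxval = 0x7fffffff;
    const int_fast32_t minval = -1 - maxval;   /* -2^31, computed without overflow */
    int_fast32_t result = p[0] & 0x7f;         /* drop the encoded sign bit */
    int i;

    for (i = 1; i < 4; i++)
        result = (result << 8) | p[i];         /* never exceeds 2^31 - 1 */

    if (p[0] & 0x80)
        result += minval;                      /* value in [0, 2^31 - 1] minus 2^31 */
    return result;
}
```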
Its function 'scheck' can be done more efficiently inline.
* Makefile (TZCOBJS): Remove scheck.o.
(NONLIBSRCS): Remove scheck.c.
(scheck.o): Remove.
* private.h (scheck): Remove decl.
* scheck.c: Remove.
* zic.c (gethms, inleap, rulesub): Instead of scheck, use sscanf
directly, with %c appended to the format to detect excess input.
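
The `%c` technique described in the entry above, as an added example that is not zic's code: each candidate format ends in `%c`, and the input is accepted only when sscanf converts exactly the numeric fields and nothing more. The helper name `parse_hms`, the field widths and the range limits are assumptions made for this sketch.

```c
#include <stdio.h>

/* Added illustration; parse_hms is a hypothetical helper, not zic's gethms.
   Accepts "h", "h:m" or "h:m:s" and stores the total in seconds.
   Returns 0 on success, -1 on malformed input or trailing characters. */
int parse_hms(const char *s, long *seconds)
{
    int h = 0, m = 0, sec = 0;
    char extra;   /* written only if something follows the last number */

    /* Every format ends in %c.  A return value equal to the number of
       numeric fields means the string ended exactly where it should;
       one more means excess input, fewer means a malformed field.
       The field widths bound the digits so %d cannot overflow an int.
       A failed attempt may store partial values, but the attempt that
       finally succeeds overwrites every field it covers. */
    int ok = sscanf(s, "%4d%c", &h, &extra) == 1
          || sscanf(s, "%4d:%2d%c", &h, &m, &extra) == 2
          || sscanf(s, "%4d:%2d:%2d%c", &h, &m, &sec, &extra) == 3;
    if (!ok)
        return -1;

    /* %d also accepts a sign, so range-check after parsing. */
    if (h < 0 || m < 0 || m > 59 || sec < 0 || sec > 59)
        return -1;
    *seconds = h * 3600L + m * 60L + sec;
    return 0;
}
```

A single `"%d:%d:%d%c"` format is not enough here: it returns 2 for both `1:30` and `1:30x`, which is why each accepted shape gets its own format.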
One of its functions, icpyalloc, duplicates the now-standard
function strdup, and we might as well use the standard function.
Its other function, icatalloc, is used only in O(N**2) algorithms
that can be rewritten to be O(N).
* Makefile: Mention HAVE_STRDUP in commentary.
(TZCOBJS): Remove ialloc.o.
(NONLIBSRCS): Remove ialloc.c.
(ialloc.o): Remove.
* ialloc.c: Remove.
* private.h (HAVE_STRDUP): New macro, defaulting to 1.
(icatalloc, icpyalloc): Remove decls.
* zic.c (end): Remove.
(strdup) [!HAVE_STRDUP]: New function.
(memcheck): Arg is no longer a const pointer, since the
result isn't.
(emalloc, erealloc, ecpyalloc): Now functions, not macros.
(ecpyalloc): Use strdup, not icpyalloc.
(ecatalloc): Remove. All callers changed.
(componentcheck): Check that file name components are nonempty;
otherwise, relname might return nonsense.
(relname): New function.
(dolink, itsdir, writezone): Use it.
(dolink, stringrule, stringzone):
Rewrite to avoid O(N**2) algorithm involving 'strcat' and 'end'.
(writezone): Use local, not static, to store fullname,
and free it before returning.
(doabbr, stringoffset): Return strlen of result.
Allow libraries built with -Dtime_tz=... to be used in executables
that also use standard-library time_t and libraries.
(Problem reported by Bradley White.)
* NEWS: Document this.
* private.h (localtime_rz, mktime_rz, posix2time_z, time2posix_z)
(tzalloc, tzfree, tzset, tzsetwall) [time_tz]: Define to
tz_localtime_rz etc., so that these functions can be used in the
same executable as standard functions with standard time_t.
(tzset, tzsetwall) [time_tz]: Declare, so that the tz_-prefixed
version is declared.
Christos Zoulas reported a crash due to a tzsetlcl failure to
initialize data in some places, and requested that errno be set
when time functions fail; see:
http://mm.icann.org/pipermail/tz/2014-October/021754.html
While fixing this in a different way, I noticed and fixed another
instance of undefined behavior when read returns a too-small value.
* NEWS: Document this.
* localtime.c (union input_buffer): Rename from u_t.
(union input_buffer, union local_storage):
Move to top level so that two functions can use them.
(tzloadbody): New function, with most of the body of the old tzload.
Check for short reads that leave uninitialized buffers behind.
Define a new constant TZHEADSIZE for this, and use it to simplify
other code that already uses the concept.
(tzload): Use it. This removes the need for gotos. Return an errno
value; all callers changed.
(zoneinit): Return bool, not struct state *. Assume SP is nonnull.
All callers changed.
(zoneinit, tzalloc): Set errno on failure.
(tzsetlcl): Don't crash if zoneinit fails.
* private.h (ENAMETOOLONG): Define if not already defined.
See: http://mm.icann.org/pipermail/tz/2014-October/021692.html
* asctime.c (asctime_r): Remove now-unnecessary EOVERFLOW ifdef.
* localtime.c (timesub): Set errno to EOVERFLOW on overflow.
POSIX requires this.
(ctime, ctime_r): Return NULL instead of having undefined behavior
when the time stamp is out of struct tm range. NetBSD does this,
the standards allow it, and it's nicer for users.
* private.h (EOVERFLOW): Default to EINVAL on ancient hosts that lack it.
* NEWS: Document this.
This is mostly for convenience, so that plain 'make' works out of
the box on Solaris, instead of having to run something awkward like
'make CFLAGS="-xc99=all -DHAVE_INCOMPATIBLE_CTIME_R=1"', and
similarly for Irix 6.5.
* private.h (_POSIX_PTHREAD_SEMANTICS):
* private.h, zdump.c (__EXTENSIONS__):
New macros, to make Solaris headers more like what we want out
of the box.
(LLONG_MAX, LLONG_MIN): Default from __LONG_LONG_MAX__ if it's defined.
This simplifies later code.
(SCNdFAST64, PRIdMAX): Don't assume they're defined when
INT_FAST64_MAX is, as that's not true on Solaris 10 + Sun C 5.12.
(PRIuMAX): Likewise, for Solaris 11 + Sun C 5.12.
* zdump.c (HAVE_LOCALTIME_RZ): Default to 1 only if TM_ZONE.
* Makefile, NEWS: Document this.
* Makefile, NEWS: Document this.
* localtime.c (NETBSD_INSPIRED_EXTERN): New macro.
(zoneinit): New function, with tzset_unlocked's internals.
(tzset_unlocked): Use it.
(tzalloc, tzfree) [NETBSD_INSPIRED]: New functions.
(localsub, gmtsub, time2sub, time2, time1, leapcorr):
New time zone argument. All uses changed.
(localsub, gmtsub): Cast to char *, since the time zone argument
is a pointer-to-const.
(localtime_rz): New function, with localtime_tzset's internals.
(localtime_tzset): Use it.
(mktime_z): New function, with mktime's internals.
(mktime): Use it.
(leapcorr): Pass time_t by value, not by reference.
(time2posix_z): New function, with time2posix's internals.
(time2posix): Use it. Omit unnecessary local.
(posix2time_z): New function, with posix2time's internals.
(posix2time): Use it.
* private.h (NETBSD_INSPIRED): Default to 1.
(localtime_rz, mktime_z, timezone_t, strftime, tzalloc, tzfree):
Define if NETBSD_INSPIRED is defined.
Use macros to avoid any clashes with <time.h>.
(posix2time_z, time2posix_z): Likewise, but only if
STD_INSPIRED is also defined.
These files were removed from Solaris long ago,
and are not present on any current platforms.
* Makefile, NEWS: Document this.
* private.h (LOCALE_HOME): Remove.
* strftime.c: Assume LOCALE_HOME is not defined.
Do not include sys/stat.h.
(localebuf, _loc) [LOCALE_HOME]: Remove. All uses removed.
* localtime.c (SMALLEST): New macro.
(time2sub) [TM_GMTOFF && !UNINIT_TRAP]:
If the UTC offset doesn't match the request, try the requested offset.
This catches a problem caught by -DTYPECHECK with a time stamp
near a transition from LMT to standard time, where both sides of
the transition have tm_isdst == 0. If !defined TM_GMTOFF ||
UNINIT_TRAP you're out of luck: mktime will still conform
to its spec but it'll be more likely to guess wrong on these
ambiguous inputs.
* private.h (UNINIT_TRAP): New macro that defaults to 0.
* Makefile, NEWS: Document this.
* localtime.c (LOCALTIME_IMPLEMENTATION): New macro.
(time) [time_tz]: Move here from private.h, and make external.
* private.h (sys_time) [time_tz]: Define only if
LOCALTIME_IMPLEMENTATION, so that the code doesn't define an unused
static function sys_time that the compiler might complain about.
(time) [time_tz]: Move to localtime.c.
* NEWS: Document this.
* private.h (offtime, posix2time, time2posix, timeoff) [time_tz]:
Define tz_* replacements for these functions too.
(asctime_r): Move to after time_tz definitions, to keep like
declarations together.
(tzsetwall) [STD_INSPIRED]: Declare if not defined.
(offtime, timeoff, time2posix, posix2time) [STD_INSPIRED]:
Declare if not defined, or if time_tz is defined.
* NEWS: Document this.
These changes pacify gcc 4.8.2-19ubuntu1 on Ubuntu 14.04,
and take advantage of recently-added GCC options when compiling
with GCC_DEBUG_FLAGS.
* Makefile (GCC_DEBUG_FLAGS): Add -Wdeclaration-after-statement,
-Wjump-misses-init, -Wsuggest-attribute=format.
* date.c (copyright, sccsid):
* strftime.c (sccsid):
Remove unused vars.
* date.c (main):
* localtime.c (tzparse):
Remove no-longer-needed uses of INITIALIZE; GCC is smart enough to
figure these out on its own now.
* localtime.c (gmtsub): Redo initialization of gmt_is_set to pacify GCC.
Retry malloc next time even if it failed this time.
* private.h, zdump.c (GNUC_or_lint): Remove, as it provoked a GCC
diagnostic about unused macros in some cases. Instead, just use
'lint'. All uses removed.
(TZ_DOMAIN): Don't define unless needed, as otherwise it provokes
a GCC diagnostic about unused macros.
* private.h (INITIALIZE): Simplify accordingly.
* NEWS: Document this.
This was appropriate before Unicode, where "`" and "'" often balanced
in visual output, but that's been obsolete for a while.
Overall, single-quote 'like this' instead of `like this', and
double-quote "like this" or (in typeset output) “like this”
instead of ``like this''. While we're at it, fix some glitches
with hyphens versus minus versus en dash versus em dash.
* Makefile ($(MANTXTS)): Use UTF-8 locale to produce *.txt output.
* checktab.awk, tzselect.ksh:
Quote 'like this' in diagnostics, instead of `like this'.
* date.1, newctime.3, newtzset.3, time2posix.3, zic.8 (q, lq, rq):
New macros. Use them for better double-quoting in output.
* workman.sh: Tell Perl that its stdin and stdout are UTF-8.
* NEWS: Document this.
Also, allocate memory faster by growing buffers by a factor of 1.5
each time, rather than simply adding 1 to the size.
* private.h (SIZE_MAX): New macro, for older systems lacking it.
* zic.c (nrules_alloc, nzones_alloc, nlinks_alloc): New static vars.
(memory_exhausted, size_product, growalloc): New functions.
(memcheck, inrule, inzsub, inlink, getfields): Use them.
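
The 1.5x growth policy with overflow checks described in the entry above, as an added example that is not zic's code. The names `checked_size_product`, `grow_array` and `count_reallocs` are hypothetical, and this sketch returns NULL on failure, which is a choice made here rather than something the entry states.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added illustration; all names here are hypothetical, not zic's own.
   Returns nitems * itemsize, or 0 if itemsize is 0 or the product wraps. */
size_t checked_size_product(size_t nitems, size_t itemsize)
{
    if (itemsize == 0 || SIZE_MAX / itemsize < nitems)
        return 0;
    return nitems * itemsize;
}

/* Make room for item index nitems.  Capacity grows to n + n/2 + 1, so
   appending N items costs O(log N) reallocations rather than N.  Returns
   NULL on overflow or allocation failure, leaving ptr and *nalloc as is. */
void *grow_array(void *ptr, size_t itemsize, size_t nitems, size_t *nalloc)
{
    size_t newcap, nbytes;
    void *p;
    if (nitems < *nalloc)
        return ptr;                          /* still room */
    if ((SIZE_MAX - 1) / 3 * 2 < *nalloc)
        return NULL;                         /* n + n/2 + 1 would wrap */
    newcap = *nalloc + (*nalloc >> 1) + 1;
    nbytes = checked_size_product(newcap, itemsize);
    if (nbytes == 0)
        return NULL;                         /* byte count would wrap */
    p = realloc(ptr, nbytes);
    if (p != NULL) *nalloc = newcap;
    return p;
}

/* Append n ints one at a time; return how many times the buffer grew. */
int count_reallocs(size_t n)
{
    int *buf = NULL;
    int grew = 0;
    size_t used, cap = 0;
    for (used = 0; used < n; used++) {
        size_t before = cap;
        int *p = grow_array(buf, sizeof *buf, used, &cap);
        if (p == NULL) break;
        buf = p;
        grew += (cap != before);
        buf[used] = (int)used;
    }
    free(buf);
    return grew;
}
```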
MinGW problem reported by Theo Veenker in
<http://mm.icann.org/pipermail/tz/2013-September/020378.html>.
The patched code should work even on POSIXish hosts
where 'link' and 'symlink' fail for whatever reason,
e.g., if the destination file system is VFAT.
Also, the patch fixes some bugs when symlinks are used.
* Makefile (CFLAGS): Mention HAVE_LINK in the comment.
(TZDSRCS): Add asctime.o, since MinGW lacks asctime.
(TZDOBJS): Add asctime.c.
* private.h (HAVE_LINK): Default to 1.
* zic.c (link) [!HAVE_LINK]: New macro.
(symlink) [!HAVE_SYMLINK]: New macro.
(dolink): Fix some bugs when 'link' fails but 'symlink' succeeds.
Fall back on copying when both fail.
* NEWS: Document the above.
Since we assume C89 now, it's safe to use vfprintf.
(verror): New function, with the old implementation of 'error'
but with a va_list API.
(error, warning): Use it.
(associate, gethms): Pass explicit %s to avoid GCC warning about
possibly unsafe formats.
(inzone, outzone, newabbr): Simplify by using the new error or
warning functions, avoiding the need to allocate and free memory.
* private.h (ATTRIBUTE_FORMAT): New macro.
* date.1: Document -r.
* date.c (main, usage): Support -r.
(main, reset): Remove EBUG code.
(display): New argument NOW. Do not exit; that's now the
caller's responsibility. All callers changed.
(display, timeout, convert, checkfinal, iffy):
Don't assume that localtime and gmtime succeed.
This prevents a core dump for, e.g., 'date -r 0xffffffffffffffff'.
* private.h: Include float.h.
(strtoimax): New macro, for pre-C99 systems that lack strtoimax.
(time_t_min, time_t_max): New constants, from zdump, with
different names to avoid a clash when zdump.c includes private.h.
See the thread starting with Clive D.W. Feather's comments in
<http://mm.icann.org/pipermail/tz/2013-August/019496.html>.
* localtime.c (truncate_time): Don't bother with uintmax_t,
as using it doesn't help on any known platform.
* private.h (UINTMAX_MAX): Remove.
Problem reported by Alois Treindl in
<http://mm.icann.org/pipermail/tz/2013-August/019493.html>.
* localtime.c (truncate_time): New function.
(localsub): Use it to avoid undefined behavior on integer overflow.
* private.h (INTMAX_MAX, INTMAX_MIN, UINTMAX_MAX):
New macros, for older platforms that lack them.
I audited the code and fixed as many width-assumptions as I could
find, including several places where the code assumed that 'time_t'
was no wider than 'long'; this assumption is not true on 32-bit
NetBSD platforms. This caught every problem that is already fixed
in the NetBSD zic.c, and caught quite a few more.
* Makefile: Add comments re HAVE_DOS_FILE_NAMES and HAVE_INTTYPES_H.
* date.c (checkfinal, netsettime): Don't use 'long' where 'int' will do.
* difftime.c (difftime): Mark with ATTRIBUTE_CONST.
Use uintmax_t, not unsigned long, for the widest unsigned integer type.
Use long double, not double, if time_t is wider than uintmax_t;
this can in theory help on nonstandard platforms, such as GCC
with 64-bit uintmax_t and 128-bit __int128_t.
* localtime.c (struct ttinfo.tt_gmtoff, struct rule.r_time)
(detzcode, getsecs, getoffset, gmtsub, localsub, increment_overflow32)
(normalize_overflow32, time1, time2, timesub, transtime, tzparse)
(time2sub, timeoff, gtime):
* tzfile.h (SECSPERDAY):
* zdump.c (SECSPERDAY):
* zic.c (convert, puttzcode):
Use int_fast32_t, not long, when all we care is that values up to
2**31 can be stored. This doesn't fix any bugs, but it allows
more opportunity for compiler optimization.
(struct lsinfo.ls_corr, timesub, leapcorr):
Use int_fast64_t, not long, when values up to 2**63 can be stored.
(timesub): Make it clearer when we are truncating 0.5 to 0.
(increment_overflow32): Rename from long_increment_overflow.
All uses changed.
(normalize_overflow32): Rename from long_normalize_overflow.
All uses changed.
* private.h (HAVE_INTTYPES_H, ATTRIBUTE_CONST): New macros.
Include <inttypes.h> if HAVE_INTTYPES_H.
(INT_FAST64_MIN, INT_FAST64_MAX, SCNdFAST64, int_fast32_t, PRIdMAX)
(uintmax_t, PRIuMAX, _Noreturn):
Define to reasonable values if it's an older compiler.
* scheck.c (scheck): Add support for arbitrary formats, such as
those that SCNdFAST64 can expand to, at the price of no longer
supporting weird conversion specs like "%[%]".
* strftime.c (_fmt): Use intmax_t and uintmax_t to format time_t,
not long and unsigned long.
* zdump.c (int_fast32_t, intmax_t, PRIdMAX, SCNdMAX):
Define for pre-C99 compilers, like private.h does.
(delta, yeartot, main): Use intmax_t, not long.
(hunt): Use time_t, not long, since the diff must be nonnegative.
(tformat): Allow for time_t wider than long.
* zic.c (ZIC_MIN, ZIC_MAX, SCNdZIC): New macros.
(OFFSET_STRLEN_MAXIMUM, RULE_STRLEN_MAXIMUM): Remove.
(struct rule): Make r_loyear, r_hiyear, r_tod, r_stdoff, z_gmtoff,
z_stdoff zic_t, not long.
(addtype, gethms, oadd, rpytime, tadd, gmtoffs, corr, inleap)
(stringoffset, stringrule, outzone, addtype, adjleap, rpytime)
(LDAYSPERWEEK):
Use zic_t, not long.
(leapminyear, leapmaxyear, min_year, max_year, rulesub, updateminmax)
(outzone, rpytime):
Use zic_t, not int.
(usage): Now _Noreturn.
(main): Use S_IWGRP, not 'unix', to determine whether to call umask.
(writezone): Omit unnecessary cast.
(mkdirs): Use HAVE_DOS_FILE_NAMES, not 'unix', to determine
whether to parse DOS file names.
(eitol): Remove; no longer needed.
This makes it easier to test on (say) Debian, even if we're
testing the time_t type on (say) NetBSD. NetBSD uses 64-bit
time_t on 32-bit hosts, and this lets us test a NetBSD-style
implementation (32-bit 'long', 64-bit time_t) on a 32-bit Debian host.
* Makefile: Update comments to talk about TIME_T_FLOATING and time_tz.
Sort the comments.
* private.h (restrict): Define to empty with older compilers.
'restrict' is now needed, to define gmtime_r and localtime_r in
standard ways when time_tz is defined.
Make the following changes if time_tz is defined:
(sys_time, time): New static functions. The former is the system
'time' function that applies to the system time_t, the latter
our function that applies to our time_t.
(time_t, ctime, ctime_r, difftime, gmtime, gmtime_r, localtime)
(localtime_r, mktime): Rename to tz_time_t, tz_ctime, etc.,
via macros. Declare the renamed versions.
* zdump.8: Document new options -V, -t.
* zdump.c: Include private.h if time_tz is defined.
(INITIALIZE): Remove; no longer needed.
(absolute_min_time, absolute_max_time): Work even if time_t
is wider than intmax_t, which can be true with GCC and __int128_t.
Use the new TIME_T_FLOATING macro for this.
(usage): Document new flags.
(main): Support them.