This pacifies ‘make sc_cast_of_argument_to_free’, which otherwise
complains about the ‘free ((void *) elt)’ in dispose_file_to_delete.
Rather than worry about pacifying that ‘make’ rule,
simplify memory allocation by doing the linked list by hand,
with a ‘next’ member the way our grandfathers did it.
This reduces the number of source code lines by 23,
removes the need for Gnulib’s linked-list and xlist modules,
and makes the code type-safer (as opposed to going through void *).
* bootstrap.conf (gnulib_modules): Remove linked-list, xlist.
* src/patch.c: Do not include gl_linked_list.h, gl_xlist.h.
(struct file_to_delete): New member ‘next’.
(files_to_delete): Now struct file_to_delete *, not gl_list_t.
(dispose_file_to_delete, init_files_to_delete):
Remove; no longer needed.
(files_to_delete_tail): New static var.
(delete_file_later): Append the new file by hand.
(delete_files): Iterate and free by hand.
Refactor by using a sig_atomic_t variable instead of a sigprocmask
call to defer signals. This should be good enough for a
single-thread app where we write all the code that needs critical
sections, and where the signal handler merely cleans up and exits.
The resulting code should have the same behavior (including
signal-handling races!) as the original.
* bootstrap.conf (gnulib_modules): Remove sigaction, sigprocmask.
Instead, use sigaction only if it’s supported natively,
as the Gnulib emulation of sigaction drags in code we no longer need.
* configure.ac: Check for sigaction, sigfillset.
* src/patch.c (fatal_cleanup): New async-signal-safe function,
which does the cleanup that the old fatal_exit (SIG) did when SIG
was nonzero.
(fatal_exit): Do what the old fatal_exit (SIG) did when SIG was zero.
Omit SIG arg. All callers changed. This function is no longer
called from signal handlers, and so no longer needs to be
async-signal-safe under some circumstances. However, it now
defers signals.
* src/util.c (signal_received): New static var.
(signal_deferring_level): Now sig_atomic_t.
(fatal_cleanup_and_terminate, handle_signal): New functions.
(defer_signals, undefer_signals): Reimplement by
using sig_atomic_t volatile vars, not by using sigprocmask.
(init_signals): Don’t assume SIGPIPE since we don’t use the
Gnulib sigpipe module. Use simple sigfillset signal mask
so that we needn’t use sigprocmask to inquire about the
current signal mask. Have a fallback for old platforms
that lack sigaction and sigfillset, since we no longer use
Gnulib’s sigaction module.
(exit_with_signal): Remove; no longer needed.
Various parts of ‘patch’ can misbehave when stdin, stdout, stderr
are closed. For example, ‘dup’ can yield 0, 1, or 2 and the
resulting file descriptor will be misused. Although POSIX
requires that ‘patch’ be invoked with stdin/stdout/stderr open,
it’s better to defend against the possibility that they’re not
open. Use Gnulib’s xstdopen module to defend against this.
* bootstrap.conf (gnulib_modules): Add xstdopen.
* src/patch.c: Include xstdopen.h.
(main): Call xstdopen before doing I/O.
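
An added illustration of the hazard and the defence this commit message describes, written for this page and not Gnulib's xstdopen code. The function names, the use of /dev/null and the choice of open modes are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Example code, not Gnulib's: make sure descriptors 0, 1 and 2 are all open,
   so that a later open() or dup() can never hand one of them out.
   Returns 0 on success, else an errno value. */
int ensure_std_fds_open(void) {
    for (int fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                       /* already open */
        /* Open /dev/null in the contrary direction so that a read from stdin
           or a write to stdout/stderr fails instead of silently succeeding. */
        int nfd = open("/dev/null", fd == STDIN_FILENO ? O_WRONLY : O_RDONLY);
        if (nfd < 0)
            return errno;
        if (nfd != fd) {                    /* lowest free slot was not fd */
            close(nfd);
            return EBADF;
        }
    }
    return 0;
}

/* Hazard demonstration: with stdin closed, the next descriptor the process
   obtains is 0. Returns that descriptor number after closing it again. */
int fd_handed_out_when_stdin_closed(void) {
    close(STDIN_FILENO);
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0)
        close(fd);
    return fd;
}
```

Calling ensure_std_fds_open before any other I/O means every descriptor obtained afterwards is numbered 3 or higher.
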
This is motivated by wanting to remove dependencies on
Gnulib’s sigprocmask etc. modules, in later patches.
* bootstrap.conf (gnulib_modules): Remove execute.
* src/pch.c: Don’t include execute.h.
(do_ed_script): Use ‘quote_system_arg’ and ‘systemic’, not
‘execute’, to run the editor command while avoiding
quoting vulnerabilities.
* src/util.c (quote_system_arg): Now extern.
We don’t need its dir_name and base_name functions, since we
merely copy the strings elsewhere. Instead, use some of the
modules that dirname uses.
* bootstrap.conf (gnulib_modules): Add basename-lgpl, filename.
Remove dirname.
* src/pch.c, src/util.c:
Include basename-lgpl.h and filename.h instead of dirname.h.
* src/pch.c (best_name):
* src/util.c (version_controller):
Use last_component instead of the dirname module’s functions.
* src/safe.c: Include filename.h instead of dirname.h.
* src/util.c (make_tempfile): No need to break the file name
into directory and basename; just use the whole file name.
Also, use Gnulib modules fseeko, ftello, and rely on off_t,
fseeko, ftello as they are safe to use nowadays.
* bootstrap.conf (gnulib_modules): Add fseeko, ftello.
This is needed only for very old platforms, plus MSVC.
* src/common.h (file_offset, file_seek, file_tell): Remove.
All uses replaced with off_t, fseek, ftell.
* src/util.c (Fseeko): Rename from Fseek. All uses changed.
(Ftello): New function. All ftello callers that rely on
nonnegative results changed to Ftello.
‘patch’ dates back to when porting to 16-bit machines still
mattered, and where it was therefore useful to support files that
did not fit in RAM. So ‘patch’ had two operating modes, Plan A
and Plan B. In Plan A the input was simply read into memory, but
if memory was exhausted ‘patch’ fell back onto Plan B where input
was transformed into a temporary file that holds the input lines.
The idea was to not use any malloc calls during the main part of
the ‘patch’ run, so that ‘patch’ could not exhaust memory if Plan
A succeeded. Over the years, though, that approach has not always
been observed, as malloc is called for sundry reasons and ‘patch’
immediately fails when malloc fails other than during the Plan A
initial phase. In practice this misbehavior has not been a
problem, as ‘patch’ now invariably runs on machines where source
file contents fit into RAM so Plan B is never used. The GNU
Coding Standards says not to worry about supporting machines too
small to read file contents, and now’s a good time to remove the
Plan B code, as it is making further maintenance a pain.
* bootstrap.conf (gnulib_modules): Remove ialloc.
All uses of ialloc.h and its API removed, and replaced by
xalloc.h API as needed.
* src/common.h (lin, LINENUM_MIN, LINENUM_MAX): Remove.
All uses of ‘lin’ replaced by idx_t if known to be nonnegative,
ptrdiff_t otherwise. All uses of LINENUM_MAX replaced by IDX_MAX.
LINENUM_MIN was not used.
* src/inp.c (tibufsize, TIBUFSIZE_MINIMUM, tifd, tibuf, tiline)
(lines_per_buf, tireclen, last_line_size, too_many_lines)
(lines_too_long, plan_a, plan_b): Remove. All uses removed.
(scan_input): Do just what plan_a used to do, except report a fatal
error on memory exhaustion.
Do not worry about file types other than regular file or symlink
as they are not possible. All uses changed.
(ifetch): Omit WHICHBUF arg, which is no longer needed now that
we always use Plan A. All uses changed.
* src/patch.c (tmpin): Remove. All uses removed.
* src/pch.c (grow_hunkmax, pget_line): Use xpalloc rather than
doing the equivalent by hand.
(grow_hunkmax): Always succeed. All uses changed.
(another_hunk): Return bool not signed char, since -1 is
no longer possible. All uses changed.
Use ximemdup0 instead of savestr when that is more convenient.
(get_line, pget_line): Return idx_t, not ptrdiff_t, since -1
is no longer possible. All uses changed.
* src/util.c (savebuf): Always succeed. All callers changed.
Simplify.
(Write): Now static.
This is natural, as the args are all nonnegative ptrdiff_t, not size_t.
It also removes the need for Gnulib’s xmemdup0 module.
* bootstrap.conf (gnulib_modules): Remove xmemdup0.
* src/pch.c, src/util.c: Do not include xmemdup0.h.
All calls to xmemdup0 replaced by ximemdup0.
Also, simplify I/O error checking by moving some of it into
new functions Read and Write.
* bootstrap.conf (gnulib_modules): Remove full-write.
* src/inp.c (plan_a, plan_b, ifetch):
* src/util.c (move_file, copy_to_fd):
Use Read or Write instead of checking for I/O errors by hand.
* src/util.c: Do not include full-write.h.
(IO_MAX): New constant.
(ifetch): Diagnose temp file shrinkage.
(ask): Do not attempt a read of more than IO_MAX bytes.
Use xpalloc to reallocate, instead of doing it by hand.
(Read, Write): New functions.
Although this ability is currently not used, so this commit is
merely refactoring, the patch should help ‘patch’ avoid some race
conditions in followup commits.
* bootstrap.conf (gnulib_modules): Add futimens.
* src/util.c: Include utimens.h.
(lacks_appropriate_privileges, copy_fdattr_error): New functions.
(copy_attr): New args src_fd, dst_fd. All uses changed.
(set_file_attributes): New args tofd, fromfd. All uses changed.
Prefer signed to unsigned types for object sizes,
as they have better checking (e.g., gcc -fsanitize=undefined).
* bootstrap.conf (gnulib_modules): Add idx (already being used
indirectly) and stdc_bit_ceil.
* src/common.h: Include idx.h.
* src/inp.c: Include stdbit.h.
(tibufsize, tireclen, last_line_size, plan_a, ifetch):
Prefer idx_t to size_t for object sizes. All uses changed.
(lines_per_buf): Prefer idx_t to lin when it's talking about
object sizes.
(plan_b): Check for idx_t overflow too. Use stdc_bit_ceil
instead of doing it by hand.
* bootstrap.conf (gnulib_modules): Add ialloc.
* src/inp.c: Include ialloc.h.
(plan_a, plan_b): Prefer idx_t and ssize_t to size_t.
Use stdckdint instead of by-hand overflow checks that might not work.
It means unbounded allocation on the stack, which is trouble
on some platforms. Also, gcc-12 on Pop!_OS 22.04 LTS complains.
* bootstrap.conf (gnulib_modules): Remove alloca.
* src/pch.c, src/safe.c: Don’t include alloca.h.
* src/pch.c (do_ed_script):
Use designated initializer instead of fixed-size alloca.
* src/safe.c (new_cached_dirfd, openat_cached):
Name arg is now allocated on heap by caller, and is now char * not
char const *. All callers changed.
(openat_cached, traverse_next): Redo to avoid gotos.
(traverse_next, traverse_another_path):
Use ximemdup0 instead of alloca, to allocate on the heap rather than
unboundedly on the stack.
* bootstrap.conf (gnulib_modules): Add c-ctype.
It’s already being used indirectly.
* src/common.h: Include c-ctype.h instead of ctype.h.
All uses of isspace replaced by c_isspace; this is equivalent
since we do not call setlocale. All uses of c==' ' || c=='\t'
replaced by c_isblank.
Sort includes, system includes last.
(ISDIGIT): Remove. All uses replaced by c_isdigit.
* bootstrap.conf (gnulib_modules): Add ‘attribute’.
It’s already being used indirectly.
* configure.ac (WARN_CFLAGS): Omit -Wno-unused-parameter.
* src/common.h: Include attribute.h.
(FALLTHROUGH): Remove, as attribute.h does this now.
* src/util.c (copy_attr_error, copy_attr_quote, copy_attr_free):
Use MAYBE_UNUSED.
* bootstrap.conf (gnulib_modules): Add nullptr.
* src/patch.c (if_defined, not_defined):
Now merely strings, not printf formats. All uses changed.
(putline): New static function.
(print_header_line, abort_hunk_unified, abort_hunk_context)
(apply_hunk): Use it to remove assumptions that string
lengths fit in int. Also, prefer fputs to printf with plain %s.
(print_header_line): TAG arg now is assumed to have an appended ' ',
to save us the trouble of outputting ' ' separately. All uses changed.
The bug is extremely unlikely, but it’s easy to fix.
* bootstrap.conf (gnulib_modules): Add stpcpy.
* src/util.c (SCCSPREFIX): Now a macro, so that it can be concatenated.
(try1, try2): Remove these macros. Replace all uses with ...
(trystat): ... this new function.
* src/util.c (version_controller, make_tempfile):
Avoid issues with sprintf result exceeding INT_MAX.
This is encouraged by POSIX.1-2004.
* bootstrap.conf (gnulib_modules): Add mempcpy.
* src/patch.c (main, get_some_switches):
* src/util.c (parse_c_string):
Reject output file names containing newlines.
(backup_file_name_option): New function, to help with that.
(make_tempfile): Reject TMPDIR values containing newlines.
Do not silently screw up if TMPDIR length exceeds INT_MAX.
* tests/bad-filenames: Test for file names containing '\n'.
Switch to single intervals for FSF notices,
and consistently put them first.
Update copyright notices for 2024.
* cfg.mk (update-copyright-env): Use UPDATE_COPYRIGHT_FORCE=1,
UPDATE_COPYRIGHT_USE_INTERVALS=2.
* patch.man: Always use \(co, so that update-copyright
updates these dates.
* src/version.c: Correct Larry Wall copyright years.
* bootstrap.conf (gnulib_modules): Add raise, sigaction, signal-h,
sigprocmask. Remove signal.
* configure.ac: Do not check for raise, sigaction, sigprocmask,
sigsetmask.
* src/patch.c (main): Do not block signals during dry runs; there's
no need.
* src/util.c (SIGCHLD, raise, sigset_t, sigemptyset, sigmask)
(sigaddset, sigismember, sigprocmask, sigblock, sigsetmask):
Remove substitutes; not needed now that we have Gnulib.
(sigs): Don’t worry about whether SIGHUP and SIGPIPE are present.
(NUM_SIGS): Now a constant, not a macro.
(signals_to_block): Remove. All uses changed to fatal_act.sa_mask.
(fatal_exit_handler) [!HAVE_SIGACTION]: Remove. All uses removed.
(init_signals): Rename from set_signals. All uses changed.
Only do the true part; the false part is now done by unblock_signals.
(block_signals): Rename from ignore_signals, since it now blocks
instead of ignoring on all platforms. All uses changed.
(init_signals, block_signals): Simplify by assuming
HAVE_SIGACTION, HAVE_SIGPROCMASK, HAVE_SIGSETMASK.
(setup_handler): Remove macro.
(unblock_signals): New function.
It lacks PATH_MAX, so don’t use PATH_MAX.
* bootstrap.conf (gnulib_modules): Add stdckdint.
* src/util.c: Include stdckdint.h. Omit duplicate stdarg.h include.
(move_file, copy_file): Don’t limit symlink contents to PATH_MAX.
Check for symlink or file contents that unexpectedly grew.
(copy_file): New arg FROMST. All callers changed.
* bootstrap: Update.
* bootstrap.conf (gnulib_modules): Replace getdate with parse-datetime, malloc
with malloc-gnu, and realloc with realloc-gnu.
* src/patch.c (main): Function find_backup_file_name has gained a new dir_fd
argument.
* src/util.c (create_backup): Likewise.
(fetchname): Function get_date has been renamed to parse_datetime.
* bootstrap.conf: use intprops module.
* src/common.h: Define LINENUM_MIN and LINENUM_MAX macros.
* src/pch.c (another_hunk): Add line number overflow checking. Based on Robert
C. Seacord's INT32-C document for integer overflow checking and Tobias
Stoeckmann's "integer overflows and oob memory access" patch for FreeBSD.
* bootstrap.conf: use xmemdup0 module.
* src/pch.c (there_is_another_patch): Use xmemdup0 instead of savebuf when we
cannot recover from out-of-memory situations.
(intuit_diff_type): Likewise, use xstrdup instead of savestr.
(another_hunk): Handle the case when savestr returns NULL.
* src/util.c (fetchname, parse_name): Use xmemdup0 instead of savebuf when we
cannot recover from out-of-memory situations.
Bugs pointed out by Tobias Stoeckmann <tobias@stoeckmann.org>.
Fixes the bug that more than one numbered backup would be created when a patch
file deletes and recreates a file.
* bootstrap.conf (gnulib_modules): Add linked-list and xlist modules.
* src/util.h (file_id_type): Add DELETE_LATER and OVERWRITTEN types.
(create_backup, set_file_attributes): Update prototype.
(insert_file_id): Add prototype.
* src/util.c (insert_file_id): Export.
(set_file_attributes, create_backup_copy): Make the st argument const.
(create_backup): Pass in to_st instead of returning it from create_backup().
This obsoletes the to_errno argument.
(move_file): Determine to_st here and pass it to create_backup(). Remember
when a file is overwritten.
* src/patch.c (output_file): Add to_st parameter. Remember files to delete
instead of deleting them immediately. Pass from-st to create_backup().
(file_to_delete): New struct.
(init_files_to_delete, delete_file_later, delete_files): New functions.
(main): Use init_files_to_delete() and delete_files(). Pass to_st to
output_file() where we already have it.
* src/pch.c (intuit_diff_type): Assume that files which are marked for deletion
don't exist.
* bootstrap: Update from gnulib.
* bootstrap.conf (gnulib_tool_option_extras): Define.
* lib/Makefile.am: Initialize numerous automake variables so that
generated code in gnulib.mk may use += to append to them.
* configure.ac: Add AM_PROG_AR, to placate newer automake.
* configure.ac: Remove AC_SYS_LARGEFILE, subsumed by ...
* bootstrap.conf (gnulib_modules): ...this. Use largefile module.
* gnulib: Update to latest.
This is useful to Mac OS X 10.5 users if/when configure
is generated using autoconf prior to v2.68-80-gdb2f2e0.
* src/util.c: Include "ignore-value.h".
(ask): Use ignore_value to tell tools that yes, we really do
mean to ignore any close failure on this error path.
* bootstrap.conf (gnulib_modules): Add ignore-value.
* bootstrap.conf (gnulib_modules): Include gnulib's signal module,
so that signal.h guarantees definition of certain macros.
* src/util.c (SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK): Remove definition.
Now, gnulib guarantees that these are defined.
* src/common.h (SIZE_MAX): Likewise.
* cfg.mk (local-checks-to-skip): Enable the
sc_prohibit_always-defined_macros check, now that it passes.
* src/patch.c (main): Call set_program_name rather than
initializing program_name explicitly.
* src/common.h: Include progname.h rather than declaring the extern,
program_name.
* bootstrap.conf (gnulib_modules): Add progname.
* cfg.mk (local-checks-to-skip): Remove sc_program_name,
thus enabling this test.