From db065163031fc77488820a0a4acc36326ea64042 Mon Sep 17 00:00:00 2001 From: auronandace Date: Mon, 8 Jun 2026 09:08:21 +0100 Subject: [PATCH] verify stdio header includes --- src/header/stdio/cbindgen.toml | 16 ++++++++++++++-- src/header/stdio/getdelim.rs | 20 ++++++++++++-------- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/src/header/stdio/cbindgen.toml b/src/header/stdio/cbindgen.toml index af7d17ee11..6e6c497082 100644 --- a/src/header/stdio/cbindgen.toml +++ b/src/header/stdio/cbindgen.toml @@ -1,5 +1,17 @@ -# stddef.h brings in size_t -sys_includes = ["stdarg.h", "stddef.h", "stdint.h", "features.h"] +# POSIX header spec: https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/stdio.h.html +# +# Spec quotations relating to includes: +# - "off_t As described in ." +# - "size_t As described in ." +# - "ssize_t As described in ." +# - "va_list As described in ." +# - "The header shall define NULL as described in ." +# - "Inclusion of the header may also make visible all symbols from ." +# +# stdarg.h brings in va_list (TODO split out) +# stddef.h brings in size_t and NULL +# features.h required for deprecated annotations +sys_includes = ["stdarg.h", "stddef.h", "features.h"] after_includes = """ #include // for off_t from sys/types.h #include // for ssize_t from sys/types.h diff --git a/src/header/stdio/getdelim.rs b/src/header/stdio/getdelim.rs index 145aa25b31..9a8beacc5b 100644 --- a/src/header/stdio/getdelim.rs +++ b/src/header/stdio/getdelim.rs @@ -38,14 +38,18 @@ pub unsafe extern "C" fn getline( /// - `stream` has to be a valid file handle returned by fopen and likes. /// /// # Deviation from POSIX -/// - **EINVAL is set on stream being NULL or delim not fitting into char** (POSIX allows UB) -/// - **`*n` can contain invalid data.** The buffer size `n` is not read, instead realloc is called each time. That is in principle -/// inefficent since the buffer is reallocated in memory for every call, but if `n` is by mistake -/// bigger than the number of bytes allocated for the buffer, there can be no out-of-bounds write. -/// - On non-stream-related errors, the error indicator of the stream is *not* set. Posix states -/// "If an error occurs, the error indicator for the stream shall be set, and the function shall -/// return -1 and set errno to indicate the error." but in cases that produce EINVAL even glibc -/// doesn't seem to set the error indicator, so we also don't. +/// - **EINVAL is set on stream being NULL or delim not fitting into char** +/// (POSIX allows UB) +/// - **`*n` can contain invalid data.** The buffer size `n` is not read, +/// instead realloc is called each time. That is in principle inefficent +/// since the buffer is reallocated in memory for every call, but if `n` is +/// by mistake bigger than the number of bytes allocated for the buffer, +/// there can be no out-of-bounds write. +/// - On non-stream-related errors, the error indicator of the stream is *not* +/// set. Posix states "If an error occurs, the error indicator for the stream +/// shall be set, and the function shall return -1 and set errno to indicate +/// the error." but in cases that produce EINVAL even glibc doesn't seem to +/// set the error indicator, so we also don't. #[unsafe(no_mangle)] pub unsafe extern "C" fn getdelim( lineptr: *mut *mut c_char,