[X86] Select BLSMSK for i8 operands (#205093)
Adds a tablegen pattern to select BLSMSK i8 for
```
%neg = sub i8 %x, 1
%and = xor i8 %neg, %x
```
I've used Claude to generate the comment line before the tablegen entry and the ll file decoding which I confirmed after llc
Fixes #204984
[LifetimeSafety] Fix loop liveness leakage for conditional operator
Generate flow facts for conditional operators in their respective
predecessor blocks (branches) instead of the merge block, path-isolating
the flows and preventing liveness from leaking across loop backedges.
Also includes tests, formatting cleanups, and refactoring of the flow propagation.
TAG=agy
CONV=b4614911-a1e1-489f-a395-2f895c423788
[X86] Fold splat XOR on VGF2P8AFFINEQB source (#204508)
Given that XORs are associative, a XOR on `vgf2p8affineqb`'s source can
be reassociated to occur after by first permuting by the matrix. If the
XOR operand is a 8-bit splat, it can be applied for free by combining it
with the immediate. This patch:
- Folds XOR by splat on `vgf2p8affineqb`'s source into its immediate.
- Only occurs when the matrix is both constant and splat across each
64-bit lane.
- Can occur when the XOR is multi-use, as it can still reduce the
dependency chain.
- Includes test coverage for a variety of matrices and negative cases
for when the fold isn't possible.
Fixes #179606
[Flang][OpenMP] Add combined construct information (#198783)
This patch adds the `omp.combined` attribute to OpenMP dialect
operations following changes to the `ComposableOpInterface`.
This attribute is added to operations representing non-innermost leaf
constructs of a combined construct and to standalone block-associated
constructs that can be combined with their parent construct.
Changes are made to the OpenMP lowering logic, as well as the
do-concurrent, workshare and workdistribute transformation passes.
[MLIR][OpenMP] Explicit tagging of combined constructs (#198782)
Combined OpenMP constructs, such as `parallel do`, which represent nests
of constructs where each one contains a single other construct without
any other directives or statements in between, are currently not marked
in any way in the MLIR representation.
This works because they don't usually require any specific handling
other than what would be done for the included operations. However, the
handling of `target` regions needs to know whether it was part of a
combined construct in order to properly optimize for the SPMD case and
detect when certain clauses must be unconditionally evaluated in the
host.
So far, this has been achieved by having some MLIR pattern-matching
logic to infer whether a nest of operations could have potentially been
produced for a combined construct. This approach is error prone,
computationally expensive and it can't really work in the general case.
On the other hand, a compiler frontend can easily tell the difference
[10 lines not shown]
[Flang][MLIR][OpenMP] Explicitly represent omp.target kernel types (#186166)
Currently, the kernel type (i.e. `generic`, `spmd`, `spmd-no-loop` and
`bare`) of an `omp.target` operation is not an explicit attribute of the
operation. Rather, this is inferred based on the contents of its region
and clauses.
The problems with this approach are that it can be a potentially
resource intensive check for large kernels, and misidentifications are
prone to happen based on the presence of arbitrary operations from other
dialects.
Since the AST already contains the information needed to identify the
kernel type in a more reliable manner, this patch moves that
responsibility to the Flang frontend. Other MLIR passes that create
`omp.target` operations are updated as well.
One known limitation of this approach is that the MLIR op verifier for
`omp.target` can't completely check that the contents of its region are
[4 lines not shown]
Update nsd to version 4.14.3.
Pkgsrc changes:
* Checksum changes.
Upstream changes:
4.14.3
================
FEATURES:
BUG FIXES:
- Fix for CVE-2026-12244: A specially crafted SVCB RR can cause a heap
overflow of up to 65509 attacker controlled bytes.
Thanks to Qifan Zhang, Palo Alto Networks for the report
https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt
- Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a
client that performs a TLS action, closing the connection early,
causes a crash and restart of the server process. An attacker can
keep all children in a crash-restart loop denying DoT service.
[12 lines not shown]
firewall: skip alias on rules GUI reload
Also align the alias load path in the controller with
how !skip_alias serializes the sequence after rules
reload inside filter_configure_sync().
AMDGPU/GlobalISel: Switch to extended LLTs
With minimal changes. Most notably because of changes to jumptable in isel
GIM_SwitchType requires explicit integer/float types and does not match scalar.
In most places change is in lowering to use LLT::integer or LLT::float.
Other changes:
- replaceRegWith can also change type on Dst register, this can cause CSE data
corruption (fix is to notify observer)
- mixed i32/f32 in G_MERGE_VALUES/G_UNMERGE_VALUES, common in legalizing
ray tracing and image intrinsics
- need extra bitcast between i32/f32 in some places
Convert system.security to the typesafe pattern
## Context
`system.security` (FIPS / STIG / local-account password policy) was still an old dict-based `ConfigService`. This converts it to the typesafe pattern: a lean `GenericConfigService[SystemSecurityEntry]` delegating to a `ConfigServicePart`, with `config()`/`do_update()` returning Pydantic models and same-process callers moved to `call2`/`call_sync2`.
## Solution
- **Service split.** The lean service lives in `plugins/security/__init__.py`; the datastore model and all `do_update` HA/FIPS/STIG logic move to `config.py`; validation and STIG/FIPS/HA-reboot helpers become plain `ServiceContext` functions in `validate.py`/`stig.py`. The `system.security.info` and `system.security.sessions` plain services become children created on the parent (the sessions class was renamed from the duplicate `SystemSecurityInfoService` to `SystemSecuritySessionsService`). `update.py` is removed and the service is registered in `main.py`.
- **API models.** Added `SystemSecurityUpdate` and decoupled the legacy `@single_argument_args` update args into the standard split (wire shape unchanged).
- **Consumers.** Since `config()` now returns a model, every in-process consumer was fixed on both axes — dict access switched to attribute access, and string `system.security.*` calls switched to `call2`/`call_sync2` — across `account`, `api_key`, `auth.twofactor`, `system.general`, `smb`/`passdb`, `account.privilege`, `zettarepl`, three alert sources, and the etc renderers (nine pam/limits/shadow mako templates plus `audit_setup.py`/`fips.py`/`nginx`). Helpers typed `: dict` (e.g. `sync_account_policy`, `shadow_parse_aging`, `generate_smb_conf_dict`) are fed `.model_dump()`. `configure_stig`/`configure_fips` stay registered `@private` stubs because `failover.call_remote` and the config-upload hook reach them by name.
- Added `plugins/security/` to `mypy.yml` and `truenas_pam_session` to the mypy override list.
[libc] fix oob and overflow bugs in wcslcat and wcsncat (#203697)
closes #203649
- I have added a check in `libc/src/wchar/wcslcat.cpp` to prevent
overflow caused when static_cast wraps the limit.
- For the `wcsncat` implementation I have fixed the condition in the for
loop to first check if `i` is within bounds, preventing OOB access on
`s2`.
I am new to the codebase so any feedback would be very helpful and I
will be happy to follow up promptly after a review!
misc/ossp-uuid: provide ossp_ prefixed aliases to functions
This would help callers if some functions' names clash with ones from
libc, for example `uuid_create()`.
Co-authored-by: Nikolaj Thygesen <mailinglist at diamondbox.dk>