firewall: skip alias on rules GUI reload
Also align the alias load path in the controller with
how !skip_alias serializes the sequence after rules
reload inside filter_configure_sync().
AMDGPU/GlobalISel: Switch to extended LLTs
With minimal changes. Most notably because of changes to jumptable in isel
GIM_SwitchType requires explicit integer/float types and does not match scalar.
In most places change is in lowering to use LLT::integer or LLT::float.
Other changes:
- replaceRegWith can also change type on Dst register, this can cause CSE data
corruption (fix is to notify observer)
- mixed i32/f32 in G_MERGE_VALUES/G_UNMERGE_VALUES, common in legalizing
ray tracing and image intrinsics
- need extra bitcast between i32/f32 in some place
Convert system.security to the typesafe pattern
## Context
`system.security` (FIPS / STIG / local-account password policy) was still an old dict-based `ConfigService`. This converts it to the typesafe pattern: a lean `GenericConfigService[SystemSecurityEntry]` delegating to a `ConfigServicePart`, with `config()`/`do_update()` returning Pydantic models and same-process callers moved to `call2`/`call_sync2`.
## Solution
- **Service split.** The lean service lives in `plugins/security/__init__.py`; the datastore model and all `do_update` HA/FIPS/STIG logic move to `config.py`; validation and STIG/FIPS/HA-reboot helpers become plain `ServiceContext` functions in `validate.py`/`stig.py`. The `system.security.info` and `system.security.sessions` plain services become children created on the parent (the sessions class was renamed from the duplicate `SystemSecurityInfoService` to `SystemSecuritySessionsService`). `update.py` is removed and the service is registered in `main.py`.
- **API models.** Added `SystemSecurityUpdate` and decoupled the legacy `@single_argument_args` update args into the standard split (wire shape unchanged).
- **Consumers.** Since `config()` now returns a model, every in-process consumer was fixed on both axes — dict access switched to attribute access, and string `system.security.*` calls switched to `call2`/`call_sync2` — across `account`, `api_key`, `auth.twofactor`, `system.general`, `smb`/`passdb`, `account.privilege`, `zettarepl`, three alert sources, and the etc renderers (nine pam/limits/shadow mako templates plus `audit_setup.py`/`fips.py`/`nginx`). Helpers typed `: dict` (e.g. `sync_account_policy`, `shadow_parse_aging`, `generate_smb_conf_dict`) are fed `.model_dump()`. `configure_stig`/`configure_fips` stay registered `@private` stubs because `failover.call_remote` and the config-upload hook reach them by name.
- Added `plugins/security/` to `mypy.yml` and `truenas_pam_session` to the mypy override list.
[libc] fix oob and overflow bugs in wcslcat and wcsncat (#203697)
closes #203649
- I have added a check in `libc/src/wchar/wcslcat.cpp` to prevent
overflow caused by when static_cast wraps the limit.
- For the `wcsncat` implementation I have fixed the condition in the for
loop to first check if `i` is within bounds preventing OOB access on
`s2`
I am new to the codebase so any feedback would be very helpful and I
will be happy to follow up promptly after a review!
misc/ossp-uuid: provide ossp_ prefixed aliases to functions
This would help callers if some functions' names clash with ones from
libc, for example `uuid_create()`.
Co-authored-by: Nikolaj Thygesen <mailinglist at diamondbox.dk>
[Flang][OpenMP] Add combined construct information
This patch adds the `omp.combined` attribute to OpenMP dialect
operations following changes to the `ComposableOpInterface`.
This attribute is added to operations representing non-innermost leaf
constructs of a combined construct and to standalone block-associated
constructs that can be combined with their parent construct.
Changes are made to the OpenMP lowering logic, as well as the
do-concurrent, workshare and workdistribute transformation passes.
[MLIR][OpenMP] Explicit tagging of combined constructs
Combined OpenMP constructs, such as `parallel do`, which represent
nests of constructs where each one contains a single other construct
without any other directives or statements in between, are currently not
marked in any way in the MLIR representation.
This works because they don't usually require any specific handling
other than what would be done for the included operations. However, the
handling of `target` regions needs to know whether it was part of a
combined construct in order to properly optimize for the SPMD case and
detect when certain clauses must be inconditionally evaluated in the
host.
So far, this has been achieved by having some MLIR pattern-matching
logic to infer whether a nest of operations could have potentially been
produced for a combined construct. This approach is error prone,
computationally expensive and it can't really work in the general case.
On the other hand, a compiler frontend can easily tell the difference
[10 lines not shown]
[Flang][MLIR][OpenMP] Explicitly represent omp.target kernel types
Currently, the kernel type (i.e. `generic`, `spmd`, `spmd-no-loop` and
`bare`) of an `omp.target` operation is not an explicit attribute of the
operation. Rather, this is inferred based on the contents of its region
and clauses.
The problems with this approach are that it can be a potentially resource
intensive check for large kernels, and misidentifications are prone to
happen based on the presence of arbitrary operations from other dialects.
Since the AST already contains the information needed to identify the
kernel type in a more reliable manner, this patch moves that
responsiblity to the Flang frontend. Other MLIR passes that create
`omp.target` operations are updated as well.
One known limitation of this approach is that the MLIR op verifier for
`omp.target` can't completely check that the contents of its region are
compatible with the declared kernel type without being exposed to the
[4 lines not shown]
sysutils/coreutils: fix build on powerpc64le/CURRENT
Clang crashes with the default -mcpu, but builds with -O0:
Assertion failed: (Subtarget->hasP9Vector() && "XSCMPUQP requires Power9 Vector"), function SelectCC, file /usr/src/contrib/llvm-project/llvm/lib/Target/PowerPC/PPCISelDAGToDAG.cpp, line 4271.
shells/bash: fix build on powerpc64le/CURRENT
Clang crashes with the default -mcpu, but builds with -O0:
Assertion failed: (Subtarget->hasP9Vector() && "XSCMPUQP requires Power9 Vector"), function SelectCC, file /usr/src/contrib/llvm-project/llvm/lib/Target/PowerPC/PPCISelDAGToDAG.cpp, line 4271.
[AArch64] Don't call fma/fmaf for @llvm.fmuladd.f64/f32 in softfp (#205356)
@llvm.fmuladd is the IR intrinsic that leaves it up to code generation
whether to fuse an FP multiply+add pair or leave them separate.
Generally you only fuse them if fused mul+add has good performance.
On AArch64, for the float and double instances of this intrinsic, isel
was unconditionally fusing the operations. This is sensible with
hardware FP, but a bad idea for the rare case of AArch64 without
hardware FP, because that leads to a call to the libm `fma()` or
`fmaf()` function. That function generally (in multiple libcs) seems to
be much slower than separate mul+add operations. So this patch checks
for the presence of FP before reporting that fusing the operations is a
performance win.
Let this build with clang 22 on arm64
More complete trio.c diff to avoid:
trio.c:4858:57: error: passing 'void *' to parameter of incompatible type 'va_list' (aka '__builtin_va_list')
There is a newer 2.4.0 release from 2019 in upstream's github repo.
[InstCombine] do not assume the operand position of reverse shuffle (#205747)
Fixes https://github.com/llvm/llvm-project/issues/204522
`Shuf->isReverse` only guarantees that the shuffle mask is reverse for
one of the operands, instead of the first one, and we cannot assume that
the second shuffle operand is undef. Otherwise, the assertion can be
triggered by the bitcasts on non-canonical shuffles, e.g., bitcast on
`%shuffle` generated by `InstCombinerImpl::mergeStoreIntoSuccessor` in
the testcase.
In this patch, we remove the assertion and do the fold only if the
second shuffle operand is undef. In this case, for whichever shuffle
operand the mask is reverse for, we are performing the correct
refinement.