[VPlan] Add helpers to get header, latch and middle VPBB from CFG (NFC) (#198378)
Retrieving header, latch and middle VPBBs from the plain CFG is a
somewhat common operation. Add dedicated helpers.
[flang] Add diagnostics for conflicting EXTERNAL/INTRINSIC and TARGET attributes (#197831)
Flang silently accepted declarations with both EXTERNAL and TARGET (or
INTRINSIC and TARGET) attributes on the same entity. This violates the
Fortran standard since TARGET requires a variable, but EXTERNAL/INTRINSIC
makes the entity a procedure.
Add CheckConflicting calls in CheckProcEntity to diagnose both cases.
All other major Fortran compilers already reject these combinations.
Fixes #197830
Assisted-by: Claude Opus 4.6.
Co-authored-by: Matt P. Dziubinski <matt-p.dziubinski at hpe.com>
NAS-141011 / 26.0.0-BETA.2 / webshell: replace sudo gating with per-shell-type RBAC + audit (by anodos325) (#18966)
The shell websocket handler used to wrap VM/APP/CONTAINER commands in
`sudo -H -u <user>` for users without ALL-sudo, then run unwrapped
otherwise. In practice the wrapped form failed at root-owned libvirt/
docker sockets, so authorization was effectively "do you have
unrestricted sudo?" — coarse, surprising, and not auditable. The reason
why we did this historically was because the shell feature here was
added before we actually had RBAC.
Replace it with an explicit role gate keyed on the requested shell type:
HOST -> web_shell privilege only (unchanged) -- login as user
VM -> web_shell + VM_WRITE
CONTAINER -> web_shell + CONTAINER_WRITE
APP -> web_shell + APPS_WRITE
`auth.get_token_for_shell_application` now takes the shell_type and
returns structured errors (WEB_SHELL_DENIED, MISSING_ROLE) along with
[14 lines not shown]
[CIR] Add support for partial array cleanup with ILE (#198000)
This adds support for partial array cleanup when an array of a
destructed type is initialized, or partially initialized with an init
list expression.
In the case where the array is only partially initialized with the ILE
and the remainder gets implicit initialization, the cleanup for both
pieces of initialization is handled by the same cleanup scope. This is a
difference from classic codegen, but there is a FIXME in the classic
codegen implementation suggesting exactly this change.
Assisted-by: Cursor / claude-opus-4.7-thinking-xhigh
NAS-141011 / 26.0.0-RC.1 / webshell: replace sudo gating with per-shell-type RBAC + audit (by anodos325) (#18967)
The shell websocket handler used to wrap VM/APP/CONTAINER commands in
`sudo -H -u <user>` for users without ALL-sudo, then run unwrapped
otherwise. In practice the wrapped form failed at root-owned libvirt/
docker sockets, so authorization was effectively "do you have
unrestricted sudo?" — coarse, surprising, and not auditable. The reason
why we did this historically was because the shell feature here was
added before we actually had RBAC.
Replace it with an explicit role gate keyed on the requested shell type:
HOST -> web_shell privilege only (unchanged) -- login as user
VM -> web_shell + VM_WRITE
CONTAINER -> web_shell + CONTAINER_WRITE
APP -> web_shell + APPS_WRITE
`auth.get_token_for_shell_application` now takes the shell_type and
returns structured errors (WEB_SHELL_DENIED, MISSING_ROLE) along with
[14 lines not shown]
NAS-141011 / 26.0.0-RC.1 / webshell: replace sudo gating with per-shell-type RBAC + audit (by anodos325) (#18967)
The shell websocket handler used to wrap VM/APP/CONTAINER commands in
`sudo -H -u <user>` for users without ALL-sudo, then run unwrapped
otherwise. In practice the wrapped form failed at root-owned libvirt/
docker sockets, so authorization was effectively "do you have
unrestricted sudo?" — coarse, surprising, and not auditable. The reason
why we did this historically was because the shell feature here was
added before we actually had RBAC.
Replace it with an explicit role gate keyed on the requested shell type:
HOST -> web_shell privilege only (unchanged) -- login as user
VM -> web_shell + VM_WRITE
CONTAINER -> web_shell + CONTAINER_WRITE
APP -> web_shell + APPS_WRITE
`auth.get_token_for_shell_application` now takes the shell_type and
returns structured errors (WEB_SHELL_DENIED, MISSING_ROLE) along with
[14 lines not shown]
[llvm][ABI] Add NonTrivialCopyConstructor and NonTrivialDestructor RecordFlags (#194427)
Breakout from @vortex73's PR #140112.
Add HasNonTrivialCopyConstructor and HasNonTrivialDestructor flags to
RecordFlags, with accessor methods on RecordType. These flags are needed
by target-specific ABI classifiers (e.g. X86_64) to determine whether a
C++ record type must be passed indirectly per the Itanium ABI.
Also adds unit test infrastructure for the ABI library
(llvm/unittests/ABI/) with tests for the new flags and their interaction
with existing flags.
This is Narayan's design and logic from the LLVM ABI Lowering Library,
adapted to the current upstream API.
Made with [Cursor](https://cursor.com)
Co-authored-by: Narayan Raul Kamath <vortex73 at users.noreply.github.com>
[CIR] Allow implicit truncation in CharacterLiteral codegen (#197269)
`VisitCharacterLiteral` is calling the `IntAttr::get(Type, int64_t)`
builder, which builds the underlying `APInt` with
`isSigned=type.isSigned()` and no implicit truncation. That asserts the
moment a high-bit character literal like `'\xFF'` (which the AST stores
as `CharacterLiteral 'int' 4294967295`) comes through with `int` as the
destination type:
```
APInt.h:121: Assertion `llvm::isIntN(BitWidth, val) &&
"Value is not an N-bit signed value"' failed.
```
Classic CodeGen passes `IsSigned=false, ImplicitTrunc=true` here, with a
comment that says character literals are stored unsigned even for signed
char. Just mirror that: build the `APInt` explicitly with those flags
and hand it to `IntAttr::get`. After this the CIR const folder produces
`#cir.int<-1> : !s8i` for `signed char c = '\xFF';` and the lowered
[7 lines not shown]
[DWARFVerifier] Don't require .dwo for non-skeleton CUs (#198112)
The presence of `DW_AT_(GNU_)dwo_id` alone does not make a compile unit
a skeleton: a regular `DW_TAG_compile_unit` is allowed to carry a DWO
id. DWARF 5 marks skeleton CUs with `DW_TAG_skeleton_unit` while older
pre DWARF 5 identifies them by absence of children.
Before this change, the verifier would any CU whose header reported a
DWO id as a skeleton, then tried and failed to load its (non-existent)
.dwo and reported an error. This updates the verifier to gate the check
on the CU being an actual skeleton CU.
[flang][openacc] add optional extension to allow default none scalars (#197718)
Adds the flag, `-facc-allow-default-none-scalars`. When this flag is
enabled, Flang reverts to the pre-3.2 behavior: scalar variables
referenced inside a `default(none)` compute region without an explicit
data clause do not produce an error. Instead, Flang infers implicit data
attributes for those scalars via the same implicit-copy logic applied in
regions without `default(none)`.
- Adds tests and documentation.
- Makes an explicit extensions doc for OpenACC to mirror the OpenMP
extensions doc.
- Moves the intentional deviations to from the standard to the
extensions doc.
[LLDB] Support reading size of constant values from DWARF directly (#198392)
Some type systems (such as Swift) cannot determine a type's byte size
without an execution context (e.g. types whose layout depends on runtime
metadata). In those cases the debug info might still carry the static
size of the value's box, which is enough if the value is a constant.
This patch adds a unit test that mocks up an analogous situation using
TypeSystemClang.
Assisted-by: claude