[AArch64] Fix reversed values in big-endian 128-bit atomics (#205760)
When AArch64TargetLowering expands a load-linked or a store-conditional
during the atomic-expand pass, it made the fixed assumption that the
64-bit value stored first in memory was the low-order half of the
128-bit value, instead of checking the SubtargetInfo's endianness. The
same was true of the code that expands CMP_SWAP_128 pseudoinstructions.
So in each case, if you compiled 128-bit atomic code big-endian, you'd
get back a 128-bit integer with the top and bottom half swapped.
This was found by compiler-rt's existing tests when we ran them for a
big-endian AArch64 target in Arm Toolchain.
Most of the test changes here are `update_llc_test_checks` churn: there
were already many tests of AArch64 atomics in big-endian mode, and
apparently they all simply had the reversed registers in their expected
output.
The one new test, `aarch64_i128_endianness.ll`, directly demonstrates
[4 lines not shown]
netlink: add const variants of NLA iteration macros
Add const-qualified versions of the NLA iteration helpers to allow
walking immutable netlink attribute buffers without discarding const
qualifiers.
This introduces NLA_NEXT_CONST(), _NLA_END_CONST(), and
NLA_FOREACH_CONST() in netlink_snl.h.
Signed-off-by: Ishan Agrawal <iagrawal9990 at gmail.com>
Sponsored-by : Google LLC (GSoC 2026)
[Dexter] Switch to using script-mode by default (#204369)
This patch changes the default mode of Dexter from heuristic-mode to
script-mode. The --use-script argument is replaced with --use-heuristic,
some comments/docs/error messages are updated accordingly, and tests
have their flags switched accordingly.
[libc][ARM] Defend banked SP setup against register allocator (#206757)
The startup code for bare-metal AArch32 A/R shifts the CPU through all
the different modes which have their own copies of SP, updating all the
stack pointers to the same value. But it does it using C intrinsics,
leaving the register allocation to the compiler – so it's possible that
the register allocator happens to use one of the _other_ banked
registers, such as LR.
For example, when I built this code today, it happened that LR was used
to hold one of the constants written into CPSR_c to change mode. That
constant was written into the SVC mode LR before any mode changes, but
the MSR instruction that tried to use it was run in a different mode, so
it copied from _that_ mode's LR, which contained uninitialised nonsense
in place of the desired constant, triggering a boot-time crash.
I think it's safer to use a single asm statement for the whole job,
guaranteeing which registers it uses.
[IR] Explicitly specify target feature for module asm (#204548)
Support specifying additional properties on module-level inline
assembly. In particular, the target features and target CPU can now be
specified as follows:
module asm(target_features: "+foo", target_cpu: "bar")
"asm line 1"
"asm line 2"
There may be multiple module inline assembly blocks with different
properties.
This is intended to fix the long standing issue where in LTO scenarios
we don't know what target features to use for parsing the module-level
inline assembly. Now they can be faithfully preserved, even when merging
inline assembly from different modules with different features.
If target_features and target_cpu are empty, we fall back to the old
[4 lines not shown]
[LifetimeSafety] Track unary plus on a pointer (#207243)
Unary plus on a pointer is the identity (+p == p), so the result carries
the operand's loans -- but UO_Plus fell through VisitUnaryOperator's
default and left the result origin empty, dropping the borrow (e.g. p =
+&local was a silently-missed use-after-scope). Handle it by flowing the
operand's rvalue origins.
Assisted-by: Claude Opus 4.8
Co-authored-by: Gabor Horvath <gaborh at apple.com>
[Dexter] Switch to using script-mode by default
This patch changes the default mode of Dexter from heuristic-mode to
script-mode. The --use-script argument is replaced with --use-heuristic,
some comments/docs/error messages are updated accordingly, and tests have
their flags switched accordingly.
[CrossProjectTests] Fixup expect in ctor.cpp to accept multiple steps (#207337)
In the test `ctor.cpp`, Dexter tests that when we step into the
constructor used in the test, the value of `this` isn't irretrievable.
To protect against a rotten pass it also checked that we stepped once,
but this caused failures on some platforms where we would step twice on
the constructor - this patch resolves the issue by accepting any
non-zero value for the number of steps.
[Hexagon] Lower vselect instruction (#206675)
Selection fails with "Cannot select: vselect" when the condition and
both data operands of an HVX vselect are predicate vectors (e.g. v32i1,
v64i1, v128i1). This patch adds patterns for vselect on HVX predicate
vectors of all three element widths (VecQ8, VecQ16, VecQ32), expanding
them to V6_pred_or/V6_pred_and/V6_pred_and_n on Q registers.
Patch-By: @iajbar
Fixes #206353
py-octoprint: updated to 1.11.8
1.11.8
Security fixes
XSS in Suppressed Command Notifications, severity Moderate (4.6): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Suppressed Command notifications popups generated by the printer.
An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.
See also the GitHub Security Advisory and CVE-2026-35163.
File exfiltration possible via further parameter injection on upload endpoints, severity High (7.0): OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability was already reported as GHSA-m9jh-jf9h-x3h2/CVE-2025-48067 but the fix provided in OctoPrint 1.11.2 turned out to be incomplete.
The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host after an attempted server restart. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases.
See also the GitHub Security Advisory and CVE-2026-54134.
Bug fixes
[2 lines not shown]
[clang] use decl itself in static assert failed boolean condition printer (#203736)
fixes #203701
`getName()` assumes the decl used in the static asserts has a simple
identifier name, but in some cases like `operator int` don't — they
fails the assertion `Name.isIdentifier() && "Name is not a simple
identifier"` when the `static_assert` failure diagnostic tries to print
the boolean expression.
Switching to getDeclName() handles these special names properly.
Reproducer:
```c++
struct S {
constexpr S(auto) {}
constexpr operator int() const { return 0; }
};
[13 lines not shown]
[AMDGPU] IGroupLP: Avoid DAG manipulation in greedyFind (#194827)
The greedy pipeline solver needs to determine the edges that are
implied by assigning an SUnit to a SchedGroup and the cost of this
assignment. The cost is the number of edges that cannot be added without
introducing cycles. The current implementation (addEdges) adds the
edges to the DAG and uses the DAG reachability function for cycle
checking. This happens for each candidate SchedGroup and needs to be
undone before other candidates are considered. The DAG manipulations
become a significant performance bottleneck on bigger pipelines.
This commit implements an alternative function for computing the edges
and cost of an assignment. This function performs the reachability
analysis that is necessary for the cyclicity checks without modifying
the DAG.
The new function returns the same cost as addEdges. The concrete edge
set may show insignificant differences, because, for instance,
the link function called from addEdges chooses not to add transitive
[7 lines not shown]
icinga2: updated to 2.16.3
2.16.3 (2026-07-01)
This is a hotfix release that fixes a regression with the `Json.decode()` DSL function that was introduced in v2.16.2:
The addition of a second argument to the internal `JsonDecode()` function unintentionally leaked into the DSL as a
required argument. This version restores the old and intended behavior of `Json.decode()`.
Changes
* Restore single-argument `Json.decode()` in the DSL
* Add the upgrading documentation for v2.15.1 again, which went missing with the v2.16.0 release