Refactor rand48 functions with less unsafe

Peter Limkilde Svendsen requested to merge plimkilde/relibc:safer-rand48 into master

This is a refactor of the functions from https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/functions/drand48.html and the helper code in rand48.rs. It includes a new U48 type to encapsulate their processing of 48-bit integers, as well as the use of mutexes to eliminate as much unsafe code as possible.

With these changes, drand48(), lrand48() and mrand48() are no longer unsafe as they handle only static data now behind mutexes.

The remaining functions are still unsafe as they dereference raw pointers. Additionally, seed48() hands out a pointer to a shared, static buffer.

The a and c parameters of the LCG generator are behind a mutex here, which can cause overzealous protection for the erand48()/jrand48()/nrand48() functions. Ideally, I'd have used an rwlock for a and c, but relibc's Rwlock does not seem to support a Params payload in its current form.

Tests are currently not passing. Apparently there is unsound multithreaded use of lrand48() in the pthread tests (through random_bool() in test_helpers.h). With this MR, such use is exposed with a panic instead.

Edited by Peter Limkilde Svendsen
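As an added illustration of the design this merge request describes (not relibc's code, and not the code in this MR), the block below sketches the rand48 family in plain Rust: a `U48` newtype for the 48-bit state, `Params` for the LCG multiplier and increment, both kept in `Mutex` statics so that `drand48()`, `lrand48()` and `mrand48()` need no `unsafe`. The constants are the POSIX defaults from the linked drand48 page. Everything else is assumed for this example: the method names on `U48`, and two deviations from the C ABI made so the whole file is safe Rust: the `erand48()` family takes `&mut [u16; 3]` instead of a raw `*mut u16`, and `seed48()` returns the previous state by value instead of a pointer into a static buffer. Note the fixed lock order (`PARAMS` before `XI`) in every function that takes both locks, and that the caller-state functions copy `Params` out under a brief lock rather than holding it while stepping.

```rust
use std::sync::Mutex;

/// Mask selecting the low 48 bits of a u64.
const MASK48: u64 = (1 << 48) - 1;

/// A 48-bit unsigned integer held in a u64; invariant: bits 48..64 are zero.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct U48(u64);

impl U48 {
    /// Wrap a u64, discarding everything above bit 47.
    pub const fn new(v: u64) -> Self { U48(v & MASK48) }
    pub fn get(self) -> u64 { self.0 }

    /// Assemble from the three 16-bit words of an xsubi/seed16v array (least significant first).
    pub fn from_words(w: &[u16; 3]) -> Self {
        U48((w[0] as u64) | ((w[1] as u64) << 16) | ((w[2] as u64) << 32))
    }
    /// Split back into three 16-bit words, least significant first.
    pub fn to_words(self) -> [u16; 3] {
        [self.0 as u16, (self.0 >> 16) as u16, (self.0 >> 32) as u16]
    }
    /// One LCG step: X' = (a*X + c) mod 2^48. The true product can exceed 64 bits, but since
    /// 2^48 divides 2^64 the low 48 bits of the wrapping u64 product are exactly right.
    pub fn step(self, a: U48, c: u16) -> U48 {
        U48::new(self.0.wrapping_mul(a.0).wrapping_add(c as u64))
    }
    /// drand48/erand48 result: all 48 bits scaled to [0.0, 1.0).
    pub fn to_drand(self) -> f64 { self.0 as f64 / (1u64 << 48) as f64 }
    /// lrand48/nrand48 result: the high 31 bits, in [0, 2^31).
    pub fn to_lrand(self) -> i64 { (self.0 >> 17) as i64 }
    /// mrand48/jrand48 result: the high 32 bits reinterpreted as signed, in [-2^31, 2^31).
    pub fn to_mrand(self) -> i64 { (self.0 >> 16) as u32 as i32 as i64 }
}

/// Multiplier and increment shared by every *48 function.
#[derive(Clone, Copy)]
pub struct Params { pub a: U48, pub c: u16 }

/// POSIX defaults: a = 0x5DEECE66D, c = 0xB, initial X_i = 0x1234ABCD330E.
const DEFAULT_PARAMS: Params = Params { a: U48::new(0x5DEECE66D), c: 0xB };
const DEFAULT_X: U48 = U48::new(0x1234ABCD330E);

// Lock order everywhere: PARAMS first, then XI. Never the reverse.
static PARAMS: Mutex<Params> = Mutex::new(DEFAULT_PARAMS);
static XI: Mutex<U48> = Mutex::new(DEFAULT_X);

/// Advance the shared X_i under both locks and return the new value.
fn advance_shared() -> U48 {
    let params = PARAMS.lock().unwrap();
    let mut xi = XI.lock().unwrap();
    *xi = xi.step(params.a, params.c);
    *xi
}

pub fn drand48() -> f64 { advance_shared().to_drand() }
pub fn lrand48() -> i64 { advance_shared().to_lrand() }
pub fn mrand48() -> i64 { advance_shared().to_mrand() }

/// The caller-state variants only need a snapshot of a and c; the guard is dropped immediately.
fn advance_caller(xsubi: &mut [u16; 3]) -> U48 {
    let params = *PARAMS.lock().unwrap();
    let next = U48::from_words(xsubi).step(params.a, params.c);
    *xsubi = next.to_words();
    next
}

pub fn erand48(xsubi: &mut [u16; 3]) -> f64 { advance_caller(xsubi).to_drand() }
pub fn nrand48(xsubi: &mut [u16; 3]) -> i64 { advance_caller(xsubi).to_lrand() }
pub fn jrand48(xsubi: &mut [u16; 3]) -> i64 { advance_caller(xsubi).to_mrand() }

/// srand48: seedval becomes the high 32 bits of X_i, the low 16 bits are 0x330E; a and c reset.
pub fn srand48(seedval: i32) {
    let mut params = PARAMS.lock().unwrap();
    let mut xi = XI.lock().unwrap();
    *params = DEFAULT_PARAMS;
    *xi = U48::new(((seedval as u32 as u64) << 16) | 0x330E);
}

/// seed48: install a full 48-bit X_i, reset a and c, and hand back the previous X_i by value
/// (assumed here instead of the C API's pointer to a static buffer).
pub fn seed48(seed16v: &[u16; 3]) -> [u16; 3] {
    let mut params = PARAMS.lock().unwrap();
    let mut xi = XI.lock().unwrap();
    let previous = xi.to_words();
    *params = DEFAULT_PARAMS;
    *xi = U48::from_words(seed16v);
    previous
}

/// lcong48: param[0..3] is X_i, param[3..6] is a, param[6] is c.
pub fn lcong48(param: &[u16; 7]) {
    let mut params = PARAMS.lock().unwrap();
    let mut xi = XI.lock().unwrap();
    *params = Params { a: U48::from_words(&[param[3], param[4], param[5]]), c: param[6] };
    *xi = U48::from_words(&[param[0], param[1], param[2]]);
}

fn main() {
    // The unseeded shared generator and a private buffer holding the same default X_i agree.
    println!("drand48() = {}", drand48());
    let mut xs = DEFAULT_X.to_words();
    println!("erand48() = {}", erand48(&mut xs));
}
```

Because the shared functions take both locks, a `lock().unwrap()` will panic on a poisoned mutex rather than silently continue, which is the same kind of loud failure the MR reports for the unsound multithreaded test usage.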