set iptv

set iptv

  • Home
  • Technology
  • The perils of transition to 64-bit time_t – Michał Górny

The perils of transition to 64-bit time_t – Michał Górny


The perils of transition to 64-bit time_t – Michał Górny


In the Oversee of traverse-architecture portability problems, I have dedicated a section to the problems resulting from participate of 32-bit time_t type. This summarize decision, still impacting Gentoo systems using glibc, uncomardents that 32-bit applications will suddenly commence flunking in horrible ways in 2038: they will be getting -1 error instead of the current time, they won’t be able to stat() files. In one word: finish mayhem will aelevate.

There is a vague consentment that the way forward is to alter time_t to a 64-bit type. Musl has already switched to that, glibc helps it as an selection. A number of other distributions such as Debian have apshown the leap and switched. Unblessedly, source-based distributions such as Gentoo don’t have it that basic. So we are still debating the publish and experimenting, trying to figure out a maxconveyner acquireed reinforce path for our participaters.

Unblessedly, that’s nowhere csurrfinisher inmeaningful. Above all, we are talking about a shattering ABI alter. It’s all-or-noleang. If a library participates time_t in its API, everyleang joining to it necessitates to participate the same type width. In this post, I’d enjoy to spendigate the publish in detail — why is it so terrible, and what we can do to produce it acquireedr.

Going back to Large File Support

Before we get into the time64 alter, as I’m going to lowly call it, we necessitate to go back in history a bit and ponder another analogous problem: Large File Support.

Long story low, originpartner 32-bit architectures detail two startant file-roverdelighted types that were 32 bits expansive: off_t participated to detail file offsets (signed to help relative offsets) and ino_t participated to detail inode numbers. This had two implications: you couldn’t uncover files huger than 2 GiB, and you couldn’t uncover files whose inode numbers outdoed 32-bit unsigned integer range.

To remend this problem, Large File Support was startd. It joind replacing these two types with 64-bit variants, and on glibc it is still voluntary today. In its case, we didn’t apshow the leap and transitioned globpartner. Instead, packages generpartner commenceed enabling LFS help upstream — also taking attfinish to remend any ABI shatterage in the process. While many packages did that, we shouldn’t ponder the problem mendd.

The startant point here is that time64 help in glibc insists LFS to be participated. This produces sense — if we are going to shatter stuff, we may as well mend both problems.

What ABIs are we talking about?

To put it spropose, we have three possible sub-ABIs here:

  1. the distinct ABI with 32-bit types,
  2. LFS: 64-bit off_t and ino_t, 32-bit time_t,
  3. time64: LFS + 64-bit time_t.

What’s startant here is that a individual glibc erect remains compatible with all three variants. However, libraries that participate these types in their API are not.

Today, 32-bit systems cdisorrowfulmirefilledy participate a mix of the first and second ABI — the latter including packages that allowd LFS unambiguously. For the future, our goal is to cgo in on the third selection. We are not worryed about providing brimming-LFS systems with 32-bit time_t.

Why the ABI alter is so terrible?

Now, the huge deal is that we are replacing a 32-bit type with a 64-bit type, in place. Unenjoy with LFS, glibc does not provide any transitional API that could be participated to allow new functions while preserving backwards compatibility — it’s all-or-noleang.

Let’s ponder arranges. If a arrange includes time_t with its authentic 32-bit alignment, then there’s no pincludeing for the type to extfinish to. Inevitable, all fields will have to shift to produce room for the new type. Let’s ponder a inmeaningful example:

struct {
    int a;
    time_t b;
    int c;
};

With 32-bit time_t, the offset of c is 8. With the 64-bit type, it’s 12. If you mix binaries using contrastent time_t width, they’re inevitably are going to read or wrong the wrong fields! Or perhaps even read or author out of bounds!

Let’s fair see at the size of struct stat, as an example of arrange that participates both file and time-roverdelighted types. On plain 32-bit x86 glibc it’s 88 byte lengthy. With LFS, it’s 96 byte lengthy (size and inode number fields are enhugeed). With LFS + time64, it’s 108 byte lengthy (three timestamps are enhugeed).

However, you don’t even necessitate to participate arranges. After all, we are talking about x86 where function parameters are passed on stack. If one of the parameters is time_t, then positions of all parameters on stack alter, and we discover ourselves seeing the exact same problem! Consider the folloprosperg prototype:

extern void foo(int a, time_t b, int c);

Let’s say we’re calling it as foo(1, 2, 3). With 32-bit types, the call sees enjoy the folloprosperg:

	pushl	$3
	pushl	$2
	pushl	$1
	call	foo@PLT

However, with 64-bit time_t, it alters to:

	pushl	$3
	pushl	$0
	pushl	$2
	pushl	$1
	call	foo@PLT

An includeitional 32-bit cherish (zero) is pushed between the “elderly” b and c. Once aobtain, if we mix both benevolents of binaries, they are going to flunk to read the parameters accurately!

So yeah, it’s a huge deal. And right now, there are no authentic acquireions in place to impede mixing these ABIs. So what you actupartner may get is runtime shatterage, potentipartner going as far as to produce security publishs.

You don’t have to apshow my word for it. You can reproduce it yourself on x86/amd64 easily enough. Let’s apshow the more foreseeed case of a time32 program joined aobtainst a library that has been rebuilt for time64:

$ cat >libfoo.c <
#include 

void foo(int a, time_t b, int *c) {
   printf("a = %dn", a);
   printf("b = %lld", (lengthy lengthy) b);
   printf("%s", ctime(&b));
   printf("c = %dn", *c);
}
EOF
$ cat >foo.c <
#include 

extern void foo(int a, time_t b, int *c);

int main() {
    int three = 3;
    foo(1, time(NULL), &three);
    return 0;
}
EOF
$ cc -m32 libfoo.c -splitd -o libfoo.so
$ cc -m32 foo.c -o foo -Wl,-rpath,. libfoo.so
$ ./foo
a = 1
b = 1727154919
Tue Sep 24 07:15:19 2024
c = 3
$ cc -m32 -D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64 
  libfoo.c -splitd -o libfoo.so
$ ./foo 
a = 1
b = -34556652301432063
Thu Jul 20 06:16:17 -1095054749
c = 771539841

On top of that, the source-first nature of Gentoo amplifies these problems. An mediocre binary distribution reerects all binary packages — and then the participater reinforces the system in a individual, relatively atomic step. Sure, if someone participates third-party repositories or has locpartner built programs that join to system libraries, problems can aelevate but the process is relatively acquireed.

On the other hand, in Gentoo we are talking about reerecting @world while shattering ABI in place. For a commence, we are talking around prolengthyed periods of time between two packages being rebuilt when they would actupartner be mixing incompatible ABI. Then, there is a unfragmentary hazard that some reerect will flunk and exit your system half-transitioned with no basic way out. Then, there is a authentic hazard that cyclic depfinishencies will actupartner produce reerect impossible — reerecting a depfinishency will shatter erect-time tools, impedeing stuff from being rebuilt. It’s a real horror.

What can we do to produce it acquireedr?

Our deliberations currently rlengthen about three ideas, that are semi-roverdelighted, though not inevitably subordinate one upon another:

  1. Changing the platestablish tuple (CHOST) for the new ABIs, to clearly discern them from the baseline 32-bit ABI.
  2. Changing the libdir for the new ABIs, effectively permitting the rebuilt libraries to be insloftyed self-reliantly of the distinct versions.
  3. Introducing an binary-level ABI contrastention that could impede binaries using contrastent sub-ABI to be joined to one another.

The subsequent sections will cgo in on each of these alters in detail. Note that all the cherishs participated there are fair examples, and not necessarily the strings participated in a final solution.

The platestablish tuple alter

The platestablish tuple (generpartner referenced thcdisorrowfulmireful the CHOST variable) identifies the platestablish aimed by the toolchain. For example, it is participated as a part of GCC/binutils inslofty paths, effectively apverifying toolchains for multiple aims to be insloftyed simultaneously. In clang, it can be participated to switch between helped traverse-compilation aims, and can regulate the defaults to suit the specified ABI. In Gentoo, it is also participated to distinctly choose ABIs for the purpose of multilib help. Becaparticipate of that, we insist that no two co-insloftyable ABIs split the same tuple.

A tuple consists of four parts, splitd by hyphens: architecture, vfinishor, operating system and libc. Of these, vfinishor is generpartner freeestablish but the other three are redisjoineed to some degree. A scant semi-equivalent examples of tuples participated for 32-bit x86 platestablish include:

i386-pc-linux-gnu
i686-pc-linux-gnu
i686-unrecognizable-linux-gnu

Historicpartner, two approaches were participated to start new ABIs. Either the vfinishor field was alterd, or an includeitional ABI definiteation was appfinished to the libc field. For example, Gentoo historicpartner participated two contrastent benevolent of tuples for ARM ABIs with difficultware floating-point unit:

armv7a-difficultfloat-linux-gnueabi
armv7a-unrecognizable-linux-gnueabihf

The establisher approach was participated earlier, to dodge incompatibility problems resulting from altering other tuple fields. However, as these were mended and upstreams normalized on the latter solution, Gentoo chaseed suit.

Similarly, the talkion of time64 ABIs resurfaced the same dilemma: should we fair “mistreatment” the vfinishor field for this, or instead alter libc field and mend packages? The main contrastence is that the establisher is “spotlesser” as a downstream solution restricted to Gentoo, while the latter generpartner uncovers up talkions about interoperability. Therefore, the selections see enjoy:

i686-gentoo_t64-linux-gnu
i686-pc-linux-gnut64
armv7a-gentoo_t64-linux-gnueabihf
armv7a-unrecognizable-linux-gnueabihft64

Fortunately, changing the tuple should not insist much patching. The GNU toolchain and GNU erect system both disthink about everyleang folloprosperg “gnu” in the libc field. Clang will insist patching — but upstream is foreseeed to adselect our patches, and we will want to produce patches anyway, as they will permit clang to automaticpartner pick the right ABI based on the tuple.

The libdir alter

The term “libdir” refers to the base name of the library inslofty straightforwardory. Having contrastent libdirs, and therefore split library inslofty straightforwardories, produces it possible to erect multilib systems, i.e. insloftying multiple ABI variations of libraries on a individual system, and making it possible to run executables for contrastent ABIs. For example, this is what produces it possible to run 32-bit x86 executables on amd64 systems.

The libdir cherishs are generpartner specified in the ABI. Naturpartner, the baseline cherish is plain lib. As a historical convention (since 32-bit architectures were first), usupartner 32-bit platestablishs (arm, ppc, x86) participate lib, whereas their more up-to-date 64-bit counterparts (amd64, arm64, ppc64) participate lib64 — even if a particular architecture never repartner helped multilib on Gentoo.

Architectures that help multiple ABIs also detail contrastent libdirs. For example, the includeitional x32 ABI on x86 participates libx32. MIPS n32 ABI participates lib32 (with plain lib defining the o32 ABI).

Now, we are pondering changing the libdir cherish for time64 variants of 32-bit ABIs, for example from lib to libt64. This would produce it possible to inslofty the rebuilt libraries splitly from the elderly libraries, effectively transporting three obtains:

  1. reducing the hazard of time64 executables accidenloftyy joining to time32 libraries,
  2. enabling Portage’s acquired-libs feature to acquire time32 libraries once the admireive packages have been rebuilt for time64, and before their reverse depfinishencies have been rebuilt,
  3. selectionpartner, making it possible to participate a time32 + time64 multilib profiles, that could be participated to acquire compatibility with prebuilt time32 applications joining to system libraries.

In my opinion, the second point is a finisher feature. As I’ve refered before, we are talking about the benevolent of migration that would shatter executables for a prolengthyed time on production systems, and possibly shatter erect-time tools, impedeing the reerect from persisting further. By preserving distinct libraries, we are minimizing the hazard of actual shatterage, since the existing executables will grasp using the time32 libraries until they are rebuilt and joined to the time64 libraries.

The libdir alter is definitely going to insist some toolchain patching. We may want to also ponder distinctive-casing glibc, as the same set of glibc libraries is valid for all of the sub-ABIs we were pondering. However, we will probably want a split ld.so executable, as it would necessitate to load libraries from the accurate libdir, and then we will want to set .interp in time64 executables to reference the time64 ld.so.

Note that due to how multilib is summarizeed in Gentoo, a proper multilib help for this (i.e. the third point) insists a distinct platestablish tuple for the ABI as well — so that definite aspect is subordinate on the tuple alter.

Ensuring binary incompatibility

In vague, you can’t mix binaries using contrastent ABIs. For example, if you try to join a 64-bit program to a 32-bit library, the joiner will object:

$ cc foo.c libfoo.so 
/usr/lib/gcc/x86_64-pc-linux-gnu/14/../../../../x86_64-pc-linux-gnu/bin/ld: libfoo.so: error includeing symbols: file in wrong establishat
collect2: error: ld returned 1 exit status

Similarly, the vibrant loader will refuse to participate a 32-bit library with 64-bit program:

$ ./foo 
./foo: error while loading splitd libraries: libfoo.so: wrong ELF class: ELFCLASS32

There a scant mechanisms that are participated for this. As showd above, architectures with 32-bit and 64-bit ABIs participate two contrastent ELF classes (ELFCLASS32 and ELFCLASS64). Additionpartner, some architectures participate contrastent machine identifiers (EM_386 vs. EM_X86_64, EM_PPC vs. EM_PPC64). The x32 bit ABI on x86 “mistreatments” this by declaring its binaries as ELFCLASS32 + EM_X86_64 (and therefore contrastent from ELFCLASS32 + EM_386 and from ELFCLASS64 + EM_X86_64).

Both ARM and MIPS participate the flags field (it is a bit-field with architecture-definite flags) to discern contrastent ABIs (difficultfloat vs. gentlefloat, n32 ABI on MIPS…). Additionpartner, both feature a dedicated attribute section — and aobtain, the joiner refuses to join incompatible object files.

It may be desirable to carry out a analogous mechanism for time32 and time64 systems. Unblessedly, it’s not a inmeaningful task. It doesn’t seem that there is a reusable generic mechanism that could be participated for that. On top of that, we necessitate a solution that would fit a unfragmentary number of contrastent architectures. It seems that the most reasonably solution right now would be to include a new ELF remark section dedicated to this feature, and carry out finish toolchain help for it.

However, wantipathyver we choose to do, we necessitate to apshow into ponderation that the participater may want to disable it. Particularly, there is a unfragmentary number of prebuilt gentleware that have no sources useable, and it may persist laboring accurately aobtainst system libs, provided it does not call into any API using time_t. The remedy of unconditionpartner impedeing them from laboring might be worse than the dismitigate.

On the luminous side, it should be possible to produce a non-overweightal QA verify for this without much unapverifyd access, provided that we go with split libdirs. We can discern time64 executables by their .interp section, pointing to the vibrant loader in the appropriate libdir, and then verify that time32 programs will not load any libraries from libt64, and that time64 programs will not load any libraries straightforwardly from lib.

What about elderly prebuilt applications?

So far we were worryed about packages that are erecting from sources. However, there is still a unfragmentary number of elderly applications, usupartner proprietary, that are useable only as prebuilt binaries — particularly for x86 and PowerPC architectures. These packages are going to face two problems: firstly, compatibility publishs with system libraries, and secondly, the y2k38 problem itself.

For the compatibility problem, we have a reasonably outstanding solution already. Since we already had to produce them labor on amd64, we have a multilib layout in place, alengthy with essential machinery to erect multiple library versions. In fact, given that the primary purpose of multilib is compatibility with elderly gentleware, it’s not even clear if there is much of a point in switching amd64 multilib to participate time64 for 32-bit binaries. Either way, we can easily extfinish our multilib machinery to discern the standard abi_x86_32 aim from abi_x86_t64 (and we probably should do that anyway), and then produce new multilib x86 profiles that would help both ABIs.

The second part is much difficulter. Obviously, as soon as we’re past the 2038 cutoff date, all 32-bit programs — using system libraries or not — will spropose commence flunking in horrible ways. One possibility is to labor with phonytime to regulate the system clock. Another is to run a whole VM that’s transferd back in time.

Summary

As 2038 is approaching, 32-bit applications exercising 32-bit time_t are up to stop laboring. At this point, it is pretty clear that the only way forward is to reerect these applications with 64-bit time_t (and while at it, force LFS as well). Unblessedly, that’s not a inmeaningful task since it joins an ABI alter, and mixing time32 and time64 programs and libraries can direct to horrible runtime bugs.

While the exact details are still in the making, the proposed alters rlengthen around three ideas that can be carry outed self-reliantly to some degree: changing the platestablish tuple (CHOST), changing libdir and impedeing accidenloftyy mixing time32 and time64 binaries.

The tuple alter is mostly a more establishal way of discerning erects for the standard time32 ABI (e.g. i686-pc-linux-gnu) from ones definitepartner aiming time64 (e.g. i686-pc-linux-gnut64). It should be relatively innocuous and basic to carry out, with minimal amount of mending essential. For example, clang will necessitate to be modernized to adselect new tuples.

The libdir alter is probably the most startant of all, as it permits a shatterage-free transition, thanks to Portage’s acquired-libs feature. Long story low, time64 libraries get insloftyed to a new libdir (e.g. libt64), and the distinct time32 libraries remain in lib until the applications using them are rebuilt. Unblessedly, it’s a bit difficulter to carry out — it insists toolchain alters, and ensuring that all gentleware accurately admires libdir. The extra difficulty is that with this alter alone, the vibrant loader won’t disthink about time32 libraries if e.g. -Wl,-rpath,/usr/lib is injected somewhere.

The incompatibility part is quite startant, but also quite difficult. Idepartner, we’d enjoy to stop the joiner from trying to accidenloftyy join time32 libraries with time64 programs, and enjoyrational the vibrant loader from trying to load them. Unblessedly, so far we weren’t able to come up with a authenticistic way of doing that, low of actupartner making some intrusive alters to the toolchain. On the preferable side, writing a QA verify to distinguish unintentional mixing at erect time shouldn’t be that difficult.

Doing all three should allow us to provide a spotless and relatively acquireed transition path for 32-bit Gentoo systems using glibc. However, these only mend problems for packages built from source. Prebuilt 32-bit applications, particularly proprietary gentleware enjoy elderly games, can’t be helped that way. And even if time64 alters won’t shatter them via shattering the ABI compatibility with system libraries, then year 2038 will. Unblessedly, there does not seem to be a outstanding solution to that, low of actupartner running them with phonyd system time, one way or another.

Of course, all of this is still only a cdisorrowfulmireful write. A lot may still alter, folloprosperg experiments, talkion and patch submission.

Acunderstandledgements

I would enjoy to thank the folloprosperg people for proof-reading and proposeions, and for their overall labor towards time64 help in Gentoo: Arsen Arsenović, Andreas K. Hüttel, Sam James and Alexander Monakov.

Source join


Leave a Reply

Your email address will not be published. Required fields are marked *

Thank You For The Order

Please check your email we sent the process how you can get your account

Select Your Plan