diff options
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 172 |
1 files changed, 86 insertions, 86 deletions
@@ -6,85 +6,7 @@ Please send Guile bug reports to bug-guile@gnu.org. -Changes in 2.1.7 (changes since the 2.1.6 alpha release): - -* Notable changes - -** Web server now suspendable - -The web server's implementation has been slightly modified in order to -allow coroutines to suspend and resume around it when it would block on -input or output. See "Non-Blocking IO" in the manual for more. - -** Add support for arrays in `truncated-print'. - -See "Pretty Printing" in the manual. Thanks to Daniel Llorens. - -** Gnulib update - -Gnulib has been updated to v0.1-1157-gb03f418. - -* Performance improvements - -** Stringbufs immutable by default - -Stringbufs are backing buffers for strings, and are not user-visible. -Calling "substring" on a base string will result in a new string that -shares state with the base string's stringbuf. A subsequent attempt to -mutate the substring will first copy a fresh stringbuf; that is, Guile's -strings are copy-on-write. There is also "substring/shared" which -allows mutations to be shared between substring and base string; in that -case the stringbuf is modified directly. - -It used to be that mutating a string would have to take a global lock, -to ensure that no one was concurrently taking a copy-on-write substring -of that string. That is, stringbufs were mutable by default and -transitioning to immutable could happen at any time. - -This situation has been reversed: stringbufs are now immutable by -default and attempts to mutate an immutable stringbuf will copy a fresh -stringbuf and mark it as mutable. This way we can avoid the global -lock. This change likely speeds up common "substring" workloads, though -it make make the first in-place mutation on an immutable string take -more time because it has to copy a fresh backing stringbuf. - -** Speed up number->string - -** `accept' now takes optional flags argument - -These flags can include `SOCK_NONBLOCK' and `SOCK_CLOEXEC', indicating -options to apply to the returned socket, potentially removing the need -for additional system calls to set these options. See "Network Sockets -and Communication" in the manual, for more. - -* New deprecations - -** `SCM_FDES_RANDOM_P' - -Instead, use `lseek (fd, 0, SEEK_CUR)' directly. - -* Bug fixes - -** Fix too-broad capture of dynamic stack by delimited continuations - -Guile was using explicit stacks to represent, for example, the chain of -current exception handlers. This means that a delimited continuation -that captured a "catch" expression would capture the whole stack of -exception handlers, not just the exception handler added by the "catch". -This led to strangeness when resuming the continuation in some other -context like other threads; "throw" could see an invalid stack of -exception handlers. This has been fixed by the addition of the new -"fluid-ref*" procedure that can access older values of fluids; in this -way the exception handler stack is now implicit. See "Fluids and -Dynamic States" in the manual, for more on fluid-ref*. - -** Fix bug comparing unboxed floating-point values (#25492) - -Thanks to Daniel Llorens. - -** Fix crasher bugs for multiple threads writing to same port - -** Fix bug resuming partial continuations that contain prompts +Changes in 2.1.8 (changes since the 2.1.7 alpha release): Previous changes in 2.1.x (changes since the 2.0.x series): @@ -339,6 +261,13 @@ See "Custom Ports" in the manual. See "R6RS Transcoders" in the manual. +** `accept' now takes optional flags argument + +These flags can include `SOCK_NONBLOCK' and `SOCK_CLOEXEC', indicating +options to apply to the returned socket, potentially removing the need +for additional system calls to set these options. See "Network Sockets +and Communication" in the manual, for more. + ** Thread-safe atomic boxes (references) See "Atomics" in the manual. @@ -728,6 +657,19 @@ specifies #:duplicates, of course we use that. The `default-duplicate-binding-handlers' parameter now simply accesses the handlers of the current module, instead of some global value. +** Fix too-broad capture of dynamic stack by delimited continuations + +Guile was using explicit stacks to represent, for example, the chain of +current exception handlers. This means that a delimited continuation +that captured a "catch" expression would capture the whole stack of +exception handlers, not just the exception handler added by the "catch". +This led to strangeness when resuming the continuation in some other +context like other threads; "throw" could see an invalid stack of +exception handlers. This has been fixed by the addition of the new +"fluid-ref*" procedure that can access older values of fluids; in this +way the exception handler stack is now implicit. See "Fluids and +Dynamic States" in the manual, for more on fluid-ref*. + ** `dynamic-wind' doesn't check that guards are thunks Checking that the dynamic-wind out-guard procedure was actually a thunk @@ -849,6 +791,10 @@ scm_t_debug_info', `scm_pure_generic_p', `SCM_PUREGENERICP', * New deprecations +** `SCM_FDES_RANDOM_P' + +Instead, use `lseek (fd, 0, SEEK_CUR)' directly. + ** `_IONBF', `_IOLBF', and `_IOFBF' Instead, use the symbol values `none', `line', or `block', respectively, @@ -987,19 +933,60 @@ users, but packagers may be interested. +Changes in 2.0.14 (since 2.0.13): + +* Bug fixes + +** Builds of .go files and of Guile itself are now bit-reproducible + (<http://bugs.gnu.org/20272>) + +** 'number->locale-string' and 'monetary-amount->locale-string' fixes + (<http://bugs.gnu.org/24990>) + +** (system base target) now recognizes "sh3" as a cross-compilation target + +** Fix race condition in '00-repl-server.test' + (<http://bugs.gnu.org/24769>) + +** 'scandir' from (ice-9 ftw) no longer calls 'stat' for each entry + +** Several documentation improvements + + Changes in 2.0.13 (since 2.0.12): -* Notable changes -* New interfaces -** mkstemp! takes optional "mode" argument +* Security fixes -See "File System" in the manual, for more. +** CVE-2016-8606: REPL server now protects against HTTP inter-protocol + attacks -** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions +Guile 2.x provides a "REPL server" started by the '--listen' +command-line option or equivalent API (see "REPL Servers" in the +manual). -* Bug fixes +The REPL server is vulnerable to the HTTP inter-protocol attack as +described at +<https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the +HTML form protocol attack described at +<https://www.jochentopf.com/hfpa/hfpa.pdf>. A "DNS rebinding attack" +can be combined with this attack and allow an attacker to send arbitrary +Guile code to the REPL server through web pages accessed by the +developer, even though the REPL server is listening to a loopback device +("localhost"). This was demonstrated in an article entitled "How to +steal any developer's local database" available at +<http://bouk.co/blog/hacking-developers/>. + +The REPL server in Guile 2.0.13 now detects attempts to exploit this +vulnerability. It immediately closes the connection when it receives a +line that looks like an HTTP request. -** 'mkdir' procedure no longer calls umask(2) (<http://bugs.gnu.org/24659>) +Nevertheless, we recommend binding the REPL server to a Unix-domain +socket, for instance by running: + + guile --listen=/tmp/guile-socket + +** CVE-2016-8605: 'mkdir' procedure no longer calls umask(2) + (<http://bugs.gnu.org/24659>) When the second argument to the 'mkdir' procedure was omitted, it would call umask(0) followed by umask(previous_umask) and apply the umask to @@ -1010,9 +997,22 @@ applications: during a small window the process' umask was set to zero, so other threads calling mkdir(2) or open(2) could end up creating world-readable/writable/executable directories or files. +* New interfaces + +** mkstemp! takes optional "mode" argument + +See "File System" in the manual, for more. + +** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions + +* Bug fixes + ** Fix optimizer bug when compiling fixpoint operator ** Fix build error on MinGW ** Update 'uname' implementation on MinGW +** 'port-encoding' and 'set-port-encoding!' ensure they are passed an + open port +** (system base target) now recognizes Alpha as a cross-compilation target Changes in 2.0.12 (since 2.0.11): |