Module Name: src
Committed By: riastradh
Date: Sun Dec 22 23:24:21 UTC 2024
Modified Files:
src/sys/kern: files.kern kern_time.c subr_time.c
src/sys/rump/librump/rumpkern: Makefile.rumpkern
src/sys/sys: time.h timevar.h
Added Files:
src/sys/kern: subr_time_arith.c
src/sys/sys: timearith.h
Log Message:
kern: Move some purely arithmetic routines to subr_time_arith.c.
Preparation for testing and fixing:
PR kern/58922: itimer(9): arithmetic overflow
PR kern/58925: itimer(9) responds erratically to clock wound back
PR kern/58926: itimer(9) integer overflow in overrun counting
PR kern/58927: itimer(9): overrun accounting is broken
To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/sys/kern/files.kern
cvs rdiff -u -r1.226 -r1.227 src/sys/kern/kern_time.c
cvs rdiff -u -r1.40 -r1.41 src/sys/kern/subr_time.c
cvs rdiff -u -r0 -r1.1 src/sys/kern/subr_time_arith.c
cvs rdiff -u -r1.191 -r1.192 src/sys/rump/librump/rumpkern/Makefile.rumpkern
cvs rdiff -u -r1.81 -r1.82 src/sys/sys/time.h
cvs rdiff -u -r0 -r1.1 src/sys/sys/timearith.h
cvs rdiff -u -r1.51 -r1.52 src/sys/sys/timevar.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/files.kern
diff -u src/sys/kern/files.kern:1.60 src/sys/kern/files.kern:1.61
--- src/sys/kern/files.kern:1.60 Fri Jul 28 18:19:01 2023
+++ src/sys/kern/files.kern Sun Dec 22 23:24:20 2024
@@ -1,4 +1,4 @@
-# $NetBSD: files.kern,v 1.60 2023/07/28 18:19:01 christos Exp $
+# $NetBSD: files.kern,v 1.61 2024/12/22 23:24:20 riastradh Exp $
#
# kernel sources
@@ -154,6 +154,7 @@ file kern/subr_psref.c kern
file kern/subr_specificdata.c kern
file kern/subr_tftproot.c tftproot
file kern/subr_time.c kern
+file kern/subr_time_arith.c kern
file kern/subr_thmap.c kern
file kern/subr_userconf.c userconf
file kern/subr_vmem.c kern
Index: src/sys/kern/kern_time.c
diff -u src/sys/kern/kern_time.c:1.226 src/sys/kern/kern_time.c:1.227
--- src/sys/kern/kern_time.c:1.226 Sun Dec 22 23:18:29 2024
+++ src/sys/kern/kern_time.c Sun Dec 22 23:24:20 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_time.c,v 1.226 2024/12/22 23:18:29 riastradh Exp $ */
+/* $NetBSD: kern_time.c,v 1.227 2024/12/22 23:24:20 riastradh Exp $ */
/*-
* Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009, 2020
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.226 2024/12/22 23:18:29 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.227 2024/12/22 23:24:20 riastradh Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -846,10 +846,9 @@ itimer_arm_real(struct itimer * const it
static void
itimer_callout(void *arg)
{
- uint64_t last_val, next_val, interval, now_ns;
struct timespec now, next;
struct itimer * const it = arg;
- int backwards;
+ int overruns;
itimer_lock();
(*it->it_ops->ito_fire)(it);
@@ -866,34 +865,13 @@ itimer_callout(void *arg)
getnanotime(&now);
}
- backwards = (timespeccmp(&it->it_time.it_value, &now, >));
-
- /* Nonnegative interval guaranteed by itimerfix. */
- KASSERT(it->it_time.it_interval.tv_sec >= 0);
- KASSERT(it->it_time.it_interval.tv_nsec >= 0);
-
- /* Handle the easy case of non-overflown timers first. */
- if (!backwards &&
- timespecaddok(&it->it_time.it_value, &it->it_time.it_interval)) {
- timespecadd(&it->it_time.it_value, &it->it_time.it_interval,
- &next);
- it->it_time.it_value = next;
- } else {
- now_ns = timespec2ns(&now);
- last_val = timespec2ns(&it->it_time.it_value);
- interval = timespec2ns(&it->it_time.it_interval);
-
- next_val = now_ns +
- (now_ns - last_val + interval - 1) % interval;
-
- if (backwards)
- next_val += interval;
- else
- it->it_overruns += (now_ns - last_val) / interval;
-
- it->it_time.it_value.tv_sec = next_val / 1000000000;
- it->it_time.it_value.tv_nsec = next_val % 1000000000;
- }
+ /*
+ * Given the current itimer value and interval and the time
+ * now, compute the next itimer value and count overruns.
+ */
+ itimer_transition(&it->it_time, &now, &next, &overruns);
+ it->it_time.it_value = next;
+ it->it_overruns += overruns;
/*
* Reset the callout, if it's not going away.
Index: src/sys/kern/subr_time.c
diff -u src/sys/kern/subr_time.c:1.40 src/sys/kern/subr_time.c:1.41
--- src/sys/kern/subr_time.c:1.40 Sun Dec 22 23:18:47 2024
+++ src/sys/kern/subr_time.c Sun Dec 22 23:24:20 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_time.c,v 1.40 2024/12/22 23:18:47 riastradh Exp $ */
+/* $NetBSD: subr_time.c,v 1.41 2024/12/22 23:24:20 riastradh Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1993
@@ -33,7 +33,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.40 2024/12/22 23:18:47 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.41 2024/12/22 23:24:20 riastradh Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -62,69 +62,6 @@ tvhzto(const struct timeval *tvp)
return tvtohz(&tv);
}
-/*
- * Compute number of ticks in the specified amount of time.
- */
-int
-tvtohz(const struct timeval *tv)
-{
- unsigned long ticks;
- long sec, usec;
-
- /*
- * If the number of usecs in the whole seconds part of the time
- * difference fits in a long, then the total number of usecs will
- * fit in an unsigned long. Compute the total and convert it to
- * ticks, rounding up and adding 1 to allow for the current tick
- * to expire. Rounding also depends on unsigned long arithmetic
- * to avoid overflow.
- *
- * Otherwise, if the number of ticks in the whole seconds part of
- * the time difference fits in a long, then convert the parts to
- * ticks separately and add, using similar rounding methods and
- * overflow avoidance. This method would work in the previous
- * case, but it is slightly slower and assumes that hz is integral.
- *
- * Otherwise, round the time difference down to the maximum
- * representable value.
- *
- * If ints are 32-bit, then the maximum value for any timeout in
- * 10ms ticks is 248 days.
- */
- sec = tv->tv_sec;
- usec = tv->tv_usec;
-
- KASSERT(usec >= 0);
- KASSERT(usec < 1000000);
-
- /* catch overflows in conversion time_t->int */
- if (tv->tv_sec > INT_MAX)
- return INT_MAX;
- if (tv->tv_sec < 0)
- return 0;
-
- if (sec < 0 || (sec == 0 && usec == 0)) {
- /*
- * Would expire now or in the past. Return 0 ticks.
- * This is different from the legacy tvhzto() interface,
- * and callers need to check for it.
- */
- ticks = 0;
- } else if (sec <= (LONG_MAX / 1000000))
- ticks = (((sec * 1000000) + (unsigned long)usec + (tick - 1))
- / tick) + 1;
- else if (sec <= (LONG_MAX / hz))
- ticks = (sec * hz) +
- (((unsigned long)usec + (tick - 1)) / tick) + 1;
- else
- ticks = LONG_MAX;
-
- if (ticks > INT_MAX)
- ticks = INT_MAX;
-
- return ((int)ticks);
-}
-
int
tshzto(const struct timespec *tsp)
{
@@ -163,40 +100,6 @@ tstohz(const struct timespec *ts)
return tvtohz(&tv);
}
-/*
- * Check that a proposed value to load into the .it_value or
- * .it_interval part of an interval timer is acceptable, and
- * fix it to have at least minimal value (i.e. if it is less
- * than the resolution of the clock, round it up.). We don't
- * timeout the 0,0 value because this means to disable the
- * timer or the interval.
- */
-int
-itimerfix(struct timeval *tv)
-{
-
- if (tv->tv_usec < 0 || tv->tv_usec >= 1000000)
- return EINVAL;
- if (tv->tv_sec < 0)
- return ETIMEDOUT;
- if (tv->tv_sec == 0 && tv->tv_usec != 0 && tv->tv_usec < tick)
- tv->tv_usec = tick;
- return 0;
-}
-
-int
-itimespecfix(struct timespec *ts)
-{
-
- if (ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000)
- return EINVAL;
- if (ts->tv_sec < 0)
- return ETIMEDOUT;
- if (ts->tv_sec == 0 && ts->tv_nsec != 0 && ts->tv_nsec < tick * 1000)
- ts->tv_nsec = tick * 1000;
- return 0;
-}
-
int
inittimeleft(struct timespec *ts, struct timespec *sleepts)
{
@@ -349,221 +252,3 @@ ts2timo(clockid_t clock_id, int flags, s
return 0;
}
-
-bool
-timespecaddok(const struct timespec *tsp, const struct timespec *usp)
-{
- enum { TIME_MIN = __type_min(time_t), TIME_MAX = __type_max(time_t) };
- time_t a = tsp->tv_sec;
- time_t b = usp->tv_sec;
- bool carry;
-
- /*
- * Caller is responsible for guaranteeing valid timespec
- * inputs. Any user-controlled inputs must be validated or
- * adjusted.
- */
- KASSERT(tsp->tv_nsec >= 0);
- KASSERT(usp->tv_nsec >= 0);
- KASSERT(tsp->tv_nsec < 1000000000L);
- KASSERT(usp->tv_nsec < 1000000000L);
- CTASSERT(1000000000L <= __type_max(long) - 1000000000L);
-
- /*
- * Fail if a + b + carry overflows TIME_MAX, or if a + b
- * overflows TIME_MIN because timespecadd adds the carry after
- * computing a + b.
- *
- * Break it into two mutually exclusive and exhaustive cases:
- * I. a >= 0
- * II. a < 0
- */
- carry = (tsp->tv_nsec + usp->tv_nsec >= 1000000000L);
- if (a >= 0) {
- /*
- * Case I: a >= 0. If b < 0, then b + 1 <= 0, so
- *
- * a + b + 1 <= a + 0 <= TIME_MAX,
- *
- * and
- *
- * a + b >= 0 + b = b >= TIME_MIN,
- *
- * so this can't overflow.
- *
- * If b >= 0, then a + b + carry >= a + b >= 0, so
- * negative results and thus results below TIME_MIN are
- * impossible; we need only avoid
- *
- * a + b + carry > TIME_MAX,
- *
- * which we will do by rejecting if
- *
- * b > TIME_MAX - a - carry,
- *
- * which in turn is incidentally always false if b < 0
- * so we don't need extra logic to discriminate on the
- * b >= 0 and b < 0 cases.
- *
- * Since 0 <= a <= TIME_MAX, we know
- *
- * 0 <= TIME_MAX - a <= TIME_MAX,
- *
- * and hence
- *
- * -1 <= TIME_MAX - a - 1 < TIME_MAX.
- *
- * So we can compute TIME_MAX - a - carry (i.e., either
- * TIME_MAX - a or TIME_MAX - a - 1) safely without
- * overflow.
- */
- if (b > TIME_MAX - a - carry)
- return false;
- } else {
- /*
- * Case II: a < 0. If b >= 0, then since a + 1 <= 0,
- * we have
- *
- * a + b + 1 <= b <= TIME_MAX,
- *
- * and
- *
- * a + b >= a >= TIME_MIN,
- *
- * so this can't overflow.
- *
- * If b < 0, then the intermediate a + b is negative
- * and the outcome a + b + 1 is nonpositive, so we need
- * only avoid
- *
- * a + b < TIME_MIN,
- *
- * which we will do by rejecting if
- *
- * a < TIME_MIN - b.
- *
- * (Reminder: The carry is added afterward in
- * timespecadd, so to avoid overflow it is not enough
- * to merely reject a + b + carry < TIME_MIN.)
- *
- * It is safe to compute the difference TIME_MIN - b
- * because b is negative, so the result lies in
- * (TIME_MIN, 0].
- */
- if (b < 0 && a < TIME_MIN - b)
- return false;
- }
-
- return true;
-}
-
-bool
-timespecsubok(const struct timespec *tsp, const struct timespec *usp)
-{
- enum { TIME_MIN = __type_min(time_t), TIME_MAX = __type_max(time_t) };
- time_t a = tsp->tv_sec, b = usp->tv_sec;
- bool borrow;
-
- /*
- * Caller is responsible for guaranteeing valid timespec
- * inputs. Any user-controlled inputs must be validated or
- * adjusted.
- */
- KASSERT(tsp->tv_nsec >= 0);
- KASSERT(usp->tv_nsec >= 0);
- KASSERT(tsp->tv_nsec < 1000000000L);
- KASSERT(usp->tv_nsec < 1000000000L);
- CTASSERT(1000000000L <= __type_max(long) - 1000000000L);
-
- /*
- * Fail if a - b - borrow overflows TIME_MIN, or if a - b
- * overflows TIME_MAX because timespecsub subtracts the borrow
- * after computing a - b.
- *
- * Break it into two mutually exclusive and exhaustive cases:
- * I. a < 0
- * II. a >= 0
- */
- borrow = (tsp->tv_nsec - usp->tv_nsec < 0);
- if (a < 0) {
- /*
- * Case I: a < 0. If b < 0, then -b - 1 >= 0, so
- *
- * a - b - 1 >= a + 0 >= TIME_MIN,
- *
- * and, since a <= -1, provided that TIME_MIN <=
- * -TIME_MAX - 1 so that TIME_MAX <= -TIME_MIN - 1 (in
- * fact, equality holds, under the assumption of
- * two's-complement arithmetic),
- *
- * a - b <= -1 - b = -b - 1 <= TIME_MAX,
- *
- * so this can't overflow.
- */
- CTASSERT(TIME_MIN <= -TIME_MAX - 1);
-
- /*
- * If b >= 0, then a - b - borrow <= a - b < 0, so
- * positive results and thus results above TIME_MAX are
- * impossible; we need only avoid
- *
- * a - b - borrow < TIME_MIN,
- *
- * which we will do by rejecting if
- *
- * a < TIME_MIN + b + borrow.
- *
- * The right-hand side is safe to evaluate for any
- * values of b and borrow as long as TIME_MIN +
- * TIME_MAX + 1 <= TIME_MAX, i.e., TIME_MIN <= -1.
- * (Note: If time_t were unsigned, this would fail!)
- *
- * Note: Unlike Case I in timespecaddok, this criterion
- * does not work for b < 0, nor can the roles of a and
- * b in the inequality be reversed (e.g., -b < TIME_MIN
- * - a + borrow) without extra cases like checking for
- * b = TEST_MIN.
- */
- CTASSERT(TIME_MIN < -1);
- if (b >= 0 && a < TIME_MIN + b + borrow)
- return false;
- } else {
- /*
- * Case II: a >= 0. If b >= 0, then
- *
- * a - b <= a <= TIME_MAX,
- *
- * and, provided TIME_MIN <= -TIME_MAX - 1 (in fact,
- * equality holds, under the assumption of
- * two's-complement arithmetic)
- *
- * a - b - 1 >= -b - 1 >= -TIME_MAX - 1 >= TIME_MIN,
- *
- * so this can't overflow.
- */
- CTASSERT(TIME_MIN <= -TIME_MAX - 1);
-
- /*
- * If b < 0, then a - b >= a >= 0, so negative results
- * and thus results below TIME_MIN are impossible; we
- * need only avoid
- *
- * a - b > TIME_MAX,
- *
- * which we will do by rejecting if
- *
- * a > TIME_MAX + b.
- *
- * (Reminder: The borrow is subtracted afterward in
- * timespecsub, so to avoid overflow it is not enough
- * to merely reject a - b - borrow > TIME_MAX.)
- *
- * It is safe to compute the sum TIME_MAX + b because b
- * is negative, so the result lies in [0, TIME_MAX).
- */
- if (b < 0 && a > TIME_MAX + b)
- return false;
- }
-
- return true;
-}
Index: src/sys/rump/librump/rumpkern/Makefile.rumpkern
diff -u src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.191 src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.192
--- src/sys/rump/librump/rumpkern/Makefile.rumpkern:1.191 Sat Jun 3 09:09:15 2023
+++ src/sys/rump/librump/rumpkern/Makefile.rumpkern Sun Dec 22 23:24:20 2024
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.rumpkern,v 1.191 2023/06/03 09:09:15 lukem Exp $
+# $NetBSD: Makefile.rumpkern,v 1.192 2024/12/22 23:24:20 riastradh Exp $
#
IOCONFDIR:= ${.PARSEDIR}
@@ -126,6 +126,7 @@ SRCS+= init_sysctl_base.c \
subr_psref.c \
subr_specificdata.c \
subr_time.c \
+ subr_time_arith.c \
subr_thmap.c \
subr_vmem.c \
subr_workqueue.c \
Index: src/sys/sys/time.h
diff -u src/sys/sys/time.h:1.81 src/sys/sys/time.h:1.82
--- src/sys/sys/time.h:1.81 Sun May 12 10:34:56 2024
+++ src/sys/sys/time.h Sun Dec 22 23:24:20 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: time.h,v 1.81 2024/05/12 10:34:56 rillig Exp $ */
+/* $NetBSD: time.h,v 1.82 2024/12/22 23:24:20 riastradh Exp $ */
/*
* Copyright (c) 1982, 1986, 1993
@@ -266,7 +266,8 @@ ns2bintime(uint64_t ns)
} while (0)
#define timespec2ns(x) (((uint64_t)(x)->tv_sec) * 1000000000L + (x)->tv_nsec)
-#ifdef _KERNEL
+#if defined(_KERNEL) || defined(_TIME_TESTING)
+#include <sys/stdbool.h>
bool timespecaddok(const struct timespec *, const struct timespec *) __pure;
bool timespecsubok(const struct timespec *, const struct timespec *) __pure;
#endif
@@ -310,6 +311,7 @@ struct itimerspec {
#define TIMER_ABSTIME 0x1 /* absolute timer */
#ifdef _KERNEL
+#include <sys/timearith.h>
#include <sys/timevar.h>
#else /* !_KERNEL */
#ifndef _STANDALONE
Index: src/sys/sys/timevar.h
diff -u src/sys/sys/timevar.h:1.51 src/sys/sys/timevar.h:1.52
--- src/sys/sys/timevar.h:1.51 Mon Jul 17 13:44:24 2023
+++ src/sys/sys/timevar.h Sun Dec 22 23:24:20 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: timevar.h,v 1.51 2023/07/17 13:44:24 riastradh Exp $ */
+/* $NetBSD: timevar.h,v 1.52 2024/12/22 23:24:20 riastradh Exp $ */
/*
* Copyright (c) 2005, 2008, 2020 The NetBSD Foundation, Inc.
@@ -202,8 +202,6 @@ int tshzto(const struct timespec *);
int tshztoup(const struct timespec *);
int tvhzto(const struct timeval *);
void inittimecounter(void);
-int itimerfix(struct timeval *);
-int itimespecfix(struct timespec *);
int ppsratecheck(struct timeval *, int *, int);
int ratecheck(struct timeval *, const struct timeval *);
int settime(struct proc *p, struct timespec *);
@@ -213,8 +211,6 @@ int settimeofday1(const struct timeval *
const void *, struct lwp *, bool);
int timer_create1(timer_t *, clockid_t, struct sigevent *, copyin_t,
struct lwp *);
-int tstohz(const struct timespec *);
-int tvtohz(const struct timeval *);
int inittimeleft(struct timespec *, struct timespec *);
int gettimeleft(struct timespec *, struct timespec *);
void timerupcall(struct lwp *);
Added files:
Index: src/sys/kern/subr_time_arith.c
diff -u /dev/null src/sys/kern/subr_time_arith.c:1.1
--- /dev/null Sun Dec 22 23:24:21 2024
+++ src/sys/kern/subr_time_arith.c Sun Dec 22 23:24:20 2024
@@ -0,0 +1,490 @@
+/* $NetBSD: subr_time_arith.c,v 1.1 2024/12/22 23:24:20 riastradh Exp $ */
+
+/*-
+ * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009, 2020
+ * The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christopher G. Demetriou, by Andrew Doran, and by Jason R. Thorpe.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 1982, 1986, 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#)kern_clock.c 8.5 (Berkeley) 1/21/94
+ * @(#)kern_time.c 8.4 (Berkeley) 5/26/95
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: subr_time_arith.c,v 1.1 2024/12/22 23:24:20 riastradh Exp $");
+
+#include <sys/types.h>
+
+#include <sys/errno.h>
+#include <sys/time.h>
+#include <sys/timearith.h>
+
+#if defined(_KERNEL)
+
+#include <sys/kernel.h>
+#include <sys/systm.h>
+
+#include <machine/limits.h>
+
+#elif defined(_TIME_TESTING)
+
+#include <assert.h>
+#include <limits.h>
+#include <stdbool.h>
+
+extern int hz;
+extern long tick;
+
+#define KASSERT assert
+
+#endif
+
+/*
+ * Compute number of ticks in the specified amount of time.
+ */
+int
+tvtohz(const struct timeval *tv)
+{
+ unsigned long ticks;
+ long sec, usec;
+
+ /*
+ * If the number of usecs in the whole seconds part of the time
+ * difference fits in a long, then the total number of usecs will
+ * fit in an unsigned long. Compute the total and convert it to
+ * ticks, rounding up and adding 1 to allow for the current tick
+ * to expire. Rounding also depends on unsigned long arithmetic
+ * to avoid overflow.
+ *
+ * Otherwise, if the number of ticks in the whole seconds part of
+ * the time difference fits in a long, then convert the parts to
+ * ticks separately and add, using similar rounding methods and
+ * overflow avoidance. This method would work in the previous
+ * case, but it is slightly slower and assumes that hz is integral.
+ *
+ * Otherwise, round the time difference down to the maximum
+ * representable value.
+ *
+ * If ints are 32-bit, then the maximum value for any timeout in
+ * 10ms ticks is 248 days.
+ */
+ sec = tv->tv_sec;
+ usec = tv->tv_usec;
+
+ KASSERT(usec >= 0);
+ KASSERT(usec < 1000000);
+
+ /* catch overflows in conversion time_t->int */
+ if (tv->tv_sec > INT_MAX)
+ return INT_MAX;
+ if (tv->tv_sec < 0)
+ return 0;
+
+ if (sec < 0 || (sec == 0 && usec == 0)) {
+ /*
+ * Would expire now or in the past. Return 0 ticks.
+ * This is different from the legacy tvhzto() interface,
+ * and callers need to check for it.
+ */
+ ticks = 0;
+ } else if (sec <= (LONG_MAX / 1000000))
+ ticks = (((sec * 1000000) + (unsigned long)usec + (tick - 1))
+ / tick) + 1;
+ else if (sec <= (LONG_MAX / hz))
+ ticks = (sec * hz) +
+ (((unsigned long)usec + (tick - 1)) / tick) + 1;
+ else
+ ticks = LONG_MAX;
+
+ if (ticks > INT_MAX)
+ ticks = INT_MAX;
+
+ return ((int)ticks);
+}
+
+/*
+ * Check that a proposed value to load into the .it_value or
+ * .it_interval part of an interval timer is acceptable, and
+ * fix it to have at least minimal value (i.e. if it is less
+ * than the resolution of the clock, round it up.). We don't
+ * timeout the 0,0 value because this means to disable the
+ * timer or the interval.
+ */
+int
+itimerfix(struct timeval *tv)
+{
+
+ if (tv->tv_usec < 0 || tv->tv_usec >= 1000000)
+ return EINVAL;
+ if (tv->tv_sec < 0)
+ return ETIMEDOUT;
+ if (tv->tv_sec == 0 && tv->tv_usec != 0 && tv->tv_usec < tick)
+ tv->tv_usec = tick;
+ return 0;
+}
+
+int
+itimespecfix(struct timespec *ts)
+{
+
+ if (ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000)
+ return EINVAL;
+ if (ts->tv_sec < 0)
+ return ETIMEDOUT;
+ if (ts->tv_sec == 0 && ts->tv_nsec != 0 && ts->tv_nsec < tick * 1000)
+ ts->tv_nsec = tick * 1000;
+ return 0;
+}
+
+/*
+ * timespecaddok(tsp, usp)
+ *
+ * True if tsp + usp can be computed without overflow, i.e., if it
+ * is OK to do timespecadd(tsp, usp, ...).
+ */
+bool
+timespecaddok(const struct timespec *tsp, const struct timespec *usp)
+{
+ enum { TIME_MIN = __type_min(time_t), TIME_MAX = __type_max(time_t) };
+ time_t a = tsp->tv_sec;
+ time_t b = usp->tv_sec;
+ bool carry;
+
+ /*
+ * Caller is responsible for guaranteeing valid timespec
+ * inputs. Any user-controlled inputs must be validated or
+ * adjusted.
+ */
+ KASSERT(tsp->tv_nsec >= 0);
+ KASSERT(usp->tv_nsec >= 0);
+ KASSERT(tsp->tv_nsec < 1000000000L);
+ KASSERT(usp->tv_nsec < 1000000000L);
+ __CTASSERT(1000000000L <= __type_max(long) - 1000000000L);
+
+ /*
+ * Fail if a + b + carry overflows TIME_MAX, or if a + b
+ * overflows TIME_MIN because timespecadd adds the carry after
+ * computing a + b.
+ *
+ * Break it into two mutually exclusive and exhaustive cases:
+ * I. a >= 0
+ * II. a < 0
+ */
+ carry = (tsp->tv_nsec + usp->tv_nsec >= 1000000000L);
+ if (a >= 0) {
+ /*
+ * Case I: a >= 0. If b < 0, then b + 1 <= 0, so
+ *
+ * a + b + 1 <= a + 0 <= TIME_MAX,
+ *
+ * and
+ *
+ * a + b >= 0 + b = b >= TIME_MIN,
+ *
+ * so this can't overflow.
+ *
+ * If b >= 0, then a + b + carry >= a + b >= 0, so
+ * negative results and thus results below TIME_MIN are
+ * impossible; we need only avoid
+ *
+ * a + b + carry > TIME_MAX,
+ *
+ * which we will do by rejecting if
+ *
+ * b > TIME_MAX - a - carry,
+ *
+ * which in turn is incidentally always false if b < 0
+ * so we don't need extra logic to discriminate on the
+ * b >= 0 and b < 0 cases.
+ *
+ * Since 0 <= a <= TIME_MAX, we know
+ *
+ * 0 <= TIME_MAX - a <= TIME_MAX,
+ *
+ * and hence
+ *
+ * -1 <= TIME_MAX - a - 1 < TIME_MAX.
+ *
+ * So we can compute TIME_MAX - a - carry (i.e., either
+ * TIME_MAX - a or TIME_MAX - a - 1) safely without
+ * overflow.
+ */
+ if (b > TIME_MAX - a - carry)
+ return false;
+ } else {
+ /*
+ * Case II: a < 0. If b >= 0, then since a + 1 <= 0,
+ * we have
+ *
+ * a + b + 1 <= b <= TIME_MAX,
+ *
+ * and
+ *
+ * a + b >= a >= TIME_MIN,
+ *
+ * so this can't overflow.
+ *
+ * If b < 0, then the intermediate a + b is negative
+ * and the outcome a + b + 1 is nonpositive, so we need
+ * only avoid
+ *
+ * a + b < TIME_MIN,
+ *
+ * which we will do by rejecting if
+ *
+ * a < TIME_MIN - b.
+ *
+ * (Reminder: The carry is added afterward in
+ * timespecadd, so to avoid overflow it is not enough
+ * to merely reject a + b + carry < TIME_MIN.)
+ *
+ * It is safe to compute the difference TIME_MIN - b
+ * because b is negative, so the result lies in
+ * (TIME_MIN, 0].
+ */
+ if (b < 0 && a < TIME_MIN - b)
+ return false;
+ }
+
+ return true;
+}
+
+/*
+ * timespecsubok(tsp, usp)
+ *
+ * True if tsp - usp can be computed without overflow, i.e., if it
+ * is OK to do timespecsub(tsp, usp, ...).
+ */
+bool
+timespecsubok(const struct timespec *tsp, const struct timespec *usp)
+{
+ enum { TIME_MIN = __type_min(time_t), TIME_MAX = __type_max(time_t) };
+ time_t a = tsp->tv_sec, b = usp->tv_sec;
+ bool borrow;
+
+ /*
+ * Caller is responsible for guaranteeing valid timespec
+ * inputs. Any user-controlled inputs must be validated or
+ * adjusted.
+ */
+ KASSERT(tsp->tv_nsec >= 0);
+ KASSERT(usp->tv_nsec >= 0);
+ KASSERT(tsp->tv_nsec < 1000000000L);
+ KASSERT(usp->tv_nsec < 1000000000L);
+ __CTASSERT(1000000000L <= __type_max(long) - 1000000000L);
+
+ /*
+ * Fail if a - b - borrow overflows TIME_MIN, or if a - b
+ * overflows TIME_MAX because timespecsub subtracts the borrow
+ * after computing a - b.
+ *
+ * Break it into two mutually exclusive and exhaustive cases:
+ * I. a < 0
+ * II. a >= 0
+ */
+ borrow = (tsp->tv_nsec - usp->tv_nsec < 0);
+ if (a < 0) {
+ /*
+ * Case I: a < 0. If b < 0, then -b - 1 >= 0, so
+ *
+ * a - b - 1 >= a + 0 >= TIME_MIN,
+ *
+ * and, since a <= -1, provided that TIME_MIN <=
+ * -TIME_MAX - 1 so that TIME_MAX <= -TIME_MIN - 1 (in
+ * fact, equality holds, under the assumption of
+ * two's-complement arithmetic),
+ *
+ * a - b <= -1 - b = -b - 1 <= TIME_MAX,
+ *
+ * so this can't overflow.
+ */
+ __CTASSERT(TIME_MIN <= -TIME_MAX - 1);
+
+ /*
+ * If b >= 0, then a - b - borrow <= a - b < 0, so
+ * positive results and thus results above TIME_MAX are
+ * impossible; we need only avoid
+ *
+ * a - b - borrow < TIME_MIN,
+ *
+ * which we will do by rejecting if
+ *
+ * a < TIME_MIN + b + borrow.
+ *
+ * The right-hand side is safe to evaluate for any
+ * values of b and borrow as long as TIME_MIN +
+ * TIME_MAX + 1 <= TIME_MAX, i.e., TIME_MIN <= -1.
+ * (Note: If time_t were unsigned, this would fail!)
+ *
+ * Note: Unlike Case I in timespecaddok, this criterion
+ * does not work for b < 0, nor can the roles of a and
+ * b in the inequality be reversed (e.g., -b < TIME_MIN
+ * - a + borrow) without extra cases like checking for
+ * b = TEST_MIN.
+ */
+ __CTASSERT(TIME_MIN < -1);
+ if (b >= 0 && a < TIME_MIN + b + borrow)
+ return false;
+ } else {
+ /*
+ * Case II: a >= 0. If b >= 0, then
+ *
+ * a - b <= a <= TIME_MAX,
+ *
+ * and, provided TIME_MIN <= -TIME_MAX - 1 (in fact,
+ * equality holds, under the assumption of
+ * two's-complement arithmetic)
+ *
+ * a - b - 1 >= -b - 1 >= -TIME_MAX - 1 >= TIME_MIN,
+ *
+ * so this can't overflow.
+ */
+ __CTASSERT(TIME_MIN <= -TIME_MAX - 1);
+
+ /*
+ * If b < 0, then a - b >= a >= 0, so negative results
+ * and thus results below TIME_MIN are impossible; we
+ * need only avoid
+ *
+ * a - b > TIME_MAX,
+ *
+ * which we will do by rejecting if
+ *
+ * a > TIME_MAX + b.
+ *
+ * (Reminder: The borrow is subtracted afterward in
+ * timespecsub, so to avoid overflow it is not enough
+ * to merely reject a - b - borrow > TIME_MAX.)
+ *
+ * It is safe to compute the sum TIME_MAX + b because b
+ * is negative, so the result lies in [0, TIME_MAX).
+ */
+ if (b < 0 && a > TIME_MAX + b)
+ return false;
+ }
+
+ return true;
+}
+
+/*
+ * itimer_transition(it, now, next, &overruns)
+ *
+ * Given:
+ *
+ * - it: the current state of an itimer (it_value = last expiry
+ * time, it_interval = periodic rescheduling interval), and
+ *
+ * - now: the current time on the itimer's clock;
+ *
+ * compute:
+ *
+ * - next: the next time the itimer should be scheduled for, and
+ * - overruns: the number of overruns if we're firing late.
+ *
+ * XXX This should maybe also say whether the itimer should expire
+ * at all.
+ */
+void
+itimer_transition(const struct itimerspec *restrict it,
+ const struct timespec *restrict now,
+ struct timespec *restrict next,
+ int *restrict overrunsp)
+{
+ uint64_t last_val, next_val, interval, now_ns;
+ int backwards;
+
+ /*
+ * Zero the outputs so we can test assertions in userland
+ * without undefined behaviour.
+ */
+ timespecclear(next);
+ *overrunsp = 0;
+
+ /*
+ * Paranoia: Caller should guarantee this.
+ */
+ if (!timespecisset(&it->it_interval)) {
+ timespecclear(next);
+ return;
+ }
+
+ backwards = (timespeccmp(&it->it_value, now, >));
+
+ /* Nonnegative interval guaranteed by itimerfix. */
+ KASSERT(it->it_interval.tv_sec >= 0);
+ KASSERT(it->it_interval.tv_nsec >= 0);
+
+ /* Handle the easy case of non-overflown timers first. */
+ if (!backwards &&
+ timespecaddok(&it->it_value, &it->it_interval)) {
+ timespecadd(&it->it_value, &it->it_interval,
+ next);
+ } else {
+ now_ns = timespec2ns(now);
+ last_val = timespec2ns(&it->it_value);
+ interval = timespec2ns(&it->it_interval);
+
+ next_val = now_ns +
+ (now_ns - last_val + interval - 1) % interval;
+
+ if (backwards)
+ next_val += interval;
+ else
+ *overrunsp = (now_ns - last_val) / interval;
+
+ next->tv_sec = next_val / 1000000000;
+ next->tv_nsec = next_val % 1000000000;
+ }
+}
Index: src/sys/sys/timearith.h
diff -u /dev/null src/sys/sys/timearith.h:1.1
--- /dev/null Sun Dec 22 23:24:21 2024
+++ src/sys/sys/timearith.h Sun Dec 22 23:24:20 2024
@@ -0,0 +1,77 @@
+/* $NetBSD: timearith.h,v 1.1 2024/12/22 23:24:20 riastradh Exp $ */
+
+/*
+ * Copyright (c) 2005, 2008, 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 1982, 1986, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#)time.h 8.5 (Berkeley) 5/4/95
+ */
+
+#ifndef _SYS_TIMEARITH_H_
+#define _SYS_TIMEARITH_H_
+
+struct itimerspec;
+struct timespec;
+struct timeval;
+
+int tstohz(const struct timespec *);
+int tvtohz(const struct timeval *);
+
+int itimerfix(struct timeval *);
+int itimespecfix(struct timespec *);
+
+void itimer_transition(const struct itimerspec *restrict,
+ const struct timespec *restrict,
+ struct timespec *restrict, int *restrict);
+
+#endif /* _SYS_TIMEARITH_H_ */
