Slashdot Mirror
GNU C Library Alternative Musl Libc Hits 1.0 Milestone
New submitter dalias (1978986) writes "The musl libc project has released version 1.0, the result of three years of development and testing. Musl is a lightweight, fast, simple, MIT-licensed, correctness-oriented alternative to the GNU C library (glibc), uClibc, or Android's Bionic. At this point musl provides all mandatory C99 and POSIX interfaces (plus a lot of widely-used extensions), and well over 5000 packages are known to build successfully against musl.
Several options are available for trying musl. Compiler toolchains are available from the musl-cross project, and several new musl-based Linux distributions are already available (Sabotage and Snowflake, among others). Some well-established distributions including OpenWRT and Gentoo are in the process of adding musl-based variants, and others (Aboriginal, Alpine, Bedrock, Dragora) are adopting musl as their default libc." The What's New file contains release notes (you have to scroll to the bottom). There's also a handy chart comparing muscl to other libc implementations: it looks like musl is a better bet than dietlibc and uclibc for embedded use.
Several options are available for trying musl. Compiler toolchains are available from the musl-cross project, and several new musl-based Linux distributions are already available (Sabotage and Snowflake, among others). Some well-established distributions including OpenWRT and Gentoo are in the process of adding musl-based variants, and others (Aboriginal, Alpine, Bedrock, Dragora) are adopting musl as their default libc." The What's New file contains release notes (you have to scroll to the bottom). There's also a handy chart comparing muscl to other libc implementations: it looks like musl is a better bet than dietlibc and uclibc for embedded use.
Hey guys I just finish making an Arduino-driven, vibrating buttplug. Is this awesome?!!
... which I don't believe because the guys at gnu know a thing or 2 about compilers and libraries - or this library has cut some corners and/or missed out some functionality.
For those curious about which "5000 packages" that build with musl, there is the awesome automated pkgsrc tests published: http://wiki.musl-libc.org/wiki...
Hi mom! I'm doing well, how about you?
It might be easier to add than to remove, leading to bloat over time and glibc has been around for a while. Also, building on old code might mean that you are limited in what you can change. For example, the modular design of LLVM has been a pretty big success and is considered easier to work with/develop than gcc. For musl, I think they have decided to remove all legacy stuff + non-standard extensions.
libc is just old and not developed very much...
I'm guessing that it only targets x86, amd64, ARM, and MIPS. That sounds comprehensive until one considers sparc, HPPA, PPC, POWER, and various "embedded but not ARM or MIPS" architectures like Blackfin or CRIS.
What is the real benefit besides license? Is it correctness?
-=/\- Jizzbug -/\=-
I downloaded the library to see some random code. Here is the very first file I (randomly) chose (putw.c):
#define _GNU_SOURCE
#include
int putw(int x, FILE *f)
{
return (int)fwrite(&x, sizeof x, 1, f)-1;
}
Cheers.
From the FAQ:
On musl, the entire standard library is included in a single library file — libc.a for static linking, and libc.so for dynamic linking. This significantly improves the efficiency of dynamic linking, and avoids all sorts of symbol interposition bugs that arise when you split the libraries up — bugs which have plagued glibc for more than a decade.
Bringing it all together? That's why they call it the love musl.
You obviously never worked on or looked at their source code.
The first priority on musl is correctness, and they will take a hit to size and speed if that's what's necessary to achieve it. But thus far, they've been doing a good job of achieving correctness without introducing too much bloat.
Take a look at their page on bugs found while developing musl, and you'll find that they've found and reported quite a few bugs in glibc where glibc had been "cutting corners".
Steps to a useless comment:
1) Speculate on the features of something
2) Note that that speculated feature set doesn't include something you want
3) Criticise based on your speculation
For every problem, there is at least one solution that is simple, neat, and wrong.
You're right that musl doesn't support the same breadth of architectures that glibc does. They currently support x86, amd64, ARM, MIPS, PPC, microblaze, and they have experimental support for superh and x32.
One big advantage they do have is that it's much simpler to add support for a new architecture to musl than it is to add it to glibc. They are interested in supporting more architectures, so I'd expect their list of supported architectures to grow fairly quickly if there are people interested in that support.
The GPL is communist.
bugs fixed:
- buffer overflow in printf when printing smallest denormal exactly
-=/\- Jizzbug -/\=-
I like how they place an emphasis on it being small, but they require you to link the whole damned thing into your app. And of c ourse that doesn't help you write correct software, because you won't figure out if you really need -lm unless you also test your app on a more correct libc.
Lightweight and correct indeed.
For every problem, there is at least one solution that is simple, neat, and wrong.
The first thing I saw was MIT vs GPL. What is the difference between the two?
Never trust a man wearing a coat and tie!
The chart shows a few things, though I notice they don't include comparison to the full glibc itself.
Hacker Public Radio is our Friend
Such a trend to reinvent wheels. Hidden intention seems to be to allow more "Mixed source" BS through the push for permitive licenses. And devs are falling all over it by providing free code to these projects. A shame.
Here is a link to the comparison chart mentioned in the description.
Forking the Linux userland yet again should have some serious motivations behind it. I can't find them neither in the benchmarks nor in the feature comparisons provided here.
At the time the comparison was made, glibc was essentially unmaintained and Debian-based distributions were using the eglibc fork. Now that glibc is under new leadership, eglibc is being discontinued and the important changes have been merged back to glibc upstream. So when I update the chart's quantitative comparisons, it will be for glibc rather than eglibc. The main things that will change when I do are significant increases in size (especially since I seem to have under-measured eglibc's totals) and possibly some improvements in performance. In terms of all the other qualitative comparisons, glibc remains about the same place it was before.
I am glad to see an alternative to GNU's C library. I have run into a number of bugs with the GNU C library, or more specifically, incompatibilities which crop up between versions. Sometimes behaviour changes between one version of the library and another, causing end-user applications to stop working properly. If someone provides a more consistent library with similar performance, I would be happy to see it adopted.
... which I don't believe because the guys at gnu know a thing or 2 about compilers and libraries - or this library has cut some corners and/or missed out some functionality.
NSA has not had a chance to sneak their stuff in yet?
Unlike some projects, we fully disclose bugs that might be relevant to security. In this instance, the bug could only be triggered by explicitly requesting sufficiently many decimal places (16445 for ld80) and printing a denormal long double with the lowest bit set, as in:
printf("%.16445Lf", 0x1p-16445);
In addition, even when triggered, it only wrote past the end of the buffer by one slot, and we were unable to get it to overwrite anything important like a return address (of course, what it overwrites depends on the compiler, so in principle it could).
WTF does this mean? I'm sure as hell not developing against a libc that doesn't have debugging hooks. This can't be what it means.
I read the internet for the articles.
Yeah, the guys at gnu must know a lot, it's thanks to them that we have autoconf hell and myriads of projects trying to save us from it. Or why others started LLVM, or why others start a libc.
Don't measure the knowledge of the gnu guys based on your own lack of it.
It doesn't mean you can't use gdb, just that libc itself does not try to double as a debugging tool. This is actually a security consideration. For example, glibc prints debugging information if it detects corruption in malloc. But if there's already memory corruption, you have to assume the whole program state is inconsistent; the corruption may be intentional due to the actions of an attacker, and various function pointers, etc. may have been overwritten. Continuing execution, even to print debug output, risks expanding the attacker's opportunity to take control of the program.
FWIW, musl does detect heap corruption. The difference is that it immediately executes an instruction that will crash the program rather than trying to continue execution, make additional function calls that go though indirection (the PLT) and access complex data structures, etc.
Don't measure the knowledge of the gnu guys based on your own lack of it.
Why not? It's exactly how we operate our political... oh, wait...
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Thanks for the update. I used to hear about the drama around drepper, but I didn't understand what happened after he left.
argument by status quo? surely you're not serious that
since gnu has been at it a while it follows that they are good?
what's this a remix of the old hungarian mathematics joke?
The compare page is missing the only other entry I wanted to see.... and that is, BSD libc. This is widely used by QNX (Blackberry) and probably all kinds of other vendors. I image Apple has their own fork.
The others aren't comparable because they're copylefted, so cannot be used everywhere like musl and BSD libc can.
Let me fix that for you:
Steps to a typical Slashdot comment:
1) Speculate on the features of something
2) Note that that speculated feature set doesn't include something you want
3) Criticise based on your speculation
Tragic to watch this happening! True open-source code is being slowly replaced by code that corporations can exploit to build walled gardens. They're slowly replacing the whole toolchain from top to bottom with code that they can use to make money. Apple is sitting on billions, and what benefit do any open-source contributors get? I wouldn't work for one of these projects and be exploited like this. If Apple wants to use part of the toolchain that makes them billions, they can pay for it.
Comment removed based on user account deletion
Just look at typical GNU code though. It's well written but it's not small, and often not efficient. Much of this is due to accretion over time, however there also is a certain style that the programs follow. Thus the parodied GNU HelloWorld program. Glibc makes an implicit assumption that it is being used on a fast computer with lots of memory (ie, a PC or minicomputer). This is perfectly normal, however it leads to a different sort of optimization than you would find for embedded systems or small computers for example, thus the popularity of alternative standard C libraries or lots of roll-your-own.
Yes some functionality may be missing, but is that necessarily required or standard functionality?
I wonder how small Musl is in comparison to Bionic which is really, really small.
You don't know much.
Some parts of glibc are definitely broken. For example, snprintf(3) does a ton of dynamic memory allocation, which means printing a formatted string to a static buffer could still fail with ENOMEM! That's because snprintf is a wrapper around fprintf() using a dynamic file object, among other niceties! Sane implementations like on OpenBSD are async-signal-safe for all the basic formatting specifiers.
The problem with glibc is they do too much dynamic memory allocation in general. Several functions you would think should never fail on a sane implementation could fail. Then you have just plain stupid stuff, like NL_TEXT being INT_MAX, because apparently the GNU folks expect that some time in the future strerror_r() may return system error messages gigabytes in length. It's really because they took too literally the GNU Coding Style requirement of using dynamic memory as much as possible to avoid arbitrary limitations. But sometimes arbitrary limitations are really nice, making simpler code which is more secure. Imagine dealing with DNS names of arbitrary length!
It's ridiculous. When you're boxed into a corner because of various _other_ failures (I/O, authentication failure, w'ever), the last thing you want to worry about in your failure path is having to deal with crap like OOM conditions.
Someone with mod points, please mod up the parent post. Even if you disagree with it, it's informative about one of the big issues in glibc that musl does differently: musl's snprintf and dprintf, for example, are async-signal-safe. Roland McGrath, who holds claim to being the "inventor" of dprintf and author of the original implementation in glibc, has stated that he intended for the function to be async-signal-safe or at least close to it, and that later introduction of dynamic allocation is a bug (which I later filed as #16060) that glibc should fix.
No, glibc is just garbage, like so much other Gnu code. And no, I disagree with your unwarranted assertion that Gnu code is typically well written. Counter examples galore: Gnu Emacs, Autoconf, Automake, guile, GCC.
It's just Gnu has fame from blowing the Free Software horn so hard and for so long, that people naturally and incorrectly assume that they must be technically competent.
Unlike some projects, we fully disclose bugs that might be relevant to security.
Thank you. As a security guy, knowing that the disinfectant of sunlight is illuminating your project, I am willing to spend more time examining and using your project. I hope your project becomes the default libc everywhere.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
But if there's already memory corruption, you have to assume the whole program state is inconsistent; the corruption may be intentional due to the actions of an attacker, and various function pointers, etc. may have been overwritten. Continuing execution, even to print debug output, risks expanding the attacker's opportunity to take control of the program.
I'm sorry, this sounds like a poor rationalization for lack of useful functionality. By this logic, you should crash the program without warning whenever invalid input is detected - it could be an attack since no program should ever provide invalid input to a function. In real life, programs have tons of bugs and diagnostic messages are hugely useful in identifying and then fixing them. Especially since the vast majority of programs are not used in a context where an attack can occur.
A 'paranoid' mode with this behavior may make sense for some people. Most people, especially those in the process of developing the software, would prefer diagnostics when things go wrong.
I'm sorry, this sounds like a poor rationalization for lack of useful functionality. By this logic, you should crash the program without warning whenever invalid input is detected - it could be an attack since no program should ever provide invalid input to a function. In real life, programs have tons of bugs and diagnostic messages are hugely useful in identifying and then fixing them. Especially since the vast majority of programs are not used in a context where an attack can occur.
A 'paranoid' mode with this behavior may make sense for some people. Most people, especially those in the process of developing the software, would prefer diagnostics when things go wrong.
I disagree. There is a big difference between invalid input to a function (eg trying to convert "abc" to an integer) and a memory corruption bug. In the former case, you can return an error to the caller, and if they were written with enough attention to detail, they can fix the problem and move on, or ask the user for actually valid input, or whatever followup action may be appropriate.
In the case of a memory corruption bug, there is no way to correct the problem and move on. By the time you detect the problem, you're already hosed. You can't even rely on the fact that the program accurately knows what it was in the middle of trying to do. I think crashing is absolutely appropriate here. And if you want to debug it, then attach a debugging to the program or the resulting core dump -- all the same information you would have gotten from printed diagnostics can be found (albeit with more effort). But trying to diagnose a memory corruption bug after the fact like this is the hard way to do it anyway. You really want to catch the corruption as it happens, and the are much better tools for this (valgrind, etc).
Perhaps you should read this: https://twitter.com/solardiz/s...
What is wrong with old code?
It is well-tested.